4.2.0

What's Changed

New features

• Added CAE claims support for FIC + Managed Identity. See #3647 for details.
• Added AddMicrosoftIdentityMessageHandler extension methods for IHttpClientBuilder. See #3649 for details.

##Bug fixes

• Fixed tenant not being propagated in credential FIC acquisition. See #3633 for details.
• Fixed ForAgentIdentity hardcoded 'AzureAd' ConfigurationSection to respect AuthenticationOptionsName. See #3635 for details.
• Fixed GetTokenAcquirer to propagate MicrosoftEntraApplicationOptions properties. See #3651 for details.
• Added meaningful error message when identity configuration is missing. See #3637 for details.

Dependencies updates

• Update Microsoft.Identity.Abstractions to version 10.0.0.
• Bump express from 5.1.0 to 5.2.0 in /tests/DevApps/SidecarAdapter/typescript. #3636
• Bump jws from 3.2.2 to 3.2.3 in /tests/DevApps/SidecarAdapter/typescript. #3641

Fundamentals

• Update support policy. #3656
• Update agent identity coordinates in E2E tests after deauth. #3640
• Update E2E agent identity configuration to new tenant. #3646

Full Changelog: 4.1.1...4.2.0

4.1.1

Bug fixes

• Authority-only configuration parsing improvements: Early parsing of Authority into Instance/TenantId and defensive fallback in PrepareAuthorityInstanceForMsal. Behavior is backward compatible; Authority is still ignored when Instance/TenantId explicitly provided—now surfaced via a warning. See #3612.

New features

• Added warning diagnostics for conflicting Authority vs Instance/TenantId: Emitting a single structured warning when both styles are provided. See #3611.

Fundamentals

• Expanded authority test matrix: Coverage for AAD (v1/v2), B2C (/tfp/ normalization, policy path), CIAM (PreserveAuthority), query parameters, scheme-less forms, and conflict scenarios. See #3610.

4.1.0

New features

• Migrate to .NET 10 GA. #3449 and #3590

Dependencies updates

• Bump MSAL.NET to version 4.79.2 and handle changes to deprecated WithExtraQueryParameters APIs. #3583
• Update Microsoft.IdentityModel and Abstractions versions. #3604
• Update coverlet.collector to 6.0.4. #3587
• Update package validation baseline version to 4.0.0. #3589
• Bump js-yaml from 4.1.0 to 4.1.1 in /tests/DevApps/SidecarAdapter/typescript. #3595

Entra ID SDK sidecar

• Restrict hosts to localhost for sidecar. #3579
• Update http file to match endpoints. #3555
• Revise sidecar issue template for Entra ID. #3577

Documentation

• Update README to include Entra SDK container info. #3578

Fundamentals

• Include NET 9.0 in template-install-dependencies. #3593
• Fix CodeQL alerts. #3591
• Suppression file is needed. #3592

4.0.1

Bugs fixes

• Correctly compute Application Key when credential usage fails.
• Fix bugs where agent user identities didn't work with non-default authentication schemes.

Fundamentals

• Update .net version to CG compliance

Sidecar

• Configure Sidecar to default AllowWebApiToBeAuthorizedByACL to true as the container doesn't do authZ

4.0.0

4.0.0

Breaking Changes

Removed support for .NET 6.0 and .NET 7.0 - Microsoft Identity Web 4.0.0 no longer targets .NET 6.0 and .NET 7.0, following Microsoft's support lifecycle. The supported target frameworks are now .NET 8.0, .NET 9.0, .NET Framework 4.6.2, .NET Framework 4.7.2, and .NET Standard 2.0.

See MIGRATION_GUIDE_V4

New features

• Various improvements to performance logging, authentication, and credential loading capabilities.
• Bumped MSAL.NET to 4.77.1
• Added credential description extensibility. For details, see #3487
• Added a new CerticateObserverAction type: SuccessfullyUsed and support for multiple certificate observers for improved certificate lifecycle management and telemetry. See #3505
• Add specification of OID (in addition to upn) when requesting an authorization header for Agent User Identity. See #3513
• Added ClaimsPrincipal and ClaimsIdentity extension methods for agent identity detection in web APIs enabling developers to easily detect agent identities and retrieve parent agent blueprint from token claims. See #3515
• Added MicrosoftIdentityMessageHandler for flexible HttpClient authentication. Provides composable alternative to DownstreamApi with per-request authentication configuration. Supports WWW-Authenticate challenge handling. See #3503
• Support for multiple certificate observers. See #3506
• The Microsoft.Identity.Web.Sidecar will provide a container solution for validation and token acquisition in any-language. See #3524

Bug Fixes

• Fixed TokenAcquirerFactory null reference when AppContext.BaseDirectory is root path. See #3443
• Fixed IDW10405 error when using managed identity with common tenant. See #3415
• Removed hard dependency on IConfiguration in OidcIdpSignedAssertionLoader. See #3414

Fundamentals

• Various improvements to .NET support and dependency optimizations.
• Added doc for Agent identities. See Agent identities
• Combined and fixed test collections. See #3472
• Migrate repository agent rules from .clinerules to agents.md. See #3475
• Add .NET 6.x setup step to dotnetcore.yml workflow, as the default build agents don't have it any longer. See #3489
• Renamed NET 7 tests to ThreadingTests for framework independence. See #3501

3.14.1

3.14.1

Bug fixe

• Support client secrets with agent user identities. See #3470 for details.

3.14.0

New features

• Support multi-tenant agent user identities. See #3461 for details.
• Id Web now allows for passing of ExtraBodyParameters. See #3463 for details.

3.13.1

3.13.1

Dependencies updates

• Microsoft.IdentityModel updated to version 8.14.0.

3.13.0

3.13.0

Dependencies updates

• Microsoft.IdentityModel updated to version 8.13.1.
• Microsoft.Abstractions updated to version 9.3.0 and using IAuthenticationSchemeInformationProvider from that library, deprecating the interface of the same name in Microsoft.Identity.Web (introduced in 3.12.0).

Bug fixes

• Fixed an issue with instantiation of TokenAcquirerFactory when AppContext.BaseDirectory is root path. See PR #3443 for details.

Fundamentals

• Use cloud user in tests. See PR #3441 and #3442 for details.

3.12.0

3.12.0

Dependencies updates

• Updated MSAL to version 4.74.1 part of #3398.

Bug fix

Reload certificates for all client credential based issues to solve the issue that when a bad certificate was installed on the machine and picked up, and subsequently rotated, a service restart was needed for the new certificate to be used. See issue #3429 and PR #3430

New features

• Include the thrown exception in CertificateChangeEventArg. See PR #3428 for better supportabiliby.
• Support for Agent User identities. See PR #3435

3.11.0

3.11.0

Dependencies updates

• Updated global.json to the latest .NET 9 runtime framework 9.0.108. See PR #3422 for details.

Bug fixes

• Fix IDW10405 error when using managed identity with common tenant. See PR #3415 for details.
• Fix OidcIdpSignedAssertionLoader to remove hard dependency on IConfiguration registration. See PR #3414 for details.

New feature

• Add support for ExtraHeaderParameters and ExtraQueryParameters properties on DownstreamApiOptions to simplify adding custom headers and query parameters to downstream API requests. See PR #3413 for details.
• Add better support for Azure SDK. For details see Readme-Azure and PR #3416

What's Changed

• Update Abstractions version and the public API files after 3.10.0 release by @jmprieur in #3407
• Update Directory.Build.props by @jennyf19 in #3404
• Fix IDW10405 error when using managed identity with common tenant by @Copilot in #3415
• Add ExtraHeaderParameters and ExtraQueryParameters support to DownstreamApi by @Copilot in #3413
• Fix OidcIdpSignedAssertionLoader to remove hard dependency on IConfiguration registration by @Copilot in #3414
• Update global.json by @jennyf19 in #3422
• Improved experience for Azure SDKs with Microsoft Identity Platform authentication by @jmprieur in #3416
• Update 3.11 changelog by @jennyf19 in #3423
• update test certs by @jennyf19 in #3424

New Contributors

• @Copilot made their first contribution in #3415

Full Changelog: 3.10.0...3.11.0