Azure.Identity An exception class raised for errors in authenticating client requests. Creates a new AuthenticationFailedException with the specified message. The message describing the authentication failure. Creates a new AuthenticationFailedException with the specified message and inner exception. The message describing the authentication failure. The exception underlying the authentication failure. A constructor used for serialization. The . The . Account information relating to an authentication request. The user principal or service principal name of the account. The authority host used to authenticate the account. A unique identifier of the account. The tenant the account should authenticate in. The client ID of the application which performed the original authentication. Serializes the to the specified . The which the serialized will be written to. A controlling the request lifetime. Serializes the to the specified . The to which the serialized will be written. A controlling the request lifetime. Deserializes the from the specified . The from which the serialized will be read. A controlling the request lifetime. Deserializes the from the specified . The from which the serialized will be read. A controlling the request lifetime. An exception indicating that interactive authentication is required. Creates a new with the specified message and context. The message describing the authentication failure. The details of the authentication request. Creates a new with the specified message, context and inner exception. The message describing the authentication failure. The details of the authentication request. The exception underlying the authentication failure. A constructor used for serialization. The . The . The details of the authentication request which resulted in the authentication failure. Defines fields exposing the well-known authority hosts for the Azure Public Cloud and sovereign clouds. The host of the Microsoft Entra authority for tenants in the Azure Public Cloud. 
The host of the Microsoft Entra authority for tenants in the Azure China Cloud. The host of the Microsoft Entra authority for tenants in the Azure German Cloud. The host of the Microsoft Entra authority for tenants in the Azure US Government Cloud. Authenticates by redeeming an authorization code previously obtained from Microsoft Entra ID. See for more information about the authorization code authentication flow. Protected constructor for mocking. Creates an instance of the credential with the details needed to authenticate against Microsoft Entra ID with a prefetched authorization code. The Microsoft Entra tenant (directory) ID of the service principal. The client (application) ID of the service principal. A client secret that was generated for the App Registration used to authenticate the client. The authorization code obtained from a call to authorize. The code should be obtained with all required scopes. See https://learn.microsoft.com/entra/identity-platform/v2-oauth2-auth-code-flow for more information. Creates an instance of the credential with the details needed to authenticate against Microsoft Entra ID with a prefetched authorization code. The Microsoft Entra tenant (directory) ID of the service principal. The client (application) ID of the service principal. A client secret that was generated for the App Registration used to authenticate the client. The authorization code obtained from a call to authorize. The code should be obtained with all required scopes. See for more information. Options that configure the management of the requests sent to Microsoft Entra ID. Creates an instance of the credential with the details needed to authenticate against Microsoft Entra ID with a prefetched authorization code. The Microsoft Entra tenant (directory) ID of the service principal. 
The client (application) ID of the service principal. A client secret that was generated for the App Registration used to authenticate the client. The authorization code obtained from a call to authorize. The code should be obtained with all required scopes. See for more information. Options that configure the management of the requests sent to Microsoft Entra ID. Obtains a token from Microsoft Entra ID, using the specified authorization code to authenticate. Acquired tokens are cached by the credential instance. Token lifetime and refreshing is handled automatically. Where possible, reuse credential instances to optimize cache effectiveness. The details of the authentication request. A controlling the request lifetime. An which can be used to authenticate service client calls. Obtains a token from Microsoft Entra ID, using the specified authorization code to authenticate. Acquired tokens are cached by the credential instance. Token lifetime and refreshing is handled automatically. Where possible, reuse credential instances to optimize cache effectiveness. The details of the authentication request. A controlling the request lifetime. An which can be used to authenticate service client calls. Options used to configure the . The redirect URI that will be sent with the GetToken request. For multi-tenant applications, specifies additional tenants for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant in which the application is installed. Gets or sets the setting which determines whether or not instance discovery is performed when attempting to authenticate. Setting this to true will completely disable both instance discovery and authority validation. This functionality is intended for use in scenarios where the metadata endpoint cannot be reached, such as in private clouds or Azure Stack. 
The process of instance discovery entails retrieving authority metadata from https://login.microsoft.com/ to validate the authority. By setting this to true, the validation of the authority is disabled. As a result, it is crucial to ensure that the configured authority host is valid and trustworthy. Provides a implementation which chains the and implementations to be tried in order until one of the getToken methods returns a non-default . This credential is designed for applications deployed to Azure (it is not intended for local development, where a credential that supports developer-tool sign-in is better suited). It authenticates service principals and managed identities. Initializes an instance of the . Initializes an instance of the . The to configure this credential. Sequentially calls on all the specified sources, returning the first successfully obtained . Acquired tokens are cached by the credential instance. Token lifetime and refreshing is handled automatically. Where possible, reuse credential instances to optimize cache effectiveness. The details of the authentication request. A controlling the request lifetime. The first returned by the specified sources. Any credential which raises a will be skipped. Sequentially calls on all the specified sources, returning the first successfully obtained . Acquired tokens are cached by the credential instance. Token lifetime and refreshing is handled automatically. Where possible, reuse credential instances to optimize cache effectiveness. The details of the authentication request. A controlling the request lifetime. The first returned by the specified sources. Any credential which raises a will be skipped. Options to configure the authentication flow and requests made to Azure Identity services. Specifies the client ID of the Azure managed identity, in the case of a user-assigned identity. Enables authentication to Microsoft Entra ID using the Azure CLI to obtain an access token. Creates an instance of the class. Creates an instance of the class. 
The Microsoft Entra tenant (directory) ID of the service principal. Obtains an access token from the Azure CLI, using this access token to authenticate. This method is called by Azure SDK clients. Obtains an access token from the Azure CLI, using the access token to authenticate. This method is called by Azure SDK clients. Options for configuring the . The ID of the tenant to which the credential will authenticate by default. If not specified, the credential will authenticate to any requested tenant, and will default to the tenant provided to the 'az login' command. Specifies tenants in addition to the specified for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant the logged-in account can access. If no value is specified for , this option will have no effect, and the credential will acquire tokens for any requested tenant. The CLI process timeout. Enables authentication to Microsoft Entra ID using the Azure Developer CLI to obtain an access token. Creates an instance of the class. Creates an instance of the class. The Microsoft Entra tenant (directory) ID of the service principal. Obtains an access token from the Azure Developer CLI, using this access token to authenticate. This method is called by Azure SDK clients. Obtains an access token from the Azure Developer CLI, using the access token to authenticate. This method is called by Azure SDK clients. Options for configuring the . The ID of the tenant to which the credential will authenticate by default. If not specified, the credential will authenticate to any requested tenant, and will default to the tenant provided to the 'azd auth login' command. Specifies tenants in addition to the specified for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant the logged-in account can access. 
If no value is specified for , this option will have no effect, and the credential will acquire tokens for any requested tenant. The CLI process timeout. Enables authentication to Microsoft Entra ID using Azure PowerShell to obtain an access token. Creates a new instance of the . Creates a new instance of the with the specified options. Options for configuring the credential. Obtains an access token from Azure PowerShell, using the access token to authenticate. This method is called by Azure SDK clients. Obtains an access token from Azure PowerShell, using the access token to authenticate. This method is called by Azure SDK clients. Options for configuring the . The ID of the tenant to which the credential will authenticate by default. If not specified, the credential will authenticate to any requested tenant, and will default to the tenant provided to the 'Connect-AzAccount' cmdlet. Specifies tenants in addition to the specified for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant the logged-in account can access. If no value is specified for , this option will have no effect, and the credential will acquire tokens for any requested tenant. The PowerShell process timeout. Options to customize the browser view. Specifies whether the public client application should use an embedded web browser or the system default browser. Property to set HtmlMessageSuccess of SystemWebViewOptions from MSAL, which the browser will show to the user when the user finishes authenticating successfully. Property to set HtmlMessageError of SystemWebViewOptions from MSAL, which the browser will show to the user when the user finishes authenticating but an error occurred. You can use a format string, e.g. "An error has occurred: {0} details: {1}". Provides a implementation which chains multiple implementations to be tried in order until one of the getToken methods returns a non-default . 
The ChainedTokenCredential class provides the ability to link together multiple credential instances to be tried sequentially when authenticating. The following example demonstrates creating a credential which will attempt to authenticate using managed identity, and fall back to Azure CLI for authentication if a managed identity is unavailable in the current environment.

    // Authenticate using managed identity if it is available; otherwise use the Azure CLI to authenticate.
    var credential = new ChainedTokenCredential(new ManagedIdentityCredential(), new AzureCliCredential());
    var eventHubProducerClient = new EventHubProducerClient("myeventhub.eventhubs.windows.net", "myhubpath", credential);

Constructor for instrumenting in tests. Creates an instance with the specified sources. The ordered chain of implementations to be tried when calling or . Sequentially calls on all the specified sources, returning the first successfully obtained . Acquired tokens are cached by the credential instance. Token lifetime and refreshing is handled automatically. Where possible, reuse credential instances to optimize cache effectiveness. The details of the authentication request. A controlling the request lifetime. The first returned by the specified sources. Any credential which raises a will be skipped. Sequentially calls on all the specified sources, returning the first successfully obtained . Acquired tokens are cached by the credential instance. Token lifetime and refreshing is handled automatically. Where possible, reuse credential instances to optimize cache effectiveness. The details of the authentication request. A controlling the request lifetime. The first returned by the specified sources. Any credential which raises a will be skipped. Enables authentication of a Microsoft Entra service principal using a signed client assertion. Protected constructor for mocking. 
Creates an instance of the credential with an asynchronous callback that provides a signed client assertion to authenticate against Microsoft Entra ID. The Microsoft Entra tenant (directory) ID of the service principal. The client (application) ID of the service principal. An asynchronous callback returning a valid client assertion used to authenticate the service principal. Options that configure the management of the requests sent to Microsoft Entra ID. Creates an instance of the credential with a synchronous callback that provides a signed client assertion to authenticate against Microsoft Entra ID. The Microsoft Entra tenant (directory) ID of the service principal. The client (application) ID of the service principal. A synchronous callback returning a valid client assertion used to authenticate the service principal. Options that configure the management of the requests sent to Microsoft Entra ID. Obtains a token from Microsoft Entra ID, by calling the assertionCallback specified when constructing the credential to obtain a client assertion for authentication. The details of the authentication request. A controlling the request lifetime. An which can be used to authenticate service client calls. Obtains a token from Microsoft Entra ID, by calling the assertionCallback specified when constructing the credential to obtain a client assertion for authentication. The details of the authentication request. A controlling the request lifetime. An which can be used to authenticate service client calls. Options used to configure the . For multi-tenant applications, specifies additional tenants for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant in which the application is installed. Gets or sets the setting which determines whether or not instance discovery is performed when attempting to authenticate. 
Setting this to true will completely disable both instance discovery and authority validation. This functionality is intended for use in scenarios where the metadata endpoint cannot be reached, such as in private clouds or Azure Stack. The process of instance discovery entails retrieving authority metadata from https://login.microsoft.com/ to validate the authority. By setting this to true, the validation of the authority is disabled. As a result, it is crucial to ensure that the configured authority host is valid and trustworthy. Enables authentication of a service principal to Microsoft Entra ID using an X.509 certificate that is assigned to its App Registration. More information on how to configure certificate authentication can be found at . Gets the Microsoft Entra tenant (directory) ID of the service principal. Gets the client (application) ID of the service principal. Protected constructor for mocking. Creates an instance of the ClientCertificateCredential with the details needed to authenticate against Microsoft Entra ID with the specified certificate. The Microsoft Entra tenant (directory) ID of the service principal. The client (application) ID of the service principal. The path to a file which contains both the client certificate and private key. Creates an instance of the ClientCertificateCredential with the details needed to authenticate against Microsoft Entra ID with the specified certificate. The Microsoft Entra tenant (directory) ID of the service principal. The client (application) ID of the service principal. The path to a file which contains both the client certificate and private key. Options that configure the management of the requests sent to Microsoft Entra ID. Creates an instance of the ClientCertificateCredential with the details needed to authenticate against Microsoft Entra ID with the specified certificate. The Microsoft Entra tenant (directory) ID of the service principal. 
The client (application) ID of the service principal. The path to a file which contains both the client certificate and private key. Options that configure the management of the requests sent to Microsoft Entra ID. Creates an instance of the ClientCertificateCredential with the details needed to authenticate against Microsoft Entra ID with the specified certificate. The Microsoft Entra tenant (directory) ID of the service principal. The client (application) ID of the service principal. The authentication X.509 certificate of the service principal. Creates an instance of the ClientCertificateCredential with the details needed to authenticate against Microsoft Entra ID with the specified certificate. The Microsoft Entra tenant (directory) ID of the service principal. The client (application) ID of the service principal. The authentication X.509 certificate of the service principal. Options that configure the management of the requests sent to Microsoft Entra ID. Creates an instance of the ClientCertificateCredential with the details needed to authenticate against Microsoft Entra ID with the specified certificate. The Microsoft Entra tenant (directory) ID of the service principal. The client (application) ID of the service principal. The authentication X.509 certificate of the service principal. Options that configure the management of the requests sent to Microsoft Entra ID. Obtains a token from Microsoft Entra ID, using the specified X.509 certificate to authenticate. Acquired tokens are cached by the credential instance. Token lifetime and refreshing is handled automatically. Where possible, reuse credential instances to optimize cache effectiveness. The details of the authentication request. A controlling the request lifetime. An which can be used to authenticate service client calls. Obtains a token from Microsoft Entra ID, using the specified X.509 certificate to authenticate. Acquired tokens are cached by the credential instance. 
Token lifetime and refreshing is handled automatically. Where possible, reuse credential instances to optimize cache effectiveness. The details of the authentication request. A controlling the request lifetime. An which can be used to authenticate service client calls. Options used to configure the . Specifies the to be used by the credential. If no options are specified, the token cache will not be persisted to disk. Includes the x5c header in the client claims when acquiring a token, to enable subject name / issuer based authentication for the . For multi-tenant applications, specifies additional tenants for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant in which the application is installed. Gets or sets the setting which determines whether or not instance discovery is performed when attempting to authenticate. Setting this to true will completely disable both instance discovery and authority validation. This functionality is intended for use in scenarios where the metadata endpoint cannot be reached, such as in private clouds or Azure Stack. The process of instance discovery entails retrieving authority metadata from https://login.microsoft.com/ to validate the authority. By setting this to true, the validation of the authority is disabled. As a result, it is crucial to ensure that the configured authority host is valid and trustworthy. Enables authentication to Microsoft Entra ID using a client secret that was generated for an App Registration. More information on how to configure a client secret can be found at . Gets the Microsoft Entra tenant (directory) ID of the service principal. Gets the client (application) ID of the service principal. Gets the client secret that was generated for the App Registration used to authenticate the client. Protected constructor for mocking. 
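The client assertion credential and the client certificate credential described above are the two ways to authenticate a service principal without a shared secret. The following is an added example (editor's illustration, not code from the Azure.Identity library or its documentation) that builds both: a certificate credential for a tenant in the Azure US Government cloud with the x5c chain sent for subject name / issuer authentication and instance discovery left enabled, and an assertion credential whose callback reads a JWT issued by an external identity provider from a file on every call. The tenant ID, client ID, PFX path, token file path and scope are all placeholders; the assumption that a federated token is projected to a file is an assumption of this example, not something the page states.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

// Added example: secret-free service principal credentials. All paths and IDs are placeholders.
public static class SecretFreeCredentials
{
    // Certificate-based credential for a tenant hosted in the Azure US Government cloud.
    public static TokenCredential FromCertificate(string tenantId, string clientId, string pfxPath)
    {
        var options = new ClientCertificateCredentialOptions
        {
            // Sovereign cloud: the authority host must match the cloud the tenant lives in.
            AuthorityHost = AzureAuthorityHosts.AzureGovernment,
            // Send the x5c certificate chain so Entra ID can validate by subject name / issuer
            // (only useful when the app registration is configured for SNI authentication).
            SendCertificateChain = true,
            // Keep instance discovery on (the default). Turning it off skips authority
            // validation, so only do that where the metadata endpoint is genuinely unreachable.
            DisableInstanceDiscovery = false,
        };

        // Assumption: an unencrypted PFX containing the certificate and its private key.
        var certificate = new X509Certificate2(pfxPath);
        return new ClientCertificateCredential(tenantId, clientId, certificate, options);
    }

    // Assertion-based credential: the assertion is a JWT minted by an external issuer that the
    // app registration trusts (federated credential). Nothing long-lived is held by the app.
    public static TokenCredential FromFederatedTokenFile(string tenantId, string clientId, string tokenFilePath)
    {
        async Task<string> ReadAssertionAsync(CancellationToken ct)
        {
            // Re-read on every callback so a rotated token is picked up without a restart.
            string assertion = (await File.ReadAllTextAsync(tokenFilePath, ct)).Trim();
            if (string.IsNullOrEmpty(assertion))
            {
                throw new InvalidOperationException($"No client assertion found at {tokenFilePath}");
            }
            return assertion;
        }

        return new ClientAssertionCredential(tenantId, clientId, ReadAssertionAsync);
    }

    // App-only tokens are requested with a "<resource>/.default" scope; the scope is a placeholder.
    public static Task<AccessToken> GetTokenAsync(TokenCredential credential, string scope, CancellationToken ct)
        => credential.GetTokenAsync(new TokenRequestContext(new[] { scope }), ct).AsTask();
}
```

Both credentials cache tokens internally, so construct them once per process and pass the same instance to every client; constructing a new credential per request defeats the cache and, for the assertion variant, re-reads the token file on every token acquisition rather than only on refresh.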
Creates an instance of the ClientSecretCredential with the details needed to authenticate against Microsoft Entra ID with a client secret. The Microsoft Entra tenant (directory) ID of the service principal. The client (application) ID of the service principal. A client secret that was generated for the App Registration used to authenticate the client. Creates an instance of the ClientSecretCredential with the details needed to authenticate against Microsoft Entra ID with a client secret. The Microsoft Entra tenant (directory) ID of the service principal. The client (application) ID of the service principal. A client secret that was generated for the App Registration used to authenticate the client. Options that configure the management of the requests sent to Microsoft Entra ID. Creates an instance of the ClientSecretCredential with the details needed to authenticate against Microsoft Entra ID with a client secret. The Microsoft Entra tenant (directory) ID of the service principal. The client (application) ID of the service principal. A client secret that was generated for the App Registration used to authenticate the client. Options that configure the management of the requests sent to Microsoft Entra ID. Obtains a token from Microsoft Entra ID, using the specified client secret to authenticate. Acquired tokens are cached by the credential instance. Token lifetime and refreshing is handled automatically. Where possible, reuse credential instances to optimize cache effectiveness. The details of the authentication request. A controlling the request lifetime. An which can be used to authenticate service client calls. Obtains a token from Microsoft Entra ID, using the specified client secret to authenticate. Acquired tokens are cached by the credential instance. Token lifetime and refreshing is handled automatically. Where possible, reuse credential instances to optimize cache effectiveness. The details of the authentication request. 
A controlling the request lifetime. An which can be used to authenticate service client calls. Options used to configure the . Specifies the to be used by the credential. If no options are specified, the token cache will not be persisted to disk. For multi-tenant applications, specifies additional tenants for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant in which the application is installed. Gets or sets the setting which determines whether or not instance discovery is performed when attempting to authenticate. Setting this to true will completely disable both instance discovery and authority validation. This functionality is intended for use in scenarios where the metadata endpoint cannot be reached, such as in private clouds or Azure Stack. The process of instance discovery entails retrieving authority metadata from https://login.microsoft.com/ to validate the authority. By setting this to true, the validation of the authority is disabled. As a result, it is crucial to ensure that the configured authority host is valid and trustworthy. Provides a default authentication flow for applications that will be deployed to Azure. The following credential types, if enabled, will be tried in order: Consult the documentation of these credential types for more information on how they attempt authentication. Note that credentials requiring user interaction, such as the , are not included by default. Callers must explicitly enable this when constructing the , either by setting the includeInteractiveCredentials parameter to true, or by setting the property to false when passing . This example demonstrates authenticating the BlobClient from the Azure.Storage.Blobs client library using the DefaultAzureCredential, deployed to an Azure resource with a user-assigned managed identity configured. 
    // When deployed to an Azure host, the default Azure credential will authenticate the specified user-assigned managed identity.
    string userAssignedClientId = "<your managed identity client Id>";
    var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions { ManagedIdentityClientId = userAssignedClientId });
    var blobClient = new BlobClient(new Uri("https://myaccount.blob.core.windows.net/mycontainer/myblob"), credential);

Creates an instance of the DefaultAzureCredential class. Specifies whether credentials requiring user interaction will be included in the default authentication flow. Creates an instance of the class. Options that configure the management of the requests sent to Microsoft Entra ID, and determine which credentials are included in the authentication flow. Sequentially calls on all the included credentials in the order , , , and , returning the first successfully obtained . Acquired tokens are cached by the credential instance. Token lifetime and refreshing is handled automatically. Where possible, reuse credential instances to optimize cache effectiveness. Note that credentials requiring user interaction, such as the , are not included by default. The details of the authentication request. A controlling the request lifetime. The first returned by the specified sources. Any credential which raises a will be skipped. Sequentially calls on all the included credentials in the order , , , and , returning the first successfully obtained . Acquired tokens are cached by the credential instance. Token lifetime and refreshing is handled automatically. Where possible, reuse credential instances to optimize cache effectiveness. Note that credentials requiring user interaction, such as the , are not included by default. The details of the authentication request. A controlling the request lifetime. The first returned by the specified sources. Any credential which raises a will be skipped. 
Options to configure the authentication flow and requests made to Azure Identity services. The ID of the tenant to which the credential will authenticate by default. If not specified, the credential will authenticate to any requested tenant, and will default to the tenant to which the chosen authentication method was originally authenticated. The tenant ID of the user to authenticate, in the case the authenticates through the . The default is null and will authenticate users to their default tenant. The value can also be set by setting the environment variable AZURE_TENANT_ID. Specifies the tenant ID of the preferred authentication account, to be retrieved from the shared token cache for single sign-on authentication with development tools, in the case multiple accounts are found in the shared token cache. If multiple accounts are found in the shared token cache and no value is specified, or the specified value matches no accounts in the cache, the SharedTokenCacheCredential will not be used for authentication. The tenant ID of the user to authenticate, in the case the authenticates through the . The default is null and will authenticate users to their default tenant. The value can also be set by setting the environment variable AZURE_TENANT_ID. The tenant ID of the user to authenticate, in the case the authenticates through the . The default is null and will authenticate users to their default tenant. The value can also be set by setting the environment variable AZURE_TENANT_ID. Specifies tenants in addition to the specified for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant the logged-in account can access. If no value is specified for , this option will have no effect on that authentication method, and the credential will acquire tokens for any requested tenant when using that method. This value can also be set by setting the environment variable AZURE_ADDITIONALLY_ALLOWED_TENANTS. 
Specifies the preferred authentication account to be retrieved from the shared token cache for single sign-on authentication with development tools, in the case multiple accounts are found in the shared token cache. If multiple accounts are found in the shared token cache and no value is specified, or the specified value matches no accounts in the cache, the SharedTokenCacheCredential will not be used for authentication. Specifies the client ID of the selected credential. Specifies the client ID of the application the workload identity will authenticate. Specifies the client ID of a user-assigned managed identity. If this value is configured, then should not be configured. Specifies the resource ID of a user-assigned managed identity. If this value is configured, then should not be configured. Specifies the timeout for credentials invoked via a sub-process, e.g. Visual Studio, Azure CLI, Azure PowerShell. Specifies whether the will be excluded from the authentication flow. Setting to true disables reading authentication details from the process' environment variables. Specifies whether the will be excluded from the authentication flow. Setting to true disables reading authentication details from the process' environment variables. Specifies whether the will be excluded from the authentication flow. Setting to true disables authenticating with managed identity endpoints. Specifies whether the will be excluded from the authentication flow. Specifies whether the will be excluded from the authentication flow. Setting to true disables single sign-on authentication with development tools which write to the shared token cache. The default is true. Specifies whether the will be excluded from the authentication flow. Setting to true disables launching the default system browser to authenticate in development environments. The default is true. Specifies whether the will be excluded from the authentication flow. Specifies whether the will be excluded from the authentication flow. 
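The exclusion options above let a caller narrow the DefaultAzureCredential chain so that a request can only be satisfied by the credential types that are expected in a given environment. The following is an added example (editor's illustration, not code from the Azure.Identity library or its documentation) that builds one chain for a deployed workload, where only environment variables, workload identity and managed identity may answer, and another for a developer workstation, where secrets in environment variables and the managed identity endpoint are disabled and the tenant is pinned. The `runningInAzure` switch, the `AZURE_TENANT_ID` lookup and the 30 second timeout are assumptions of the example.

```csharp
using System;
using Azure.Core;
using Azure.Identity;

// Added example: shape the DefaultAzureCredential chain per environment instead of
// accepting the full default list. How "runningInAzure" is decided is up to the caller.
public static class CredentialFactory
{
    public static TokenCredential Create(bool runningInAzure, string userAssignedClientId)
    {
        if (runningInAzure)
        {
            // Production: every developer-tool and interactive credential is excluded, so a
            // misconfigured host cannot silently fall back to whatever account happens to be
            // signed in on the machine. Environment, workload identity and managed identity remain.
            return new DefaultAzureCredential(new DefaultAzureCredentialOptions
            {
                ManagedIdentityClientId = userAssignedClientId, // null selects the system-assigned identity
                ExcludeSharedTokenCacheCredential = true,
                ExcludeVisualStudioCredential = true,
                ExcludeVisualStudioCodeCredential = true,
                ExcludeAzureCliCredential = true,
                ExcludeAzurePowerShellCredential = true,
                ExcludeAzureDeveloperCliCredential = true,
                ExcludeInteractiveBrowserCredential = true,
            });
        }

        // Local development: rely on the developer's CLI / IDE sign-in and, as a last resort,
        // the browser; never on secrets read from environment variables or on a managed identity
        // endpoint that a local emulator or proxy might be exposing.
        return new DefaultAzureCredential(new DefaultAzureCredentialOptions
        {
            ExcludeEnvironmentCredential = true,
            ExcludeManagedIdentityCredential = true,
            ExcludeWorkloadIdentityCredential = true,
            ExcludeInteractiveBrowserCredential = false,
            // Pin the tenant so tokens are not minted for whichever tenant the tool last used.
            TenantId = Environment.GetEnvironmentVariable("AZURE_TENANT_ID"),
            // Bound how long a hung 'az' or 'pwsh' process can stall the application.
            CredentialProcessTimeout = TimeSpan.FromSeconds(30),
        });
    }
}
```

When a request fails, the credential's exception lists which chain members were tried and why each was skipped; with the production chain above that list is short and names only the credentials the deployment is supposed to use, which makes an unexpected fallback visible rather than silent.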
Specifies whether the will be excluded from the authentication flow. The default is true. Specifies whether the will be excluded from the authentication flow. A implementation which authenticates a user using the device code flow, and provides access tokens for that user account. For more information on the device code authentication flow see https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Device-Code-Flow. Creates a new , which will authenticate users using the device code flow. Creates a new with the specified options, which will authenticate users using the device code flow. The client options for the newly created . Creates a new DeviceCodeCredential with the specified options, which will authenticate users with the specified application. The callback to be executed to display the device code to the user. The client ID of the application to which the users will authenticate. The client options for the newly created DeviceCodeCredential. Creates a new DeviceCodeCredential with the specified options, which will authenticate users with the specified application. The callback to be executed to display the device code to the user. The tenant ID of the application to which users will authenticate. This can be null for multi-tenant applications. The client ID of the application to which the users will authenticate. The client options for the newly created DeviceCodeCredential. Interactively authenticates a user via the device code flow. A controlling the request lifetime. The result of the authentication request, containing the acquired , and the which can be used to silently authenticate the account. Interactively authenticates a user via the device code flow. A controlling the request lifetime. The which can be used to silently authenticate the account on future execution of credentials using the same persisted token cache. Interactively authenticates a user via the device code flow. A controlling the request lifetime. 
The details of the authentication request. The of the authenticated account. Interactively authenticates a user via the default browser. A controlling the request lifetime. The details of the authentication request. The of the authenticated account. Obtains a token for a user account, authenticating them through the device code authentication flow. Acquired tokens are cached by the credential instance. Token lifetime and refreshing is handled automatically. Where possible, reuse credential instances to optimize cache effectiveness. The details of the authentication request. A controlling the request lifetime. An which can be used to authenticate service client calls. Obtains a token for a user account, authenticating them through the device code authentication flow. Acquired tokens are cached by the credential instance. Token lifetime and refreshing is handled automatically. Where possible, reuse credential instances to optimize cache effectiveness. The details of the authentication request. A controlling the request lifetime. An which can be used to authenticate service client calls. Options to configure the . Prevents the from automatically prompting the user. If automatic authentication is disabled a AuthenticationRequiredException will be thrown from and in the case that user interaction is necessary. The application is responsible for handling this exception, and calling or to authenticate the user interactively. The tenant ID the user will be authenticated to. If not specified the user will be authenticated to their home tenant. Specifies tenants in addition to the specified for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant the logged in account can access. If no value is specified for , this option will have no effect, and the credential will acquire tokens for any requested tenant. The client ID of the application used to authenticate the user. 
If not specified the user will be authenticated with an Azure development application. Specifies the to be used by the credential. If no options are specified, the token cache will not be persisted to disk. The captured from a previous authentication. The callback which will be executed to display the device code login details to the user. If not specified the device code and login instructions will be printed to the console. Gets or sets the setting which determines whether or not instance discovery is performed when attempting to authenticate. Setting this to true will completely disable both instance discovery and authority validation. This functionality is intended for use in scenarios where the metadata endpoint cannot be reached, such as in private clouds or Azure Stack. The process of instance discovery entails retrieving authority metadata from https://login.microsoft.com/ to validate the authority. By setting this to true, the validation of the authority is disabled. As a result, it is crucial to ensure that the configured authority host is valid and trustworthy.

Enables authentication to Microsoft Entra ID using a client secret or certificate, or as a user with a username and password. Configuration is attempted in this order, using these environment variables:

Service principal with secret:
  AZURE_TENANT_ID: The Microsoft Entra tenant (directory) ID.
  AZURE_CLIENT_ID: The client (application) ID of an App Registration in the tenant.
  AZURE_CLIENT_SECRET: A client secret that was generated for the App Registration.

Service principal with certificate:
  AZURE_TENANT_ID: The Microsoft Entra tenant (directory) ID.
  AZURE_CLIENT_ID: The client (application) ID of an App Registration in the tenant.
  AZURE_CLIENT_CERTIFICATE_PATH: A path to a certificate and private key pair in PEM or PFX format, which can authenticate the App Registration.
  AZURE_CLIENT_CERTIFICATE_PASSWORD: (Optional) The password protecting the certificate file (currently only supported for PFX (PKCS12) certificates).
  AZURE_CLIENT_SEND_CERTIFICATE_CHAIN: (Optional) Specifies whether an authentication request will include an x5c header to support subject name / issuer based authentication. When set to `true` or `1`, authentication requests include the x5c header.

Username and password:
  AZURE_TENANT_ID: The Microsoft Entra tenant (directory) ID.
  AZURE_CLIENT_ID: The client (application) ID of an App Registration in the tenant.
  AZURE_USERNAME: The username, also known as UPN, of a Microsoft Entra user account.
  AZURE_PASSWORD: The password of the Microsoft Entra user account. Note this does not support accounts with MFA enabled.

This credential ultimately uses a , , or to perform the authentication using these details. Please consult the documentation of that class for more details. Creates an instance of the EnvironmentCredential class and reads client secret details from environment variables. If the expected environment variables are not found at this time, the GetToken method will return the default when invoked. Creates an instance of the EnvironmentCredential class and reads client secret details from environment variables. If the expected environment variables are not found at this time, the GetToken method will return the default when invoked. Options that allow configuring the management of the requests sent to Microsoft Entra ID. Creates an instance of the EnvironmentCredential class and reads client secret details from environment variables. If the expected environment variables are not found at this time, the GetToken method will return the default when invoked. Options that allow configuring the management of the requests sent to Microsoft Entra ID.
Obtains a token from Microsoft Entra ID, using the client details specified in the environment variables AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET, or AZURE_USERNAME and AZURE_PASSWORD, to authenticate. Acquired tokens are cached by the credential instance. Token lifetime and refreshing is handled automatically. Where possible, reuse credential instances to optimize cache effectiveness. If the environment variables AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET are not specified, the default The details of the authentication request. A controlling the request lifetime. An which can be used to authenticate service client calls. Obtains a token from Microsoft Entra ID, using the client details specified in the environment variables AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET, or AZURE_USERNAME and AZURE_PASSWORD, to authenticate. Acquired tokens are cached by the credential instance. Token lifetime and refreshing is handled automatically. Where possible, reuse credential instances to optimize cache effectiveness. If the environment variables AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET are not specified, the default The details of the authentication request. A controlling the request lifetime. An which can be used to authenticate service client calls, or a default .

Options used to configure the . The ID of the tenant to which the credential will authenticate by default. This value defaults to the value of the environment variable AZURE_TENANT_ID. The client ID (app ID) of the service principal the credential will authenticate. This value defaults to the value of the environment variable AZURE_CLIENT_ID. The client secret used to authenticate the service principal. This value defaults to the value of the environment variable AZURE_CLIENT_SECRET. The path to the client certificate used to authenticate the service principal. This value defaults to the value of the environment variable AZURE_CLIENT_CERTIFICATE_PATH. The password of the client certificate used to authenticate the service principal. This value defaults to the value of the environment variable AZURE_CLIENT_CERTIFICATE_PASSWORD. Whether to include the x5c header in client claims when acquiring a token, to enable certificate subject name / issuer based authentication. This value defaults to the value of the environment variable AZURE_CLIENT_SEND_CERTIFICATE_CHAIN. The username of the user account the credential will authenticate. This value defaults to the value of the environment variable AZURE_USERNAME. The password used to authenticate the user. This value defaults to the value of the environment variable AZURE_PASSWORD. MSAL client to be used for testing. MSAL client to be used for testing. Gets or sets the setting which determines whether or not instance discovery is performed when attempting to authenticate. Setting this to true will completely disable both instance discovery and authority validation. This functionality is intended for use in scenarios where the metadata endpoint cannot be reached, such as in private clouds or Azure Stack. The process of instance discovery entails retrieving authority metadata from https://login.microsoft.com/ to validate the authority. By setting this to true, the validation of the authority is disabled. As a result, it is crucial to ensure that the configured authority host is valid and trustworthy. Specifies tenants in addition to the specified for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant the logged in account can access. If no value is specified for , this option will have no effect on that authentication method, and the credential will acquire tokens for any requested tenant when using that method. This value defaults to the value of the environment variable AZURE_ADDITIONALLY_ALLOWED_TENANTS.
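As an added example, not code from the Azure.Identity library or its documentation, the following C# program ties together two points from the sections above: the DefaultAzureCredentialOptions exclusion switches, used here to restrict a production service to host-bound, non-interactive credential sources, and the EnvironmentCredential precedence order (client secret, then certificate, then username/password), checked up front so that a misconfigured process fails with a clear CredentialUnavailableException instead of silently receiving the default AccessToken described above. The DefaultAzureCredentialOptions property names, TokenRequestContext, GetTokenAsync and CredentialUnavailableException are real Azure.Core/Azure.Identity APIs (ExcludeAzureDeveloperCliCredential is assumed to be present, i.e. Azure.Identity 1.10 or later); the class and method names and the scope string are assumptions made for this example.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

// Added example: selecting and pre-checking credential sources with Azure.Identity.
// The helper names (CredentialSelection, DetectEnvironmentMode, ...) are assumptions for this example.
public static class CredentialSelection
{
    public enum EnvironmentMode { None, ServicePrincipalSecret, ServicePrincipalCertificate, UsernamePassword }

    // Mirrors the order in which EnvironmentCredential tries its configurations:
    // client secret, then certificate, then username/password. getEnv is injected so the check is testable.
    public static EnvironmentMode DetectEnvironmentMode(Func<string, string> getEnv)
    {
        bool Has(string name) => !string.IsNullOrEmpty(getEnv(name));

        if (!Has("AZURE_TENANT_ID") || !Has("AZURE_CLIENT_ID"))
            return EnvironmentMode.None;                       // both are required by every mode
        if (Has("AZURE_CLIENT_SECRET"))
            return EnvironmentMode.ServicePrincipalSecret;
        if (Has("AZURE_CLIENT_CERTIFICATE_PATH"))
            return EnvironmentMode.ServicePrincipalCertificate;
        if (Has("AZURE_USERNAME") && Has("AZURE_PASSWORD"))
            return EnvironmentMode.UsernamePassword;           // cannot authenticate MFA-enabled accounts
        return EnvironmentMode.None;
    }

    // A DefaultAzureCredential for production hosts: environment, workload identity and managed identity
    // stay enabled; every developer-tool, shared-cache and interactive source is switched off so a
    // misconfigured host cannot fall back to a signed-in developer's identity.
    public static DefaultAzureCredential CreateProductionCredential()
    {
        var options = new DefaultAzureCredentialOptions
        {
            ExcludeEnvironmentCredential = false,
            ExcludeWorkloadIdentityCredential = false,
            ExcludeManagedIdentityCredential = false,
            ExcludeSharedTokenCacheCredential = true,    // already the default per the docs, stated explicitly
            ExcludeInteractiveBrowserCredential = true,  // already the default per the docs, stated explicitly
            ExcludeVisualStudioCredential = true,
            ExcludeVisualStudioCodeCredential = true,
            ExcludeAzureCliCredential = true,
            ExcludeAzurePowerShellCredential = true,
            ExcludeAzureDeveloperCliCredential = true,   // assumes Azure.Identity 1.10 or later
        };
        return new DefaultAzureCredential(options);
    }

    // Requests a token and refuses to hand back an empty one. The docs above state that EnvironmentCredential
    // returns the default AccessToken when its variables are missing; turning that into a hard failure stops a
    // misconfigured service from making unauthenticated calls that fail later in less obvious ways.
    public static async Task<AccessToken> GetTokenOrThrowAsync(
        TokenCredential credential, string scope, CancellationToken cancellationToken = default)
    {
        var context = new TokenRequestContext(new[] { scope });
        AccessToken token = await credential.GetTokenAsync(context, cancellationToken);
        if (string.IsNullOrEmpty(token.Token))
            throw new CredentialUnavailableException(
                $"No credential in the chain produced a token for scope '{scope}'.");
        return token;
    }

    public static async Task Main()
    {
        EnvironmentMode mode = DetectEnvironmentMode(Environment.GetEnvironmentVariable);
        Console.WriteLine($"EnvironmentCredential configuration detected: {mode}");
        if (mode == EnvironmentMode.UsernamePassword)
            Console.WriteLine("Warning: username/password mode cannot authenticate MFA-enabled accounts " +
                              "and is not recommended outside prototyping.");

        TokenCredential credential = CreateProductionCredential();
        // The scope is an example value (Azure Resource Manager); use the resource your service actually calls.
        AccessToken token = await GetTokenOrThrowAsync(credential, "https://management.azure.com/.default");
        Console.WriteLine($"Token acquired; expires at {token.ExpiresOn:u}");
    }
}
```

Run on a host with a managed identity, or with the service principal variables set, the program prints the detected configuration and the token expiry; on a developer workstation with only a CLI login it throws, which is the intended outcome for a production build. Keep a single credential instance for the lifetime of the process, as the sections above recommend, so the internal token cache is effective.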
A implementation which launches the system default browser to interactively authenticate a user, and obtain an access token. The browser will only be launched to authenticate the user once, then will silently acquire access tokens through the user's refresh token as long as it's valid. Creates a new with the specified options, which will authenticate users. Creates a new with the specified options, which will authenticate users with the specified application. The client options for the newly created . Creates a new with the specified options, which will authenticate users with the specified application. The client id of the application to which the users will authenticate. Creates a new with the specified options, which will authenticate users with the specified application. The tenant id of the application and the users to authenticate. Can be null in the case of multi-tenant applications. The client id of the application to which the users will authenticate. TODO: need to link to info on how the application has to be created to authenticate users, for multiple applications. The client options for the newly created . Interactively authenticates a user via the default browser. A controlling the request lifetime. The result of the authentication request, containing the acquired , and the which can be used to silently authenticate the account. Interactively authenticates a user via the default browser. The resulting will automatically be used in subsequent calls to . A controlling the request lifetime. The result of the authentication request, containing the acquired , and the which can be used to silently authenticate the account. Interactively authenticates a user via the default browser. The resulting will automatically be used in subsequent calls to . A controlling the request lifetime. The details of the authentication request. The of the authenticated account. Interactively authenticates a user via the default browser. A controlling the request lifetime. The details of the authentication request. The of the authenticated account. Obtains a token for a user account silently if the user has already authenticated, otherwise the default browser is launched to authenticate the user. Acquired tokens are cached by the credential instance. Token lifetime and refreshing is handled automatically. Where possible, reuse credential instances to optimize cache effectiveness. The details of the authentication request. A controlling the request lifetime. An which can be used to authenticate service client calls. Obtains a token for a user account silently if the user has already authenticated, otherwise the default browser is launched to authenticate the user. Acquired tokens are cached by the credential instance. Token lifetime and refreshing is handled automatically. Where possible, reuse credential instances to optimize cache effectiveness. The details of the authentication request. A controlling the request lifetime. An which can be used to authenticate service client calls.

Options to configure the . Prevents the from automatically prompting the user. If automatic authentication is disabled an AuthenticationRequiredException will be thrown from and in the case that user interaction is necessary. The application is responsible for handling this exception, and calling or to authenticate the user interactively. The tenant ID the user will be authenticated to. If not specified the user will be authenticated to the home tenant. Specifies tenants in addition to the specified for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant the logged in account can access. If no value is specified for , this option will have no effect, and the credential will acquire tokens for any requested tenant. The client ID of the application used to authenticate the user. If not specified the user will be authenticated with an Azure development application.
Specifies the to be used by the credential. If no options are specified, the token cache will not be persisted to disk. URI where the STS will call back the application with the security token. This parameter is not required if the caller is not using a custom . In the case that the caller is using their own the value must match the redirect URL specified when creating the application registration. The captured from a previous authentication. Avoids the account prompt and pre-populates the username of the account to login. Gets or sets the setting which determines whether or not instance discovery is performed when attempting to authenticate. Setting this to true will completely disable both instance discovery and authority validation. This functionality is intended for use in scenarios where the metadata endpoint cannot be reached, such as in private clouds or Azure Stack. The process of instance discovery entails retrieving authority metadata from https://login.microsoft.com/ to validate the authority. By setting this to true, the validation of the authority is disabled. As a result, it is crucial to ensure that the configured authority host is valid and trustworthy. The options for customizing the browser for interactive authentication.

Specifies tenants in addition to the configured tenant for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant the logged in account can access. If no specific tenant was configured this option will have no effect, and the credential will acquire tokens for any requested tenant. Gets or sets the setting which determines whether or not instance discovery is performed when attempting to authenticate. Setting this to true will completely disable both instance discovery and authority validation. This functionality is intended for use in scenarios where the metadata endpoint cannot be reached, such as in private clouds or Azure Stack. The process of instance discovery entails retrieving authority metadata from https://login.microsoft.com/ to validate the authority. By setting this to true, the validation of the authority is disabled. As a result, it is crucial to ensure that the configured authority host is valid and trustworthy.

Attempts authentication using a managed identity that has been assigned to the deployment environment. This authentication type works for all Azure hosted environments that support managed identity. More information about configuring managed identities can be found at . Protected constructor for mocking. Creates an instance of the ManagedIdentityCredential capable of authenticating a resource with a managed identity. The client ID to authenticate for a user-assigned managed identity. More information on user-assigned managed identities can be found at . Options to configure the management of the requests sent to Microsoft Entra ID. Creates an instance of the ManagedIdentityCredential capable of authenticating a resource with a managed identity. The resource ID to authenticate for a user-assigned managed identity. More information on user-assigned managed identities can be found at . Options to configure the management of the requests sent to Microsoft Entra ID. Obtains an from the Managed Identity service, if available. Acquired tokens are cached by the credential instance. Token lifetime and refreshing is handled automatically. Where possible, reuse credential instances to optimize cache effectiveness. The details of the authentication request. A controlling the request lifetime. An which can be used to authenticate service client calls, or a default if no managed identity is available. Obtains an from the Managed Identity service, if available. Acquired tokens are cached by the credential instance. Token lifetime and refreshing is handled automatically. Where possible, reuse credential instances to optimize cache effectiveness.
The details of the authentication request. A controlling the request lifetime. An which can be used to authenticate service client calls, or a default if no managed identity is available.

Enables authentication to Microsoft Entra ID using an On-Behalf-Of flow. Protected constructor for mocking. Creates an instance of the with the details needed to authenticate against Microsoft Entra ID with the specified certificate. The Microsoft Entra tenant (directory) ID of the service principal. The client (application) ID of the service principal. The authentication X509 Certificate of the service principal. The access token that will be used by as the user assertion when requesting On-Behalf-Of tokens. Creates an instance of the with the details needed to authenticate against Microsoft Entra ID with the specified certificate. The Microsoft Entra tenant (directory) ID of the service principal. The client (application) ID of the service principal. The authentication X509 Certificate of the service principal. The access token that will be used by as the user assertion when requesting On-Behalf-Of tokens. Options that allow configuring the management of the requests sent to Microsoft Entra ID. Creates an instance of the with the details needed to authenticate with Microsoft Entra ID. The Microsoft Entra tenant (directory) ID of the service principal. The client (application) ID of the service principal. A client secret that was generated for the App Registration used to authenticate the client. The access token that will be used by as the user assertion when requesting On-Behalf-Of tokens. Creates an instance of the with the details needed to authenticate with Microsoft Entra ID. The Microsoft Entra tenant (directory) ID of the service principal. The client (application) ID of the service principal. A client secret that was generated for the App Registration used to authenticate the client. The access token that will be used by as the user assertion when requesting On-Behalf-Of tokens. Options that allow configuring the management of the requests sent to Microsoft Entra ID. Authenticates with Microsoft Entra ID and returns an access token if successful. Acquired tokens are cached by the credential instance. Token lifetime and refreshing is handled automatically. Where possible, reuse credential instances to optimize cache effectiveness. The details of the authentication request. A controlling the request lifetime. An which can be used to authenticate service client calls. Authenticates with Microsoft Entra ID and returns an access token if successful. Acquired tokens are cached by the credential instance. Token lifetime and refreshing is handled automatically. Where possible, reuse credential instances to optimize cache effectiveness. The details of the authentication request. A controlling the request lifetime. An which can be used to authenticate service client calls.

The . Whether to include the x5c header in client claims when acquiring a token, to enable subject name / issuer based authentication for the . For multi-tenant applications, specifies additional tenants for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant in which the application is installed. Gets or sets the setting which determines whether or not instance discovery is performed when attempting to authenticate. Setting this to true will completely disable both instance discovery and authority validation. This functionality is intended for use in scenarios where the metadata endpoint cannot be reached, such as in private clouds or Azure Stack. The process of instance discovery entails retrieving authority metadata from https://login.microsoft.com/ to validate the authority. By setting this to true, the validation of the authority is disabled.
As a result, it is crucial to ensure that the configured authority host is valid and trustworthy.

Authenticates using tokens in a local cache file. This is a legacy mechanism for authenticating clients using credentials provided to Visual Studio. This mechanism for Visual Studio authentication has been replaced by the . Creates a new which will authenticate users signed in through developer tools supporting Azure single sign on. Creates a new which will authenticate users signed in through developer tools supporting Azure single sign on. The client options for the newly created . Creates a new which will authenticate users signed in through developer tools supporting Azure single sign on. The username of the user to authenticate. The client options for the newly created . Obtains a token for a user account silently if the user has already authenticated to another Microsoft application participating in SSO through a shared MSAL cache. Acquired tokens are cached by the credential instance. Token lifetime and refreshing is handled automatically. Where possible, reuse credential instances to optimize cache effectiveness. The details of the authentication request. A controlling the request lifetime. An which can be used to authenticate service client calls. Obtains a token for a user account silently if the user has already authenticated to another Microsoft application participating in SSO through a shared MSAL cache. Acquired tokens are cached by the credential instance. Token lifetime and refreshing is handled automatically. Where possible, reuse credential instances to optimize cache effectiveness. The details of the authentication request. A controlling the request lifetime. An which can be used to authenticate service client calls.

Options to configure the authentication. The client id of the application registration used to authenticate users in the cache. Specifies the preferred authentication account username, or UPN, to be retrieved from the shared token cache for single sign on authentication with development tools, in the case multiple accounts are found in the shared token cache. Specifies the tenant id of the preferred authentication account, to be retrieved from the shared token cache for single sign on authentication with development tools, in the case multiple accounts are found in the shared token cache. When set to true the can be used to authenticate to tenants other than the home tenant, requiring and also to be specified. The captured from a previous authentication with an interactive credential, such as the or . Specifies the to be used by the credential. Value cannot be null. Initializes a new instance of . Initializes a new instance of . The that will apply to the token cache used by this credential. Gets or sets the setting which determines whether or not instance discovery is performed when attempting to authenticate. Setting this to true will completely disable both instance discovery and authority validation. This functionality is intended for use in scenarios where the metadata endpoint cannot be reached, such as in private clouds or Azure Stack. The process of instance discovery entails retrieving authority metadata from https://login.microsoft.com/ to validate the authority. By setting this to true, the validation of the authority is disabled. As a result, it is crucial to ensure that the configured authority host is valid and trustworthy.

Options to configure requests made to the OAUTH identity service. Constructs a new instance. The host of the Microsoft Entra authority. The default is https://login.microsoftonline.com/. For well known authority hosts for Azure cloud instances see . Gets or sets a value indicating whether ETW logging that contains potentially sensitive content should be logged. Setting this property to true will not disable redaction of Content.
To enable logging of sensitive the property must be set to true. Setting this property to `true` equates to passing 'true' for the enablePiiLogging parameter to the 'WithLogging' method on the MSAL client builder. Gets or sets whether this credential is part of a chained credential. Gets the credential diagnostic options.

Enables authentication to Microsoft Entra ID using a user's username and password. If the user has MFA enabled this credential will fail to get a token, throwing an . Also, this credential requires a high degree of trust and is not recommended outside of prototyping when more secure credentials can be used. Protected constructor for mocking. Creates an instance of the with the details needed to authenticate against Microsoft Entra ID with a simple username and password. The user account's username, also known as UPN. The user account's password. The Microsoft Entra tenant (directory) ID or name. The client (application) ID of an App Registration in the tenant. Creates an instance of the with the details needed to authenticate against Microsoft Entra ID with a simple username and password. The user account's user name, UPN. The user account's password. The Microsoft Entra tenant (directory) ID or name. The client (application) ID of an App Registration in the tenant. The client options for the newly created UsernamePasswordCredential. Creates an instance of the with the details needed to authenticate against Microsoft Entra ID with a simple username and password. The user account's user name, UPN. The user account's password. The Microsoft Entra tenant (directory) ID or name. The client (application) ID of an App Registration in the tenant. The client options for the newly created UsernamePasswordCredential. Authenticates the user using the specified username and password. A controlling the request lifetime. The of the authenticated account. Authenticates the user using the specified username and password. A controlling the request lifetime. The of the authenticated account. Authenticates the user using the specified username and password. A controlling the request lifetime. The details of the authentication request. The of the authenticated account. Authenticates the user using the specified username and password. A controlling the request lifetime. The details of the authentication request. The of the authenticated account. Obtains a token for a user account, authenticating them using the given username and password. Note: This will fail with an if the specified user account has MFA enabled. Acquired tokens are cached by the credential instance. Token lifetime and refreshing is handled automatically. Where possible, reuse credential instances to optimize cache effectiveness. The details of the authentication request. A controlling the request lifetime. An which can be used to authenticate service client calls. Obtains a token for a user account, authenticating them using the given username and password. Note: This will fail with an if the specified user account has MFA enabled. Acquired tokens are cached by the credential instance. Token lifetime and refreshing is handled automatically. Where possible, reuse credential instances to optimize cache effectiveness. The details of the authentication request. A controlling the request lifetime. An which can be used to authenticate service client calls.

Options to configure the . Specifies the to be used by the credential. If no options are specified, the token cache will not be persisted to disk. For multi-tenant applications, specifies additional tenants for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant in which the application is installed. Gets or sets the setting which determines whether or not instance discovery is performed when attempting to authenticate. Setting this to true will completely disable both instance discovery and authority validation.
This functionality is intended for use in scenarios where the metadata endpoint cannot be reached, such as in private clouds or Azure Stack. The process of instance discovery entails retrieving authority metadata from https://login.microsoft.com/ to validate the authority. By setting this to true, the validation of the authority is disabled. As a result, it is crucial to ensure that the configured authority host is valid and trustworthy.

Enables authentication to Microsoft Entra ID as the user signed in to Visual Studio Code via the 'Azure Account' extension. It's a known issue that `VisualStudioCodeCredential` doesn't work with Azure Account extension versions newer than 0.9.11. A long-term fix to this problem is in progress. In the meantime, consider authenticating with . Creates a new instance of the . Creates a new instance of the with the specified options. Options for configuring the credential. Gets an for the specified set of scopes. The with authentication information. The to use. A valid . Caching and management of the lifespan for the is considered the responsibility of the caller: each call should request a fresh token. Gets an for the specified set of scopes. The with authentication information. The to use. A valid . Caching and management of the lifespan for the is considered the responsibility of the caller: each call should request a fresh token. Options for configuring the . The tenant ID the user will be authenticated to. If not specified, the user will be authenticated to any requested tenant, and by default to the tenant the user originally authenticated to via the Visual Studio Code Azure Account extension. Specifies tenants in addition to the specified for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant the logged in account can access. If no value is specified for , this option will have no effect, and the credential will acquire tokens for any requested tenant.

Enables authentication to Microsoft Entra ID using data from Visual Studio 2017 or later. See for more information on how to configure Visual Studio for Azure development. Creates a new instance of the . Creates a new instance of the with the specified options. Options for configuring the credential. Gets an for the specified set of scopes. The with authentication information. The to use. A valid . Caching and management of the lifespan for the is considered the responsibility of the caller: each call should request a fresh token. Gets an for the specified set of scopes. The with authentication information. The to use. A valid . Caching and management of the lifespan for the is considered the responsibility of the caller: each call should request a fresh token. Options for configuring the . The tenant ID the credential will be authenticated to by default. If not specified, the credential will authenticate to any requested tenant, and will default to the tenant the user originally authenticated to via the Visual Studio Azure Service Account dialog. Specifies tenants in addition to the specified for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant the logged in account can access. If no value is specified for , this option will have no effect, and the credential will acquire tokens for any requested tenant. The Visual Studio process timeout.

WorkloadIdentityCredential supports Microsoft Entra Workload ID authentication on Kubernetes and other hosts supporting workload identity. Refer to Microsoft Entra Workload ID for more information. Creates a new instance of the with the default options. When no options are specified AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_FEDERATED_TOKEN_FILE must be specified in the environment.
Creates a new instance of the with the specified options. Options that allow configuring the management of the requests sent to Microsoft Entra ID. Gets an for the specified set of scopes. The with authentication information. The to use. A valid . Caching and management of the lifespan for the is considered the responsibility of the caller: each call should request a fresh token. Gets an for the specified set of scopes. The with authentication information. The to use. A valid . Caching and management of the lifespan for the is considered the responsibility of the caller: each call should request a fresh token. Options used to configure the . The tenant ID of the service principal. Defaults to the value of the environment variable AZURE_TENANT_ID. The client (application) ID of the service principal. Defaults to the value of the environment variable AZURE_CLIENT_ID. The path to a file containing the workload identity token. Defaults to the value of the environment variable AZURE_FEDERATED_TOKEN_FILE. Gets or sets the setting which determines whether or not instance discovery is performed when attempting to authenticate. Setting this to true will completely disable both instance discovery and authority validation. This functionality is intended for use in scenarios where the metadata endpoint cannot be reached, such as in private clouds or Azure Stack. The process of instance discovery entails retrieving authority metadata from https://login.microsoft.com/ to validate the authority. By setting this to true, the validation of the authority is disabled. As a result, it is crucial to ensure that the configured authority host is valid and trustworthy. Specifies tenants in addition to the specified for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant the logged in account can access. 
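The following is an added example, not code from the Azure.Identity library or its documentation. It shows how the WorkloadIdentityCredential options described above fit together: the credential is built from the three environment variables the description names, authority validation stays on unless a trusted private-cloud authority host is explicitly supplied, extra tenants are allow-listed instead of using the "*" wildcard, and a small caller-side cache honours the documented contract that lifetime management of the returned AccessToken is the caller's responsibility. The partner tenant id, the Key Vault scope and the authority host are placeholders (assumptions, not values from the page).

```csharp
// Added example (not code from the Azure.Identity library or its documentation).
// Assumptions: the partner tenant id, the scope and the authority host below are
// placeholders; replace them with values from your own environment.
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

public static class WorkloadIdentityExample
{
    public static WorkloadIdentityCredential CreateCredential(Uri privateCloudAuthorityHost = null)
    {
        var options = new WorkloadIdentityCredentialOptions
        {
            // These are the same values the credential reads from the environment
            // by default; resolving them here makes a misconfigured pod fail at
            // startup with a clear message instead of at the first GetToken call.
            TenantId = Require("AZURE_TENANT_ID"),
            ClientId = Require("AZURE_CLIENT_ID"),
            TokenFilePath = Require("AZURE_FEDERATED_TOKEN_FILE"),
        };

        // Allow-list one specific extra tenant rather than the "*" wildcard, so the
        // credential cannot be steered into acquiring tokens for arbitrary tenants.
        options.AdditionallyAllowedTenants.Add("<placeholder-partner-tenant-id>");

        // DisableInstanceDiscovery also switches off authority validation, so it is
        // only set together with an explicitly configured, trusted authority host.
        if (privateCloudAuthorityHost != null)
        {
            options.AuthorityHost = privateCloudAuthorityHost;
            options.DisableInstanceDiscovery = true;
        }

        return new WorkloadIdentityCredential(options);
    }

    private static string Require(string name)
    {
        string value = Environment.GetEnvironmentVariable(name);
        if (string.IsNullOrWhiteSpace(value))
            throw new InvalidOperationException($"environment variable {name} is not set");
        return value;
    }
}

// Caller-side cache for a single scope: returns the held token until it is within
// refreshSkew of ExpiresOn, then asks the credential for a fresh one. The semaphore
// makes concurrent callers share one refresh instead of each requesting a token.
public sealed class CachingTokenSource
{
    private readonly TokenCredential _credential;
    private readonly TokenRequestContext _context;
    private readonly TimeSpan _refreshSkew;
    private readonly SemaphoreSlim _gate = new SemaphoreSlim(1, 1);
    private AccessToken _cached;
    private bool _hasToken;

    public CachingTokenSource(TokenCredential credential, string scope, TimeSpan? refreshSkew = null)
    {
        _credential = credential;
        _context = new TokenRequestContext(new[] { scope });
        _refreshSkew = refreshSkew ?? TimeSpan.FromMinutes(5);
    }

    public async Task<AccessToken> GetTokenAsync(CancellationToken cancellationToken = default)
    {
        await _gate.WaitAsync(cancellationToken).ConfigureAwait(false);
        try
        {
            if (!_hasToken || DateTimeOffset.UtcNow >= _cached.ExpiresOn - _refreshSkew)
            {
                _cached = await _credential.GetTokenAsync(_context, cancellationToken).ConfigureAwait(false);
                _hasToken = true;
            }
            return _cached;
        }
        finally
        {
            _gate.Release();
        }
    }
}

public static class Program
{
    public static async Task Main()
    {
        WorkloadIdentityCredential credential = WorkloadIdentityExample.CreateCredential();
        // Placeholder scope; use the .default scope of the resource you call.
        var tokens = new CachingTokenSource(credential, "https://vault.azure.net/.default");
        AccessToken token = await tokens.GetTokenAsync();
        Console.WriteLine($"token acquired; expires {token.ExpiresOn:u}");
    }
}
```

The refresh skew keeps a token from being presented at the very edge of its validity window; five minutes is a conventional choice, not a value taken from the page.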
If no value is specified for , this option will have no effect, and the credential will acquire tokens for any requested tenant. Defaults to the value of the environment variable AZURE_ADDITIONALLY_ALLOWED_TENANTS. An exception indicating a did not attempt to authenticate and retrieve , as its prerequisite information or state was not available. Creates a new with the specified message. The message describing the authentication failure. Creates a new with the specified message. The message describing the authentication failure. The exception underlying the authentication failure. A constructor used for serialization. The . The . Details of the device code to present to a user to allow them to authenticate through the device code authentication flow. User code returned by the service. Device code returned by the service. Verification URL where the user must navigate to authenticate using the device code and credentials. Time when the device code will expire. User friendly text response that can be used for display purposes. Identifier of the client requesting the device code. List of the scopes that would be held by the token. This class is an HttpClient factory which creates an HttpClient which delegates its transport to an HttpPipeline, to enable MSAL to send requests through an Azure.Core HttpPipeline. Model factory that enables mocking for the Azure Identity library. Initializes a new instance of the class for mocking purposes. Sets the . Sets the . Sets the . Sets the . Sets the . A new instance of the for mocking purposes. Initializes a new instance of the class for mocking purposes. Sets the . Sets the . Sets the . Sets the . Sets the . Sets the . Sets the . A new instance of the for mocking purposes. IX509Certificate2Provider provides a way to control how the X509Certificate2 object is fetched. Default Constructor. Creates a new instance of Microsoft.Identity.Client.Extensions.Msal.MsalCacheHelper. 
To configure MSAL to use this cache persistence, call Microsoft.Identity.Client.Extensions.Msal.MsalCacheHelper.RegisterCache(Microsoft.Identity.Client.ITokenCache). Passing null uses a default logger. A new instance of Microsoft.Identity.Client.Extensions.Msal.MsalCacheHelper. Performs a write -> read -> clear using the underlying persistence mechanism and throws a Microsoft.Identity.Client.Extensions.Msal.MsalCachePersistenceException if something goes wrong. Does not overwrite the token cache. Should never fail on Windows and Mac where the cache accessors are guaranteed to exist by the OS. Registers a token cache to synchronize with on disk storage. Unregisters a token cache so it no longer synchronizes with on disk storage. Extracts the token cache data from the persistent store. This method should be used with care. The data returned is unencrypted. UTF-8 byte array of the unencrypted token cache. Saves an unencrypted, UTF-8 encoded byte array representing an MSAL token cache. The save operation will persist the data in a secure location, as configured in Microsoft.Identity.Client.Extensions.Msal.StorageCreationProperties. For mocking purposes only. For mocking purposes only. Resolves the tenantId based on the supplied configuration values. The tenantId passed to the ctor of the Credential. The . Additional tenants the credential is configured to acquire tokens for. The tenantId to be used for authorization. A cache for Tokens. The internal state of the cache. Determines whether the token cache will be associated with CAE enabled requests. If true, this cache services only CAE enabled requests. Otherwise, this cache services non-CAE enabled requests. Creates a new instance of with the specified options. Options controlling the storage of the . Controls whether this cache will be associated with CAE requests or non-CAE requests. A delegate that is called with the cache contents when the underlying has been updated. 
A delegate that will be called before the cache is accessed. The data returned will be used to set the current state of the cache. Details related to a cache delegate. Constructs a new instance with the specified cache bytes. The serialized content of the token cache. The bytes representing the state of the token cache. Options controlling the storage of the token cache. This is an example showing how TokenCachePersistenceOptions and an AuthenticationRecord can be used together to enable silent authentication across executions of a client application.

    using System;
    using System.IO;
    using Azure.Identity;
    using Azure.Security.KeyVault.Secrets;

    // The statements below run inside an async method body. The using directives
    // and the AUTH_RECORD_PATH constant were not part of the sample as extracted;
    // the path value is a placeholder.
    const string TOKEN_CACHE_NAME = "MyTokenCache";
    const string AUTH_RECORD_PATH = "<path-to-authentication-record-file>";
    InteractiveBrowserCredential credential;
    AuthenticationRecord authRecord;

    // Check if an AuthenticationRecord exists on disk.
    // If it does not exist, get one and serialize it to disk.
    // If it does exist, load it from disk and deserialize it.
    if (!File.Exists(AUTH_RECORD_PATH))
    {
        // Construct a credential with TokenCachePersistenceOptions specified to ensure that the token cache is persisted to disk.
        // We can also optionally specify a name for the cache to avoid having it cleared by other applications.
        credential = new InteractiveBrowserCredential(
            new InteractiveBrowserCredentialOptions
            {
                TokenCachePersistenceOptions = new TokenCachePersistenceOptions { Name = TOKEN_CACHE_NAME }
            });

        // Call AuthenticateAsync to fetch a new AuthenticationRecord.
        authRecord = await credential.AuthenticateAsync();

        // Serialize the AuthenticationRecord to disk so that it can be re-used across executions of this initialization code.
        using var authRecordStream = new FileStream(AUTH_RECORD_PATH, FileMode.Create, FileAccess.Write);
        await authRecord.SerializeAsync(authRecordStream);
    }
    else
    {
        // Load the previously serialized AuthenticationRecord from disk and deserialize it.
        using var authRecordStream = new FileStream(AUTH_RECORD_PATH, FileMode.Open, FileAccess.Read);
        authRecord = await AuthenticationRecord.DeserializeAsync(authRecordStream);

        // Construct a new client with our TokenCachePersistenceOptions with the addition of the AuthenticationRecord property.
        // This tells the credential to use the same token cache in addition to which account to try and fetch from cache when GetToken is called.
        credential = new InteractiveBrowserCredential(
            new InteractiveBrowserCredentialOptions
            {
                TokenCachePersistenceOptions = new TokenCachePersistenceOptions { Name = TOKEN_CACHE_NAME },
                AuthenticationRecord = authRecord
            });
    }

    // Construct our client with the credential which is connected to the token cache
    // with the capability of silent authentication for the account specified in the AuthenticationRecord.
    var client = new SecretClient(new Uri("https://myvault.vault.azure.net/"), credential);

Name uniquely identifying the . If set to true the token cache may be persisted as an unencrypted file if no OS level user encryption is available. When set to false the token cache will throw a in the event no OS level user encryption is available. Creates a copy of the . Args sent to TokenCache OnBefore and OnAfter events. A suggested token cache key, which can be used with general purpose storage mechanisms that allow storing key-value pairs and key based retrieval. Useful in applications that store one token cache per user, the recommended pattern for web apps. The value is: homeAccountId for AcquireTokenSilent, GetAccount(homeAccountId), RemoveAccount and when writing tokens on confidential client calls; "{clientId}__AppTokenCache" for AcquireTokenForClient; "{clientId}_{tenantId}_AppTokenCache" for AcquireTokenForClient when using a tenant specific authority; the hash of the original token for AcquireTokenOnBehalfOf. Whether or not the cache is enabled for CAE. Note that this value should be used as an indicator for how the cache will be partitioned. 
Token cache refresh events with this value set to `true` will originate from a different cache instance than those with this value set to `false`. Data regarding an update of a token cache. The instance which was updated. Whether or not the cache is enabled for CAE. Note that this value should be used as an indicator for how the cache will be partitioned. Token cache refresh events with this value set to `true` will originate from a different cache instance than those with this value set to `false`. Exposes client options related to logging, telemetry, and distributed tracing. If true, we try to log the account identifiers by parsing the received access token. The account identifiers we try to log are: the Application or Client Identifier, the User Principal Name, the Tenant Identifier, and the Object Identifier of the authenticated user or application. Options controlling the storage of the token cache. The delegate to be called when the Updated event fires. Returns the bytes used to initialize the token cache. This would most likely have come from the . This implementation will get called by the default implementation of . It is recommended to provide an implementation for rather than this method. Returns the bytes used to initialize the token cache. This would most likely have come from the . It is recommended that if this method is overridden, there is no need to provide a duplicate implementation for the parameterless . The containing information about the current state of the cache. The controlling the lifetime of this operation. As the tenant id is used in constructing authority endpoints and in command line invocation, we validate that the character set of the tenant id matches the allowed characters. PowerShell Legacy can only be used on Windows OS systems. X509Certificate2FromFileProvider provides an X509Certificate2 from a file on disk. It supports both "pfx" and "pem" encoded certificates. X509Certificate2FromObjectProvider provides an X509Certificate2 from an existing instance. 
An HttpMessageHandler which delegates SendAsync to a specified HttpPipeline. Helper for interacting with AppConfig settings and their related Environment variable settings. Determines if either an AppContext switch or its corresponding Environment Variable is set Name of the AppContext switch. Name of the Environment variable. If the AppContext switch has been set, returns the value of the switch. If the AppContext switch has not been set, returns the value of the environment variable. False if neither is set. Argument validation. This class should be shared via source using Azure.Core.props and contain only common argument validation. It is declared partial so that you can use the same familiar class name but extend it with project-specific validation. To extend the functionality of this class, just declare your own partial class with project-specific methods. Be sure to document exceptions thrown by these methods on your public methods. Throws if is null. The value to validate. The name of the parameter. is null. Throws if has not been initialized. The value to validate. The name of the parameter. has not been initialized. Throws if is null or an empty collection. The value to validate. The name of the parameter. is an empty collection. is null. Throws if is null or an empty string. The value to validate. The name of the parameter. is an empty string. is null. Throws if is null, an empty string, or consists only of white-space characters. The value to validate. The name of the parameter. is an empty string or consists only of white-space characters. is null. Throws if is the default value for type . The type of structure to validate which implements . The value to validate. The name of the parameter. is the default value for type . Throws if is less than the or greater than the . The type of to validate which implements . The value to validate. The minimum value to compare. The maximum value to compare. The name of the parameter. Throws if is not defined for . 
The type to validate against. The value to validate. The name of the parameter. is not defined for . Throws if has not been initialized; otherwise, returns . The value to validate. The name of the parameter. has not been initialized. Throws if is null or an empty string; otherwise, returns . The value to validate. The name of the parameter. is an empty string. is null. Throws if is not null. The value to validate. The name of the parameter. The error message. is not null. Represents a heap-based, array-backed output sink into which data can be written. Creates an instance of an , in which data can be written to, with the default initial capacity. Creates an instance of an , in which data can be written to, with an initial capacity specified. The minimum capacity with which to initialize the underlying buffer. Thrown when is not positive (i.e. less than or equal to 0). Returns the data written to the underlying buffer so far, as a . Returns the data written to the underlying buffer so far, as a . Returns the amount of data written to the underlying buffer so far. Returns the total amount of space within the underlying buffer. Returns the amount of space available that can still be written into without forcing the underlying buffer to grow. Clears the data written to the underlying buffer. You must clear the before trying to re-use it. Notifies that amount of data was written to the output /. Thrown when is negative. Thrown when attempting to advance past the end of the underlying buffer. You must request a new buffer after calling Advance to continue writing more data and cannot write to a previously acquired buffer. Returns a to write to that is at least the requested length (specified by ). If no is provided (or it's equal to 0), some non-empty buffer is returned. Thrown when is negative. This will never return an empty . There is no guarantee that successive calls will return the same buffer or the same-sized buffer. 
You must request a new buffer after calling Advance to continue writing more data and cannot write to a previously acquired buffer. Returns a to write to that is at least the requested length (specified by ). If no is provided (or it's equal to 0), some non-empty buffer is returned. Thrown when is negative. This will never return an empty . There is no guarantee that successive calls will return the same buffer or the same-sized buffer. You must request a new buffer after calling Advance to continue writing more data and cannot write to a previously acquired buffer. Primitive that combines an async lock and a value cache. Method that either returns the cached value or acquires a lock. If one caller has acquired a lock, other callers will be waiting for the lock to be released. If the value is set, the lock is released and all waiters get that value. If the value isn't set, the next waiter in the queue will get the lock. Returns true if the lock contains the cached value. Otherwise false. Returns the cached value if it was set when the lock was created. Throws an exception otherwise. Value isn't set. Set the value to the cache and to all the waiters. Value is set already. This attribute should be set on all client assemblies with the value of one of the resource providers from the https://docs.microsoft.com/azure/azure-resource-manager/management/azure-services-resource-providers list. Converts a Base64URL encoded string to a string. The Base64Url encoded string containing UTF8 bytes for a string. The string represented by the Base64URL encoded string. Encode a byte array as a Base64URL encoded string. Raw byte input buffer. The bytes, encoded as a Base64URL string. Converts a Base64URL encoded string to a string. The Base64Url encoded string containing UTF8 bytes for a string. The string represented by the Base64URL encoded string. Encode a string as a Base64URL encoded string. String input buffer. The UTF8 bytes for the string, encoded as a Base64URL string. Initializes a new instance of the class. 
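The following is an added example, not code from the Azure.Identity library. It implements the Base64URL conversions described just above (standard Base64 with '+' and '/' replaced by '-' and '_' and the '=' padding dropped) and applies them to the account-identifier logging option described earlier on this page, which parses the received access token to log the application/client id, user principal name, tenant id and object id. The JWT below is constructed for the example with a placeholder signature segment; reading claims this way serves diagnostic display only, and authorization at a resource must rely on the signature-validated token.

```csharp
// Added example (not code from the Azure.Identity library).
// The sample token is constructed here and is not a real access token.
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.Json;

public static class Base64UrlCodec
{
    // Base64Url is standard Base64 with '+' -> '-', '/' -> '_' and no '=' padding.
    public static string Encode(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    public static byte[] Decode(string encoded)
    {
        string s = encoded.Replace('-', '+').Replace('_', '/');
        switch (s.Length % 4)
        {
            case 2: s += "=="; break;
            case 3: s += "="; break;
            case 1: throw new FormatException("invalid Base64Url length");
        }
        return Convert.FromBase64String(s);
    }

    public static string EncodeString(string text) => Encode(Encoding.UTF8.GetBytes(text));

    public static string DecodeString(string encoded) => Encoding.UTF8.GetString(Decode(encoded));
}

public static class AccessTokenClaims
{
    // The four identifiers the logging option lists. Only these are extracted;
    // no other claim is copied into logs.
    private static readonly string[] LoggableClaims = { "appid", "upn", "tid", "oid" };

    public static IReadOnlyDictionary<string, string> Read(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3)
            throw new FormatException("expected a compact JWT (header.payload.signature)");

        var result = new Dictionary<string, string>();
        // The payload segment is Base64Url-encoded UTF-8 JSON.
        using (JsonDocument payload = JsonDocument.Parse(Base64UrlCodec.Decode(parts[1])))
        {
            foreach (string claim in LoggableClaims)
            {
                if (payload.RootElement.TryGetProperty(claim, out JsonElement value)
                    && value.ValueKind == JsonValueKind.String)
                {
                    result[claim] = value.GetString();
                }
            }
        }
        return result;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample token: header and payload are our own JSON; the
        // signature segment is a placeholder string, so this token verifies nowhere.
        string header = Base64UrlCodec.EncodeString("{\"alg\":\"RS256\",\"typ\":\"JWT\"}");
        string payload = Base64UrlCodec.EncodeString(
            "{\"appid\":\"00000000-0000-0000-0000-000000000001\"," +
            "\"tid\":\"00000000-0000-0000-0000-000000000002\"," +
            "\"oid\":\"00000000-0000-0000-0000-000000000003\"," +
            "\"upn\":\"user@example.com\",\"other_claim\":\"never logged\"}");
        string token = header + "." + payload + ".signature-placeholder";

        // Round trip on bytes whose plain Base64 form ("+/+/AA==") contains every
        // character that Base64Url rewrites; the Base64Url form is "-_-_AA".
        byte[] raw = { 0xfb, 0xff, 0xbf, 0x00 };
        string encoded = Base64UrlCodec.Encode(raw);
        Console.WriteLine($"{encoded} -> {BitConverter.ToString(Base64UrlCodec.Decode(encoded))}");

        foreach (KeyValuePair<string, string> claim in AccessTokenClaims.Read(token))
            Console.WriteLine($"{claim.Key} = {claim.Value}");
    }
}
```

Rejecting a remainder of 1 in Decode matters: a Base64Url string whose length is 1 mod 4 cannot have come from any byte sequence, and padding it silently would hide a corrupted or truncated input.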
The customer provided client options object. Flag controlling if created by this for client method calls should be suppressed when called by other Azure SDK client methods. It's recommended to set it to true for new clients; use default (null) for backward compatibility reasons, or set it to false to explicitly disable suppression for specific cases. The default value could change in the future, the flag should be only set to false if suppression for the client should never be enabled. Initializes a new instance of the class. Namespace of the client class, such as Azure.Storage or Azure.AppConfiguration. Azure Resource Provider namespace of the Azure service SDK is primarily used for. The customer provided client diagnostics options. Flag controlling if created by this for client method calls should be suppressed when called by other Azure SDK client methods. It's recommended to set it to true for new clients, use default (null) for old clients for backward compatibility reasons, or set it to false to explicitly disable suppression for specific cases. The default value could change in the future, the flag should be only set to false if suppression for the client should never be enabled. Adds a link to the scope. This must be called before has been called for the DiagnosticScope. The traceparent for the link. The tracestate for the link. Optional attributes to associate with the link. Sets the trace context for the current scope. The trace parent to set for the current scope. The trace state to set for the current scope. Marks the scope as failed. The exception to associate with the failed scope. Marks the scope as failed with low-cardinality error.type attribute. Error code to associate with the failed scope. Until Activity Source is no longer considered experimental. Creates diagnostic scope factory. The namespace which is used as a prefix for all ActivitySources created by the factory and the name of DiagnosticSource (when used). 
Azure resource provider namespace. Flag indicating if distributed tracing is enabled. Flag indicating if nested Azure SDK activities describing public API calls should be suppressed. Whether instrumentation is considered stable. When false, the experimental feature flag controls if tracing is enabled. Both and are defined as public structs so that foreach can use duck typing to call and avoid heap memory allocation. Please don't delete this method and don't make these types private. This is a very targeted PKCS#8 decoder for use when reading a PKCS#8 encoded RSA private key from a DER encoded ASN.1 blob. In an ideal world, we would be able to call AsymmetricAlgorithm.ImportPkcs8PrivateKey off an RSA object to import the private key from a byte array, which we got from the PEM file. There are a few issues with this however: 1. ImportPkcs8PrivateKey does not exist in the Desktop .NET Framework as of today. 2. ImportPkcs8PrivateKey was added to .NET Core in 3.0, and we'd love to be able to support this on older versions of .NET Core. This code is able to decode RSA keys (without any attributes) from well formed PKCS#8 blobs. Reads PEM streams to parse PEM fields or load certificates. This class provides a downlevel PEM decoder since PemEncoding wasn't added until net5.0. The PemEncoding class takes advantage of other implementation changes in net5.0 and, based on conversations with the .NET team, runtime changes. Loads an from PEM data. The PEM data to parse. Optional public certificate data if not defined within the PEM data. Optional of the certificate private key. The default is to automatically detect. Only support for is implemented by shared code. Whether to create an if no private key is read. A combination of the enumeration values that control where and how to import the certificate. An loaded from the PEM data. A cryptographic exception occurred when trying to create the . is null and no CERTIFICATE field is defined in PEM, or no PRIVATE KEY is defined in PEM. 
The is not supported. Creating a from PEM data is not supported on the current platform. Attempts to read the next PEM field from the given data. The PEM data to parse. The first complete PEM field that was found. True if a valid PEM field was parsed; otherwise, false. To find subsequent fields, pass a slice of past the found . Key type of the certificate private key. The key type is unknown. Attempt to detect the key type. RSA key type. ECDsa key type. A PEM field including its section header and encoded data. The offset of the section from the start of the input PEM stream. A span of the section label from within the PEM stream. A span of the section data from within the PEM stream. The length of the section from the . Decodes the base64-encoded Indicates that the specified method requires the ability to generate new code at runtime, for example through . This allows tools to understand which methods are unsafe to call when compiling ahead of time. Initializes a new instance of the class with the specified message. A message that contains information about the usage of dynamic code. Gets a message that contains information about the usage of dynamic code. Gets or sets an optional URL that contains more information about the method, why it requires dynamic code, and what options a consumer has to deal with it. Indicates that the specified method requires dynamic access to code that is not referenced statically, for example through . This allows tools to understand which methods are unsafe to call when removing unreferenced code from an application. Initializes a new instance of the class with the specified message. A message that contains information about the usage of unreferenced code. Gets a message that contains information about the usage of unreferenced code. Gets or sets an optional URL that contains more information about the method, why it requires unreferenced code, and what options a consumer has to deal with it. 
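The following is an added example, not the library's own PemReader or PemField. It is a minimal reader with the contract the PEM section above describes: TryRead returns the first complete PEM field in the data, reporting its offset, label, encoded body and total length, and a caller finds subsequent fields by passing a slice past the field just found. A field whose END marker is missing or carries a different label is treated as incomplete and not returned. The PEM text is constructed from ASCII filler and contains no real certificate or key; the type and method names are this example's own.

```csharp
// Added example (not the Azure.Identity PemReader). Names are this example's own.
// The PEM input is constructed from filler text; it holds no real certificate or key.
using System;
using System.Collections.Generic;
using System.Text;

public readonly struct PemField
{
    public PemField(int offset, string label, string data, int length)
    {
        Offset = offset; Label = label; Data = data; Length = length;
    }

    public int Offset { get; }     // start of "-----BEGIN" within the input slice
    public string Label { get; }   // e.g. "CERTIFICATE" or "PRIVATE KEY"
    public string Data { get; }    // base64 body, line breaks left in place
    public int Length { get; }     // up to and including the closing "-----"

    // Convert.FromBase64String ignores the line breaks inside the body.
    public byte[] Decode() => Convert.FromBase64String(Data);
}

public static class SimplePemReader
{
    private const string BeginPrefix = "-----BEGIN ";
    private const string EndPrefix = "-----END ";
    private const string Dashes = "-----";

    public static bool TryRead(ReadOnlySpan<char> data, out PemField field)
    {
        field = default;

        int begin = data.IndexOf(BeginPrefix.AsSpan(), StringComparison.Ordinal);
        if (begin < 0) return false;

        ReadOnlySpan<char> afterBegin = data.Slice(begin + BeginPrefix.Length);
        int labelLength = afterBegin.IndexOf(Dashes.AsSpan(), StringComparison.Ordinal);
        if (labelLength < 0) return false;
        string label = afterBegin.Slice(0, labelLength).ToString();

        // The END marker must carry the same label; a mismatched or missing END
        // means the field is incomplete and nothing is returned for it.
        string endMarker = EndPrefix + label + Dashes;
        ReadOnlySpan<char> body = afterBegin.Slice(labelLength + Dashes.Length);
        int bodyLength = body.IndexOf(endMarker.AsSpan(), StringComparison.Ordinal);
        if (bodyLength < 0) return false;

        int length = BeginPrefix.Length + labelLength + Dashes.Length + bodyLength + endMarker.Length;
        field = new PemField(begin, label, body.Slice(0, bodyLength).Trim().ToString(), length);
        return true;
    }

    // Walks every complete field by slicing past each one found, as the page describes.
    public static List<PemField> ReadAll(string pem)
    {
        var fields = new List<PemField>();
        ReadOnlySpan<char> remaining = pem.AsSpan();
        while (TryRead(remaining, out PemField field))
        {
            fields.Add(field);
            remaining = remaining.Slice(field.Offset + field.Length);
        }
        return fields;
    }
}

public static class Program
{
    private static string Section(string label, string filler)
    {
        string body = Convert.ToBase64String(Encoding.ASCII.GetBytes(filler));
        return $"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n";
    }

    public static void Main()
    {
        // Constructed input: text outside any field, two complete fields, and a
        // truncated third field that has no END marker and must be ignored.
        string pem = "# comment line outside any field\n"
            + Section("CERTIFICATE", "not a real certificate, just filler bytes")
            + Section("PRIVATE KEY", "not a real key, just filler bytes")
            + "-----BEGIN CERTIFICATE-----\nAAAA\n";

        foreach (PemField field in SimplePemReader.ReadAll(pem))
        {
            // Report sizes only: decoded PRIVATE KEY bytes are never written to output.
            Console.WriteLine($"{field.Label}: offset {field.Offset}, length {field.Length}, {field.Decode().Length} decoded bytes");
        }
    }
}
```

Offsets are relative to the slice handed to TryRead, which is why ReadAll advances its own span by Offset + Length each iteration rather than tracking absolute positions.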
Suppresses reporting of a specific rule violation, allowing multiple suppressions on a single code artifact. is different than in that it doesn't have a . So it is always preserved in the compiled assembly. Initializes a new instance of the class, specifying the category of the tool and the identifier for an analysis rule. The category for the attribute. The identifier of the analysis rule the attribute applies to. Gets the category identifying the classification of the attribute. The property describes the tool or tool analysis category for which a message suppression attribute applies. Gets the identifier of the analysis tool rule to be suppressed. Concatenated together, the and properties form a unique check identifier. Gets or sets the scope of the code that is relevant for the attribute. The Scope property is an optional argument that specifies the metadata scope for which the attribute is relevant. Gets or sets a fully qualified path that represents the target of the attribute. The property is an optional argument identifying the analysis target of the attribute. An example value is "System.IO.Stream.ctor():System.Void". Because it is fully qualified, it can be long, particularly for targets such as parameters. The analysis tool user interface should be capable of automatically formatting the parameter. Gets or sets an optional argument expanding on exclusion criteria. The property is an optional argument that specifies additional exclusion where the literal metadata target is not sufficiently precise. For example, the cannot be applied within a method, and it may be desirable to suppress a violation against a statement in the method that will give a rule violation, but not against all statements in the method. Gets or sets the justification for suppressing the code analysis message. States a dependency that one member has on another. 
This can be used to inform tooling of a dependency that is otherwise not evident purely from metadata and IL, for example a member relied on via reflection. Initializes a new instance of the class with the specified signature of a member on the same type as the consumer. The signature of the member depended on. Initializes a new instance of the class with the specified signature of a member on a . The signature of the member depended on. The containing . Initializes a new instance of the class with the specified signature of a member on a type in an assembly. The signature of the member depended on. The full name of the type containing the specified member. The assembly name of the type containing the specified member. Initializes a new instance of the class with the specified types of members on a . The types of members depended on. The containing the specified members. Initializes a new instance of the class with the specified types of members on a type in an assembly. The types of members depended on. The full name of the type containing the specified members. The assembly name of the type containing the specified members. Gets the signature of the member depended on. Either must be a valid string or must not equal , but not both. Gets the which specifies the type of members depended on. Either must be a valid string or must not equal , but not both. Gets the containing the specified member. If neither nor are specified, the type of the consumer is assumed. Gets the full name of the type containing the specified member. If neither nor are specified, the type of the consumer is assumed. Gets the assembly name of the specified type. is only valid when is specified. Gets or sets the condition in which the dependency is applicable, e.g. "DEBUG". Indicates that certain members on a specified are accessed dynamically, for example through . This allows tools to understand which members are being accessed during the execution of a program. 
This attribute is valid on members whose type is or . When this attribute is applied to a location of type , the assumption is that the string represents a fully qualified type name. When this attribute is applied to a class, interface, or struct, the members specified can be accessed dynamically on instances returned from calling on instances of that class, interface, or struct. If the attribute is applied to a method it's treated as a special case and it implies the attribute should be applied to the "this" parameter of the method. As such the attribute should only be used on instance methods of types assignable to System.Type (or string, but no methods will use it there). Initializes a new instance of the class with the specified member types. The types of members dynamically accessed. Gets the which specifies the type of members dynamically accessed. Specifies the types of members that are dynamically accessed. This enumeration has a attribute that allows a bitwise combination of its member values. Specifies no members. Specifies the default, parameterless public constructor. Specifies all public constructors. Specifies all non-public constructors. Specifies all public methods. Specifies all non-public methods. Specifies all public fields. Specifies all non-public fields. Specifies all public nested types. Specifies all non-public nested types. Specifies all public properties. Specifies all non-public properties. Specifies all public events. Specifies all non-public events. Specifies all interfaces implemented by the type. Specifies all members. Gets a string containing the displayable value in UserPrincipalName (UPN) format, e.g. john.doe@contoso.com. This can be null. This property replaces the DisplayableId property of IUser in previous versions of MSAL.NET Gets a string containing the identity provider for this account, e.g. login.microsoftonline.com. 
This property replaces the IdentityProvider property of IUser in previous versions of MSAL.NET except that IdentityProvider was a URL with information about the tenant (in addition to the cloud environment), whereas Environment is only the AccountId of the home account for the user. This uniquely identifies the user across AAD tenants. Can be null, for example if this account was migrated to MSAL.NET from ADAL.NET v3's token cache. Returns an enumerator that iterates through the collection. An enumerator that can be used to iterate through the collection. Returns an enumerator that iterates through a collection. An object that can be used to iterate through the collection. Gets the element in the collection at the current position of the enumerator. The element in the collection at the current position of the enumerator.