diff --git a/src/client/Microsoft.Identity.Client/Extensibility/AbstractConfidentialClientAcquireTokenParameterBuilderExtension.cs b/src/client/Microsoft.Identity.Client/Extensibility/AbstractConfidentialClientAcquireTokenParameterBuilderExtension.cs
index 0ac6b478e4..4618d04748 100644
--- a/src/client/Microsoft.Identity.Client/Extensibility/AbstractConfidentialClientAcquireTokenParameterBuilderExtension.cs
+++ b/src/client/Microsoft.Identity.Client/Extensibility/AbstractConfidentialClientAcquireTokenParameterBuilderExtension.cs
@@ -7,10 +7,11 @@ namespace Microsoft.Identity.Client.Extensibility
 {
+    ///
     /// Extensions for all AcquireToken methods
     ///
-    public static partial class AbstractConfidentialClientAcquireTokenParameterBuilderExtension
+    public static class AbstractConfidentialClientAcquireTokenParameterBuilderExtension
     {
         ///
         /// Intervenes in the request pipeline, by executing a user provided delegate before MSAL makes the token request.
diff --git a/src/client/Microsoft.Identity.Client/Extensibility/AcquireTokenForClientBuilderExtensions.cs b/src/client/Microsoft.Identity.Client/Extensibility/AcquireTokenForClientBuilderExtensions.cs
new file mode 100644
index 0000000000..5eab4e7314
--- /dev/null
+++ b/src/client/Microsoft.Identity.Client/Extensibility/AcquireTokenForClientBuilderExtensions.cs
@@ -0,0 +1,39 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.ComponentModel;
+
+namespace Microsoft.Identity.Client.Extensibility
+{
+    ///
+    ///
+    ///
+    public static class AcquireTokenForClientBuilderExtensions
+    {
+        ///
+        /// Binds the token to a key in the cache. L2 cache keys contain the key id.
+        /// No cryptographic operations is performed on the token.
+        ///
+        ///
+        /// A key id to which the access token is associated. The token will not be retrieved from the cache unless the same key id is presented. Can be null.
+        /// AAD issues several types of bound tokens. MSAL checks the token type, which needs to match the value set by ESTS. Normal POP tokens have this as "pop"
+        /// the builder
+        [EditorBrowsable(EditorBrowsableState.Never)] // https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/4789
+        public static AcquireTokenForClientParameterBuilder WithProofOfPosessionKeyId(
+            this AcquireTokenForClientParameterBuilder builder,
+            string keyId,
+            string expectedTokenTypeFromAad = "Bearer")
+        {
+            if (string.IsNullOrEmpty(keyId))
+            {
+                throw new ArgumentNullException(nameof(keyId));
+            }
+
+            builder.ValidateUseOfExperimentalFeature();
+            builder.CommonParameters.AuthenticationScheme = new ExternalBoundTokenScheme(keyId, expectedTokenTypeFromAad);
+
+            return builder;
+        }
+    }
+}
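Review bot: The `<param>` text for keyId ends with "Can be null." while the guard directly below throws ArgumentNullException for null or empty, so the documentation and the behaviour disagree and an empty string is misreported as a null argument; I would drop "Can be null." and split the guard into `if (keyId == null) { throw new ArgumentNullException(nameof(keyId)); }` followed by `if (keyId.Length == 0) { throw new ArgumentException("Key id cannot be empty.", nameof(keyId)); }`. `builder` is dereferenced without a check at `builder.ValidateUseOfExperimentalFeature()`, so a null receiver surfaces as a NullReferenceException rather than `throw new ArgumentNullException(nameof(builder))`. The class-level `<summary>` is empty; a line such as "Extension methods for AcquireTokenForClientParameterBuilder, hidden from IntelliSense while the feature is experimental" would do, and the method summary should read "No cryptographic operations are performed on the token". If the method name is new in this commit rather than carried over from the former partial class, "Posession" should be spelled "Possession" before it ships as public surface. With the default expectedTokenTypeFromAad of "Bearer", the token-type match the docs describe presumably accepts a plain bearer token, so callers binding PoP tokens must pass "pop" explicitly, which is worth stating in that `<param>` text.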