From 9218123bc6ae4f1cab9b2eb90d0eae74434f014d Mon Sep 17 00:00:00 2001
From: Bogdan Gavril <bogavril@microsoft.com>
Date: Thu, 26 Mar 2026 15:51:32 +0000
Subject: [PATCH 1/5] Revert breaking changes introduced in Abstrations 11

---
 Directory.Build.props                         |  2 -
 .../CredentialDescription.cs                  | 48 +----------------
 .../CredentialDescriptionExtensions.cs        | 52 -------------------
 .../PublicAPI/net10.0/PublicAPI.Shipped.txt   | 18 ++-----
 4 files changed, 6 insertions(+), 114 deletions(-)
 delete mode 100644 src/Microsoft.Identity.Abstractions/ApplicationOptions/CredentialDescriptionExtensions.cs

diff --git a/Directory.Build.props b/Directory.Build.props
index 81cc917..1f9718d 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -39,8 +39,6 @@
     <AssemblyOriginatorKeyFile>../../build/MSAL.snk</AssemblyOriginatorKeyFile>
     <GenerateDocumentationFile>true</GenerateDocumentationFile>
     <Nullable>enable</Nullable>
-    <!-- LangVersion set to 14 to enable C# 14 extension properties for .NET 10+ AOT compatibility.
-         Extension properties are required to make CredentialDescription AOT-safe while maintaining source compatibility. -->
     <LangVersion>14</LangVersion>
     <EnablePackageValidation>true</EnablePackageValidation>
     <PackageValidationBaselineVersion>8.0.0</PackageValidationBaselineVersion>
diff --git a/src/Microsoft.Identity.Abstractions/ApplicationOptions/CredentialDescription.cs b/src/Microsoft.Identity.Abstractions/ApplicationOptions/CredentialDescription.cs
index 5a78c2c..d599794 100644
--- a/src/Microsoft.Identity.Abstractions/ApplicationOptions/CredentialDescription.cs
+++ b/src/Microsoft.Identity.Abstractions/ApplicationOptions/CredentialDescription.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
 using System;
@@ -79,7 +79,7 @@ public string Id
             {
                 if (_cachedId == null)
                 {
-                    // Use backing field directly to work in both .NET 10+ and older TFMs
+                    // Use backing field directly for efficiency
                     string certificateThumbprint = _certificate?.Thumbprint ?? "null";
 
                     switch (SourceType)
@@ -531,49 +531,6 @@ public string? SignedAssertionFileDiskPath
         /// <remarks>If you want to use the default authority, don't provide a token exchange authority URL.</remarks>
         public string? TokenExchangeAuthority { get; set; }
 
-#if NET10_0_OR_GREATER
-        // For .NET 10+, use protected internal methods to avoid AOT issues with configuration binders
-        // Extension properties (defined in CredentialDescriptionExtensions.cs) provide property-style access
-        // Methods are protected internal to allow derived classes to access them
-
-        /// <summary>
-        /// Gets the certificate. For .NET 10+, use the Certificate extension property instead.
-        /// This method is protected internal to allow derived classes to access the certificate.
-        /// </summary>
-#pragma warning disable CA1024 // Use properties where appropriate
-        protected internal X509Certificate2? GetCertificateInternal() => _certificate;
-#pragma warning restore CA1024 // Use properties where appropriate
-
-        /// <summary>
-        /// Sets the certificate. For .NET 10+, use the Certificate extension property instead.
-        /// This method is protected internal to allow derived classes to set the certificate.
-        /// </summary>
-        protected internal void SetCertificateInternal(X509Certificate2? value)
-        {
-            _certificate = value;
-            // Cached Id can depend on the certificate thumbprint. Set it to null so that it will be recomputed.
-            _cachedId = null;
-        }
-
-        /// <summary>
-        /// Gets the cached value. For .NET 10+, use the CachedValue extension property instead.
-        /// This method is protected internal to allow derived classes to access the cached value.
-        /// </summary>
-#pragma warning disable CA1024 // Use properties where appropriate
-        protected internal object? GetCachedValueInternal() => _cachedValue;
-#pragma warning restore CA1024 // Use properties where appropriate
-
-        /// <summary>
-        /// Sets the cached value. For .NET 10+, use the CachedValue extension property instead.
-        /// This method is protected internal to allow derived classes to set the cached value.
-        /// </summary>
-        protected internal void SetCachedValueInternal(object? value)
-        {
-            _cachedValue = value;
-            // Cached Id can depend on the cached value. Set it to null so that it will be recomputed.
-            _cachedId = null;
-        }
-#else
         /// <summary>
         /// When <see cref="SourceType"/> is <see cref="CredentialSource.Certificate"/>, you will use this property to provide the certificate yourself.
         /// When <see cref="SourceType"/> is <see cref="CredentialSource.Base64Encoded"/> or <see cref="CredentialSource.KeyVault"/>
@@ -607,7 +564,6 @@ public virtual object? CachedValue
                 _cachedId = null;
             }
         }
-#endif
 
         /// <summary>
         /// Skip this credential description. This is useful when, you specify a list of
diff --git a/src/Microsoft.Identity.Abstractions/ApplicationOptions/CredentialDescriptionExtensions.cs b/src/Microsoft.Identity.Abstractions/ApplicationOptions/CredentialDescriptionExtensions.cs
deleted file mode 100644
index 9526e31..0000000
--- a/src/Microsoft.Identity.Abstractions/ApplicationOptions/CredentialDescriptionExtensions.cs
+++ /dev/null
@@ -1,52 +0,0 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
-// Licensed under the MIT License.
-
-#if NET10_0_OR_GREATER
-using System.Security.Cryptography.X509Certificates;
-
-namespace Microsoft.Identity.Abstractions
-{
-    /// <summary>
-    /// Provides extension properties for <see cref="CredentialDescription"/> instances (.NET 10+ only).
-    /// These extension properties provide property-style access to Certificate and CachedValue
-    /// while keeping them hidden from AOT/NativeAOT configuration binders.
-    /// </summary>
-    /// <remarks>
-    /// This uses C# 14 extension property syntax. While C# 14 extension properties as a language feature
-    /// are available on any target framework, for this library they are only exposed on .NET 10+ by design
-    /// to avoid binary breaking changes on older frameworks.
-    /// The extension block defines properties that appear as instance properties on CredentialDescription
-    /// but are not part of the type's public API surface visible to reflection-based tools like configuration binders.
-    /// </remarks>
-    public static class CredentialDescriptionExtensions
-    {
-#pragma warning disable CA1034 // Do not nest type - this is intentional C# 14 extension block syntax
-        // C# 14 extension block syntax - defines extension properties on CredentialDescription
-        extension(CredentialDescription credential)
-        {
-            /// <summary>
-            /// When <see cref="CredentialDescription.SourceType"/> is <see cref="CredentialSource.Certificate"/>, you will use this property to provide the certificate yourself.
-            /// When <see cref="CredentialDescription.SourceType"/> is <see cref="CredentialSource.Base64Encoded"/> or <see cref="CredentialSource.KeyVault"/>
-            /// or <see cref="CredentialSource.Path"/> or <see cref="CredentialSource.StoreWithDistinguishedName"/> or <see cref="CredentialSource.StoreWithThumbprint"/>
-            /// after the certificate is retrieved by a <see cref="ICredentialsLoader"/>, it will be stored in this property and also in the <b>CachedValue</b> property.
-            /// </summary>
-            public X509Certificate2? Certificate
-            {
-                get => credential.GetCertificateInternal();
-                set => credential.SetCertificateInternal(value);
-            }
-
-            /// <summary>
-            /// When the credential is retrieved by a <see cref="ICredentialsLoader"/>, it will be stored in this property, where you can retrieve it. If the credential is a certificate,
-            /// it will also be stored in the <b>Certificate</b> property.
-            /// </summary>
-            public object? CachedValue
-            {
-                get => credential.GetCachedValueInternal();
-                set => credential.SetCachedValueInternal(value);
-            }
-        }
-#pragma warning restore CA1034
-    }
-}
-#endif
diff --git a/src/Microsoft.Identity.Abstractions/PublicAPI/net10.0/PublicAPI.Shipped.txt b/src/Microsoft.Identity.Abstractions/PublicAPI/net10.0/PublicAPI.Shipped.txt
index ca9febd..366931b 100644
--- a/src/Microsoft.Identity.Abstractions/PublicAPI/net10.0/PublicAPI.Shipped.txt
+++ b/src/Microsoft.Identity.Abstractions/PublicAPI/net10.0/PublicAPI.Shipped.txt
@@ -102,6 +102,8 @@ Microsoft.Identity.Abstractions.CredentialDescription.Algorithm.get -> string?
 Microsoft.Identity.Abstractions.CredentialDescription.Algorithm.set -> void
 Microsoft.Identity.Abstractions.CredentialDescription.Base64EncodedValue.get -> string?
 Microsoft.Identity.Abstractions.CredentialDescription.Base64EncodedValue.set -> void
+Microsoft.Identity.Abstractions.CredentialDescription.Certificate.get -> System.Security.Cryptography.X509Certificates.X509Certificate2?
+Microsoft.Identity.Abstractions.CredentialDescription.Certificate.set -> void
 Microsoft.Identity.Abstractions.CredentialDescription.CertificateDiskPath.get -> string?
 Microsoft.Identity.Abstractions.CredentialDescription.CertificateDiskPath.set -> void
 Microsoft.Identity.Abstractions.CredentialDescription.CertificateDistinguishedName.get -> string?
@@ -125,8 +127,6 @@ Microsoft.Identity.Abstractions.CredentialDescription.CustomSignedAssertionProvi
 Microsoft.Identity.Abstractions.CredentialDescription.CustomSignedAssertionProviderName.set -> void
 Microsoft.Identity.Abstractions.CredentialDescription.DecryptKeysAuthenticationOptions.get -> Microsoft.Identity.Abstractions.AuthorizationHeaderProviderOptions?
 Microsoft.Identity.Abstractions.CredentialDescription.DecryptKeysAuthenticationOptions.set -> void
-Microsoft.Identity.Abstractions.CredentialDescription.GetCachedValueInternal() -> object?
-Microsoft.Identity.Abstractions.CredentialDescription.GetCertificateInternal() -> System.Security.Cryptography.X509Certificates.X509Certificate2?
 Microsoft.Identity.Abstractions.CredentialDescription.Id.get -> string!
 Microsoft.Identity.Abstractions.CredentialDescription.KeyVaultCertificateName.get -> string?
 Microsoft.Identity.Abstractions.CredentialDescription.KeyVaultCertificateName.set -> void
@@ -134,8 +134,6 @@ Microsoft.Identity.Abstractions.CredentialDescription.KeyVaultUrl.get -> string?
 Microsoft.Identity.Abstractions.CredentialDescription.KeyVaultUrl.set -> void
 Microsoft.Identity.Abstractions.CredentialDescription.ManagedIdentityClientId.get -> string?
 Microsoft.Identity.Abstractions.CredentialDescription.ManagedIdentityClientId.set -> void
-Microsoft.Identity.Abstractions.CredentialDescription.SetCachedValueInternal(object? value) -> void
-Microsoft.Identity.Abstractions.CredentialDescription.SetCertificateInternal(System.Security.Cryptography.X509Certificates.X509Certificate2? value) -> void
 Microsoft.Identity.Abstractions.CredentialDescription.SignedAssertionFileDiskPath.get -> string?
 Microsoft.Identity.Abstractions.CredentialDescription.SignedAssertionFileDiskPath.set -> void
 Microsoft.Identity.Abstractions.CredentialDescription.Skip.get -> bool
@@ -146,12 +144,6 @@ Microsoft.Identity.Abstractions.CredentialDescription.TokenExchangeAuthority.get
 Microsoft.Identity.Abstractions.CredentialDescription.TokenExchangeAuthority.set -> void
 Microsoft.Identity.Abstractions.CredentialDescription.TokenExchangeUrl.get -> string?
 Microsoft.Identity.Abstractions.CredentialDescription.TokenExchangeUrl.set -> void
-Microsoft.Identity.Abstractions.CredentialDescriptionExtensions
-Microsoft.Identity.Abstractions.CredentialDescriptionExtensions.extension(Microsoft.Identity.Abstractions.CredentialDescription!)
-Microsoft.Identity.Abstractions.CredentialDescriptionExtensions.extension(Microsoft.Identity.Abstractions.CredentialDescription!).CachedValue.get -> object?
-Microsoft.Identity.Abstractions.CredentialDescriptionExtensions.extension(Microsoft.Identity.Abstractions.CredentialDescription!).CachedValue.set -> void
-Microsoft.Identity.Abstractions.CredentialDescriptionExtensions.extension(Microsoft.Identity.Abstractions.CredentialDescription!).Certificate.get -> System.Security.Cryptography.X509Certificates.X509Certificate2?
-Microsoft.Identity.Abstractions.CredentialDescriptionExtensions.extension(Microsoft.Identity.Abstractions.CredentialDescription!).Certificate.set -> void
 Microsoft.Identity.Abstractions.CredentialDescriptionJsonConverter
 Microsoft.Identity.Abstractions.CredentialDescriptionJsonConverter.CredentialDescriptionJsonConverter() -> void
 Microsoft.Identity.Abstractions.CredentialSource
@@ -358,13 +350,11 @@ static Microsoft.Identity.Abstractions.AcquireTokenOptions.LongRunningWebApiSess
 static Microsoft.Identity.Abstractions.AuthorizationHeaderResult.implicit operator Microsoft.Identity.Abstractions.AuthorizationHeaderResult!(Microsoft.Identity.Abstractions.AuthorizationHeaderError! error) -> Microsoft.Identity.Abstractions.AuthorizationHeaderResult!
 static Microsoft.Identity.Abstractions.AuthorizationHeaderResult.implicit operator Microsoft.Identity.Abstractions.AuthorizationHeaderResult!(Microsoft.Identity.Abstractions.AuthorizationHeaderInformation! info) -> Microsoft.Identity.Abstractions.AuthorizationHeaderResult!
 static Microsoft.Identity.Abstractions.AuthorizationHeaderResult.implicit operator string!(Microsoft.Identity.Abstractions.AuthorizationHeaderResult! result) -> string!
-static Microsoft.Identity.Abstractions.CredentialDescriptionExtensions.get_CachedValue(Microsoft.Identity.Abstractions.CredentialDescription! credential) -> object?
-static Microsoft.Identity.Abstractions.CredentialDescriptionExtensions.get_Certificate(Microsoft.Identity.Abstractions.CredentialDescription! credential) -> System.Security.Cryptography.X509Certificates.X509Certificate2?
-static Microsoft.Identity.Abstractions.CredentialDescriptionExtensions.set_CachedValue(Microsoft.Identity.Abstractions.CredentialDescription! credential, object? value) -> void
-static Microsoft.Identity.Abstractions.CredentialDescriptionExtensions.set_Certificate(Microsoft.Identity.Abstractions.CredentialDescription! credential, System.Security.Cryptography.X509Certificates.X509Certificate2? value) -> void
 static Microsoft.Identity.Abstractions.OperationResult<TResult, TError>.implicit operator Microsoft.Identity.Abstractions.OperationResult<TResult, TError!>(TError! error) -> Microsoft.Identity.Abstractions.OperationResult<TResult, TError!>
 static Microsoft.Identity.Abstractions.OperationResult<TResult, TError>.implicit operator Microsoft.Identity.Abstractions.OperationResult<TResult, TError!>(TResult result) -> Microsoft.Identity.Abstractions.OperationResult<TResult, TError!>
 virtual Microsoft.Identity.Abstractions.AcquireTokenOptions.Clone() -> Microsoft.Identity.Abstractions.AcquireTokenOptions!
 virtual Microsoft.Identity.Abstractions.AuthorizationHeaderProviderOptions.CloneInternal() -> Microsoft.Identity.Abstractions.AuthorizationHeaderProviderOptions!
+virtual Microsoft.Identity.Abstractions.CredentialDescription.CachedValue.get -> object?
+virtual Microsoft.Identity.Abstractions.CredentialDescription.CachedValue.set -> void
 virtual Microsoft.Identity.Abstractions.IdentityApplicationOptions.Authority.get -> string?
 virtual Microsoft.Identity.Abstractions.IdentityApplicationOptions.Authority.set -> void

From 289c0b8d685b3de7df8287620796ab7d989309d1 Mon Sep 17 00:00:00 2001
From: Bogdan Gavril <bogavril@microsoft.com>
Date: Thu, 26 Mar 2026 16:02:58 +0000
Subject: [PATCH 2/5] Supressions

---
 .../CompatibilitySuppressions.xml             | 24 -------------------
 1 file changed, 24 deletions(-)

diff --git a/src/Microsoft.Identity.Abstractions/CompatibilitySuppressions.xml b/src/Microsoft.Identity.Abstractions/CompatibilitySuppressions.xml
index 65b2998..17afab9 100644
--- a/src/Microsoft.Identity.Abstractions/CompatibilitySuppressions.xml
+++ b/src/Microsoft.Identity.Abstractions/CompatibilitySuppressions.xml
@@ -1,30 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!-- https://learn.microsoft.com/dotnet/fundamentals/package-validation/diagnostic-ids -->
 <Suppressions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
-  <Suppression>
-    <DiagnosticId>CP0002</DiagnosticId>
-    <Target>M:Microsoft.Identity.Abstractions.CredentialDescription.get_CachedValue</Target>
-    <Left>lib/net9.0/Microsoft.Identity.Abstractions.dll</Left>
-    <Right>lib/net10.0/Microsoft.Identity.Abstractions.dll</Right>
-  </Suppression>
-  <Suppression>
-    <DiagnosticId>CP0002</DiagnosticId>
-    <Target>M:Microsoft.Identity.Abstractions.CredentialDescription.get_Certificate</Target>
-    <Left>lib/net9.0/Microsoft.Identity.Abstractions.dll</Left>
-    <Right>lib/net10.0/Microsoft.Identity.Abstractions.dll</Right>
-  </Suppression>
-  <Suppression>
-    <DiagnosticId>CP0002</DiagnosticId>
-    <Target>M:Microsoft.Identity.Abstractions.CredentialDescription.set_CachedValue(System.Object)</Target>
-    <Left>lib/net9.0/Microsoft.Identity.Abstractions.dll</Left>
-    <Right>lib/net10.0/Microsoft.Identity.Abstractions.dll</Right>
-  </Suppression>
-  <Suppression>
-    <DiagnosticId>CP0002</DiagnosticId>
-    <Target>M:Microsoft.Identity.Abstractions.CredentialDescription.set_Certificate(System.Security.Cryptography.X509Certificates.X509Certificate2)</Target>
-    <Left>lib/net9.0/Microsoft.Identity.Abstractions.dll</Left>
-    <Right>lib/net10.0/Microsoft.Identity.Abstractions.dll</Right>
-  </Suppression>
   <Suppression>
     <DiagnosticId>CP0006</DiagnosticId>
     <Target>M:Microsoft.Identity.Abstractions.IDownstreamApi.PatchForAppAsync``1(System.String,``0,System.Action{Microsoft.Identity.Abstractions.DownstreamApiOptionsReadOnlyHttpMethod},System.Threading.CancellationToken)</Target>

From bd061dc3ba831279c429d7410f3310031907e3c4 Mon Sep 17 00:00:00 2001
From: Bogdan Gavril <bogavril@microsoft.com>
Date: Thu, 26 Mar 2026 15:51:32 +0000
Subject: [PATCH 3/5] Revert breaking changes introduced in Abstrations 11

---
 Directory.Build.props                         |  2 -
 .../CredentialDescription.cs                  | 48 +----------------
 .../CredentialDescriptionExtensions.cs        | 52 -------------------
 .../PublicAPI/net10.0/PublicAPI.Shipped.txt   | 18 ++-----
 4 files changed, 6 insertions(+), 114 deletions(-)
 delete mode 100644 src/Microsoft.Identity.Abstractions/ApplicationOptions/CredentialDescriptionExtensions.cs

diff --git a/Directory.Build.props b/Directory.Build.props
index 81cc917..1f9718d 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -39,8 +39,6 @@
     <AssemblyOriginatorKeyFile>../../build/MSAL.snk</AssemblyOriginatorKeyFile>
     <GenerateDocumentationFile>true</GenerateDocumentationFile>
     <Nullable>enable</Nullable>
-    <!-- LangVersion set to 14 to enable C# 14 extension properties for .NET 10+ AOT compatibility.
-         Extension properties are required to make CredentialDescription AOT-safe while maintaining source compatibility. -->
     <LangVersion>14</LangVersion>
     <EnablePackageValidation>true</EnablePackageValidation>
     <PackageValidationBaselineVersion>8.0.0</PackageValidationBaselineVersion>
diff --git a/src/Microsoft.Identity.Abstractions/ApplicationOptions/CredentialDescription.cs b/src/Microsoft.Identity.Abstractions/ApplicationOptions/CredentialDescription.cs
index 5a78c2c..d599794 100644
--- a/src/Microsoft.Identity.Abstractions/ApplicationOptions/CredentialDescription.cs
+++ b/src/Microsoft.Identity.Abstractions/ApplicationOptions/CredentialDescription.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
 using System;
@@ -79,7 +79,7 @@ public string Id
             {
                 if (_cachedId == null)
                 {
-                    // Use backing field directly to work in both .NET 10+ and older TFMs
+                    // Use backing field directly for efficiency
                     string certificateThumbprint = _certificate?.Thumbprint ?? "null";
 
                     switch (SourceType)
@@ -531,49 +531,6 @@ public string? SignedAssertionFileDiskPath
         /// <remarks>If you want to use the default authority, don't provide a token exchange authority URL.</remarks>
         public string? TokenExchangeAuthority { get; set; }
 
-#if NET10_0_OR_GREATER
-        // For .NET 10+, use protected internal methods to avoid AOT issues with configuration binders
-        // Extension properties (defined in CredentialDescriptionExtensions.cs) provide property-style access
-        // Methods are protected internal to allow derived classes to access them
-
-        /// <summary>
-        /// Gets the certificate. For .NET 10+, use the Certificate extension property instead.
-        /// This method is protected internal to allow derived classes to access the certificate.
-        /// </summary>
-#pragma warning disable CA1024 // Use properties where appropriate
-        protected internal X509Certificate2? GetCertificateInternal() => _certificate;
-#pragma warning restore CA1024 // Use properties where appropriate
-
-        /// <summary>
-        /// Sets the certificate. For .NET 10+, use the Certificate extension property instead.
-        /// This method is protected internal to allow derived classes to set the certificate.
-        /// </summary>
-        protected internal void SetCertificateInternal(X509Certificate2? value)
-        {
-            _certificate = value;
-            // Cached Id can depend on the certificate thumbprint. Set it to null so that it will be recomputed.
-            _cachedId = null;
-        }
-
-        /// <summary>
-        /// Gets the cached value. For .NET 10+, use the CachedValue extension property instead.
-        /// This method is protected internal to allow derived classes to access the cached value.
-        /// </summary>
-#pragma warning disable CA1024 // Use properties where appropriate
-        protected internal object? GetCachedValueInternal() => _cachedValue;
-#pragma warning restore CA1024 // Use properties where appropriate
-
-        /// <summary>
-        /// Sets the cached value. For .NET 10+, use the CachedValue extension property instead.
-        /// This method is protected internal to allow derived classes to set the cached value.
-        /// </summary>
-        protected internal void SetCachedValueInternal(object? value)
-        {
-            _cachedValue = value;
-            // Cached Id can depend on the cached value. Set it to null so that it will be recomputed.
-            _cachedId = null;
-        }
-#else
         /// <summary>
         /// When <see cref="SourceType"/> is <see cref="CredentialSource.Certificate"/>, you will use this property to provide the certificate yourself.
         /// When <see cref="SourceType"/> is <see cref="CredentialSource.Base64Encoded"/> or <see cref="CredentialSource.KeyVault"/>
@@ -607,7 +564,6 @@ public virtual object? CachedValue
                 _cachedId = null;
             }
         }
-#endif
 
         /// <summary>
         /// Skip this credential description. This is useful when, you specify a list of
diff --git a/src/Microsoft.Identity.Abstractions/ApplicationOptions/CredentialDescriptionExtensions.cs b/src/Microsoft.Identity.Abstractions/ApplicationOptions/CredentialDescriptionExtensions.cs
deleted file mode 100644
index 9526e31..0000000
--- a/src/Microsoft.Identity.Abstractions/ApplicationOptions/CredentialDescriptionExtensions.cs
+++ /dev/null
@@ -1,52 +0,0 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
-// Licensed under the MIT License.
-
-#if NET10_0_OR_GREATER
-using System.Security.Cryptography.X509Certificates;
-
-namespace Microsoft.Identity.Abstractions
-{
-    /// <summary>
-    /// Provides extension properties for <see cref="CredentialDescription"/> instances (.NET 10+ only).
-    /// These extension properties provide property-style access to Certificate and CachedValue
-    /// while keeping them hidden from AOT/NativeAOT configuration binders.
-    /// </summary>
-    /// <remarks>
-    /// This uses C# 14 extension property syntax. While C# 14 extension properties as a language feature
-    /// are available on any target framework, for this library they are only exposed on .NET 10+ by design
-    /// to avoid binary breaking changes on older frameworks.
-    /// The extension block defines properties that appear as instance properties on CredentialDescription
-    /// but are not part of the type's public API surface visible to reflection-based tools like configuration binders.
-    /// </remarks>
-    public static class CredentialDescriptionExtensions
-    {
-#pragma warning disable CA1034 // Do not nest type - this is intentional C# 14 extension block syntax
-        // C# 14 extension block syntax - defines extension properties on CredentialDescription
-        extension(CredentialDescription credential)
-        {
-            /// <summary>
-            /// When <see cref="CredentialDescription.SourceType"/> is <see cref="CredentialSource.Certificate"/>, you will use this property to provide the certificate yourself.
-            /// When <see cref="CredentialDescription.SourceType"/> is <see cref="CredentialSource.Base64Encoded"/> or <see cref="CredentialSource.KeyVault"/>
-            /// or <see cref="CredentialSource.Path"/> or <see cref="CredentialSource.StoreWithDistinguishedName"/> or <see cref="CredentialSource.StoreWithThumbprint"/>
-            /// after the certificate is retrieved by a <see cref="ICredentialsLoader"/>, it will be stored in this property and also in the <b>CachedValue</b> property.
-            /// </summary>
-            public X509Certificate2? Certificate
-            {
-                get => credential.GetCertificateInternal();
-                set => credential.SetCertificateInternal(value);
-            }
-
-            /// <summary>
-            /// When the credential is retrieved by a <see cref="ICredentialsLoader"/>, it will be stored in this property, where you can retrieve it. If the credential is a certificate,
-            /// it will also be stored in the <b>Certificate</b> property.
-            /// </summary>
-            public object? CachedValue
-            {
-                get => credential.GetCachedValueInternal();
-                set => credential.SetCachedValueInternal(value);
-            }
-        }
-#pragma warning restore CA1034
-    }
-}
-#endif
diff --git a/src/Microsoft.Identity.Abstractions/PublicAPI/net10.0/PublicAPI.Shipped.txt b/src/Microsoft.Identity.Abstractions/PublicAPI/net10.0/PublicAPI.Shipped.txt
index ca9febd..366931b 100644
--- a/src/Microsoft.Identity.Abstractions/PublicAPI/net10.0/PublicAPI.Shipped.txt
+++ b/src/Microsoft.Identity.Abstractions/PublicAPI/net10.0/PublicAPI.Shipped.txt
@@ -102,6 +102,8 @@ Microsoft.Identity.Abstractions.CredentialDescription.Algorithm.get -> string?
 Microsoft.Identity.Abstractions.CredentialDescription.Algorithm.set -> void
 Microsoft.Identity.Abstractions.CredentialDescription.Base64EncodedValue.get -> string?
 Microsoft.Identity.Abstractions.CredentialDescription.Base64EncodedValue.set -> void
+Microsoft.Identity.Abstractions.CredentialDescription.Certificate.get -> System.Security.Cryptography.X509Certificates.X509Certificate2?
+Microsoft.Identity.Abstractions.CredentialDescription.Certificate.set -> void
 Microsoft.Identity.Abstractions.CredentialDescription.CertificateDiskPath.get -> string?
 Microsoft.Identity.Abstractions.CredentialDescription.CertificateDiskPath.set -> void
 Microsoft.Identity.Abstractions.CredentialDescription.CertificateDistinguishedName.get -> string?
@@ -125,8 +127,6 @@ Microsoft.Identity.Abstractions.CredentialDescription.CustomSignedAssertionProvi
 Microsoft.Identity.Abstractions.CredentialDescription.CustomSignedAssertionProviderName.set -> void
 Microsoft.Identity.Abstractions.CredentialDescription.DecryptKeysAuthenticationOptions.get -> Microsoft.Identity.Abstractions.AuthorizationHeaderProviderOptions?
 Microsoft.Identity.Abstractions.CredentialDescription.DecryptKeysAuthenticationOptions.set -> void
-Microsoft.Identity.Abstractions.CredentialDescription.GetCachedValueInternal() -> object?
-Microsoft.Identity.Abstractions.CredentialDescription.GetCertificateInternal() -> System.Security.Cryptography.X509Certificates.X509Certificate2?
 Microsoft.Identity.Abstractions.CredentialDescription.Id.get -> string!
 Microsoft.Identity.Abstractions.CredentialDescription.KeyVaultCertificateName.get -> string?
 Microsoft.Identity.Abstractions.CredentialDescription.KeyVaultCertificateName.set -> void
@@ -134,8 +134,6 @@ Microsoft.Identity.Abstractions.CredentialDescription.KeyVaultUrl.get -> string?
 Microsoft.Identity.Abstractions.CredentialDescription.KeyVaultUrl.set -> void
 Microsoft.Identity.Abstractions.CredentialDescription.ManagedIdentityClientId.get -> string?
 Microsoft.Identity.Abstractions.CredentialDescription.ManagedIdentityClientId.set -> void
-Microsoft.Identity.Abstractions.CredentialDescription.SetCachedValueInternal(object? value) -> void
-Microsoft.Identity.Abstractions.CredentialDescription.SetCertificateInternal(System.Security.Cryptography.X509Certificates.X509Certificate2? value) -> void
 Microsoft.Identity.Abstractions.CredentialDescription.SignedAssertionFileDiskPath.get -> string?
 Microsoft.Identity.Abstractions.CredentialDescription.SignedAssertionFileDiskPath.set -> void
 Microsoft.Identity.Abstractions.CredentialDescription.Skip.get -> bool
@@ -146,12 +144,6 @@ Microsoft.Identity.Abstractions.CredentialDescription.TokenExchangeAuthority.get
 Microsoft.Identity.Abstractions.CredentialDescription.TokenExchangeAuthority.set -> void
 Microsoft.Identity.Abstractions.CredentialDescription.TokenExchangeUrl.get -> string?
 Microsoft.Identity.Abstractions.CredentialDescription.TokenExchangeUrl.set -> void
-Microsoft.Identity.Abstractions.CredentialDescriptionExtensions
-Microsoft.Identity.Abstractions.CredentialDescriptionExtensions.extension(Microsoft.Identity.Abstractions.CredentialDescription!)
-Microsoft.Identity.Abstractions.CredentialDescriptionExtensions.extension(Microsoft.Identity.Abstractions.CredentialDescription!).CachedValue.get -> object?
-Microsoft.Identity.Abstractions.CredentialDescriptionExtensions.extension(Microsoft.Identity.Abstractions.CredentialDescription!).CachedValue.set -> void
-Microsoft.Identity.Abstractions.CredentialDescriptionExtensions.extension(Microsoft.Identity.Abstractions.CredentialDescription!).Certificate.get -> System.Security.Cryptography.X509Certificates.X509Certificate2?
-Microsoft.Identity.Abstractions.CredentialDescriptionExtensions.extension(Microsoft.Identity.Abstractions.CredentialDescription!).Certificate.set -> void
 Microsoft.Identity.Abstractions.CredentialDescriptionJsonConverter
 Microsoft.Identity.Abstractions.CredentialDescriptionJsonConverter.CredentialDescriptionJsonConverter() -> void
 Microsoft.Identity.Abstractions.CredentialSource
@@ -358,13 +350,11 @@ static Microsoft.Identity.Abstractions.AcquireTokenOptions.LongRunningWebApiSess
 static Microsoft.Identity.Abstractions.AuthorizationHeaderResult.implicit operator Microsoft.Identity.Abstractions.AuthorizationHeaderResult!(Microsoft.Identity.Abstractions.AuthorizationHeaderError! error) -> Microsoft.Identity.Abstractions.AuthorizationHeaderResult!
 static Microsoft.Identity.Abstractions.AuthorizationHeaderResult.implicit operator Microsoft.Identity.Abstractions.AuthorizationHeaderResult!(Microsoft.Identity.Abstractions.AuthorizationHeaderInformation! info) -> Microsoft.Identity.Abstractions.AuthorizationHeaderResult!
 static Microsoft.Identity.Abstractions.AuthorizationHeaderResult.implicit operator string!(Microsoft.Identity.Abstractions.AuthorizationHeaderResult! result) -> string!
-static Microsoft.Identity.Abstractions.CredentialDescriptionExtensions.get_CachedValue(Microsoft.Identity.Abstractions.CredentialDescription! credential) -> object?
-static Microsoft.Identity.Abstractions.CredentialDescriptionExtensions.get_Certificate(Microsoft.Identity.Abstractions.CredentialDescription! credential) -> System.Security.Cryptography.X509Certificates.X509Certificate2?
-static Microsoft.Identity.Abstractions.CredentialDescriptionExtensions.set_CachedValue(Microsoft.Identity.Abstractions.CredentialDescription! credential, object? value) -> void
-static Microsoft.Identity.Abstractions.CredentialDescriptionExtensions.set_Certificate(Microsoft.Identity.Abstractions.CredentialDescription! credential, System.Security.Cryptography.X509Certificates.X509Certificate2? value) -> void
 static Microsoft.Identity.Abstractions.OperationResult<TResult, TError>.implicit operator Microsoft.Identity.Abstractions.OperationResult<TResult, TError!>(TError! error) -> Microsoft.Identity.Abstractions.OperationResult<TResult, TError!>
 static Microsoft.Identity.Abstractions.OperationResult<TResult, TError>.implicit operator Microsoft.Identity.Abstractions.OperationResult<TResult, TError!>(TResult result) -> Microsoft.Identity.Abstractions.OperationResult<TResult, TError!>
 virtual Microsoft.Identity.Abstractions.AcquireTokenOptions.Clone() -> Microsoft.Identity.Abstractions.AcquireTokenOptions!
 virtual Microsoft.Identity.Abstractions.AuthorizationHeaderProviderOptions.CloneInternal() -> Microsoft.Identity.Abstractions.AuthorizationHeaderProviderOptions!
+virtual Microsoft.Identity.Abstractions.CredentialDescription.CachedValue.get -> object?
+virtual Microsoft.Identity.Abstractions.CredentialDescription.CachedValue.set -> void
 virtual Microsoft.Identity.Abstractions.IdentityApplicationOptions.Authority.get -> string?
 virtual Microsoft.Identity.Abstractions.IdentityApplicationOptions.Authority.set -> void

From d6c462166ef6a8e1c09d877438200cb037fbad21 Mon Sep 17 00:00:00 2001
From: Bogdan Gavril <bogavril@microsoft.com>
Date: Thu, 26 Mar 2026 16:02:58 +0000
Subject: [PATCH 4/5] Supressions

---
 .../CompatibilitySuppressions.xml             | 24 -------------------
 1 file changed, 24 deletions(-)

diff --git a/src/Microsoft.Identity.Abstractions/CompatibilitySuppressions.xml b/src/Microsoft.Identity.Abstractions/CompatibilitySuppressions.xml
index 65b2998..17afab9 100644
--- a/src/Microsoft.Identity.Abstractions/CompatibilitySuppressions.xml
+++ b/src/Microsoft.Identity.Abstractions/CompatibilitySuppressions.xml
@@ -1,30 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!-- https://learn.microsoft.com/dotnet/fundamentals/package-validation/diagnostic-ids -->
 <Suppressions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
-  <Suppression>
-    <DiagnosticId>CP0002</DiagnosticId>
-    <Target>M:Microsoft.Identity.Abstractions.CredentialDescription.get_CachedValue</Target>
-    <Left>lib/net9.0/Microsoft.Identity.Abstractions.dll</Left>
-    <Right>lib/net10.0/Microsoft.Identity.Abstractions.dll</Right>
-  </Suppression>
-  <Suppression>
-    <DiagnosticId>CP0002</DiagnosticId>
-    <Target>M:Microsoft.Identity.Abstractions.CredentialDescription.get_Certificate</Target>
-    <Left>lib/net9.0/Microsoft.Identity.Abstractions.dll</Left>
-    <Right>lib/net10.0/Microsoft.Identity.Abstractions.dll</Right>
-  </Suppression>
-  <Suppression>
-    <DiagnosticId>CP0002</DiagnosticId>
-    <Target>M:Microsoft.Identity.Abstractions.CredentialDescription.set_CachedValue(System.Object)</Target>
-    <Left>lib/net9.0/Microsoft.Identity.Abstractions.dll</Left>
-    <Right>lib/net10.0/Microsoft.Identity.Abstractions.dll</Right>
-  </Suppression>
-  <Suppression>
-    <DiagnosticId>CP0002</DiagnosticId>
-    <Target>M:Microsoft.Identity.Abstractions.CredentialDescription.set_Certificate(System.Security.Cryptography.X509Certificates.X509Certificate2)</Target>
-    <Left>lib/net9.0/Microsoft.Identity.Abstractions.dll</Left>
-    <Right>lib/net10.0/Microsoft.Identity.Abstractions.dll</Right>
-  </Suppression>
   <Suppression>
     <DiagnosticId>CP0006</DiagnosticId>
     <Target>M:Microsoft.Identity.Abstractions.IDownstreamApi.PatchForAppAsync``1(System.String,``0,System.Action{Microsoft.Identity.Abstractions.DownstreamApiOptionsReadOnlyHttpMethod},System.Threading.CancellationToken)</Target>

From f18bc3cb6f979096ba9d161c09272867f4fb11cd Mon Sep 17 00:00:00 2001
From: Bogdan Gavril <bogavril@microsoft.com>
Date: Thu, 26 Mar 2026 16:40:39 +0000
Subject: [PATCH 5/5] Bump major version

---
 Directory.Build.props               |  2 +-
 Microsoft.Identity.Abstractions.sln | 22 ++++++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/Directory.Build.props b/Directory.Build.props
index 1f9718d..403eac7 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -1,7 +1,7 @@
 <Project>
   <PropertyGroup>
     <!-- This should be passed from the VSTS build -->
-    <MicrosoftIdentityAbstractionsVersion Condition="'$(MicrosoftIdentityAbstractionsVersion)' == ''">11.1.1</MicrosoftIdentityAbstractionsVersion>
+    <MicrosoftIdentityAbstractionsVersion Condition="'$(MicrosoftIdentityAbstractionsVersion)' == ''">12.0.0</MicrosoftIdentityAbstractionsVersion>
     <!-- This will generate AssemblyVersion, AssemblyFileVersion and AssemblyInformationVersion -->
     <Version>$(MicrosoftIdentityAbstractionsVersion)</Version>
     <AssemblyOriginatorKeyFile>$(MSBuildThisFileDirectory)\build\35MSSharedLib1024.snk</AssemblyOriginatorKeyFile>
diff --git a/Microsoft.Identity.Abstractions.sln b/Microsoft.Identity.Abstractions.sln
index 9786b25..fb5feb1 100644
--- a/Microsoft.Identity.Abstractions.sln
+++ b/Microsoft.Identity.Abstractions.sln
@@ -27,6 +27,28 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.Identity.Abstract
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.Identity.Abstractions.AotTests", "test\Microsoft.Identity.Abstractions.AotTests\Microsoft.Identity.Abstractions.AotTests.csproj", "{39865C17-1E90-495D-BCB1-C171FCE7078D}"
 EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "build", "build", "{06A44D1E-DF13-47CD-A765-0E329E189715}"
+	ProjectSection(SolutionItems) = preProject
+		build\build.md = build\build.md
+		build\CodeCoverage.runsettings = build\CodeCoverage.runsettings
+		build\pipeline-releasebuild.yaml = build\pipeline-releasebuild.yaml
+		build\policheck_filetypes.xml = build\policheck_filetypes.xml
+		build\template-bootstrap-build.yaml = build\template-bootstrap-build.yaml
+		build\template-install-dotnet-core.yaml = build\template-install-dotnet-core.yaml
+		build\template-install-nuget.yaml = build\template-install-nuget.yaml
+		build\template-nuget-pack.yaml = build\template-nuget-pack.yaml
+		build\template-onebranch-build-and-sign.yaml = build\template-onebranch-build-and-sign.yaml
+		build\template-pack-and-sign-all-nugets.yaml = build\template-pack-and-sign-all-nugets.yaml
+		build\template-pack-and-sign-nuget.yaml = build\template-pack-and-sign-nuget.yaml
+		build\template-postbuild-code-analysis.yaml = build\template-postbuild-code-analysis.yaml
+		build\template-prebuild-code-analysis.yaml = build\template-prebuild-code-analysis.yaml
+		build\template-publish-analysis-and-cleanup.yaml = build\template-publish-analysis-and-cleanup.yaml
+		build\template-publish-packages-and-symbols.yaml = build\template-publish-packages-and-symbols.yaml
+		build\template-restore-build-MSIdentityAbstractions.yaml = build\template-restore-build-MSIdentityAbstractions.yaml
+		build\template-sign-binary.yaml = build\template-sign-binary.yaml
+		build\tsaConfig.json = build\tsaConfig.json
+	EndProjectSection
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU