AzureAD · RyAuld · Jan 27, 2026 · Jan 28, 2026 · Jan 28, 2026
@@ -1,7 +1,7 @@
 @Microsoft.Identity.Web.Sidecar_HostAddress = http://localhost:5178
 
 @AccessToken =
-@ApiName = 
+@ApiName =
 
 ###
 
@@ -23,7 +23,7 @@ Get {{Microsoft.Identity.Web.Sidecar_HostAddress}}/AuthorizationHeaderUnauthenti
 
 ###
 
-GET {{Microsoft.Identity.Web.Sidecar_HostAddress}}/AuthorizationHeader/{{ApiName}}?optionsOverride.Scopes=User.Read&optionsOverride.AcquireTokenOptions.Tenant=f645ad92-e38d-4d1a-b510-d1b09a74a8ca
+GET {{Microsoft.Identity.Web.Sidecar_HostAddress}}/AuthorizationHeader/{{ApiName}}?optionsOverride.Scopes=User.Read&optionsOverride.AcquireTokenOptions.Tenant=10c419d4-4a50-45b2-aa4e-919fb84df24f
 Authorization: Bearer {{AccessToken}}
 
 ###

@@ -7,7 +7,7 @@
     */
     "AzureAd": {
         "Instance": "https://login.microsoftonline.com/",
-        "TenantId": "", // f645ad92-e38d-4d1a-b510-d1b09a74a8ca
+        "TenantId": "", // 10c419d4-4a50-45b2-aa4e-919fb84df24f
         "ClientId": "", //"556d438d-2f4b-4add-9713-ede4e5f5d7da"
 
         // "Scopes": "" // access_as_user

@@ -2,7 +2,7 @@
     "AzureAd": {
         "Instance": "https://login.microsoftonline.com/",
         "Domain": "msidlab4.onmicrosoft.com",
-        "TenantId": "f645ad92-e38d-4d1a-b510-d1b09a74a8ca",
+        "TenantId": "10c419d4-4a50-45b2-aa4e-919fb84df24f",
         "ClientId": "9a192b78-6580-4f8a-aace-f36ffea4f7be",
         // To call an API
         "ClientSecret": "[secret-from-portal]",

@@ -1,7 +1,7 @@
 {
     "AzureAd": {
         "Instance": "https://login.microsoftonline.com/",
-        "TenantId": "f645ad92-e38d-4d1a-b510-d1b09a74a8ca",
+        "TenantId": "10c419d4-4a50-45b2-aa4e-919fb84df24f",
         "ClientId": "556d438d-2f4b-4add-9713-ede4e5f5d7da",
         "Scopes": "https://graph.microsoft.com/.default"
     },

@@ -13,7 +13,7 @@
     "AzureAd": {
         "Instance": "https://login.microsoftonline.com/",
         "Domain": "msidlab4.onmicrosoft.com",
-        "TenantId": "f645ad92-e38d-4d1a-b510-d1b09a74a8ca",
+        "TenantId": "10c419d4-4a50-45b2-aa4e-919fb84df24f",
         "ClientId": "9a192b78-6580-4f8a-aace-f36ffea4f7be",
         //"ClientSecret": "",
         "ClientCertificates": [

@@ -26,7 +26,7 @@ The examples depend on setting these variables
 ```sh
 $side_car_url = "<url sidecar is running at>"
 # Example values, use appropriate values for the token you want to request.
-$token = uv run --with msal get_token.py --client-id "f79f9db9-c582-4b7b-9d4c-0e8fd40623f0" --authority "https://login.microsoftonline.com/f645ad92-e38d-4d1a-b510-d1b09a74a8ca" --scope "api://556d438d-2f4b-4add-9713-ede4e5f5d7da/access_as_user"
+$token = uv run --with msal get_token.py --client-id "f79f9db9-c582-4b7b-9d4c-0e8fd40623f0" --authority "https://login.microsoftonline.com/10c419d4-4a50-45b2-aa4e-919fb84df24f" --scope "api://556d438d-2f4b-4add-9713-ede4e5f5d7da/access_as_user"
 ```
 
 Example: validate an authorization header returned by `get_token.py`:

@@ -27,7 +27,7 @@ const loginRequest: LoginRequest = {
 const pca = new PublicClientApplication({
     auth: {
         clientId: "f79f9db9-c582-4b7b-9d4c-0e8fd40623f0",
-        authority: "https://login.microsoftonline.com/f645ad92-e38d-4d1a-b510-d1b09a74a8ca",
+        authority: "https://login.microsoftonline.com/10c419d4-4a50-45b2-aa4e-919fb84df24f",
     }
 });
 

@@ -2,7 +2,7 @@
     "AzureAd": {
         "Instance": "https://login.microsoftonline.com/",
         "Domain": "msidlab4.onmicrosoft.com",
-        "TenantId": "f645ad92-e38d-4d1a-b510-d1b09a74a8ca",
+        "TenantId": "10c419d4-4a50-45b2-aa4e-919fb84df24f",
         "ClientId": "9a192b78-6580-4f8a-aace-f36ffea4f7be",
         // To call an API
         //"EnablePiiLogging": true,

@@ -2,7 +2,7 @@
     "AzureAd": {
         "Instance": "https://login.microsoftonline.com/",
         "Domain": "msidlab4.onmicrosoft.com",
-        "TenantId": "f645ad92-e38d-4d1a-b510-d1b09a74a8ca",
+        "TenantId": "10c419d4-4a50-45b2-aa4e-919fb84df24f",
         "ClientId": "9a192b78-6580-4f8a-aace-f36ffea4f7be",
         "CallbackPath": "/signin-oidc",
         "SignedOutCallbackPath ": "/signout-callback-oidc",

@@ -16,7 +16,7 @@
 
 namespace TodoListService.Controllers
 {
-    /* equivalent 
+    /* equivalent
     [Authorize(Policy = "RequiredScope(|AzureAd:Scope")]
     [Authorize(Policy = "RequiredScope(User.Read")]
     */
@@ -61,7 +61,7 @@ public async Task<IEnumerable<Todo>> GetAsync()
 
             await RegisterPeriodicCallbackForLongProcessing(null);
 
-            // string token1 = await _tokenAcquisition.GetAccessTokenForUserAsync(new string[] { "user.read" }, "f645ad92-e38d-4d1a-b510-d1b09a74a8ca").ConfigureAwait(false);
+            // string token1 = await _tokenAcquisition.GetAccessTokenForUserAsync(new string[] { "user.read" }, "10c419d4-4a50-45b2-aa4e-919fb84df24f").ConfigureAwait(false);
             // string token2 = await _tokenAcquisition.GetAccessTokenForUserAsync(new string[] { "user.read" }, "3ebb7dbb-24a5-4083-b60c-5a5977aabf3d").ConfigureAwait(false);
 
             await Task.FromResult(0); // fix CS1998 while the lines about the 2 tokens are commented out.
@@ -92,7 +92,7 @@ private async Task RegisterPeriodicCallbackForLongProcessing(string keyHint)
             Timer timer = new Timer(async (state) =>
             {
                 HttpClient httpClient = new HttpClient();
-                
+
                 var message = await httpClient.GetAsync(url); // CodeQL [SM03781] Requests are made to a sample controller on localhost
             }, null, 1000, 1000 * 60 * 1);  // Callback every minute
         }

@@ -2,11 +2,11 @@
     "AzureAd": {
         "Instance": "https://login.microsoftonline.com/",
         "Domain": "msidlab4.onmicrosoft.com",
-        "TenantId": "f645ad92-e38d-4d1a-b510-d1b09a74a8ca",
+        "TenantId": "10c419d4-4a50-45b2-aa4e-919fb84df24f",
         "ClientId": "556d438d-2f4b-4add-9713-ede4e5f5d7da", //"712ae8d7-548a-4306-95b6-ee9117ee86f0", JWE clientID
 
         // Or instead of Instance + TenantId, you can use the Authority
-        // "Authority": "https://login.microsoftonline.com/f645ad92-e38d-4d1a-b510-d1b09a74a8ca/",
+        // "Authority": "https://login.microsoftonline.com/10c419d4-4a50-45b2-aa4e-919fb84df24f/",
 
         // To exercise the signing-key issuer:
         // - uncomment the following line (Authority)

@@ -2,7 +2,7 @@
     "AzureAd": {
         "Instance": "https://login.microsoftonline.com/",
         "Domain": "msidlab4.onmicrosoft.com",
-        "TenantId": "f645ad92-e38d-4d1a-b510-d1b09a74a8ca",
+        "TenantId": "10c419d4-4a50-45b2-aa4e-919fb84df24f",
         "ClientId": "556d438d-2f4b-4add-9713-ede4e5f5d7da",
         "ClientCertificates": [
             {

@@ -2,7 +2,7 @@
     "AzureAd": {
         "Instance": "https://login.microsoftonline.com/",
         "Domain": "msidlab4.onmicrosoft.com",
-        "TenantId": "f645ad92-e38d-4d1a-b510-d1b09a74a8ca",
+        "TenantId": "10c419d4-4a50-45b2-aa4e-919fb84df24f",
         "ClientId": "556d438d-2f4b-4add-9713-ede4e5f5d7da", //"712ae8d7-548a-4306-95b6-ee9117ee86f0", JWE clientID
         // "ClientSecret": "",
         "Scopes": "access_as_user",

@@ -12,7 +12,7 @@
     <!--<add key="ida:ClientId" value="556d438d-2f4b-4add-9713-ede4e5f5d7da"/>
     <add key="ida:AADInstance" value="https://login.microsoftonline.com/"/>
     <add key="ida:Domain" value="msidlab4.onmicrosoft.com"/>
-    <add key="ida:TenantId" value="f645ad92-e38d-4d1a-b510-d1b09a74a8ca"/>
+    <add key="ida:TenantId" value="10c419d4-4a50-45b2-aa4e-919fb84df24f"/>
     <add key="ida:PostLogoutRedirectUri" value="https://localhost:44386/signin-oidc"/>-->
   </appSettings>
   <system.web>

@@ -2,7 +2,7 @@
     "AzureAd": {
         "Instance": "https://login.microsoftonline.com/",
         "Domain": "msidlab4.onmicrosoft.com",
-        "TenantId": "f645ad92-e38d-4d1a-b510-d1b09a74a8ca",
+        "TenantId": "10c419d4-4a50-45b2-aa4e-919fb84df24f",
         "ClientId": "9a192b78-6580-4f8a-aace-f36ffea4f7be",
         "RedirectUri": "https://localhost:44386/",
         //        "ClientSecret": "",

@@ -3,7 +3,7 @@
     "AzureAd": {
         "Instance": "https://login.microsoftonline.com/",
         "Domain": "msidlab4.onmicrosoft.com",
-        "TenantId": "f645ad92-e38d-4d1a-b510-d1b09a74a8ca",
+        "TenantId": "10c419d4-4a50-45b2-aa4e-919fb84df24f",
         "ClientId": "9a192b78-6580-4f8a-aace-f36ffea4f7be",
         "CallbackPath": "/signin-oidc",
         "SignedOutCallbackPath ": "/signout-callback-oidc",

@@ -2,7 +2,7 @@
     "AzureAd": {
         "Instance": "https://login.microsoftonline.com/",
         "Domain": "msidlab4.onmicrosoft.com",
-        "TenantId": "f645ad92-e38d-4d1a-b510-d1b09a74a8ca",
+        "TenantId": "10c419d4-4a50-45b2-aa4e-919fb84df24f",
         "ClientId": "9a192b78-6580-4f8a-aace-f36ffea4f7be",
         "ClientCertificates": [
             {

@@ -2,7 +2,7 @@
     "AzureAd": {
         "Instance": "https://login.microsoftonline.com/",
         "Domain": "msidlab4.onmicrosoft.com",
-        "TenantId": "f645ad92-e38d-4d1a-b510-d1b09a74a8ca",
+        "TenantId": "10c419d4-4a50-45b2-aa4e-919fb84df24f",
         "ClientId": "556d438d-2f4b-4add-9713-ede4e5f5d7da"
     },
     "Kestrel": {

@@ -1,7 +1,7 @@
 {
     "AzureAd": {
         "Instance": "https://login.microsoftonline.com/",
-        "TenantId": "f645ad92-e38d-4d1a-b510-d1b09a74a8ca",
+        "TenantId": "10c419d4-4a50-45b2-aa4e-919fb84df24f",
         "ClientId": "556d438d-2f4b-4add-9713-ede4e5f5d7da",
         "Scopes": "Weather.All",
         "TokenDecryptionCredentials": [

@@ -34,7 +34,7 @@
     <!--CVE-2021-24112-->
     <SystemDrawingCommonVersion>5.0.3</SystemDrawingCommonVersion>
     <SystemManagementVersion>8.0.0</SystemManagementVersion>
-    <MicrosoftIdentityLabApiVersion>1.0.2</MicrosoftIdentityLabApiVersion>
+    <MicrosoftIdentityLabApiVersion>2.0.0-preview</MicrosoftIdentityLabApiVersion>
     <SystemNetHttpVersion>4.3.4</SystemNetHttpVersion>
     <SystemTextRegularExpressionsVersion>4.3.1</SystemTextRegularExpressionsVersion>
     <MoqVersion>4.18.4</MoqVersion>

@@ -8,7 +8,7 @@
 using Microsoft.Extensions.Hosting;
 using Microsoft.Identity.Web;
 using Microsoft.Identity.Web.Test.Common;
-using Microsoft.Identity.Lab.Api;
+using Microsoft.Identity.Test.LabInfrastructure;
 using Microsoft.Identity.Web.TokenCacheProviders.InMemory;
 
 namespace IntegrationTestService

@@ -3,13 +3,13 @@
         "Instance": "https://login.microsoftonline.com/",
         "Domain": "msidlab4.onmicrosoft.com",
         "TenantId": "common",
-        "ClientId": "f4aa5217-e87c-42b2-82af-5624dd14ee72"
+        "ClientId": "8837cde9-4029-4bfc-9259-e9e70ce670f7"
     },
     "AzureAd2": {
         "Instance": "https://login.microsoftonline.com/",
         "Domain": "msidlab4.onmicrosoft.com",
         "TenantId": "common",
-        "ClientId": "f4aa5217-e87c-42b2-82af-5624dd14ee72"
+        "ClientId": "8837cde9-4029-4bfc-9259-e9e70ce670f7"
     },
     "CalledApi": {
         "Scopes": [ "user.read" ],

@@ -13,7 +13,7 @@
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Options;
 using Microsoft.Identity.Abstractions;
-using Microsoft.Identity.Lab.Api;
+using Microsoft.Identity.Test.LabInfrastructure;
 using Microsoft.Identity.Web;
 using Microsoft.Identity.Web.Test.Common;
 using Microsoft.Identity.Web.Test.Common.Mocks;
@@ -48,7 +48,7 @@ public async Task CrossCloudFicIntegrationTest()
 
             // this is how the authentication options can be configured in code rather than
             // in the appsettings file, though using the appsettings file is recommended
-            /*            
+            /*
             tokenAcquirerFactory.Services.Configure<MicrosoftIdentityApplicationOptions>(options =>
             {
                 options.Instance = "https://login.microsoftonline.com/";

@@ -1,5 +1,5 @@
 {
-    "token_endpoint": "https://login.microsoftonline.com/f645ad92-e38d-4d1a-b510-d1b09a74a8ca/oauth2/v2.0/token",
+    "token_endpoint": "https://login.microsoftonline.com/10c419d4-4a50-45b2-aa4e-919fb84df24f/oauth2/v2.0/token",
     "token_endpoint_auth_methods_supported": [
         "client_secret_post",
         "private_key_jwt",
@@ -29,14 +29,14 @@
         "email",
         "offline_access"
     ],
-    "issuer": "https://login.microsoftonline.com/f645ad92-e38d-4d1a-b510-d1b09a74a8ca/v2.0",
+    "issuer": "https://login.microsoftonline.com/10c419d4-4a50-45b2-aa4e-919fb84df24f/v2.0",
     "request_uri_parameter_supported": false,
     "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
-    "authorization_endpoint": "https://login.microsoftonline.com/f645ad92-e38d-4d1a-b510-d1b09a74a8ca/oauth2/v2.0/authorize",
-    "device_authorization_endpoint": "https://login.microsoftonline.com/f645ad92-e38d-4d1a-b510-d1b09a74a8ca/oauth2/v2.0/devicecode",
+    "authorization_endpoint": "https://login.microsoftonline.com/10c419d4-4a50-45b2-aa4e-919fb84df24f/oauth2/v2.0/authorize",
+    "device_authorization_endpoint": "https://login.microsoftonline.com/10c419d4-4a50-45b2-aa4e-919fb84df24f/oauth2/v2.0/devicecode",
     "http_logout_supported": true,
     "frontchannel_logout_supported": true,
-    "end_session_endpoint": "https://login.microsoftonline.com/f645ad92-e38d-4d1a-b510-d1b09a74a8ca/oauth2/v2.0/logout",
+    "end_session_endpoint": "https://login.microsoftonline.com/10c419d4-4a50-45b2-aa4e-919fb84df24f/oauth2/v2.0/logout",
     "claims_supported": [
         "sub",
         "iss",
@@ -58,7 +58,7 @@
         "c_hash",
         "email"
     ],
-    "kerberos_endpoint": "https://login.microsoftonline.com/f645ad92-e38d-4d1a-b510-d1b09a74a8ca/kerberos",
+    "kerberos_endpoint": "https://login.microsoftonline.com/10c419d4-4a50-45b2-aa4e-919fb84df24f/kerberos",
     "tenant_region_scope": "NA",
     "cloud_instance_name": "microsoftonline.com",
     "cloud_graph_host_name": "graph.windows.net",

@@ -15,7 +15,7 @@
 using Microsoft.Extensions.Options;
 using Microsoft.Graph;
 using Microsoft.Identity.Abstractions;
-using Microsoft.Identity.Lab.Api;
+using Microsoft.Identity.Test.LabInfrastructure;
 using Microsoft.Identity.Web;
 using Microsoft.Identity.Web.Test.Common;
 using Microsoft.Identity.Web.TestOnly;
@@ -106,14 +106,14 @@
             var tokenAcquirerFactory = TokenAcquirerFactory.GetDefaultInstance();
             _ = tokenAcquirerFactory.Build();
 
-            var labResponse = await LabUserHelper.GetSpecificUserAsync(TestConstants.OBOUser);
+            var userConfig = await LabResponseHelper.GetUserConfigAsync("MSAL-User-Default-JSON");
 
             ITokenAcquirer tokenAcquirer = tokenAcquirerFactory.GetTokenAcquirer(
                authority: "https://login.microsoftonline.com/organizations",
                clientId: "9a192b78-6580-4f8a-aace-f36ffea4f7be",
                clientCredentials: s_clientCredentials);
 
-            var user = ClaimsPrincipalFactory.FromUsernamePassword(labResponse.User.Upn, labResponse.User.GetOrFetchPassword());
+            var user = ClaimsPrincipalFactory.FromUsernamePassword(userConfig.UPN, LabResponseHelper.FetchUserPassword(userConfig.LabName));
 
             var result = await tokenAcquirer.GetTokenForUserAsync(
                 scopes: new[] { "https://graph.microsoft.com/.default" }, user: user);
@@ -136,14 +136,14 @@
             var tokenAcquirerFactory = TokenAcquirerFactory.GetDefaultInstance();
             _ = tokenAcquirerFactory.Build();
 
-            var labResponse = await LabUserHelper.GetSpecificUserAsync(TestConstants.OBOUser);
+            var userConfig = await LabResponseHelper.GetUserConfigAsync("MSAL-User-Default-JSON");
 
             ITokenAcquirer tokenAcquirer = tokenAcquirerFactory.GetTokenAcquirer(
                authority: "https://login.microsoftonline.com/organizations",
                clientId: "9a192b78-6580-4f8a-aace-f36ffea4f7be",
                clientCredentials: s_clientCredentials);
 
-            var user = ClaimsPrincipalFactory.FromUsernamePassword(labResponse.User.Upn, labResponse.User.GetOrFetchPassword());
+            var user = ClaimsPrincipalFactory.FromUsernamePassword(userConfig.UPN, LabResponseHelper.FetchUserPassword(userConfig.LabName));
 
             var result = await tokenAcquirer.GetTokenForUserAsync(
                 scopes: new[] { "https://graph.microsoft.com/.default" }, user: user);
@@ -468,10 +468,10 @@
 
             var jsonWebToken = new JsonWebToken(result.AccessToken);
             Assert.True(jsonWebToken.TryGetPayloadValue("cnf", out object? cnfClaim), "The mTLS PoP token should contain a 'cnf' claim");
-            
+
             var cnfJson = JsonSerializer.Deserialize<JsonElement>(cnfClaim!.ToString()!);
             Assert.True(cnfJson.TryGetProperty("x5t#S256", out var x5tS256), "The mTLS PoP 'cnf' claim should contain an 'x5t#S256' property");
-            
+
             var x5tS256Value = x5tS256.GetString();
             Assert.False(string.IsNullOrEmpty(x5tS256Value));
         }

@@ -8,7 +8,7 @@
 using System.Runtime.Versioning;
 using System.Threading.Tasks;
 using Azure.Identity;
-using Microsoft.Identity.Lab.Api;
+using Microsoft.Identity.Test.LabInfrastructure;
 using Microsoft.Playwright;
 using Xunit;
 using Xunit.Abstractions;
@@ -102,7 +102,7 @@
                    if (InitialConnectionRetryCount == 0) { throw ex; }
                }
            }
            LabResponse labResponse = await LabUserHelper.GetB2CLocalAccountAsync();

            // Initial sign in
            _output.WriteLine("Starting web app sign-in flow.");

@@ -7,7 +7,7 @@
 using System.IO;
 using System.Runtime.Versioning;
 using System.Threading.Tasks;
-using Microsoft.Identity.Lab.Api;
+using Microsoft.Identity.Test.LabInfrastructure;
 using Microsoft.Playwright;
 using Xunit;
 using Xunit.Abstractions;
@@ -29,7 +29,7 @@
     private readonly string _uiTestAssemblyLocation = typeof(TestingWebAppLocally).Assembly.Location;
     private readonly LocatorAssertionsToBeVisibleOptions _assertVisibleOptions = new() { Timeout = 15000 };
 
-    public TestingWebAppLocally(ITestOutputHelper output) 
+    public TestingWebAppLocally(ITestOutputHelper output)
     {
         _output = output;
     }
@@ -38,11 +38,11 @@
     [SupportedOSPlatform("windows")]
     public async Task ChallengeUser_MicrosoftIdFlow_LocalApp_ValidEmailPasswordAsync()
     {
-        LabResponse labResponse = await LabUserHelper.GetDefaultUserAsync();
+        var userConfig = await LabResponseHelper.GetUserConfigAsync("MSAL-User-Default-JSON");
 
         var clientEnvVars = new Dictionary<string, string>();
 
-        await ExecuteWebAppCallsGraphFlowAsync(labResponse.User.Upn, labResponse.User.GetOrFetchPassword(), clientEnvVars, TraceFileClassName);
+        await ExecuteWebAppCallsGraphFlowAsync(userConfig.UPN, LabResponseHelper.FetchUserPassword(userConfig.LabName), clientEnvVars, TraceFileClassName);
     }
 
     [Theory(Skip = "https://github.com/AzureAD/microsoft-identity-web/issues/3288")]
@@ -60,7 +60,7 @@
            {"AzureAd__Instance", "" }
        };

        await ExecuteWebAppCallsGraphFlowAsync("idlab@msidlabciam6.onmicrosoft.com", LabUserHelper.FetchUserPassword("msidlabciam6"), clientEnvVars, TraceFileClassNameCiam);
    }

    private async Task ExecuteWebAppCallsGraphFlowAsync(string upn, string credential, Dictionary<string, string>? clientEnvVars, string traceFileClassName)