Skip to content

⬆️ Bump Azure.Identity and Microsoft.Identity.Client #62

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

⬆️ Bump Azure.Identity and Microsoft.Identity.Client #62

wants to merge 1 commit into from

Conversation

@dependabot
Copy link

@dependabot dependabot bot commented on behalf of github Oct 27, 2025

Updated Azure.Identity from 1.11.4 to 1.17.0.

Release notes

Sourced from Azure.Identity's releases.

1.17.0

1.17.0 (2025-10-07)

Bugs Fixed

  • TenantId is now configured via MSAL's WithTenantId instead of WithTenantIdFromAuthority to prevent malformed Uris to the authority.

Other Changes

  • Deprecated BrowserCustomizationOptions.UseEmbeddedWebView property. This option requires additional dependencies on Microsoft.Identity.Client.Desktop and is no longer supported. Consider using brokered authentication instead.

1.16.0

1.16.0 (2025-09-09)

Features Added

  • Added a new DefaultAzureCredential constructor that accepts a custom environment variable name for credential configuration. This provides flexibility beyond the default AZURE_TOKEN_CREDENTIALS environment variable. The constructor accepts any environment variable name and uses the same credential selection logic as the existing AZURE_TOKEN_CREDENTIALS processing.
  • Added DefaultAzureCredential.DefaultEnvironmentVariableName constant property that returns "AZURE_TOKEN_CREDENTIALS" for convenience when referencing the default environment variable name.
  • AzureCliCredential, AzurePowerShellCredential, and AzureDeveloperCliCredential now throw an AuthenticationFailedException when the TokenRequestContext includes claims, as these credentials do not support claims challenges. The exception message includes guidance for handling such scenarios.
  • When AZURE_TOKEN_CREDENTIALS or the equivalent custom environment variable is configured to ManagedIdentityCredential, the DefaultAzureCredential does not issue a probe request and performs retries with exponential backoff.

Bugs Fixed

  • Fixed AzureDeveloperCliCredential hanging when the AZD_DEBUG environment variable is set by adding the --no-prompt flag to prevent interactive prompts (#​52005).
  • BrokerCredential is now included in the chain when AZURE_TOKEN_CREDENTIALS is set to dev.
  • Fixed an issue that prevented ManagedIdentityCredential from utilizing the token cache in Workload Identity Federation environments.
  • Fixed a bug in DefaultAzureCredential that caused the credential chain to be constructed incorrectly when using AZURE_TOKEN_CREDENTIALS in combination with DefaultAzureCredentialOptions.

Other Changes

  • The BrokerCredential is now always included in the DefaultAzureCredential chain. If the Azure.Identity.Broker package is not referenced, an exception will be thrown when GetToken is called, making its behavior consistent with the rest of the credentials in the chain.
  • Updated Microsoft.Identity.Client dependency to version 4.76.0.
  • Updated Microsoft.Identity.Client.Extensions.Msal dependency to version 4.76.0.

1.13.0

1.13.0 (2025-09-22)

Other Changes

  • Updated the Azure.Identity dependency to version 1.16.0

1.13.0-beta.1

1.13.0-beta.1 (2025-10-22)

Features Added

1.12.0

1.12.0 (2025-09-19)

Features Added

Other Changes

  • Upgraded Azure.Core from 1.47.3 to 1.48.0

Commits viewable in compare view.

Updated Microsoft.Identity.Client from 4.61.3 to 4.76.0.

Release notes

Sourced from Microsoft.Identity.Client's releases.

4.76.0

What's Changed

New Contributors

Full Changelog: AzureAD/microsoft-authentication-library-for-dotnet@4.74.1...4.76.0

4.74.1

Bug fixes

4.74.0

Features

Bug fixes

4.73.1

What's Changed

Full Changelog: AzureAD/microsoft-authentication-library-for-dotnet@4.73.0...4.73.1

4.73.0

What's Changed

Full Changelog: AzureAD/microsoft-authentication-library-for-dotnet@4.72.1...4.73.0

4.72.1

4.72.1

Bug Fixes

Full Changelog: AzureAD/microsoft-authentication-library-for-dotnet@4.72.0...4.72.1

4.72.0

4.72.0

Features

Bug Fixes

  • Ensure additional cache parameters are persisted in cache serializationIssue #​5261

4.71.1

Bug Fixes

Full Changelog: AzureAD/microsoft-authentication-library-for-dotnet@4.71.0...4.71.1

4.71.0

Bug Fixes

  • Enable the Service Fabric flow to get a httpClient from the factory with ssl validation callback. See Issue #​5220

Full changelog: 4.70.2 .. 4.71.0

4.70.2

What's Changed

Full Changelog: AzureAD/microsoft-authentication-library-for-dotnet@4.70.1...4.70.2

4.70.1

What's Changed

Full Changelog: AzureAD/microsoft-authentication-library-for-dotnet@4.70.0...4.70.1

4.70.0

Features

  • Added a .WithAccessTokenSha256ToRefresh() method to AcquireTokenForClientParameterBuilder for ConfidentialClientApplication, allowing finer control over token refresh scenarios. Issue #​5111, PR #​5179
  • Added TokenCacheNotificationArgs.NoDistributedCacheUseReason in order to indicate that the configured serialized cache should not be a distributed cache to prevent issues when acquiring tokens. Issue #​5199

Bug Fixes

  • Removed invalid tenant checks (/organizations or /common) in MTLS flows for AAD/dSTS authorities. Issue #​5093
  • Fixed an issue where specifying a null service config region in MTLS scenarios did not correctly throw an exception. Issue #​5181

4.69.1

4.69.1

Features

  • Enabled broker support on the Linux platform. See Issue #​5086
  • Added a WithCertificate(..., bool associateTokensWithCertificateSerialNumber) overload to enable the use of the certificate's serial number as part of the cache key for tokens. Issue #​5150

Bug Fixes

  • MSAL will now stop replacing "%20" with "+" since it is obsolete. See Issue #​5061
  • Exposed client capabilities in AssertionRequestOptions for MSI FIC scenarios Issue #​4948
  • Added the missing claims in SignedAssertion when using the AssertionRequestOptions Delegate Issue #​5143

4.68.0

Features

  • Added WithFmiPath() api to support FMI scenarios in MSAL. See Issue #​5110
  • MSAL will now pass Client sku and Version to MsalRuntime for MSAL Runtime's client telemetry. See Issue #​5103

Bug Fixes

  • Reordered the condition for ManagedIdentitySource.MachineLearning to be checked after ManagedIdentitySource.AppService instead of before it. See Issue #​5077
  • Improved Managed Identity Source Detection Logging for Debugging. See Issue #​5097
  • When a 404 error occurs, MSAL will now include the endpoint and authority URLs in the exception message for better debugging. See Issue #​4769
  • MSAL will now set UseShellExecute to false in OpenLinuxBrowser. See Issue #​5075
  • Fixed a threading exception when using ExtraQueryParameters. See Issue #​5108

4.67.2

Bug Fixes

  • Fixed an issue with Managed Identity source detection where Azure ML was prioritized incorrectly over Azure App Service, causing token acquisition failures. See Bug #​5077

4.67.1

Bug Fixes

  • Added support for Azure Machine Learning (Azure ML) Managed Identity (MSI) to address missing functionality for token acquisition in Azure Machine Learning environments. See Bug #​4984

4.67.0

New Features

  • MSAL.NET now supports acquiring token for Client Credentials flow with a Subject Name Issuer (SNI) certificate over Mutual TLS (mTLS) for first-party applications. See Issue #​4986
  • Bumped NET SDK from net6 to net8, aligning MSAL.NET with the latest .NET standards and features. See Feature Request #​5025
  • Public API analyzer integrated to enhance API compliance and stability. See Feature Request #​4931

Bug Fixes

  • Improved AcquireTokenSilent logging and handling of Family of Client IDs (FOCI). See Bug #​4988
  • Fixed issues where DurationTotalInMs in AuthenticationResultMetadata differed from Stopwatch measurements. See Bug #​4895
  • Resolved incorrect computation of OTel durations in L1 cache and during the creation of POP tokens. See Bug #​5036
  • Addressed an issue where AbstractAcquireTokenParameterBuilder<T>.WithAdfsAuthority threw exceptions when the tenant ID was null and the authority host URI ended in /adfs. See Bug #​4860
  • Fixed a parsing issue in Managed Identity to align with Azure.Identity's behavior for handling invalid JSON responses. See Bug #​5016

Deprecated

4.66.2

4.66.2

Bug Fixes

  • Fixed a bug where MSAL .NET fails to launch the iOS broker on IOS 18.0.1. See Issue #​4958

4.66.1

Bug Fixes

  • Fixed a bug where MSAL .NET fails to correctly handle the expires_on field for Managed Identity tokens in ISO 8601 format. This fix ensures accurate parsing of ISO 8601 date-time formats during token acquisition. See Issue #​4963

4.66.0

4.66.0

New Features

  • Enabled extended functionality in the MSAL authentication flow through the implementation of IAuthenticationOperation. This allows for custom extensions in the authentication flow by providing an authentication operation interface. See Issue #​4956
  • MSAL.NET will now opt-in to regional ESTS when the environment variable MSAL_FORCE_REGION is set (e.g., MSAL_FORCE_REGION=eastus). This automatically directs MSAL to use the specified region for token acquisition. If the region is explicitly set to "DisableMsalForceRegion", MSAL will not opt-in to regional ESTS. Use of the WithAzureRegion(xyz) API takes precedence over the environment variable. See Issue #​4930

4.65.2-Preview

  • Refactored CDT Prototype
  • Moved prototype to separate folder
  • Removed dependency on MSAL internals

4.65.0

New Features

  • Update telemetry to include the caller SDK details. See Issue #​4863
  • MSAL.Net now exposes an API to enable developers to cache additional values in the token response. See Issue #​4922
  • Managed identity .WithClaims() and .WithClientCapabilities() APIs are now generally available. See Issue #​4921

Bug Fixes

  • Fix a bug where MSAL .Net fails for DSTS authority when using .WithTenantIdFromAuthority(). See Issue #​4927

4.64.1

4.64.0

4.64.0

New Features

  • Added managed identity support for Azure ARC on Linux. See Issue #​4358
  • Added Username and password support for confidential clients. See Issue #​3774

Bug Fixes

  • Resolved SHA2 issues that break custom claims during authentication flows. See Issue #​4868

4.63.0

New Features

  • Implemented Claims API to Bypass Cache When Claims are Present in MSAL with Managed Identity. This is still an experimental API and may change in the future. See Issue #​4845

Bug Fixes

  • Fixed an issue where SHR POP tokens were broken due to an invalid algorithm. The algorithm has been corrected to PS256 from RS256. See Issue #​4839

4.62.0

New Features

  • Updated the Service Fabric managed identity flow to validate the server certificate. See Issue #​4462
  • Updated MSAL exception when server returns 500 to include request URI. See Issue #​4412
  • Removed unused telemetry headers WithClientTelemetry and last_telemetry header. See Issue #​4815

Bug Fixes

  • Fix for silent token acquisition failing after device code flow when broker is enabled. See Issue #​4786
  • Fix the computation of TotalDurationInMs for linux platform. See Issue #​4784
  • Added 'haschrome=1' to avoid unexpected back buttons on the first page in embedded browser. See Issue #​4836

Commits viewable in compare view.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
⬆️ Bump Azure.Identity and Microsoft.Identity.Client
5a379cb 
Bumps Azure.Identity from 1.11.4 to 1.17.0
Bumps Microsoft.Identity.Client from 4.61.3 to 4.76.0

---
updated-dependencies:
- dependency-name: Azure.Identity
  dependency-version: 1.17.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: Microsoft.Identity.Client
  dependency-version: 4.76.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: Azure.Identity
  dependency-version: 1.17.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: Microsoft.Identity.Client
  dependency-version: 4.76.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot @github
Copy link
Author

dependabot bot commented on behalf of github Oct 27, 2025

Labels

The following labels could not be found: dependencies, nuget, security. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@github-actions
Copy link

github-actions bot commented Oct 27, 2025

🛡️ Security Scan Summary

Scan Date: Mon Oct 27 07:08:11 UTC 2025
Commit: e7b0131

🔍 Scan Results

Tool Status Details
TruffleHog ✅ Secure No secrets detected
.NET Vulnerability Scan ℹ️ Skipped Scan not executed
CodeQL 📊 Uploaded Results uploaded to GitHub Security tab - manual review required
Semgrep SAST ✅ Secure No security issues detected
Trivy Filesystem ℹ️ Skipped Scan not executed
OWASP Dependency Check ℹ️ Skipped Scan not executed
OWASP ZAP Dynamic Scan ℹ️ Skipped Scan not executed
Security Configuration ℹ️ Skipped Audit not executed

⚠️ CRITICAL: CodeQL Security Analysis

IMPORTANT: This summary may show CodeQL as 'secure' even if issues exist.
ALWAYS check the GitHub Security Tab for CodeQL findings.
High/Critical CodeQL issues MUST be resolved before merge, regardless of this summary.

📋 Recommendations

  • PRIORITY: Check GitHub Security tab for CodeQL findings
  • Fix all high/critical CodeQL issues before merge
  • Review all findings in the Security tab
  • Update vulnerable dependencies promptly
  • Follow secure coding practices from copilot-instructions.md
  • Regular security reviews and updates

Security scan generated by Setlist Studio CI/CD Pipeline 🔒

@eugenecp eugenecp closed this Oct 28, 2025
@dependabot @github
Copy link
Author

dependabot bot commented on behalf of github Oct 28, 2025

OK, I won't notify you again about this release, but will get in touch when a new version is available. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot bot deleted the dependabot/nuget/src/SetlistStudio.Infrastructure/multi-6ed0ff32cc branch October 28, 2025 15:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@eugenecp eugenecp

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@eugenecp