Document mTLS PoP usage in MSAL (all pop features are on internal preview) #5584
Conversation
Added documentation for using managed identities with mTLS proof-of-possession in MSAL.NET, including code examples and installation instructions.
Pull Request Overview
This PR adds comprehensive documentation for using mTLS (mutual TLS) proof-of-possession tokens with managed identities in MSAL.NET. The feature is currently in internal preview and extends the existing managed identity experience by binding tokens to X.509 certificates for enhanced security. The documentation provides clear migration paths from Bearer tokens to mTLS PoP tokens, showing developers how to minimally modify their existing code.
Key Changes:
- Added complete guide for mTLS PoP with managed identities including installation instructions for the preview NuGet package
- Provided side-by-side code examples comparing Bearer token flow vs. mTLS PoP flow for both system-assigned and user-assigned managed identities
- Documented how to use binding certificates with HttpClient for mTLS handshakes when calling APIs like Microsoft Graph
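As an added worked example (not code from this PR, and not MSAL.NET's own sample), here is how a caller would put the pieces the overview above describes together: acquire an mTLS PoP token for the managed identity, verify that the result really is certificate-bound, and present the binding certificate on the `HttpClient` that calls Microsoft Graph. It assumes only the preview API surface shown in this PR (`WithMtlsProofOfPossession()`, `AuthenticationResult.TokenType == "mtls_pop"`, `AuthenticationResult.BindingCertificate`). The `MtlsPopGraphClient` name, the fail-closed token-type check and the one-`HttpClient`-per-certificate-thumbprint cache are design choices made here, not anything the PR prescribes, and the Authorization header scheme is whatever MSAL's `CreateAuthorizationHeader()` emits for the result rather than a hard-coded scheme.

```csharp
using System;
using System.Collections.Concurrent;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example, not code from the PR under review. Assumes the preview
// package this PR documents: AcquireTokenForManagedIdentity(...)
// .WithMtlsProofOfPossession() returns an AuthenticationResult whose
// TokenType is "mtls_pop" and whose BindingCertificate is the client
// certificate to present during the TLS handshake.
public static class MtlsPopGraphClient
{
    // One HttpClient per binding certificate (keyed on thumbprint). The
    // certificate is what makes a connection pool distinct, so this reuses
    // connections across token refreshes that return the same certificate
    // and stops sockets from piling up when a new certificate is issued.
    private static readonly ConcurrentDictionary<string, HttpClient> s_clients = new();

    // System-assigned identity shown here; for a user-assigned identity use
    // ManagedIdentityId.WithUserAssignedClientId("<client-id>") instead.
    private static readonly IManagedIdentityApplication s_mi =
        ManagedIdentityApplicationBuilder
            .Create(ManagedIdentityId.SystemAssigned)
            .Build();

    public static async Task<string> CallGraphAsync(string relativeUrl)
    {
        AuthenticationResult result = await s_mi
            .AcquireTokenForManagedIdentity("https://graph.microsoft.com")
            .WithMtlsProofOfPossession()
            .ExecuteAsync()
            .ConfigureAwait(false);

        // Fail closed. A result that is not certificate-bound must not be sent
        // as if it were, and a PoP token without its certificate is unusable.
        if (!string.Equals(result.TokenType, "mtls_pop", StringComparison.OrdinalIgnoreCase)
            || result.BindingCertificate == null)
        {
            throw new InvalidOperationException(
                $"Expected an mtls_pop token with a binding certificate, got TokenType '{result.TokenType}'.");
        }

        HttpClient client = GetClientFor(result.BindingCertificate);

        using var request = new HttpRequestMessage(HttpMethod.Get, relativeUrl);
        // CreateAuthorizationHeader() emits "<scheme> <token>" using the scheme
        // MSAL associates with this result, so no scheme is hard-coded here.
        request.Headers.Authorization =
            AuthenticationHeaderValue.Parse(result.CreateAuthorizationHeader());

        using HttpResponseMessage response = await client.SendAsync(request).ConfigureAwait(false);
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync().ConfigureAwait(false);
    }

    // Builds (once per certificate) an HttpClient that presents the binding
    // certificate during the TLS handshake, which is what ties the PoP token
    // to this connection.
    private static HttpClient GetClientFor(X509Certificate2 cert)
    {
        return s_clients.GetOrAdd(cert.Thumbprint, _ =>
        {
            var handler = new HttpClientHandler
            {
                ClientCertificateOptions = ClientCertificateOption.Manual,
            };
            handler.ClientCertificates.Add(cert);
            return new HttpClient(handler)
            {
                BaseAddress = new Uri("https://graph.microsoft.com/v1.0/"),
            };
        });
    }
}
```

A caller invokes `await MtlsPopGraphClient.CallGraphAsync("me")` (or any other relative Graph path). The thumbprint-keyed cache is the practical reason the commit below refactors `HttpClient` creation: building a new handler per request defeats connection reuse, while a single static client would keep presenting a stale certificate after the token endpoint issues a new one.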
@copilot can you address all open comments
Pull Request Overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 5 comments.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Refactor mTLS HttpClient creation and usage for better performance and clarity.
| .ConfigureAwait(false); | ||
|
|
||
| // result.TokenType == "mtls_pop" | ||
| // result.BindingCertificate is the client cert to use for mTLS |
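Review bot: the comment `// result.TokenType == "mtls_pop"` states an expectation that the snippet never checks. Before handing `result.BindingCertificate` to the HTTP client, guard on the token type and on a null certificate, e.g. `if (result.TokenType != "mtls_pop" || result.BindingCertificate == null) throw new InvalidOperationException(...)`, so a non-PoP result is not silently sent over a connection the caller believes is certificate-bound.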
| // result.BindingCertificate is the client cert to use for mTLS | |
| // result.BindingCertificate is the client cert to use for mTLS in step 4 |
| .ExecuteAsync() | ||
| .ConfigureAwait(false); | ||
|
|
||
| // result.TokenType == "mtls_pop" |
Why are these lines commented?
just a comment in the code.
neha-bhargava left a comment
Approve with comments
Updated the documentation for using managed identities with mTLS proof-of-possession in MSAL.NET, including changes to titles, descriptions, and code examples.
Co-authored-by: Neha Bhargava <61847233+neha-bhargava@users.noreply.github.com>
| ms.date: 11/17/2025 | ||
| --- | ||
|
|
||
| # Use mTLS proof-of-possession (mTLS PoP) tokens in MSAL.NET (internal Microsoft only - preview) |
| # Use mTLS proof-of-possession (mTLS PoP) tokens in MSAL.NET (internal Microsoft only - preview) | |
| # Use mTLS proof-of-possession (mTLS PoP) tokens in MSAL.NET (preview) |
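Review bot: the suggested heading drops "internal Microsoft only" while the PR title still says all PoP features are on internal preview. If the heading is shortened, the overview paragraph should state the preview's scope and that the API may change, so a reader does not take the page as announcing general availability.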
|
|
||
| ## Overview | ||
|
|
||
| mTLS PoP builds directly on top of existing MSAL experiences: |
This doc is too long. Can we skip this intro and head directly to code snippets?
who is the target audience @bgavrilMS ?
Application developers. My point is that you can be more concise, for example by using a diff code snippet.
some old code
+ some new code
| The following example shows how to use either a user-assigned or system-assigned managed identity. | ||
|
|
||
| ```csharp | ||
| using System.Threading.Tasks; |
Don't include boilerplate
| - exposes the `WithMtlsProofOfPossession()` extension for managed identity flows, and | ||
| - brings in a native dependency used to attest managed identity keys (for example KeyGuard keys) via Microsoft Azure Attestation (MAA). | ||
|
|
||
| ### 1.2 Current experience – Bearer (Graph) |
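Review bot: the bullet "brings in a native dependency used to attest managed identity keys (for example KeyGuard keys) via Microsoft Azure Attestation (MAA)" should say which operating systems and architectures that native dependency ships for, and what the caller sees when the attestation call to MAA cannot complete (blocked egress, unsupported host), since both surface as token-acquisition failures rather than at install time.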
Why include Bearer flow? It's not changed.
| using System.Threading.Tasks; | ||
| using Microsoft.Identity.Client; | ||
|
|
||
| // Choose the appropriate managed identity: |
nit: Just give an example with a user assigned managed identity, this is the recommended way
That will lead to questions about whether SAMI is supported. SAMI is supported.
| .Build(); | ||
|
|
||
| // Microsoft Graph as the target API | ||
| const string graphResource = "https://graph.microsoft.com/"; |
I'd use the scope here, i.e. with .default
I'd also not use a constant string, just set it directly.
this is just an extension of what we published in our MSAL usage docs - https://learn.microsoft.com/en-us/entra/msal/dotnet/advanced/managed-identity
Are you suggesting that we change the pattern and use `.default` everywhere?
|
|
||
| AuthenticationResult mtlsPopResult = await mi | ||
| .AcquireTokenForManagedIdentity(graphResource) | ||
| .WithMtlsProofOfPossession() // <-- new API |
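Review bot: the only using shown earlier in the snippet is `using Microsoft.Identity.Client;`. If `WithMtlsProofOfPossession()` is an extension method that lives in the separate package's namespace, the snippet needs that using as well, otherwise the example does not compile as pasted. It would also help to show the caller checking `mtlsPopResult.TokenType` before relying on `mtlsPopResult.BindingCertificate`.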
| .WithMtlsProofOfPossession() // <-- new API | |
| .WithMtlsProofOfPossession() // <-- new API from Microsoft.Identity.Client.MtlsPoP package |
We started off with:
> This package:
> - exposes the `WithMtlsProofOfPossession()` extension for managed identity flows, and
> - brings in a native dependency used to attest managed identity keys (for example KeyGuard keys) via Microsoft Azure Attestation (MAA).

Wouldn't this be redundant?
| > For SNI-based confidential clients, mTLS PoP is provided by the MSAL.NET preview package itself. | ||
| > You do **not** need the `Microsoft.Identity.Client.MtlsPop` package for this scenario. | ||
|
|
||
| ### 2.1 Current experience – Bearer with SN/I certificate |
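Review bot: the package name is spelled `Microsoft.Identity.Client.MtlsPop` in the note above but `Microsoft.Identity.Client.MtlsPoP` in the suggested code comment earlier in this review. NuGet package IDs are case-insensitive, but the document should use one spelling throughout so readers searching for the package find it.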
Don't include this
Should we remove `### 2.1 Current experience – Bearer with SN/I certificate`?
| ConfidentialClientApplicationBuilder | ||
| .Create(clientId) | ||
| .WithAuthority($"https://login.microsoftonline.com/{tenantId}") | ||
| .WithAzureRegion("east us") // Required for SNI |
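Review bot: `"east us"` is not a valid Azure region identifier; use the short name (for example `"eastus"`) or `ConfidentialClientApplication.AttemptRegionDiscovery` so MSAL detects the region on Azure hosts. The comment `// Required for SNI` should also say why the regional endpoint is needed here, since readers copying this into a non-Azure host will otherwise not know which part is load-bearing.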
use a real region
|
|
||
| --- | ||
|
|
||
| ## 3. Use mTLS PoP with federated identity credentials (FIC) |
You should give examples of:
MSI + FIC
OIDC + FIC