Skip to content

Use IIdentityLogger for MSAL logging in TokenAcquisition and ManagedIdentityClientAssertion (#3820)#3880

Merged
neha-bhargava merged 1 commit into
AzureAD:masterfrom
neha-bhargava:nebharg/3820-structured-msal-logging
Jun 19, 2026
Merged

Use IIdentityLogger for MSAL logging in TokenAcquisition and ManagedIdentityClientAssertion (#3820)#3880
neha-bhargava merged 1 commit into
AzureAD:masterfrom
neha-bhargava:nebharg/3820-structured-msal-logging

Conversation

@neha-bhargava

Copy link
Copy Markdown
Contributor

Summary

Fixes #3820.

TokenAcquisition and ManagedIdentityClientAssertion configured MSAL's internal logging via the legacy WithLogging(LogCallback, …) overload. That callback hands back a single pre-formatted string, so the entire MSAL log line (MSAL version, runtime, OS, correlation id, message) was flattened into one unstructured ILogger message, and the log-level threshold was computed up front by a hand-rolled ConvertMicrosoftExtensionsLogLevelToMsal helper.

This PR switches all MSAL logging configuration to the IIdentityLogger overload, passing IdentityLoggerAdapter from Microsoft.IdentityModel.LoggingExtensions — the same adapter IdentityWeb already uses for Wilson logging in MicrosoftIdentityBaseAuthenticationBuilder. MSAL now emits each log entry at its proper level and ILogger owns the filtering.

Changes

  • TokenAcquisition.cs (confidential client build) — use new IdentityLoggerAdapter(_logger).
  • TokenAcquisition.ManagedIdentity.cs (managed identity build) — use new IdentityLoggerAdapter(_logger).
  • ManagedIdentityClientAssertion.cs (Certificateless) — use new IdentityLoggerAdapter(_logger); added the Microsoft.IdentityModel.LoggingExtensions package reference to the project.
  • Removed the now-unused Log callbacks and ConvertMicrosoftExtensionsLogLevelToMsal helpers from both types.
  • Changelog entry under Behavior changes.

Notes / out of scope

  • The issue also observes that ManagedIdentityClientAssertion's log entries carry the source context Microsoft.Identity.Web.DefaultCertificateLoader. That comes from the ILogger category supplied by the caller that constructs the assertion, not from the logging API used here, so it is intentionally left out of this change. Happy to follow up separately if a dedicated category is desired.

Testing

  • Microsoft.Identity.Web.TokenAcquisition and Microsoft.Identity.Web.Certificateless build clean (0 warnings) across all target frameworks.
  • Microsoft.Identity.Web.Test builds clean; no existing tests referenced the removed private helpers.

…dentityClientAssertion

Route MSAL's internal logging through IdentityLoggerAdapter (the
IIdentityLogger overload of WithLogging) instead of the legacy
LogCallback. Previously the whole MSAL log line (version, platform,
correlation id, message) was flattened into a single unstructured
ILogger message and the log-level threshold was computed manually.
IdentityLoggerAdapter preserves per-entry log levels and lets ILogger
own filtering, matching the pattern already used for Wilson logging in
MicrosoftIdentityBaseAuthenticationBuilder.

Removes the now-unused Log callback and ConvertMicrosoftExtensionsLogLevelToMsal
helpers in both types, and adds the Microsoft.IdentityModel.LoggingExtensions
package reference to the Certificateless project.

Fixes AzureAD#3820

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@neha-bhargava neha-bhargava requested a review from a team as a code owner June 19, 2026 18:32

@trwalke trwalke left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The log level we use in MSAL is slightly different from the one used in IdWeb since IdWeb used the standard .Net log levels. will this translation still happen correctly?

https://learn.microsoft.com/en-us/aspnet/core/fundamentals/logging/?view=aspnetcore-10.0#log-level

@neha-bhargava

Copy link
Copy Markdown
Contributor Author

Good question — there are two hops now (MSAL LogLevelEventLogLevelILogger level). Traced both upstream (MSAL LoggerHelper.GetEventLogLevel + Wilson IdentityLoggerAdapter):

MSAL LogLevel new old callback
Error LogError LogError
Warning LogWarning LogWarning
Info LogInformation LogInformation
Verbose LogDebug LogDebug
Always LogTrace LogInformation

4/5 are identical. Only Always shifts (Info → Trace), and that's just MSAL's "health metric" lines — not the Info/Error/Warning logs this PR is about. It's the standard MSAL → IIdentityLoggerIdentityLoggerAdapter behavior, i.e. the same adapter we already use for Wilson logging. Filtering is also now per-entry via ILogger.IsEnabled instead of a one-time threshold computed at construction. I can drop in a small custom IIdentityLogger if we want Always to stay at Information, but I'd lean toward matching the rest of the stack.

@neha-bhargava neha-bhargava merged commit 0b50731 into AzureAD:master Jun 19, 2026
4 checks passed
This was referenced Jun 24, 2026
github-actions Bot pushed a commit to EelcoLos/nx-tinkering that referenced this pull request Jun 30, 2026
Pinned
[Microsoft.Identity.Web](https://github.com/AzureAD/microsoft-identity-web)
at 4.11.0.

<details>
<summary>Release notes</summary>

_Sourced from [Microsoft.Identity.Web's
releases](https://github.com/AzureAD/microsoft-identity-web/releases)._

## 4.11.0

## What's Changed
* Bump vitest from 3.2.4 to 4.1.0 in
/tests/DevApps/SidecarAdapter/typescript by @​dependabot[bot] in
AzureAD/microsoft-identity-web#3836
* Bump MSAL.NET to 4.84.2 and align OWIN binding redirects by @​gladjohn
with @​Copilot in
AzureAD/microsoft-identity-web#3844
* docs(design): devex proposal for mTLS PoP on Managed Identity and FIC
by @​gladjohn in
AzureAD/microsoft-identity-web#3832
* Prevent OpenIdConnectMiddlewareDiagnostics from logging sensitive
values by @​iarekk in
AzureAD/microsoft-identity-web#3850
* Add MSI mTLS PoP support: pure MI + FIC-with-MI (impl for devex
#​3832) by @​gladjohn in
AzureAD/microsoft-identity-web#3839
* docs(design): devex proposal for Bearer tokens with bound credentials
by @​gladjohn in
AzureAD/microsoft-identity-web#3833
* Add bound-credential support for Bearer tokens (cert + mTLS) by
@​gladjohn in
AzureAD/microsoft-identity-web#3835
* Upgrade IdWeb Sidecar to .NET 10 (LTS) by @​soodt in
AzureAD/microsoft-identity-web#3841
* MTLS Without Tokens Support - MicrosoftIdentityMessageHandler Support
by @​tlupes in
AzureAD/microsoft-identity-web#3815
* fix: include isTokenBinding in CCA cache key to prevent bearer/PoP
collision by @​gladjohn in
AzureAD/microsoft-identity-web#3867
* Test + doc: x-ms-tokenboundauth header for AKV mTLS PoP via
ExtraHeaderParameters by @​gladjohn in
AzureAD/microsoft-identity-web#3864
* Add mTLS PoP Copilot skill (certificate, MSI, FIC) by @​gladjohn in
AzureAD/microsoft-identity-web#3872
* Fix CVE-2026-48109: Pin MessagePack to patched version 2.5.301 by
@​soodt in AzureAD/microsoft-identity-web#3865
* Sidecar: gate agent identity parameters behind AllowOverrides by
@​iNinja in AzureAD/microsoft-identity-web#3871
* Bump System.Formats.Asn1 base version to 10.0.2 by @​iarekk in
AzureAD/microsoft-identity-web#3875
* Bump Microsoft.IdentityModel.* from 8.18.0 to 8.19.1 by @​iarekk in
AzureAD/microsoft-identity-web#3879
* Use IIdentityLogger for MSAL logging in TokenAcquisition and
ManagedIdentityClientAssertion (#​3820) by @​neha-bhargava in
AzureAD/microsoft-identity-web#3880
* Update Microsoft.Identity.Abstractions to 12.2.0 and MSAL to 4.85.0 by
@​neha-bhargava in
AzureAD/microsoft-identity-web#3881
* Surface MSAL AuthenticationResultMetadata + exception details on
AcquireTokenResult by @​neha-bhargava in
AzureAD/microsoft-identity-web#3856
* Flow outgoing request to header providers via AcquireTokenOptions by
@​neha-bhargava in
AzureAD/microsoft-identity-web#3876
* Throw on Authority vs Instance/TenantId conflict (OIDC + MSAL parity)
by @​iarekk in
AzureAD/microsoft-identity-web#3873
* Delete .github/workflows/evergreen.yml by @​bgavrilMS in
AzureAD/microsoft-identity-web#3803
* Add comprehensive authority configuration and precedence documentation
by @​jmprieur with @​Copilot in
AzureAD/microsoft-identity-web#3617
* Bump js-yaml from 4.1.1 to 4.2.0 in
/tests/DevApps/SidecarAdapter/typescript by @​dependabot[bot] in
AzureAD/microsoft-identity-web#3862
* Move authority docs into docs/authority-configuration/ subfolder by
@​iarekk in AzureAD/microsoft-identity-web#3885
* Revert "Throw on Authority vs Instance/TenantId conflict (#​3873)" by
@​iarekk in AzureAD/microsoft-identity-web#3888
* Update Microsoft.Identity.Client to 4.85.1 by @​neha-bhargava in
AzureAD/microsoft-identity-web#3889
* Enable E2E test coverage on internal Azure DevOps pipelines by
@​gladjohn in
AzureAD/microsoft-identity-web#3883
* Bump esbuild and tsx in /tests/DevApps/SidecarAdapter/typescript by
@​dependabot[bot] in
AzureAD/microsoft-identity-web#3859
* Skip AcquireTokenWithMtlsPop test: AAD westus3 test slice returns
Bearer by @​neha-bhargava in
AzureAD/microsoft-identity-web#3892

## New Contributors
* @​iarekk made their first contribution in
AzureAD/microsoft-identity-web#3850
* @​soodt made their first contribution in
AzureAD/microsoft-identity-web#3841

**Full Changelog**:
AzureAD/microsoft-identity-web@4.10.0...4.11.0

Commits viewable in [compare
view](AzureAD/microsoft-identity-web@4.10.0...4.11.0).
</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This was referenced Jun 30, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

TokenAcquisition and exposes MSAL logging as unstructured logs

3 participants