Sourced from Microsoft.Identity.Web's releases.

4.9.0

New features

• Sidecar: per-route override gating. New Sidecar:AllowOverrides configuration section provides explicit, per-route control over whether optionsOverride.* query-string parameters are honored. Authenticated routes default to allowing overrides (preserving existing behavior); unauthenticated routes default to rejecting them. optionsOverride.BaseUrl is unconditionally rejected on all routes as a hardening measure. See #​3794.

Bug fixes

• Fix AccountController.Challenge redirect URI validation to reject percent-encoded protocol-relative bypasses (%2F%2F, %5C%2F, etc.) that could be decoded by misconfigured reverse proxies. See #​3792.

Behavior changes

• DownstreamApi: reserved header filtering. Headers supplied via DownstreamApiOptions.ExtraHeaderParameters whose names match reserved HTTP headers (Authorization, Host, Content-Length, Proxy-Authorization, Sec-*, Proxy-*, etc.) or duplicate a header the library already set are now silently skipped. A warning-level log entry (ReservedHeaderIgnored / DuplicateHeaderIgnored) is emitted so operators can spot misconfigurations. No exception is thrown. See #​3793.

Dependencies updates

• Update Azure.Identity 1.11.4 → 1.17.2 and establish Microsoft.Extensions.* 8.0.x minimum on older TFMs. Azure.Identity 1.17.2 (sovereign-cloud fixes) pulls in Azure.Core 1.50.0, which introduces a transitive dependency on Microsoft.Extensions.DependencyInjection.Abstractions 8.0.2 on non-framework-coupled TFMs (net462, net472, netstandard2.0). This caused a CS0433 type collision with the previously-pinned Microsoft.Extensions.DependencyInjection 2.1.0. Rather than patch individual packages, the entire Microsoft.Extensions.* stack on these older TFMs has been bumped to 8.0.x, closing several 5-year version gaps and aligning with the net8.0 baseline. If your application targets net462, net472, or netstandard2.0, your resolved Microsoft.Extensions.* versions will increase (e.g., Extensions.Http 3.1.3 → 8.0.0, Extensions.DependencyInjection 2.1.0 → 8.0.0, Extensions.Caching.Memory 2.1.0/6.0.2 → 8.0.1). Applications already targeting net8.0+ are unaffected. See #​3787.
• Bump System.Text.Json 8.0.5 → 8.0.6 (CVE-2024-43485). See #​3787.
• Bump Microsoft.AspNetCore.DataProtection to 10.0.7 for CVE fix on net10.0. See #​3796.
• Bump OpenTelemetry.Exporter.OpenTelemetryProtocol 1.14.0 → 1.15.3. See #​3788.

Full Changelog: https://github.com/AzureAD/microsoft-identity-web/compare/4.8.0...4.9.0

4.8.0

What's Changed

• Bump flatted from 3.3.3 to 3.4.2 in /tests/DevApps/SidecarAdapter/typescript by @​dependabot[bot] in https://github.com/AzureAD/microsoft-identity-web/pull/3753
• Update changelog.md for ID.Web 4.6.0 by @​bgavrilMS in https://github.com/AzureAD/microsoft-identity-web/pull/3756
• Add token binding to MicrosoftIdentityMessageHandler by @​cpp11nullptr in https://github.com/AzureAD/microsoft-identity-web/pull/3743
• Bump picomatch in /tests/DevApps/SidecarAdapter/typescript by @​dependabot[bot] in https://github.com/AzureAD/microsoft-identity-web/pull/3759
• Documentation: Clarify managed identity credential types for containerized vs. VM/App Service deployments by @​Copilot in https://github.com/AzureAD/microsoft-identity-web/pull/3585
• Bump path-to-regexp from 8.3.0 to 8.4.0 in /tests/DevApps/SidecarAdapter/typescript by @​dependabot[bot] in https://github.com/AzureAD/microsoft-identity-web/pull/3762
• Upgrade Microsoft Application Insights packages by @​RojaEnnam in https://github.com/AzureAD/microsoft-identity-web/pull/3763
• Use Abstractions 12 by @​pmaytak in https://github.com/AzureAD/microsoft-identity-web/pull/3761
• Post-4.7.0 by @​pmaytak in https://github.com/AzureAD/microsoft-identity-web/pull/3768
• Fix Comp Gov DOTNET-Security-10.0 by @​reginayap8 in https://github.com/AzureAD/microsoft-identity-web/pull/3769
• Upgrade CodeQL to V4: Fix 10 CodeQL Analysis Warnings and Errors by @​reginayap8 in https://github.com/AzureAD/microsoft-identity-web/pull/3770
• fix warnings by @​gladjohn in https://github.com/AzureAD/microsoft-identity-web/pull/3771
• adding examples for using postgres as a distributed cache by @​JaredMSFT in https://github.com/AzureAD/microsoft-identity-web/pull/3766
• Suppress AOT configuration-binding SYSLIB warnings in AotCompatibility test app by @​Copilot in https://github.com/AzureAD/microsoft-identity-web/pull/3774
• Bump vite from 7.1.11 to 7.3.2 in /tests/DevApps/SidecarAdapter/typescript by @​dependabot[bot] in https://github.com/AzureAD/microsoft-identity-web/pull/3772
• Skip legacy B2C local-account Todo UI test in WebAppUiTests by @​Copilot in https://github.com/AzureAD/microsoft-identity-web/pull/3778
• Fix initialization of ConfidentialClientApplicationOptions in MergedOptions by @​cpp11nullptr in https://github.com/AzureAD/microsoft-identity-web/pull/3760
• Bump net8/net9/net10 runtime package baselines to patched crypto servicing versions by @​Copilot in https://github.com/AzureAD/microsoft-identity-web/pull/3779
• Fix flaky certificate test failures on CI by @​gladjohn in https://github.com/AzureAD/microsoft-identity-web/pull/3780
• MTLS Without Tokens Support by @​tlupes in https://github.com/AzureAD/microsoft-identity-web/pull/3747
• Fix CredentialsProvider DI lifetime mismatch causing startup crash in Development by @​Avery-Dunn in https://github.com/AzureAD/microsoft-identity-web/pull/3783
• Remove unused DataProtection configuration from Sidecar by @​Copilot in https://github.com/AzureAD/microsoft-identity-web/pull/3776

New Contributors

• @​RojaEnnam made their first contribution in https://github.com/AzureAD/microsoft-identity-web/pull/3763
• @​reginayap8 made their first contribution in https://github.com/AzureAD/microsoft-identity-web/pull/3769
• @​JaredMSFT made their first contribution in https://github.com/AzureAD/microsoft-identity-web/pull/3766

Full Changelog: https://github.com/AzureAD/microsoft-identity-web/compare/4.6.0...4.8.0

4.7.0

4.7.0

Bug fixes

• Updates to Microsoft.Identity.Abstractions 12.0.0 to revert breaking changes introduced in Abstractions 11.0.0. (On .NET 10 target, Certificate extension method in CredentialDescription was reverted to normal property.) See #​3767.

4.6.0

What's Changed

• Move boilerplate code skills to IdWeb, and add Aspire DevApp demonstrating Blazor authentication components by @​Copilot in https://github.com/AzureAD/microsoft-identity-web/pull/3721
• Bump MSAL to 4.83.1 and re-enable Managed Identity CAE tests by @​Copilot in https://github.com/AzureAD/microsoft-identity-web/pull/3746
• Bump Abstractions to 11.2 by @​bgavrilMS in https://github.com/AzureAD/microsoft-identity-web/pull/3749
• Update documentation to reference Blazor helpers from Microsoft.Identity.Web package by @​Copilot in https://github.com/AzureAD/microsoft-identity-web/pull/3723

Full Changelog: https://github.com/AzureAD/microsoft-identity-web/compare/4.5.0...4.6.0

4.5.0

New features

• Add support for certificate store lookup by subject name. See #​3742.

Dependencies updates

• Bump minimatch in /tests/DevApps/SidecarAdapter/typescript. See #​3739.
• Bump rollup from 4.52.3 to 4.59.0 in /tests/DevApps/SidecarAdapter/typescript. See #​3740.

4.4.0

New features

• Add AOT-compatible web API authentication for .NET 10+. See #​3705 and #​3664.
• Propagate long-running web API session key back to callers in user token acquisition. See #​3728.
• Add OBO event initialization for OBO APIs. See #​3724.
• Add support for calling WithClientClaims flow for token acquisition. See #​3623.
• Add OnBeforeTokenAcquisitionForOnBehalfOf event. See #​3680.

Bug fixes

• Throw InvalidOperationException with actionable message when a custom credential is not registered. See #​3626.
• Fix event firing for InvokeOnBeforeTokenAcquisitionForOnBehalfOfAsync. See #​3717.
• Update OnBeforeTokenAcquisitionForOnBehalfOf to construct ClaimsPrincipal from token. See #​3714.
• Add a retry counter for acquire token and updated tests with a fake secret. See #​3682.
• Fix OBO user error handling. See #​3712.
• Fix override merging for app token (and others). See #​3644.
• Fix certificate reload logic to only trigger on certificate-specific errors. See #​3653.
• Update ROPC flow CCA to pass SendX5C to MSAL. See #​3671.

Dependencies updates

• Bump qs in /tests/DevApps/SidecarAdapter/typescript. See #​3725.
• Downgrade Microsoft.Extensions.Configuration.Binder to 2.1.0 on .NET Framework. See #​3730.
• Update .NET SDK to 10.0.103 to address DOTNET-Security-10.0 vulnerability. See #​3726.
• Upgrade to Microsoft.Identity.Abstractions 11 for AoT compatibility. See #​3699.
• Update to MSAL 4.81.0. See #​3665.

Documentation

• Add documentation for auto-generated session key for long-running OBO session. See #​3729.
• Improve the Aspire doc article and skills. See #​3695.
• Add an article and agent skill to add Entra ID to an Aspire app. See #​3689.
• Fix misleading comment in CertificatelessOptions.ManagedIdentityClientId. See #​3667.
• Add Copilot explore tool functionality. See #​3694.

Fundamentals

• Remove unnecessary warning suppression. See #​3715.
• Migrate labs to Lab.API 2.x (first pass). See #​3710.
• Update Sidecar E2E test constants. See #​3693.
• Fix intermittent failures in CertificatesObserverTests. See #​3687.
• Add validation baseline exclusions. See #​3684.
• Add dSTS integration tests. See #​3677.
• Fix FIC test. See #​3663.
• Update IdentityWeb version, build logic, and validation. See #​3659.

New Contributors

• @​XiaoxinMS2 made their first contribution in https://github.com/AzureAD/microsoft-identity-web/pull/3677
• @​RyAuld made their first contribution in https://github.com/AzureAD/microsoft-identity-web/pull/3687
• @​agocke made their first contribution in https://github.com/AzureAD/microsoft-identity-web/pull/3664
• @​MZOLN made their first contribution in https://github.com/AzureAD/microsoft-identity-web/pull/3700
• @​christian-posta made their first contribution in https://github.com/AzureAD/microsoft-identity-web/pull/3644
• @​4gust made their first contribution in https://github.com/AzureAD/microsoft-identity-web/pull/3682
• @​rayluo made their first contribution in https://github.com/AzureAD/microsoft-identity-web/pull/3714

4.4.0-preview.1

New features

• Add AOT-compatible web API authentication for .NET 10+. See #​3705 and #​3664.
• Propagate long-running web API session key back to callers in user token acquisition. See #​3728.
• Add OBO event initialization for OBO APIs. See #​3724.
• Add support for calling WithClientClaims flow for token acquisition. See #​3623.
• Add OnBeforeTokenAcquisitionForOnBehalfOf event. See #​3680.

Bug fixes

• Throw InvalidOperationException with actionable message when a custom credential is not registered. See #​3626.
• Fix event firing for InvokeOnBeforeTokenAcquisitionForOnBehalfOfAsync. See #​3717.
• Update OnBeforeTokenAcquisitionForOnBehalfOf to construct ClaimsPrincipal from token. See #​3714.
• Add a retry counter for acquire token and updated tests with a fake secret. See #​3682.
• Fix OBO user error handling. See #​3712.
• Fix override merging for app token (and others). See #​3644.
• Fix certificate reload logic to only trigger on certificate-specific errors. See #​3653.
• Update ROPC flow CCA to pass SendX5C to MSAL. See #​3671.

Dependencies updates

• Bump qs in /tests/DevApps/SidecarAdapter/typescript. See #​3725.
• Downgrade Microsoft.Extensions.Configuration.Binder to 2.1.0 on .NET Framework. See #​3730.
• Update .NET SDK to 10.0.103 to address DOTNET-Security-10.0 vulnerability. See #​3726.
• Upgrade to Microsoft.Identity.Abstractions 11 for AoT compatibility. See #​3699.
• Update to MSAL 4.81.0. See #​3665.

Documentation

• Add documentation for auto-generated session key for long-running OBO session. See #​3729.
• Improve the Aspire doc article and skills. See #​3695.
• Add an article and agent skill to add Entra ID to an Aspire app. See #​3689.
• Fix misleading comment in CertificatelessOptions.ManagedIdentityClientId. See #​3667.
• Add Copilot explore tool functionality. See #​3694.

Fundamentals

• Remove unnecessary warning suppression. See #​3715.
• Migrate labs to Lab.API 2.x (first pass). See #​3710.
• Update Sidecar E2E test constants. See #​3693.
• Fix intermittent failures in CertificatesObserverTests. See #​3687.
• Add validation baseline exclusions. See #​3684.
• Add dSTS integration tests. See #​3677.
• Fix FIC test. See #​3663.
• Update IdentityWeb version, build logic, and validation. See #​3659.

4.3.0

New features

• Added token binding (mTLS PoP) scenario for confidential client (app-only) token acquisition and downstream API calls. See #​3622.

Dependencies updates

• Bumped qs from 6.14.0 to 6.14.1 in /tests/DevApps/SidecarAdapter/typescript. See #​3660.

Documentation

• Modernized Identity Web documentation, which is now can be found in docs. See #​3566.
• Added token binding (mTLS PoP) documentation. See #​3661.

4.2.0

What's Changed

New features

• Added CAE claims support for FIC + Managed Identity. See #​3647 for details.
• Added AddMicrosoftIdentityMessageHandler extension methods for IHttpClientBuilder. See #​3649 for details.

Bug fixes

• Fixed tenant not being propagated in credential FIC acquisition. See #​3633 for details.
• Fixed ForAgentIdentity hardcoded 'AzureAd' ConfigurationSection to respect AuthenticationOptionsName. See #​3635 for details.
• Fixed GetTokenAcquirer to propagate MicrosoftEntraApplicationOptions properties. See #​3651 for details.
• Added meaningful error message when identity configuration is missing. See #​3637 for details.

Dependencies updates

• Update Microsoft.Identity.Abstractions to version 10.0.0.
• Bump express from 5.1.0 to 5.2.0 in /tests/DevApps/SidecarAdapter/typescript. #​3636
• Bump jws from 3.2.2 to 3.2.3 in /tests/DevApps/SidecarAdapter/typescript. #​3641

Fundamentals

• Update support policy. #​3656
• Update agent identity coordinates in E2E tests after deauth. #​3640
• Update E2E agent identity configuration to new tenant. #​3646

Full Changelog: https://github.com/AzureAD/microsoft-identity-web/compare/4.1.1...4.2.0

4.1.1

Bug fixes

• Authority-only configuration parsing improvements: Early parsing of Authority into Instance/TenantId and defensive fallback in PrepareAuthorityInstanceForMsal. Behavior is backward compatible; Authority is still ignored when Instance/TenantId explicitly provided—now surfaced via a warning. See #​3612.

New features

• Added warning diagnostics for conflicting Authority vs Instance/TenantId: Emitting a single structured warning when both styles are provided. See #​3611.

Fundamentals

• Expanded authority test matrix: Coverage for AAD (v1/v2), B2C (/tfp/ normalization, policy path), CIAM (PreserveAuthority), query parameters, scheme-less forms, and conflict scenarios. See #​3610.

4.1.0

New features

• Migrate to .NET 10 GA. #​3449 and #​3590

Dependencies updates

• Bump MSAL.NET to version 4.79.2 and handle changes to deprecated WithExtraQueryParameters APIs. #​3583
• Update Microsoft.IdentityModel and Abstractions versions. #​3604
• Update coverlet.collector to 6.0.4. #​3587
• Update package validation baseline version to 4.0.0. #​3589
• Bump js-yaml from 4.1.0 to 4.1.1 in /tests/DevApps/SidecarAdapter/typescript. #​3595

Entra ID SDK sidecar

• Restrict hosts to localhost for sidecar. #​3579
• Update http file to match endpoints. #​3555
• Revise sidecar issue template for Entra ID. #​3577

Documentation

• Update README to include Entra SDK container info. #​3578

Fundamentals

• Include NET 9.0 in template-install-dependencies. #​3593
• Fix CodeQL alerts. #​3591
• Suppression file is needed. #​3592

4.0.1

Bugs fixes

• Correctly compute Application Key when credential usage fails.
• Fix bugs where agent user identities didn't work with non-default authentication schemes.

Fundamentals

• Update .net version to CG compliance

Sidecar

• Configure Sidecar to default AllowWebApiToBeAuthorizedByACL to true as the container doesn't do authZ

4.0.0

4.0.0

Breaking Changes

Removed support for .NET 6.0 and .NET 7.0 - Microsoft Identity Web 4.0.0 no longer targets .NET 6.0 and .NET 7.0, following Microsoft's support lifecycle. The supported target frameworks are now .NET 8.0, .NET 9.0, .NET Framework 4.6.2, .NET Framework 4.7.2, and .NET Standard 2.0.

See MIGRATION_GUIDE_V4

New features

• Various improvements to performance logging, authentication, and credential loading capabilities.
• Bumped MSAL.NET to 4.77.1
• Added credential description extensibility. For details, see #​3487
• Added a new CerticateObserverAction type: SuccessfullyUsed and support for multiple certificate observers for improved certificate lifecycle management and telemetry. See #​3505
• Add specification of OID (in addition to upn) when requesting an authorization header for Agent User Identity. See #​3513
• Added ClaimsPrincipal and ClaimsIdentity extension methods for agent identity detection in web APIs enabling developers to easily detect agent identities and retrieve parent agent blueprint from token claims. See #​3515
• Added MicrosoftIdentityMessageHandler for flexible HttpClient authentication. Provides composable alternative to DownstreamApi with per-request authentication configuration. Supports WWW-Authenticate challenge handling. See #​3503
• Support for multiple certificate observers. See #​3506
• The Microsoft.Identity.Web.Sidecar will provide a container solution for validation and token acquisition in any-language. See #​3524

Bug Fixes

• Fixed TokenAcquirerFactory null reference when AppContext.BaseDirectory is root path. See #​3443
• Fixed IDW10405 error when using managed identity with common tenant. See #​3415
• Removed hard dependency on IConfiguration in OidcIdpSignedAssertionLoader. See #​3414

Fundamentals

• Various improvements to .NET support and dependency optimizations.
• Added doc for Agent identities. See Agent identities
• Combined and fixed test collections. See #​3472
• Migrate repository agent rules from .clinerules to agents.md. See #​3475
• Add .NET 6.x setup step to dotnetcore.yml workflow, as the default build agents don't have it any longer. See #​3489
• Renamed NET 7 tests to ThreadingTests for framework independence. See #​3501

Commits viewable in compare view.

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)