Handling of personally-identifiable information in MSAL.NET

Data classification

Microsoft defines a data classification for the information an application may log. MSAL libraries, for simplicity, expose a single "allow PII" (personally identifiable information) flag for logging. This single flag covers all the data categories of that classification: with the flag off, MSAL withholds everything it classifies as PII; with the flag on, those values are handed to the app's logging callback, and the app is responsible for where they end up.
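The following is an added example (not code from the MSAL.NET project) showing how an app wires the "allow PII" flag to MSAL.NET's logging callback. The client ID and file paths are placeholders. The point it demonstrates is that MSAL tags every log message with `containsPii`, so an app that turns PII logging on for troubleshooting can still keep PII out of its general log by routing on that flag.

```csharp
using System;
using System.IO;
using Microsoft.Identity.Client;

// Added example, not MSAL.NET's own code. ClientId and the two log paths are
// placeholders for this illustration.
public static class MsalLoggingSetup
{
    private const string ClientId = "00000000-0000-0000-0000-000000000000";
    private const string GeneralLogPath = "msal-general.log";
    private const string RestrictedLogPath = "msal-pii.log"; // restrict access to this file

    // MSAL.NET's LogCallback delegate: (LogLevel level, string message, bool containsPii).
    // MSAL raises containsPii == true only for messages that carry PII, and only when
    // enablePiiLogging was set to true; with it false those messages are not emitted.
    private static void MsalLogCallback(LogLevel level, string message, bool containsPii)
    {
        string line = $"{DateTime.UtcNow:o} [{level}] {message}";
        // Route by classification so PII never lands in the general application log.
        string target = containsPii ? RestrictedLogPath : GeneralLogPath;
        File.AppendAllText(target, line + Environment.NewLine);
    }

    // Default configuration: PII logging off. Usernames, login hints, ID token claims
    // and the authorization URI are withheld; tenant ID, scopes, client ID, error codes
    // and correlation IDs still appear because MSAL does not classify them as PII.
    public static IPublicClientApplication BuildWithoutPii()
    {
        return PublicClientApplicationBuilder.Create(ClientId)
            .WithLogging(MsalLogCallback, LogLevel.Info, enablePiiLogging: false)
            .Build();
    }

    // Diagnostics configuration: PII logging on. Use only when the destination of the
    // PII-flagged messages is controlled. Tokens, passwords, authorization codes and
    // private keys are never logged by MSAL regardless of this flag.
    public static IPublicClientApplication BuildWithPiiForDiagnostics()
    {
        return PublicClientApplicationBuilder.Create(ClientId)
            .WithLogging(MsalLogCallback, LogLevel.Verbose, enablePiiLogging: true)
            .Build();
    }
}
```

Splitting the sinks on `containsPii` rather than on log level is the useful habit: verbosity and data classification are independent, and the flag is the only signal MSAL gives about the latter.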

What MSAL will never log

  • tokens (access tokens, ID tokens, refresh tokens, client assertions generated by MSAL, etc.)
  • passwords (MSAL is only given the password during the Username / Password (ROPC) flow. MSAL does not have access to a password entered by the user in a browser.)
  • authorization codes
  • the PKCE code verifier
  • successful network responses from the /authorize or /token endpoints (they may contain tokens or authorization codes)
  • network requests (they may contain passwords or client assertions)
  • private keys of certificates

What MSAL considers as PII

  • username
  • login hint
  • ID token claims, which include names, addresses and other user details (MSAL parses only the ID token; it never inspects access or refresh tokens)
  • authorization URI (it may contain a login hint)
  • the user's object ID (i.e. the oid claim of the ID token)

What MSAL does not consider as PII

  • IDs related to an organization or tenant rather than to a user, such as tenant ID, directory ID and directory name (e.g. contoso.onmicrosoft.com)
  • authority
  • scopes and resource names
  • client (application) ID
  • service principal details (the service principal's own object ID and client ID, as opposed to a user's object ID)
  • exception messages and stack traces, including error codes coming from Microsoft Entra ID
  • HTTP details other than the request and response bodies (HTTP status codes, payload size, etc.)
  • correlation ID
  • runtime details (OS name, .NET version)
  • internal API details (class names, method names)
  • request details (algorithm names (e.g. RSA), OIDC constants, etc.)
  • certificate thumbprints other than key IDs

PII in exceptions

MSAL generates exception messages that do not contain PII. MsalExceptions, whether generated by MSAL itself or carrying an error returned by Microsoft Entra ID, are considered not to contain PII.

Some framework exceptions may contain PII, although this is rare (e.g. a PathInvalidException may contain the username, because user-profile paths embed it). MSAL takes care not to log framework exceptions that may contain PII.
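As an added example (not MSAL.NET's own code), the following shows the same distinction applied in an app's own exception handling around a token acquisition: MSAL exceptions are logged with their message and error code, while other exceptions are logged by type name only, because their messages may carry PII. The `log` delegate stands in for whatever logger the app uses.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example, not MSAL.NET's own code. `log` is an assumed application logger
// that writes to the general, non-restricted log.
public static class SafeExceptionLogging
{
    public static async Task<AuthenticationResult> AcquireSilentlyAsync(
        IPublicClientApplication app, string[] scopes, Action<string> log)
    {
        try
        {
            var accounts = await app.GetAccountsAsync();
            return await app.AcquireTokenSilent(scopes, accounts.FirstOrDefault())
                            .ExecuteAsync();
        }
        catch (MsalUiRequiredException ex)
        {
            // Generated by MSAL: error code and message are classified as PII-free,
            // and the correlation ID is safe to log for support cases.
            log($"MSAL: interaction required, errorCode={ex.ErrorCode}, " +
                $"correlationId={ex.CorrelationId}, message={ex.Message}");
            return null;
        }
        catch (MsalException ex)
        {
            // Covers MsalServiceException (errors relayed from Microsoft Entra ID)
            // and MsalClientException; both are classified as PII-free.
            log($"MSAL: errorCode={ex.ErrorCode}, correlationId={ex.CorrelationId}, " +
                $"message={ex.Message}");
            throw;
        }
        catch (Exception ex)
        {
            // A framework exception may embed a username (for example in a file path).
            // Log only the type name here; keep the full exception for a restricted sink.
            log($"Unexpected {ex.GetType().FullName} during token acquisition");
            throw;
        }
    }
}
```

Ordering matters: MsalUiRequiredException derives from MsalServiceException, which derives from MsalException, so the most specific catch comes first and the catch-all for framework exceptions last.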

Organization identifiable information

MSAL can log organization identifiable information (OII) because, under the official data classification, organization identifiable information is not PII. OII includes data such as the tenant ID, the object ID of a service principal, and scope names. Remember that the app developer still controls the destination of this logging data: OII ends up wherever the app's logging callback sends it.