Logging in MSAL applications

Microsoft Authentication Library (MSAL) apps generate log messages that can help diagnose issues. An app can configure logging with a few lines of code, and have custom control over the level of detail and whether or not personal and organizational data is logged. We recommend you create an MSAL logging callback and provide a way for users to submit logs when they have authentication issues.

Logging levels

MSAL provides several levels of logging detail:

  • Error: Indicates something has gone wrong and an error was generated. Use for debugging and identifying problems.
  • Warning: There hasn't necessarily been an error or failure, but are intended for diagnostics and pinpointing problems.
  • Info: MSAL will log events intended for informational purposes not necessarily intended for debugging.
  • Verbose: Default. MSAL logs the full details of library behavior.

Personal and organizational data

By default, the MSAL logger doesn't capture any highly sensitive personal or organizational data. The library provides the option to enable logging personal and organizational data if you decide to do so.

For details about MSAL logging in a particular language, choose the tab matching your language:

Logging in MSAL.NET


See the MSAL.NET wiki for samples of MSAL.NET logging and more.

In MSAL 3.x, logging is set per application at app creation using the .WithLogging builder modifier. This method takes optional parameters:

  • Level enables you to decide which level of logging you want. Setting it to Errors will only get errors
  • PiiLoggingEnabled enables you to log personal and organizational data if set to true. By default this is set to false, so that your application does not log personal data.
  • LogCallback is set to a delegate that does the logging. If PiiLoggingEnabled is true, this method will receive the messages twice: once with the containsPii parameter equals false and the message without personal data, and a second time with the containsPii parameter equals to true and the message might contain personal data. In some cases (when the message does not contain personal data), the message will be the same.
  • DefaultLoggingEnabled enables the default logging for the platform. By default it's false. If you set it to true it uses Event Tracing in Desktop/UWP applications, NSLog on iOS and logcat on Android.
class Program
  private static void Log(LogLevel level, string message, bool containsPii)
     if (containsPii)
        Console.ForegroundColor = ConsoleColor.Red;
     Console.WriteLine($"{level} {message}");

  static void Main(string[] args)
    var scopes = new string[] { "User.Read" };

    var application = PublicClientApplicationBuilder.Create("<clientID>")
                      .WithLogging(Log, LogLevel.Info, true)

    AuthenticationResult result = application.AcquireTokenInteractive(scopes)