// the find
AzureAD/microsoft-authentication-library-for-dotnet
Microsoft Authentication Library (MSAL) for .NET
The official Microsoft Authentication Library for .NET — handles OAuth2/OIDC token acquisition against Azure AD (Entra ID), B2C, and managed identity endpoints. If you're building .NET apps that need to talk to Microsoft identity, this is the library you use, not a library you choose. It covers every flow: interactive, device code, client credentials, OBO, WAM broker, managed identity.
Managed identity support is genuinely good — IMDS v1/v2, Azure Arc, and the newer MSI v2 with key attestation are all handled, with retry logic baked in. The token cache is properly designed: in-memory with a documented extensibility layer (MsalCacheHelper) for cross-platform persistence (DPAPI on Windows, Keychain on Mac, libsecret on Linux). The fluent builder API makes it hard to misconfigure a flow — required vs. optional parameters are enforced at compile time. The mTLS Proof-of-Possession (mtls-POP) work is ahead of most identity SDKs; the skills directory even includes working code examples.
The surface area is enormous and the versioning policy is aggressive — minor versions older than N-1 are unsupported, so you're expected to update constantly or you're on your own. The confidential client flow (client credentials) has a subtle cache partitioning gotcha: if you share one `IConfidentialClientApplication` instance across tenants or scopes without setting the right options, you'll silently get wrong tokens from cache. Error handling is inconsistent — some failures throw `MsalServiceException` with useful error codes, others surface as inner exceptions that you have to unwrap. The new MSI v2 / key attestation features are Windows-only (KeyGuard, hardware binding) with no Linux equivalent, which isn't obvious from the top-level API.