| title | description |
|---|---|
| Handling of personally-identifiable information in MSAL.NET | Outlines what MSAL considers to be personally identifiable information. |
Microsoft defines the following data classification. MSAL libraries, for simplicity, expose a single PII (personally identifiable information) enablement flag for logging. This single flag combines all categories covered by the data classification document.
To read more about how MSAL.NET does logging, refer to Logging in MSAL.NET. Specifically, logging data that contains personally-identifiable information (PII) requires the `enablePiiLogging` flag when using xref:Microsoft.Identity.Client.BaseAbstractApplicationBuilder%601.WithLogging(Microsoft.IdentityModel.Abstractions.IIdentityLogger,System.Boolean).
Note

Using `enablePiiLogging` will influence what PII is shown in MSAL exception messages, including those that stem from using the Web Account Manager (WAM). This also covers end-user identifiable information (EUII), such as UPN, name, or email.
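The following added example (not code from the MSAL.NET documentation) shows how the flag is wired through the `IIdentityLogger` overload of `WithLogging` referenced above: PII logging stays off unless an opt-in environment variable is set, and the logger always records the correlation ID, which is classified as non-PII. The variable name `MSAL_ENABLE_PII_LOGGING` and the client ID are placeholders chosen for this example.

```csharp
using System;
using Microsoft.Identity.Client;
using Microsoft.IdentityModel.Abstractions;

// Minimal IIdentityLogger that writes MSAL log entries to the console.
// Whether those entries may contain PII is decided by the flag passed to WithLogging, not here.
public sealed class ConsoleIdentityLogger : IIdentityLogger
{
    private readonly EventLogLevel _maxLevel;

    public ConsoleIdentityLogger(EventLogLevel maxLevel) => _maxLevel = maxLevel;

    // MSAL calls this before formatting a message, so returning false avoids the work.
    // EventLogLevel is ordered LogAlways(0) .. Verbose(5): a smaller number is more severe.
    public bool IsEnabled(EventLogLevel eventLogLevel) => eventLogLevel <= _maxLevel;

    public void Log(LogEntry entry)
    {
        // The correlation ID is always-logged, non-PII data; keep it on every line so a
        // failed request can be matched with Microsoft Entra ID diagnostics later.
        Console.WriteLine($"[{entry.EventLogLevel}] cid={entry.CorrelationId} {entry.Message}");
    }
}

public static class Program
{
    public static void Main()
    {
        // Default to no PII; opt in only for a specific debugging session.
        // MSAL_ENABLE_PII_LOGGING is an assumed name for this example, not an MSAL setting.
        bool enablePiiLogging = string.Equals(
            Environment.GetEnvironmentVariable("MSAL_ENABLE_PII_LOGGING"),
            "true",
            StringComparison.OrdinalIgnoreCase);

        IPublicClientApplication app = PublicClientApplicationBuilder
            .Create("00000000-0000-0000-0000-000000000000") // placeholder client (application) ID
            .WithAuthority("https://login.microsoftonline.com/contoso.onmicrosoft.com")
            // Second argument is the enablePiiLogging flag from the page: false keeps
            // usernames, login hints and ID token claims out of the log output.
            .WithLogging(new ConsoleIdentityLogger(EventLogLevel.Informational), enablePiiLogging)
            .Build();

        Console.WriteLine($"PII logging enabled: {enablePiiLogging}");
        Console.WriteLine($"Authority: {app.Authority}");
    }
}
```

With the variable unset, subsequent MSAL output and exception messages contain only the non-PII categories listed below; setting it to `true` widens the output to include the PII and EUII categories for the duration of that process.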
- Tokens, including access tokens, ID tokens, refresh tokens, and client assertions generated by MSAL.
- Passwords, as MSAL is only given the password during the username and password flow. MSAL does not have access to the password entered by the user in a browser.
- Authorization codes.
- PKCE code.
- Successful network responses from the `/authorize` or `/token` endpoints, because they may contain tokens or auth codes.
- Network requests, as they may contain passwords.
- Private keys of certificates.
- Username.
- Login hint.
- ID token claims, which include names, address, or other user details. MSAL only parses the ID token, it never looks at access or refresh tokens.
- Authorization URI, as it may contain a login hint.
- Object ID (i.e. the `oid` claim).
- IDs related to an organization or tenant (not the user) like tenant ID, directory ID, or directory name (e.g. `contoso.onmicrosoft.com`).
- Authority.
- Scopes and resource names.
- Client (application) ID.
- Service principal details, such as object ID and client ID.
- Exception messages and stack traces, including error codes coming from Microsoft Entra ID.
- HTTP details other than request and response (for example, HTTP status codes or payload size).
- Correlation IDs.
- Runtime details, such as OS name, .NET platform version.
- Internal API details, such as class names, method names.
- Request details, such as algorithm names (e.g. RSA) or OIDC constants.
- Certificate thumbprints other than key IDs.
MSAL generates exception messages that do not contain PII. xref:Microsoft.Identity.Client.MsalException instances, generated by MSAL or passed from Microsoft Entra ID, are considered to not contain PII.
Some framework exceptions may contain PII, although this is rare (e.g. a PathInvalidException may contain the username). MSAL takes care not to log framework exceptions which may contain PII.
MSAL can log organization identifiable information (OII) because, as per the official data classification, organization identifiable information is not considered PII. OII includes data like tenant ID, object ID for service principals, or scope names. The application developer still controls the destination of this logging data.