Handling of personally-identifiable information in MSAL.NET

Data classification

Microsoft defines the following data classification. MSAL libraries, for simplicity, expose a single PII (personally identifiable information) enablement flag for logging. This single flag combines all categories covered by the data classification document.

Logging approach

To read more about how MSAL.NET does logging, refer to Logging in MSAL.NET. Specifically, logging data that contains personally-identifiable information (PII) will require the use of the enablePiiLogging flag when using WithLogging(IIdentityLogger, Boolean).

Note

Using enablePiiLogging will influence what PII is shown in MSAL exception messages, including those that stem from the using the Web Account Manager (WAM). This also coveres end-user identifiable information (EUII), such as UPN, name, or email.

What MSAL will never log

  • Tokens, including access tokens, ID tokens, refresh tokens, and client assertions generated by MSAL.
  • Passwords, as MSAL is only given the password during the username and password flow. MSAL does not have access to the password entered by the user in a browser.
  • Authorization codes.
  • PKCE code.
  • Successful network responses from the /authorize or /token endpoints because they may contain tokens or auth codes.
  • Network requests, as they may contain passwords.
  • Private keys of certificates.

What MSAL considers as PII

  • Username.
  • Login hint.
  • ID token claims, which include names, address, or other user details. MSAL only parses the ID token, it never looks at access or refresh tokens.
  • Authorization URI, as it may contain a login hint.
  • Object ID (i.e. oid claim).

What MSAL does not consider as PII

  • IDs related to an organization or tenant (not the user) like tenant ID, directory ID, or directory name (e.g. contoso.onmicrosoft.com).
  • Authority.
  • Scopes and resource names.
  • Client (application) ID.
  • Service principal details, such as object ID and client ID.
  • Exception messages and stack traces, including error codes coming from Microsoft Entra ID.
  • HTTP details other than request and response (for example, HTTP status codes or payload size).
  • Correlation IDs.
  • Runtime details, such as OS name, .NET platform version.
  • Internal API details, such as class names, method names.
  • Request details, such as algorithm names (e.g. RSA) or OIDC constants.
  • Certificate thumbprints other than key IDs.

PII in exceptions

MSAL generates exception messages that do not contain PII. MsalException instances, generated by MSAL or passed from Microsoft Entra ID, are considered to not contain PII.

Some framework exception may contain PII, although this is rare (e.g. a PathInvalidException may contain the username). MSAL takes care to not log framework exceptions which may contain PII.

Organization identifiable information

MSAL can log organization identifiable information (OII) because, as per the official data classification, organization identifiable information is not considered PII. OII includes data like tenant ID, object ID for service principals, or scope names. The application developer still controls the destination of this logging data.