Bogdan Gavril edited this page Jan 9, 2023 · 5 revisions

What MSAL will never log

  • tokens (access tokens, id tokens, refresh tokens, client assertions generated by MSAL etc.)
  • passwords (MSAL is only ever given a password in the Username / Password (ROPC) flow; it never has access to a password the user types into a browser)
  • authorization codes
  • PKCE code
  • successful network responses from the /authorize or /token endpoint (they might contain tokens or auth codes)
  • network requests (they might contain passwords)
  • private keys of certs

What MSALs consider PII

  • username
  • login hint
  • id token claims (note that MSAL only parses the id token; it never parses the access token or the refresh token)
  • authorization uri (it may contain a login hint)
  • Object ID aka oid

What MSALs do not consider PII

  • IDs related to an organization / tenant (not the user) - tenant id, directory id, directory name (e.g. contoso.onmicrosoft.com)
  • authority
  • client / application id
  • exception messages and stack traces, including error codes coming from AAD
  • HTTP details other than request / response (e.g. HTTP status codes, payload size etc.)
  • correlation id
  • runtime details (OS name, .NET version)
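The lists above describe the classification MSAL applies; what an application sees depends on how it wires the log callback. The following is an added example (not code from this wiki or from the MSAL.NET library) showing a MSAL.NET logging callback that keeps PII out of the main application log by default and routes PII-tagged lines to a separate sink. The client id string and the console sinks are placeholders.

```csharp
using System;
using Microsoft.Identity.Client;

// Added example, not part of the MSAL.NET wiki. Assumptions: "YOUR_CLIENT_ID" is a
// placeholder, and the two Console streams stand in for real log sinks.
public static class MsalLoggingExample
{
    // MSAL invokes this callback for every log line it emits.
    // 'containsPii' is true only when enablePiiLogging was set to true AND the
    // message carries one of the items MSAL classifies as PII (username, login
    // hint, id token claims, authorization uri, oid). Tokens, passwords, auth
    // codes and private keys are never logged regardless of this setting.
    private static void Log(LogLevel level, string message, bool containsPii)
    {
        if (containsPii)
        {
            // Placeholder for an access-controlled sink; never mix with the general log.
            Console.Error.WriteLine($"[PII] {level}: {message}");
            return;
        }

        Console.WriteLine($"{level}: {message}");
    }

    public static IPublicClientApplication Build(bool piiLoggingForDebugging = false)
    {
        return PublicClientApplicationBuilder
            .Create("YOUR_CLIENT_ID") // placeholder, not a real application id
            .WithAuthority(AzureCloudInstance.AzurePublic, "common")
            .WithLogging(Log,
                         LogLevel.Info,
                         // Leave false in production; MSAL then emits scrubbed
                         // messages instead of the PII items listed above.
                         enablePiiLogging: piiLoggingForDebugging,
                         // Keep MSAL from also writing to the platform default log.
                         enableDefaultPlatformLogging: false)
            .Build();
    }
}
```

Keeping `enablePiiLogging` false is the safe default: the non-PII items above (tenant id, authority, client id, correlation id, error codes, HTTP status codes) are enough to correlate a failure with a request in the AAD sign-in logs, and they are what a support case will ask for first.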
