@azure/identity 3.0.0-beta.1 → 3.0.0

package/dist/index.js

@@ -3,21 +3,21 @@
 Object.defineProperty(exports, '__esModule', { value: true });
 
 var msalNode = require('@azure/msal-node');
-var coreClient = require('@azure/core-client');
+var msalCommon = require('@azure/msal-common');
+var logger$m = require('@azure/logger');
+var abortController = require('@azure/abort-controller');
 var coreUtil = require('@azure/core-util');
+var uuid = require('uuid');
+var coreClient = require('@azure/core-client');
 var coreRestPipeline = require('@azure/core-rest-pipeline');
-var abortController = require('@azure/abort-controller');
 var coreTracing = require('@azure/core-tracing');
-var logger$m = require('@azure/logger');
-var msalCommon = require('@azure/msal-common');
-var uuid = require('uuid');
 var fs = require('fs');
 var os = require('os');
 var path = require('path');
-var child_process = require('child_process');
-var crypto = require('crypto');
 var util = require('util');
 var https = require('https');
+var child_process = require('child_process');
+var crypto = require('crypto');
 var http = require('http');
 var open = require('open');
 var stoppable = require('stoppable');
@@ -47,9 +47,9 @@ var msalCommon__namespace = /*#__PURE__*/_interopNamespace(msalCommon);
 var fs__default = /*#__PURE__*/_interopDefaultLegacy(fs);
 var os__default = /*#__PURE__*/_interopDefaultLegacy(os);
 var path__default = /*#__PURE__*/_interopDefaultLegacy(path);
+var https__default = /*#__PURE__*/_interopDefaultLegacy(https);
 var child_process__default = /*#__PURE__*/_interopDefaultLegacy(child_process);
 var child_process__namespace = /*#__PURE__*/_interopNamespace(child_process);
-var https__default = /*#__PURE__*/_interopDefaultLegacy(https);
 var http__default = /*#__PURE__*/_interopDefaultLegacy(http);
 var open__default = /*#__PURE__*/_interopDefaultLegacy(open);
 var stoppable__default = /*#__PURE__*/_interopDefaultLegacy(stoppable);
@@ -173,74 +173,6 @@ class AuthenticationRequiredError extends Error {
     }
 }
 
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-function getIdentityTokenEndpointSuffix(tenantId) {
-    if (tenantId === "adfs") {
-        return "oauth2/token";
-    }
-    else {
-        return "oauth2/v2.0/token";
-    }
-}
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-/**
- * Current version of the `@azure/identity` package.
- */
-const SDK_VERSION = `3.0.0-beta.1`;
-/**
- * The default client ID for authentication
- * @internal
- */
-// TODO: temporary - this is the Azure CLI clientID - we'll replace it when
-// Developer Sign On application is available
-// https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/src/Constants.cs#L9
-const DeveloperSignOnClientId = "04b07795-8ddb-461a-bbee-02f9e1bf7b46";
-/**
- * The default tenant for authentication
- * @internal
- */
-const DefaultTenantId = "common";
-/**
- * A list of known Azure authority hosts
- */
-exports.AzureAuthorityHosts = void 0;
-(function (AzureAuthorityHosts) {
-    /**
-     * China-based Azure Authority Host
-     */
-    AzureAuthorityHosts["AzureChina"] = "https://login.chinacloudapi.cn";
-    /**
-     * Germany-based Azure Authority Host
-     */
-    AzureAuthorityHosts["AzureGermany"] = "https://login.microsoftonline.de";
-    /**
-     * US Government Azure Authority Host
-     */
-    AzureAuthorityHosts["AzureGovernment"] = "https://login.microsoftonline.us";
-    /**
-     * Public Cloud Azure Authority Host
-     */
-    AzureAuthorityHosts["AzurePublicCloud"] = "https://login.microsoftonline.com";
-})(exports.AzureAuthorityHosts || (exports.AzureAuthorityHosts = {}));
-/**
- * The default authority host.
- */
-const DefaultAuthorityHost = exports.AzureAuthorityHosts.AzurePublicCloud;
-
-// Copyright (c) Microsoft Corporation.
-/**
- * Creates a span using the global tracer.
- * @internal
- */
-const tracingClient = coreTracing.createTracingClient({
-    namespace: "Microsoft.AAD",
-    packageName: "@azure/identity",
-    packageVersion: SDK_VERSION,
-});
-
 // Copyright (c) Microsoft Corporation.
 /**
  * The AzureLogger used for all clients within the identity package
@@ -293,11 +225,15 @@ function credentialLoggerInstance(title, parent, log = logger$l) {
     function warning(message) {
         log.warning(`${fullTitle} =>`, message);
     }
+    function verbose(message) {
+        log.verbose(`${fullTitle} =>`, message);
+    }
     return {
         title,
         fullTitle,
         info,
         warning,
+        verbose,
     };
 }
 /**
@@ -316,65 +252,402 @@ function credentialLogger(title, log = logger$l) {
 }
 
 // Copyright (c) Microsoft Corporation.
-const noCorrelationId = "noCorrelationId";
+// Licensed under the MIT license.
+/**
+ * Current version of the `@azure/identity` package.
+ */
+const SDK_VERSION = `3.0.0-beta.1`;
 /**
+ * The default client ID for authentication
  * @internal
  */
-function getIdentityClientAuthorityHost(options) {
-    // The authorityHost can come from options or from the AZURE_AUTHORITY_HOST environment variable.
-    let authorityHost = options === null || options === void 0 ? void 0 : options.authorityHost;
-    // The AZURE_AUTHORITY_HOST environment variable can only be provided in Node.js.
-    if (coreUtil.isNode) {
-        authorityHost = authorityHost !== null && authorityHost !== void 0 ? authorityHost : process.env.AZURE_AUTHORITY_HOST;
+// TODO: temporary - this is the Azure CLI clientID - we'll replace it when
+// Developer Sign On application is available
+// https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/src/Constants.cs#L9
+const DeveloperSignOnClientId = "04b07795-8ddb-461a-bbee-02f9e1bf7b46";
+/**
+ * The default tenant for authentication
+ * @internal
+ */
+const DefaultTenantId = "common";
+/**
+ * A list of known Azure authority hosts
+ */
+exports.AzureAuthorityHosts = void 0;
+(function (AzureAuthorityHosts) {
+    /**
+     * China-based Azure Authority Host
+     */
+    AzureAuthorityHosts["AzureChina"] = "https://login.chinacloudapi.cn";
+    /**
+     * Germany-based Azure Authority Host
+     */
+    AzureAuthorityHosts["AzureGermany"] = "https://login.microsoftonline.de";
+    /**
+     * US Government Azure Authority Host
+     */
+    AzureAuthorityHosts["AzureGovernment"] = "https://login.microsoftonline.us";
+    /**
+     * Public Cloud Azure Authority Host
+     */
+    AzureAuthorityHosts["AzurePublicCloud"] = "https://login.microsoftonline.com";
+})(exports.AzureAuthorityHosts || (exports.AzureAuthorityHosts = {}));
+/**
+ * The default authority host.
+ */
+const DefaultAuthorityHost = exports.AzureAuthorityHosts.AzurePublicCloud;
+/**
+ * Allow acquiring tokens for any tenant for multi-tentant auth.
+ */
+const ALL_TENANTS = ["*"];
+
+// Copyright (c) Microsoft Corporation.
+/**
+ * Latest AuthenticationRecord version
+ * @internal
+ */
+const LatestAuthenticationRecordVersion = "1.0";
+/**
+ * Ensures the validity of the MSAL token
+ * @internal
+ */
+function ensureValidMsalToken(scopes, logger, msalToken, getTokenOptions) {
+    const error = (message) => {
+        logger.getToken.info(message);
+        return new AuthenticationRequiredError({
+            scopes: Array.isArray(scopes) ? scopes : [scopes],
+            getTokenOptions,
+            message,
+        });
+    };
+    if (!msalToken) {
+        throw error("No response");
+    }
+    if (!msalToken.expiresOn) {
+        throw error(`Response had no "expiresOn" property.`);
+    }
+    if (!msalToken.accessToken) {
+        throw error(`Response had no "accessToken" property.`);
     }
-    // If the authorityHost is not provided, we use the default one from the public cloud: https://login.microsoftonline.com
-    return authorityHost !== null && authorityHost !== void 0 ? authorityHost : DefaultAuthorityHost;
 }
 /**
- * The network module used by the Identity credentials.
+ * Generates a valid authority by combining a host with a tenantId.
+ * @internal
+ */
+function getAuthority(tenantId, host) {
+    if (!host) {
+        host = DefaultAuthorityHost;
+    }
+    if (new RegExp(`${tenantId}/?$`).test(host)) {
+        return host;
+    }
+    if (host.endsWith("/")) {
+        return host + tenantId;
+    }
+    else {
+        return `${host}/${tenantId}`;
+    }
+}
+/**
+ * Generates the known authorities.
+ * If the Tenant Id is `adfs`, the authority can't be validated since the format won't match the expected one.
+ * For that reason, we have to force MSAL to disable validating the authority
+ * by sending it within the known authorities in the MSAL configuration.
+ * @internal
+ */
+function getKnownAuthorities(tenantId, authorityHost) {
+    if (tenantId === "adfs" && authorityHost) {
+        return [authorityHost];
+    }
+    return [];
+}
+/**
+ * Generates a logger that can be passed to the MSAL clients.
+ * @param logger - The logger of the credential.
+ * @internal
+ */
+const defaultLoggerCallback = (logger, platform = coreUtil.isNode ? "Node" : "Browser") => (level, message, containsPii) => {
+    if (containsPii) {
+        return;
+    }
+    switch (level) {
+        case msalCommon__namespace.LogLevel.Error:
+            logger.info(`MSAL ${platform} V2 error: ${message}`);
+            return;
+        case msalCommon__namespace.LogLevel.Info:
+            logger.info(`MSAL ${platform} V2 info message: ${message}`);
+            return;
+        case msalCommon__namespace.LogLevel.Verbose:
+            logger.info(`MSAL ${platform} V2 verbose message: ${message}`);
+            return;
+        case msalCommon__namespace.LogLevel.Warning:
+            logger.info(`MSAL ${platform} V2 warning: ${message}`);
+            return;
+    }
+};
+/**
+ * The common utility functions for the MSAL clients.
+ * Defined as a class so that the classes extending this one can have access to its methods and protected properties.
  *
- * It allows for credentials to abort any pending request independently of the MSAL flow,
- * by calling to the `abortRequests()` method.
+ * It keeps track of a logger and an in-memory copy of the AuthenticationRecord.
  *
+ * @internal
  */
-class IdentityClient extends coreClient.ServiceClient {
+class MsalBaseUtilities {
     constructor(options) {
-        var _a, _b;
-        const packageDetails = `azsdk-js-identity/${SDK_VERSION}`;
-        const userAgentPrefix = ((_a = options === null || options === void 0 ? void 0 : options.userAgentOptions) === null || _a === void 0 ? void 0 : _a.userAgentPrefix)
-            ? `${options.userAgentOptions.userAgentPrefix} ${packageDetails}`
-            : `${packageDetails}`;
-        const baseUri = getIdentityClientAuthorityHost(options);
-        if (!baseUri.startsWith("https:")) {
-            throw new Error("The authorityHost address must use the 'https' protocol.");
-        }
-        super(Object.assign(Object.assign({ requestContentType: "application/json; charset=utf-8", retryOptions: {
-                maxRetries: 3,
-            } }, options), { userAgentOptions: {
-                userAgentPrefix,
-            }, baseUri }));
-        this.authorityHost = baseUri;
-        this.abortControllers = new Map();
-        this.allowLoggingAccountIdentifiers = (_b = options === null || options === void 0 ? void 0 : options.loggingOptions) === null || _b === void 0 ? void 0 : _b.allowLoggingAccountIdentifiers;
+        this.logger = options.logger;
+        this.account = options.authenticationRecord;
     }
-    async sendTokenRequest(request, expiresOnParser) {
-        logger$l.info(`IdentityClient: sending token request to [${request.url}]`);
-        const response = await this.sendRequest(request);
-        expiresOnParser =
-            expiresOnParser ||
-                ((responseBody) => {
-                    return Date.now() + responseBody.expires_in * 1000;
-                });
-        if (response.bodyAsText && (response.status === 200 || response.status === 201)) {
-            const parsedBody = JSON.parse(response.bodyAsText);
-            if (!parsedBody.access_token) {
-                return null;
-            }
+    /**
+     * Generates a UUID
+     */
+    generateUuid() {
+        return uuid.v4();
+    }
+    /**
+     * Handles the MSAL authentication result.
+     * If the result has an account, we update the local account reference.
+     * If the token received is invalid, an error will be thrown depending on what's missing.
+     */
+    handleResult(scopes, clientId, result, getTokenOptions) {
+        if (result === null || result === void 0 ? void 0 : result.account) {
+            this.account = msalToPublic(clientId, result.account);
+        }
+        ensureValidMsalToken(scopes, this.logger, result, getTokenOptions);
+        this.logger.getToken.info(formatSuccess(scopes));
+        return {
+            token: result.accessToken,
+            expiresOnTimestamp: result.expiresOn.getTime(),
+        };
+    }
+    /**
+     * Handles MSAL errors.
+     */
+    handleError(scopes, error, getTokenOptions) {
+        if (error.name === "AuthError" ||
+            error.name === "ClientAuthError" ||
+            error.name === "BrowserAuthError") {
+            const msalError = error;
+            switch (msalError.errorCode) {
+                case "endpoints_resolution_error":
+                    this.logger.info(formatError(scopes, error.message));
+                    return new CredentialUnavailableError(error.message);
+                case "device_code_polling_cancelled":
+                    return new abortController.AbortError("The authentication has been aborted by the caller.");
+                case "consent_required":
+                case "interaction_required":
+                case "login_required":
+                    this.logger.info(formatError(scopes, `Authentication returned errorCode ${msalError.errorCode}`));
+                    break;
+                default:
+                    this.logger.info(formatError(scopes, `Failed to acquire token: ${error.message}`));
+                    break;
+            }
+        }
+        if (error.name === "ClientConfigurationError" ||
+            error.name === "BrowserConfigurationAuthError" ||
+            error.name === "AbortError") {
+            return error;
+        }
+        return new AuthenticationRequiredError({ scopes, getTokenOptions, message: error.message });
+    }
+}
+// transformations.ts
+function publicToMsal(account) {
+    const [environment] = account.authority.match(/([a-z]*\.[a-z]*\.[a-z]*)/) || [];
+    return Object.assign(Object.assign({}, account), { localAccountId: account.homeAccountId, environment });
+}
+function msalToPublic(clientId, account) {
+    const record = {
+        authority: getAuthority(account.tenantId, account.environment),
+        homeAccountId: account.homeAccountId,
+        tenantId: account.tenantId || DefaultTenantId,
+        username: account.username,
+        clientId,
+        version: LatestAuthenticationRecordVersion,
+    };
+    return record;
+}
+/**
+ * Serializes an `AuthenticationRecord` into a string.
+ *
+ * The output of a serialized authentication record will contain the following properties:
+ *
+ * - "authority"
+ * - "homeAccountId"
+ * - "clientId"
+ * - "tenantId"
+ * - "username"
+ * - "version"
+ *
+ * To later convert this string to a serialized `AuthenticationRecord`, please use the exported function `deserializeAuthenticationRecord()`.
+ */
+function serializeAuthenticationRecord(record) {
+    return JSON.stringify(record);
+}
+/**
+ * Deserializes a previously serialized authentication record from a string into an object.
+ *
+ * The input string must contain the following properties:
+ *
+ * - "authority"
+ * - "homeAccountId"
+ * - "clientId"
+ * - "tenantId"
+ * - "username"
+ * - "version"
+ *
+ * If the version we receive is unsupported, an error will be thrown.
+ *
+ * At the moment, the only available version is: "1.0", which is always set when the authentication record is serialized.
+ *
+ * @param serializedRecord - Authentication record previously serialized into string.
+ * @returns AuthenticationRecord.
+ */
+function deserializeAuthenticationRecord(serializedRecord) {
+    const parsed = JSON.parse(serializedRecord);
+    if (parsed.version && parsed.version !== LatestAuthenticationRecordVersion) {
+        throw Error("Unsupported AuthenticationRecord version");
+    }
+    return parsed;
+}
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+function getIdentityTokenEndpointSuffix(tenantId) {
+    if (tenantId === "adfs") {
+        return "oauth2/token";
+    }
+    else {
+        return "oauth2/v2.0/token";
+    }
+}
+
+// Copyright (c) Microsoft Corporation.
+/**
+ * Creates a span using the global tracer.
+ * @internal
+ */
+const tracingClient = coreTracing.createTracingClient({
+    namespace: "Microsoft.AAD",
+    packageName: "@azure/identity",
+    packageVersion: SDK_VERSION,
+});
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+const DefaultScopeSuffix = "/.default";
+const imdsHost = "http://169.254.169.254";
+const imdsEndpointPath = "/metadata/identity/oauth2/token";
+const imdsApiVersion = "2018-02-01";
+const azureArcAPIVersion = "2019-11-01";
+const azureFabricVersion = "2019-07-01-preview";
+
+// Copyright (c) Microsoft Corporation.
+/**
+ * Most MSIs send requests to the IMDS endpoint, or a similar endpoint.
+ * These are GET requests that require sending a `resource` parameter on the query.
+ * This resource can be derived from the scopes received through the getToken call, as long as only one scope is received.
+ * Multiple scopes assume that the resulting token will have access to multiple resources, which won't be the case.
+ *
+ * For that reason, when we encounter multiple scopes, we return undefined.
+ * It's up to the individual MSI implementations to throw the errors (which helps us provide less generic errors).
+ */
+function mapScopesToResource(scopes) {
+    let scope = "";
+    if (Array.isArray(scopes)) {
+        if (scopes.length !== 1) {
+            return;
+        }
+        scope = scopes[0];
+    }
+    else if (typeof scopes === "string") {
+        scope = scopes;
+    }
+    if (!scope.endsWith(DefaultScopeSuffix)) {
+        return scope;
+    }
+    return scope.substr(0, scope.lastIndexOf(DefaultScopeSuffix));
+}
+/**
+ * Given a token response, return the expiration timestamp as the number of milliseconds from the Unix epoch.
+ * @param body - A parsed response body from the authentication endpoint.
+ */
+function parseExpiresOn(body) {
+    if (typeof body.expires_on === "number") {
+        return body.expires_on * 1000;
+    }
+    if (typeof body.expires_on === "string") {
+        const asNumber = +body.expires_on;
+        if (!isNaN(asNumber)) {
+            return asNumber * 1000;
+        }
+        const asDate = Date.parse(body.expires_on);
+        if (!isNaN(asDate)) {
+            return asDate;
+        }
+    }
+    if (typeof body.expires_in === "number") {
+        return Date.now() + body.expires_in * 1000;
+    }
+    throw new Error(`Failed to parse token expiration from body. expires_in="${body.expires_in}", expires_on="${body.expires_on}"`);
+}
+
+// Copyright (c) Microsoft Corporation.
+const noCorrelationId = "noCorrelationId";
+/**
+ * @internal
+ */
+function getIdentityClientAuthorityHost(options) {
+    // The authorityHost can come from options or from the AZURE_AUTHORITY_HOST environment variable.
+    let authorityHost = options === null || options === void 0 ? void 0 : options.authorityHost;
+    // The AZURE_AUTHORITY_HOST environment variable can only be provided in Node.js.
+    if (coreUtil.isNode) {
+        authorityHost = authorityHost !== null && authorityHost !== void 0 ? authorityHost : process.env.AZURE_AUTHORITY_HOST;
+    }
+    // If the authorityHost is not provided, we use the default one from the public cloud: https://login.microsoftonline.com
+    return authorityHost !== null && authorityHost !== void 0 ? authorityHost : DefaultAuthorityHost;
+}
+/**
+ * The network module used by the Identity credentials.
+ *
+ * It allows for credentials to abort any pending request independently of the MSAL flow,
+ * by calling to the `abortRequests()` method.
+ *
+ */
+class IdentityClient extends coreClient.ServiceClient {
+    constructor(options) {
+        var _a, _b;
+        const packageDetails = `azsdk-js-identity/${SDK_VERSION}`;
+        const userAgentPrefix = ((_a = options === null || options === void 0 ? void 0 : options.userAgentOptions) === null || _a === void 0 ? void 0 : _a.userAgentPrefix)
+            ? `${options.userAgentOptions.userAgentPrefix} ${packageDetails}`
+            : `${packageDetails}`;
+        const baseUri = getIdentityClientAuthorityHost(options);
+        if (!baseUri.startsWith("https:")) {
+            throw new Error("The authorityHost address must use the 'https' protocol.");
+        }
+        super(Object.assign(Object.assign({ requestContentType: "application/json; charset=utf-8", retryOptions: {
+                maxRetries: 3,
+            } }, options), { userAgentOptions: {
+                userAgentPrefix,
+            }, baseUri }));
+        this.authorityHost = baseUri;
+        this.abortControllers = new Map();
+        this.allowLoggingAccountIdentifiers = (_b = options === null || options === void 0 ? void 0 : options.loggingOptions) === null || _b === void 0 ? void 0 : _b.allowLoggingAccountIdentifiers;
+    }
+    async sendTokenRequest(request) {
+        logger$l.info(`IdentityClient: sending token request to [${request.url}]`);
+        const response = await this.sendRequest(request);
+        if (response.bodyAsText && (response.status === 200 || response.status === 201)) {
+            const parsedBody = JSON.parse(response.bodyAsText);
+            if (!parsedBody.access_token) {
+                return null;
+            }
             this.logIdentifiers(response);
             const token = {
                 accessToken: {
                     token: parsedBody.access_token,
-                    expiresOnTimestamp: expiresOnParser(parsedBody),
+                    expiresOnTimestamp: parseExpiresOn(parsedBody),
                 },
                 refreshToken: parsedBody.refresh_token,
             };
@@ -387,7 +660,7 @@ class IdentityClient extends coreClient.ServiceClient {
             throw error;
         }
     }
-    async refreshAccessToken(tenantId, clientId, scopes, refreshToken, clientSecret, expiresOnParser, options = {}) {
+    async refreshAccessToken(tenantId, clientId, scopes, refreshToken, clientSecret, options = {}) {
         if (refreshToken === undefined) {
             return null;
         }
@@ -416,7 +689,7 @@ class IdentityClient extends coreClient.ServiceClient {
                     }),
                     tracingOptions: updatedOptions.tracingOptions,
                 });
-                const response = await this.sendTokenRequest(request, expiresOnParser);
+                const response = await this.sendTokenRequest(request);
                 logger$l.info(`IdentityClient: refreshed token for client ID: ${clientId}`);
                 return response;
             }
@@ -541,271 +814,7 @@ class IdentityClient extends coreClient.ServiceClient {
 }
 
 // Copyright (c) Microsoft Corporation.
-function checkTenantId(logger, tenantId) {
-    if (!tenantId.match(/^[0-9a-zA-Z-.:/]+$/)) {
-        const error = new Error("Invalid tenant id provided. You can locate your tenant id by following the instructions listed here: https://docs.microsoft.com/partner-center/find-ids-and-domain-names.");
-        logger.info(formatError("", error));
-        throw error;
-    }
-}
-
-// Copyright (c) Microsoft Corporation.
-function resolveTenantId(logger, tenantId, clientId) {
-    if (tenantId) {
-        checkTenantId(logger, tenantId);
-        return tenantId;
-    }
-    if (!clientId) {
-        clientId = DeveloperSignOnClientId;
-    }
-    if (clientId !== DeveloperSignOnClientId) {
-        return "common";
-    }
-    return "organizations";
-}
-
-// Copyright (c) Microsoft Corporation.
-/**
- * Latest AuthenticationRecord version
- * @internal
- */
-const LatestAuthenticationRecordVersion = "1.0";
-/**
- * Ensures the validity of the MSAL token
- * @internal
- */
-function ensureValidMsalToken(scopes, logger, msalToken, getTokenOptions) {
-    const error = (message) => {
-        logger.getToken.info(message);
-        return new AuthenticationRequiredError({
-            scopes: Array.isArray(scopes) ? scopes : [scopes],
-            getTokenOptions,
-            message,
-        });
-    };
-    if (!msalToken) {
-        throw error("No response");
-    }
-    if (!msalToken.expiresOn) {
-        throw error(`Response had no "expiresOn" property.`);
-    }
-    if (!msalToken.accessToken) {
-        throw error(`Response had no "accessToken" property.`);
-    }
-}
-/**
- * Generates a valid authority by combining a host with a tenantId.
- * @internal
- */
-function getAuthority(tenantId, host) {
-    if (!host) {
-        host = DefaultAuthorityHost;
-    }
-    if (new RegExp(`${tenantId}/?$`).test(host)) {
-        return host;
-    }
-    if (host.endsWith("/")) {
-        return host + tenantId;
-    }
-    else {
-        return `${host}/${tenantId}`;
-    }
-}
-/**
- * Generates the known authorities.
- * If the Tenant Id is `adfs`, the authority can't be validated since the format won't match the expected one.
- * For that reason, we have to force MSAL to disable validating the authority
- * by sending it within the known authorities in the MSAL configuration.
- * @internal
- */
-function getKnownAuthorities(tenantId, authorityHost) {
-    if (tenantId === "adfs" && authorityHost) {
-        return [authorityHost];
-    }
-    return [];
-}
-/**
- * Generates a logger that can be passed to the MSAL clients.
- * @param logger - The logger of the credential.
- * @internal
- */
-const defaultLoggerCallback = (logger, platform = coreUtil.isNode ? "Node" : "Browser") => (level, message, containsPii) => {
-    if (containsPii) {
-        return;
-    }
-    switch (level) {
-        case msalCommon__namespace.LogLevel.Error:
-            logger.info(`MSAL ${platform} V2 error: ${message}`);
-            return;
-        case msalCommon__namespace.LogLevel.Info:
-            logger.info(`MSAL ${platform} V2 info message: ${message}`);
-            return;
-        case msalCommon__namespace.LogLevel.Verbose:
-            logger.info(`MSAL ${platform} V2 verbose message: ${message}`);
-            return;
-        case msalCommon__namespace.LogLevel.Warning:
-            logger.info(`MSAL ${platform} V2 warning: ${message}`);
-            return;
-    }
-};
-/**
- * The common utility functions for the MSAL clients.
- * Defined as a class so that the classes extending this one can have access to its methods and protected properties.
- *
- * It keeps track of a logger and an in-memory copy of the AuthenticationRecord.
- *
- * @internal
- */
-class MsalBaseUtilities {
-    constructor(options) {
-        this.logger = options.logger;
-        this.account = options.authenticationRecord;
-    }
-    /**
-     * Generates a UUID
-     */
-    generateUuid() {
-        return uuid.v4();
-    }
-    /**
-     * Handles the MSAL authentication result.
-     * If the result has an account, we update the local account reference.
-     * If the token received is invalid, an error will be thrown depending on what's missing.
-     */
-    handleResult(scopes, clientId, result, getTokenOptions) {
-        if (result === null || result === void 0 ? void 0 : result.account) {
-            this.account = msalToPublic(clientId, result.account);
-        }
-        ensureValidMsalToken(scopes, this.logger, result, getTokenOptions);
-        this.logger.getToken.info(formatSuccess(scopes));
-        return {
-            token: result.accessToken,
-            expiresOnTimestamp: result.expiresOn.getTime(),
-        };
-    }
-    /**
-     * Handles MSAL errors.
-     */
-    handleError(scopes, error, getTokenOptions) {
-        if (error.name === "AuthError" ||
-            error.name === "ClientAuthError" ||
-            error.name === "BrowserAuthError") {
-            const msalError = error;
-            switch (msalError.errorCode) {
-                case "endpoints_resolution_error":
-                    this.logger.info(formatError(scopes, error.message));
-                    return new CredentialUnavailableError(error.message);
-                case "device_code_polling_cancelled":
-                    return new abortController.AbortError("The authentication has been aborted by the caller.");
-                case "consent_required":
-                case "interaction_required":
-                case "login_required":
-                    this.logger.info(formatError(scopes, `Authentication returned errorCode ${msalError.errorCode}`));
-                    break;
-                default:
-                    this.logger.info(formatError(scopes, `Failed to acquire token: ${error.message}`));
-                    break;
-            }
-        }
-        if (error.name === "ClientConfigurationError" ||
-            error.name === "BrowserConfigurationAuthError" ||
-            error.name === "AbortError") {
-            return error;
-        }
-        return new AuthenticationRequiredError({ scopes, getTokenOptions, message: error.message });
-    }
-}
-// transformations.ts
-function publicToMsal(account) {
-    const [environment] = account.authority.match(/([a-z]*\.[a-z]*\.[a-z]*)/) || [];
-    return Object.assign(Object.assign({}, account), { localAccountId: account.homeAccountId, environment });
-}
-function msalToPublic(clientId, account) {
-    const record = {
-        authority: getAuthority(account.tenantId, account.environment),
-        homeAccountId: account.homeAccountId,
-        tenantId: account.tenantId || DefaultTenantId,
-        username: account.username,
-        clientId,
-        version: LatestAuthenticationRecordVersion,
-    };
-    return record;
-}
-/**
- * Serializes an `AuthenticationRecord` into a string.
- *
- * The output of a serialized authentication record will contain the following properties:
- *
- * - "authority"
- * - "homeAccountId"
- * - "clientId"
- * - "tenantId"
- * - "username"
- * - "version"
- *
- * To later convert this string to a serialized `AuthenticationRecord`, please use the exported function `deserializeAuthenticationRecord()`.
- */
-function serializeAuthenticationRecord(record) {
-    return JSON.stringify(record);
-}
-/**
- * Deserializes a previously serialized authentication record from a string into an object.
- *
- * The input string must contain the following properties:
- *
- * - "authority"
- * - "homeAccountId"
- * - "clientId"
- * - "tenantId"
- * - "username"
- * - "version"
- *
- * If the version we receive is unsupported, an error will be thrown.
- *
- * At the moment, the only available version is: "1.0", which is always set when the authentication record is serialized.
- *
- * @param serializedRecord - Authentication record previously serialized into string.
- * @returns AuthenticationRecord.
- */
-function deserializeAuthenticationRecord(serializedRecord) {
-    const parsed = JSON.parse(serializedRecord);
-    if (parsed.version && parsed.version !== LatestAuthenticationRecordVersion) {
-        throw Error("Unsupported AuthenticationRecord version");
-    }
-    return parsed;
-}
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-/**
- * @internal
- */
-const multiTenantDisabledErrorMessage = "A getToken request was attempted with a tenant different than the tenant configured at the initialization of the credential, but multi-tenant authentication has been disabled by the environment variable AZURE_IDENTITY_DISABLE_MULTITENANTAUTH.";
-/**
- * @internal
- */
-const multiTenantADFSErrorMessage = "A new tenant Id can't be assigned through the GetTokenOptions when a credential has been originally configured to use the tenant `adfs`.";
-/**
- * Of getToken contains a tenantId, this functions allows picking this tenantId as the appropriate for authentication,
- * unless multitenant authentication has been disabled through the AZURE_IDENTITY_DISABLE_MULTITENANTAUTH (on Node.js),
- * or unless the original tenant Id is `adfs`.
- * @internal
- */
-function processMultiTenantRequest(tenantId, getTokenOptions) {
-    if (!(getTokenOptions === null || getTokenOptions === void 0 ? void 0 : getTokenOptions.tenantId)) {
-        return tenantId;
-    }
-    if (process.env.AZURE_IDENTITY_DISABLE_MULTITENANTAUTH) {
-        throw new Error(multiTenantDisabledErrorMessage);
-    }
-    if (tenantId === "adfs") {
-        throw new Error(multiTenantADFSErrorMessage);
-    }
-    return getTokenOptions === null || getTokenOptions === void 0 ? void 0 : getTokenOptions.tenantId;
-}
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
+// Licensed under the MIT license.
 /**
  * Helps specify a regional authority, or "AutoDiscoverRegion" to auto-detect the region.
  */
@@ -920,21 +929,93 @@ var RegionalAuthority;
 })(RegionalAuthority || (RegionalAuthority = {}));
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+function createConfigurationErrorMessage(tenantId) {
+    return `The current credential is not configured to acquire tokens for tenant ${tenantId}. To enable acquiring tokens for this tenant add it to the AdditionallyAllowedTenants on the credential options, or add "*" to AdditionallyAllowedTenants to allow acquiring tokens for any tenant.`;
+}
 /**
- * The current persistence provider, undefined by default.
+ * Of getToken contains a tenantId, this functions allows picking this tenantId as the appropriate for authentication,
+ * unless multitenant authentication has been disabled through the AZURE_IDENTITY_DISABLE_MULTITENANTAUTH (on Node.js),
+ * or unless the original tenant Id is `adfs`.
  * @internal
  */
-let persistenceProvider = undefined;
+function processMultiTenantRequest(tenantId, getTokenOptions, additionallyAllowedTenantIds = []) {
+    var _a;
+    let resolvedTenantId;
+    if (process.env.AZURE_IDENTITY_DISABLE_MULTITENANTAUTH) {
+        resolvedTenantId = tenantId;
+    }
+    else if (tenantId === "adfs") {
+        resolvedTenantId = tenantId;
+    }
+    else {
+        resolvedTenantId = (_a = getTokenOptions === null || getTokenOptions === void 0 ? void 0 : getTokenOptions.tenantId) !== null && _a !== void 0 ? _a : tenantId;
+    }
+    if (tenantId &&
+        resolvedTenantId !== tenantId &&
+        !additionallyAllowedTenantIds.includes("*") &&
+        !additionallyAllowedTenantIds.some((t) => t.localeCompare(resolvedTenantId) === 0)) {
+        throw new Error(createConfigurationErrorMessage(tenantId));
+    }
+    return resolvedTenantId;
+}
+
+// Copyright (c) Microsoft Corporation.
 /**
- * An object that allows setting the persistence provider.
  * @internal
  */
-const msalNodeFlowCacheControl = {
-    setPersistence(pluginProvider) {
-        persistenceProvider = pluginProvider;
-    },
-};
-/**
+function checkTenantId(logger, tenantId) {
+    if (!tenantId.match(/^[0-9a-zA-Z-.:/]+$/)) {
+        const error = new Error("Invalid tenant id provided. You can locate your tenant id by following the instructions listed here: https://docs.microsoft.com/partner-center/find-ids-and-domain-names.");
+        logger.info(formatError("", error));
+        throw error;
+    }
+}
+/**
+ * @internal
+ */
+function resolveTenantId(logger, tenantId, clientId) {
+    if (tenantId) {
+        checkTenantId(logger, tenantId);
+        return tenantId;
+    }
+    if (!clientId) {
+        clientId = DeveloperSignOnClientId;
+    }
+    if (clientId !== DeveloperSignOnClientId) {
+        return "common";
+    }
+    return "organizations";
+}
+/**
+ * @internal
+ */
+function resolveAddionallyAllowedTenantIds(additionallyAllowedTenants) {
+    if (!additionallyAllowedTenants || additionallyAllowedTenants.length === 0) {
+        return [];
+    }
+    if (additionallyAllowedTenants.includes("*")) {
+        return ALL_TENANTS;
+    }
+    return additionallyAllowedTenants;
+}
+
+// Copyright (c) Microsoft Corporation.
+/**
+ * The current persistence provider, undefined by default.
+ * @internal
+ */
+let persistenceProvider = undefined;
+/**
+ * An object that allows setting the persistence provider.
+ * @internal
+ */
+const msalNodeFlowCacheControl = {
+    setPersistence(pluginProvider) {
+        persistenceProvider = pluginProvider;
+    },
+};
+/**
  * MSAL partial base client for Node.js.
  *
  * It completes the input configuration with some default values.
@@ -1239,6 +1320,7 @@ class VisualStudioCodeCredential {
         else {
             this.tenantId = CommonTenantId;
         }
+        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
         checkUnsupportedTenant(this.tenantId);
     }
     /**
@@ -1272,7 +1354,8 @@ class VisualStudioCodeCredential {
     async getToken(scopes, options) {
         var _a, _b;
         await this.prepareOnce();
-        const tenantId = processMultiTenantRequest(this.tenantId, options) || this.tenantId;
+        const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds) ||
+            this.tenantId;
         if (findCredentials === undefined) {
             throw new CredentialUnavailableError([
                 "No implementation of `VisualStudioCodeCredential` is available.",
@@ -1365,1711 +1448,1655 @@ function useIdentityPlugin(plugin) {
 }
 
 // Copyright (c) Microsoft Corporation.
+const msiName$6 = "ManagedIdentityCredential - AppServiceMSI 2017";
+const logger$j = credentialLogger(msiName$6);
 /**
- * @internal
- */
-const logger$j = credentialLogger("ChainedTokenCredential");
-/**
- * Enables multiple `TokenCredential` implementations to be tried in order
- * until one of the getToken methods returns an access token.
+ * Generates the options used on the request for an access token.
  */
-class ChainedTokenCredential {
-    /**
-     * Creates an instance of ChainedTokenCredential using the given credentials.
-     *
-     * @param sources - `TokenCredential` implementations to be tried in order.
-     *
-     * Example usage:
-     * ```javascript
-     * const firstCredential = new ClientSecretCredential(tenantId, clientId, clientSecret);
-     * const secondCredential = new ClientSecretCredential(tenantId, anotherClientId, anotherSecret);
-     * const credentialChain = new ChainedTokenCredential(firstCredential, secondCredential);
-     * ```
-     */
-    constructor(...sources) {
-        /**
-         * The message to use when the chained token fails to get a token
-         */
-        this.UnavailableMessage = "ChainedTokenCredential => failed to retrieve a token from the included credentials";
-        this._sources = [];
-        this._sources = sources;
+function prepareRequestOptions$6(scopes, clientId) {
+    const resource = mapScopesToResource(scopes);
+    if (!resource) {
+        throw new Error(`${msiName$6}: Multiple scopes are not supported.`);
     }
-    /**
-     * Returns the first access token returned by one of the chained
-     * `TokenCredential` implementations.  Throws an {@link AggregateAuthenticationError}
-     * when one or more credentials throws an {@link AuthenticationError} and
-     * no credentials have returned an access token.
-     *
-     * This method is called automatically by Azure SDK client libraries. You may call this method
-     * directly, but you must also handle token caching and token refreshing.
-     *
-     * @param scopes - The list of scopes for which the token will have access.
-     * @param options - The options used to configure any requests this
-     *                `TokenCredential` implementation might make.
-     */
-    async getToken(scopes, options = {}) {
-        let token = null;
-        let successfulCredentialName = "";
-        const errors = [];
-        return tracingClient.withSpan("ChainedTokenCredential.getToken", options, async (updatedOptions) => {
-            for (let i = 0; i < this._sources.length && token === null; i++) {
-                try {
-                    token = await this._sources[i].getToken(scopes, updatedOptions);
-                    successfulCredentialName = this._sources[i].constructor.name;
-                }
-                catch (err) {
-                    if (err.name === "CredentialUnavailableError" ||
-                        err.name === "AuthenticationRequiredError") {
-                        errors.push(err);
-                    }
-                    else {
-                        logger$j.getToken.info(formatError(scopes, err));
-                        throw err;
-                    }
-                }
-            }
-            if (!token && errors.length > 0) {
-                const err = new AggregateAuthenticationError(errors, "ChainedTokenCredential authentication failed.");
-                logger$j.getToken.info(formatError(scopes, err));
-                throw err;
-            }
-            logger$j.getToken.info(`Result for ${successfulCredentialName}: ${formatSuccess(scopes)}`);
-            if (token === null) {
-                throw new CredentialUnavailableError("Failed to retrieve a valid token");
-            }
-            return token;
-        });
+    const queryParameters = {
+        resource,
+        "api-version": "2017-09-01",
+    };
+    if (clientId) {
+        queryParameters.clientid = clientId;
     }
-}
-
-// Copyright (c) Microsoft Corporation.
-/**
- * Throws if the received scope is not valid.
- * @internal
- */
-function ensureValidScope(scope, logger) {
-    if (!scope.match(/^[0-9a-zA-Z-.:/]+$/)) {
-        const error = new Error("Invalid scope was specified by the user or calling client");
-        logger.getToken.info(formatError(scope, error));
-        throw error;
+    const query = new URLSearchParams(queryParameters);
+    // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
+    if (!process.env.MSI_ENDPOINT) {
+        throw new Error(`${msiName$6}: Missing environment variable: MSI_ENDPOINT`);
     }
+    if (!process.env.MSI_SECRET) {
+        throw new Error(`${msiName$6}: Missing environment variable: MSI_SECRET`);
+    }
+    return {
+        url: `${process.env.MSI_ENDPOINT}?${query.toString()}`,
+        method: "GET",
+        headers: coreRestPipeline.createHttpHeaders({
+            Accept: "application/json",
+            secret: process.env.MSI_SECRET,
+        }),
+    };
 }
 /**
- * Returns the resource out of a scope.
- * @internal
- */
-function getScopeResource(scope) {
-    return scope.replace(/\/.default$/, "");
-}
-
-// Copyright (c) Microsoft Corporation.
-/**
- * Mockable reference to the CLI credential cliCredentialFunctions
- * @internal
+ * Defines how to determine whether the Azure App Service MSI is available, and also how to retrieve a token from the Azure App Service MSI.
  */
-const cliCredentialInternals = {
-    /**
-     * @internal
-     */
-    getSafeWorkingDir() {
-        if (process.platform === "win32") {
-            if (!process.env.SystemRoot) {
-                throw new Error("Azure CLI credential expects a 'SystemRoot' environment variable");
-            }
-            return process.env.SystemRoot;
+const appServiceMsi2017 = {
+    async isAvailable({ scopes }) {
+        const resource = mapScopesToResource(scopes);
+        if (!resource) {
+            logger$j.info(`${msiName$6}: Unavailable. Multiple scopes are not supported.`);
+            return false;
         }
-        else {
-            return "/bin";
+        const env = process.env;
+        const result = Boolean(env.MSI_ENDPOINT && env.MSI_SECRET);
+        if (!result) {
+            logger$j.info(`${msiName$6}: Unavailable. The environment variables needed are: MSI_ENDPOINT and MSI_SECRET.`);
         }
+        return result;
     },
-    /**
-     * Gets the access token from Azure CLI
-     * @param resource - The resource to use when getting the token
-     * @internal
-     */
-    async getAzureCliAccessToken(resource, tenantId) {
-        let tenantSection = [];
-        if (tenantId) {
-            tenantSection = ["--tenant", tenantId];
+    async getToken(configuration, getTokenOptions = {}) {
+        const { identityClient, scopes, clientId, resourceId } = configuration;
+        if (resourceId) {
+            logger$j.warning(`${msiName$6}: managed Identity by resource Id is not supported. Argument resourceId might be ignored by the service.`);
         }
-        return new Promise((resolve, reject) => {
-            try {
-                child_process__default["default"].execFile("az", [
-                    "account",
-                    "get-access-token",
-                    "--output",
-                    "json",
-                    "--resource",
-                    resource,
-                    ...tenantSection,
-                ], { cwd: cliCredentialInternals.getSafeWorkingDir(), shell: true }, (error, stdout, stderr) => {
-                    resolve({ stdout: stdout, stderr: stderr, error });
-                });
-            }
-            catch (err) {
-                reject(err);
-            }
-        });
+        logger$j.info(`${msiName$6}: Using the endpoint and the secret coming form the environment variables: MSI_ENDPOINT=${process.env.MSI_ENDPOINT} and MSI_SECRET=[REDACTED].`);
+        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$6(scopes, clientId)), { 
+            // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
+            allowInsecureConnection: true }));
+        const tokenResponse = await identityClient.sendTokenRequest(request);
+        return (tokenResponse && tokenResponse.accessToken) || null;
     },
 };
-const logger$i = credentialLogger("AzureCliCredential");
+
+// Copyright (c) Microsoft Corporation.
+const msiName$5 = "ManagedIdentityCredential - CloudShellMSI";
+const logger$i = credentialLogger(msiName$5);
 /**
- * This credential will use the currently logged-in user login information
- * via the Azure CLI ('az') commandline tool.
- * To do so, it will read the user access token and expire time
- * with Azure CLI command "az account get-access-token".
+ * Generates the options used on the request for an access token.
  */
-class AzureCliCredential {
-    /**
-     * Creates an instance of the {@link AzureCliCredential}.
-     *
-     * To use this credential, ensure that you have already logged
-     * in via the 'az' tool using the command "az login" from the commandline.
-     *
-     * @param options - Options, to optionally allow multi-tenant requests.
-     */
-    constructor(options) {
-        this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
+function prepareRequestOptions$5(scopes, clientId, resourceId) {
+    const resource = mapScopesToResource(scopes);
+    if (!resource) {
+        throw new Error(`${msiName$5}: Multiple scopes are not supported.`);
     }
-    /**
-     * Authenticates with Azure Active Directory and returns an access token if successful.
-     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
-     *
-     * @param scopes - The list of scopes for which the token will have access.
-     * @param options - The options used to configure any requests this
-     *                TokenCredential implementation might make.
-     */
-    async getToken(scopes, options = {}) {
-        const tenantId = processMultiTenantRequest(this.tenantId, options);
-        if (tenantId) {
-            checkTenantId(logger$i, tenantId);
-        }
-        const scope = typeof scopes === "string" ? scopes : scopes[0];
-        logger$i.getToken.info(`Using the scope ${scope}`);
-        ensureValidScope(scope, logger$i);
-        const resource = getScopeResource(scope);
-        return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {
-            var _a, _b, _c, _d;
-            try {
-                const obj = await cliCredentialInternals.getAzureCliAccessToken(resource, tenantId);
-                const specificScope = (_a = obj.stderr) === null || _a === void 0 ? void 0 : _a.match("(.*)az login --scope(.*)");
-                const isLoginError = ((_b = obj.stderr) === null || _b === void 0 ? void 0 : _b.match("(.*)az login(.*)")) && !specificScope;
-                const isNotInstallError = ((_c = obj.stderr) === null || _c === void 0 ? void 0 : _c.match("az:(.*)not found")) || ((_d = obj.stderr) === null || _d === void 0 ? void 0 : _d.startsWith("'az' is not recognized"));
-                if (isNotInstallError) {
-                    const error = new CredentialUnavailableError("Azure CLI could not be found. Please visit https://aka.ms/azure-cli for installation instructions and then, once installed, authenticate to your Azure account using 'az login'.");
-                    logger$i.getToken.info(formatError(scopes, error));
-                    throw error;
-                }
-                if (isLoginError) {
-                    const error = new CredentialUnavailableError("Please run 'az login' from a command prompt to authenticate before using this credential.");
-                    logger$i.getToken.info(formatError(scopes, error));
-                    throw error;
-                }
-                try {
-                    const responseData = obj.stdout;
-                    const response = JSON.parse(responseData);
-                    logger$i.getToken.info(formatSuccess(scopes));
-                    const returnValue = {
-                        token: response.accessToken,
-                        expiresOnTimestamp: new Date(response.expiresOn).getTime(),
-                    };
-                    return returnValue;
-                }
-                catch (e) {
-                    if (obj.stderr) {
-                        throw new CredentialUnavailableError(obj.stderr);
-                    }
-                    throw e;
-                }
-            }
-            catch (err) {
-                const error = err.name === "CredentialUnavailableError"
-                    ? err
-                    : new CredentialUnavailableError(err.message || "Unknown error while trying to retrieve the access token");
-                logger$i.getToken.info(formatError(scopes, error));
-                throw error;
-            }
-        });
+    const body = {
+        resource,
+    };
+    if (clientId) {
+        body.client_id = clientId;
+    }
+    if (resourceId) {
+        body.msi_res_id = resourceId;
+    }
+    // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
+    if (!process.env.MSI_ENDPOINT) {
+        throw new Error(`${msiName$5}: Missing environment variable: MSI_ENDPOINT`);
     }
+    const params = new URLSearchParams(body);
+    return {
+        url: process.env.MSI_ENDPOINT,
+        method: "POST",
+        body: params.toString(),
+        headers: coreRestPipeline.createHttpHeaders({
+            Accept: "application/json",
+            Metadata: "true",
+            "Content-Type": "application/x-www-form-urlencoded",
+        }),
+    };
 }
-
-// Copyright (c) Microsoft Corporation.
 /**
- * Easy to mock childProcess utils.
- * @internal
+ * Defines how to determine whether the Azure Cloud Shell MSI is available, and also how to retrieve a token from the Azure Cloud Shell MSI.
+ * Since Azure Managed Identities aren't available in the Azure Cloud Shell, we log a warning for users that try to access cloud shell using user assigned identity.
  */
-const processUtils = {
-    /**
-     * Promisifying childProcess.execFile
-     * @internal
-     */
-    execFile(file, params, options) {
-        return new Promise((resolve, reject) => {
-            child_process__namespace.execFile(file, params, options, (error, stdout, stderr) => {
-                if (Buffer.isBuffer(stdout)) {
-                    stdout = stdout.toString("utf8");
-                }
-                if (Buffer.isBuffer(stderr)) {
-                    stderr = stderr.toString("utf8");
-                }
-                if (stderr || error) {
-                    reject(stderr ? new Error(stderr) : error);
-                }
-                else {
-                    resolve(stdout);
-                }
-            });
-        });
+const cloudShellMsi = {
+    async isAvailable({ scopes }) {
+        const resource = mapScopesToResource(scopes);
+        if (!resource) {
+            logger$i.info(`${msiName$5}: Unavailable. Multiple scopes are not supported.`);
+            return false;
+        }
+        const result = Boolean(process.env.MSI_ENDPOINT);
+        if (!result) {
+            logger$i.info(`${msiName$5}: Unavailable. The environment variable MSI_ENDPOINT is needed.`);
+        }
+        return result;
+    },
+    async getToken(configuration, getTokenOptions = {}) {
+        const { identityClient, scopes, clientId, resourceId } = configuration;
+        if (clientId) {
+            logger$i.warning(`${msiName$5}: user-assigned identities not supported. The argument clientId might be ignored by the service.`);
+        }
+        if (resourceId) {
+            logger$i.warning(`${msiName$5}: user defined managed Identity by resource Id not supported. The argument resourceId might be ignored by the service.`);
+        }
+        logger$i.info(`${msiName$5}: Using the endpoint coming form the environment variable MSI_ENDPOINT = ${process.env.MSI_ENDPOINT}.`);
+        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$5(scopes, clientId, resourceId)), { 
+            // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
+            allowInsecureConnection: true }));
+        const tokenResponse = await identityClient.sendTokenRequest(request);
+        return (tokenResponse && tokenResponse.accessToken) || null;
     },
 };
 
 // Copyright (c) Microsoft Corporation.
-const logger$h = credentialLogger("AzurePowerShellCredential");
-const isWindows = process.platform === "win32";
+const msiName$4 = "ManagedIdentityCredential - IMDS";
+const logger$h = credentialLogger(msiName$4);
 /**
- * Returns a platform-appropriate command name by appending ".exe" on Windows.
- *
- * @internal
+ * Generates the options used on the request for an access token.
  */
-function formatCommand(commandName) {
-    if (isWindows) {
-        return `${commandName}.exe`;
+function prepareRequestOptions$4(scopes, clientId, resourceId, options) {
+    var _a;
+    const resource = mapScopesToResource(scopes);
+    if (!resource) {
+        throw new Error(`${msiName$4}: Multiple scopes are not supported.`);
     }
-    else {
-        return commandName;
+    const { skipQuery, skipMetadataHeader } = options || {};
+    let query = "";
+    // Pod Identity will try to process this request even if the Metadata header is missing.
+    // We can exclude the request query to ensure no IMDS endpoint tries to process the ping request.
+    if (!skipQuery) {
+        const queryParameters = {
+            resource,
+            "api-version": imdsApiVersion,
+        };
+        if (clientId) {
+            queryParameters.client_id = clientId;
+        }
+        if (resourceId) {
+            queryParameters.msi_res_id = resourceId;
+        }
+        const params = new URLSearchParams(queryParameters);
+        query = `?${params.toString()}`;
     }
-}
-/**
- * Receives a list of commands to run, executes them, then returns the outputs.
- * If anything fails, an error is thrown.
- * @internal
- */
-async function runCommands(commands) {
-    const results = [];
-    for (const command of commands) {
-        const [file, ...parameters] = command;
-        const result = (await processUtils.execFile(file, parameters, { encoding: "utf8" }));
-        results.push(result);
+    const url = new URL(imdsEndpointPath, (_a = process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) !== null && _a !== void 0 ? _a : imdsHost);
+    const rawHeaders = {
+        Accept: "application/json",
+        Metadata: "true",
+    };
+    // Remove the Metadata header to invoke a request error from some IMDS endpoints.
+    if (skipMetadataHeader) {
+        delete rawHeaders.Metadata;
     }
-    return results;
+    return {
+        // In this case, the `?` should be added in the "query" variable `skipQuery` is not set.
+        url: `${url}${query}`,
+        method: "GET",
+        headers: coreRestPipeline.createHttpHeaders(rawHeaders),
+    };
 }
-/**
- * Known PowerShell errors
- * @internal
- */
-const powerShellErrors = {
-    login: "Run Connect-AzAccount to login",
-    installed: "The specified module 'Az.Accounts' with version '2.2.0' was not loaded because no valid module file was found in any module directory",
+// 800ms -> 1600ms -> 3200ms
+const imdsMsiRetryConfig = {
+    maxRetries: 3,
+    startDelayInMs: 800,
+    intervalIncrement: 2,
 };
 /**
- * Messages to use when throwing in this credential.
- * @internal
+ * Defines how to determine whether the Azure IMDS MSI is available, and also how to retrieve a token from the Azure IMDS MSI.
  */
-const powerShellPublicErrorMessages = {
-    login: "Please run 'Connect-AzAccount' from PowerShell to authenticate before using this credential.",
-    installed: `The 'Az.Account' module >= 2.2.0 is not installed. Install the Azure Az PowerShell module with: "Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force".`,
-    troubleshoot: `To troubleshoot, visit https://aka.ms/azsdk/js/identity/powershellcredential/troubleshoot.`,
+const imdsMsi = {
+    async isAvailable({ scopes, identityClient, clientId, resourceId, getTokenOptions = {}, }) {
+        const resource = mapScopesToResource(scopes);
+        if (!resource) {
+            logger$h.info(`${msiName$4}: Unavailable. Multiple scopes are not supported.`);
+            return false;
+        }
+        // if the PodIdentityEndpoint environment variable was set no need to probe the endpoint, it can be assumed to exist
+        if (process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) {
+            return true;
+        }
+        if (!identityClient) {
+            throw new Error("Missing IdentityClient");
+        }
+        const requestOptions = prepareRequestOptions$4(resource, clientId, resourceId, {
+            skipMetadataHeader: true,
+            skipQuery: true,
+        });
+        return tracingClient.withSpan("ManagedIdentityCredential-pingImdsEndpoint", getTokenOptions, async (options) => {
+            var _a;
+            requestOptions.tracingOptions = options.tracingOptions;
+            // Create a request with a timeout since we expect that
+            // not having a "Metadata" header should cause an error to be
+            // returned quickly from the endpoint, proving its availability.
+            const request = coreRestPipeline.createPipelineRequest(requestOptions);
+            // Default to 300 if the default of 0 is used.
+            // Negative values can still be used to disable the timeout.
+            request.timeout = ((_a = options.requestOptions) === null || _a === void 0 ? void 0 : _a.timeout) || 300;
+            // This MSI uses the imdsEndpoint to get the token, which only uses http://
+            request.allowInsecureConnection = true;
+            try {
+                logger$h.info(`${msiName$4}: Pinging the Azure IMDS endpoint`);
+                await identityClient.sendRequest(request);
+            }
+            catch (err) {
+                // If the request failed, or Node.js was unable to establish a connection,
+                // or the host was down, we'll assume the IMDS endpoint isn't available.
+                if (coreUtil.isError(err)) {
+                    logger$h.verbose(`${msiName$4}: Caught error ${err.name}: ${err.message}`);
+                }
+                logger$h.info(`${msiName$4}: The Azure IMDS endpoint is unavailable`);
+                return false;
+            }
+            // If we received any response, the endpoint is available
+            logger$h.info(`${msiName$4}: The Azure IMDS endpoint is available`);
+            return true;
+        });
+    },
+    async getToken(configuration, getTokenOptions = {}) {
+        const { identityClient, scopes, clientId, resourceId } = configuration;
+        if (process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) {
+            logger$h.info(`${msiName$4}: Using the Azure IMDS endpoint coming from the environment variable AZURE_POD_IDENTITY_AUTHORITY_HOST=${process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST}.`);
+        }
+        else {
+            logger$h.info(`${msiName$4}: Using the default Azure IMDS endpoint ${imdsHost}.`);
+        }
+        let nextDelayInMs = imdsMsiRetryConfig.startDelayInMs;
+        for (let retries = 0; retries < imdsMsiRetryConfig.maxRetries; retries++) {
+            try {
+                const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$4(scopes, clientId, resourceId)), { allowInsecureConnection: true }));
+                const tokenResponse = await identityClient.sendTokenRequest(request);
+                return (tokenResponse && tokenResponse.accessToken) || null;
+            }
+            catch (error) {
+                if (error.statusCode === 404) {
+                    await coreUtil.delay(nextDelayInMs);
+                    nextDelayInMs *= imdsMsiRetryConfig.intervalIncrement;
+                    continue;
+                }
+                throw error;
+            }
+        }
+        throw new AuthenticationError(404, `${msiName$4}: Failed to retrieve IMDS token after ${imdsMsiRetryConfig.maxRetries} retries.`);
+    },
 };
-// PowerShell Azure User not logged in error check.
-const isLoginError = (err) => err.message.match(`(.*)${powerShellErrors.login}(.*)`);
-// Az Module not Installed in Azure PowerShell check.
-const isNotInstalledError = (err) => err.message.match(powerShellErrors.installed);
+
+// Copyright (c) Microsoft Corporation.
+const msiName$3 = "ManagedIdentityCredential - Azure Arc MSI";
+const logger$g = credentialLogger(msiName$3);
 /**
- * The PowerShell commands to be tried, in order.
- *
- * @internal
+ * Generates the options used on the request for an access token.
  */
-const commandStack = [formatCommand("pwsh")];
-if (isWindows) {
-    commandStack.push(formatCommand("powershell"));
-}
-/**
- * This credential will use the currently logged-in user information from the
- * Azure PowerShell module. To do so, it will read the user access token and
- * expire time with Azure PowerShell command `Get-AzAccessToken -ResourceUrl {ResourceScope}`
- */
-class AzurePowerShellCredential {
-    /**
-     * Creates an instance of the {@link AzurePowerShellCredential}.
-     *
-     * To use this credential:
-     * - Install the Azure Az PowerShell module with:
-     *   `Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force`.
-     * - You have already logged in to Azure PowerShell using the command
-     * `Connect-AzAccount` from the command line.
-     *
-     * @param options - Options, to optionally allow multi-tenant requests.
-     */
-    constructor(options) {
-        this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
-    }
-    /**
-     * Gets the access token from Azure PowerShell
-     * @param resource - The resource to use when getting the token
-     */
-    async getAzurePowerShellAccessToken(resource, tenantId) {
-        // Clone the stack to avoid mutating it while iterating
-        for (const powerShellCommand of [...commandStack]) {
-            try {
-                await runCommands([[powerShellCommand, "/?"]]);
-            }
-            catch (e) {
-                // Remove this credential from the original stack so that we don't try it again.
-                commandStack.shift();
-                continue;
-            }
-            let tenantSection = "";
-            if (tenantId) {
-                tenantSection = `-TenantId "${tenantId}"`;
-            }
-            const results = await runCommands([
-                [
-                    powerShellCommand,
-                    "-Command",
-                    "Import-Module Az.Accounts -MinimumVersion 2.2.0 -PassThru",
-                ],
-                [
-                    powerShellCommand,
-                    "-Command",
-                    `Get-AzAccessToken ${tenantSection} -ResourceUrl "${resource}" | ConvertTo-Json`,
-                ],
-            ]);
-            const result = results[1];
-            try {
-                return JSON.parse(result);
-            }
-            catch (e) {
-                throw new Error(`Unable to parse the output of PowerShell. Received output: ${result}`);
-            }
-        }
-        throw new Error(`Unable to execute PowerShell. Ensure that it is installed in your system`);
-    }
-    /**
-     * Authenticates with Azure Active Directory and returns an access token if successful.
-     * If the authentication cannot be performed through PowerShell, a {@link CredentialUnavailableError} will be thrown.
-     *
-     * @param scopes - The list of scopes for which the token will have access.
-     * @param options - The options used to configure any requests this TokenCredential implementation might make.
-     */
-    async getToken(scopes, options = {}) {
-        return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {
-            const tenantId = processMultiTenantRequest(this.tenantId, options);
-            if (tenantId) {
-                checkTenantId(logger$h, tenantId);
-            }
-            const scope = typeof scopes === "string" ? scopes : scopes[0];
-            ensureValidScope(scope, logger$h);
-            logger$h.getToken.info(`Using the scope ${scope}`);
-            const resource = getScopeResource(scope);
-            try {
-                const response = await this.getAzurePowerShellAccessToken(resource, tenantId);
-                logger$h.getToken.info(formatSuccess(scopes));
-                return {
-                    token: response.Token,
-                    expiresOnTimestamp: new Date(response.ExpiresOn).getTime(),
-                };
-            }
-            catch (err) {
-                if (isNotInstalledError(err)) {
-                    const error = new CredentialUnavailableError(powerShellPublicErrorMessages.installed);
-                    logger$h.getToken.info(formatError(scope, error));
-                    throw error;
-                }
-                else if (isLoginError(err)) {
-                    const error = new CredentialUnavailableError(powerShellPublicErrorMessages.login);
-                    logger$h.getToken.info(formatError(scope, error));
-                    throw error;
-                }
-                const error = new CredentialUnavailableError(`${err}. ${powerShellPublicErrorMessages.troubleshoot}`);
-                logger$h.getToken.info(formatError(scope, error));
-                throw error;
-            }
-        });
-    }
-}
-
-// Copyright (c) Microsoft Corporation.
-/**
- * MSAL client secret client. Calls to MSAL's confidential application's `acquireTokenByClientCredential` during `doGetToken`.
- * @internal
- */
-class MsalClientSecret extends MsalNode {
-    constructor(options) {
-        super(options);
-        this.requiresConfidential = true;
-        this.msalConfig.auth.clientSecret = options.clientSecret;
-    }
-    async doGetToken(scopes, options = {}) {
-        try {
-            const result = await this.confidentialApp.acquireTokenByClientCredential({
-                scopes,
-                correlationId: options.correlationId,
-                azureRegion: this.azureRegion,
-                authority: options.authority,
-                claims: options.claims,
-            });
-            // The Client Credential flow does not return an account,
-            // so each time getToken gets called, we will have to acquire a new token through the service.
-            return this.handleResult(scopes, this.clientId, result || undefined);
-        }
-        catch (err) {
-            throw this.handleError(scopes, err, options);
-        }
-    }
-}
-
-// Copyright (c) Microsoft Corporation.
-const logger$g = credentialLogger("ClientSecretCredential");
-/**
- * Enables authentication to Azure Active Directory using a client secret
- * that was generated for an App Registration. More information on how
- * to configure a client secret can be found here:
- *
- * https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis#add-credentials-to-your-web-application
- *
- */
-class ClientSecretCredential {
-    /**
-     * Creates an instance of the ClientSecretCredential with the details
-     * needed to authenticate against Azure Active Directory with a client
-     * secret.
-     *
-     * @param tenantId - The Azure Active Directory tenant (directory) ID.
-     * @param clientId - The client (application) ID of an App Registration in the tenant.
-     * @param clientSecret - A client secret that was generated for the App Registration.
-     * @param options - Options for configuring the client which makes the authentication request.
-     */
-    constructor(tenantId, clientId, clientSecret, options = {}) {
-        if (!tenantId || !clientId || !clientSecret) {
-            throw new Error("ClientSecretCredential: tenantId, clientId, and clientSecret are required parameters. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.");
-        }
-        this.msalFlow = new MsalClientSecret(Object.assign(Object.assign({}, options), { logger: logger$g,
-            clientId,
-            tenantId,
-            clientSecret, tokenCredentialOptions: options }));
-    }
-    /**
-     * Authenticates with Azure Active Directory and returns an access token if successful.
-     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
-     *
-     * @param scopes - The list of scopes for which the token will have access.
-     * @param options - The options used to configure any requests this
-     *                TokenCredential implementation might make.
-     */
-    async getToken(scopes, options = {}) {
-        return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
-            const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
-            return this.msalFlow.getToken(arrayScopes, newOptions);
-        });
-    }
-}
-
-// Copyright (c) Microsoft Corporation.
-const readFileAsync$2 = util.promisify(fs.readFile);
-/**
- * Tries to asynchronously load a certificate from the given path.
- *
- * @param configuration - Either the PEM value or the path to the certificate.
- * @param sendCertificateChain - Option to include x5c header for SubjectName and Issuer name authorization.
- * @returns - The certificate parts, or `undefined` if the certificate could not be loaded.
- * @internal
- */
-async function parseCertificate(configuration, sendCertificateChain) {
-    const certificateParts = {};
-    const certificate = configuration
-        .certificate;
-    const certificatePath = configuration
-        .certificatePath;
-    certificateParts.certificateContents =
-        certificate || (await readFileAsync$2(certificatePath, "utf8"));
-    if (sendCertificateChain) {
-        certificateParts.x5c = certificateParts.certificateContents;
-    }
-    const certificatePattern = /(-+BEGIN CERTIFICATE-+)(\n\r?|\r\n?)([A-Za-z0-9+/\n\r]+=*)(\n\r?|\r\n?)(-+END CERTIFICATE-+)/g;
-    const publicKeys = [];
-    // Match all possible certificates, in the order they are in the file. These will form the chain that is used for x5c
-    let match;
-    do {
-        match = certificatePattern.exec(certificateParts.certificateContents);
-        if (match) {
-            publicKeys.push(match[3]);
-        }
-    } while (match);
-    if (publicKeys.length === 0) {
-        throw new Error("The file at the specified path does not contain a PEM-encoded certificate.");
-    }
-    certificateParts.thumbprint = crypto.createHash("sha1")
-        .update(Buffer.from(publicKeys[0], "base64"))
-        .digest("hex")
-        .toUpperCase();
-    return certificateParts;
-}
-/**
- * MSAL client certificate client. Calls to MSAL's confidential application's `acquireTokenByClientCredential` during `doGetToken`.
- * @internal
- */
-class MsalClientCertificate extends MsalNode {
-    constructor(options) {
-        super(options);
-        this.requiresConfidential = true;
-        this.configuration = options.configuration;
-        this.sendCertificateChain = options.sendCertificateChain;
-    }
-    // Changing the MSAL configuration asynchronously
-    async init(options) {
-        try {
-            const parts = await parseCertificate(this.configuration, this.sendCertificateChain);
-            let privateKey;
-            if (this.configuration.certificatePassword !== undefined) {
-                const privateKeyObject = crypto.createPrivateKey({
-                    key: parts.certificateContents,
-                    passphrase: this.configuration.certificatePassword,
-                    format: "pem",
-                });
-                privateKey = privateKeyObject
-                    .export({
-                    format: "pem",
-                    type: "pkcs8",
-                })
-                    .toString();
-            }
-            else {
-                privateKey = parts.certificateContents;
-            }
-            this.msalConfig.auth.clientCertificate = {
-                thumbprint: parts.thumbprint,
-                privateKey: privateKey,
-                x5c: parts.x5c,
-            };
-        }
-        catch (error) {
-            this.logger.info(formatError("", error));
-            throw error;
-        }
-        return super.init(options);
+function prepareRequestOptions$3(scopes, clientId, resourceId) {
+    const resource = mapScopesToResource(scopes);
+    if (!resource) {
+        throw new Error(`${msiName$3}: Multiple scopes are not supported.`);
     }
-    async doGetToken(scopes, options = {}) {
-        try {
-            const clientCredReq = {
-                scopes,
-                correlationId: options.correlationId,
-                azureRegion: this.azureRegion,
-                authority: options.authority,
-                claims: options.claims,
-            };
-            const result = await this.confidentialApp.acquireTokenByClientCredential(clientCredReq);
-            // Even though we're providing the same default in memory persistence cache that we use for DeviceCodeCredential,
-            // The Client Credential flow does not return the account information from the authentication service,
-            // so each time getToken gets called, we will have to acquire a new token through the service.
-            return this.handleResult(scopes, this.clientId, result || undefined);
-        }
-        catch (err) {
-            throw this.handleError(scopes, err, options);
-        }
+    const queryParameters = {
+        resource,
+        "api-version": azureArcAPIVersion,
+    };
+    if (clientId) {
+        queryParameters.client_id = clientId;
     }
-}
-
-// Copyright (c) Microsoft Corporation.
-const credentialName$2 = "ClientCertificateCredential";
-const logger$f = credentialLogger(credentialName$2);
-/**
- * Enables authentication to Azure Active Directory using a PEM-encoded
- * certificate that is assigned to an App Registration. More information
- * on how to configure certificate authentication can be found here:
- *
- * https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-certificate-credentials#register-your-certificate-with-azure-ad
- *
- */
-class ClientCertificateCredential {
-    constructor(tenantId, clientId, certificatePathOrConfiguration, options = {}) {
-        if (!tenantId || !clientId) {
-            throw new Error(`${credentialName$2}: tenantId and clientId are required parameters.`);
-        }
-        const configuration = Object.assign({}, (typeof certificatePathOrConfiguration === "string"
-            ? {
-                certificatePath: certificatePathOrConfiguration,
-            }
-            : certificatePathOrConfiguration));
-        const certificate = configuration
-            .certificate;
-        const certificatePath = configuration.certificatePath;
-        if (!configuration || !(certificate || certificatePath)) {
-            throw new Error(`${credentialName$2}: Provide either a PEM certificate in string form, or the path to that certificate in the filesystem. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
-        }
-        if (certificate && certificatePath) {
-            throw new Error(`${credentialName$2}: To avoid unexpected behaviors, providing both the contents of a PEM certificate and the path to a PEM certificate is forbidden. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
-        }
-        this.msalFlow = new MsalClientCertificate(Object.assign(Object.assign({}, options), { configuration,
-            logger: logger$f,
-            clientId,
-            tenantId, sendCertificateChain: options.sendCertificateChain, tokenCredentialOptions: options }));
+    if (resourceId) {
+        queryParameters.msi_res_id = resourceId;
     }
-    /**
-     * Authenticates with Azure Active Directory and returns an access token if successful.
-     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
-     *
-     * @param scopes - The list of scopes for which the token will have access.
-     * @param options - The options used to configure any requests this
-     *                TokenCredential implementation might make.
-     */
-    async getToken(scopes, options = {}) {
-        return tracingClient.withSpan(`${credentialName$2}.getToken`, options, async (newOptions) => {
-            const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
-            return this.msalFlow.getToken(arrayScopes, newOptions);
-        });
+    // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
+    if (!process.env.IDENTITY_ENDPOINT) {
+        throw new Error(`${msiName$3}: Missing environment variable: IDENTITY_ENDPOINT`);
     }
+    const query = new URLSearchParams(queryParameters);
+    return coreRestPipeline.createPipelineRequest({
+        // Should be similar to: http://localhost:40342/metadata/identity/oauth2/token
+        url: `${process.env.IDENTITY_ENDPOINT}?${query.toString()}`,
+        method: "GET",
+        headers: coreRestPipeline.createHttpHeaders({
+            Accept: "application/json",
+            Metadata: "true",
+        }),
+    });
 }
-
-// Copyright (c) Microsoft Corporation.
 /**
- * MSAL username and password client. Calls to the MSAL's public application's `acquireTokenByUsernamePassword` during `doGetToken`.
- * @internal
+ * Retrieves the file contents at the given path using promises.
+ * Useful since `fs`'s readFileSync locks the thread, and to avoid extra dependencies.
  */
-class MsalUsernamePassword extends MsalNode {
-    constructor(options) {
-        super(options);
-        this.username = options.username;
-        this.password = options.password;
-    }
-    async doGetToken(scopes, options) {
-        try {
-            const requestOptions = {
-                scopes,
-                username: this.username,
-                password: this.password,
-                correlationId: options === null || options === void 0 ? void 0 : options.correlationId,
-                authority: options === null || options === void 0 ? void 0 : options.authority,
-                claims: options === null || options === void 0 ? void 0 : options.claims,
-            };
-            const result = await this.publicApp.acquireTokenByUsernamePassword(requestOptions);
-            return this.handleResult(scopes, this.clientId, result || undefined);
-        }
-        catch (error) {
-            throw this.handleError(scopes, error, options);
+function readFileAsync$2(path, options) {
+    return new Promise((resolve, reject) => fs.readFile(path, options, (err, data) => {
+        if (err) {
+            reject(err);
         }
-    }
+        resolve(data);
+    }));
 }
-
-// Copyright (c) Microsoft Corporation.
-const logger$e = credentialLogger("UsernamePasswordCredential");
 /**
- * Enables authentication to Azure Active Directory with a user's
- * username and password. This credential requires a high degree of
- * trust so you should only use it when other, more secure credential
- * types can't be used.
+ * Does a request to the authentication provider that results in a file path.
  */
-class UsernamePasswordCredential {
-    /**
-     * Creates an instance of the UsernamePasswordCredential with the details
-     * needed to authenticate against Azure Active Directory with a username
-     * and password.
-     *
-     * @param tenantId - The Azure Active Directory tenant (directory).
-     * @param clientId - The client (application) ID of an App Registration in the tenant.
-     * @param username - The user account's e-mail address (user name).
-     * @param password - The user account's account password
-     * @param options - Options for configuring the client which makes the authentication request.
-     */
-    constructor(tenantId, clientId, username, password, options = {}) {
-        if (!tenantId || !clientId || !username || !password) {
-            throw new Error("UsernamePasswordCredential: tenantId, clientId, username and password are required parameters. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.");
+async function filePathRequest(identityClient, requestPrepareOptions) {
+    const response = await identityClient.sendRequest(coreRestPipeline.createPipelineRequest(requestPrepareOptions));
+    if (response.status !== 401) {
+        let message = "";
+        if (response.bodyAsText) {
+            message = ` Response: ${response.bodyAsText}`;
         }
-        this.msalFlow = new MsalUsernamePassword(Object.assign(Object.assign({}, options), { logger: logger$e,
-            clientId,
-            tenantId,
-            username,
-            password, tokenCredentialOptions: options || {} }));
+        throw new AuthenticationError(response.status, `${msiName$3}: To authenticate with Azure Arc MSI, status code 401 is expected on the first request. ${message}`);
     }
-    /**
-     * Authenticates with Azure Active Directory and returns an access token if successful.
-     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
-     *
-     * If the user provided the option `disableAutomaticAuthentication`,
-     * once the token can't be retrieved silently,
-     * this method won't attempt to request user interaction to retrieve the token.
-     *
-     * @param scopes - The list of scopes for which the token will have access.
-     * @param options - The options used to configure any requests this
-     *                TokenCredential implementation might make.
-     */
-    async getToken(scopes, options = {}) {
-        return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
-            const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
-            return this.msalFlow.getToken(arrayScopes, newOptions);
-        });
+    const authHeader = response.headers.get("www-authenticate") || "";
+    try {
+        return authHeader.split("=").slice(1)[0];
+    }
+    catch (e) {
+        throw Error(`Invalid www-authenticate header format: ${authHeader}`);
     }
 }
+/**
+ * Defines how to determine whether the Azure Arc MSI is available, and also how to retrieve a token from the Azure Arc MSI.
+ */
+const arcMsi = {
+    async isAvailable({ scopes }) {
+        const resource = mapScopesToResource(scopes);
+        if (!resource) {
+            logger$g.info(`${msiName$3}: Unavailable. Multiple scopes are not supported.`);
+            return false;
+        }
+        const result = Boolean(process.env.IMDS_ENDPOINT && process.env.IDENTITY_ENDPOINT);
+        if (!result) {
+            logger$g.info(`${msiName$3}: The environment variables needed are: IMDS_ENDPOINT and IDENTITY_ENDPOINT`);
+        }
+        return result;
+    },
+    async getToken(configuration, getTokenOptions = {}) {
+        var _a;
+        const { identityClient, scopes, clientId, resourceId } = configuration;
+        if (clientId) {
+            logger$g.warning(`${msiName$3}: user-assigned identities not supported. The argument clientId might be ignored by the service.`);
+        }
+        if (resourceId) {
+            logger$g.warning(`${msiName$3}: user defined managed Identity by resource Id is not supported. Argument resourceId will be ignored.`);
+        }
+        logger$g.info(`${msiName$3}: Authenticating.`);
+        const requestOptions = Object.assign(Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$3(scopes, clientId, resourceId)), { allowInsecureConnection: true });
+        const filePath = await filePathRequest(identityClient, requestOptions);
+        if (!filePath) {
+            throw new Error(`${msiName$3}: Failed to find the token file.`);
+        }
+        const key = await readFileAsync$2(filePath, { encoding: "utf-8" });
+        (_a = requestOptions.headers) === null || _a === void 0 ? void 0 : _a.set("Authorization", `Basic ${key}`);
+        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({}, requestOptions), { 
+            // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
+            allowInsecureConnection: true }));
+        const tokenResponse = await identityClient.sendTokenRequest(request);
+        return (tokenResponse && tokenResponse.accessToken) || null;
+    },
+};
 
 // Copyright (c) Microsoft Corporation.
+const msiName$2 = "ManagedIdentityCredential - Token Exchange";
+const logger$f = credentialLogger(msiName$2);
+const readFileAsync$1 = util.promisify(fs__default["default"].readFile);
 /**
- * Contains the list of all supported environment variable names so that an
- * appropriate error message can be generated when no credentials can be
- * configured.
- *
- * @internal
+ * Generates the options used on the request for an access token.
  */
-const AllSupportedEnvironmentVariables = [
-    "AZURE_TENANT_ID",
-    "AZURE_CLIENT_ID",
-    "AZURE_CLIENT_SECRET",
-    "AZURE_CLIENT_CERTIFICATE_PATH",
-    "AZURE_CLIENT_CERTIFICATE_PASSWORD",
-    "AZURE_USERNAME",
-    "AZURE_PASSWORD",
-];
-const credentialName$1 = "EnvironmentCredential";
-const logger$d = credentialLogger(credentialName$1);
+function prepareRequestOptions$2(scopes, clientAssertion, clientId) {
+    var _a;
+    const bodyParams = {
+        scope: Array.isArray(scopes) ? scopes.join(" ") : scopes,
+        client_assertion: clientAssertion,
+        client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
+        client_id: clientId,
+        grant_type: "client_credentials",
+    };
+    const urlParams = new URLSearchParams(bodyParams);
+    const url = new URL(`${process.env.AZURE_TENANT_ID}/oauth2/v2.0/token`, (_a = process.env.AZURE_AUTHORITY_HOST) !== null && _a !== void 0 ? _a : DefaultAuthorityHost);
+    return {
+        url: url.toString(),
+        method: "POST",
+        body: urlParams.toString(),
+        headers: coreRestPipeline.createHttpHeaders({
+            Accept: "application/json",
+        }),
+    };
+}
 /**
- * Enables authentication to Azure Active Directory using client secret
- * details configured in environment variables
+ * Defines how to determine whether the token exchange MSI is available, and also how to retrieve a token from the token exchange MSI.
  */
-class EnvironmentCredential {
-    /**
-     * Creates an instance of the EnvironmentCredential class and decides what credential to use depending on the available environment variables.
-     *
-     * Required environment variables:
-     * - `AZURE_TENANT_ID`: The Azure Active Directory tenant (directory) ID.
-     * - `AZURE_CLIENT_ID`: The client (application) ID of an App Registration in the tenant.
-     *
-     * Environment variables used for client credential authentication:
-     * - `AZURE_CLIENT_SECRET`: A client secret that was generated for the App Registration.
-     * - `AZURE_CLIENT_CERTIFICATE_PATH`: The path to a PEM certificate to use during the authentication, instead of the client secret.
-     * - `AZURE_CLIENT_CERTIFICATE_PASSWORD`: (optional) password for the certificate file.
-     *
-     * Alternatively, users can provide environment variables for username and password authentication:
-     * - `AZURE_USERNAME`: Username to authenticate with.
-     * - `AZURE_PASSWORD`: Password to authenticate with.
-     *
-     * If the environment variables required to perform the authentication are missing, a {@link CredentialUnavailableError} will be thrown.
-     * If the authentication fails, or if there's an unknown error, an {@link AuthenticationError} will be thrown.
-     *
-     * @param options - Options for configuring the client which makes the authentication request.
-     */
-    constructor(options) {
-        // Keep track of any missing environment variables for error details
-        this._credential = undefined;
-        const assigned = processEnvVars(AllSupportedEnvironmentVariables).assigned.join(", ");
-        logger$d.info(`Found the following environment variables: ${assigned}`);
-        const tenantId = process.env.AZURE_TENANT_ID, clientId = process.env.AZURE_CLIENT_ID, clientSecret = process.env.AZURE_CLIENT_SECRET;
-        if (tenantId) {
-            checkTenantId(logger$d, tenantId);
-        }
-        if (tenantId && clientId && clientSecret) {
-            logger$d.info(`Invoking ClientSecretCredential with tenant ID: ${tenantId}, clientId: ${clientId} and clientSecret: [REDACTED]`);
-            this._credential = new ClientSecretCredential(tenantId, clientId, clientSecret, options);
-            return;
-        }
-        const certificatePath = process.env.AZURE_CLIENT_CERTIFICATE_PATH;
-        const certificatePassword = process.env.AZURE_CLIENT_CERTIFICATE_PASSWORD;
-        if (tenantId && clientId && certificatePath) {
-            logger$d.info(`Invoking ClientCertificateCredential with tenant ID: ${tenantId}, clientId: ${clientId} and certificatePath: ${certificatePath}`);
-            this._credential = new ClientCertificateCredential(tenantId, clientId, { certificatePath, certificatePassword }, options);
-            return;
+function tokenExchangeMsi() {
+    const azureFederatedTokenFilePath = process.env.AZURE_FEDERATED_TOKEN_FILE;
+    let azureFederatedTokenFileContent = undefined;
+    let cacheDate = undefined;
+    // Only reads from the assertion file once every 5 minutes
+    async function readAssertion() {
+        // Cached assertions expire after 5 minutes
+        if (cacheDate !== undefined && Date.now() - cacheDate >= 1000 * 60 * 5) {
+            azureFederatedTokenFileContent = undefined;
         }
-        const username = process.env.AZURE_USERNAME;
-        const password = process.env.AZURE_PASSWORD;
-        if (tenantId && clientId && username && password) {
-            logger$d.info(`Invoking UsernamePasswordCredential with tenant ID: ${tenantId}, clientId: ${clientId} and username: ${username}`);
-            this._credential = new UsernamePasswordCredential(tenantId, clientId, username, password, options);
+        if (!azureFederatedTokenFileContent) {
+            const file = await readFileAsync$1(azureFederatedTokenFilePath, "utf8");
+            const value = file.trim();
+            if (!value) {
+                throw new Error(`No content on the file ${azureFederatedTokenFilePath}, indicated by the environment variable AZURE_FEDERATED_TOKEN_FILE`);
+            }
+            else {
+                azureFederatedTokenFileContent = value;
+                cacheDate = Date.now();
+            }
         }
+        return azureFederatedTokenFileContent;
     }
-    /**
-     * Authenticates with Azure Active Directory and returns an access token if successful.
-     *
-     * @param scopes - The list of scopes for which the token will have access.
-     * @param options - Optional parameters. See {@link GetTokenOptions}.
-     */
-    async getToken(scopes, options = {}) {
-        return tracingClient.withSpan(`${credentialName$1}.getToken`, options, async (newOptions) => {
-            if (this._credential) {
-                try {
-                    const result = await this._credential.getToken(scopes, newOptions);
-                    logger$d.getToken.info(formatSuccess(scopes));
-                    return result;
-                }
-                catch (err) {
-                    const authenticationError = new AuthenticationError(400, {
-                        error: `${credentialName$1} authentication failed. To troubleshoot, visit https://aka.ms/azsdk/js/identity/environmentcredential/troubleshoot.`,
-                        error_description: err.message.toString().split("More details:").join(""),
-                    });
-                    logger$d.getToken.info(formatError(scopes, authenticationError));
-                    throw authenticationError;
-                }
+    return {
+        async isAvailable({ clientId }) {
+            const env = process.env;
+            const result = Boolean((clientId || env.AZURE_CLIENT_ID) && env.AZURE_TENANT_ID && azureFederatedTokenFilePath);
+            if (!result) {
+                logger$f.info(`${msiName$2}: Unavailable. The environment variables needed are: AZURE_CLIENT_ID (or the client ID sent through the parameters), AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE`);
             }
-            throw new CredentialUnavailableError(`${credentialName$1} is unavailable. No underlying credential could be used. To troubleshoot, visit https://aka.ms/azsdk/js/identity/environmentcredential/troubleshoot.`);
-        });
-    }
+            return result;
+        },
+        async getToken(configuration, getTokenOptions = {}) {
+            const { identityClient, scopes, clientId } = configuration;
+            logger$f.info(`${msiName$2}: Using the client assertion coming from environment variables.`);
+            let assertion;
+            try {
+                assertion = await readAssertion();
+            }
+            catch (err) {
+                throw new Error(`${msiName$2}: Failed to read ${azureFederatedTokenFilePath}, indicated by the environment variable AZURE_FEDERATED_TOKEN_FILE`);
+            }
+            const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$2(scopes, assertion, clientId || process.env.AZURE_CLIENT_ID)), { 
+                // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
+                allowInsecureConnection: true }));
+            const tokenResponse = await identityClient.sendTokenRequest(request);
+            return (tokenResponse && tokenResponse.accessToken) || null;
+        },
+    };
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-const DefaultScopeSuffix = "/.default";
-const imdsHost = "http://169.254.169.254";
-const imdsEndpointPath = "/metadata/identity/oauth2/token";
-const imdsApiVersion = "2018-02-01";
-const azureArcAPIVersion = "2019-11-01";
-const azureFabricVersion = "2019-07-01-preview";
-
-// Copyright (c) Microsoft Corporation.
+// This MSI can be easily tested by deploying a container to Azure Service Fabric with the Dockerfile:
+//
+//   FROM node:12
+//   RUN wget https://host.any/path/bash.sh
+//   CMD ["bash", "bash.sh"]
+//
+// Where the bash script contains:
+//
+//   curl --insecure $IDENTITY_ENDPOINT'?api-version=2019-07-01-preview&resource=https://vault.azure.net/' -H "Secret: $IDENTITY_HEADER"
+//
+const msiName$1 = "ManagedIdentityCredential - Fabric MSI";
+const logger$e = credentialLogger(msiName$1);
 /**
- * Most MSIs send requests to the IMDS endpoint, or a similar endpoint.
- * These are GET requests that require sending a `resource` parameter on the query.
- * This resource can be derived from the scopes received through the getToken call, as long as only one scope is received.
- * Multiple scopes assume that the resulting token will have access to multiple resources, which won't be the case.
- *
- * For that reason, when we encounter multiple scopes, we return undefined.
- * It's up to the individual MSI implementations to throw the errors (which helps us provide less generic errors).
+ * Generates the options used on the request for an access token.
  */
-function mapScopesToResource(scopes) {
-    let scope = "";
-    if (Array.isArray(scopes)) {
-        if (scopes.length !== 1) {
-            return;
-        }
-        scope = scopes[0];
+function prepareRequestOptions$1(scopes, clientId, resourceId) {
+    const resource = mapScopesToResource(scopes);
+    if (!resource) {
+        throw new Error(`${msiName$1}: Multiple scopes are not supported.`);
     }
-    else if (typeof scopes === "string") {
-        scope = scopes;
+    const queryParameters = {
+        resource,
+        "api-version": azureFabricVersion,
+    };
+    if (clientId) {
+        queryParameters.client_id = clientId;
+    }
+    if (resourceId) {
+        queryParameters.msi_res_id = resourceId;
+    }
+    const query = new URLSearchParams(queryParameters);
+    // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
+    if (!process.env.IDENTITY_ENDPOINT) {
+        throw new Error("Missing environment variable: IDENTITY_ENDPOINT");
     }
-    if (!scope.endsWith(DefaultScopeSuffix)) {
-        return scope;
+    if (!process.env.IDENTITY_HEADER) {
+        throw new Error("Missing environment variable: IDENTITY_HEADER");
     }
-    return scope.substr(0, scope.lastIndexOf(DefaultScopeSuffix));
+    return {
+        url: `${process.env.IDENTITY_ENDPOINT}?${query.toString()}`,
+        method: "GET",
+        headers: coreRestPipeline.createHttpHeaders({
+            Accept: "application/json",
+            secret: process.env.IDENTITY_HEADER,
+        }),
+    };
 }
-
-// Copyright (c) Microsoft Corporation.
-const msiName$6 = "ManagedIdentityCredential - AppServiceMSI 2017";
-const logger$c = credentialLogger(msiName$6);
 /**
- * Formats the expiration date of the received token into the number of milliseconds between that date and midnight, January 1, 1970.
+ * Defines how to determine whether the Azure Service Fabric MSI is available, and also how to retrieve a token from the Azure Service Fabric MSI.
  */
-function expiresOnParser$3(requestBody) {
-    // App Service always returns string expires_on values.
-    return Date.parse(requestBody.expires_on);
-}
+const fabricMsi = {
+    async isAvailable({ scopes }) {
+        const resource = mapScopesToResource(scopes);
+        if (!resource) {
+            logger$e.info(`${msiName$1}: Unavailable. Multiple scopes are not supported.`);
+            return false;
+        }
+        const env = process.env;
+        const result = Boolean(env.IDENTITY_ENDPOINT && env.IDENTITY_HEADER && env.IDENTITY_SERVER_THUMBPRINT);
+        if (!result) {
+            logger$e.info(`${msiName$1}: Unavailable. The environment variables needed are: IDENTITY_ENDPOINT, IDENTITY_HEADER and IDENTITY_SERVER_THUMBPRINT`);
+        }
+        return result;
+    },
+    async getToken(configuration, getTokenOptions = {}) {
+        const { scopes, identityClient, clientId, resourceId } = configuration;
+        if (resourceId) {
+            logger$e.warning(`${msiName$1}: user defined managed Identity by resource Id is not supported. Argument resourceId might be ignored by the service.`);
+        }
+        logger$e.info([
+            `${msiName$1}:`,
+            "Using the endpoint and the secret coming from the environment variables:",
+            `IDENTITY_ENDPOINT=${process.env.IDENTITY_ENDPOINT},`,
+            "IDENTITY_HEADER=[REDACTED] and",
+            "IDENTITY_SERVER_THUMBPRINT=[REDACTED].",
+        ].join(" "));
+        const request = coreRestPipeline.createPipelineRequest(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$1(scopes, clientId, resourceId)));
+        request.agent = new https__default["default"].Agent({
+            // This is necessary because Service Fabric provides a self-signed certificate.
+            // The alternative path is to verify the certificate using the IDENTITY_SERVER_THUMBPRINT env variable.
+            rejectUnauthorized: false,
+        });
+        const tokenResponse = await identityClient.sendTokenRequest(request);
+        return (tokenResponse && tokenResponse.accessToken) || null;
+    },
+};
+
+// Copyright (c) Microsoft Corporation.
+const msiName = "ManagedIdentityCredential - AppServiceMSI 2019";
+const logger$d = credentialLogger(msiName);
 /**
  * Generates the options used on the request for an access token.
  */
-function prepareRequestOptions$6(scopes, clientId) {
+function prepareRequestOptions(scopes, clientId, resourceId) {
     const resource = mapScopesToResource(scopes);
     if (!resource) {
-        throw new Error(`${msiName$6}: Multiple scopes are not supported.`);
+        throw new Error(`${msiName}: Multiple scopes are not supported.`);
     }
     const queryParameters = {
         resource,
-        "api-version": "2017-09-01",
+        "api-version": "2019-08-01",
     };
     if (clientId) {
-        queryParameters.clientid = clientId;
+        queryParameters.client_id = clientId;
+    }
+    if (resourceId) {
+        queryParameters.mi_res_id = resourceId;
     }
     const query = new URLSearchParams(queryParameters);
     // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
-    if (!process.env.MSI_ENDPOINT) {
-        throw new Error(`${msiName$6}: Missing environment variable: MSI_ENDPOINT`);
+    if (!process.env.IDENTITY_ENDPOINT) {
+        throw new Error(`${msiName}: Missing environment variable: IDENTITY_ENDPOINT`);
     }
-    if (!process.env.MSI_SECRET) {
-        throw new Error(`${msiName$6}: Missing environment variable: MSI_SECRET`);
+    if (!process.env.IDENTITY_HEADER) {
+        throw new Error(`${msiName}: Missing environment variable: IDENTITY_HEADER`);
     }
     return {
-        url: `${process.env.MSI_ENDPOINT}?${query.toString()}`,
+        url: `${process.env.IDENTITY_ENDPOINT}?${query.toString()}`,
         method: "GET",
         headers: coreRestPipeline.createHttpHeaders({
             Accept: "application/json",
-            secret: process.env.MSI_SECRET,
+            "X-IDENTITY-HEADER": process.env.IDENTITY_HEADER,
         }),
     };
 }
 /**
  * Defines how to determine whether the Azure App Service MSI is available, and also how to retrieve a token from the Azure App Service MSI.
  */
-const appServiceMsi2017 = {
+const appServiceMsi2019 = {
     async isAvailable({ scopes }) {
         const resource = mapScopesToResource(scopes);
         if (!resource) {
-            logger$c.info(`${msiName$6}: Unavailable. Multiple scopes are not supported.`);
+            logger$d.info(`${msiName}: Unavailable. Multiple scopes are not supported.`);
             return false;
         }
         const env = process.env;
-        const result = Boolean(env.MSI_ENDPOINT && env.MSI_SECRET);
+        const result = Boolean(env.IDENTITY_ENDPOINT && env.IDENTITY_HEADER);
         if (!result) {
-            logger$c.info(`${msiName$6}: Unavailable. The environment variables needed are: MSI_ENDPOINT and MSI_SECRET.`);
+            logger$d.info(`${msiName}: Unavailable. The environment variables needed are: IDENTITY_ENDPOINT and IDENTITY_HEADER.`);
+        }
+        return result;
+    },
+    async getToken(configuration, getTokenOptions = {}) {
+        const { identityClient, scopes, clientId, resourceId } = configuration;
+        logger$d.info(`${msiName}: Using the endpoint and the secret coming form the environment variables: IDENTITY_ENDPOINT=${process.env.IDENTITY_ENDPOINT} and IDENTITY_HEADER=[REDACTED].`);
+        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions(scopes, clientId, resourceId)), { 
+            // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
+            allowInsecureConnection: true }));
+        const tokenResponse = await identityClient.sendTokenRequest(request);
+        return (tokenResponse && tokenResponse.accessToken) || null;
+    },
+};
+
+// Copyright (c) Microsoft Corporation.
+const logger$c = credentialLogger("ManagedIdentityCredential");
+/**
+ * Attempts authentication using a managed identity available at the deployment environment.
+ * This authentication type works in Azure VMs, App Service instances, Azure Functions applications,
+ * Azure Kubernetes Services, Azure Service Fabric instances and inside of the Azure Cloud Shell.
+ *
+ * More information about configuring managed identities can be found here:
+ * https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
+ */
+class ManagedIdentityCredential {
+    /**
+     * @internal
+     * @hidden
+     */
+    constructor(clientIdOrOptions, options) {
+        this.isEndpointUnavailable = null;
+        let _options;
+        if (typeof clientIdOrOptions === "string") {
+            this.clientId = clientIdOrOptions;
+            _options = options;
+        }
+        else {
+            this.clientId = clientIdOrOptions === null || clientIdOrOptions === void 0 ? void 0 : clientIdOrOptions.clientId;
+            _options = clientIdOrOptions;
+        }
+        this.resourceId = _options === null || _options === void 0 ? void 0 : _options.resourceId;
+        // For JavaScript users.
+        if (this.clientId && this.resourceId) {
+            throw new Error(`${ManagedIdentityCredential.name} - Client Id and Resource Id can't be provided at the same time.`);
+        }
+        this.identityClient = new IdentityClient(_options);
+        this.isAvailableIdentityClient = new IdentityClient(Object.assign(Object.assign({}, _options), { retryOptions: {
+                maxRetries: 0,
+            } }));
+    }
+    async cachedAvailableMSI(scopes, getTokenOptions) {
+        if (this.cachedMSI) {
+            return this.cachedMSI;
+        }
+        const MSIs = [
+            arcMsi,
+            fabricMsi,
+            appServiceMsi2019,
+            appServiceMsi2017,
+            cloudShellMsi,
+            tokenExchangeMsi(),
+            imdsMsi,
+        ];
+        for (const msi of MSIs) {
+            if (await msi.isAvailable({
+                scopes,
+                identityClient: this.isAvailableIdentityClient,
+                clientId: this.clientId,
+                resourceId: this.resourceId,
+                getTokenOptions,
+            })) {
+                this.cachedMSI = msi;
+                return msi;
+            }
+        }
+        throw new CredentialUnavailableError(`${ManagedIdentityCredential.name} - No MSI credential available`);
+    }
+    async authenticateManagedIdentity(scopes, getTokenOptions) {
+        const { span, updatedOptions } = tracingClient.startSpan(`${ManagedIdentityCredential.name}.authenticateManagedIdentity`, getTokenOptions);
+        try {
+            // Determining the available MSI, and avoiding checking for other MSIs while the program is running.
+            const availableMSI = await this.cachedAvailableMSI(scopes, updatedOptions);
+            return availableMSI.getToken({
+                identityClient: this.identityClient,
+                scopes,
+                clientId: this.clientId,
+                resourceId: this.resourceId,
+            }, updatedOptions);
+        }
+        catch (err) {
+            span.setStatus({
+                status: "error",
+                error: err,
+            });
+            throw err;
+        }
+        finally {
+            span.end();
+        }
+    }
+    /**
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+     * If an unexpected error occurs, an {@link AuthenticationError} will be thrown with the details of the failure.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this
+     *                TokenCredential implementation might make.
+     */
+    async getToken(scopes, options) {
+        let result = null;
+        const { span, updatedOptions } = tracingClient.startSpan(`${ManagedIdentityCredential.name}.getToken`, options);
+        try {
+            // isEndpointAvailable can be true, false, or null,
+            // If it's null, it means we don't yet know whether
+            // the endpoint is available and need to check for it.
+            if (this.isEndpointUnavailable !== true) {
+                result = await this.authenticateManagedIdentity(scopes, updatedOptions);
+                if (result === null) {
+                    // If authenticateManagedIdentity returns null,
+                    // it means no MSI endpoints are available.
+                    // If so, we avoid trying to reach to them in future requests.
+                    this.isEndpointUnavailable = true;
+                    // It also means that the endpoint answered with either 200 or 201 (see the sendTokenRequest method),
+                    // yet we had no access token. For this reason, we'll throw once with a specific message:
+                    const error = new CredentialUnavailableError("The managed identity endpoint was reached, yet no tokens were received.");
+                    logger$c.getToken.info(formatError(scopes, error));
+                    throw error;
+                }
+                // Since `authenticateManagedIdentity` didn't throw, and the result was not null,
+                // We will assume that this endpoint is reachable from this point forward,
+                // and avoid pinging again to it.
+                this.isEndpointUnavailable = false;
+            }
+            else {
+                // We've previously determined that the endpoint was unavailable,
+                // either because it was unreachable or permanently unable to authenticate.
+                const error = new CredentialUnavailableError("The managed identity endpoint is not currently available");
+                logger$c.getToken.info(formatError(scopes, error));
+                throw error;
+            }
+            logger$c.getToken.info(formatSuccess(scopes));
+            return result;
+        }
+        catch (err) {
+            // CredentialUnavailable errors are expected to reach here.
+            // We intend them to bubble up, so that DefaultAzureCredential can catch them.
+            if (err.name === "AuthenticationRequiredError") {
+                throw err;
+            }
+            // Expected errors to reach this point:
+            // - Errors coming from a method unexpectedly breaking.
+            // - When identityClient.sendTokenRequest throws, in which case
+            //   if the status code was 400, it means that the endpoint is working,
+            //   but no identity is available.
+            span.setStatus({
+                status: "error",
+                error: err,
+            });
+            // If either the network is unreachable,
+            // we can safely assume the credential is unavailable.
+            if (err.code === "ENETUNREACH") {
+                const error = new CredentialUnavailableError(`${ManagedIdentityCredential.name}: Unavailable. Network unreachable. Message: ${err.message}`);
+                logger$c.getToken.info(formatError(scopes, error));
+                throw error;
+            }
+            // If either the host was unreachable,
+            // we can safely assume the credential is unavailable.
+            if (err.code === "EHOSTUNREACH") {
+                const error = new CredentialUnavailableError(`${ManagedIdentityCredential.name}: Unavailable. No managed identity endpoint found. Message: ${err.message}`);
+                logger$c.getToken.info(formatError(scopes, error));
+                throw error;
+            }
+            // If err.statusCode has a value of 400, it comes from sendTokenRequest,
+            // and it means that the endpoint is working, but that no identity is available.
+            if (err.statusCode === 400) {
+                throw new CredentialUnavailableError(`${ManagedIdentityCredential.name}: The managed identity endpoint is indicating there's no available identity. Message: ${err.message}`);
+            }
+            // If the error has no status code, we can assume there was no available identity.
+            // This will throw silently during any ChainedTokenCredential.
+            if (err.statusCode === undefined) {
+                throw new CredentialUnavailableError(`${ManagedIdentityCredential.name}: Authentication failed. Message ${err.message}`);
+            }
+            // Any other error should break the chain.
+            throw new AuthenticationError(err.statusCode, {
+                error: `${ManagedIdentityCredential.name} authentication failed.`,
+                error_description: err.message,
+            });
         }
-        return result;
-    },
-    async getToken(configuration, getTokenOptions = {}) {
-        const { identityClient, scopes, clientId, resourceId } = configuration;
-        if (resourceId) {
-            logger$c.warning(`${msiName$6}: managed Identity by resource Id is not supported. Argument resourceId might be ignored by the service.`);
+        finally {
+            // Finally is always called, both if we return and if we throw in the above try/catch.
+            span.end();
         }
-        logger$c.info(`${msiName$6}: Using the endpoint and the secret coming form the environment variables: MSI_ENDPOINT=${process.env.MSI_ENDPOINT} and MSI_SECRET=[REDACTED].`);
-        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$6(scopes, clientId)), { 
-            // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
-            allowInsecureConnection: true }));
-        const tokenResponse = await identityClient.sendTokenRequest(request, expiresOnParser$3);
-        return (tokenResponse && tokenResponse.accessToken) || null;
-    },
-};
+    }
+}
 
 // Copyright (c) Microsoft Corporation.
-const msiName$5 = "ManagedIdentityCredential - CloudShellMSI";
-const logger$b = credentialLogger(msiName$5);
 /**
- * Generates the options used on the request for an access token.
+ * Ensures the scopes value is an array.
+ * @internal
  */
-function prepareRequestOptions$5(scopes, clientId, resourceId) {
-    const resource = mapScopesToResource(scopes);
-    if (!resource) {
-        throw new Error(`${msiName$5}: Multiple scopes are not supported.`);
-    }
-    const body = {
-        resource,
-    };
-    if (clientId) {
-        body.client_id = clientId;
-    }
-    if (resourceId) {
-        body.msi_res_id = resourceId;
-    }
-    // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
-    if (!process.env.MSI_ENDPOINT) {
-        throw new Error(`${msiName$5}: Missing environment variable: MSI_ENDPOINT`);
-    }
-    const params = new URLSearchParams(body);
-    return {
-        url: process.env.MSI_ENDPOINT,
-        method: "POST",
-        body: params.toString(),
-        headers: coreRestPipeline.createHttpHeaders({
-            Accept: "application/json",
-            Metadata: "true",
-            "Content-Type": "application/x-www-form-urlencoded",
-        }),
-    };
+function ensureScopes(scopes) {
+    return Array.isArray(scopes) ? scopes : [scopes];
 }
 /**
- * Defines how to determine whether the Azure Cloud Shell MSI is available, and also how to retrieve a token from the Azure Cloud Shell MSI.
- * Since Azure Managed Identities aren't available in the Azure Cloud Shell, we log a warning for users that try to access cloud shell using user assigned identity.
- */
-const cloudShellMsi = {
-    async isAvailable({ scopes }) {
-        const resource = mapScopesToResource(scopes);
-        if (!resource) {
-            logger$b.info(`${msiName$5}: Unavailable. Multiple scopes are not supported.`);
-            return false;
-        }
-        const result = Boolean(process.env.MSI_ENDPOINT);
-        if (!result) {
-            logger$b.info(`${msiName$5}: Unavailable. The environment variable MSI_ENDPOINT is needed.`);
-        }
-        return result;
-    },
-    async getToken(configuration, getTokenOptions = {}) {
-        const { identityClient, scopes, clientId, resourceId } = configuration;
-        if (clientId) {
-            logger$b.warning(`${msiName$5}: user-assigned identities not supported. The argument clientId might be ignored by the service.`);
-        }
-        if (resourceId) {
-            logger$b.warning(`${msiName$5}: user defined managed Identity by resource Id not supported. The argument resourceId might be ignored by the service.`);
-        }
-        logger$b.info(`${msiName$5}: Using the endpoint coming form the environment variable MSI_ENDPOINT = ${process.env.MSI_ENDPOINT}.`);
-        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$5(scopes, clientId, resourceId)), { 
-            // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
-            allowInsecureConnection: true }));
-        const tokenResponse = await identityClient.sendTokenRequest(request);
-        return (tokenResponse && tokenResponse.accessToken) || null;
-    },
-};
-
-// Copyright (c) Microsoft Corporation.
-const msiName$4 = "ManagedIdentityCredential - IMDS";
-const logger$a = credentialLogger(msiName$4);
-/**
- * Formats the expiration date of the received token into the number of milliseconds between that date and midnight, January 1, 1970.
+ * Throws if the received scope is not valid.
+ * @internal
  */
-function expiresOnParser$2(requestBody) {
-    if (requestBody.expires_on) {
-        // Use the expires_on timestamp if it's available
-        const expires = +requestBody.expires_on * 1000;
-        logger$a.info(`${msiName$4}: Using expires_on: ${expires} (original value: ${requestBody.expires_on})`);
-        return expires;
-    }
-    else {
-        // If these aren't possible, use expires_in and calculate a timestamp
-        const expires = Date.now() + requestBody.expires_in * 1000;
-        logger$a.info(`${msiName$4}: IMDS using expires_in: ${expires} (original value: ${requestBody.expires_in})`);
-        return expires;
+function ensureValidScope(scope, logger) {
+    if (!scope.match(/^[0-9a-zA-Z-.:/]+$/)) {
+        const error = new Error("Invalid scope was specified by the user or calling client");
+        logger.getToken.info(formatError(scope, error));
+        throw error;
     }
 }
 /**
- * Generates the options used on the request for an access token.
+ * Returns the resource out of a scope.
+ * @internal
  */
-function prepareRequestOptions$4(scopes, clientId, resourceId, options) {
-    var _a;
-    const resource = mapScopesToResource(scopes);
-    if (!resource) {
-        throw new Error(`${msiName$4}: Multiple scopes are not supported.`);
-    }
-    const { skipQuery, skipMetadataHeader } = options || {};
-    let query = "";
-    // Pod Identity will try to process this request even if the Metadata header is missing.
-    // We can exclude the request query to ensure no IMDS endpoint tries to process the ping request.
-    if (!skipQuery) {
-        const queryParameters = {
-            resource,
-            "api-version": imdsApiVersion,
-        };
-        if (clientId) {
-            queryParameters.client_id = clientId;
-        }
-        if (resourceId) {
-            queryParameters.msi_res_id = resourceId;
-        }
-        const params = new URLSearchParams(queryParameters);
-        query = `?${params.toString()}`;
-    }
-    const url = new URL(imdsEndpointPath, (_a = process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) !== null && _a !== void 0 ? _a : imdsHost);
-    const rawHeaders = {
-        Accept: "application/json",
-        Metadata: "true",
-    };
-    // Remove the Metadata header to invoke a request error from some IMDS endpoints.
-    if (skipMetadataHeader) {
-        delete rawHeaders.Metadata;
-    }
-    return {
-        // In this case, the `?` should be added in the "query" variable `skipQuery` is not set.
-        url: `${url}${query}`,
-        method: "GET",
-        headers: coreRestPipeline.createHttpHeaders(rawHeaders),
-    };
+function getScopeResource(scope) {
+    return scope.replace(/\/.default$/, "");
 }
-// 800ms -> 1600ms -> 3200ms
-const imdsMsiRetryConfig = {
-    maxRetries: 3,
-    startDelayInMs: 800,
-    intervalIncrement: 2,
-};
+
+// Copyright (c) Microsoft Corporation.
 /**
- * Defines how to determine whether the Azure IMDS MSI is available, and also how to retrieve a token from the Azure IMDS MSI.
+ * Mockable reference to the CLI credential cliCredentialFunctions
+ * @internal
  */
-const imdsMsi = {
-    async isAvailable({ scopes, identityClient, clientId, resourceId, getTokenOptions = {}, }) {
-        const resource = mapScopesToResource(scopes);
-        if (!resource) {
-            logger$a.info(`${msiName$4}: Unavailable. Multiple scopes are not supported.`);
-            return false;
+const cliCredentialInternals = {
+    /**
+     * @internal
+     */
+    getSafeWorkingDir() {
+        if (process.platform === "win32") {
+            if (!process.env.SystemRoot) {
+                throw new Error("Azure CLI credential expects a 'SystemRoot' environment variable");
+            }
+            return process.env.SystemRoot;
         }
-        // if the PodIdentityEndpoint environment variable was set no need to probe the endpoint, it can be assumed to exist
-        if (process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) {
-            return true;
+        else {
+            return "/bin";
         }
-        if (!identityClient) {
-            throw new Error("Missing IdentityClient");
+    },
+    /**
+     * Gets the access token from Azure CLI
+     * @param resource - The resource to use when getting the token
+     * @internal
+     */
+    async getAzureCliAccessToken(resource, tenantId) {
+        let tenantSection = [];
+        if (tenantId) {
+            tenantSection = ["--tenant", tenantId];
         }
-        const requestOptions = prepareRequestOptions$4(resource, clientId, resourceId, {
-            skipMetadataHeader: true,
-            skipQuery: true,
+        return new Promise((resolve, reject) => {
+            try {
+                child_process__default["default"].execFile("az", [
+                    "account",
+                    "get-access-token",
+                    "--output",
+                    "json",
+                    "--resource",
+                    resource,
+                    ...tenantSection,
+                ], { cwd: cliCredentialInternals.getSafeWorkingDir(), shell: true }, (error, stdout, stderr) => {
+                    resolve({ stdout: stdout, stderr: stderr, error });
+                });
+            }
+            catch (err) {
+                reject(err);
+            }
         });
-        return tracingClient.withSpan("ManagedIdentityCredential-pingImdsEndpoint", getTokenOptions, async (options) => {
-            var _a, _b;
-            requestOptions.tracingOptions = options.tracingOptions;
+    },
+};
+const logger$b = credentialLogger("AzureCliCredential");
+/**
+ * This credential will use the currently logged-in user login information
+ * via the Azure CLI ('az') commandline tool.
+ * To do so, it will read the user access token and expire time
+ * with Azure CLI command "az account get-access-token".
+ */
+class AzureCliCredential {
+    /**
+     * Creates an instance of the {@link AzureCliCredential}.
+     *
+     * To use this credential, ensure that you have already logged
+     * in via the 'az' tool using the command "az login" from the commandline.
+     *
+     * @param options - Options, to optionally allow multi-tenant requests.
+     */
+    constructor(options) {
+        this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
+        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+    }
+    /**
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this
+     *                TokenCredential implementation might make.
+     */
+    async getToken(scopes, options = {}) {
+        const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds);
+        const scope = typeof scopes === "string" ? scopes : scopes[0];
+        logger$b.getToken.info(`Using the scope ${scope}`);
+        ensureValidScope(scope, logger$b);
+        const resource = getScopeResource(scope);
+        return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {
+            var _a, _b, _c, _d;
             try {
-                // Create a request with a timeout since we expect that
-                // not having a "Metadata" header should cause an error to be
-                // returned quickly from the endpoint, proving its availability.
-                const request = coreRestPipeline.createPipelineRequest(requestOptions);
-                request.timeout = (_b = (_a = options.requestOptions) === null || _a === void 0 ? void 0 : _a.timeout) !== null && _b !== void 0 ? _b : 300;
-                // This MSI uses the imdsEndpoint to get the token, which only uses http://
-                request.allowInsecureConnection = true;
+                const obj = await cliCredentialInternals.getAzureCliAccessToken(resource, tenantId);
+                const specificScope = (_a = obj.stderr) === null || _a === void 0 ? void 0 : _a.match("(.*)az login --scope(.*)");
+                const isLoginError = ((_b = obj.stderr) === null || _b === void 0 ? void 0 : _b.match("(.*)az login(.*)")) && !specificScope;
+                const isNotInstallError = ((_c = obj.stderr) === null || _c === void 0 ? void 0 : _c.match("az:(.*)not found")) || ((_d = obj.stderr) === null || _d === void 0 ? void 0 : _d.startsWith("'az' is not recognized"));
+                if (isNotInstallError) {
+                    const error = new CredentialUnavailableError("Azure CLI could not be found. Please visit https://aka.ms/azure-cli for installation instructions and then, once installed, authenticate to your Azure account using 'az login'.");
+                    logger$b.getToken.info(formatError(scopes, error));
+                    throw error;
+                }
+                if (isLoginError) {
+                    const error = new CredentialUnavailableError("Please run 'az login' from a command prompt to authenticate before using this credential.");
+                    logger$b.getToken.info(formatError(scopes, error));
+                    throw error;
+                }
                 try {
-                    logger$a.info(`${msiName$4}: Pinging the Azure IMDS endpoint`);
-                    await identityClient.sendRequest(request);
+                    const responseData = obj.stdout;
+                    const response = JSON.parse(responseData);
+                    logger$b.getToken.info(formatSuccess(scopes));
+                    const returnValue = {
+                        token: response.accessToken,
+                        expiresOnTimestamp: new Date(response.expiresOn).getTime(),
+                    };
+                    return returnValue;
                 }
-                catch (err) {
-                    if ((err.name === "RestError" && err.code === coreRestPipeline.RestError.REQUEST_SEND_ERROR) ||
-                        err.name === "AbortError" ||
-                        err.code === "ENETUNREACH" || // Network unreachable
-                        err.code === "ECONNREFUSED" || // connection refused
-                        err.code === "EHOSTDOWN" // host is down
-                    ) {
-                        // If the request failed, or Node.js was unable to establish a connection,
-                        // or the host was down, we'll assume the IMDS endpoint isn't available.
-                        logger$a.info(`${msiName$4}: The Azure IMDS endpoint is unavailable`);
-                        return false;
+                catch (e) {
+                    if (obj.stderr) {
+                        throw new CredentialUnavailableError(obj.stderr);
                     }
+                    throw e;
                 }
-                // If we received any response, the endpoint is available
-                logger$a.info(`${msiName$4}: The Azure IMDS endpoint is available`);
-                return true;
             }
             catch (err) {
-                // createWebResource failed.
-                // This error should bubble up to the user.
-                logger$a.info(`${msiName$4}: Error when creating the WebResource for the Azure IMDS endpoint: ${err.message}`);
-                throw err;
+                const error = err.name === "CredentialUnavailableError"
+                    ? err
+                    : new CredentialUnavailableError(err.message || "Unknown error while trying to retrieve the access token");
+                logger$b.getToken.info(formatError(scopes, error));
+                throw error;
             }
         });
-    },
-    async getToken(configuration, getTokenOptions = {}) {
-        const { identityClient, scopes, clientId, resourceId } = configuration;
-        logger$a.info(`${msiName$4}: Using the Azure IMDS endpoint coming from the environment variable MSI_ENDPOINT=${process.env.MSI_ENDPOINT}, and using the cloud shell to proceed with the authentication.`);
-        let nextDelayInMs = imdsMsiRetryConfig.startDelayInMs;
-        for (let retries = 0; retries < imdsMsiRetryConfig.maxRetries; retries++) {
-            try {
-                const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$4(scopes, clientId, resourceId)), { allowInsecureConnection: true }));
-                const tokenResponse = await identityClient.sendTokenRequest(request, expiresOnParser$2);
-                return (tokenResponse && tokenResponse.accessToken) || null;
-            }
-            catch (error) {
-                if (error.statusCode === 404) {
-                    await coreUtil.delay(nextDelayInMs);
-                    nextDelayInMs *= imdsMsiRetryConfig.intervalIncrement;
-                    continue;
+    }
+}
+
+// Copyright (c) Microsoft Corporation.
+/**
+ * Easy to mock childProcess utils.
+ * @internal
+ */
+const processUtils = {
+    /**
+     * Promisifying childProcess.execFile
+     * @internal
+     */
+    execFile(file, params, options) {
+        return new Promise((resolve, reject) => {
+            child_process__namespace.execFile(file, params, options, (error, stdout, stderr) => {
+                if (Buffer.isBuffer(stdout)) {
+                    stdout = stdout.toString("utf8");
                 }
-                throw error;
-            }
-        }
-        throw new AuthenticationError(404, `${msiName$4}: Failed to retrieve IMDS token after ${imdsMsiRetryConfig.maxRetries} retries.`);
+                if (Buffer.isBuffer(stderr)) {
+                    stderr = stderr.toString("utf8");
+                }
+                if (stderr || error) {
+                    reject(stderr ? new Error(stderr) : error);
+                }
+                else {
+                    resolve(stdout);
+                }
+            });
+        });
     },
 };
 
 // Copyright (c) Microsoft Corporation.
-const msiName$3 = "ManagedIdentityCredential - Azure Arc MSI";
-const logger$9 = credentialLogger(msiName$3);
+const logger$a = credentialLogger("AzurePowerShellCredential");
+const isWindows = process.platform === "win32";
 /**
- * Generates the options used on the request for an access token.
+ * Returns a platform-appropriate command name by appending ".exe" on Windows.
+ *
+ * @internal
  */
-function prepareRequestOptions$3(scopes, clientId, resourceId) {
-    const resource = mapScopesToResource(scopes);
-    if (!resource) {
-        throw new Error(`${msiName$3}: Multiple scopes are not supported.`);
-    }
-    const queryParameters = {
-        resource,
-        "api-version": azureArcAPIVersion,
-    };
-    if (clientId) {
-        queryParameters.client_id = clientId;
-    }
-    if (resourceId) {
-        queryParameters.msi_res_id = resourceId;
+function formatCommand(commandName) {
+    if (isWindows) {
+        return `${commandName}.exe`;
     }
-    // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
-    if (!process.env.IDENTITY_ENDPOINT) {
-        throw new Error(`${msiName$3}: Missing environment variable: IDENTITY_ENDPOINT`);
+    else {
+        return commandName;
     }
-    const query = new URLSearchParams(queryParameters);
-    return coreRestPipeline.createPipelineRequest({
-        // Should be similar to: http://localhost:40342/metadata/identity/oauth2/token
-        url: `${process.env.IDENTITY_ENDPOINT}?${query.toString()}`,
-        method: "GET",
-        headers: coreRestPipeline.createHttpHeaders({
-            Accept: "application/json",
-            Metadata: "true",
-        }),
-    });
 }
 /**
- * Retrieves the file contents at the given path using promises.
- * Useful since `fs`'s readFileSync locks the thread, and to avoid extra dependencies.
+ * Receives a list of commands to run, executes them, then returns the outputs.
+ * If anything fails, an error is thrown.
+ * @internal
  */
-function readFileAsync$1(path, options) {
-    return new Promise((resolve, reject) => fs.readFile(path, options, (err, data) => {
-        if (err) {
-            reject(err);
-        }
-        resolve(data);
-    }));
+async function runCommands(commands) {
+    const results = [];
+    for (const command of commands) {
+        const [file, ...parameters] = command;
+        const result = (await processUtils.execFile(file, parameters, { encoding: "utf8" }));
+        results.push(result);
+    }
+    return results;
 }
 /**
- * Does a request to the authentication provider that results in a file path.
+ * Known PowerShell errors
+ * @internal
  */
-async function filePathRequest(identityClient, requestPrepareOptions) {
-    const response = await identityClient.sendRequest(coreRestPipeline.createPipelineRequest(requestPrepareOptions));
-    if (response.status !== 401) {
-        let message = "";
-        if (response.bodyAsText) {
-            message = ` Response: ${response.bodyAsText}`;
-        }
-        throw new AuthenticationError(response.status, `${msiName$3}: To authenticate with Azure Arc MSI, status code 401 is expected on the first request. ${message}`);
-    }
-    const authHeader = response.headers.get("www-authenticate") || "";
-    try {
-        return authHeader.split("=").slice(1)[0];
-    }
-    catch (e) {
-        throw Error(`Invalid www-authenticate header format: ${authHeader}`);
-    }
-}
+const powerShellErrors = {
+    login: "Run Connect-AzAccount to login",
+    installed: "The specified module 'Az.Accounts' with version '2.2.0' was not loaded because no valid module file was found in any module directory",
+};
 /**
- * Defines how to determine whether the Azure Arc MSI is available, and also how to retrieve a token from the Azure Arc MSI.
+ * Messages to use when throwing in this credential.
+ * @internal
  */
-const arcMsi = {
-    async isAvailable({ scopes }) {
-        const resource = mapScopesToResource(scopes);
-        if (!resource) {
-            logger$9.info(`${msiName$3}: Unavailable. Multiple scopes are not supported.`);
-            return false;
-        }
-        const result = Boolean(process.env.IMDS_ENDPOINT && process.env.IDENTITY_ENDPOINT);
-        if (!result) {
-            logger$9.info(`${msiName$3}: The environment variables needed are: IMDS_ENDPOINT and IDENTITY_ENDPOINT`);
-        }
-        return result;
-    },
-    async getToken(configuration, getTokenOptions = {}) {
-        var _a;
-        const { identityClient, scopes, clientId, resourceId } = configuration;
-        if (clientId) {
-            logger$9.warning(`${msiName$3}: user-assigned identities not supported. The argument clientId might be ignored by the service.`);
-        }
-        if (resourceId) {
-            logger$9.warning(`${msiName$3}: user defined managed Identity by resource Id is not supported. Argument resourceId will be ignored.`);
-        }
-        logger$9.info(`${msiName$3}: Authenticating.`);
-        const requestOptions = Object.assign(Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$3(scopes, clientId, resourceId)), { allowInsecureConnection: true });
-        const filePath = await filePathRequest(identityClient, requestOptions);
-        if (!filePath) {
-            throw new Error(`${msiName$3}: Failed to find the token file.`);
-        }
-        const key = await readFileAsync$1(filePath, { encoding: "utf-8" });
-        (_a = requestOptions.headers) === null || _a === void 0 ? void 0 : _a.set("Authorization", `Basic ${key}`);
-        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({}, requestOptions), { 
-            // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
-            allowInsecureConnection: true }));
-        const tokenResponse = await identityClient.sendTokenRequest(request);
-        return (tokenResponse && tokenResponse.accessToken) || null;
-    },
+const powerShellPublicErrorMessages = {
+    login: "Please run 'Connect-AzAccount' from PowerShell to authenticate before using this credential.",
+    installed: `The 'Az.Account' module >= 2.2.0 is not installed. Install the Azure Az PowerShell module with: "Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force".`,
+    troubleshoot: `To troubleshoot, visit https://aka.ms/azsdk/js/identity/powershellcredential/troubleshoot.`,
 };
-
-// Copyright (c) Microsoft Corporation.
-const msiName$2 = "ManagedIdentityCredential - Token Exchange";
-const logger$8 = credentialLogger(msiName$2);
-const readFileAsync = util.promisify(fs__default["default"].readFile);
+// PowerShell Azure User not logged in error check.
+const isLoginError = (err) => err.message.match(`(.*)${powerShellErrors.login}(.*)`);
+// Az Module not Installed in Azure PowerShell check.
+const isNotInstalledError = (err) => err.message.match(powerShellErrors.installed);
 /**
- * Generates the options used on the request for an access token.
+ * The PowerShell commands to be tried, in order.
+ *
+ * @internal
  */
-function prepareRequestOptions$2(scopes, clientAssertion, clientId) {
-    var _a;
-    const bodyParams = {
-        scope: Array.isArray(scopes) ? scopes.join(" ") : scopes,
-        client_assertion: clientAssertion,
-        client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
-        client_id: clientId,
-        grant_type: "client_credentials",
-    };
-    const urlParams = new URLSearchParams(bodyParams);
-    const url = new URL(`${process.env.AZURE_TENANT_ID}/oauth2/v2.0/token`, (_a = process.env.AZURE_AUTHORITY_HOST) !== null && _a !== void 0 ? _a : DefaultAuthorityHost);
-    return {
-        url: url.toString(),
-        method: "POST",
-        body: urlParams.toString(),
-        headers: coreRestPipeline.createHttpHeaders({
-            Accept: "application/json",
-        }),
-    };
+const commandStack = [formatCommand("pwsh")];
+if (isWindows) {
+    commandStack.push(formatCommand("powershell"));
 }
 /**
- * Defines how to determine whether the token exchange MSI is available, and also how to retrieve a token from the token exchange MSI.
+ * This credential will use the currently logged-in user information from the
+ * Azure PowerShell module. To do so, it will read the user access token and
+ * expire time with Azure PowerShell command `Get-AzAccessToken -ResourceUrl {ResourceScope}`
  */
-function tokenExchangeMsi() {
-    const azureFederatedTokenFilePath = process.env.AZURE_FEDERATED_TOKEN_FILE;
-    let azureFederatedTokenFileContent = undefined;
-    let cacheDate = undefined;
-    // Only reads from the assertion file once every 5 minutes
-    async function readAssertion() {
-        // Cached assertions expire after 5 minutes
-        if (cacheDate !== undefined && Date.now() - cacheDate >= 1000 * 60 * 5) {
-            azureFederatedTokenFileContent = undefined;
-        }
-        if (!azureFederatedTokenFileContent) {
-            const file = await readFileAsync(azureFederatedTokenFilePath, "utf8");
-            const value = file.trim();
-            if (!value) {
-                throw new Error(`No content on the file ${azureFederatedTokenFilePath}, indicated by the environment variable AZURE_FEDERATED_TOKEN_FILE`);
+class AzurePowerShellCredential {
+    /**
+     * Creates an instance of the {@link AzurePowerShellCredential}.
+     *
+     * To use this credential:
+     * - Install the Azure Az PowerShell module with:
+     *   `Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force`.
+     * - You have already logged in to Azure PowerShell using the command
+     * `Connect-AzAccount` from the command line.
+     *
+     * @param options - Options, to optionally allow multi-tenant requests.
+     */
+    constructor(options) {
+        this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
+        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+    }
+    /**
+     * Gets the access token from Azure PowerShell
+     * @param resource - The resource to use when getting the token
+     */
+    async getAzurePowerShellAccessToken(resource, tenantId) {
+        // Clone the stack to avoid mutating it while iterating
+        for (const powerShellCommand of [...commandStack]) {
+            try {
+                await runCommands([[powerShellCommand, "/?"]]);
+            }
+            catch (e) {
+                // Remove this credential from the original stack so that we don't try it again.
+                commandStack.shift();
+                continue;
+            }
+            let tenantSection = "";
+            if (tenantId) {
+                tenantSection = `-TenantId "${tenantId}"`;
             }
-            else {
-                azureFederatedTokenFileContent = value;
-                cacheDate = Date.now();
+            const results = await runCommands([
+                [
+                    powerShellCommand,
+                    "-Command",
+                    "Import-Module Az.Accounts -MinimumVersion 2.2.0 -PassThru",
+                ],
+                [
+                    powerShellCommand,
+                    "-Command",
+                    `Get-AzAccessToken ${tenantSection} -ResourceUrl "${resource}" | ConvertTo-Json`,
+                ],
+            ]);
+            const result = results[1];
+            try {
+                return JSON.parse(result);
+            }
+            catch (e) {
+                throw new Error(`Unable to parse the output of PowerShell. Received output: ${result}`);
             }
         }
-        return azureFederatedTokenFileContent;
+        throw new Error(`Unable to execute PowerShell. Ensure that it is installed in your system`);
     }
-    return {
-        async isAvailable({ clientId }) {
-            const env = process.env;
-            const result = Boolean((clientId || env.AZURE_CLIENT_ID) && env.AZURE_TENANT_ID && azureFederatedTokenFilePath);
-            if (!result) {
-                logger$8.info(`${msiName$2}: Unavailable. The environment variables needed are: AZURE_CLIENT_ID (or the client ID sent through the parameters), AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE`);
-            }
-            return result;
-        },
-        async getToken(configuration, getTokenOptions = {}) {
-            const { identityClient, scopes, clientId } = configuration;
-            logger$8.info(`${msiName$2}: Using the client assertion coming from environment variables.`);
-            let assertion;
+    /**
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If the authentication cannot be performed through PowerShell, a {@link CredentialUnavailableError} will be thrown.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this TokenCredential implementation might make.
+     */
+    async getToken(scopes, options = {}) {
+        return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {
+            const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds);
+            const scope = typeof scopes === "string" ? scopes : scopes[0];
+            ensureValidScope(scope, logger$a);
+            logger$a.getToken.info(`Using the scope ${scope}`);
+            const resource = getScopeResource(scope);
             try {
-                assertion = await readAssertion();
+                const response = await this.getAzurePowerShellAccessToken(resource, tenantId);
+                logger$a.getToken.info(formatSuccess(scopes));
+                return {
+                    token: response.Token,
+                    expiresOnTimestamp: new Date(response.ExpiresOn).getTime(),
+                };
             }
             catch (err) {
-                throw new Error(`${msiName$2}: Failed to read ${azureFederatedTokenFilePath}, indicated by the environment variable AZURE_FEDERATED_TOKEN_FILE`);
+                if (isNotInstalledError(err)) {
+                    const error = new CredentialUnavailableError(powerShellPublicErrorMessages.installed);
+                    logger$a.getToken.info(formatError(scope, error));
+                    throw error;
+                }
+                else if (isLoginError(err)) {
+                    const error = new CredentialUnavailableError(powerShellPublicErrorMessages.login);
+                    logger$a.getToken.info(formatError(scope, error));
+                    throw error;
+                }
+                const error = new CredentialUnavailableError(`${err}. ${powerShellPublicErrorMessages.troubleshoot}`);
+                logger$a.getToken.info(formatError(scope, error));
+                throw error;
             }
-            const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$2(scopes, assertion, clientId || process.env.AZURE_CLIENT_ID)), { 
-                // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
-                allowInsecureConnection: true }));
-            const tokenResponse = await identityClient.sendTokenRequest(request);
-            return (tokenResponse && tokenResponse.accessToken) || null;
-        },
-    };
+        });
+    }
 }
 
 // Copyright (c) Microsoft Corporation.
-// This MSI can be easily tested by deploying a container to Azure Service Fabric with the Dockerfile:
-//
-//   FROM node:12
-//   RUN wget https://host.any/path/bash.sh
-//   CMD ["bash", "bash.sh"]
-//
-// Where the bash script contains:
-//
-//   curl --insecure $IDENTITY_ENDPOINT'?api-version=2019-07-01-preview&resource=https://vault.azure.net/' -H "Secret: $IDENTITY_HEADER"
-//
-const msiName$1 = "ManagedIdentityCredential - Fabric MSI";
-const logger$7 = credentialLogger(msiName$1);
 /**
- * Formats the expiration date of the received token into the number of milliseconds between that date and midnight, January 1, 1970.
+ * @internal
+ */
+const logger$9 = credentialLogger("ChainedTokenCredential");
+/**
+ * Enables multiple `TokenCredential` implementations to be tried in order
+ * until one of the getToken methods returns an access token.
  */
-function expiresOnParser$1(requestBody) {
-    // Parses a string representation of the milliseconds since epoch into a number value
-    return Number(requestBody.expires_on);
+class ChainedTokenCredential {
+    /**
+     * Creates an instance of ChainedTokenCredential using the given credentials.
+     *
+     * @param sources - `TokenCredential` implementations to be tried in order.
+     *
+     * Example usage:
+     * ```javascript
+     * const firstCredential = new ClientSecretCredential(tenantId, clientId, clientSecret);
+     * const secondCredential = new ClientSecretCredential(tenantId, anotherClientId, anotherSecret);
+     * const credentialChain = new ChainedTokenCredential(firstCredential, secondCredential);
+     * ```
+     */
+    constructor(...sources) {
+        /**
+         * The message to use when the chained token fails to get a token
+         */
+        this.UnavailableMessage = "ChainedTokenCredential => failed to retrieve a token from the included credentials";
+        this._sources = [];
+        this._sources = sources;
+    }
+    /**
+     * Returns the first access token returned by one of the chained
+     * `TokenCredential` implementations.  Throws an {@link AggregateAuthenticationError}
+     * when one or more credentials throws an {@link AuthenticationError} and
+     * no credentials have returned an access token.
+     *
+     * This method is called automatically by Azure SDK client libraries. You may call this method
+     * directly, but you must also handle token caching and token refreshing.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this
+     *                `TokenCredential` implementation might make.
+     */
+    async getToken(scopes, options = {}) {
+        let token = null;
+        let successfulCredentialName = "";
+        const errors = [];
+        return tracingClient.withSpan("ChainedTokenCredential.getToken", options, async (updatedOptions) => {
+            for (let i = 0; i < this._sources.length && token === null; i++) {
+                try {
+                    token = await this._sources[i].getToken(scopes, updatedOptions);
+                    successfulCredentialName = this._sources[i].constructor.name;
+                }
+                catch (err) {
+                    if (err.name === "CredentialUnavailableError" ||
+                        err.name === "AuthenticationRequiredError") {
+                        errors.push(err);
+                    }
+                    else {
+                        logger$9.getToken.info(formatError(scopes, err));
+                        throw err;
+                    }
+                }
+            }
+            if (!token && errors.length > 0) {
+                const err = new AggregateAuthenticationError(errors, "ChainedTokenCredential authentication failed.");
+                logger$9.getToken.info(formatError(scopes, err));
+                throw err;
+            }
+            logger$9.getToken.info(`Result for ${successfulCredentialName}: ${formatSuccess(scopes)}`);
+            if (token === null) {
+                throw new CredentialUnavailableError("Failed to retrieve a valid token");
+            }
+            return token;
+        });
+    }
 }
+
+// Copyright (c) Microsoft Corporation.
+const readFileAsync = util.promisify(fs.readFile);
 /**
- * Generates the options used on the request for an access token.
+ * Tries to asynchronously load a certificate from the given path.
+ *
+ * @param configuration - Either the PEM value or the path to the certificate.
+ * @param sendCertificateChain - Option to include x5c header for SubjectName and Issuer name authorization.
+ * @returns - The certificate parts, or `undefined` if the certificate could not be loaded.
+ * @internal
  */
-function prepareRequestOptions$1(scopes, clientId, resourceId) {
-    const resource = mapScopesToResource(scopes);
-    if (!resource) {
-        throw new Error(`${msiName$1}: Multiple scopes are not supported.`);
+async function parseCertificate(configuration, sendCertificateChain) {
+    const certificateParts = {};
+    const certificate = configuration
+        .certificate;
+    const certificatePath = configuration
+        .certificatePath;
+    certificateParts.certificateContents =
+        certificate || (await readFileAsync(certificatePath, "utf8"));
+    if (sendCertificateChain) {
+        certificateParts.x5c = certificateParts.certificateContents;
     }
-    const queryParameters = {
-        resource,
-        "api-version": azureFabricVersion,
-    };
-    if (clientId) {
-        queryParameters.client_id = clientId;
+    const certificatePattern = /(-+BEGIN CERTIFICATE-+)(\n\r?|\r\n?)([A-Za-z0-9+/\n\r]+=*)(\n\r?|\r\n?)(-+END CERTIFICATE-+)/g;
+    const publicKeys = [];
+    // Match all possible certificates, in the order they are in the file. These will form the chain that is used for x5c
+    let match;
+    do {
+        match = certificatePattern.exec(certificateParts.certificateContents);
+        if (match) {
+            publicKeys.push(match[3]);
+        }
+    } while (match);
+    if (publicKeys.length === 0) {
+        throw new Error("The file at the specified path does not contain a PEM-encoded certificate.");
     }
-    if (resourceId) {
-        queryParameters.msi_res_id = resourceId;
+    certificateParts.thumbprint = crypto.createHash("sha1")
+        .update(Buffer.from(publicKeys[0], "base64"))
+        .digest("hex")
+        .toUpperCase();
+    return certificateParts;
+}
+/**
+ * MSAL client certificate client. Calls to MSAL's confidential application's `acquireTokenByClientCredential` during `doGetToken`.
+ * @internal
+ */
+class MsalClientCertificate extends MsalNode {
+    constructor(options) {
+        super(options);
+        this.requiresConfidential = true;
+        this.configuration = options.configuration;
+        this.sendCertificateChain = options.sendCertificateChain;
     }
-    const query = new URLSearchParams(queryParameters);
-    // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
-    if (!process.env.IDENTITY_ENDPOINT) {
-        throw new Error("Missing environment variable: IDENTITY_ENDPOINT");
+    // Changing the MSAL configuration asynchronously
+    async init(options) {
+        try {
+            const parts = await parseCertificate(this.configuration, this.sendCertificateChain);
+            let privateKey;
+            if (this.configuration.certificatePassword !== undefined) {
+                const privateKeyObject = crypto.createPrivateKey({
+                    key: parts.certificateContents,
+                    passphrase: this.configuration.certificatePassword,
+                    format: "pem",
+                });
+                privateKey = privateKeyObject
+                    .export({
+                    format: "pem",
+                    type: "pkcs8",
+                })
+                    .toString();
+            }
+            else {
+                privateKey = parts.certificateContents;
+            }
+            this.msalConfig.auth.clientCertificate = {
+                thumbprint: parts.thumbprint,
+                privateKey: privateKey,
+                x5c: parts.x5c,
+            };
+        }
+        catch (error) {
+            this.logger.info(formatError("", error));
+            throw error;
+        }
+        return super.init(options);
     }
-    if (!process.env.IDENTITY_HEADER) {
-        throw new Error("Missing environment variable: IDENTITY_HEADER");
+    async doGetToken(scopes, options = {}) {
+        try {
+            const clientCredReq = {
+                scopes,
+                correlationId: options.correlationId,
+                azureRegion: this.azureRegion,
+                authority: options.authority,
+                claims: options.claims,
+            };
+            const result = await this.confidentialApp.acquireTokenByClientCredential(clientCredReq);
+            // Even though we're providing the same default in memory persistence cache that we use for DeviceCodeCredential,
+            // The Client Credential flow does not return the account information from the authentication service,
+            // so each time getToken gets called, we will have to acquire a new token through the service.
+            return this.handleResult(scopes, this.clientId, result || undefined);
+        }
+        catch (err) {
+            throw this.handleError(scopes, err, options);
+        }
     }
-    return {
-        url: `${process.env.IDENTITY_ENDPOINT}?${query.toString()}`,
-        method: "GET",
-        headers: coreRestPipeline.createHttpHeaders({
-            Accept: "application/json",
-            secret: process.env.IDENTITY_HEADER,
-        }),
-    };
 }
+
+// Copyright (c) Microsoft Corporation.
+const credentialName$2 = "ClientCertificateCredential";
+const logger$8 = credentialLogger(credentialName$2);
 /**
- * Defines how to determine whether the Azure Service Fabric MSI is available, and also how to retrieve a token from the Azure Service Fabric MSI.
+ * Enables authentication to Azure Active Directory using a PEM-encoded
+ * certificate that is assigned to an App Registration. More information
+ * on how to configure certificate authentication can be found here:
+ *
+ * https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-certificate-credentials#register-your-certificate-with-azure-ad
+ *
  */
-const fabricMsi = {
-    async isAvailable({ scopes }) {
-        const resource = mapScopesToResource(scopes);
-        if (!resource) {
-            logger$7.info(`${msiName$1}: Unavailable. Multiple scopes are not supported.`);
-            return false;
+class ClientCertificateCredential {
+    constructor(tenantId, clientId, certificatePathOrConfiguration, options = {}) {
+        if (!tenantId || !clientId) {
+            throw new Error(`${credentialName$2}: tenantId and clientId are required parameters.`);
         }
-        const env = process.env;
-        const result = Boolean(env.IDENTITY_ENDPOINT && env.IDENTITY_HEADER && env.IDENTITY_SERVER_THUMBPRINT);
-        if (!result) {
-            logger$7.info(`${msiName$1}: Unavailable. The environment variables needed are: IDENTITY_ENDPOINT, IDENTITY_HEADER and IDENTITY_SERVER_THUMBPRINT`);
+        this.tenantId = tenantId;
+        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        const configuration = Object.assign({}, (typeof certificatePathOrConfiguration === "string"
+            ? {
+                certificatePath: certificatePathOrConfiguration,
+            }
+            : certificatePathOrConfiguration));
+        const certificate = configuration
+            .certificate;
+        const certificatePath = configuration.certificatePath;
+        if (!configuration || !(certificate || certificatePath)) {
+            throw new Error(`${credentialName$2}: Provide either a PEM certificate in string form, or the path to that certificate in the filesystem. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
         }
-        return result;
-    },
-    async getToken(configuration, getTokenOptions = {}) {
-        const { scopes, identityClient, clientId, resourceId } = configuration;
-        if (resourceId) {
-            logger$7.warning(`${msiName$1}: user defined managed Identity by resource Id is not supported. Argument resourceId might be ignored by the service.`);
+        if (certificate && certificatePath) {
+            throw new Error(`${credentialName$2}: To avoid unexpected behaviors, providing both the contents of a PEM certificate and the path to a PEM certificate is forbidden. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
         }
-        logger$7.info([
-            `${msiName$1}:`,
-            "Using the endpoint and the secret coming from the environment variables:",
-            `IDENTITY_ENDPOINT=${process.env.IDENTITY_ENDPOINT},`,
-            "IDENTITY_HEADER=[REDACTED] and",
-            "IDENTITY_SERVER_THUMBPRINT=[REDACTED].",
-        ].join(" "));
-        const request = coreRestPipeline.createPipelineRequest(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$1(scopes, clientId, resourceId)));
-        request.agent = new https__default["default"].Agent({
-            // This is necessary because Service Fabric provides a self-signed certificate.
-            // The alternative path is to verify the certificate using the IDENTITY_SERVER_THUMBPRINT env variable.
-            rejectUnauthorized: false,
+        this.msalFlow = new MsalClientCertificate(Object.assign(Object.assign({}, options), { configuration,
+            logger: logger$8,
+            clientId,
+            tenantId, sendCertificateChain: options.sendCertificateChain, tokenCredentialOptions: options }));
+    }
+    /**
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this
+     *                TokenCredential implementation might make.
+     */
+    async getToken(scopes, options = {}) {
+        return tracingClient.withSpan(`${credentialName$2}.getToken`, options, async (newOptions) => {
+            newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds);
+            const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
+            return this.msalFlow.getToken(arrayScopes, newOptions);
         });
-        const tokenResponse = await identityClient.sendTokenRequest(request, expiresOnParser$1);
-        return (tokenResponse && tokenResponse.accessToken) || null;
-    },
-};
+    }
+}
 
 // Copyright (c) Microsoft Corporation.
-const msiName = "ManagedIdentityCredential - AppServiceMSI 2019";
-const logger$6 = credentialLogger(msiName);
 /**
- * Formats the expiration date of the received token into the number of milliseconds between that date and midnight, January 1, 1970.
+ * MSAL client secret client. Calls to MSAL's confidential application's `acquireTokenByClientCredential` during `doGetToken`.
+ * @internal
  */
-function expiresOnParser(requestBody) {
-    // App Service always returns string expires_on values.
-    return Date.parse(requestBody.expires_on);
+class MsalClientSecret extends MsalNode {
+    constructor(options) {
+        super(options);
+        this.requiresConfidential = true;
+        this.msalConfig.auth.clientSecret = options.clientSecret;
+    }
+    async doGetToken(scopes, options = {}) {
+        try {
+            const result = await this.confidentialApp.acquireTokenByClientCredential({
+                scopes,
+                correlationId: options.correlationId,
+                azureRegion: this.azureRegion,
+                authority: options.authority,
+                claims: options.claims,
+            });
+            // The Client Credential flow does not return an account,
+            // so each time getToken gets called, we will have to acquire a new token through the service.
+            return this.handleResult(scopes, this.clientId, result || undefined);
+        }
+        catch (err) {
+            throw this.handleError(scopes, err, options);
+        }
+    }
 }
+
+// Copyright (c) Microsoft Corporation.
+const logger$7 = credentialLogger("ClientSecretCredential");
 /**
- * Generates the options used on the request for an access token.
+ * Enables authentication to Azure Active Directory using a client secret
+ * that was generated for an App Registration. More information on how
+ * to configure a client secret can be found here:
+ *
+ * https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis#add-credentials-to-your-web-application
+ *
  */
-function prepareRequestOptions(scopes, clientId, resourceId) {
-    const resource = mapScopesToResource(scopes);
-    if (!resource) {
-        throw new Error(`${msiName}: Multiple scopes are not supported.`);
-    }
-    const queryParameters = {
-        resource,
-        "api-version": "2019-08-01",
-    };
-    if (clientId) {
-        queryParameters.client_id = clientId;
+class ClientSecretCredential {
+    /**
+     * Creates an instance of the ClientSecretCredential with the details
+     * needed to authenticate against Azure Active Directory with a client
+     * secret.
+     *
+     * @param tenantId - The Azure Active Directory tenant (directory) ID.
+     * @param clientId - The client (application) ID of an App Registration in the tenant.
+     * @param clientSecret - A client secret that was generated for the App Registration.
+     * @param options - Options for configuring the client which makes the authentication request.
+     */
+    constructor(tenantId, clientId, clientSecret, options = {}) {
+        if (!tenantId || !clientId || !clientSecret) {
+            throw new Error("ClientSecretCredential: tenantId, clientId, and clientSecret are required parameters. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.");
+        }
+        this.tenantId = tenantId;
+        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        this.msalFlow = new MsalClientSecret(Object.assign(Object.assign({}, options), { logger: logger$7,
+            clientId,
+            tenantId,
+            clientSecret, tokenCredentialOptions: options }));
     }
-    if (resourceId) {
-        queryParameters.mi_res_id = resourceId;
+    /**
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this
+     *                TokenCredential implementation might make.
+     */
+    async getToken(scopes, options = {}) {
+        return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
+            newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds);
+            const arrayScopes = ensureScopes(scopes);
+            return this.msalFlow.getToken(arrayScopes, newOptions);
+        });
     }
-    const query = new URLSearchParams(queryParameters);
-    // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
-    if (!process.env.IDENTITY_ENDPOINT) {
-        throw new Error(`${msiName}: Missing environment variable: IDENTITY_ENDPOINT`);
+}
+
+// Copyright (c) Microsoft Corporation.
+/**
+ * MSAL username and password client. Calls to the MSAL's public application's `acquireTokenByUsernamePassword` during `doGetToken`.
+ * @internal
+ */
+class MsalUsernamePassword extends MsalNode {
+    constructor(options) {
+        super(options);
+        this.username = options.username;
+        this.password = options.password;
     }
-    if (!process.env.IDENTITY_HEADER) {
-        throw new Error(`${msiName}: Missing environment variable: IDENTITY_HEADER`);
+    async doGetToken(scopes, options) {
+        try {
+            const requestOptions = {
+                scopes,
+                username: this.username,
+                password: this.password,
+                correlationId: options === null || options === void 0 ? void 0 : options.correlationId,
+                authority: options === null || options === void 0 ? void 0 : options.authority,
+                claims: options === null || options === void 0 ? void 0 : options.claims,
+            };
+            const result = await this.publicApp.acquireTokenByUsernamePassword(requestOptions);
+            return this.handleResult(scopes, this.clientId, result || undefined);
+        }
+        catch (error) {
+            throw this.handleError(scopes, error, options);
+        }
     }
-    return {
-        url: `${process.env.IDENTITY_ENDPOINT}?${query.toString()}`,
-        method: "GET",
-        headers: coreRestPipeline.createHttpHeaders({
-            Accept: "application/json",
-            "X-IDENTITY-HEADER": process.env.IDENTITY_HEADER,
-        }),
-    };
 }
+
+// Copyright (c) Microsoft Corporation.
+const logger$6 = credentialLogger("UsernamePasswordCredential");
 /**
- * Defines how to determine whether the Azure App Service MSI is available, and also how to retrieve a token from the Azure App Service MSI.
+ * Enables authentication to Azure Active Directory with a user's
+ * username and password. This credential requires a high degree of
+ * trust so you should only use it when other, more secure credential
+ * types can't be used.
  */
-const appServiceMsi2019 = {
-    async isAvailable({ scopes }) {
-        const resource = mapScopesToResource(scopes);
-        if (!resource) {
-            logger$6.info(`${msiName}: Unavailable. Multiple scopes are not supported.`);
-            return false;
-        }
-        const env = process.env;
-        const result = Boolean(env.IDENTITY_ENDPOINT && env.IDENTITY_HEADER);
-        if (!result) {
-            logger$6.info(`${msiName}: Unavailable. The environment variables needed are: IDENTITY_ENDPOINT and IDENTITY_HEADER.`);
+class UsernamePasswordCredential {
+    /**
+     * Creates an instance of the UsernamePasswordCredential with the details
+     * needed to authenticate against Azure Active Directory with a username
+     * and password.
+     *
+     * @param tenantId - The Azure Active Directory tenant (directory).
+     * @param clientId - The client (application) ID of an App Registration in the tenant.
+     * @param username - The user account's e-mail address (user name).
+     * @param password - The user account's account password
+     * @param options - Options for configuring the client which makes the authentication request.
+     */
+    constructor(tenantId, clientId, username, password, options = {}) {
+        if (!tenantId || !clientId || !username || !password) {
+            throw new Error("UsernamePasswordCredential: tenantId, clientId, username and password are required parameters. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.");
         }
-        return result;
-    },
-    async getToken(configuration, getTokenOptions = {}) {
-        const { identityClient, scopes, clientId, resourceId } = configuration;
-        logger$6.info(`${msiName}: Using the endpoint and the secret coming form the environment variables: IDENTITY_ENDPOINT=${process.env.IDENTITY_ENDPOINT} and IDENTITY_HEADER=[REDACTED].`);
-        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions(scopes, clientId, resourceId)), { 
-            // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
-            allowInsecureConnection: true }));
-        const tokenResponse = await identityClient.sendTokenRequest(request, expiresOnParser);
-        return (tokenResponse && tokenResponse.accessToken) || null;
-    },
-};
+        this.tenantId = tenantId;
+        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        this.msalFlow = new MsalUsernamePassword(Object.assign(Object.assign({}, options), { logger: logger$6,
+            clientId,
+            tenantId,
+            username,
+            password, tokenCredentialOptions: options || {} }));
+    }
+    /**
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+     *
+     * If the user provided the option `disableAutomaticAuthentication`,
+     * once the token can't be retrieved silently,
+     * this method won't attempt to request user interaction to retrieve the token.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this
+     *                TokenCredential implementation might make.
+     */
+    async getToken(scopes, options = {}) {
+        return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
+            newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds);
+            const arrayScopes = ensureScopes(scopes);
+            return this.msalFlow.getToken(arrayScopes, newOptions);
+        });
+    }
+}
 
 // Copyright (c) Microsoft Corporation.
-const logger$5 = credentialLogger("ManagedIdentityCredential");
 /**
- * Attempts authentication using a managed identity available at the deployment environment.
- * This authentication type works in Azure VMs, App Service instances, Azure Functions applications,
- * Azure Kubernetes Services, Azure Service Fabric instances and inside of the Azure Cloud Shell.
+ * Contains the list of all supported environment variable names so that an
+ * appropriate error message can be generated when no credentials can be
+ * configured.
  *
- * More information about configuring managed identities can be found here:
- * https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
+ * @internal
  */
-class ManagedIdentityCredential {
+const AllSupportedEnvironmentVariables = [
+    "AZURE_TENANT_ID",
+    "AZURE_CLIENT_ID",
+    "AZURE_CLIENT_SECRET",
+    "AZURE_CLIENT_CERTIFICATE_PATH",
+    "AZURE_CLIENT_CERTIFICATE_PASSWORD",
+    "AZURE_USERNAME",
+    "AZURE_PASSWORD",
+    "AZURE_ADDITIONALLY_ALLOWED_TENANTS",
+];
+function getAdditionallyAllowedTenants() {
+    var _a;
+    const additionallyAllowedValues = (_a = process.env.AZURE_ADDITIONALLY_ALLOWED_TENANTS) !== null && _a !== void 0 ? _a : "";
+    return additionallyAllowedValues.split(";");
+}
+const credentialName$1 = "EnvironmentCredential";
+const logger$5 = credentialLogger(credentialName$1);
+/**
+ * Enables authentication to Azure Active Directory using client secret
+ * details configured in environment variables
+ */
+class EnvironmentCredential {
     /**
-     * @internal
-     * @hidden
+     * Creates an instance of the EnvironmentCredential class and decides what credential to use depending on the available environment variables.
+     *
+     * Required environment variables:
+     * - `AZURE_TENANT_ID`: The Azure Active Directory tenant (directory) ID.
+     * - `AZURE_CLIENT_ID`: The client (application) ID of an App Registration in the tenant.
+     *
+     * If setting the AZURE_TENANT_ID, then you can also set the additionally allowed tenants
+     * - `AZURE_ADDITIONALLY_ALLOWED_TENANTS`: For multi-tenant applications, specifies additional tenants for which the credential may acquire tokens with a single semicolon delimited string. Use * to allow all tenants.
+     *
+     * Environment variables used for client credential authentication:
+     * - `AZURE_CLIENT_SECRET`: A client secret that was generated for the App Registration.
+     * - `AZURE_CLIENT_CERTIFICATE_PATH`: The path to a PEM certificate to use during the authentication, instead of the client secret.
+     * - `AZURE_CLIENT_CERTIFICATE_PASSWORD`: (optional) password for the certificate file.
+     *
+     * Alternatively, users can provide environment variables for username and password authentication:
+     * - `AZURE_USERNAME`: Username to authenticate with.
+     * - `AZURE_PASSWORD`: Password to authenticate with.
+     *
+     * If the environment variables required to perform the authentication are missing, a {@link CredentialUnavailableError} will be thrown.
+     * If the authentication fails, or if there's an unknown error, an {@link AuthenticationError} will be thrown.
+     *
+     * @param options - Options for configuring the client which makes the authentication request.
      */
-    constructor(clientIdOrOptions, options) {
-        this.isEndpointUnavailable = null;
-        let _options;
-        if (typeof clientIdOrOptions === "string") {
-            this.clientId = clientIdOrOptions;
-            _options = options;
-        }
-        else {
-            this.clientId = clientIdOrOptions === null || clientIdOrOptions === void 0 ? void 0 : clientIdOrOptions.clientId;
-            _options = clientIdOrOptions;
-        }
-        this.resourceId = _options === null || _options === void 0 ? void 0 : _options.resourceId;
-        // For JavaScript users.
-        if (this.clientId && this.resourceId) {
-            throw new Error(`${ManagedIdentityCredential.name} - Client Id and Resource Id can't be provided at the same time.`);
-        }
-        this.identityClient = new IdentityClient(_options);
-        this.isAvailableIdentityClient = new IdentityClient(Object.assign(Object.assign({}, _options), { retryOptions: {
-                maxRetries: 0,
-            } }));
-    }
-    async cachedAvailableMSI(scopes, getTokenOptions) {
-        if (this.cachedMSI) {
-            return this.cachedMSI;
-        }
-        const MSIs = [
-            arcMsi,
-            fabricMsi,
-            appServiceMsi2019,
-            appServiceMsi2017,
-            cloudShellMsi,
-            tokenExchangeMsi(),
-            imdsMsi,
-        ];
-        for (const msi of MSIs) {
-            if (await msi.isAvailable({
-                scopes,
-                identityClient: this.isAvailableIdentityClient,
-                clientId: this.clientId,
-                resourceId: this.resourceId,
-                getTokenOptions,
-            })) {
-                this.cachedMSI = msi;
-                return msi;
-            }
+    constructor(options) {
+        // Keep track of any missing environment variables for error details
+        this._credential = undefined;
+        const assigned = processEnvVars(AllSupportedEnvironmentVariables).assigned.join(", ");
+        logger$5.info(`Found the following environment variables: ${assigned}`);
+        const tenantId = process.env.AZURE_TENANT_ID, clientId = process.env.AZURE_CLIENT_ID, clientSecret = process.env.AZURE_CLIENT_SECRET;
+        const additionallyAllowedTenantIds = getAdditionallyAllowedTenants();
+        const newOptions = Object.assign(Object.assign({}, options), { additionallyAllowedTenantIds });
+        if (tenantId) {
+            checkTenantId(logger$5, tenantId);
         }
-        throw new CredentialUnavailableError(`${ManagedIdentityCredential.name} - No MSI credential available`);
-    }
-    async authenticateManagedIdentity(scopes, getTokenOptions) {
-        const { span, updatedOptions } = tracingClient.startSpan(`${ManagedIdentityCredential.name}.authenticateManagedIdentity`, getTokenOptions);
-        try {
-            // Determining the available MSI, and avoiding checking for other MSIs while the program is running.
-            const availableMSI = await this.cachedAvailableMSI(scopes, updatedOptions);
-            return availableMSI.getToken({
-                identityClient: this.identityClient,
-                scopes,
-                clientId: this.clientId,
-                resourceId: this.resourceId,
-            }, updatedOptions);
+        if (tenantId && clientId && clientSecret) {
+            logger$5.info(`Invoking ClientSecretCredential with tenant ID: ${tenantId}, clientId: ${clientId} and clientSecret: [REDACTED]`);
+            this._credential = new ClientSecretCredential(tenantId, clientId, clientSecret, newOptions);
+            return;
         }
-        catch (err) {
-            span.setStatus({
-                status: "error",
-                error: err,
-            });
-            throw err;
+        const certificatePath = process.env.AZURE_CLIENT_CERTIFICATE_PATH;
+        const certificatePassword = process.env.AZURE_CLIENT_CERTIFICATE_PASSWORD;
+        if (tenantId && clientId && certificatePath) {
+            logger$5.info(`Invoking ClientCertificateCredential with tenant ID: ${tenantId}, clientId: ${clientId} and certificatePath: ${certificatePath}`);
+            this._credential = new ClientCertificateCredential(tenantId, clientId, { certificatePath, certificatePassword }, newOptions);
+            return;
         }
-        finally {
-            span.end();
+        const username = process.env.AZURE_USERNAME;
+        const password = process.env.AZURE_PASSWORD;
+        if (tenantId && clientId && username && password) {
+            logger$5.info(`Invoking UsernamePasswordCredential with tenant ID: ${tenantId}, clientId: ${clientId} and username: ${username}`);
+            this._credential = new UsernamePasswordCredential(tenantId, clientId, username, password, newOptions);
         }
     }
     /**
      * Authenticates with Azure Active Directory and returns an access token if successful.
-     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
-     * If an unexpected error occurs, an {@link AuthenticationError} will be thrown with the details of the failure.
      *
      * @param scopes - The list of scopes for which the token will have access.
-     * @param options - The options used to configure any requests this
-     *                TokenCredential implementation might make.
+     * @param options - Optional parameters. See {@link GetTokenOptions}.
      */
-    async getToken(scopes, options) {
-        let result = null;
-        const { span, updatedOptions } = tracingClient.startSpan(`${ManagedIdentityCredential.name}.getToken`, options);
-        try {
-            // isEndpointAvailable can be true, false, or null,
-            // If it's null, it means we don't yet know whether
-            // the endpoint is available and need to check for it.
-            if (this.isEndpointUnavailable !== true) {
-                result = await this.authenticateManagedIdentity(scopes, updatedOptions);
-                if (result === null) {
-                    // If authenticateManagedIdentity returns null,
-                    // it means no MSI endpoints are available.
-                    // If so, we avoid trying to reach to them in future requests.
-                    this.isEndpointUnavailable = true;
-                    // It also means that the endpoint answered with either 200 or 201 (see the sendTokenRequest method),
-                    // yet we had no access token. For this reason, we'll throw once with a specific message:
-                    const error = new CredentialUnavailableError("The managed identity endpoint was reached, yet no tokens were received.");
-                    logger$5.getToken.info(formatError(scopes, error));
-                    throw error;
+    async getToken(scopes, options = {}) {
+        return tracingClient.withSpan(`${credentialName$1}.getToken`, options, async (newOptions) => {
+            if (this._credential) {
+                try {
+                    const result = await this._credential.getToken(scopes, newOptions);
+                    logger$5.getToken.info(formatSuccess(scopes));
+                    return result;
+                }
+                catch (err) {
+                    const authenticationError = new AuthenticationError(400, {
+                        error: `${credentialName$1} authentication failed. To troubleshoot, visit https://aka.ms/azsdk/js/identity/environmentcredential/troubleshoot.`,
+                        error_description: err.message.toString().split("More details:").join(""),
+                    });
+                    logger$5.getToken.info(formatError(scopes, authenticationError));
+                    throw authenticationError;
                 }
-                // Since `authenticateManagedIdentity` didn't throw, and the result was not null,
-                // We will assume that this endpoint is reachable from this point forward,
-                // and avoid pinging again to it.
-                this.isEndpointUnavailable = false;
-            }
-            else {
-                // We've previously determined that the endpoint was unavailable,
-                // either because it was unreachable or permanently unable to authenticate.
-                const error = new CredentialUnavailableError("The managed identity endpoint is not currently available");
-                logger$5.getToken.info(formatError(scopes, error));
-                throw error;
-            }
-            logger$5.getToken.info(formatSuccess(scopes));
-            return result;
-        }
-        catch (err) {
-            // CredentialUnavailable errors are expected to reach here.
-            // We intend them to bubble up, so that DefaultAzureCredential can catch them.
-            if (err.name === "AuthenticationRequiredError") {
-                throw err;
-            }
-            // Expected errors to reach this point:
-            // - Errors coming from a method unexpectedly breaking.
-            // - When identityClient.sendTokenRequest throws, in which case
-            //   if the status code was 400, it means that the endpoint is working,
-            //   but no identity is available.
-            span.setStatus({
-                status: "error",
-                error: err,
-            });
-            // If either the network is unreachable,
-            // we can safely assume the credential is unavailable.
-            if (err.code === "ENETUNREACH") {
-                const error = new CredentialUnavailableError(`${ManagedIdentityCredential.name}: Unavailable. Network unreachable. Message: ${err.message}`);
-                logger$5.getToken.info(formatError(scopes, error));
-                throw error;
-            }
-            // If either the host was unreachable,
-            // we can safely assume the credential is unavailable.
-            if (err.code === "EHOSTUNREACH") {
-                const error = new CredentialUnavailableError(`${ManagedIdentityCredential.name}: Unavailable. No managed identity endpoint found. Message: ${err.message}`);
-                logger$5.getToken.info(formatError(scopes, error));
-                throw error;
-            }
-            // If err.statusCode has a value of 400, it comes from sendTokenRequest,
-            // and it means that the endpoint is working, but that no identity is available.
-            if (err.statusCode === 400) {
-                throw new CredentialUnavailableError(`${ManagedIdentityCredential.name}: The managed identity endpoint is indicating there's no available identity. Message: ${err.message}`);
-            }
-            // If the error has no status code, we can assume there was no available identity.
-            // This will throw silently during any ChainedTokenCredential.
-            if (err.statusCode === undefined) {
-                throw new CredentialUnavailableError(`${ManagedIdentityCredential.name}: Authentication failed. Message ${err.message}`);
             }
-            // Any other error should break the chain.
-            throw new AuthenticationError(err.statusCode, {
-                error: `${ManagedIdentityCredential.name} authentication failed.`,
-                error_description: err.message,
-            });
-        }
-        finally {
-            // Finally is always called, both if we return and if we throw in the above try/catch.
-            span.end();
-        }
+            throw new CredentialUnavailableError(`${credentialName$1} is unavailable. No underlying credential could be used. To troubleshoot, visit https://aka.ms/azsdk/js/identity/environmentcredential/troubleshoot.`);
+        });
     }
 }
 
@@ -3179,6 +3206,7 @@ class ClientAssertionCredential {
             throw new Error("ClientAssertionCredential: tenantId, clientId, and clientAssertion are required parameters.");
         }
         this.tenantId = tenantId;
+        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
         this.clientId = clientId;
         this.options = options;
         this.msalFlow = new MsalClientAssertion(Object.assign(Object.assign({}, options), { logger: logger$4, clientId: this.clientId, tenantId: this.tenantId, tokenCredentialOptions: this.options, getAssertion }));
@@ -3193,6 +3221,7 @@ class ClientAssertionCredential {
      */
     async getToken(scopes, options = {}) {
         return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
+            newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds);
             const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
             return this.msalFlow.getToken(arrayScopes, newOptions);
         });
@@ -3382,6 +3411,8 @@ class InteractiveBrowserCredential {
         const redirectUri = typeof options.redirectUri === "function"
             ? options.redirectUri()
             : options.redirectUri || "http://localhost";
+        this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
+        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
         this.msalFlow = new MsalOpenBrowser(Object.assign(Object.assign({}, options), { tokenCredentialOptions: options, logger: logger$3,
             redirectUri }));
         this.disableAutomaticAuthentication = options === null || options === void 0 ? void 0 : options.disableAutomaticAuthentication;
@@ -3400,7 +3431,8 @@ class InteractiveBrowserCredential {
      */
     async getToken(scopes, options = {}) {
         return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
-            const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
+            newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds);
+            const arrayScopes = ensureScopes(scopes);
             return this.msalFlow.getToken(arrayScopes, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: this.disableAutomaticAuthentication }));
         });
     }
@@ -3419,7 +3451,7 @@ class InteractiveBrowserCredential {
      */
     async authenticate(scopes, options = {}) {
         return tracingClient.withSpan(`${this.constructor.name}.authenticate`, options, async (newOptions) => {
-            const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
+            const arrayScopes = ensureScopes(scopes);
             await this.msalFlow.getToken(arrayScopes, newOptions);
             return this.msalFlow.getActiveAccount();
         });
@@ -3493,6 +3525,8 @@ class DeviceCodeCredential {
      * @param options - Options for configuring the client which makes the authentication requests.
      */
     constructor(options) {
+        this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
+        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
         this.msalFlow = new MsalDeviceCode(Object.assign(Object.assign({}, options), { logger: logger$2, userPromptCallback: (options === null || options === void 0 ? void 0 : options.userPromptCallback) || defaultDeviceCodePromptCallback, tokenCredentialOptions: options || {} }));
         this.disableAutomaticAuthentication = options === null || options === void 0 ? void 0 : options.disableAutomaticAuthentication;
     }
@@ -3510,7 +3544,8 @@ class DeviceCodeCredential {
      */
     async getToken(scopes, options = {}) {
         return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
-            const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
+            newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds);
+            const arrayScopes = ensureScopes(scopes);
             return this.msalFlow.getToken(arrayScopes, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: this.disableAutomaticAuthentication }));
         });
     }
@@ -3604,6 +3639,9 @@ class AuthorizationCodeCredential {
             clientSecret = undefined;
             options = redirectUriOrOptions;
         }
+        // TODO: Validate tenant if provided
+        this.tenantId = tenantId;
+        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
         this.msalFlow = new MsalAuthorizationCode(Object.assign(Object.assign({}, options), { clientSecret,
             clientId,
             tenantId, tokenCredentialOptions: options || {}, logger: logger$1, redirectUri: this.redirectUri, authorizationCode: this.authorizationCode }));
@@ -3618,7 +3656,9 @@ class AuthorizationCodeCredential {
      */
     async getToken(scopes, options = {}) {
         return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
-            const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
+            const tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds);
+            newOptions.tenantId = tenantId;
+            const arrayScopes = ensureScopes(scopes);
             return this.msalFlow.getToken(arrayScopes, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: this.disableAutomaticAuthentication }));
         });
     }
@@ -3688,10 +3728,12 @@ class OnBehalfOfCredential {
         this.options = options;
         const { clientSecret } = options;
         const { certificatePath } = options;
-        const { tenantId, clientId, userAssertionToken } = options;
+        const { tenantId, clientId, userAssertionToken, additionallyAllowedTenants: additionallyAllowedTenantIds, } = options;
         if (!tenantId || !clientId || !(clientSecret || certificatePath) || !userAssertionToken) {
             throw new Error(`${credentialName}: tenantId, clientId, clientSecret (or certificatePath) and userAssertionToken are required parameters.`);
         }
+        this.tenantId = tenantId;
+        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(additionallyAllowedTenantIds);
         this.msalFlow = new MsalOnBehalfOf(Object.assign(Object.assign({}, this.options), { logger, tokenCredentialOptions: this.options }));
     }
     /**
@@ -3703,7 +3745,8 @@ class OnBehalfOfCredential {
      */
     async getToken(scopes, options = {}) {
         return tracingClient.withSpan(`${credentialName}.getToken`, options, async (newOptions) => {
-            const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
+            newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds);
+            const arrayScopes = ensureScopes(scopes);
             return this.msalFlow.getToken(arrayScopes, newOptions);
         });
     }