@azure/identity 3.3.2 → 4.0.0-alpha.20231026.4

package/dist/index.js

@@ -1,13 +1,9 @@
 'use strict';
 
-Object.defineProperty(exports, '__esModule', { value: true });
-
-var msalNode = require('@azure/msal-node');
+var msalCommon = require('@azure/msal-node');
 var logger$o = require('@azure/logger');
-var msalCommon = require('@azure/msal-common');
 var abortController = require('@azure/abort-controller');
 var coreUtil = require('@azure/core-util');
-var uuid = require('uuid');
 var coreClient = require('@azure/core-client');
 var coreRestPipeline = require('@azure/core-rest-pipeline');
 var coreTracing = require('@azure/core-tracing');
@@ -19,14 +15,9 @@ var https = require('https');
 var child_process = require('child_process');
 var crypto = require('crypto');
 var util = require('util');
-var http = require('http');
 var open = require('open');
-var stoppable = require('stoppable');
-
-function _interopDefaultLegacy (e) { return e && typeof e === 'object' && 'default' in e ? e : { 'default': e }; }
 
-function _interopNamespace(e) {
-    if (e && e.__esModule) return e;
+function _interopNamespaceDefault(e) {
     var n = Object.create(null);
     if (e) {
         Object.keys(e).forEach(function (k) {
@@ -39,21 +30,12 @@ function _interopNamespace(e) {
             }
         });
     }
-    n["default"] = e;
+    n.default = e;
     return Object.freeze(n);
 }
 
-var msalNode__namespace = /*#__PURE__*/_interopNamespace(msalNode);
-var msalCommon__namespace = /*#__PURE__*/_interopNamespace(msalCommon);
-var fs__default = /*#__PURE__*/_interopDefaultLegacy(fs);
-var os__default = /*#__PURE__*/_interopDefaultLegacy(os);
-var path__default = /*#__PURE__*/_interopDefaultLegacy(path);
-var https__default = /*#__PURE__*/_interopDefaultLegacy(https);
-var child_process__default = /*#__PURE__*/_interopDefaultLegacy(child_process);
-var child_process__namespace = /*#__PURE__*/_interopNamespace(child_process);
-var http__default = /*#__PURE__*/_interopDefaultLegacy(http);
-var open__default = /*#__PURE__*/_interopDefaultLegacy(open);
-var stoppable__default = /*#__PURE__*/_interopDefaultLegacy(stoppable);
+var msalCommon__namespace = /*#__PURE__*/_interopNamespaceDefault(msalCommon);
+var child_process__namespace = /*#__PURE__*/_interopNamespaceDefault(child_process);
 
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
@@ -175,6 +157,7 @@ class AuthenticationRequiredError extends Error {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 /**
  * The AzureLogger used for all clients within the identity package
  */
@@ -257,7 +240,7 @@ function credentialLogger(title, log = logger$n) {
 /**
  * Current version of the `@azure/identity` package.
  */
-const SDK_VERSION = `3.3.2`;
+const SDK_VERSION = `4.0.0-beta.1`;
 /**
  * The default client ID for authentication
  * @internal
@@ -305,6 +288,7 @@ const CACHE_CAE_SUFFIX = ".cae";
 const CACHE_NON_CAE_SUFFIX = ".nocae";
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 /**
  * Latest AuthenticationRecord version
  * @internal
@@ -423,7 +407,7 @@ class MsalBaseUtilities {
      * Generates a UUID
      */
     generateUuid() {
-        return uuid.v4();
+        return coreUtil.randomUUID();
     }
     /**
      * Handles the MSAL authentication result.
@@ -470,6 +454,10 @@ class MsalBaseUtilities {
             error.name === "AbortError") {
             return error;
         }
+        if (error.name === "NativeAuthError") {
+            this.logger.info(formatError(scopes, `Error from the native broker: ${error.message} with status code: ${error.statusCode}`));
+            return error;
+        }
         return new AuthenticationRequiredError({ scopes, getTokenOptions, message: error.message });
     }
 }
@@ -534,6 +522,7 @@ function deserializeAuthenticationRecord(serializedRecord) {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 function createConfigurationErrorMessage(tenantId) {
     return `The current credential is not configured to acquire tokens for tenant ${tenantId}. To enable acquiring tokens for this tenant add it to the AdditionallyAllowedTenants on the credential options, or add "*" to AdditionallyAllowedTenants to allow acquiring tokens for any tenant.`;
 }
@@ -567,6 +556,7 @@ function processMultiTenantRequest(tenantId, getTokenOptions, additionallyAllowe
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 /**
  * @internal
  */
@@ -618,6 +608,7 @@ function getIdentityTokenEndpointSuffix(tenantId) {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 /**
  * Creates a span using the global tracer.
  * @internal
@@ -638,6 +629,7 @@ const azureArcAPIVersion = "2019-11-01";
 const azureFabricVersion = "2019-07-01-preview";
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 /**
  * Most MSIs send requests to the IMDS endpoint, or a similar endpoint.
  * These are GET requests that require sending a `resource` parameter on the query.
@@ -688,6 +680,7 @@ function parseExpirationTimestamp(body) {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 const noCorrelationId = "noCorrelationId";
 /**
  * @internal
@@ -1032,6 +1025,7 @@ var RegionalAuthority;
 })(RegionalAuthority || (RegionalAuthority = {}));
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 /**
  * The current persistence provider, undefined by default.
  * @internal
@@ -1046,6 +1040,25 @@ const msalNodeFlowCacheControl = {
         persistenceProvider = pluginProvider;
     },
 };
+/**
+ * The current native broker provider, undefined by default.
+ * @internal
+ */
+let nativeBrokerInfo = undefined;
+function hasNativeBroker() {
+    return nativeBrokerInfo !== undefined;
+}
+/**
+ * An object that allows setting the native broker provider.
+ * @internal
+ */
+const msalNodeFlowNativeBrokerControl = {
+    setNativeBroker(broker) {
+        nativeBrokerInfo = {
+            broker,
+        };
+    },
+};
 /**
  * MSAL partial base client for Node.js.
  *
@@ -1057,12 +1070,8 @@ const msalNodeFlowCacheControl = {
  */
 class MsalNode extends MsalBaseUtilities {
     constructor(options) {
-        var _a, _b, _c, _d;
+        var _a, _b, _c, _d, _e, _f, _g;
         super(options);
-        // protected publicApp: msalNode.PublicClientApplication | undefined;
-        // protected publicAppCae: msalNode.PublicClientApplication | undefined;
-        // protected confidentialApp: msalNode.ConfidentialClientApplication | undefined;
-        // protected confidentialAppCae: msalNode.ConfidentialClientApplication | undefined;
         this.app = {};
         this.caeApp = {};
         this.requiresConfidential = false;
@@ -1073,14 +1082,17 @@ class MsalNode extends MsalBaseUtilities {
         if (options === null || options === void 0 ? void 0 : options.getAssertion) {
             this.getAssertion = options.getAssertion;
         }
+        this.enableBroker = (_b = options === null || options === void 0 ? void 0 : options.brokerOptions) === null || _b === void 0 ? void 0 : _b.enabled;
+        this.enableMsaPassthrough = (_c = options === null || options === void 0 ? void 0 : options.brokerOptions) === null || _c === void 0 ? void 0 : _c.legacyEnableMsaPassthrough;
+        this.parentWindowHandle = (_d = options.brokerOptions) === null || _d === void 0 ? void 0 : _d.parentWindowHandle;
         // If persistence has been configured
-        if (persistenceProvider !== undefined && ((_b = options.tokenCachePersistenceOptions) === null || _b === void 0 ? void 0 : _b.enabled)) {
+        if (persistenceProvider !== undefined && ((_e = options.tokenCachePersistenceOptions) === null || _e === void 0 ? void 0 : _e.enabled)) {
             const nonCaeOptions = Object.assign({ name: `${options.tokenCachePersistenceOptions.name}.${CACHE_NON_CAE_SUFFIX}` }, options.tokenCachePersistenceOptions);
             const caeOptions = Object.assign({ name: `${options.tokenCachePersistenceOptions.name}.${CACHE_CAE_SUFFIX}` }, options.tokenCachePersistenceOptions);
             this.createCachePlugin = () => persistenceProvider(nonCaeOptions);
             this.createCachePluginCae = () => persistenceProvider(caeOptions);
         }
-        else if ((_c = options.tokenCachePersistenceOptions) === null || _c === void 0 ? void 0 : _c.enabled) {
+        else if ((_f = options.tokenCachePersistenceOptions) === null || _f === void 0 ? void 0 : _f.enabled) {
             throw new Error([
                 "Persistent token caching was requested, but no persistence provider was configured.",
                 "You must install the identity-cache-persistence plugin package (`npm install --save @azure/identity-cache-persistence`)",
@@ -1088,7 +1100,16 @@ class MsalNode extends MsalBaseUtilities {
                 "`useIdentityPlugin(cachePersistencePlugin)` before using `tokenCachePersistenceOptions`.",
             ].join(" "));
         }
-        this.azureRegion = (_d = options.regionalAuthority) !== null && _d !== void 0 ? _d : process.env.AZURE_REGIONAL_AUTHORITY_NAME;
+        // If broker has not been configured
+        if (!hasNativeBroker() && this.enableBroker) {
+            throw new Error([
+                "Broker for WAM was requested to be enabled, but no native broker was configured.",
+                "You must install the identity-broker plugin package (`npm install --save @azure/identity-broker`)",
+                "and enable it by importing `useIdentityPlugin` from `@azure/identity` and calling",
+                "`useIdentityPlugin(createNativeBrokerPlugin())` before using `enableBroker`.",
+            ].join(" "));
+        }
+        this.azureRegion = (_g = options.regionalAuthority) !== null && _g !== void 0 ? _g : process.env.AZURE_REGIONAL_AUTHORITY_NAME;
         if (this.azureRegion === RegionalAuthority.AutoDiscoverRegion) {
             this.azureRegion = "AUTO_DISCOVER";
         }
@@ -1165,11 +1186,20 @@ class MsalNode extends MsalBaseUtilities {
                 cachePlugin: await this.createCachePlugin(),
             };
         }
+        if (hasNativeBroker() && this.enableBroker) {
+            this.msalConfig.broker = {
+                nativeBrokerPlugin: nativeBrokerInfo.broker,
+            };
+            if (!this.parentWindowHandle) {
+                // error should have been thrown from within the constructor of InteractiveBrowserCredential
+                this.logger.warning("Parent window handle is not specified for the broker. This may cause unexpected behavior. Please provide the parentWindowHandle.");
+            }
+        }
         if (options === null || options === void 0 ? void 0 : options.enableCae) {
-            this.caeApp.public = new msalNode__namespace.PublicClientApplication(this.msalConfig);
+            this.caeApp.public = new msalCommon__namespace.PublicClientApplication(this.msalConfig);
         }
         else {
-            this.app.public = new msalNode__namespace.PublicClientApplication(this.msalConfig);
+            this.app.public = new msalCommon__namespace.PublicClientApplication(this.msalConfig);
         }
         if (this.getAssertion) {
             this.msalConfig.auth.clientAssertion = await this.getAssertion();
@@ -1179,10 +1209,10 @@ class MsalNode extends MsalBaseUtilities {
             this.msalConfig.auth.clientAssertion ||
             this.msalConfig.auth.clientCertificate) {
             if (options === null || options === void 0 ? void 0 : options.enableCae) {
-                this.caeApp.confidential = new msalNode__namespace.ConfidentialClientApplication(this.msalConfig);
+                this.caeApp.confidential = new msalCommon__namespace.ConfidentialClientApplication(this.msalConfig);
             }
             else {
-                this.app.confidential = new msalNode__namespace.ConfidentialClientApplication(this.msalConfig);
+                this.app.confidential = new msalCommon__namespace.ConfidentialClientApplication(this.msalConfig);
             }
         }
         else {
@@ -1255,6 +1285,18 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
             authority: options === null || options === void 0 ? void 0 : options.authority,
             claims: options === null || options === void 0 ? void 0 : options.claims,
         };
+        if (hasNativeBroker() && this.enableBroker) {
+            if (!silentRequest.tokenQueryParameters) {
+                silentRequest.tokenQueryParameters = {};
+            }
+            if (!this.parentWindowHandle) {
+                // error should have been thrown from within the constructor of InteractiveBrowserCredential
+                this.logger.warning("Parent window handle is not specified for the broker. This may cause unexpected behavior. Please provide the parentWindowHandle.");
+            }
+            if (this.enableMsaPassthrough) {
+                silentRequest.tokenQueryParameters["msal_request_type"] = "consumer_passthrough";
+            }
+        }
         try {
             this.logger.info("Attempting to acquire token silently");
             /**
@@ -1313,6 +1355,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 const CommonTenantId = "common";
 const AzureAccountClientId = "aebc6443-996d-45c2-90f0-388ff96faa56"; // VSC: 'aebc6443-996d-45c2-90f0-388ff96faa56'
 const logger$m = credentialLogger("VisualStudioCodeCredential");
@@ -1347,10 +1390,10 @@ function getPropertyFromVSCode(property) {
     const settingsPath = ["User", "settings.json"];
     // Eventually we can add more folders for more versions of VSCode.
     const vsCodeFolder = "Code";
-    const homedir = os__default["default"].homedir();
+    const homedir = os.homedir();
     function loadProperty(...pathSegments) {
-        const fullPath = path__default["default"].join(...pathSegments, vsCodeFolder, ...settingsPath);
-        const settings = JSON.parse(fs__default["default"].readFileSync(fullPath, { encoding: "utf8" }));
+        const fullPath = path.join(...pathSegments, vsCodeFolder, ...settingsPath);
+        const settings = JSON.parse(fs.readFileSync(fullPath, { encoding: "utf8" }));
         return settings[property];
     }
     try {
@@ -1493,6 +1536,7 @@ class VisualStudioCodeCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 /**
  * The context passed to an Identity plugin. This contains objects that
  * plugins can use to set backend implementations.
@@ -1500,6 +1544,7 @@ class VisualStudioCodeCredential {
  */
 const pluginContext = {
     cachePluginControl: msalNodeFlowCacheControl,
+    nativeBrokerPluginControl: msalNodeFlowNativeBrokerControl,
     vsCodeCredentialControl: vsCodeCredentialControl,
 };
 /**
@@ -1534,6 +1579,7 @@ function useIdentityPlugin(plugin) {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 const msiName$6 = "ManagedIdentityCredential - AppServiceMSI 2017";
 const logger$l = credentialLogger(msiName$6);
 /**
@@ -1601,6 +1647,7 @@ const appServiceMsi2017 = {
 };
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 const msiName$5 = "ManagedIdentityCredential - CloudShellMSI";
 const logger$k = credentialLogger(msiName$5);
 /**
@@ -1672,6 +1719,7 @@ const cloudShellMsi = {
 };
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 const msiName$4 = "ManagedIdentityCredential - IMDS";
 const logger$j = credentialLogger(msiName$4);
 /**
@@ -1814,6 +1862,7 @@ const imdsMsi = {
 };
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 const msiName$3 = "ManagedIdentityCredential - Azure Arc MSI";
 const logger$i = credentialLogger(msiName$3);
 /**
@@ -1924,6 +1973,7 @@ const arcMsi = {
 };
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 /**
  * MSAL client assertion client. Calls to MSAL's confidential application's `acquireTokenByClientCredential` during `doGetToken`.
  * @internal
@@ -1963,6 +2013,7 @@ class MsalClientAssertion extends MsalNode {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 const logger$h = credentialLogger("ClientAssertionCredential");
 /**
  * Authenticates a service principal with a JWT assertion.
@@ -1970,10 +2021,10 @@ const logger$h = credentialLogger("ClientAssertionCredential");
 class ClientAssertionCredential {
     /**
      * Creates an instance of the ClientAssertionCredential with the details
-     * needed to authenticate against Azure Active Directory with a client
+     * needed to authenticate against Microsoft Entra ID with a client
      * assertion provided by the developer through the `getAssertion` function parameter.
      *
-     * @param tenantId - The Azure Active Directory tenant (directory) ID.
+     * @param tenantId - The Microsoft Entra tenant (directory) ID.
      * @param clientId - The client (application) ID of an App Registration in the tenant.
      * @param getAssertion - A function that retrieves the assertion for the credential to use.
      * @param options - Options for configuring the client which makes the authentication request.
@@ -1989,7 +2040,7 @@ class ClientAssertionCredential {
         this.msalFlow = new MsalClientAssertion(Object.assign(Object.assign({}, options), { logger: logger$h, clientId: this.clientId, tenantId: this.tenantId, tokenCredentialOptions: this.options, getAssertion }));
     }
     /**
-     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
      * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * @param scopes - The list of scopes for which the token will have access.
@@ -2006,6 +2057,7 @@ class ClientAssertionCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 const credentialName$3 = "WorkloadIdentityCredential";
 /**
  * Contains the list of all supported environment variable names so that an
@@ -2029,14 +2081,14 @@ const logger$g = credentialLogger(credentialName$3);
  * Identity authentication, you can avoid the need to manage and rotate service principals or managed identities for
  * each application on each VM. Additionally, because SACs are created automatically and managed by Azure, you don't
  * need to worry about storing and securing sensitive credentials themselves.
- * The WorkloadIdentityCredential supports Azure workload identity authentication on Azure Kubernetes and acquires
+ * The WorkloadIdentityCredential supports Microsoft Entra Workload ID authentication on Azure Kubernetes and acquires
  * a token using the SACs available in the Azure Kubernetes environment.
- * Refer to <a href="https://learn.microsoft.com/azure/aks/workload-identity-overview">Azure Active Directory
- * Workload Identity</a> for more information.
+ * Refer to <a href="https://learn.microsoft.com/azure/aks/workload-identity-overview">Microsoft Entra
+ * Workload ID</a> for more information.
  */
 class WorkloadIdentityCredential {
     /**
-     * WorkloadIdentityCredential supports Azure workload identity on Kubernetes.
+     * WorkloadIdentityCredential supports Microsoft Entra Workload ID on Kubernetes.
      *
      * @param options - The identity client options to use for authentication.
      */
@@ -2060,7 +2112,7 @@ class WorkloadIdentityCredential {
         }
     }
     /**
-     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
      * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * @param scopes - The list of scopes for which the token will have access.
@@ -2104,6 +2156,7 @@ class WorkloadIdentityCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 const msiName$2 = "ManagedIdentityCredential - Token Exchange";
 const logger$f = credentialLogger(msiName$2);
 /**
@@ -2133,6 +2186,7 @@ function tokenExchangeMsi() {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 // This MSI can be easily tested by deploying a container to Azure Service Fabric with the Dockerfile:
 //
 //   FROM node:12
@@ -2211,7 +2265,7 @@ const fabricMsi = {
             "IDENTITY_SERVER_THUMBPRINT=[REDACTED].",
         ].join(" "));
         const request = coreRestPipeline.createPipelineRequest(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$1(scopes, clientId, resourceId)));
-        request.agent = new https__default["default"].Agent({
+        request.agent = new https.Agent({
             // This is necessary because Service Fabric provides a self-signed certificate.
             // The alternative path is to verify the certificate using the IDENTITY_SERVER_THUMBPRINT env variable.
             rejectUnauthorized: false,
@@ -2222,6 +2276,7 @@ const fabricMsi = {
 };
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 const msiName = "ManagedIdentityCredential - AppServiceMSI 2019";
 const logger$d = credentialLogger(msiName);
 /**
@@ -2289,6 +2344,7 @@ const appServiceMsi2019 = {
 };
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 const logger$c = credentialLogger("ManagedIdentityCredential");
 /**
  * Attempts authentication using a managed identity available at the deployment environment.
@@ -2328,8 +2384,9 @@ class ManagedIdentityCredential {
         /**  authority host validation and metadata discovery to be skipped in managed identity
          * since this wasn't done previously before adding token cache support
          */
-        this.confidentialApp = new msalNode.ConfidentialClientApplication({
+        this.confidentialApp = new msalCommon.ConfidentialClientApplication({
             auth: {
+                authority: "https://login.microsoftonline.com/managed_identity",
                 clientId: (_a = this.clientId) !== null && _a !== void 0 ? _a : DeveloperSignOnClientId,
                 clientSecret: "dummy-secret",
                 cloudDiscoveryMetadata: '{"tenant_discovery_endpoint":"https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration","api-version":"1.1","metadata":[{"preferred_network":"login.microsoftonline.com","preferred_cache":"login.windows.net","aliases":["login.microsoftonline.com","login.windows.net","login.microsoft.com","sts.windows.net"]},{"preferred_network":"login.partner.microsoftonline.cn","preferred_cache":"login.partner.microsoftonline.cn","aliases":["login.partner.microsoftonline.cn","login.chinacloudapi.cn"]},{"preferred_network":"login.microsoftonline.de","preferred_cache":"login.microsoftonline.de","aliases":["login.microsoftonline.de"]},{"preferred_network":"login.microsoftonline.us","preferred_cache":"login.microsoftonline.us","aliases":["login.microsoftonline.us","login.usgovcloudapi.net"]},{"preferred_network":"login-us.microsoftonline.com","preferred_cache":"login-us.microsoftonline.com","aliases":["login-us.microsoftonline.com"]}]}',
@@ -2394,7 +2451,7 @@ class ManagedIdentityCredential {
         }
     }
     /**
-     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
      * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      * If an unexpected error occurs, an {@link AuthenticationError} will be thrown with the details of the failure.
      *
@@ -2417,7 +2474,7 @@ class ManagedIdentityCredential {
                 else {
                     const appTokenParameters = {
                         correlationId: this.identityClient.getCorrelationId(),
-                        tenantId: (options === null || options === void 0 ? void 0 : options.tenantId) || "organizations",
+                        tenantId: (options === null || options === void 0 ? void 0 : options.tenantId) || "managed_identity",
                         scopes: Array.isArray(scopes) ? scopes : [scopes],
                         claims: options === null || options === void 0 ? void 0 : options.claims,
                     };
@@ -2578,6 +2635,7 @@ class ManagedIdentityCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 /**
  * Ensures the scopes value is an array.
  * @internal
@@ -2605,6 +2663,7 @@ function getScopeResource(scope) {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 /**
  * Mockable reference to the CLI credential cliCredentialFunctions
  * @internal
@@ -2636,7 +2695,7 @@ const cliCredentialInternals = {
         }
         return new Promise((resolve, reject) => {
             try {
-                child_process__default["default"].execFile("az", [
+                child_process.execFile("az", [
                     "account",
                     "get-access-token",
                     "--output",
@@ -2679,7 +2738,7 @@ class AzureCliCredential {
         this.timeout = options === null || options === void 0 ? void 0 : options.processTimeoutInMs;
     }
     /**
-     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
      * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * @param scopes - The list of scopes for which the token will have access.
@@ -2741,6 +2800,7 @@ class AzureCliCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 /**
  * Easy to mock childProcess utils.
  * @internal
@@ -2771,6 +2831,7 @@ const processUtils = {
 };
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 const logger$a = credentialLogger("AzurePowerShellCredential");
 const isWindows = process.platform === "win32";
 /**
@@ -2904,7 +2965,7 @@ class AzurePowerShellCredential {
         throw new Error(`Unable to execute PowerShell. Ensure that it is installed in your system`);
     }
     /**
-     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
      * If the authentication cannot be performed through PowerShell, a {@link CredentialUnavailableError} will be thrown.
      *
      * @param scopes - The list of scopes for which the token will have access.
@@ -2948,6 +3009,7 @@ class AzurePowerShellCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 /**
  * @internal
  */
@@ -3026,6 +3088,7 @@ class ChainedTokenCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 const readFileAsync = util.promisify(fs.readFile);
 /**
  * Tries to asynchronously load a certificate from the given path.
@@ -3131,10 +3194,11 @@ class MsalClientCertificate extends MsalNode {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 const credentialName$2 = "ClientCertificateCredential";
 const logger$8 = credentialLogger(credentialName$2);
 /**
- * Enables authentication to Azure Active Directory using a PEM-encoded
+ * Enables authentication to Microsoft Entra ID using a PEM-encoded
  * certificate that is assigned to an App Registration. More information
  * on how to configure certificate authentication can be found here:
  *
@@ -3168,7 +3232,7 @@ class ClientCertificateCredential {
             tenantId, sendCertificateChain: options.sendCertificateChain, tokenCredentialOptions: options }));
     }
     /**
-     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
      * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * @param scopes - The list of scopes for which the token will have access.
@@ -3185,6 +3249,7 @@ class ClientCertificateCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 /**
  * MSAL client secret client. Calls to MSAL's confidential application's `acquireTokenByClientCredential` during `doGetToken`.
  * @internal
@@ -3215,22 +3280,23 @@ class MsalClientSecret extends MsalNode {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 const logger$7 = credentialLogger("ClientSecretCredential");
 /**
- * Enables authentication to Azure Active Directory using a client secret
+ * Enables authentication to Microsoft Entra ID using a client secret
  * that was generated for an App Registration. More information on how
  * to configure a client secret can be found here:
  *
- * https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis#add-credentials-to-your-web-application
+ * https://learn.microsoft.com/azure/active-directory/develop/quickstart-configure-app-access-web-apis#add-credentials-to-your-web-application
  *
  */
 class ClientSecretCredential {
     /**
      * Creates an instance of the ClientSecretCredential with the details
-     * needed to authenticate against Azure Active Directory with a client
+     * needed to authenticate against Microsoft Entra ID with a client
      * secret.
      *
-     * @param tenantId - The Azure Active Directory tenant (directory) ID.
+     * @param tenantId - The Microsoft Entra tenant (directory) ID.
      * @param clientId - The client (application) ID of an App Registration in the tenant.
      * @param clientSecret - A client secret that was generated for the App Registration.
      * @param options - Options for configuring the client which makes the authentication request.
@@ -3247,7 +3313,7 @@ class ClientSecretCredential {
             clientSecret, tokenCredentialOptions: options }));
     }
     /**
-     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
      * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * @param scopes - The list of scopes for which the token will have access.
@@ -3264,6 +3330,7 @@ class ClientSecretCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 /**
  * MSAL username and password client. Calls to the MSAL's public application's `acquireTokenByUsernamePassword` during `doGetToken`.
  * @internal
@@ -3294,9 +3361,10 @@ class MsalUsernamePassword extends MsalNode {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 const logger$6 = credentialLogger("UsernamePasswordCredential");
 /**
- * Enables authentication to Azure Active Directory with a user's
+ * Enables authentication to Microsoft Entra ID with a user's
  * username and password. This credential requires a high degree of
  * trust so you should only use it when other, more secure credential
  * types can't be used.
@@ -3304,10 +3372,10 @@ const logger$6 = credentialLogger("UsernamePasswordCredential");
 class UsernamePasswordCredential {
     /**
      * Creates an instance of the UsernamePasswordCredential with the details
-     * needed to authenticate against Azure Active Directory with a username
+     * needed to authenticate against Microsoft Entra ID with a username
      * and password.
      *
-     * @param tenantId - The Azure Active Directory tenant (directory).
+     * @param tenantId - The Microsoft Entra tenant (directory).
      * @param clientId - The client (application) ID of an App Registration in the tenant.
      * @param username - The user account's e-mail address (user name).
      * @param password - The user account's account password
@@ -3326,7 +3394,7 @@ class UsernamePasswordCredential {
             password, tokenCredentialOptions: options || {} }));
     }
     /**
-     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
      * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * If the user provided the option `disableAutomaticAuthentication`,
@@ -3347,6 +3415,7 @@ class UsernamePasswordCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 /**
  * Contains the list of all supported environment variable names so that an
  * appropriate error message can be generated when no credentials can be
@@ -3372,7 +3441,7 @@ function getAdditionallyAllowedTenants() {
 const credentialName$1 = "EnvironmentCredential";
 const logger$5 = credentialLogger(credentialName$1);
 /**
- * Enables authentication to Azure Active Directory using a client secret or certificate, or as a user
+ * Enables authentication to Microsoft Entra ID using a client secret or certificate, or as a user
  * with a username and password.
  */
 class EnvironmentCredential {
@@ -3380,7 +3449,7 @@ class EnvironmentCredential {
      * Creates an instance of the EnvironmentCredential class and decides what credential to use depending on the available environment variables.
      *
      * Required environment variables:
-     * - `AZURE_TENANT_ID`: The Azure Active Directory tenant (directory) ID.
+     * - `AZURE_TENANT_ID`: The Microsoft Entra tenant (directory) ID.
      * - `AZURE_CLIENT_ID`: The client (application) ID of an App Registration in the tenant.
      *
      * If setting the AZURE_TENANT_ID, then you can also set the additionally allowed tenants
@@ -3431,7 +3500,7 @@ class EnvironmentCredential {
         }
     }
     /**
-     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
      *
      * @param scopes - The list of scopes for which the token will have access.
      * @param options - Optional parameters. See {@link GetTokenOptions}.
@@ -3459,6 +3528,7 @@ class EnvironmentCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 /**
  * Mockable reference to the Developer CLI credential cliCredentialFunctions
  * @internal
@@ -3490,7 +3560,7 @@ const developerCliCredentialInternals = {
         }
         return new Promise((resolve, reject) => {
             try {
-                child_process__default["default"].execFile("azd", [
+                child_process.execFile("azd", [
                     "auth",
                     "token",
                     "--output",
@@ -3515,11 +3585,11 @@ const logger$4 = credentialLogger("AzureDeveloperCliCredential");
  * Azure Developer CLI is a command-line interface tool that allows developers to create, manage, and deploy
  * resources in Azure. It's built on top of the Azure CLI and provides additional functionality specific
  * to Azure developers. It allows users to authenticate as a user and/or a service principal against
- * <a href="https://learn.microsoft.com/azure/active-directory/fundamentals/">Azure Active Directory (Azure AD)
- * </a>. The AzureDeveloperCliCredential authenticates in a development environment and acquires a token on behalf of
+ * <a href="https://learn.microsoft.com/azure/active-directory/fundamentals/">Microsoft Entra ID</a>. The
+ * AzureDeveloperCliCredential authenticates in a development environment and acquires a token on behalf of
  * the logged-in user or service principal in the Azure Developer CLI. It acts as the Azure Developer CLI logged in user or
  * service principal and executes an Azure CLI command underneath to authenticate the application against
- * Azure Active Directory.
+ * Microsoft Entra ID.
  *
  * <h2> Configure AzureDeveloperCliCredential </h2>
  *
@@ -3554,7 +3624,7 @@ class AzureDeveloperCliCredential {
         this.timeout = options === null || options === void 0 ? void 0 : options.processTimeoutInMs;
     }
     /**
-     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
      * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * @param scopes - The list of scopes for which the token will have access.
@@ -3622,6 +3692,7 @@ class AzureDeveloperCliCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 /**
  * A shim around ManagedIdentityCredential that adapts it to accept
  * `DefaultAzureCredentialOptions`.
@@ -3718,12 +3789,13 @@ class DefaultAzureCredential extends ChainedTokenCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 /**
  * A call to open(), but mockable
  * @internal
  */
 const interactiveBrowserMockable = {
-    open: open__default["default"],
+    open,
 };
 /**
  * This MSAL client sets up a web server to listen for redirect callbacks, then calls to the MSAL's public application's `acquireTokenByDeviceCode` during `doGetToken`
@@ -3732,182 +3804,106 @@ const interactiveBrowserMockable = {
  */
 class MsalOpenBrowser extends MsalNode {
     constructor(options) {
+        var _a, _b;
         super(options);
-        this.logger = credentialLogger("Node.js MSAL Open Browser");
-        this.redirectUri = options.redirectUri;
         this.loginHint = options.loginHint;
-        const url = new URL(this.redirectUri);
-        this.port = parseInt(url.port);
-        if (isNaN(this.port)) {
-            this.port = 80;
-        }
-        this.hostname = url.hostname;
-    }
-    async acquireTokenByCode(request, enableCae) {
-        return this.getApp("public", enableCae).acquireTokenByCode(request);
+        this.errorTemplate = (_a = options.browserCustomizationOptions) === null || _a === void 0 ? void 0 : _a.errorMessage;
+        this.successTemplate = (_b = options.browserCustomizationOptions) === null || _b === void 0 ? void 0 : _b.successMessage;
+        this.logger = credentialLogger("Node.js MSAL Open Browser");
     }
-    doGetToken(scopes, options) {
-        return new Promise((resolve, reject) => {
-            const socketToDestroy = [];
-            const requestListener = (req, res) => {
-                var _a;
-                if (!req.url) {
-                    reject(new Error(`Interactive Browser Authentication Error "Did not receive token with a valid expiration"`));
-                    return;
-                }
-                let url;
-                try {
-                    url = new URL(req.url, this.redirectUri);
-                }
-                catch (e) {
-                    reject(new Error(`Interactive Browser Authentication Error "Did not receive token with a valid expiration"`));
-                    return;
-                }
-                const tokenRequest = {
-                    code: url.searchParams.get("code"),
-                    redirectUri: this.redirectUri,
-                    scopes: scopes,
-                    authority: options === null || options === void 0 ? void 0 : options.authority,
-                    codeVerifier: (_a = this.pkceCodes) === null || _a === void 0 ? void 0 : _a.verifier,
-                };
-                this.acquireTokenByCode(tokenRequest, options === null || options === void 0 ? void 0 : options.enableCae)
-                    .then((authResponse) => {
-                    if (authResponse === null || authResponse === void 0 ? void 0 : authResponse.account) {
-                        this.account = msalToPublic(this.clientId, authResponse.account);
-                    }
-                    const successMessage = `Authentication Complete. You can close the browser and return to the application.`;
-                    if (authResponse && authResponse.expiresOn) {
-                        const expiresOnTimestamp = authResponse === null || authResponse === void 0 ? void 0 : authResponse.expiresOn.valueOf();
-                        res.writeHead(200);
-                        res.end(successMessage);
-                        this.logger.getToken.info(formatSuccess(scopes));
-                        resolve({
-                            expiresOnTimestamp,
-                            token: authResponse.accessToken,
-                        });
-                    }
-                    else {
-                        const errorMessage = formatError(scopes, `${url.searchParams.get("error")}. ${url.searchParams.get("error_description")}`);
-                        res.writeHead(500);
-                        res.end(errorMessage);
-                        this.logger.getToken.info(errorMessage);
-                        reject(new Error(`Interactive Browser Authentication Error "Did not receive token with a valid expiration"`));
-                    }
-                    cleanup();
-                    return;
-                })
-                    .catch(() => {
-                    const errorMessage = formatError(scopes, `${url.searchParams.get("error")}. ${url.searchParams.get("error_description")}`);
-                    res.writeHead(500);
-                    res.end(errorMessage);
-                    this.logger.getToken.info(errorMessage);
-                    reject(new Error(`Interactive Browser Authentication Error "Did not receive token with a valid expiration"`));
-                    cleanup();
-                });
+    async doGetToken(scopes, options) {
+        var _a;
+        try {
+            const interactiveRequest = {
+                openBrowser: async (url) => {
+                    await interactiveBrowserMockable.open(url, { wait: true, newInstance: true });
+                },
+                scopes,
+                authority: options === null || options === void 0 ? void 0 : options.authority,
+                claims: options === null || options === void 0 ? void 0 : options.claims,
+                correlationId: options === null || options === void 0 ? void 0 : options.correlationId,
+                loginHint: this.loginHint,
+                errorTemplate: this.errorTemplate,
+                successTemplate: this.successTemplate,
             };
-            const app = http__default["default"].createServer(requestListener);
-            const server = stoppable__default["default"](app);
-            const listen = app.listen(this.port, this.hostname, () => this.logger.info(`InteractiveBrowserCredential listening on port ${this.port}!`));
-            function cleanup() {
-                if (listen) {
-                    listen.close();
-                }
-                for (const socket of socketToDestroy) {
-                    socket.destroy();
-                }
-                if (server) {
-                    server.close();
-                    server.stop();
-                }
-            }
-            app.on("connection", (socket) => socketToDestroy.push(socket));
-            app.on("error", (err) => {
-                cleanup();
-                const code = err.code;
-                if (code === "EACCES" || code === "EADDRINUSE") {
-                    reject(new CredentialUnavailableError([
-                        `InteractiveBrowserCredential: Access denied to port ${this.port}.`,
-                        `Try sending a redirect URI with a different port, as follows:`,
-                        '`new InteractiveBrowserCredential({ redirectUri: "http://localhost:1337" })`',
-                    ].join(" ")));
+            if (hasNativeBroker() && this.enableBroker) {
+                this.logger.verbose("Authentication will resume through the broker");
+                if (this.parentWindowHandle) {
+                    interactiveRequest.windowHandle = Buffer.from(this.parentWindowHandle);
                 }
                 else {
-                    reject(new CredentialUnavailableError(`InteractiveBrowserCredential: Failed to start the necessary web server. Error: ${err.message}`));
+                    // error should have been thrown from within the constructor of InteractiveBrowserCredential
+                    this.logger.warning("Parent window handle is not specified for the broker. This may cause unexpected behavior. Please provide the parentWindowHandle.");
                 }
-            });
-            app.on("listening", () => {
-                const openPromise = this.openAuthCodeUrl(scopes, options);
-                const abortSignal = options === null || options === void 0 ? void 0 : options.abortSignal;
-                if (abortSignal) {
-                    abortSignal.addEventListener("abort", () => {
-                        cleanup();
-                        reject(new Error("Aborted"));
-                    });
+                if (this.enableMsaPassthrough) {
+                    ((_a = interactiveRequest.tokenQueryParameters) !== null && _a !== void 0 ? _a : (interactiveRequest.tokenQueryParameters = {}))["msal_request_type"] =
+                        "consumer_passthrough";
                 }
-                openPromise.catch((e) => {
-                    cleanup();
-                    reject(e);
-                });
-            });
-        });
-    }
-    async openAuthCodeUrl(scopeArray, options) {
-        // Initialize CryptoProvider instance
-        const cryptoProvider = new msalNode__namespace.CryptoProvider();
-        // Generate PKCE Codes before starting the authorization flow
-        this.pkceCodes = await cryptoProvider.generatePkceCodes();
-        const authCodeUrlParameters = {
-            scopes: scopeArray,
-            correlationId: options === null || options === void 0 ? void 0 : options.correlationId,
-            redirectUri: this.redirectUri,
-            authority: options === null || options === void 0 ? void 0 : options.authority,
-            claims: options === null || options === void 0 ? void 0 : options.claims,
-            loginHint: this.loginHint,
-            codeChallenge: this.pkceCodes.challenge,
-            codeChallengeMethod: "S256", // Use SHA256 Algorithm
-        };
-        const response = await this.getApp("public", options === null || options === void 0 ? void 0 : options.enableCae).getAuthCodeUrl(authCodeUrlParameters);
-        try {
-            // A new instance on macOS only which allows it to not hang, does not fix the issue on linux
-            await interactiveBrowserMockable.open(response, { wait: true, newInstance: true });
+            }
+            if (hasNativeBroker() && !this.enableBroker) {
+                this.logger.verbose("Authentication will resume normally without the broker, since it's not enabled");
+            }
+            const result = await this.getApp("public", options === null || options === void 0 ? void 0 : options.enableCae).acquireTokenInteractive(interactiveRequest);
+            if (result.fromNativeBroker) {
+                this.logger.verbose(`This result is returned from native broker`);
+            }
+            return this.handleResult(scopes, this.clientId, result || undefined);
         }
-        catch (e) {
-            throw new CredentialUnavailableError(`InteractiveBrowserCredential: Could not open a browser window. Error: ${e.message}`);
+        catch (err) {
+            throw this.handleError(scopes, err, options);
         }
     }
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 const logger$3 = credentialLogger("InteractiveBrowserCredential");
 /**
- * Enables authentication to Azure Active Directory inside of the web browser
+ * Enables authentication to Microsoft Entra ID inside of the web browser
  * using the interactive login flow.
  */
 class InteractiveBrowserCredential {
     /**
      * Creates an instance of InteractiveBrowserCredential with the details needed.
      *
-     * This credential uses the [Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow).
+     * This credential uses the [Authorization Code Flow](https://learn.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow).
      * On Node.js, it will open a browser window while it listens for a redirect response from the authentication service.
      * On browsers, it authenticates via popups. The `loginStyle` optional parameter can be set to `redirect` to authenticate by redirecting the user to an Azure secure login page, which then will redirect the user back to the web application where the authentication started.
      *
-     * For Node.js, if a `clientId` is provided, the Azure Active Directory application will need to be configured to have a "Mobile and desktop applications" redirect endpoint.
-     * Follow our guide on [setting up Redirect URIs for Desktop apps that calls to web APIs](https://docs.microsoft.com/azure/active-directory/develop/scenario-desktop-app-registration#redirect-uris).
+     * For Node.js, if a `clientId` is provided, the Microsoft Entra application will need to be configured to have a "Mobile and desktop applications" redirect endpoint.
+     * Follow our guide on [setting up Redirect URIs for Desktop apps that calls to web APIs](https://learn.microsoft.com/azure/active-directory/develop/scenario-desktop-app-registration#redirect-uris).
      *
      * @param options - Options for configuring the client which makes the authentication requests.
      */
-    constructor(options = {}) {
+    constructor(options) {
+        var _a, _b, _c;
         const redirectUri = typeof options.redirectUri === "function"
             ? options.redirectUri()
             : options.redirectUri || "http://localhost";
         this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
         this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
-        this.msalFlow = new MsalOpenBrowser(Object.assign(Object.assign({}, options), { tokenCredentialOptions: options, logger: logger$3,
-            redirectUri }));
+        const ibcNodeOptions = options;
+        if ((_a = ibcNodeOptions === null || ibcNodeOptions === void 0 ? void 0 : ibcNodeOptions.brokerOptions) === null || _a === void 0 ? void 0 : _a.enabled) {
+            if (!((_b = ibcNodeOptions === null || ibcNodeOptions === void 0 ? void 0 : ibcNodeOptions.brokerOptions) === null || _b === void 0 ? void 0 : _b.parentWindowHandle)) {
+                throw new Error("In order to do WAM authentication, `parentWindowHandle` under `brokerOptions` is a required parameter");
+            }
+            else {
+                this.msalFlow = new MsalOpenBrowser(Object.assign(Object.assign({}, options), { tokenCredentialOptions: options, logger: logger$3,
+                    redirectUri, browserCustomizationOptions: ibcNodeOptions === null || ibcNodeOptions === void 0 ? void 0 : ibcNodeOptions.browserCustomizationOptions, brokerOptions: {
+                        enabled: true,
+                        parentWindowHandle: ibcNodeOptions.brokerOptions.parentWindowHandle,
+                        legacyEnableMsaPassthrough: (_c = ibcNodeOptions.brokerOptions) === null || _c === void 0 ? void 0 : _c.legacyEnableMsaPassthrough,
+                    } }));
+            }
+        }
+        else {
+            this.msalFlow = new MsalOpenBrowser(Object.assign(Object.assign({}, options), { tokenCredentialOptions: options, logger: logger$3,
+                redirectUri, browserCustomizationOptions: ibcNodeOptions === null || ibcNodeOptions === void 0 ? void 0 : ibcNodeOptions.browserCustomizationOptions }));
+        }
         this.disableAutomaticAuthentication = options === null || options === void 0 ? void 0 : options.disableAutomaticAuthentication;
     }
     /**
-     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
      * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * If the user provided the option `disableAutomaticAuthentication`,
@@ -3926,7 +3922,7 @@ class InteractiveBrowserCredential {
         });
     }
     /**
-     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
      * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * If the token can't be retrieved silently, this method will require user interaction to retrieve the token.
@@ -3948,6 +3944,7 @@ class InteractiveBrowserCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 /**
  * MSAL device code client. Calls to the MSAL's public application's `acquireTokenByDeviceCode` during `doGetToken`.
  * @internal
@@ -3980,6 +3977,7 @@ class MsalDeviceCode extends MsalNode {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 const logger$2 = credentialLogger("DeviceCodeCredential");
 /**
  * Method that logs the user code from the DeviceCodeCredential.
@@ -3989,13 +3987,13 @@ function defaultDeviceCodePromptCallback(deviceCodeInfo) {
     console.log(deviceCodeInfo.message);
 }
 /**
- * Enables authentication to Azure Active Directory using a device code
+ * Enables authentication to Microsoft Entra ID using a device code
  * that the user can enter into https://microsoft.com/devicelogin.
  */
 class DeviceCodeCredential {
     /**
      * Creates an instance of DeviceCodeCredential with the details needed
-     * to initiate the device code authorization flow with Azure Active Directory.
+     * to initiate the device code authorization flow with Microsoft Entra ID.
      *
      * A message will be logged, giving users a code that they can use to authenticate once they go to https://microsoft.com/devicelogin
      *
@@ -4020,7 +4018,7 @@ class DeviceCodeCredential {
         this.disableAutomaticAuthentication = options === null || options === void 0 ? void 0 : options.disableAutomaticAuthentication;
     }
     /**
-     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
      * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * If the user provided the option `disableAutomaticAuthentication`,
@@ -4039,7 +4037,7 @@ class DeviceCodeCredential {
         });
     }
     /**
-     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
      * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * If the token can't be retrieved silently, this method will require user interaction to retrieve the token.
@@ -4058,6 +4056,7 @@ class DeviceCodeCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 /**
  * This MSAL client sets up a web server to listen for redirect callbacks, then calls to the MSAL's public application's `acquireTokenByDeviceCode` during `doGetToken`
  * to trigger the authentication flow, and then respond based on the values obtained from the redirect callback
@@ -4101,13 +4100,14 @@ class MsalAuthorizationCode extends MsalNode {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 const logger$1 = credentialLogger("AuthorizationCodeCredential");
 /**
- * Enables authentication to Azure Active Directory using an authorization code
+ * Enables authentication to Microsoft Entra ID using an authorization code
  * that was obtained through the authorization code flow, described in more detail
- * in the Azure Active Directory documentation:
+ * in the Microsoft Entra ID documentation:
  *
- * https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
+ * https://learn.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow
  */
 class AuthorizationCodeCredential {
     /**
@@ -4138,7 +4138,7 @@ class AuthorizationCodeCredential {
             tenantId, tokenCredentialOptions: options || {}, logger: logger$1, redirectUri: this.redirectUri, authorizationCode: this.authorizationCode }));
     }
     /**
-     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
      * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * @param scopes - The list of scopes for which the token will have access.
@@ -4156,6 +4156,7 @@ class AuthorizationCodeCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 /**
  * MSAL on behalf of flow. Calls to MSAL's confidential application's `acquireTokenOnBehalfOf` during `doGetToken`.
  * @internal
@@ -4209,6 +4210,7 @@ class MsalOnBehalfOf extends MsalNode {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 const credentialName = "OnBehalfOfCredential";
 const logger = credentialLogger(credentialName);
 /**
@@ -4228,7 +4230,7 @@ class OnBehalfOfCredential {
         this.msalFlow = new MsalOnBehalfOf(Object.assign(Object.assign({}, this.options), { logger, tokenCredentialOptions: this.options }));
     }
     /**
-     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
      * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * @param scopes - The list of scopes for which the token will have access.
@@ -4244,6 +4246,7 @@ class OnBehalfOfCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 /**
  * Returns a new instance of the {@link DefaultAzureCredential}.
  */