@azure/identity 4.0.0-alpha.20230210.3 → 4.0.0-beta.1

package/dist/index.js

@@ -1,31 +1,23 @@
 'use strict';
 
-Object.defineProperty(exports, '__esModule', { value: true });
-
-var msalNode = require('@azure/msal-node');
-var logger$n = require('@azure/logger');
-var msalCommon = require('@azure/msal-common');
+var msalCommon = require('@azure/msal-node');
+var logger$o = require('@azure/logger');
 var abortController = require('@azure/abort-controller');
 var coreUtil = require('@azure/core-util');
-var uuid = require('uuid');
 var coreClient = require('@azure/core-client');
 var coreRestPipeline = require('@azure/core-rest-pipeline');
 var coreTracing = require('@azure/core-tracing');
 var fs = require('fs');
 var os = require('os');
 var path = require('path');
-var util = require('util');
+var promises = require('fs/promises');
 var https = require('https');
 var child_process = require('child_process');
 var crypto = require('crypto');
-var http = require('http');
+var util = require('util');
 var open = require('open');
-var stoppable = require('stoppable');
-
-function _interopDefaultLegacy (e) { return e && typeof e === 'object' && 'default' in e ? e : { 'default': e }; }
 
-function _interopNamespace(e) {
-    if (e && e.__esModule) return e;
+function _interopNamespaceDefault(e) {
     var n = Object.create(null);
     if (e) {
         Object.keys(e).forEach(function (k) {
@@ -38,21 +30,12 @@ function _interopNamespace(e) {
             }
         });
     }
-    n["default"] = e;
+    n.default = e;
     return Object.freeze(n);
 }
 
-var msalNode__namespace = /*#__PURE__*/_interopNamespace(msalNode);
-var msalCommon__namespace = /*#__PURE__*/_interopNamespace(msalCommon);
-var fs__default = /*#__PURE__*/_interopDefaultLegacy(fs);
-var os__default = /*#__PURE__*/_interopDefaultLegacy(os);
-var path__default = /*#__PURE__*/_interopDefaultLegacy(path);
-var https__default = /*#__PURE__*/_interopDefaultLegacy(https);
-var child_process__default = /*#__PURE__*/_interopDefaultLegacy(child_process);
-var child_process__namespace = /*#__PURE__*/_interopNamespace(child_process);
-var http__default = /*#__PURE__*/_interopDefaultLegacy(http);
-var open__default = /*#__PURE__*/_interopDefaultLegacy(open);
-var stoppable__default = /*#__PURE__*/_interopDefaultLegacy(stoppable);
+var msalCommon__namespace = /*#__PURE__*/_interopNamespaceDefault(msalCommon);
+var child_process__namespace = /*#__PURE__*/_interopNamespaceDefault(child_process);
 
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
@@ -174,10 +157,11 @@ class AuthenticationRequiredError extends Error {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 /**
  * The AzureLogger used for all clients within the identity package
  */
-const logger$m = logger$n.createClientLogger("identity");
+const logger$n = logger$o.createClientLogger("identity");
 /**
  * Separates a list of environment variable names into a plain object with two arrays: an array of missing environment variables and another array with assigned environment variables.
  * @param supportedEnvVars - List of environment variable names
@@ -217,7 +201,7 @@ function formatError(scope, error) {
  *   `[title] => [message]`
  *
  */
-function credentialLoggerInstance(title, parent, log = logger$m) {
+function credentialLoggerInstance(title, parent, log = logger$n) {
     const fullTitle = parent ? `${parent.fullTitle} ${title}` : title;
     function info(message) {
         log.info(`${fullTitle} =>`, message);
@@ -246,7 +230,7 @@ function credentialLoggerInstance(title, parent, log = logger$m) {
  *   `[title] => getToken() => [message]`
  *
  */
-function credentialLogger(title, log = logger$m) {
+function credentialLogger(title, log = logger$n) {
     const credLogger = credentialLoggerInstance(title, undefined, log);
     return Object.assign(Object.assign({}, credLogger), { parent: log, getToken: credentialLoggerInstance("=> getToken()", credLogger, log) });
 }
@@ -300,8 +284,11 @@ const DefaultAuthorityHost = exports.AzureAuthorityHosts.AzurePublicCloud;
  * Allow acquiring tokens for any tenant for multi-tentant auth.
  */
 const ALL_TENANTS = ["*"];
+const CACHE_CAE_SUFFIX = ".cae";
+const CACHE_NON_CAE_SUFFIX = ".nocae";
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 /**
  * Latest AuthenticationRecord version
  * @internal
@@ -420,7 +407,7 @@ class MsalBaseUtilities {
      * Generates a UUID
      */
     generateUuid() {
-        return uuid.v4();
+        return coreUtil.randomUUID();
     }
     /**
      * Handles the MSAL authentication result.
@@ -467,12 +454,16 @@ class MsalBaseUtilities {
             error.name === "AbortError") {
             return error;
         }
+        if (error.name === "NativeAuthError") {
+            this.logger.info(formatError(scopes, `Error from the native broker: ${error.message} with status code: ${error.statusCode}`));
+            return error;
+        }
         return new AuthenticationRequiredError({ scopes, getTokenOptions, message: error.message });
     }
 }
 // transformations.ts
 function publicToMsal(account) {
-    const [environment] = account.authority.match(/([a-z]*\.[a-z]*\.[a-z]*)/) || [];
+    const [environment] = account.authority.match(/([a-z]*\.[a-z]*\.[a-z]*)/) || [""];
     return Object.assign(Object.assign({}, account), { localAccountId: account.homeAccountId, environment });
 }
 function msalToPublic(clientId, account) {
@@ -541,7 +532,7 @@ function createConfigurationErrorMessage(tenantId) {
  * or unless the original tenant Id is `adfs`.
  * @internal
  */
-function processMultiTenantRequest(tenantId, getTokenOptions, additionallyAllowedTenantIds = []) {
+function processMultiTenantRequest(tenantId, getTokenOptions, additionallyAllowedTenantIds = [], logger) {
     var _a;
     let resolvedTenantId;
     if (process.env.AZURE_IDENTITY_DISABLE_MULTITENANTAUTH) {
@@ -557,18 +548,21 @@ function processMultiTenantRequest(tenantId, getTokenOptions, additionallyAllowe
         resolvedTenantId !== tenantId &&
         !additionallyAllowedTenantIds.includes("*") &&
         !additionallyAllowedTenantIds.some((t) => t.localeCompare(resolvedTenantId) === 0)) {
-        throw new Error(createConfigurationErrorMessage(tenantId));
+        const message = createConfigurationErrorMessage(tenantId);
+        logger === null || logger === void 0 ? void 0 : logger.info(message);
+        throw new CredentialUnavailableError(message);
     }
     return resolvedTenantId;
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 /**
  * @internal
  */
 function checkTenantId(logger, tenantId) {
-    if (!tenantId.match(/^[0-9a-zA-Z-.:/]+$/)) {
-        const error = new Error("Invalid tenant id provided. You can locate your tenant id by following the instructions listed here: https://docs.microsoft.com/partner-center/find-ids-and-domain-names.");
+    if (!tenantId.match(/^[0-9a-zA-Z-.]+$/)) {
+        const error = new Error("Invalid tenant id provided. You can locate your tenant id by following the instructions listed here: https://learn.microsoft.com/partner-center/find-ids-and-domain-names.");
         logger.info(formatError("", error));
         throw error;
     }
@@ -592,7 +586,7 @@ function resolveTenantId(logger, tenantId, clientId) {
 /**
  * @internal
  */
-function resolveAddionallyAllowedTenantIds(additionallyAllowedTenants) {
+function resolveAdditionallyAllowedTenantIds(additionallyAllowedTenants) {
     if (!additionallyAllowedTenants || additionallyAllowedTenants.length === 0) {
         return [];
     }
@@ -614,6 +608,7 @@ function getIdentityTokenEndpointSuffix(tenantId) {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 /**
  * Creates a span using the global tracer.
  * @internal
@@ -634,6 +629,7 @@ const azureArcAPIVersion = "2019-11-01";
 const azureFabricVersion = "2019-07-01-preview";
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 /**
  * Most MSIs send requests to the IMDS endpoint, or a similar endpoint.
  * These are GET requests that require sending a `resource` parameter on the query.
@@ -663,7 +659,7 @@ function mapScopesToResource(scopes) {
  * Given a token response, return the expiration timestamp as the number of milliseconds from the Unix epoch.
  * @param body - A parsed response body from the authentication endpoint.
  */
-function parseExpiresOn(body) {
+function parseExpirationTimestamp(body) {
     if (typeof body.expires_on === "number") {
         return body.expires_on * 1000;
     }
@@ -684,6 +680,7 @@ function parseExpiresOn(body) {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 const noCorrelationId = "noCorrelationId";
 /**
  * @internal
@@ -724,9 +721,11 @@ class IdentityClient extends coreClient.ServiceClient {
         this.authorityHost = baseUri;
         this.abortControllers = new Map();
         this.allowLoggingAccountIdentifiers = (_b = options === null || options === void 0 ? void 0 : options.loggingOptions) === null || _b === void 0 ? void 0 : _b.allowLoggingAccountIdentifiers;
+        // used for WorkloadIdentity
+        this.tokenCredentialOptions = Object.assign({}, options);
     }
     async sendTokenRequest(request) {
-        logger$m.info(`IdentityClient: sending token request to [${request.url}]`);
+        logger$n.info(`IdentityClient: sending token request to [${request.url}]`);
         const response = await this.sendRequest(request);
         if (response.bodyAsText && (response.status === 200 || response.status === 201)) {
             const parsedBody = JSON.parse(response.bodyAsText);
@@ -737,16 +736,16 @@ class IdentityClient extends coreClient.ServiceClient {
             const token = {
                 accessToken: {
                     token: parsedBody.access_token,
-                    expiresOnTimestamp: parseExpiresOn(parsedBody),
+                    expiresOnTimestamp: parseExpirationTimestamp(parsedBody),
                 },
                 refreshToken: parsedBody.refresh_token,
             };
-            logger$m.info(`IdentityClient: [${request.url}] token acquired, expires on ${token.accessToken.expiresOnTimestamp}`);
+            logger$n.info(`IdentityClient: [${request.url}] token acquired, expires on ${token.accessToken.expiresOnTimestamp}`);
             return token;
         }
         else {
             const error = new AuthenticationError(response.status, response.bodyAsText);
-            logger$m.warning(`IdentityClient: authentication error. HTTP status: ${response.status}, ${error.errorResponse.errorDescription}`);
+            logger$n.warning(`IdentityClient: authentication error. HTTP status: ${response.status}, ${error.errorResponse.errorDescription}`);
             throw error;
         }
     }
@@ -754,7 +753,7 @@ class IdentityClient extends coreClient.ServiceClient {
         if (refreshToken === undefined) {
             return null;
         }
-        logger$m.info(`IdentityClient: refreshing access token with client ID: ${clientId}, scopes: ${scopes} started`);
+        logger$n.info(`IdentityClient: refreshing access token with client ID: ${clientId}, scopes: ${scopes} started`);
         const refreshParams = {
             grant_type: "refresh_token",
             client_id: clientId,
@@ -780,7 +779,7 @@ class IdentityClient extends coreClient.ServiceClient {
                     tracingOptions: updatedOptions.tracingOptions,
                 });
                 const response = await this.sendTokenRequest(request);
-                logger$m.info(`IdentityClient: refreshed token for client ID: ${clientId}`);
+                logger$n.info(`IdentityClient: refreshed token for client ID: ${clientId}`);
                 return response;
             }
             catch (err) {
@@ -789,11 +788,11 @@ class IdentityClient extends coreClient.ServiceClient {
                     // It's likely that the refresh token has expired, so
                     // return null so that the credential implementation will
                     // initiate the authentication flow again.
-                    logger$m.info(`IdentityClient: interaction required for client ID: ${clientId}`);
+                    logger$n.info(`IdentityClient: interaction required for client ID: ${clientId}`);
                     return null;
                 }
                 else {
-                    logger$m.warning(`IdentityClient: failed refreshing token for client ID: ${clientId}: ${err}`);
+                    logger$n.warning(`IdentityClient: failed refreshing token for client ID: ${clientId}: ${err}`);
                     throw err;
                 }
             }
@@ -869,6 +868,13 @@ class IdentityClient extends coreClient.ServiceClient {
             status: response.status,
         };
     }
+    /**
+     *
+     * @internal
+     */
+    getTokenCredentialOptions() {
+        return this.tokenCredentialOptions;
+    }
     /**
      * If allowLoggingAccountIdentifiers was set on the constructor options
      * we try to log the account identifiers by parsing the received access token.
@@ -895,10 +901,10 @@ class IdentityClient extends coreClient.ServiceClient {
             }
             const base64Metadata = accessToken.split(".")[1];
             const { appid, upn, tid, oid } = JSON.parse(Buffer.from(base64Metadata, "base64").toString("utf8"));
-            logger$m.info(`[Authenticated account] Client ID: ${appid}. Tenant ID: ${tid}. User Principal Name: ${upn || unavailableUpn}. Object ID (user): ${oid}`);
+            logger$n.info(`[Authenticated account] Client ID: ${appid}. Tenant ID: ${tid}. User Principal Name: ${upn || unavailableUpn}. Object ID (user): ${oid}`);
         }
         catch (e) {
-            logger$m.warning("allowLoggingAccountIdentifiers was set, but we couldn't log the account information. Error:", e.message);
+            logger$n.warning("allowLoggingAccountIdentifiers was set, but we couldn't log the account information. Error:", e.message);
         }
     }
 }
@@ -1019,6 +1025,7 @@ var RegionalAuthority;
 })(RegionalAuthority || (RegionalAuthority = {}));
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 /**
  * The current persistence provider, undefined by default.
  * @internal
@@ -1033,6 +1040,25 @@ const msalNodeFlowCacheControl = {
         persistenceProvider = pluginProvider;
     },
 };
+/**
+ * The current native broker provider, undefined by default.
+ * @internal
+ */
+let nativeBrokerInfo = undefined;
+function hasNativeBroker() {
+    return nativeBrokerInfo !== undefined;
+}
+/**
+ * An object that allows setting the native broker provider.
+ * @internal
+ */
+const msalNodeFlowNativeBrokerControl = {
+    setNativeBroker(broker) {
+        nativeBrokerInfo = {
+            broker,
+        };
+    },
+};
 /**
  * MSAL partial base client for Node.js.
  *
@@ -1044,21 +1070,29 @@ const msalNodeFlowCacheControl = {
  */
 class MsalNode extends MsalBaseUtilities {
     constructor(options) {
-        var _a, _b, _c, _d;
+        var _a, _b, _c, _d, _e, _f, _g;
         super(options);
+        this.app = {};
+        this.caeApp = {};
         this.requiresConfidential = false;
         this.msalConfig = this.defaultNodeMsalConfig(options);
         this.tenantId = resolveTenantId(options.logger, options.tenantId, options.clientId);
-        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds((_a = options === null || options === void 0 ? void 0 : options.tokenCredentialOptions) === null || _a === void 0 ? void 0 : _a.additionallyAllowedTenants);
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds((_a = options === null || options === void 0 ? void 0 : options.tokenCredentialOptions) === null || _a === void 0 ? void 0 : _a.additionallyAllowedTenants);
         this.clientId = this.msalConfig.auth.clientId;
         if (options === null || options === void 0 ? void 0 : options.getAssertion) {
             this.getAssertion = options.getAssertion;
         }
+        this.enableBroker = (_b = options === null || options === void 0 ? void 0 : options.brokerOptions) === null || _b === void 0 ? void 0 : _b.enabled;
+        this.enableMsaPassthrough = (_c = options === null || options === void 0 ? void 0 : options.brokerOptions) === null || _c === void 0 ? void 0 : _c.legacyEnableMsaPassthrough;
+        this.parentWindowHandle = (_d = options.brokerOptions) === null || _d === void 0 ? void 0 : _d.parentWindowHandle;
         // If persistence has been configured
-        if (persistenceProvider !== undefined && ((_b = options.tokenCachePersistenceOptions) === null || _b === void 0 ? void 0 : _b.enabled)) {
-            this.createCachePlugin = () => persistenceProvider(options.tokenCachePersistenceOptions);
+        if (persistenceProvider !== undefined && ((_e = options.tokenCachePersistenceOptions) === null || _e === void 0 ? void 0 : _e.enabled)) {
+            const nonCaeOptions = Object.assign({ name: `${options.tokenCachePersistenceOptions.name}.${CACHE_NON_CAE_SUFFIX}` }, options.tokenCachePersistenceOptions);
+            const caeOptions = Object.assign({ name: `${options.tokenCachePersistenceOptions.name}.${CACHE_CAE_SUFFIX}` }, options.tokenCachePersistenceOptions);
+            this.createCachePlugin = () => persistenceProvider(nonCaeOptions);
+            this.createCachePluginCae = () => persistenceProvider(caeOptions);
         }
-        else if ((_c = options.tokenCachePersistenceOptions) === null || _c === void 0 ? void 0 : _c.enabled) {
+        else if ((_f = options.tokenCachePersistenceOptions) === null || _f === void 0 ? void 0 : _f.enabled) {
             throw new Error([
                 "Persistent token caching was requested, but no persistence provider was configured.",
                 "You must install the identity-cache-persistence plugin package (`npm install --save @azure/identity-cache-persistence`)",
@@ -1066,7 +1100,16 @@ class MsalNode extends MsalBaseUtilities {
                 "`useIdentityPlugin(cachePersistencePlugin)` before using `tokenCachePersistenceOptions`.",
             ].join(" "));
         }
-        this.azureRegion = (_d = options.regionalAuthority) !== null && _d !== void 0 ? _d : process.env.AZURE_REGIONAL_AUTHORITY_NAME;
+        // If broker has not been configured
+        if (!hasNativeBroker() && this.enableBroker) {
+            throw new Error([
+                "Broker for WAM was requested to be enabled, but no native broker was configured.",
+                "You must install the identity-broker plugin package (`npm install --save @azure/identity-broker`)",
+                "and enable it by importing `useIdentityPlugin` from `@azure/identity` and calling",
+                "`useIdentityPlugin(createNativeBrokerPlugin())` before using `enableBroker`.",
+            ].join(" "));
+        }
+        this.azureRegion = (_g = options.regionalAuthority) !== null && _g !== void 0 ? _g : process.env.AZURE_REGIONAL_AUTHORITY_NAME;
         if (this.azureRegion === RegionalAuthority.AutoDiscoverRegion) {
             this.azureRegion = "AUTO_DISCOVER";
         }
@@ -1075,15 +1118,13 @@ class MsalNode extends MsalBaseUtilities {
      * Generates a MSAL configuration that generally works for Node.js
      */
     defaultNodeMsalConfig(options) {
+        var _a;
         const clientId = options.clientId || DeveloperSignOnClientId;
         const tenantId = resolveTenantId(options.logger, options.tenantId, options.clientId);
         this.authorityHost = options.authorityHost || process.env.AZURE_AUTHORITY_HOST;
         const authority = getAuthority(tenantId, this.authorityHost);
         this.identityClient = new IdentityClient(Object.assign(Object.assign({}, options.tokenCredentialOptions), { authorityHost: authority, loggingOptions: options.loggingOptions }));
-        let clientCapabilities = ["cp1"];
-        if (process.env.AZURE_IDENTITY_DISABLE_CP1) {
-            clientCapabilities = [];
-        }
+        const clientCapabilities = [];
         return {
             auth: {
                 clientId,
@@ -1096,11 +1137,27 @@ class MsalNode extends MsalBaseUtilities {
                 networkClient: this.identityClient,
                 loggerOptions: {
                     loggerCallback: defaultLoggerCallback(options.logger),
-                    logLevel: getMSALLogLevel(logger$n.getLogLevel()),
+                    logLevel: getMSALLogLevel(logger$o.getLogLevel()),
+                    piiLoggingEnabled: (_a = options.loggingOptions) === null || _a === void 0 ? void 0 : _a.enableUnsafeSupportLogging,
                 },
             },
         };
     }
+    getApp(appType, enableCae) {
+        const app = enableCae ? this.caeApp : this.app;
+        if (appType === "publicFirst") {
+            return (app.public || app.confidential);
+        }
+        else if (appType === "confidentialFirst") {
+            return (app.confidential || app.public);
+        }
+        else if (appType === "confidential") {
+            return app.confidential;
+        }
+        else {
+            return app.public;
+        }
+    }
     /**
      * Prepares the MSAL applications.
      */
@@ -1112,15 +1169,38 @@ class MsalNode extends MsalBaseUtilities {
                 this.identityClient.abortRequests(options.correlationId);
             });
         }
-        if (this.publicApp || this.confidentialApp) {
+        const app = (options === null || options === void 0 ? void 0 : options.enableCae) ? this.caeApp : this.app;
+        if (options === null || options === void 0 ? void 0 : options.enableCae) {
+            this.msalConfig.auth.clientCapabilities = ["cp1"];
+        }
+        if (app.public || app.confidential) {
             return;
         }
+        if ((options === null || options === void 0 ? void 0 : options.enableCae) && this.createCachePluginCae !== undefined) {
+            this.msalConfig.cache = {
+                cachePlugin: await this.createCachePluginCae(),
+            };
+        }
         if (this.createCachePlugin !== undefined) {
             this.msalConfig.cache = {
                 cachePlugin: await this.createCachePlugin(),
             };
         }
-        this.publicApp = new msalNode__namespace.PublicClientApplication(this.msalConfig);
+        if (hasNativeBroker() && this.enableBroker) {
+            this.msalConfig.broker = {
+                nativeBrokerPlugin: nativeBrokerInfo.broker,
+            };
+            if (!this.parentWindowHandle) {
+                // error should have been thrown from within the constructor of InteractiveBrowserCredential
+                this.logger.warning("Parent window handle is not specified for the broker. This may cause unexpected behavior. Please provide the parentWindowHandle.");
+            }
+        }
+        if (options === null || options === void 0 ? void 0 : options.enableCae) {
+            this.caeApp.public = new msalCommon__namespace.PublicClientApplication(this.msalConfig);
+        }
+        else {
+            this.app.public = new msalCommon__namespace.PublicClientApplication(this.msalConfig);
+        }
         if (this.getAssertion) {
             this.msalConfig.auth.clientAssertion = await this.getAssertion();
         }
@@ -1128,7 +1208,12 @@ class MsalNode extends MsalBaseUtilities {
         if (this.msalConfig.auth.clientSecret ||
             this.msalConfig.auth.clientAssertion ||
             this.msalConfig.auth.clientCertificate) {
-            this.confidentialApp = new msalNode__namespace.ConfidentialClientApplication(this.msalConfig);
+            if (options === null || options === void 0 ? void 0 : options.enableCae) {
+                this.caeApp.confidential = new msalCommon__namespace.ConfidentialClientApplication(this.msalConfig);
+            }
+            else {
+                this.app.confidential = new msalCommon__namespace.ConfidentialClientApplication(this.msalConfig);
+            }
         }
         else {
             if (this.requiresConfidential) {
@@ -1156,12 +1241,11 @@ class MsalNode extends MsalBaseUtilities {
     /**
      * Returns the existing account, attempts to load the account from MSAL.
      */
-    async getActiveAccount() {
-        var _a, _b, _c;
+    async getActiveAccount(enableCae = false) {
         if (this.account) {
             return this.account;
         }
-        const cache = (_b = (_a = this.confidentialApp) === null || _a === void 0 ? void 0 : _a.getTokenCache()) !== null && _b !== void 0 ? _b : (_c = this.publicApp) === null || _c === void 0 ? void 0 : _c.getTokenCache();
+        const cache = this.getApp("confidentialFirst", enableCae).getTokenCache();
         const accountsByTenant = await (cache === null || cache === void 0 ? void 0 : cache.getAllAccounts());
         if (!accountsByTenant) {
             return;
@@ -1184,8 +1268,8 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
      * Attempts to retrieve a token from cache.
      */
     async getTokenSilent(scopes, options) {
-        var _a, _b;
-        await this.getActiveAccount();
+        var _a, _b, _c;
+        await this.getActiveAccount(options === null || options === void 0 ? void 0 : options.enableCae);
         if (!this.account) {
             throw new AuthenticationRequiredError({
                 scopes,
@@ -1201,9 +1285,28 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
             authority: options === null || options === void 0 ? void 0 : options.authority,
             claims: options === null || options === void 0 ? void 0 : options.claims,
         };
+        if (hasNativeBroker() && this.enableBroker) {
+            if (!silentRequest.tokenQueryParameters) {
+                silentRequest.tokenQueryParameters = {};
+            }
+            if (!this.parentWindowHandle) {
+                // error should have been thrown from within the constructor of InteractiveBrowserCredential
+                this.logger.warning("Parent window handle is not specified for the broker. This may cause unexpected behavior. Please provide the parentWindowHandle.");
+            }
+            if (this.enableMsaPassthrough) {
+                silentRequest.tokenQueryParameters["msal_request_type"] = "consumer_passthrough";
+            }
+        }
         try {
             this.logger.info("Attempting to acquire token silently");
-            const response = (_b = (await ((_a = this.confidentialApp) === null || _a === void 0 ? void 0 : _a.acquireTokenSilent(silentRequest)))) !== null && _b !== void 0 ? _b : (await this.publicApp.acquireTokenSilent(silentRequest));
+            /**
+             * The following code to retrieve all accounts is done as a workaround in an attempt to force the
+             * refresh of the token cache with the token and the account passed in through the
+             * `authenticationRecord` parameter. See issue - https://github.com/Azure/azure-sdk-for-js/issues/24349#issuecomment-1496715651
+             * This workaround serves as a workaround for silent authentication not happening when authenticationRecord is passed.
+             */
+            await ((_a = this.getApp("publicFirst", options === null || options === void 0 ? void 0 : options.enableCae)) === null || _a === void 0 ? void 0 : _a.getTokenCache().getAllAccounts());
+            const response = (_c = (await ((_b = this.getApp("confidential", options === null || options === void 0 ? void 0 : options.enableCae)) === null || _b === void 0 ? void 0 : _b.acquireTokenSilent(silentRequest)))) !== null && _c !== void 0 ? _c : (await this.getApp("public", options === null || options === void 0 ? void 0 : options.enableCae).acquireTokenSilent(silentRequest));
             return this.handleResult(scopes, this.clientId, response || undefined);
         }
         catch (err) {
@@ -1252,9 +1355,10 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 const CommonTenantId = "common";
 const AzureAccountClientId = "aebc6443-996d-45c2-90f0-388ff96faa56"; // VSC: 'aebc6443-996d-45c2-90f0-388ff96faa56'
-const logger$l = credentialLogger("VisualStudioCodeCredential");
+const logger$m = credentialLogger("VisualStudioCodeCredential");
 let findCredentials = undefined;
 const vsCodeCredentialControl = {
     setVsCodeCredentialFinder(finder) {
@@ -1286,10 +1390,10 @@ function getPropertyFromVSCode(property) {
     const settingsPath = ["User", "settings.json"];
     // Eventually we can add more folders for more versions of VSCode.
     const vsCodeFolder = "Code";
-    const homedir = os__default["default"].homedir();
+    const homedir = os.homedir();
     function loadProperty(...pathSegments) {
-        const fullPath = path__default["default"].join(...pathSegments, vsCodeFolder, ...settingsPath);
-        const settings = JSON.parse(fs__default["default"].readFileSync(fullPath, { encoding: "utf8" }));
+        const fullPath = path.join(...pathSegments, vsCodeFolder, ...settingsPath);
+        const settings = JSON.parse(fs.readFileSync(fullPath, { encoding: "utf8" }));
         return settings[property];
     }
     try {
@@ -1307,7 +1411,7 @@ function getPropertyFromVSCode(property) {
         }
     }
     catch (e) {
-        logger$l.info(`Failed to load the Visual Studio Code configuration file. Error: ${e.message}`);
+        logger$m.info(`Failed to load the Visual Studio Code configuration file. Error: ${e.message}`);
         return;
     }
 }
@@ -1340,13 +1444,13 @@ class VisualStudioCodeCredential {
         const authorityHost = mapVSCodeAuthorityHosts[this.cloudName];
         this.identityClient = new IdentityClient(Object.assign({ authorityHost }, options));
         if (options && options.tenantId) {
-            checkTenantId(logger$l, options.tenantId);
+            checkTenantId(logger$m, options.tenantId);
             this.tenantId = options.tenantId;
         }
         else {
             this.tenantId = CommonTenantId;
         }
-        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
         checkUnsupportedTenant(this.tenantId);
     }
     /**
@@ -1380,8 +1484,7 @@ class VisualStudioCodeCredential {
     async getToken(scopes, options) {
         var _a, _b;
         await this.prepareOnce();
-        const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds) ||
-            this.tenantId;
+        const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds, logger$m) || this.tenantId;
         if (findCredentials === undefined) {
             throw new CredentialUnavailableError([
                 "No implementation of `VisualStudioCodeCredential` is available.",
@@ -1395,7 +1498,7 @@ class VisualStudioCodeCredential {
         // Check to make sure the scope we get back is a valid scope
         if (!scopeString.match(/^[0-9a-zA-Z-.:/]+$/)) {
             const error = new Error("Invalid scope was specified by the user or calling client");
-            logger$l.getToken.info(formatError(scopes, error));
+            logger$m.getToken.info(formatError(scopes, error));
             throw error;
         }
         if (scopeString.indexOf("offline_access") < 0) {
@@ -1415,24 +1518,25 @@ class VisualStudioCodeCredential {
         if (refreshToken) {
             const tokenResponse = await this.identityClient.refreshAccessToken(tenantId, AzureAccountClientId, scopeString, refreshToken, undefined);
             if (tokenResponse) {
-                logger$l.getToken.info(formatSuccess(scopes));
+                logger$m.getToken.info(formatSuccess(scopes));
                 return tokenResponse.accessToken;
             }
             else {
                 const error = new CredentialUnavailableError("Could not retrieve the token associated with Visual Studio Code. Have you connected using the 'Azure Account' extension recently? To troubleshoot, visit https://aka.ms/azsdk/js/identity/vscodecredential/troubleshoot.");
-                logger$l.getToken.info(formatError(scopes, error));
+                logger$m.getToken.info(formatError(scopes, error));
                 throw error;
             }
         }
         else {
             const error = new CredentialUnavailableError("Could not retrieve the token associated with Visual Studio Code. Did you connect using the 'Azure Account' extension? To troubleshoot, visit https://aka.ms/azsdk/js/identity/vscodecredential/troubleshoot.");
-            logger$l.getToken.info(formatError(scopes, error));
+            logger$m.getToken.info(formatError(scopes, error));
             throw error;
         }
     }
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 /**
  * The context passed to an Identity plugin. This contains objects that
  * plugins can use to set backend implementations.
@@ -1440,6 +1544,7 @@ class VisualStudioCodeCredential {
  */
 const pluginContext = {
     cachePluginControl: msalNodeFlowCacheControl,
+    nativeBrokerPluginControl: msalNodeFlowNativeBrokerControl,
     vsCodeCredentialControl: vsCodeCredentialControl,
 };
 /**
@@ -1474,12 +1579,13 @@ function useIdentityPlugin(plugin) {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 const msiName$6 = "ManagedIdentityCredential - AppServiceMSI 2017";
-const logger$k = credentialLogger(msiName$6);
+const logger$l = credentialLogger(msiName$6);
 /**
  * Generates the options used on the request for an access token.
  */
-function prepareRequestOptions$6(scopes, clientId) {
+function prepareRequestOptions$5(scopes, clientId) {
     const resource = mapScopesToResource(scopes);
     if (!resource) {
         throw new Error(`${msiName$6}: Multiple scopes are not supported.`);
@@ -1512,26 +1618,27 @@ function prepareRequestOptions$6(scopes, clientId) {
  * Defines how to determine whether the Azure App Service MSI is available, and also how to retrieve a token from the Azure App Service MSI.
  */
 const appServiceMsi2017 = {
+    name: "appServiceMsi2017",
     async isAvailable({ scopes }) {
         const resource = mapScopesToResource(scopes);
         if (!resource) {
-            logger$k.info(`${msiName$6}: Unavailable. Multiple scopes are not supported.`);
+            logger$l.info(`${msiName$6}: Unavailable. Multiple scopes are not supported.`);
             return false;
         }
         const env = process.env;
         const result = Boolean(env.MSI_ENDPOINT && env.MSI_SECRET);
         if (!result) {
-            logger$k.info(`${msiName$6}: Unavailable. The environment variables needed are: MSI_ENDPOINT and MSI_SECRET.`);
+            logger$l.info(`${msiName$6}: Unavailable. The environment variables needed are: MSI_ENDPOINT and MSI_SECRET.`);
         }
         return result;
     },
     async getToken(configuration, getTokenOptions = {}) {
         const { identityClient, scopes, clientId, resourceId } = configuration;
         if (resourceId) {
-            logger$k.warning(`${msiName$6}: managed Identity by resource Id is not supported. Argument resourceId might be ignored by the service.`);
+            logger$l.warning(`${msiName$6}: managed Identity by resource Id is not supported. Argument resourceId might be ignored by the service.`);
         }
-        logger$k.info(`${msiName$6}: Using the endpoint and the secret coming form the environment variables: MSI_ENDPOINT=${process.env.MSI_ENDPOINT} and MSI_SECRET=[REDACTED].`);
-        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$6(scopes, clientId)), { 
+        logger$l.info(`${msiName$6}: Using the endpoint and the secret coming form the environment variables: MSI_ENDPOINT=${process.env.MSI_ENDPOINT} and MSI_SECRET=[REDACTED].`);
+        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$5(scopes, clientId)), { 
             // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
             allowInsecureConnection: true }));
         const tokenResponse = await identityClient.sendTokenRequest(request);
@@ -1540,12 +1647,13 @@ const appServiceMsi2017 = {
 };
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 const msiName$5 = "ManagedIdentityCredential - CloudShellMSI";
-const logger$j = credentialLogger(msiName$5);
+const logger$k = credentialLogger(msiName$5);
 /**
  * Generates the options used on the request for an access token.
  */
-function prepareRequestOptions$5(scopes, clientId, resourceId) {
+function prepareRequestOptions$4(scopes, clientId, resourceId) {
     const resource = mapScopesToResource(scopes);
     if (!resource) {
         throw new Error(`${msiName$5}: Multiple scopes are not supported.`);
@@ -1580,28 +1688,29 @@ function prepareRequestOptions$5(scopes, clientId, resourceId) {
  * Since Azure Managed Identities aren't available in the Azure Cloud Shell, we log a warning for users that try to access cloud shell using user assigned identity.
  */
 const cloudShellMsi = {
+    name: "cloudShellMsi",
     async isAvailable({ scopes }) {
         const resource = mapScopesToResource(scopes);
         if (!resource) {
-            logger$j.info(`${msiName$5}: Unavailable. Multiple scopes are not supported.`);
+            logger$k.info(`${msiName$5}: Unavailable. Multiple scopes are not supported.`);
             return false;
         }
         const result = Boolean(process.env.MSI_ENDPOINT);
         if (!result) {
-            logger$j.info(`${msiName$5}: Unavailable. The environment variable MSI_ENDPOINT is needed.`);
+            logger$k.info(`${msiName$5}: Unavailable. The environment variable MSI_ENDPOINT is needed.`);
         }
         return result;
     },
     async getToken(configuration, getTokenOptions = {}) {
         const { identityClient, scopes, clientId, resourceId } = configuration;
         if (clientId) {
-            logger$j.warning(`${msiName$5}: user-assigned identities not supported. The argument clientId might be ignored by the service.`);
+            logger$k.warning(`${msiName$5}: user-assigned identities not supported. The argument clientId might be ignored by the service.`);
         }
         if (resourceId) {
-            logger$j.warning(`${msiName$5}: user defined managed Identity by resource Id not supported. The argument resourceId might be ignored by the service.`);
+            logger$k.warning(`${msiName$5}: user defined managed Identity by resource Id not supported. The argument resourceId might be ignored by the service.`);
         }
-        logger$j.info(`${msiName$5}: Using the endpoint coming form the environment variable MSI_ENDPOINT = ${process.env.MSI_ENDPOINT}.`);
-        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$5(scopes, clientId, resourceId)), { 
+        logger$k.info(`${msiName$5}: Using the endpoint coming form the environment variable MSI_ENDPOINT = ${process.env.MSI_ENDPOINT}.`);
+        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$4(scopes, clientId, resourceId)), { 
             // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
             allowInsecureConnection: true }));
         const tokenResponse = await identityClient.sendTokenRequest(request);
@@ -1610,12 +1719,13 @@ const cloudShellMsi = {
 };
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 const msiName$4 = "ManagedIdentityCredential - IMDS";
-const logger$i = credentialLogger(msiName$4);
+const logger$j = credentialLogger(msiName$4);
 /**
  * Generates the options used on the request for an access token.
  */
-function prepareRequestOptions$4(scopes, clientId, resourceId, options) {
+function prepareRequestOptions$3(scopes, clientId, resourceId, options) {
     var _a;
     const resource = mapScopesToResource(scopes);
     if (!resource) {
@@ -1665,10 +1775,11 @@ const imdsMsiRetryConfig = {
  * Defines how to determine whether the Azure IMDS MSI is available, and also how to retrieve a token from the Azure IMDS MSI.
  */
 const imdsMsi = {
+    name: "imdsMsi",
     async isAvailable({ scopes, identityClient, clientId, resourceId, getTokenOptions = {}, }) {
         const resource = mapScopesToResource(scopes);
         if (!resource) {
-            logger$i.info(`${msiName$4}: Unavailable. Multiple scopes are not supported.`);
+            logger$j.info(`${msiName$4}: Unavailable. Multiple scopes are not supported.`);
             return false;
         }
         // if the PodIdentityEndpoint environment variable was set no need to probe the endpoint, it can be assumed to exist
@@ -1678,52 +1789,62 @@ const imdsMsi = {
         if (!identityClient) {
             throw new Error("Missing IdentityClient");
         }
-        const requestOptions = prepareRequestOptions$4(resource, clientId, resourceId, {
+        const requestOptions = prepareRequestOptions$3(resource, clientId, resourceId, {
             skipMetadataHeader: true,
             skipQuery: true,
         });
         return tracingClient.withSpan("ManagedIdentityCredential-pingImdsEndpoint", getTokenOptions, async (options) => {
-            var _a;
+            var _a, _b;
             requestOptions.tracingOptions = options.tracingOptions;
             // Create a request with a timeout since we expect that
             // not having a "Metadata" header should cause an error to be
             // returned quickly from the endpoint, proving its availability.
             const request = coreRestPipeline.createPipelineRequest(requestOptions);
-            // Default to 300 if the default of 0 is used.
+            // Default to 1000 if the default of 0 is used.
             // Negative values can still be used to disable the timeout.
-            request.timeout = ((_a = options.requestOptions) === null || _a === void 0 ? void 0 : _a.timeout) || 300;
+            request.timeout = ((_a = options.requestOptions) === null || _a === void 0 ? void 0 : _a.timeout) || 1000;
             // This MSI uses the imdsEndpoint to get the token, which only uses http://
             request.allowInsecureConnection = true;
+            let response;
             try {
-                logger$i.info(`${msiName$4}: Pinging the Azure IMDS endpoint`);
-                await identityClient.sendRequest(request);
+                logger$j.info(`${msiName$4}: Pinging the Azure IMDS endpoint`);
+                response = await identityClient.sendRequest(request);
             }
             catch (err) {
                 // If the request failed, or Node.js was unable to establish a connection,
                 // or the host was down, we'll assume the IMDS endpoint isn't available.
                 if (coreUtil.isError(err)) {
-                    logger$i.verbose(`${msiName$4}: Caught error ${err.name}: ${err.message}`);
+                    logger$j.verbose(`${msiName$4}: Caught error ${err.name}: ${err.message}`);
                 }
-                logger$i.info(`${msiName$4}: The Azure IMDS endpoint is unavailable`);
+                // This is a special case for Docker Desktop which responds with a 403 with a message that contains "A socket operation was attempted to an unreachable network"
+                // rather than just timing out, as expected.
+                logger$j.info(`${msiName$4}: The Azure IMDS endpoint is unavailable`);
                 return false;
             }
+            if (response.status === 403) {
+                if ((_b = response.bodyAsText) === null || _b === void 0 ? void 0 : _b.includes("A socket operation was attempted to an unreachable network")) {
+                    logger$j.info(`${msiName$4}: The Azure IMDS endpoint is unavailable`);
+                    logger$j.info(`${msiName$4}: ${response.bodyAsText}`);
+                    return false;
+                }
+            }
             // If we received any response, the endpoint is available
-            logger$i.info(`${msiName$4}: The Azure IMDS endpoint is available`);
+            logger$j.info(`${msiName$4}: The Azure IMDS endpoint is available`);
             return true;
         });
     },
     async getToken(configuration, getTokenOptions = {}) {
         const { identityClient, scopes, clientId, resourceId } = configuration;
         if (process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) {
-            logger$i.info(`${msiName$4}: Using the Azure IMDS endpoint coming from the environment variable AZURE_POD_IDENTITY_AUTHORITY_HOST=${process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST}.`);
+            logger$j.info(`${msiName$4}: Using the Azure IMDS endpoint coming from the environment variable AZURE_POD_IDENTITY_AUTHORITY_HOST=${process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST}.`);
         }
         else {
-            logger$i.info(`${msiName$4}: Using the default Azure IMDS endpoint ${imdsHost}.`);
+            logger$j.info(`${msiName$4}: Using the default Azure IMDS endpoint ${imdsHost}.`);
         }
         let nextDelayInMs = imdsMsiRetryConfig.startDelayInMs;
         for (let retries = 0; retries < imdsMsiRetryConfig.maxRetries; retries++) {
             try {
-                const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$4(scopes, clientId, resourceId)), { allowInsecureConnection: true }));
+                const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$3(scopes, clientId, resourceId)), { allowInsecureConnection: true }));
                 const tokenResponse = await identityClient.sendTokenRequest(request);
                 return (tokenResponse && tokenResponse.accessToken) || null;
             }
@@ -1741,12 +1862,13 @@ const imdsMsi = {
 };
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 const msiName$3 = "ManagedIdentityCredential - Azure Arc MSI";
-const logger$h = credentialLogger(msiName$3);
+const logger$i = credentialLogger(msiName$3);
 /**
  * Generates the options used on the request for an access token.
  */
-function prepareRequestOptions$3(scopes, clientId, resourceId) {
+function prepareRequestOptions$2(scopes, clientId, resourceId) {
     const resource = mapScopesToResource(scopes);
     if (!resource) {
         throw new Error(`${msiName$3}: Multiple scopes are not supported.`);
@@ -1780,7 +1902,7 @@ function prepareRequestOptions$3(scopes, clientId, resourceId) {
  * Retrieves the file contents at the given path using promises.
  * Useful since `fs`'s readFileSync locks the thread, and to avoid extra dependencies.
  */
-function readFileAsync$2(path, options) {
+function readFileAsync$1(path, options) {
     return new Promise((resolve, reject) => fs.readFile(path, options, (err, data) => {
         if (err) {
             reject(err);
@@ -1812,15 +1934,16 @@ async function filePathRequest(identityClient, requestPrepareOptions) {
  * Defines how to determine whether the Azure Arc MSI is available, and also how to retrieve a token from the Azure Arc MSI.
  */
 const arcMsi = {
+    name: "arc",
     async isAvailable({ scopes }) {
         const resource = mapScopesToResource(scopes);
         if (!resource) {
-            logger$h.info(`${msiName$3}: Unavailable. Multiple scopes are not supported.`);
+            logger$i.info(`${msiName$3}: Unavailable. Multiple scopes are not supported.`);
             return false;
         }
         const result = Boolean(process.env.IMDS_ENDPOINT && process.env.IDENTITY_ENDPOINT);
         if (!result) {
-            logger$h.info(`${msiName$3}: The environment variables needed are: IMDS_ENDPOINT and IDENTITY_ENDPOINT`);
+            logger$i.info(`${msiName$3}: The environment variables needed are: IMDS_ENDPOINT and IDENTITY_ENDPOINT`);
         }
         return result;
     },
@@ -1828,18 +1951,18 @@ const arcMsi = {
         var _a;
         const { identityClient, scopes, clientId, resourceId } = configuration;
         if (clientId) {
-            logger$h.warning(`${msiName$3}: user-assigned identities not supported. The argument clientId might be ignored by the service.`);
+            logger$i.warning(`${msiName$3}: user-assigned identities not supported. The argument clientId might be ignored by the service.`);
         }
         if (resourceId) {
-            logger$h.warning(`${msiName$3}: user defined managed Identity by resource Id is not supported. Argument resourceId will be ignored.`);
+            logger$i.warning(`${msiName$3}: user defined managed Identity by resource Id is not supported. Argument resourceId will be ignored.`);
         }
-        logger$h.info(`${msiName$3}: Authenticating.`);
-        const requestOptions = Object.assign(Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$3(scopes, clientId, resourceId)), { allowInsecureConnection: true });
+        logger$i.info(`${msiName$3}: Authenticating.`);
+        const requestOptions = Object.assign(Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$2(scopes, clientId, resourceId)), { allowInsecureConnection: true });
         const filePath = await filePathRequest(identityClient, requestOptions);
         if (!filePath) {
             throw new Error(`${msiName$3}: Failed to find the token file.`);
         }
-        const key = await readFileAsync$2(filePath, { encoding: "utf-8" });
+        const key = await readFileAsync$1(filePath, { encoding: "utf-8" });
         (_a = requestOptions.headers) === null || _a === void 0 ? void 0 : _a.set("Authorization", `Basic ${key}`);
         const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({}, requestOptions), { 
             // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
@@ -1850,87 +1973,220 @@ const arcMsi = {
 };
 
 // Copyright (c) Microsoft Corporation.
-const msiName$2 = "ManagedIdentityCredential - Token Exchange";
-const logger$g = credentialLogger(msiName$2);
-const readFileAsync$1 = util.promisify(fs__default["default"].readFile);
+// Licensed under the MIT license.
 /**
- * Generates the options used on the request for an access token.
+ * MSAL client assertion client. Calls to MSAL's confidential application's `acquireTokenByClientCredential` during `doGetToken`.
+ * @internal
  */
-function prepareRequestOptions$2(scopes, clientAssertion, clientId) {
-    var _a;
-    const bodyParams = {
-        scope: Array.isArray(scopes) ? scopes.join(" ") : scopes,
-        client_assertion: clientAssertion,
-        client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
-        client_id: clientId,
-        grant_type: "client_credentials",
-    };
-    const urlParams = new URLSearchParams(bodyParams);
-    const url = new URL(`${process.env.AZURE_TENANT_ID}/oauth2/v2.0/token`, (_a = process.env.AZURE_AUTHORITY_HOST) !== null && _a !== void 0 ? _a : DefaultAuthorityHost);
-    return {
-        url: url.toString(),
-        method: "POST",
-        body: urlParams.toString(),
-        headers: coreRestPipeline.createHttpHeaders({
-            Accept: "application/json",
-        }),
-    };
+class MsalClientAssertion extends MsalNode {
+    constructor(options) {
+        super(options);
+        this.requiresConfidential = true;
+        this.getAssertion = options.getAssertion;
+    }
+    async doGetToken(scopes, options = {}) {
+        try {
+            const assertion = await this.getAssertion();
+            const result = await this.getApp("confidential", options.enableCae).acquireTokenByClientCredential({
+                scopes,
+                correlationId: options.correlationId,
+                azureRegion: this.azureRegion,
+                authority: options.authority,
+                claims: options.claims,
+                clientAssertion: assertion,
+            });
+            // The Client Credential flow does not return an account,
+            // so each time getToken gets called, we will have to acquire a new token through the service.
+            return this.handleResult(scopes, this.clientId, result || undefined);
+        }
+        catch (err) {
+            let err2 = err;
+            if (err === null || err === undefined) {
+                err2 = new Error(JSON.stringify(err));
+            }
+            else {
+                err2 = coreUtil.isError(err) ? err : new Error(String(err));
+            }
+            throw this.handleError(scopes, err2, options);
+        }
+    }
 }
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+const logger$h = credentialLogger("ClientAssertionCredential");
 /**
- * Defines how to determine whether the token exchange MSI is available, and also how to retrieve a token from the token exchange MSI.
+ * Authenticates a service principal with a JWT assertion.
  */
-function tokenExchangeMsi() {
-    const azureFederatedTokenFilePath = process.env.AZURE_FEDERATED_TOKEN_FILE;
-    let azureFederatedTokenFileContent = undefined;
-    let cacheDate = undefined;
-    // Only reads from the assertion file once every 5 minutes
-    async function readAssertion() {
+class ClientAssertionCredential {
+    /**
+     * Creates an instance of the ClientAssertionCredential with the details
+     * needed to authenticate against Microsoft Entra ID with a client
+     * assertion provided by the developer through the `getAssertion` function parameter.
+     *
+     * @param tenantId - The Microsoft Entra tenant (directory) ID.
+     * @param clientId - The client (application) ID of an App Registration in the tenant.
+     * @param getAssertion - A function that retrieves the assertion for the credential to use.
+     * @param options - Options for configuring the client which makes the authentication request.
+     */
+    constructor(tenantId, clientId, getAssertion, options = {}) {
+        if (!tenantId || !clientId || !getAssertion) {
+            throw new Error("ClientAssertionCredential: tenantId, clientId, and clientAssertion are required parameters.");
+        }
+        this.tenantId = tenantId;
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        this.clientId = clientId;
+        this.options = options;
+        this.msalFlow = new MsalClientAssertion(Object.assign(Object.assign({}, options), { logger: logger$h, clientId: this.clientId, tenantId: this.tenantId, tokenCredentialOptions: this.options, getAssertion }));
+    }
+    /**
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this
+     *                TokenCredential implementation might make.
+     */
+    async getToken(scopes, options = {}) {
+        return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
+            newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$h);
+            const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
+            return this.msalFlow.getToken(arrayScopes, newOptions);
+        });
+    }
+}
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+const credentialName$3 = "WorkloadIdentityCredential";
+/**
+ * Contains the list of all supported environment variable names so that an
+ * appropriate error message can be generated when no credentials can be
+ * configured.
+ *
+ * @internal
+ */
+const SupportedWorkloadEnvironmentVariables = [
+    "AZURE_TENANT_ID",
+    "AZURE_CLIENT_ID",
+    "AZURE_FEDERATED_TOKEN_FILE",
+];
+const logger$g = credentialLogger(credentialName$3);
+/**
+ * Workload Identity authentication is a feature in Azure that allows applications running on virtual machines (VMs)
+ * to access other Azure resources without the need for a service principal or managed identity. With Workload Identity
+ * authentication, applications authenticate themselves using their own identity, rather than using a shared service
+ * principal or managed identity. Under the hood, Workload Identity authentication uses the concept of Service Account
+ * Credentials (SACs), which are automatically created by Azure and stored securely in the VM. By using Workload
+ * Identity authentication, you can avoid the need to manage and rotate service principals or managed identities for
+ * each application on each VM. Additionally, because SACs are created automatically and managed by Azure, you don't
+ * need to worry about storing and securing sensitive credentials themselves.
+ * The WorkloadIdentityCredential supports Microsoft Entra Workload ID authentication on Azure Kubernetes and acquires
+ * a token using the SACs available in the Azure Kubernetes environment.
+ * Refer to <a href="https://learn.microsoft.com/azure/aks/workload-identity-overview">Microsoft Entra
+ * Workload ID</a> for more information.
+ */
+class WorkloadIdentityCredential {
+    /**
+     * WorkloadIdentityCredential supports Microsoft Entra Workload ID on Kubernetes.
+     *
+     * @param options - The identity client options to use for authentication.
+     */
+    constructor(options) {
+        this.azureFederatedTokenFileContent = undefined;
+        this.cacheDate = undefined;
+        // Logging environment variables for error details
+        const assignedEnv = processEnvVars(SupportedWorkloadEnvironmentVariables).assigned.join(", ");
+        logger$g.info(`Found the following environment variables: ${assignedEnv}`);
+        const workloadIdentityCredentialOptions = options !== null && options !== void 0 ? options : {};
+        const tenantId = workloadIdentityCredentialOptions.tenantId || process.env.AZURE_TENANT_ID;
+        const clientId = workloadIdentityCredentialOptions.clientId || process.env.AZURE_CLIENT_ID;
+        this.federatedTokenFilePath =
+            workloadIdentityCredentialOptions.tokenFilePath || process.env.AZURE_FEDERATED_TOKEN_FILE;
+        if (tenantId) {
+            checkTenantId(logger$g, tenantId);
+        }
+        if (clientId && tenantId && this.federatedTokenFilePath) {
+            logger$g.info(`Invoking ClientAssertionCredential with tenant ID: ${tenantId}, clientId: ${workloadIdentityCredentialOptions.clientId} and federated token path: [REDACTED]`);
+            this.client = new ClientAssertionCredential(tenantId, clientId, this.readFileContents.bind(this), options);
+        }
+    }
+    /**
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this
+     *                TokenCredential implementation might make.
+     */
+    async getToken(scopes, options) {
+        if (!this.client) {
+            const errorMessage = `${credentialName$3}: is unavailable. tenantId, clientId, and federatedTokenFilePath are required parameters. 
+      In DefaultAzureCredential and ManagedIdentityCredential, these can be provided as environment variables - 
+      "AZURE_TENANT_ID",
+      "AZURE_CLIENT_ID",
+      "AZURE_FEDERATED_TOKEN_FILE". See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/workloadidentitycredential/troubleshoot  `;
+            logger$g.info(errorMessage);
+            throw new CredentialUnavailableError(errorMessage);
+        }
+        logger$g.info("Invoking getToken() of Client Assertion Credential");
+        return this.client.getToken(scopes, options);
+    }
+    async readFileContents() {
         // Cached assertions expire after 5 minutes
-        if (cacheDate !== undefined && Date.now() - cacheDate >= 1000 * 60 * 5) {
-            azureFederatedTokenFileContent = undefined;
+        if (this.cacheDate !== undefined && Date.now() - this.cacheDate >= 1000 * 60 * 5) {
+            this.azureFederatedTokenFileContent = undefined;
+        }
+        if (!this.federatedTokenFilePath) {
+            throw new CredentialUnavailableError(`${credentialName$3}: is unavailable. Invalid file path provided ${this.federatedTokenFilePath}.`);
         }
-        if (!azureFederatedTokenFileContent) {
-            const file = await readFileAsync$1(azureFederatedTokenFilePath, "utf8");
+        if (!this.azureFederatedTokenFileContent) {
+            const file = await promises.readFile(this.federatedTokenFilePath, "utf8");
             const value = file.trim();
             if (!value) {
-                throw new Error(`No content on the file ${azureFederatedTokenFilePath}, indicated by the environment variable AZURE_FEDERATED_TOKEN_FILE`);
+                throw new CredentialUnavailableError(`${credentialName$3}: is unavailable. No content on the file ${this.federatedTokenFilePath}.`);
             }
             else {
-                azureFederatedTokenFileContent = value;
-                cacheDate = Date.now();
+                this.azureFederatedTokenFileContent = value;
+                this.cacheDate = Date.now();
             }
         }
-        return azureFederatedTokenFileContent;
+        return this.azureFederatedTokenFileContent;
     }
+}
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+const msiName$2 = "ManagedIdentityCredential - Token Exchange";
+const logger$f = credentialLogger(msiName$2);
+/**
+ * Defines how to determine whether the token exchange MSI is available, and also how to retrieve a token from the token exchange MSI.
+ */
+function tokenExchangeMsi() {
     return {
+        name: "tokenExchangeMsi",
         async isAvailable({ clientId }) {
             const env = process.env;
-            const result = Boolean((clientId || env.AZURE_CLIENT_ID) && env.AZURE_TENANT_ID && azureFederatedTokenFilePath);
+            const result = Boolean((clientId || env.AZURE_CLIENT_ID) &&
+                env.AZURE_TENANT_ID &&
+                process.env.AZURE_FEDERATED_TOKEN_FILE);
             if (!result) {
-                logger$g.info(`${msiName$2}: Unavailable. The environment variables needed are: AZURE_CLIENT_ID (or the client ID sent through the parameters), AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE`);
+                logger$f.info(`${msiName$2}: Unavailable. The environment variables needed are: AZURE_CLIENT_ID (or the client ID sent through the parameters), AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE`);
             }
             return result;
         },
         async getToken(configuration, getTokenOptions = {}) {
-            const { identityClient, scopes, clientId } = configuration;
-            logger$g.info(`${msiName$2}: Using the client assertion coming from environment variables.`);
-            let assertion;
-            try {
-                assertion = await readAssertion();
-            }
-            catch (err) {
-                throw new Error(`${msiName$2}: Failed to read ${azureFederatedTokenFilePath}, indicated by the environment variable AZURE_FEDERATED_TOKEN_FILE`);
-            }
-            const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$2(scopes, assertion, clientId || process.env.AZURE_CLIENT_ID)), { 
-                // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
-                allowInsecureConnection: true }));
-            const tokenResponse = await identityClient.sendTokenRequest(request);
-            return (tokenResponse && tokenResponse.accessToken) || null;
+            const { scopes, clientId } = configuration;
+            const identityClientTokenCredentialOptions = {};
+            const workloadIdentityCredential = new WorkloadIdentityCredential(Object.assign(Object.assign({ clientId, tenantId: process.env.AZURE_TENANT_ID, tokenFilePath: process.env.AZURE_FEDERATED_TOKEN_FILE }, identityClientTokenCredentialOptions), { disableInstanceDiscovery: true }));
+            const token = await workloadIdentityCredential.getToken(scopes, getTokenOptions);
+            return token;
         },
     };
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 // This MSI can be easily tested by deploying a container to Azure Service Fabric with the Dockerfile:
 //
 //   FROM node:12
@@ -1942,7 +2198,7 @@ function tokenExchangeMsi() {
 //   curl --insecure $IDENTITY_ENDPOINT'?api-version=2019-07-01-preview&resource=https://vault.azure.net/' -H "Secret: $IDENTITY_HEADER"
 //
 const msiName$1 = "ManagedIdentityCredential - Fabric MSI";
-const logger$f = credentialLogger(msiName$1);
+const logger$e = credentialLogger(msiName$1);
 /**
  * Generates the options used on the request for an access token.
  */
@@ -1982,25 +2238,26 @@ function prepareRequestOptions$1(scopes, clientId, resourceId) {
  * Defines how to determine whether the Azure Service Fabric MSI is available, and also how to retrieve a token from the Azure Service Fabric MSI.
  */
 const fabricMsi = {
+    name: "fabricMsi",
     async isAvailable({ scopes }) {
         const resource = mapScopesToResource(scopes);
         if (!resource) {
-            logger$f.info(`${msiName$1}: Unavailable. Multiple scopes are not supported.`);
+            logger$e.info(`${msiName$1}: Unavailable. Multiple scopes are not supported.`);
             return false;
         }
         const env = process.env;
         const result = Boolean(env.IDENTITY_ENDPOINT && env.IDENTITY_HEADER && env.IDENTITY_SERVER_THUMBPRINT);
         if (!result) {
-            logger$f.info(`${msiName$1}: Unavailable. The environment variables needed are: IDENTITY_ENDPOINT, IDENTITY_HEADER and IDENTITY_SERVER_THUMBPRINT`);
+            logger$e.info(`${msiName$1}: Unavailable. The environment variables needed are: IDENTITY_ENDPOINT, IDENTITY_HEADER and IDENTITY_SERVER_THUMBPRINT`);
         }
         return result;
     },
     async getToken(configuration, getTokenOptions = {}) {
         const { scopes, identityClient, clientId, resourceId } = configuration;
         if (resourceId) {
-            logger$f.warning(`${msiName$1}: user defined managed Identity by resource Id is not supported. Argument resourceId might be ignored by the service.`);
+            logger$e.warning(`${msiName$1}: user defined managed Identity by resource Id is not supported. Argument resourceId might be ignored by the service.`);
         }
-        logger$f.info([
+        logger$e.info([
             `${msiName$1}:`,
             "Using the endpoint and the secret coming from the environment variables:",
             `IDENTITY_ENDPOINT=${process.env.IDENTITY_ENDPOINT},`,
@@ -2008,7 +2265,7 @@ const fabricMsi = {
             "IDENTITY_SERVER_THUMBPRINT=[REDACTED].",
         ].join(" "));
         const request = coreRestPipeline.createPipelineRequest(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$1(scopes, clientId, resourceId)));
-        request.agent = new https__default["default"].Agent({
+        request.agent = new https.Agent({
             // This is necessary because Service Fabric provides a self-signed certificate.
             // The alternative path is to verify the certificate using the IDENTITY_SERVER_THUMBPRINT env variable.
             rejectUnauthorized: false,
@@ -2019,8 +2276,9 @@ const fabricMsi = {
 };
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 const msiName = "ManagedIdentityCredential - AppServiceMSI 2019";
-const logger$e = credentialLogger(msiName);
+const logger$d = credentialLogger(msiName);
 /**
  * Generates the options used on the request for an access token.
  */
@@ -2060,22 +2318,23 @@ function prepareRequestOptions(scopes, clientId, resourceId) {
  * Defines how to determine whether the Azure App Service MSI is available, and also how to retrieve a token from the Azure App Service MSI.
  */
 const appServiceMsi2019 = {
+    name: "appServiceMsi2019",
     async isAvailable({ scopes }) {
         const resource = mapScopesToResource(scopes);
         if (!resource) {
-            logger$e.info(`${msiName}: Unavailable. Multiple scopes are not supported.`);
+            logger$d.info(`${msiName}: Unavailable. Multiple scopes are not supported.`);
             return false;
         }
         const env = process.env;
         const result = Boolean(env.IDENTITY_ENDPOINT && env.IDENTITY_HEADER);
         if (!result) {
-            logger$e.info(`${msiName}: Unavailable. The environment variables needed are: IDENTITY_ENDPOINT and IDENTITY_HEADER.`);
+            logger$d.info(`${msiName}: Unavailable. The environment variables needed are: IDENTITY_ENDPOINT and IDENTITY_HEADER.`);
         }
         return result;
     },
     async getToken(configuration, getTokenOptions = {}) {
         const { identityClient, scopes, clientId, resourceId } = configuration;
-        logger$e.info(`${msiName}: Using the endpoint and the secret coming form the environment variables: IDENTITY_ENDPOINT=${process.env.IDENTITY_ENDPOINT} and IDENTITY_HEADER=[REDACTED].`);
+        logger$d.info(`${msiName}: Using the endpoint and the secret coming form the environment variables: IDENTITY_ENDPOINT=${process.env.IDENTITY_ENDPOINT} and IDENTITY_HEADER=[REDACTED].`);
         const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions(scopes, clientId, resourceId)), { 
             // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
             allowInsecureConnection: true }));
@@ -2085,14 +2344,15 @@ const appServiceMsi2019 = {
 };
 
 // Copyright (c) Microsoft Corporation.
-const logger$d = credentialLogger("ManagedIdentityCredential");
+// Licensed under the MIT license.
+const logger$c = credentialLogger("ManagedIdentityCredential");
 /**
  * Attempts authentication using a managed identity available at the deployment environment.
  * This authentication type works in Azure VMs, App Service instances, Azure Functions applications,
  * Azure Kubernetes Services, Azure Service Fabric instances and inside of the Azure Cloud Shell.
  *
  * More information about configuring managed identities can be found here:
- * https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
+ * https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
  */
 class ManagedIdentityCredential {
     /**
@@ -2102,6 +2362,7 @@ class ManagedIdentityCredential {
     constructor(clientIdOrOptions, options) {
         var _a;
         this.isEndpointUnavailable = null;
+        this.isAppTokenProviderInitialized = false;
         let _options;
         if (typeof clientIdOrOptions === "string") {
             this.clientId = clientIdOrOptions;
@@ -2123,12 +2384,19 @@ class ManagedIdentityCredential {
         /**  authority host validation and metadata discovery to be skipped in managed identity
          * since this wasn't done previously before adding token cache support
          */
-        this.confidentialApp = new msalNode.ConfidentialClientApplication({
+        this.confidentialApp = new msalCommon.ConfidentialClientApplication({
             auth: {
+                authority: "https://login.microsoftonline.com/managed_identity",
                 clientId: (_a = this.clientId) !== null && _a !== void 0 ? _a : DeveloperSignOnClientId,
                 clientSecret: "dummy-secret",
                 cloudDiscoveryMetadata: '{"tenant_discovery_endpoint":"https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration","api-version":"1.1","metadata":[{"preferred_network":"login.microsoftonline.com","preferred_cache":"login.windows.net","aliases":["login.microsoftonline.com","login.windows.net","login.microsoft.com","sts.windows.net"]},{"preferred_network":"login.partner.microsoftonline.cn","preferred_cache":"login.partner.microsoftonline.cn","aliases":["login.partner.microsoftonline.cn","login.chinacloudapi.cn"]},{"preferred_network":"login.microsoftonline.de","preferred_cache":"login.microsoftonline.de","aliases":["login.microsoftonline.de"]},{"preferred_network":"login.microsoftonline.us","preferred_cache":"login.microsoftonline.us","aliases":["login.microsoftonline.us","login.usgovcloudapi.net"]},{"preferred_network":"login-us.microsoftonline.com","preferred_cache":"login-us.microsoftonline.com","aliases":["login-us.microsoftonline.com"]}]}',
                 authorityMetadata: '{"token_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/token","token_endpoint_auth_methods_supported":["client_secret_post","private_key_jwt","client_secret_basic"],"jwks_uri":"https://login.microsoftonline.com/common/discovery/v2.0/keys","response_modes_supported":["query","fragment","form_post"],"subject_types_supported":["pairwise"],"id_token_signing_alg_values_supported":["RS256"],"response_types_supported":["code","id_token","code id_token","id_token token"],"scopes_supported":["openid","profile","email","offline_access"],"issuer":"https://login.microsoftonline.com/{tenantid}/v2.0","request_uri_parameter_supported":false,"userinfo_endpoint":"https://graph.microsoft.com/oidc/userinfo","authorization_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/authorize","device_authorization_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/devicecode","http_logout_supported":true,"frontchannel_logout_supported":true,"end_session_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/logout","claims_supported":["sub","iss","cloud_instance_name","cloud_instance_host_name","cloud_graph_host_name","msgraph_host","aud","exp","iat","auth_time","acr","nonce","preferred_username","name","tid","ver","at_hash","c_hash","email"],"kerberos_endpoint":"https://login.microsoftonline.com/common/kerberos","tenant_region_scope":null,"cloud_instance_name":"microsoftonline.com","cloud_graph_host_name":"graph.windows.net","msgraph_host":"graph.microsoft.com","rbac_url":"https://pas.windows.net"}',
+                clientCapabilities: [],
+            },
+            system: {
+                loggerOptions: {
+                    logLevel: getMSALLogLevel(logger$o.getLogLevel()),
+                },
             },
         });
     }
@@ -2183,7 +2451,7 @@ class ManagedIdentityCredential {
         }
     }
     /**
-     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
      * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      * If an unexpected error occurs, an {@link AuthenticationError} will be thrown with the details of the failure.
      *
@@ -2199,35 +2467,22 @@ class ManagedIdentityCredential {
             // If it's null, it means we don't yet know whether
             // the endpoint is available and need to check for it.
             if (this.isEndpointUnavailable !== true) {
-                const appTokenParameters = {
-                    correlationId: this.identityClient.getCorrelationId(),
-                    tenantId: (options === null || options === void 0 ? void 0 : options.tenantId) || "organizations",
-                    scopes: Array.isArray(scopes) ? scopes : [scopes],
-                    claims: options === null || options === void 0 ? void 0 : options.claims,
-                };
-                this.confidentialApp.SetAppTokenProvider(async (appTokenProviderParameters = appTokenParameters) => {
-                    logger$d.info(`SetAppTokenProvider invoked with parameters- ${JSON.stringify(appTokenProviderParameters)}`);
-                    const resultToken = await this.authenticateManagedIdentity(scopes, Object.assign(Object.assign({}, updatedOptions), appTokenProviderParameters));
-                    if (resultToken) {
-                        logger$d.info(`SetAppTokenProvider has saved the token in cache`);
-                        const expiresInSeconds = (resultToken === null || resultToken === void 0 ? void 0 : resultToken.expiresOnTimestamp)
-                            ? Math.floor((resultToken.expiresOnTimestamp - Date.now()) / 1000)
-                            : 0;
-                        return {
-                            accessToken: resultToken === null || resultToken === void 0 ? void 0 : resultToken.token,
-                            expiresInSeconds,
-                        };
-                    }
-                    else {
-                        logger$d.info(`SetAppTokenProvider token has "no_access_token_returned" as the saved token`);
-                        return {
-                            accessToken: "no_access_token_returned",
-                            expiresInSeconds: 0,
-                        };
-                    }
-                });
-                const authenticationResult = await this.confidentialApp.acquireTokenByClientCredential(Object.assign({}, appTokenParameters));
-                result = this.handleResult(scopes, authenticationResult || undefined);
+                const availableMSI = await this.cachedAvailableMSI(scopes, updatedOptions);
+                if (availableMSI.name === "tokenExchangeMsi") {
+                    result = await this.authenticateManagedIdentity(scopes, updatedOptions);
+                }
+                else {
+                    const appTokenParameters = {
+                        correlationId: this.identityClient.getCorrelationId(),
+                        tenantId: (options === null || options === void 0 ? void 0 : options.tenantId) || "managed_identity",
+                        scopes: Array.isArray(scopes) ? scopes : [scopes],
+                        claims: options === null || options === void 0 ? void 0 : options.claims,
+                    };
+                    // Added a check to see if SetAppTokenProvider was already defined.
+                    this.initializeSetAppTokenProvider();
+                    const authenticationResult = await this.confidentialApp.acquireTokenByClientCredential(Object.assign({}, appTokenParameters));
+                    result = this.handleResult(scopes, authenticationResult || undefined);
+                }
                 if (result === null) {
                     // If authenticateManagedIdentity returns null,
                     // it means no MSI endpoints are available.
@@ -2236,7 +2491,7 @@ class ManagedIdentityCredential {
                     // It also means that the endpoint answered with either 200 or 201 (see the sendTokenRequest method),
                     // yet we had no access token. For this reason, we'll throw once with a specific message:
                     const error = new CredentialUnavailableError("The managed identity endpoint was reached, yet no tokens were received.");
-                    logger$d.getToken.info(formatError(scopes, error));
+                    logger$c.getToken.info(formatError(scopes, error));
                     throw error;
                 }
                 // Since `authenticateManagedIdentity` didn't throw, and the result was not null,
@@ -2248,10 +2503,10 @@ class ManagedIdentityCredential {
                 // We've previously determined that the endpoint was unavailable,
                 // either because it was unreachable or permanently unable to authenticate.
                 const error = new CredentialUnavailableError("The managed identity endpoint is not currently available");
-                logger$d.getToken.info(formatError(scopes, error));
+                logger$c.getToken.info(formatError(scopes, error));
                 throw error;
             }
-            logger$d.getToken.info(formatSuccess(scopes));
+            logger$c.getToken.info(formatSuccess(scopes));
             return result;
         }
         catch (err) {
@@ -2273,14 +2528,14 @@ class ManagedIdentityCredential {
             // we can safely assume the credential is unavailable.
             if (err.code === "ENETUNREACH") {
                 const error = new CredentialUnavailableError(`${ManagedIdentityCredential.name}: Unavailable. Network unreachable. Message: ${err.message}`);
-                logger$d.getToken.info(formatError(scopes, error));
+                logger$c.getToken.info(formatError(scopes, error));
                 throw error;
             }
             // If either the host was unreachable,
             // we can safely assume the credential is unavailable.
             if (err.code === "EHOSTUNREACH") {
                 const error = new CredentialUnavailableError(`${ManagedIdentityCredential.name}: Unavailable. No managed identity endpoint found. Message: ${err.message}`);
-                logger$d.getToken.info(formatError(scopes, error));
+                logger$c.getToken.info(formatError(scopes, error));
                 throw error;
             }
             // If err.statusCode has a value of 400, it comes from sendTokenRequest,
@@ -2288,6 +2543,15 @@ class ManagedIdentityCredential {
             if (err.statusCode === 400) {
                 throw new CredentialUnavailableError(`${ManagedIdentityCredential.name}: The managed identity endpoint is indicating there's no available identity. Message: ${err.message}`);
             }
+            // This is a special case for Docker Desktop which responds with a 403 with a message that contains "A socket operation was attempted to an unreachable network"
+            // rather than just timing out, as expected.
+            if (err.statusCode === 403 || err.code === 403) {
+                if (err.message.includes("A socket operation was attempted to an unreachable network")) {
+                    const error = new CredentialUnavailableError(`${ManagedIdentityCredential.name}: Unavailable. Network unreachable. Message: ${err.message}`);
+                    logger$c.getToken.info(formatError(scopes, error));
+                    throw error;
+                }
+            }
             // If the error has no status code, we can assume there was no available identity.
             // This will throw silently during any ChainedTokenCredential.
             if (err.statusCode === undefined) {
@@ -2311,7 +2575,7 @@ class ManagedIdentityCredential {
      */
     handleResult(scopes, result, getTokenOptions) {
         this.ensureValidMsalToken(scopes, result, getTokenOptions);
-        logger$d.getToken.info(formatSuccess(scopes));
+        logger$c.getToken.info(formatSuccess(scopes));
         return {
             token: result.accessToken,
             expiresOnTimestamp: result.expiresOn.getTime(),
@@ -2323,7 +2587,7 @@ class ManagedIdentityCredential {
      */
     ensureValidMsalToken(scopes, msalToken, getTokenOptions) {
         const error = (message) => {
-            logger$d.getToken.info(message);
+            logger$c.getToken.info(message);
             return new AuthenticationRequiredError({
                 scopes: Array.isArray(scopes) ? scopes : [scopes],
                 getTokenOptions,
@@ -2340,9 +2604,38 @@ class ManagedIdentityCredential {
             throw error(`Response had no "accessToken" property.`);
         }
     }
+    initializeSetAppTokenProvider() {
+        if (!this.isAppTokenProviderInitialized) {
+            this.confidentialApp.SetAppTokenProvider(async (appTokenProviderParameters) => {
+                logger$c.info(`SetAppTokenProvider invoked with parameters- ${JSON.stringify(appTokenProviderParameters)}`);
+                const getTokenOptions = Object.assign({}, appTokenProviderParameters);
+                logger$c.info(`authenticateManagedIdentity invoked with scopes- ${JSON.stringify(appTokenProviderParameters.scopes)} and getTokenOptions - ${JSON.stringify(getTokenOptions)}`);
+                const resultToken = await this.authenticateManagedIdentity(appTokenProviderParameters.scopes, getTokenOptions);
+                if (resultToken) {
+                    logger$c.info(`SetAppTokenProvider will save the token in cache`);
+                    const expiresInSeconds = (resultToken === null || resultToken === void 0 ? void 0 : resultToken.expiresOnTimestamp)
+                        ? Math.floor((resultToken.expiresOnTimestamp - Date.now()) / 1000)
+                        : 0;
+                    return {
+                        accessToken: resultToken === null || resultToken === void 0 ? void 0 : resultToken.token,
+                        expiresInSeconds,
+                    };
+                }
+                else {
+                    logger$c.info(`SetAppTokenProvider token has "no_access_token_returned" as the saved token`);
+                    return {
+                        accessToken: "no_access_token_returned",
+                        expiresInSeconds: 0,
+                    };
+                }
+            });
+            this.isAppTokenProviderInitialized = true;
+        }
+    }
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 /**
  * Ensures the scopes value is an array.
  * @internal
@@ -2354,8 +2647,8 @@ function ensureScopes(scopes) {
  * Throws if the received scope is not valid.
  * @internal
  */
-function ensureValidScope(scope, logger) {
-    if (!scope.match(/^[0-9a-zA-Z-.:/]+$/)) {
+function ensureValidScopeForDevTimeCreds(scope, logger) {
+    if (!scope.match(/^[0-9a-zA-Z-_.:/]+$/)) {
         const error = new Error("Invalid scope was specified by the user or calling client");
         logger.getToken.info(formatError(scope, error));
         throw error;
@@ -2370,6 +2663,7 @@ function getScopeResource(scope) {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 /**
  * Mockable reference to the CLI credential cliCredentialFunctions
  * @internal
@@ -2394,14 +2688,14 @@ const cliCredentialInternals = {
      * @param resource - The resource to use when getting the token
      * @internal
      */
-    async getAzureCliAccessToken(resource, tenantId) {
+    async getAzureCliAccessToken(resource, tenantId, timeout) {
         let tenantSection = [];
         if (tenantId) {
             tenantSection = ["--tenant", tenantId];
         }
         return new Promise((resolve, reject) => {
             try {
-                child_process__default["default"].execFile("az", [
+                child_process.execFile("az", [
                     "account",
                     "get-access-token",
                     "--output",
@@ -2409,7 +2703,7 @@ const cliCredentialInternals = {
                     "--resource",
                     resource,
                     ...tenantSection,
-                ], { cwd: cliCredentialInternals.getSafeWorkingDir(), shell: true }, (error, stdout, stderr) => {
+                ], { cwd: cliCredentialInternals.getSafeWorkingDir(), shell: true, timeout }, (error, stdout, stderr) => {
                     resolve({ stdout: stdout, stderr: stderr, error });
                 });
             }
@@ -2419,7 +2713,7 @@ const cliCredentialInternals = {
         });
     },
 };
-const logger$c = credentialLogger("AzureCliCredential");
+const logger$b = credentialLogger("AzureCliCredential");
 /**
  * This credential will use the currently logged-in user login information
  * via the Azure CLI ('az') commandline tool.
@@ -2436,11 +2730,15 @@ class AzureCliCredential {
      * @param options - Options, to optionally allow multi-tenant requests.
      */
     constructor(options) {
-        this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
-        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        if (options === null || options === void 0 ? void 0 : options.tenantId) {
+            checkTenantId(logger$b, options === null || options === void 0 ? void 0 : options.tenantId);
+            this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
+        }
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        this.timeout = options === null || options === void 0 ? void 0 : options.processTimeoutInMs;
     }
     /**
-     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
      * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * @param scopes - The list of scopes for which the token will have access.
@@ -2449,31 +2747,34 @@ class AzureCliCredential {
      */
     async getToken(scopes, options = {}) {
         const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds);
+        if (tenantId) {
+            checkTenantId(logger$b, tenantId);
+        }
         const scope = typeof scopes === "string" ? scopes : scopes[0];
-        logger$c.getToken.info(`Using the scope ${scope}`);
-        ensureValidScope(scope, logger$c);
-        const resource = getScopeResource(scope);
+        logger$b.getToken.info(`Using the scope ${scope}`);
         return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {
             var _a, _b, _c, _d;
             try {
-                const obj = await cliCredentialInternals.getAzureCliAccessToken(resource, tenantId);
+                ensureValidScopeForDevTimeCreds(scope, logger$b);
+                const resource = getScopeResource(scope);
+                const obj = await cliCredentialInternals.getAzureCliAccessToken(resource, tenantId, this.timeout);
                 const specificScope = (_a = obj.stderr) === null || _a === void 0 ? void 0 : _a.match("(.*)az login --scope(.*)");
                 const isLoginError = ((_b = obj.stderr) === null || _b === void 0 ? void 0 : _b.match("(.*)az login(.*)")) && !specificScope;
                 const isNotInstallError = ((_c = obj.stderr) === null || _c === void 0 ? void 0 : _c.match("az:(.*)not found")) || ((_d = obj.stderr) === null || _d === void 0 ? void 0 : _d.startsWith("'az' is not recognized"));
                 if (isNotInstallError) {
                     const error = new CredentialUnavailableError("Azure CLI could not be found. Please visit https://aka.ms/azure-cli for installation instructions and then, once installed, authenticate to your Azure account using 'az login'.");
-                    logger$c.getToken.info(formatError(scopes, error));
+                    logger$b.getToken.info(formatError(scopes, error));
                     throw error;
                 }
                 if (isLoginError) {
                     const error = new CredentialUnavailableError("Please run 'az login' from a command prompt to authenticate before using this credential.");
-                    logger$c.getToken.info(formatError(scopes, error));
+                    logger$b.getToken.info(formatError(scopes, error));
                     throw error;
                 }
                 try {
                     const responseData = obj.stdout;
                     const response = JSON.parse(responseData);
-                    logger$c.getToken.info(formatSuccess(scopes));
+                    logger$b.getToken.info(formatSuccess(scopes));
                     const returnValue = {
                         token: response.accessToken,
                         expiresOnTimestamp: new Date(response.expiresOn).getTime(),
@@ -2491,7 +2792,7 @@ class AzureCliCredential {
                 const error = err.name === "CredentialUnavailableError"
                     ? err
                     : new CredentialUnavailableError(err.message || "Unknown error while trying to retrieve the access token");
-                logger$c.getToken.info(formatError(scopes, error));
+                logger$b.getToken.info(formatError(scopes, error));
                 throw error;
             }
         });
@@ -2499,6 +2800,7 @@ class AzureCliCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 /**
  * Easy to mock childProcess utils.
  * @internal
@@ -2529,7 +2831,8 @@ const processUtils = {
 };
 
 // Copyright (c) Microsoft Corporation.
-const logger$b = credentialLogger("AzurePowerShellCredential");
+// Licensed under the MIT license.
+const logger$a = credentialLogger("AzurePowerShellCredential");
 const isWindows = process.platform === "win32";
 /**
  * Returns a platform-appropriate command name by appending ".exe" on Windows.
@@ -2549,11 +2852,14 @@ function formatCommand(commandName) {
  * If anything fails, an error is thrown.
  * @internal
  */
-async function runCommands(commands) {
+async function runCommands(commands, timeout) {
     const results = [];
     for (const command of commands) {
         const [file, ...parameters] = command;
-        const result = (await processUtils.execFile(file, parameters, { encoding: "utf8" }));
+        const result = (await processUtils.execFile(file, parameters, {
+            encoding: "utf8",
+            timeout,
+        }));
         results.push(result);
     }
     return results;
@@ -2606,18 +2912,22 @@ class AzurePowerShellCredential {
      * @param options - Options, to optionally allow multi-tenant requests.
      */
     constructor(options) {
-        this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
-        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        if (options === null || options === void 0 ? void 0 : options.tenantId) {
+            checkTenantId(logger$a, options === null || options === void 0 ? void 0 : options.tenantId);
+            this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
+        }
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        this.timeout = options === null || options === void 0 ? void 0 : options.processTimeoutInMs;
     }
     /**
      * Gets the access token from Azure PowerShell
      * @param resource - The resource to use when getting the token
      */
-    async getAzurePowerShellAccessToken(resource, tenantId) {
+    async getAzurePowerShellAccessToken(resource, tenantId, timeout) {
         // Clone the stack to avoid mutating it while iterating
         for (const powerShellCommand of [...commandStack]) {
             try {
-                await runCommands([[powerShellCommand, "/?"]]);
+                await runCommands([[powerShellCommand, "/?"]], timeout);
             }
             catch (e) {
                 // Remove this credential from the original stack so that we don't try it again.
@@ -2631,11 +2941,15 @@ class AzurePowerShellCredential {
             const results = await runCommands([
                 [
                     powerShellCommand,
+                    "-NoProfile",
+                    "-NonInteractive",
                     "-Command",
                     "Import-Module Az.Accounts -MinimumVersion 2.2.0 -PassThru",
                 ],
                 [
                     powerShellCommand,
+                    "-NoProfile",
+                    "-NonInteractive",
                     "-Command",
                     `Get-AzAccessToken ${tenantSection} -ResourceUrl "${resource}" | ConvertTo-Json`,
                 ],
@@ -2651,7 +2965,7 @@ class AzurePowerShellCredential {
         throw new Error(`Unable to execute PowerShell. Ensure that it is installed in your system`);
     }
     /**
-     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
      * If the authentication cannot be performed through PowerShell, a {@link CredentialUnavailableError} will be thrown.
      *
      * @param scopes - The list of scopes for which the token will have access.
@@ -2661,12 +2975,15 @@ class AzurePowerShellCredential {
         return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {
             const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds);
             const scope = typeof scopes === "string" ? scopes : scopes[0];
-            ensureValidScope(scope, logger$b);
-            logger$b.getToken.info(`Using the scope ${scope}`);
-            const resource = getScopeResource(scope);
+            if (tenantId) {
+                checkTenantId(logger$a, tenantId);
+            }
             try {
-                const response = await this.getAzurePowerShellAccessToken(resource, tenantId);
-                logger$b.getToken.info(formatSuccess(scopes));
+                ensureValidScopeForDevTimeCreds(scope, logger$a);
+                logger$a.getToken.info(`Using the scope ${scope}`);
+                const resource = getScopeResource(scope);
+                const response = await this.getAzurePowerShellAccessToken(resource, tenantId, this.timeout);
+                logger$a.getToken.info(formatSuccess(scopes));
                 return {
                     token: response.Token,
                     expiresOnTimestamp: new Date(response.ExpiresOn).getTime(),
@@ -2675,16 +2992,16 @@ class AzurePowerShellCredential {
             catch (err) {
                 if (isNotInstalledError(err)) {
                     const error = new CredentialUnavailableError(powerShellPublicErrorMessages.installed);
-                    logger$b.getToken.info(formatError(scope, error));
+                    logger$a.getToken.info(formatError(scope, error));
                     throw error;
                 }
                 else if (isLoginError(err)) {
                     const error = new CredentialUnavailableError(powerShellPublicErrorMessages.login);
-                    logger$b.getToken.info(formatError(scope, error));
+                    logger$a.getToken.info(formatError(scope, error));
                     throw error;
                 }
                 const error = new CredentialUnavailableError(`${err}. ${powerShellPublicErrorMessages.troubleshoot}`);
-                logger$b.getToken.info(formatError(scope, error));
+                logger$a.getToken.info(formatError(scope, error));
                 throw error;
             }
         });
@@ -2692,10 +3009,11 @@ class AzurePowerShellCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 /**
  * @internal
  */
-const logger$a = credentialLogger("ChainedTokenCredential");
+const logger$9 = credentialLogger("ChainedTokenCredential");
 /**
  * Enables multiple `TokenCredential` implementations to be tried in order
  * until one of the getToken methods returns an access token.
@@ -2731,14 +3049,18 @@ class ChainedTokenCredential {
      *                `TokenCredential` implementation might make.
      */
     async getToken(scopes, options = {}) {
+        const { token } = await this.getTokenInternal(scopes, options);
+        return token;
+    }
+    async getTokenInternal(scopes, options = {}) {
         let token = null;
-        let successfulCredentialName = "";
+        let successfulCredential;
         const errors = [];
         return tracingClient.withSpan("ChainedTokenCredential.getToken", options, async (updatedOptions) => {
             for (let i = 0; i < this._sources.length && token === null; i++) {
                 try {
                     token = await this._sources[i].getToken(scopes, updatedOptions);
-                    successfulCredentialName = this._sources[i].constructor.name;
+                    successfulCredential = this._sources[i];
                 }
                 catch (err) {
                     if (err.name === "CredentialUnavailableError" ||
@@ -2746,26 +3068,27 @@ class ChainedTokenCredential {
                         errors.push(err);
                     }
                     else {
-                        logger$a.getToken.info(formatError(scopes, err));
+                        logger$9.getToken.info(formatError(scopes, err));
                         throw err;
                     }
                 }
             }
             if (!token && errors.length > 0) {
                 const err = new AggregateAuthenticationError(errors, "ChainedTokenCredential authentication failed.");
-                logger$a.getToken.info(formatError(scopes, err));
+                logger$9.getToken.info(formatError(scopes, err));
                 throw err;
             }
-            logger$a.getToken.info(`Result for ${successfulCredentialName}: ${formatSuccess(scopes)}`);
+            logger$9.getToken.info(`Result for ${successfulCredential.constructor.name}: ${formatSuccess(scopes)}`);
             if (token === null) {
                 throw new CredentialUnavailableError("Failed to retrieve a valid token");
             }
-            return token;
+            return { token, successfulCredential };
         });
     }
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 const readFileAsync = util.promisify(fs.readFile);
 /**
  * Tries to asynchronously load a certificate from the given path.
@@ -2858,7 +3181,7 @@ class MsalClientCertificate extends MsalNode {
                 authority: options.authority,
                 claims: options.claims,
             };
-            const result = await this.confidentialApp.acquireTokenByClientCredential(clientCredReq);
+            const result = await this.getApp("confidential", options.enableCae).acquireTokenByClientCredential(clientCredReq);
             // Even though we're providing the same default in memory persistence cache that we use for DeviceCodeCredential,
             // The Client Credential flow does not return the account information from the authentication service,
             // so each time getToken gets called, we will have to acquire a new token through the service.
@@ -2871,14 +3194,15 @@ class MsalClientCertificate extends MsalNode {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 const credentialName$2 = "ClientCertificateCredential";
-const logger$9 = credentialLogger(credentialName$2);
+const logger$8 = credentialLogger(credentialName$2);
 /**
- * Enables authentication to Azure Active Directory using a PEM-encoded
+ * Enables authentication to Microsoft Entra ID using a PEM-encoded
  * certificate that is assigned to an App Registration. More information
  * on how to configure certificate authentication can be found here:
  *
- * https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-certificate-credentials#register-your-certificate-with-azure-ad
+ * https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-certificate-credentials#register-your-certificate-with-azure-ad
  *
  */
 class ClientCertificateCredential {
@@ -2887,7 +3211,7 @@ class ClientCertificateCredential {
             throw new Error(`${credentialName$2}: tenantId and clientId are required parameters.`);
         }
         this.tenantId = tenantId;
-        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
         const configuration = Object.assign({}, (typeof certificatePathOrConfiguration === "string"
             ? {
                 certificatePath: certificatePathOrConfiguration,
@@ -2903,12 +3227,12 @@ class ClientCertificateCredential {
             throw new Error(`${credentialName$2}: To avoid unexpected behaviors, providing both the contents of a PEM certificate and the path to a PEM certificate is forbidden. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
         }
         this.msalFlow = new MsalClientCertificate(Object.assign(Object.assign({}, options), { configuration,
-            logger: logger$9,
+            logger: logger$8,
             clientId,
             tenantId, sendCertificateChain: options.sendCertificateChain, tokenCredentialOptions: options }));
     }
     /**
-     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
      * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * @param scopes - The list of scopes for which the token will have access.
@@ -2917,7 +3241,7 @@ class ClientCertificateCredential {
      */
     async getToken(scopes, options = {}) {
         return tracingClient.withSpan(`${credentialName$2}.getToken`, options, async (newOptions) => {
-            newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds);
+            newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$8);
             const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
             return this.msalFlow.getToken(arrayScopes, newOptions);
         });
@@ -2925,6 +3249,7 @@ class ClientCertificateCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 /**
  * MSAL client secret client. Calls to MSAL's confidential application's `acquireTokenByClientCredential` during `doGetToken`.
  * @internal
@@ -2937,7 +3262,7 @@ class MsalClientSecret extends MsalNode {
     }
     async doGetToken(scopes, options = {}) {
         try {
-            const result = await this.confidentialApp.acquireTokenByClientCredential({
+            const result = await this.getApp("confidential", options.enableCae).acquireTokenByClientCredential({
                 scopes,
                 correlationId: options.correlationId,
                 azureRegion: this.azureRegion,
@@ -2955,22 +3280,23 @@ class MsalClientSecret extends MsalNode {
 }
 
 // Copyright (c) Microsoft Corporation.
-const logger$8 = credentialLogger("ClientSecretCredential");
+// Licensed under the MIT license.
+const logger$7 = credentialLogger("ClientSecretCredential");
 /**
- * Enables authentication to Azure Active Directory using a client secret
+ * Enables authentication to Microsoft Entra ID using a client secret
  * that was generated for an App Registration. More information on how
  * to configure a client secret can be found here:
  *
- * https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis#add-credentials-to-your-web-application
+ * https://learn.microsoft.com/azure/active-directory/develop/quickstart-configure-app-access-web-apis#add-credentials-to-your-web-application
  *
  */
 class ClientSecretCredential {
     /**
      * Creates an instance of the ClientSecretCredential with the details
-     * needed to authenticate against Azure Active Directory with a client
+     * needed to authenticate against Microsoft Entra ID with a client
      * secret.
      *
-     * @param tenantId - The Azure Active Directory tenant (directory) ID.
+     * @param tenantId - The Microsoft Entra tenant (directory) ID.
      * @param clientId - The client (application) ID of an App Registration in the tenant.
      * @param clientSecret - A client secret that was generated for the App Registration.
      * @param options - Options for configuring the client which makes the authentication request.
@@ -2980,14 +3306,14 @@ class ClientSecretCredential {
             throw new Error("ClientSecretCredential: tenantId, clientId, and clientSecret are required parameters. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.");
         }
         this.tenantId = tenantId;
-        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
-        this.msalFlow = new MsalClientSecret(Object.assign(Object.assign({}, options), { logger: logger$8,
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        this.msalFlow = new MsalClientSecret(Object.assign(Object.assign({}, options), { logger: logger$7,
             clientId,
             tenantId,
             clientSecret, tokenCredentialOptions: options }));
     }
     /**
-     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
      * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * @param scopes - The list of scopes for which the token will have access.
@@ -2996,7 +3322,7 @@ class ClientSecretCredential {
      */
     async getToken(scopes, options = {}) {
         return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
-            newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds);
+            newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$7);
             const arrayScopes = ensureScopes(scopes);
             return this.msalFlow.getToken(arrayScopes, newOptions);
         });
@@ -3004,6 +3330,7 @@ class ClientSecretCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 /**
  * MSAL username and password client. Calls to the MSAL's public application's `acquireTokenByUsernamePassword` during `doGetToken`.
  * @internal
@@ -3024,7 +3351,7 @@ class MsalUsernamePassword extends MsalNode {
                 authority: options === null || options === void 0 ? void 0 : options.authority,
                 claims: options === null || options === void 0 ? void 0 : options.claims,
             };
-            const result = await this.publicApp.acquireTokenByUsernamePassword(requestOptions);
+            const result = await this.getApp("public", options === null || options === void 0 ? void 0 : options.enableCae).acquireTokenByUsernamePassword(requestOptions);
             return this.handleResult(scopes, this.clientId, result || undefined);
         }
         catch (error) {
@@ -3034,9 +3361,10 @@ class MsalUsernamePassword extends MsalNode {
 }
 
 // Copyright (c) Microsoft Corporation.
-const logger$7 = credentialLogger("UsernamePasswordCredential");
+// Licensed under the MIT license.
+const logger$6 = credentialLogger("UsernamePasswordCredential");
 /**
- * Enables authentication to Azure Active Directory with a user's
+ * Enables authentication to Microsoft Entra ID with a user's
  * username and password. This credential requires a high degree of
  * trust so you should only use it when other, more secure credential
  * types can't be used.
@@ -3044,10 +3372,10 @@ const logger$7 = credentialLogger("UsernamePasswordCredential");
 class UsernamePasswordCredential {
     /**
      * Creates an instance of the UsernamePasswordCredential with the details
-     * needed to authenticate against Azure Active Directory with a username
+     * needed to authenticate against Microsoft Entra ID with a username
      * and password.
      *
-     * @param tenantId - The Azure Active Directory tenant (directory).
+     * @param tenantId - The Microsoft Entra tenant (directory).
      * @param clientId - The client (application) ID of an App Registration in the tenant.
      * @param username - The user account's e-mail address (user name).
      * @param password - The user account's account password
@@ -3058,15 +3386,15 @@ class UsernamePasswordCredential {
             throw new Error("UsernamePasswordCredential: tenantId, clientId, username and password are required parameters. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.");
         }
         this.tenantId = tenantId;
-        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
-        this.msalFlow = new MsalUsernamePassword(Object.assign(Object.assign({}, options), { logger: logger$7,
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        this.msalFlow = new MsalUsernamePassword(Object.assign(Object.assign({}, options), { logger: logger$6,
             clientId,
             tenantId,
             username,
             password, tokenCredentialOptions: options || {} }));
     }
     /**
-     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
      * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * If the user provided the option `disableAutomaticAuthentication`,
@@ -3079,7 +3407,7 @@ class UsernamePasswordCredential {
      */
     async getToken(scopes, options = {}) {
         return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
-            newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds);
+            newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$6);
             const arrayScopes = ensureScopes(scopes);
             return this.msalFlow.getToken(arrayScopes, newOptions);
         });
@@ -3087,6 +3415,7 @@ class UsernamePasswordCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 /**
  * Contains the list of all supported environment variable names so that an
  * appropriate error message can be generated when no credentials can be
@@ -3110,9 +3439,9 @@ function getAdditionallyAllowedTenants() {
     return additionallyAllowedValues.split(";");
 }
 const credentialName$1 = "EnvironmentCredential";
-const logger$6 = credentialLogger(credentialName$1);
+const logger$5 = credentialLogger(credentialName$1);
 /**
- * Enables authentication to Azure Active Directory using a client secret or certificate, or as a user
+ * Enables authentication to Microsoft Entra ID using a client secret or certificate, or as a user
  * with a username and password.
  */
 class EnvironmentCredential {
@@ -3120,7 +3449,7 @@ class EnvironmentCredential {
      * Creates an instance of the EnvironmentCredential class and decides what credential to use depending on the available environment variables.
      *
      * Required environment variables:
-     * - `AZURE_TENANT_ID`: The Azure Active Directory tenant (directory) ID.
+     * - `AZURE_TENANT_ID`: The Microsoft Entra tenant (directory) ID.
      * - `AZURE_CLIENT_ID`: The client (application) ID of an App Registration in the tenant.
      *
      * If setting the AZURE_TENANT_ID, then you can also set the additionally allowed tenants
@@ -3144,34 +3473,34 @@ class EnvironmentCredential {
         // Keep track of any missing environment variables for error details
         this._credential = undefined;
         const assigned = processEnvVars(AllSupportedEnvironmentVariables).assigned.join(", ");
-        logger$6.info(`Found the following environment variables: ${assigned}`);
+        logger$5.info(`Found the following environment variables: ${assigned}`);
         const tenantId = process.env.AZURE_TENANT_ID, clientId = process.env.AZURE_CLIENT_ID, clientSecret = process.env.AZURE_CLIENT_SECRET;
         const additionallyAllowedTenantIds = getAdditionallyAllowedTenants();
         const newOptions = Object.assign(Object.assign({}, options), { additionallyAllowedTenantIds });
         if (tenantId) {
-            checkTenantId(logger$6, tenantId);
+            checkTenantId(logger$5, tenantId);
         }
         if (tenantId && clientId && clientSecret) {
-            logger$6.info(`Invoking ClientSecretCredential with tenant ID: ${tenantId}, clientId: ${clientId} and clientSecret: [REDACTED]`);
+            logger$5.info(`Invoking ClientSecretCredential with tenant ID: ${tenantId}, clientId: ${clientId} and clientSecret: [REDACTED]`);
             this._credential = new ClientSecretCredential(tenantId, clientId, clientSecret, newOptions);
             return;
         }
         const certificatePath = process.env.AZURE_CLIENT_CERTIFICATE_PATH;
         const certificatePassword = process.env.AZURE_CLIENT_CERTIFICATE_PASSWORD;
         if (tenantId && clientId && certificatePath) {
-            logger$6.info(`Invoking ClientCertificateCredential with tenant ID: ${tenantId}, clientId: ${clientId} and certificatePath: ${certificatePath}`);
+            logger$5.info(`Invoking ClientCertificateCredential with tenant ID: ${tenantId}, clientId: ${clientId} and certificatePath: ${certificatePath}`);
             this._credential = new ClientCertificateCredential(tenantId, clientId, { certificatePath, certificatePassword }, newOptions);
             return;
         }
         const username = process.env.AZURE_USERNAME;
         const password = process.env.AZURE_PASSWORD;
         if (tenantId && clientId && username && password) {
-            logger$6.info(`Invoking UsernamePasswordCredential with tenant ID: ${tenantId}, clientId: ${clientId} and username: ${username}`);
+            logger$5.info(`Invoking UsernamePasswordCredential with tenant ID: ${tenantId}, clientId: ${clientId} and username: ${username}`);
             this._credential = new UsernamePasswordCredential(tenantId, clientId, username, password, newOptions);
         }
     }
     /**
-     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
      *
      * @param scopes - The list of scopes for which the token will have access.
      * @param options - Optional parameters. See {@link GetTokenOptions}.
@@ -3181,7 +3510,7 @@ class EnvironmentCredential {
             if (this._credential) {
                 try {
                     const result = await this._credential.getToken(scopes, newOptions);
-                    logger$6.getToken.info(formatSuccess(scopes));
+                    logger$5.getToken.info(formatSuccess(scopes));
                     return result;
                 }
                 catch (err) {
@@ -3189,7 +3518,7 @@ class EnvironmentCredential {
                         error: `${credentialName$1} authentication failed. To troubleshoot, visit https://aka.ms/azsdk/js/identity/environmentcredential/troubleshoot.`,
                         error_description: err.message.toString().split("More details:").join(""),
                     });
-                    logger$6.getToken.info(formatError(scopes, authenticationError));
+                    logger$5.getToken.info(formatError(scopes, authenticationError));
                     throw authenticationError;
                 }
             }
@@ -3199,6 +3528,7 @@ class EnvironmentCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 /**
  * Mockable reference to the Developer CLI credential cliCredentialFunctions
  * @internal
@@ -3223,21 +3553,24 @@ const developerCliCredentialInternals = {
      * @param scopes - The scopes to use when getting the token
      * @internal
      */
-    async getAzdAccessToken(scopes, tenantId) {
+    async getAzdAccessToken(scopes, tenantId, timeout) {
         let tenantSection = [];
         if (tenantId) {
             tenantSection = ["--tenant-id", tenantId];
         }
         return new Promise((resolve, reject) => {
             try {
-                child_process__default["default"].execFile("azd", [
+                child_process.execFile("azd", [
                     "auth",
                     "token",
                     "--output",
                     "json",
                     ...scopes.reduce((previous, current) => previous.concat("--scope", current), []),
                     ...tenantSection,
-                ], { cwd: developerCliCredentialInternals.getSafeWorkingDir(), shell: true }, (error, stdout, stderr) => {
+                ], {
+                    cwd: developerCliCredentialInternals.getSafeWorkingDir(),
+                    timeout,
+                }, (error, stdout, stderr) => {
                     resolve({ stdout, stderr, error });
                 });
             }
@@ -3247,28 +3580,51 @@ const developerCliCredentialInternals = {
         });
     },
 };
-const logger$5 = credentialLogger("AzureDeveloperCliCredential");
+const logger$4 = credentialLogger("AzureDeveloperCliCredential");
 /**
- * This credential will use the currently logged-in user login information
- * via the Azure Developer CLI ('az') commandline tool.
- * To do so, it will read the user access token and expire time
- * with Azure Developer CLI command "azd auth token".
+ * Azure Developer CLI is a command-line interface tool that allows developers to create, manage, and deploy
+ * resources in Azure. It's built on top of the Azure CLI and provides additional functionality specific
+ * to Azure developers. It allows users to authenticate as a user and/or a service principal against
+ * <a href="https://learn.microsoft.com/azure/active-directory/fundamentals/">Microsoft Entra ID</a>. The
+ * AzureDeveloperCliCredential authenticates in a development environment and acquires a token on behalf of
+ * the logged-in user or service principal in the Azure Developer CLI. It acts as the Azure Developer CLI logged in user or
+ * service principal and executes an Azure CLI command underneath to authenticate the application against
+ * Microsoft Entra ID.
+ *
+ * <h2> Configure AzureDeveloperCliCredential </h2>
+ *
+ * To use this credential, the developer needs to authenticate locally in Azure Developer CLI using one of the
+ * commands below:
+ *
+ * <ol>
+ *     <li>Run "azd auth login" in Azure Developer CLI to authenticate interactively as a user.</li>
+ *     <li>Run "azd auth login --client-id clientID --client-secret clientSecret
+ *     --tenant-id tenantID" to authenticate as a service principal.</li>
+ * </ol>
+ *
+ * You may need to repeat this process after a certain time period, depending on the refresh token validity in your
+ * organization. Generally, the refresh token validity period is a few weeks to a few months.
+ * AzureDeveloperCliCredential will prompt you to sign in again.
  */
 class AzureDeveloperCliCredential {
     /**
      * Creates an instance of the {@link AzureDeveloperCliCredential}.
      *
      * To use this credential, ensure that you have already logged
-     * in via the 'azd' tool using the command "azd login" from the commandline.
+     * in via the 'azd' tool using the command "azd auth login" from the commandline.
      *
      * @param options - Options, to optionally allow multi-tenant requests.
      */
     constructor(options) {
-        this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
-        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        if (options === null || options === void 0 ? void 0 : options.tenantId) {
+            checkTenantId(logger$4, options === null || options === void 0 ? void 0 : options.tenantId);
+            this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
+        }
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        this.timeout = options === null || options === void 0 ? void 0 : options.processTimeoutInMs;
     }
     /**
-     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
      * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * @param scopes - The list of scopes for which the token will have access.
@@ -3277,6 +3633,9 @@ class AzureDeveloperCliCredential {
      */
     async getToken(scopes, options = {}) {
         const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds);
+        if (tenantId) {
+            checkTenantId(logger$4, tenantId);
+        }
         let scopeList;
         if (typeof scopes === "string") {
             scopeList = [scopes];
@@ -3284,27 +3643,31 @@ class AzureDeveloperCliCredential {
         else {
             scopeList = scopes;
         }
-        logger$5.getToken.info(`Using the scopes ${scopes}`);
+        logger$4.getToken.info(`Using the scopes ${scopes}`);
         return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {
-            var _a, _b, _c;
+            var _a, _b, _c, _d;
             try {
-                const obj = await developerCliCredentialInternals.getAzdAccessToken(scopeList, tenantId);
-                const isNotLoggedInError = (_a = obj.stderr) === null || _a === void 0 ? void 0 : _a.match("not logged in, run `azd login` to login");
-                const isNotInstallError = ((_b = obj.stderr) === null || _b === void 0 ? void 0 : _b.match("azd:(.*)not found")) ||
-                    ((_c = obj.stderr) === null || _c === void 0 ? void 0 : _c.startsWith("'azd' is not recognized"));
+                scopeList.forEach((scope) => {
+                    ensureValidScopeForDevTimeCreds(scope, logger$4);
+                });
+                const obj = await developerCliCredentialInternals.getAzdAccessToken(scopeList, tenantId, this.timeout);
+                const isNotLoggedInError = ((_a = obj.stderr) === null || _a === void 0 ? void 0 : _a.match("not logged in, run `azd login` to login")) ||
+                    ((_b = obj.stderr) === null || _b === void 0 ? void 0 : _b.match("not logged in, run `azd auth login` to login"));
+                const isNotInstallError = ((_c = obj.stderr) === null || _c === void 0 ? void 0 : _c.match("azd:(.*)not found")) ||
+                    ((_d = obj.stderr) === null || _d === void 0 ? void 0 : _d.startsWith("'azd' is not recognized"));
                 if (isNotInstallError || (obj.error && obj.error.code === "ENOENT")) {
-                    const error = new CredentialUnavailableError("Azure Developer CLI could not be found. Please visit https://aka.ms/azure-dev for installation instructions and then, once installed, authenticate to your Azure account using 'azd login'.");
-                    logger$5.getToken.info(formatError(scopes, error));
+                    const error = new CredentialUnavailableError("Azure Developer CLI couldn't be found. To mitigate this issue, see the troubleshooting guidelines at https://aka.ms/azsdk/js/identity/azdevclicredential/troubleshoot.");
+                    logger$4.getToken.info(formatError(scopes, error));
                     throw error;
                 }
                 if (isNotLoggedInError) {
-                    const error = new CredentialUnavailableError("Please run 'azd login' from a command prompt to authenticate before using this credential.");
-                    logger$5.getToken.info(formatError(scopes, error));
+                    const error = new CredentialUnavailableError("Please run 'azd auth login' from a command prompt to authenticate before using this credential. For more information, see the troubleshooting guidelines at https://aka.ms/azsdk/js/identity/azdevclicredential/troubleshoot.");
+                    logger$4.getToken.info(formatError(scopes, error));
                     throw error;
                 }
                 try {
                     const resp = JSON.parse(obj.stdout);
-                    logger$5.getToken.info(formatSuccess(scopes));
+                    logger$4.getToken.info(formatSuccess(scopes));
                     return {
                         token: resp.token,
                         expiresOnTimestamp: new Date(resp.expiresOn).getTime(),
@@ -3321,7 +3684,7 @@ class AzureDeveloperCliCredential {
                 const error = err.name === "CredentialUnavailableError"
                     ? err
                     : new CredentialUnavailableError(err.message || "Unknown error while trying to retrieve the access token");
-                logger$5.getToken.info(formatError(scopes, error));
+                logger$4.getToken.info(formatError(scopes, error));
                 throw error;
             }
         });
@@ -3329,6 +3692,7 @@ class AzureDeveloperCliCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 /**
  * A shim around ManagedIdentityCredential that adapts it to accept
  * `DefaultAzureCredentialOptions`.
@@ -3339,14 +3703,21 @@ class DefaultManagedIdentityCredential extends ManagedIdentityCredential {
     // Constructor overload with just the other default options
     // Last constructor overload with Union of all options not required since the above two constructor overloads have optional properties
     constructor(options) {
-        var _a;
+        var _a, _b, _c;
         const managedIdentityClientId = (_a = options === null || options === void 0 ? void 0 : options.managedIdentityClientId) !== null && _a !== void 0 ? _a : process.env.AZURE_CLIENT_ID;
+        const workloadIdentityClientId = (_b = options === null || options === void 0 ? void 0 : options.workloadIdentityClientId) !== null && _b !== void 0 ? _b : managedIdentityClientId;
         const managedResourceId = options === null || options === void 0 ? void 0 : options.managedIdentityResourceId;
+        const workloadFile = process.env.AZURE_FEDERATED_TOKEN_FILE;
+        const tenantId = (_c = options === null || options === void 0 ? void 0 : options.tenantId) !== null && _c !== void 0 ? _c : process.env.AZURE_TENANT_ID;
         // ManagedIdentityCredential throws if both the resourceId and the clientId are provided.
         if (managedResourceId) {
             const managedIdentityResourceIdOptions = Object.assign(Object.assign({}, options), { resourceId: managedResourceId });
             super(managedIdentityResourceIdOptions);
         }
+        else if (workloadFile && workloadIdentityClientId) {
+            const workloadIdentityCredentialOptions = Object.assign(Object.assign({}, options), { tenantId: tenantId });
+            super(workloadIdentityClientId, workloadIdentityCredentialOptions);
+        }
         else if (managedIdentityClientId) {
             const managedIdentityClientOptions = Object.assign(Object.assign({}, options), { clientId: managedIdentityClientId });
             super(managedIdentityClientOptions);
@@ -3356,112 +3727,75 @@ class DefaultManagedIdentityCredential extends ManagedIdentityCredential {
         }
     }
 }
-const defaultCredentials = [
-    EnvironmentCredential,
-    DefaultManagedIdentityCredential,
-    AzureDeveloperCliCredential,
-    AzureCliCredential,
-    AzurePowerShellCredential,
-];
 /**
- * Provides a default {@link ChainedTokenCredential} configuration that should
- * work for most applications that use the Azure SDK.
+ * A shim around WorkloadIdentityCredential that adapts it to accept
+ * `DefaultAzureCredentialOptions`.
+ *
+ * @internal
  */
-class DefaultAzureCredential extends ChainedTokenCredential {
+class DefaultWorkloadIdentityCredential extends WorkloadIdentityCredential {
+    // Constructor overload with just the other default options
+    // Last constructor overload with Union of all options not required since the above two constructor overloads have optional properties
     constructor(options) {
-        super(...defaultCredentials.map((ctor) => new ctor(options)));
+        var _a, _b, _c;
+        const managedIdentityClientId = (_a = options === null || options === void 0 ? void 0 : options.managedIdentityClientId) !== null && _a !== void 0 ? _a : process.env.AZURE_CLIENT_ID;
+        const workloadIdentityClientId = (_b = options === null || options === void 0 ? void 0 : options.workloadIdentityClientId) !== null && _b !== void 0 ? _b : managedIdentityClientId;
+        const workloadFile = process.env.AZURE_FEDERATED_TOKEN_FILE;
+        const tenantId = (_c = options === null || options === void 0 ? void 0 : options.tenantId) !== null && _c !== void 0 ? _c : process.env.AZURE_TENANT_ID;
+        if (workloadFile && workloadIdentityClientId) {
+            const workloadIdentityCredentialOptions = Object.assign(Object.assign({}, options), { tenantId, clientId: workloadIdentityClientId, tokenFilePath: workloadFile });
+            super(workloadIdentityCredentialOptions);
+        }
+        else if (tenantId) {
+            const workloadIdentityClientTenantOptions = Object.assign(Object.assign({}, options), { tenantId });
+            super(workloadIdentityClientTenantOptions);
+        }
+        else {
+            super(options);
+        }
     }
 }
-
-// Copyright (c) Microsoft Corporation.
-/**
- * MSAL client assertion client. Calls to MSAL's confidential application's `acquireTokenByClientCredential` during `doGetToken`.
- * @internal
- */
-class MsalClientAssertion extends MsalNode {
+class DefaultAzureDeveloperCliCredential extends AzureDeveloperCliCredential {
     constructor(options) {
-        super(options);
-        this.requiresConfidential = true;
-        this.getAssertion = options.getAssertion;
+        super(Object.assign({ processTimeoutInMs: options === null || options === void 0 ? void 0 : options.processTimeoutInMs }, options));
     }
-    async doGetToken(scopes, options = {}) {
-        try {
-            const assertion = await this.getAssertion();
-            const result = await this.confidentialApp.acquireTokenByClientCredential({
-                scopes,
-                correlationId: options.correlationId,
-                azureRegion: this.azureRegion,
-                authority: options.authority,
-                claims: options.claims,
-                clientAssertion: assertion,
-            });
-            // The Client Credential flow does not return an account,
-            // so each time getToken gets called, we will have to acquire a new token through the service.
-            return this.handleResult(scopes, this.clientId, result || undefined);
-        }
-        catch (err) {
-            let err2 = err;
-            if (err === null || err === undefined) {
-                err2 = new Error(JSON.stringify(err));
-            }
-            else {
-                err2 = coreUtil.isError(err) ? err : new Error(String(err));
-            }
-            throw this.handleError(scopes, err2, options);
-        }
+}
+class DefaultAzureCliCredential extends AzureCliCredential {
+    constructor(options) {
+        super(Object.assign({ processTimeoutInMs: options === null || options === void 0 ? void 0 : options.processTimeoutInMs }, options));
     }
 }
-
-// Copyright (c) Microsoft Corporation.
-const logger$4 = credentialLogger("ClientAssertionCredential");
+class DefaultAzurePowershellCredential extends AzurePowerShellCredential {
+    constructor(options) {
+        super(Object.assign({ processTimeoutInMs: options === null || options === void 0 ? void 0 : options.processTimeoutInMs }, options));
+    }
+}
+const defaultCredentials = [
+    EnvironmentCredential,
+    DefaultWorkloadIdentityCredential,
+    DefaultManagedIdentityCredential,
+    DefaultAzureCliCredential,
+    DefaultAzurePowershellCredential,
+    DefaultAzureDeveloperCliCredential,
+];
 /**
- * Authenticates a service principal with a JWT assertion.
+ * Provides a default {@link ChainedTokenCredential} configuration that should
+ * work for most applications that use the Azure SDK.
  */
-class ClientAssertionCredential {
-    /**
-     * Creates an instance of the ClientAssertionCredential with the details
-     * needed to authenticate against Azure Active Directory with a client
-     * assertion provided by the developer through the `getAssertion` function parameter.
-     *
-     * @param tenantId - The Azure Active Directory tenant (directory) ID.
-     * @param clientId - The client (application) ID of an App Registration in the tenant.
-     * @param getAssertion - A function that retrieves the assertion for the credential to use.
-     * @param options - Options for configuring the client which makes the authentication request.
-     */
-    constructor(tenantId, clientId, getAssertion, options = {}) {
-        if (!tenantId || !clientId || !getAssertion) {
-            throw new Error("ClientAssertionCredential: tenantId, clientId, and clientAssertion are required parameters.");
-        }
-        this.tenantId = tenantId;
-        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
-        this.clientId = clientId;
-        this.options = options;
-        this.msalFlow = new MsalClientAssertion(Object.assign(Object.assign({}, options), { logger: logger$4, clientId: this.clientId, tenantId: this.tenantId, tokenCredentialOptions: this.options, getAssertion }));
-    }
-    /**
-     * Authenticates with Azure Active Directory and returns an access token if successful.
-     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
-     *
-     * @param scopes - The list of scopes for which the token will have access.
-     * @param options - The options used to configure any requests this
-     *                TokenCredential implementation might make.
-     */
-    async getToken(scopes, options = {}) {
-        return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
-            newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds);
-            const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
-            return this.msalFlow.getToken(arrayScopes, newOptions);
-        });
+class DefaultAzureCredential extends ChainedTokenCredential {
+    constructor(options) {
+        super(...defaultCredentials.map((ctor) => new ctor(options)));
     }
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 /**
  * A call to open(), but mockable
  * @internal
  */
 const interactiveBrowserMockable = {
-    open: open__default["default"],
+    open,
 };
 /**
  * This MSAL client sets up a web server to listen for redirect callbacks, then calls to the MSAL's public application's `acquireTokenByDeviceCode` during `doGetToken`
@@ -3470,182 +3804,106 @@ const interactiveBrowserMockable = {
  */
 class MsalOpenBrowser extends MsalNode {
     constructor(options) {
+        var _a, _b;
         super(options);
-        this.logger = credentialLogger("Node.js MSAL Open Browser");
-        this.redirectUri = options.redirectUri;
         this.loginHint = options.loginHint;
-        const url = new URL(this.redirectUri);
-        this.port = parseInt(url.port);
-        if (isNaN(this.port)) {
-            this.port = 80;
-        }
-        this.hostname = url.hostname;
-    }
-    async acquireTokenByCode(request) {
-        return this.publicApp.acquireTokenByCode(request);
+        this.errorTemplate = (_a = options.browserCustomizationOptions) === null || _a === void 0 ? void 0 : _a.errorMessage;
+        this.successTemplate = (_b = options.browserCustomizationOptions) === null || _b === void 0 ? void 0 : _b.successMessage;
+        this.logger = credentialLogger("Node.js MSAL Open Browser");
     }
-    doGetToken(scopes, options) {
-        return new Promise((resolve, reject) => {
-            const socketToDestroy = [];
-            const requestListener = (req, res) => {
-                var _a;
-                if (!req.url) {
-                    reject(new Error(`Interactive Browser Authentication Error "Did not receive token with a valid expiration"`));
-                    return;
-                }
-                let url;
-                try {
-                    url = new URL(req.url, this.redirectUri);
-                }
-                catch (e) {
-                    reject(new Error(`Interactive Browser Authentication Error "Did not receive token with a valid expiration"`));
-                    return;
-                }
-                const tokenRequest = {
-                    code: url.searchParams.get("code"),
-                    redirectUri: this.redirectUri,
-                    scopes: scopes,
-                    authority: options === null || options === void 0 ? void 0 : options.authority,
-                    codeVerifier: (_a = this.pkceCodes) === null || _a === void 0 ? void 0 : _a.verifier,
-                };
-                this.acquireTokenByCode(tokenRequest)
-                    .then((authResponse) => {
-                    if (authResponse === null || authResponse === void 0 ? void 0 : authResponse.account) {
-                        this.account = msalToPublic(this.clientId, authResponse.account);
-                    }
-                    const successMessage = `Authentication Complete. You can close the browser and return to the application.`;
-                    if (authResponse && authResponse.expiresOn) {
-                        const expiresOnTimestamp = authResponse === null || authResponse === void 0 ? void 0 : authResponse.expiresOn.valueOf();
-                        res.writeHead(200);
-                        res.end(successMessage);
-                        this.logger.getToken.info(formatSuccess(scopes));
-                        resolve({
-                            expiresOnTimestamp,
-                            token: authResponse.accessToken,
-                        });
-                    }
-                    else {
-                        const errorMessage = formatError(scopes, `${url.searchParams.get("error")}. ${url.searchParams.get("error_description")}`);
-                        res.writeHead(500);
-                        res.end(errorMessage);
-                        this.logger.getToken.info(errorMessage);
-                        reject(new Error(`Interactive Browser Authentication Error "Did not receive token with a valid expiration"`));
-                    }
-                    cleanup();
-                    return;
-                })
-                    .catch(() => {
-                    const errorMessage = formatError(scopes, `${url.searchParams.get("error")}. ${url.searchParams.get("error_description")}`);
-                    res.writeHead(500);
-                    res.end(errorMessage);
-                    this.logger.getToken.info(errorMessage);
-                    reject(new Error(`Interactive Browser Authentication Error "Did not receive token with a valid expiration"`));
-                    cleanup();
-                });
+    async doGetToken(scopes, options) {
+        var _a;
+        try {
+            const interactiveRequest = {
+                openBrowser: async (url) => {
+                    await interactiveBrowserMockable.open(url, { wait: true, newInstance: true });
+                },
+                scopes,
+                authority: options === null || options === void 0 ? void 0 : options.authority,
+                claims: options === null || options === void 0 ? void 0 : options.claims,
+                correlationId: options === null || options === void 0 ? void 0 : options.correlationId,
+                loginHint: this.loginHint,
+                errorTemplate: this.errorTemplate,
+                successTemplate: this.successTemplate,
             };
-            const app = http__default["default"].createServer(requestListener);
-            const server = stoppable__default["default"](app);
-            const listen = app.listen(this.port, this.hostname, () => this.logger.info(`InteractiveBrowserCredential listening on port ${this.port}!`));
-            function cleanup() {
-                if (listen) {
-                    listen.close();
-                }
-                for (const socket of socketToDestroy) {
-                    socket.destroy();
-                }
-                if (server) {
-                    server.close();
-                    server.stop();
-                }
-            }
-            app.on("connection", (socket) => socketToDestroy.push(socket));
-            app.on("error", (err) => {
-                cleanup();
-                const code = err.code;
-                if (code === "EACCES" || code === "EADDRINUSE") {
-                    reject(new CredentialUnavailableError([
-                        `InteractiveBrowserCredential: Access denied to port ${this.port}.`,
-                        `Try sending a redirect URI with a different port, as follows:`,
-                        '`new InteractiveBrowserCredential({ redirectUri: "http://localhost:1337" })`',
-                    ].join(" ")));
+            if (hasNativeBroker() && this.enableBroker) {
+                this.logger.verbose("Authentication will resume through the broker");
+                if (this.parentWindowHandle) {
+                    interactiveRequest.windowHandle = Buffer.from(this.parentWindowHandle);
                 }
                 else {
-                    reject(new CredentialUnavailableError(`InteractiveBrowserCredential: Failed to start the necessary web server. Error: ${err.message}`));
+                    // error should have been thrown from within the constructor of InteractiveBrowserCredential
+                    this.logger.warning("Parent window handle is not specified for the broker. This may cause unexpected behavior. Please provide the parentWindowHandle.");
                 }
-            });
-            app.on("listening", () => {
-                const openPromise = this.openAuthCodeUrl(scopes, options);
-                const abortSignal = options === null || options === void 0 ? void 0 : options.abortSignal;
-                if (abortSignal) {
-                    abortSignal.addEventListener("abort", () => {
-                        cleanup();
-                        reject(new Error("Aborted"));
-                    });
+                if (this.enableMsaPassthrough) {
+                    ((_a = interactiveRequest.tokenQueryParameters) !== null && _a !== void 0 ? _a : (interactiveRequest.tokenQueryParameters = {}))["msal_request_type"] =
+                        "consumer_passthrough";
                 }
-                openPromise.catch((e) => {
-                    cleanup();
-                    reject(e);
-                });
-            });
-        });
-    }
-    async openAuthCodeUrl(scopeArray, options) {
-        // Initialize CryptoProvider instance
-        const cryptoProvider = new msalNode__namespace.CryptoProvider();
-        // Generate PKCE Codes before starting the authorization flow
-        this.pkceCodes = await cryptoProvider.generatePkceCodes();
-        const authCodeUrlParameters = {
-            scopes: scopeArray,
-            correlationId: options === null || options === void 0 ? void 0 : options.correlationId,
-            redirectUri: this.redirectUri,
-            authority: options === null || options === void 0 ? void 0 : options.authority,
-            claims: options === null || options === void 0 ? void 0 : options.claims,
-            loginHint: this.loginHint,
-            codeChallenge: this.pkceCodes.challenge,
-            codeChallengeMethod: "S256", // Use SHA256 Algorithm
-        };
-        const response = await this.publicApp.getAuthCodeUrl(authCodeUrlParameters);
-        try {
-            // A new instance on macOS only which allows it to not hang, does not fix the issue on linux
-            await interactiveBrowserMockable.open(response, { wait: true, newInstance: true });
+            }
+            if (hasNativeBroker() && !this.enableBroker) {
+                this.logger.verbose("Authentication will resume normally without the broker, since it's not enabled");
+            }
+            const result = await this.getApp("public", options === null || options === void 0 ? void 0 : options.enableCae).acquireTokenInteractive(interactiveRequest);
+            if (result.fromNativeBroker) {
+                this.logger.verbose(`This result is returned from native broker`);
+            }
+            return this.handleResult(scopes, this.clientId, result || undefined);
         }
-        catch (e) {
-            throw new CredentialUnavailableError(`InteractiveBrowserCredential: Could not open a browser window. Error: ${e.message}`);
+        catch (err) {
+            throw this.handleError(scopes, err, options);
         }
     }
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 const logger$3 = credentialLogger("InteractiveBrowserCredential");
 /**
- * Enables authentication to Azure Active Directory inside of the web browser
+ * Enables authentication to Microsoft Entra ID inside of the web browser
  * using the interactive login flow.
  */
 class InteractiveBrowserCredential {
     /**
      * Creates an instance of InteractiveBrowserCredential with the details needed.
      *
-     * This credential uses the [Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow).
+     * This credential uses the [Authorization Code Flow](https://learn.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow).
      * On Node.js, it will open a browser window while it listens for a redirect response from the authentication service.
      * On browsers, it authenticates via popups. The `loginStyle` optional parameter can be set to `redirect` to authenticate by redirecting the user to an Azure secure login page, which then will redirect the user back to the web application where the authentication started.
      *
-     * For Node.js, if a `clientId` is provided, the Azure Active Directory application will need to be configured to have a "Mobile and desktop applications" redirect endpoint.
-     * Follow our guide on [setting up Redirect URIs for Desktop apps that calls to web APIs](https://docs.microsoft.com/azure/active-directory/develop/scenario-desktop-app-registration#redirect-uris).
+     * For Node.js, if a `clientId` is provided, the Microsoft Entra application will need to be configured to have a "Mobile and desktop applications" redirect endpoint.
+     * Follow our guide on [setting up Redirect URIs for Desktop apps that calls to web APIs](https://learn.microsoft.com/azure/active-directory/develop/scenario-desktop-app-registration#redirect-uris).
      *
      * @param options - Options for configuring the client which makes the authentication requests.
      */
-    constructor(options = {}) {
+    constructor(options) {
+        var _a, _b, _c;
         const redirectUri = typeof options.redirectUri === "function"
             ? options.redirectUri()
             : options.redirectUri || "http://localhost";
         this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
-        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
-        this.msalFlow = new MsalOpenBrowser(Object.assign(Object.assign({}, options), { tokenCredentialOptions: options, logger: logger$3,
-            redirectUri }));
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        const ibcNodeOptions = options;
+        if ((_a = ibcNodeOptions === null || ibcNodeOptions === void 0 ? void 0 : ibcNodeOptions.brokerOptions) === null || _a === void 0 ? void 0 : _a.enabled) {
+            if (!((_b = ibcNodeOptions === null || ibcNodeOptions === void 0 ? void 0 : ibcNodeOptions.brokerOptions) === null || _b === void 0 ? void 0 : _b.parentWindowHandle)) {
+                throw new Error("In order to do WAM authentication, `parentWindowHandle` under `brokerOptions` is a required parameter");
+            }
+            else {
+                this.msalFlow = new MsalOpenBrowser(Object.assign(Object.assign({}, options), { tokenCredentialOptions: options, logger: logger$3,
+                    redirectUri, browserCustomizationOptions: ibcNodeOptions === null || ibcNodeOptions === void 0 ? void 0 : ibcNodeOptions.browserCustomizationOptions, brokerOptions: {
+                        enabled: true,
+                        parentWindowHandle: ibcNodeOptions.brokerOptions.parentWindowHandle,
+                        legacyEnableMsaPassthrough: (_c = ibcNodeOptions.brokerOptions) === null || _c === void 0 ? void 0 : _c.legacyEnableMsaPassthrough,
+                    } }));
+            }
+        }
+        else {
+            this.msalFlow = new MsalOpenBrowser(Object.assign(Object.assign({}, options), { tokenCredentialOptions: options, logger: logger$3,
+                redirectUri, browserCustomizationOptions: ibcNodeOptions === null || ibcNodeOptions === void 0 ? void 0 : ibcNodeOptions.browserCustomizationOptions }));
+        }
         this.disableAutomaticAuthentication = options === null || options === void 0 ? void 0 : options.disableAutomaticAuthentication;
     }
     /**
-     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
      * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * If the user provided the option `disableAutomaticAuthentication`,
@@ -3658,13 +3916,13 @@ class InteractiveBrowserCredential {
      */
     async getToken(scopes, options = {}) {
         return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
-            newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds);
+            newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$3);
             const arrayScopes = ensureScopes(scopes);
             return this.msalFlow.getToken(arrayScopes, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: this.disableAutomaticAuthentication }));
         });
     }
     /**
-     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
      * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * If the token can't be retrieved silently, this method will require user interaction to retrieve the token.
@@ -3686,6 +3944,7 @@ class InteractiveBrowserCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 /**
  * MSAL device code client. Calls to the MSAL's public application's `acquireTokenByDeviceCode` during `doGetToken`.
  * @internal
@@ -3705,7 +3964,7 @@ class MsalDeviceCode extends MsalNode {
                 authority: options === null || options === void 0 ? void 0 : options.authority,
                 claims: options === null || options === void 0 ? void 0 : options.claims,
             };
-            const promise = this.publicApp.acquireTokenByDeviceCode(requestOptions);
+            const promise = this.getApp("public", options === null || options === void 0 ? void 0 : options.enableCae).acquireTokenByDeviceCode(requestOptions);
             const deviceResponse = await this.withCancellation(promise, options === null || options === void 0 ? void 0 : options.abortSignal, () => {
                 requestOptions.cancel = true;
             });
@@ -3718,6 +3977,7 @@ class MsalDeviceCode extends MsalNode {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 const logger$2 = credentialLogger("DeviceCodeCredential");
 /**
  * Method that logs the user code from the DeviceCodeCredential.
@@ -3727,13 +3987,13 @@ function defaultDeviceCodePromptCallback(deviceCodeInfo) {
     console.log(deviceCodeInfo.message);
 }
 /**
- * Enables authentication to Azure Active Directory using a device code
+ * Enables authentication to Microsoft Entra ID using a device code
  * that the user can enter into https://microsoft.com/devicelogin.
  */
 class DeviceCodeCredential {
     /**
      * Creates an instance of DeviceCodeCredential with the details needed
-     * to initiate the device code authorization flow with Azure Active Directory.
+     * to initiate the device code authorization flow with Microsoft Entra ID.
      *
      * A message will be logged, giving users a code that they can use to authenticate once they go to https://microsoft.com/devicelogin
      *
@@ -3753,12 +4013,12 @@ class DeviceCodeCredential {
      */
     constructor(options) {
         this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
-        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
         this.msalFlow = new MsalDeviceCode(Object.assign(Object.assign({}, options), { logger: logger$2, userPromptCallback: (options === null || options === void 0 ? void 0 : options.userPromptCallback) || defaultDeviceCodePromptCallback, tokenCredentialOptions: options || {} }));
         this.disableAutomaticAuthentication = options === null || options === void 0 ? void 0 : options.disableAutomaticAuthentication;
     }
     /**
-     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
      * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * If the user provided the option `disableAutomaticAuthentication`,
@@ -3771,13 +4031,13 @@ class DeviceCodeCredential {
      */
     async getToken(scopes, options = {}) {
         return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
-            newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds);
+            newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$2);
             const arrayScopes = ensureScopes(scopes);
             return this.msalFlow.getToken(arrayScopes, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: this.disableAutomaticAuthentication }));
         });
     }
     /**
-     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
      * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * If the token can't be retrieved silently, this method will require user interaction to retrieve the token.
@@ -3796,6 +4056,7 @@ class DeviceCodeCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 /**
  * This MSAL client sets up a web server to listen for redirect callbacks, then calls to the MSAL's public application's `acquireTokenByDeviceCode` during `doGetToken`
  * to trigger the authentication flow, and then respond based on the values obtained from the redirect callback
@@ -3813,19 +4074,21 @@ class MsalAuthorizationCode extends MsalNode {
     }
     async getAuthCodeUrl(options) {
         await this.init();
-        return (this.confidentialApp || this.publicApp).getAuthCodeUrl(options);
+        return this.getApp("confidentialFirst", options.enableCae).getAuthCodeUrl({
+            scopes: options.scopes,
+            redirectUri: options.redirectUri,
+        });
     }
     async doGetToken(scopes, options) {
-        var _a;
         try {
-            const result = await ((_a = (this.confidentialApp || this.publicApp)) === null || _a === void 0 ? void 0 : _a.acquireTokenByCode({
+            const result = await this.getApp("confidentialFirst", options === null || options === void 0 ? void 0 : options.enableCae).acquireTokenByCode({
                 scopes,
                 redirectUri: this.redirectUri,
                 code: this.authorizationCode,
                 correlationId: options === null || options === void 0 ? void 0 : options.correlationId,
                 authority: options === null || options === void 0 ? void 0 : options.authority,
                 claims: options === null || options === void 0 ? void 0 : options.claims,
-            }));
+            });
             // The Client Credential flow does not return an account,
             // so each time getToken gets called, we will have to acquire a new token through the service.
             return this.handleResult(scopes, this.clientId, result || undefined);
@@ -3837,13 +4100,14 @@ class MsalAuthorizationCode extends MsalNode {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 const logger$1 = credentialLogger("AuthorizationCodeCredential");
 /**
- * Enables authentication to Azure Active Directory using an authorization code
+ * Enables authentication to Microsoft Entra ID using an authorization code
  * that was obtained through the authorization code flow, described in more detail
- * in the Azure Active Directory documentation:
+ * in the Microsoft Entra ID documentation:
  *
- * https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
+ * https://learn.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow
  */
 class AuthorizationCodeCredential {
     /**
@@ -3868,13 +4132,13 @@ class AuthorizationCodeCredential {
         }
         // TODO: Validate tenant if provided
         this.tenantId = tenantId;
-        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
         this.msalFlow = new MsalAuthorizationCode(Object.assign(Object.assign({}, options), { clientSecret,
             clientId,
             tenantId, tokenCredentialOptions: options || {}, logger: logger$1, redirectUri: this.redirectUri, authorizationCode: this.authorizationCode }));
     }
     /**
-     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
      * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * @param scopes - The list of scopes for which the token will have access.
@@ -3892,6 +4156,7 @@ class AuthorizationCodeCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 /**
  * MSAL on behalf of flow. Calls to MSAL's confidential application's `acquireTokenOnBehalfOf` during `doGetToken`.
  * @internal
@@ -3929,7 +4194,7 @@ class MsalOnBehalfOf extends MsalNode {
     }
     async doGetToken(scopes, options = {}) {
         try {
-            const result = await this.confidentialApp.acquireTokenOnBehalfOf({
+            const result = await this.getApp("confidential", options.enableCae).acquireTokenOnBehalfOf({
                 scopes,
                 correlationId: options.correlationId,
                 authority: options.authority,
@@ -3945,10 +4210,11 @@ class MsalOnBehalfOf extends MsalNode {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 const credentialName = "OnBehalfOfCredential";
 const logger = credentialLogger(credentialName);
 /**
- * Enables authentication to Azure Active Directory using the [On Behalf Of flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow).
+ * Enables authentication to Microsoft Entra ID using the [On Behalf Of flow](https://learn.microsoft.com/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow).
  */
 class OnBehalfOfCredential {
     constructor(options) {
@@ -3960,11 +4226,11 @@ class OnBehalfOfCredential {
             throw new Error(`${credentialName}: tenantId, clientId, clientSecret (or certificatePath) and userAssertionToken are required parameters.`);
         }
         this.tenantId = tenantId;
-        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(additionallyAllowedTenantIds);
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(additionallyAllowedTenantIds);
         this.msalFlow = new MsalOnBehalfOf(Object.assign(Object.assign({}, this.options), { logger, tokenCredentialOptions: this.options }));
     }
     /**
-     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
      * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
      * @param scopes - The list of scopes for which the token will have access.
@@ -3972,7 +4238,7 @@ class OnBehalfOfCredential {
      */
     async getToken(scopes, options = {}) {
         return tracingClient.withSpan(`${credentialName}.getToken`, options, async (newOptions) => {
-            newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds);
+            newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger);
             const arrayScopes = ensureScopes(scopes);
             return this.msalFlow.getToken(arrayScopes, newOptions);
         });
@@ -3980,6 +4246,7 @@ class OnBehalfOfCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
 /**
  * Returns a new instance of the {@link DefaultAzureCredential}.
  */
@@ -3994,6 +4261,7 @@ exports.AuthenticationErrorName = AuthenticationErrorName;
 exports.AuthenticationRequiredError = AuthenticationRequiredError;
 exports.AuthorizationCodeCredential = AuthorizationCodeCredential;
 exports.AzureCliCredential = AzureCliCredential;
+exports.AzureDeveloperCliCredential = AzureDeveloperCliCredential;
 exports.AzurePowerShellCredential = AzurePowerShellCredential;
 exports.ChainedTokenCredential = ChainedTokenCredential;
 exports.ClientAssertionCredential = ClientAssertionCredential;
@@ -4009,9 +4277,10 @@ exports.ManagedIdentityCredential = ManagedIdentityCredential;
 exports.OnBehalfOfCredential = OnBehalfOfCredential;
 exports.UsernamePasswordCredential = UsernamePasswordCredential;
 exports.VisualStudioCodeCredential = VisualStudioCodeCredential;
+exports.WorkloadIdentityCredential = WorkloadIdentityCredential;
 exports.deserializeAuthenticationRecord = deserializeAuthenticationRecord;
 exports.getDefaultAzureCredential = getDefaultAzureCredential;
-exports.logger = logger$m;
+exports.logger = logger$n;
 exports.serializeAuthenticationRecord = serializeAuthenticationRecord;
 exports.useIdentityPlugin = useIdentityPlugin;
 //# sourceMappingURL=index.js.map