@azure/identity 4.1.0-beta.1 → 4.1.1-alpha.20240411.2

package/dist/index.js

@@ -2,18 +2,18 @@
 
 Object.defineProperty(exports, '__esModule', { value: true });
 
-var msalCommon = require('@azure/msal-node');
 var logger$q = require('@azure/logger');
-var coreUtil = require('@azure/core-util');
-var abortController = require('@azure/abort-controller');
 var coreClient = require('@azure/core-client');
+var coreUtil = require('@azure/core-util');
 var coreRestPipeline = require('@azure/core-rest-pipeline');
+var abortController = require('@azure/abort-controller');
 var coreTracing = require('@azure/core-tracing');
 var fs = require('fs');
 var os = require('os');
 var path = require('path');
-var promises = require('fs/promises');
+var msalCommon = require('@azure/msal-node');
 var https = require('https');
+var promises = require('fs/promises');
 var child_process = require('child_process');
 var crypto = require('crypto');
 var util = require('util');
@@ -44,7 +44,7 @@ var child_process__namespace = /*#__PURE__*/_interopNamespaceDefault(child_proce
 /**
  * Current version of the `@azure/identity` package.
  */
-const SDK_VERSION = `4.1.0-beta.1`;
+const SDK_VERSION = `4.1.1`;
 /**
  * The default client ID for authentication
  * @internal
@@ -93,11 +93,54 @@ const ALL_TENANTS = ["*"];
 /**
  * @internal
  */
-const CACHE_CAE_SUFFIX = ".cae";
+const CACHE_CAE_SUFFIX = "cae";
+/**
+ * @internal
+ */
+const CACHE_NON_CAE_SUFFIX = "nocae";
+/**
+ * @internal
+ *
+ * The default name for the cache persistence plugin.
+ * Matches the constant defined in the cache persistence package.
+ */
+const DEFAULT_TOKEN_CACHE_NAME = "msal.cache";
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+/**
+ * The current persistence provider, undefined by default.
+ * @internal
+ */
+let persistenceProvider = undefined;
+/**
+ * An object that allows setting the persistence provider.
+ * @internal
+ */
+const msalNodeFlowCacheControl = {
+    setPersistence(pluginProvider) {
+        persistenceProvider = pluginProvider;
+    },
+};
+/**
+ * The current native broker provider, undefined by default.
+ * @internal
+ */
+let nativeBrokerInfo = undefined;
+function hasNativeBroker() {
+    return nativeBrokerInfo !== undefined;
+}
 /**
+ * An object that allows setting the native broker provider.
  * @internal
  */
-const CACHE_NON_CAE_SUFFIX = ".nocae";
+const msalNodeFlowNativeBrokerControl = {
+    setNativeBroker(broker) {
+        nativeBrokerInfo = {
+            broker,
+        };
+    },
+};
 
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
@@ -297,218 +340,6 @@ class AuthenticationRequiredError extends Error {
     }
 }
 
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-/**
- * @internal
- */
-const logger$o = credentialLogger("IdentityUtils");
-/**
- * Latest AuthenticationRecord version
- * @internal
- */
-const LatestAuthenticationRecordVersion = "1.0";
-/**
- * Ensures the validity of the MSAL token
- * @internal
- */
-function ensureValidMsalToken(scopes, msalToken, getTokenOptions) {
-    const error = (message) => {
-        logger$o.getToken.info(message);
-        return new AuthenticationRequiredError({
-            scopes: Array.isArray(scopes) ? scopes : [scopes],
-            getTokenOptions,
-            message,
-        });
-    };
-    if (!msalToken) {
-        throw error("No response");
-    }
-    if (!msalToken.expiresOn) {
-        throw error(`Response had no "expiresOn" property.`);
-    }
-    if (!msalToken.accessToken) {
-        throw error(`Response had no "accessToken" property.`);
-    }
-}
-/**
- * Generates a valid authority by combining a host with a tenantId.
- * @internal
- */
-function getAuthority(tenantId, host) {
-    if (!host) {
-        host = DefaultAuthorityHost;
-    }
-    if (new RegExp(`${tenantId}/?$`).test(host)) {
-        return host;
-    }
-    if (host.endsWith("/")) {
-        return host + tenantId;
-    }
-    else {
-        return `${host}/${tenantId}`;
-    }
-}
-/**
- * Generates the known authorities.
- * If the Tenant Id is `adfs`, the authority can't be validated since the format won't match the expected one.
- * For that reason, we have to force MSAL to disable validating the authority
- * by sending it within the known authorities in the MSAL configuration.
- * @internal
- */
-function getKnownAuthorities(tenantId, authorityHost, disableInstanceDiscovery) {
-    if ((tenantId === "adfs" && authorityHost) || disableInstanceDiscovery) {
-        return [authorityHost];
-    }
-    return [];
-}
-/**
- * Generates a logger that can be passed to the MSAL clients.
- * @param credLogger - The logger of the credential.
- * @internal
- */
-const defaultLoggerCallback = (credLogger, platform = coreUtil.isNode ? "Node" : "Browser") => (level, message, containsPii) => {
-    if (containsPii) {
-        return;
-    }
-    switch (level) {
-        case msalCommon__namespace.LogLevel.Error:
-            credLogger.info(`MSAL ${platform} V2 error: ${message}`);
-            return;
-        case msalCommon__namespace.LogLevel.Info:
-            credLogger.info(`MSAL ${platform} V2 info message: ${message}`);
-            return;
-        case msalCommon__namespace.LogLevel.Verbose:
-            credLogger.info(`MSAL ${platform} V2 verbose message: ${message}`);
-            return;
-        case msalCommon__namespace.LogLevel.Warning:
-            credLogger.info(`MSAL ${platform} V2 warning: ${message}`);
-            return;
-    }
-};
-/**
- * @internal
- */
-function getMSALLogLevel(logLevel) {
-    switch (logLevel) {
-        case "error":
-            return msalCommon__namespace.LogLevel.Error;
-        case "info":
-            return msalCommon__namespace.LogLevel.Info;
-        case "verbose":
-            return msalCommon__namespace.LogLevel.Verbose;
-        case "warning":
-            return msalCommon__namespace.LogLevel.Warning;
-        default:
-            // default msal logging level should be Info
-            return msalCommon__namespace.LogLevel.Info;
-    }
-}
-/**
- * Wraps core-util's randomUUID in order to allow for mocking in tests.
- * This prepares the library for the upcoming core-util update to ESM.
- *
- * @internal
- * @returns A string containing a random UUID
- */
-function randomUUID() {
-    return coreUtil.randomUUID();
-}
-/**
- * Handles MSAL errors.
- */
-function handleMsalError(scopes, error, getTokenOptions) {
-    if (error.name === "AuthError" ||
-        error.name === "ClientAuthError" ||
-        error.name === "BrowserAuthError") {
-        const msalError = error;
-        switch (msalError.errorCode) {
-            case "endpoints_resolution_error":
-                logger$o.info(formatError(scopes, error.message));
-                return new CredentialUnavailableError(error.message);
-            case "device_code_polling_cancelled":
-                return new abortController.AbortError("The authentication has been aborted by the caller.");
-            case "consent_required":
-            case "interaction_required":
-            case "login_required":
-                logger$o.info(formatError(scopes, `Authentication returned errorCode ${msalError.errorCode}`));
-                break;
-            default:
-                logger$o.info(formatError(scopes, `Failed to acquire token: ${error.message}`));
-                break;
-        }
-    }
-    if (error.name === "ClientConfigurationError" ||
-        error.name === "BrowserConfigurationAuthError" ||
-        error.name === "AbortError") {
-        return error;
-    }
-    if (error.name === "NativeAuthError") {
-        logger$o.info(formatError(scopes, `Error from the native broker: ${error.message} with status code: ${error.statusCode}`));
-        return error;
-    }
-    return new AuthenticationRequiredError({ scopes, getTokenOptions, message: error.message });
-}
-// transformations.ts
-function publicToMsal(account) {
-    const [environment] = account.authority.match(/([a-z]*\.[a-z]*\.[a-z]*)/) || [""];
-    return Object.assign(Object.assign({}, account), { localAccountId: account.homeAccountId, environment });
-}
-function msalToPublic(clientId, account) {
-    const record = {
-        authority: getAuthority(account.tenantId, account.environment),
-        homeAccountId: account.homeAccountId,
-        tenantId: account.tenantId || DefaultTenantId,
-        username: account.username,
-        clientId,
-        version: LatestAuthenticationRecordVersion,
-    };
-    return record;
-}
-/**
- * Serializes an `AuthenticationRecord` into a string.
- *
- * The output of a serialized authentication record will contain the following properties:
- *
- * - "authority"
- * - "homeAccountId"
- * - "clientId"
- * - "tenantId"
- * - "username"
- * - "version"
- *
- * To later convert this string to a serialized `AuthenticationRecord`, please use the exported function `deserializeAuthenticationRecord()`.
- */
-function serializeAuthenticationRecord(record) {
-    return JSON.stringify(record);
-}
-/**
- * Deserializes a previously serialized authentication record from a string into an object.
- *
- * The input string must contain the following properties:
- *
- * - "authority"
- * - "homeAccountId"
- * - "clientId"
- * - "tenantId"
- * - "username"
- * - "version"
- *
- * If the version we receive is unsupported, an error will be thrown.
- *
- * At the moment, the only available version is: "1.0", which is always set when the authentication record is serialized.
- *
- * @param serializedRecord - Authentication record previously serialized into string.
- * @returns AuthenticationRecord.
- */
-function deserializeAuthenticationRecord(serializedRecord) {
-    const parsed = JSON.parse(serializedRecord);
-    if (parsed.version && parsed.version !== LatestAuthenticationRecordVersion) {
-        throw Error("Unsupported AuthenticationRecord version");
-    }
-    return parsed;
-}
-
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 function createConfigurationErrorMessage(tenantId) {
@@ -899,1082 +730,1432 @@ class IdentityClient extends coreClient.ServiceClient {
 
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
-/**
- * Helps specify a regional authority, or "AutoDiscoverRegion" to auto-detect the region.
- */
-var RegionalAuthority;
-(function (RegionalAuthority) {
-    /** Instructs MSAL to attempt to discover the region */
-    RegionalAuthority["AutoDiscoverRegion"] = "AutoDiscoverRegion";
-    /** Uses the {@link RegionalAuthority} for the Azure 'westus' region. */
-    RegionalAuthority["USWest"] = "westus";
-    /** Uses the {@link RegionalAuthority} for the Azure 'westus2' region. */
-    RegionalAuthority["USWest2"] = "westus2";
-    /** Uses the {@link RegionalAuthority} for the Azure 'centralus' region. */
-    RegionalAuthority["USCentral"] = "centralus";
-    /** Uses the {@link RegionalAuthority} for the Azure 'eastus' region. */
-    RegionalAuthority["USEast"] = "eastus";
-    /** Uses the {@link RegionalAuthority} for the Azure 'eastus2' region. */
-    RegionalAuthority["USEast2"] = "eastus2";
-    /** Uses the {@link RegionalAuthority} for the Azure 'northcentralus' region. */
-    RegionalAuthority["USNorthCentral"] = "northcentralus";
-    /** Uses the {@link RegionalAuthority} for the Azure 'southcentralus' region. */
-    RegionalAuthority["USSouthCentral"] = "southcentralus";
-    /** Uses the {@link RegionalAuthority} for the Azure 'westcentralus' region. */
-    RegionalAuthority["USWestCentral"] = "westcentralus";
-    /** Uses the {@link RegionalAuthority} for the Azure 'canadacentral' region. */
-    RegionalAuthority["CanadaCentral"] = "canadacentral";
-    /** Uses the {@link RegionalAuthority} for the Azure 'canadaeast' region. */
-    RegionalAuthority["CanadaEast"] = "canadaeast";
-    /** Uses the {@link RegionalAuthority} for the Azure 'brazilsouth' region. */
-    RegionalAuthority["BrazilSouth"] = "brazilsouth";
-    /** Uses the {@link RegionalAuthority} for the Azure 'northeurope' region. */
-    RegionalAuthority["EuropeNorth"] = "northeurope";
-    /** Uses the {@link RegionalAuthority} for the Azure 'westeurope' region. */
-    RegionalAuthority["EuropeWest"] = "westeurope";
-    /** Uses the {@link RegionalAuthority} for the Azure 'uksouth' region. */
-    RegionalAuthority["UKSouth"] = "uksouth";
-    /** Uses the {@link RegionalAuthority} for the Azure 'ukwest' region. */
-    RegionalAuthority["UKWest"] = "ukwest";
-    /** Uses the {@link RegionalAuthority} for the Azure 'francecentral' region. */
-    RegionalAuthority["FranceCentral"] = "francecentral";
-    /** Uses the {@link RegionalAuthority} for the Azure 'francesouth' region. */
-    RegionalAuthority["FranceSouth"] = "francesouth";
-    /** Uses the {@link RegionalAuthority} for the Azure 'switzerlandnorth' region. */
-    RegionalAuthority["SwitzerlandNorth"] = "switzerlandnorth";
-    /** Uses the {@link RegionalAuthority} for the Azure 'switzerlandwest' region. */
-    RegionalAuthority["SwitzerlandWest"] = "switzerlandwest";
-    /** Uses the {@link RegionalAuthority} for the Azure 'germanynorth' region. */
-    RegionalAuthority["GermanyNorth"] = "germanynorth";
-    /** Uses the {@link RegionalAuthority} for the Azure 'germanywestcentral' region. */
-    RegionalAuthority["GermanyWestCentral"] = "germanywestcentral";
-    /** Uses the {@link RegionalAuthority} for the Azure 'norwaywest' region. */
-    RegionalAuthority["NorwayWest"] = "norwaywest";
-    /** Uses the {@link RegionalAuthority} for the Azure 'norwayeast' region. */
-    RegionalAuthority["NorwayEast"] = "norwayeast";
-    /** Uses the {@link RegionalAuthority} for the Azure 'eastasia' region. */
-    RegionalAuthority["AsiaEast"] = "eastasia";
-    /** Uses the {@link RegionalAuthority} for the Azure 'southeastasia' region. */
-    RegionalAuthority["AsiaSouthEast"] = "southeastasia";
-    /** Uses the {@link RegionalAuthority} for the Azure 'japaneast' region. */
-    RegionalAuthority["JapanEast"] = "japaneast";
-    /** Uses the {@link RegionalAuthority} for the Azure 'japanwest' region. */
-    RegionalAuthority["JapanWest"] = "japanwest";
-    /** Uses the {@link RegionalAuthority} for the Azure 'australiaeast' region. */
-    RegionalAuthority["AustraliaEast"] = "australiaeast";
-    /** Uses the {@link RegionalAuthority} for the Azure 'australiasoutheast' region. */
-    RegionalAuthority["AustraliaSouthEast"] = "australiasoutheast";
-    /** Uses the {@link RegionalAuthority} for the Azure 'australiacentral' region. */
-    RegionalAuthority["AustraliaCentral"] = "australiacentral";
-    /** Uses the {@link RegionalAuthority} for the Azure 'australiacentral2' region. */
-    RegionalAuthority["AustraliaCentral2"] = "australiacentral2";
-    /** Uses the {@link RegionalAuthority} for the Azure 'centralindia' region. */
-    RegionalAuthority["IndiaCentral"] = "centralindia";
-    /** Uses the {@link RegionalAuthority} for the Azure 'southindia' region. */
-    RegionalAuthority["IndiaSouth"] = "southindia";
-    /** Uses the {@link RegionalAuthority} for the Azure 'westindia' region. */
-    RegionalAuthority["IndiaWest"] = "westindia";
-    /** Uses the {@link RegionalAuthority} for the Azure 'koreasouth' region. */
-    RegionalAuthority["KoreaSouth"] = "koreasouth";
-    /** Uses the {@link RegionalAuthority} for the Azure 'koreacentral' region. */
-    RegionalAuthority["KoreaCentral"] = "koreacentral";
-    /** Uses the {@link RegionalAuthority} for the Azure 'uaecentral' region. */
-    RegionalAuthority["UAECentral"] = "uaecentral";
-    /** Uses the {@link RegionalAuthority} for the Azure 'uaenorth' region. */
-    RegionalAuthority["UAENorth"] = "uaenorth";
-    /** Uses the {@link RegionalAuthority} for the Azure 'southafricanorth' region. */
-    RegionalAuthority["SouthAfricaNorth"] = "southafricanorth";
-    /** Uses the {@link RegionalAuthority} for the Azure 'southafricawest' region. */
-    RegionalAuthority["SouthAfricaWest"] = "southafricawest";
-    /** Uses the {@link RegionalAuthority} for the Azure 'chinanorth' region. */
-    RegionalAuthority["ChinaNorth"] = "chinanorth";
-    /** Uses the {@link RegionalAuthority} for the Azure 'chinaeast' region. */
-    RegionalAuthority["ChinaEast"] = "chinaeast";
-    /** Uses the {@link RegionalAuthority} for the Azure 'chinanorth2' region. */
-    RegionalAuthority["ChinaNorth2"] = "chinanorth2";
-    /** Uses the {@link RegionalAuthority} for the Azure 'chinaeast2' region. */
-    RegionalAuthority["ChinaEast2"] = "chinaeast2";
-    /** Uses the {@link RegionalAuthority} for the Azure 'germanycentral' region. */
-    RegionalAuthority["GermanyCentral"] = "germanycentral";
-    /** Uses the {@link RegionalAuthority} for the Azure 'germanynortheast' region. */
-    RegionalAuthority["GermanyNorthEast"] = "germanynortheast";
-    /** Uses the {@link RegionalAuthority} for the Azure 'usgovvirginia' region. */
-    RegionalAuthority["GovernmentUSVirginia"] = "usgovvirginia";
-    /** Uses the {@link RegionalAuthority} for the Azure 'usgoviowa' region. */
-    RegionalAuthority["GovernmentUSIowa"] = "usgoviowa";
-    /** Uses the {@link RegionalAuthority} for the Azure 'usgovarizona' region. */
-    RegionalAuthority["GovernmentUSArizona"] = "usgovarizona";
-    /** Uses the {@link RegionalAuthority} for the Azure 'usgovtexas' region. */
-    RegionalAuthority["GovernmentUSTexas"] = "usgovtexas";
-    /** Uses the {@link RegionalAuthority} for the Azure 'usdodeast' region. */
-    RegionalAuthority["GovernmentUSDodEast"] = "usdodeast";
-    /** Uses the {@link RegionalAuthority} for the Azure 'usdodcentral' region. */
-    RegionalAuthority["GovernmentUSDodCentral"] = "usdodcentral";
-})(RegionalAuthority || (RegionalAuthority = {}));
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-/**
- * The current persistence provider, undefined by default.
- * @internal
- */
-let persistenceProvider = undefined;
-/**
- * An object that allows setting the persistence provider.
- * @internal
- */
-const msalNodeFlowCacheControl = {
-    setPersistence(pluginProvider) {
-        persistenceProvider = pluginProvider;
+const CommonTenantId = "common";
+const AzureAccountClientId = "aebc6443-996d-45c2-90f0-388ff96faa56"; // VSC: 'aebc6443-996d-45c2-90f0-388ff96faa56'
+const logger$o = credentialLogger("VisualStudioCodeCredential");
+let findCredentials = undefined;
+const vsCodeCredentialControl = {
+    setVsCodeCredentialFinder(finder) {
+        findCredentials = finder;
     },
 };
-/**
- * The current native broker provider, undefined by default.
- * @internal
- */
-let nativeBrokerInfo = undefined;
-function hasNativeBroker() {
-    return nativeBrokerInfo !== undefined;
+// Map of unsupported Tenant IDs and the errors we will be throwing.
+const unsupportedTenantIds = {
+    adfs: "The VisualStudioCodeCredential does not support authentication with ADFS tenants.",
+};
+function checkUnsupportedTenant(tenantId) {
+    // If the Tenant ID isn't supported, we throw.
+    const unsupportedTenantError = unsupportedTenantIds[tenantId];
+    if (unsupportedTenantError) {
+        throw new CredentialUnavailableError(unsupportedTenantError);
+    }
 }
+const mapVSCodeAuthorityHosts = {
+    AzureCloud: exports.AzureAuthorityHosts.AzurePublicCloud,
+    AzureChina: exports.AzureAuthorityHosts.AzureChina,
+    AzureGermanCloud: exports.AzureAuthorityHosts.AzureGermany,
+    AzureUSGovernment: exports.AzureAuthorityHosts.AzureGovernment,
+};
 /**
- * An object that allows setting the native broker provider.
- * @internal
+ * Attempts to load a specific property from the VSCode configurations of the current OS.
+ * If it fails at any point, returns undefined.
  */
-const msalNodeFlowNativeBrokerControl = {
-    setNativeBroker(broker) {
-        nativeBrokerInfo = {
-            broker,
-        };
-    },
-};
+function getPropertyFromVSCode(property) {
+    const settingsPath = ["User", "settings.json"];
+    // Eventually we can add more folders for more versions of VSCode.
+    const vsCodeFolder = "Code";
+    const homedir = os.homedir();
+    function loadProperty(...pathSegments) {
+        const fullPath = path.join(...pathSegments, vsCodeFolder, ...settingsPath);
+        const settings = JSON.parse(fs.readFileSync(fullPath, { encoding: "utf8" }));
+        return settings[property];
+    }
+    try {
+        let appData;
+        switch (process.platform) {
+            case "win32":
+                appData = process.env.APPDATA;
+                return appData ? loadProperty(appData) : undefined;
+            case "darwin":
+                return loadProperty(homedir, "Library", "Application Support");
+            case "linux":
+                return loadProperty(homedir, ".config");
+            default:
+                return;
+        }
+    }
+    catch (e) {
+        logger$o.info(`Failed to load the Visual Studio Code configuration file. Error: ${e.message}`);
+        return;
+    }
+}
 /**
- * MSAL partial base client for Node.js.
- *
- * It completes the input configuration with some default values.
- * It also provides with utility protected methods that can be used from any of the clients,
- * which includes handlers for successful responses and errors.
+ * Connects to Azure using the credential provided by the VSCode extension 'Azure Account'.
+ * Once the user has logged in via the extension, this credential can share the same refresh token
+ * that is cached by the extension.
  *
- * @internal
+ * It's a [known issue](https://github.com/Azure/azure-sdk-for-js/issues/20500) that this credential doesn't
+ * work with [Azure Account extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode.azure-account)
+ * versions newer than **0.9.11**. A long-term fix to this problem is in progress. In the meantime, consider
+ * authenticating with {@link AzureCliCredential}.
  */
-class MsalNode {
+class VisualStudioCodeCredential {
+    /**
+     * Creates an instance of VisualStudioCodeCredential to use for automatically authenticating via VSCode.
+     *
+     * **Note**: `VisualStudioCodeCredential` is provided by a plugin package:
+     * `@azure/identity-vscode`. If this package is not installed and registered
+     * using the plugin API (`useIdentityPlugin`), then authentication using
+     * `VisualStudioCodeCredential` will not be available.
+     *
+     * @param options - Options for configuring the client which makes the authentication request.
+     */
     constructor(options) {
-        var _a, _b, _c, _d, _e, _f, _g;
-        this.app = {};
-        this.caeApp = {};
-        this.requiresConfidential = false;
-        this.logger = options.logger;
-        this.msalConfig = this.defaultNodeMsalConfig(options);
-        this.tenantId = resolveTenantId(options.logger, options.tenantId, options.clientId);
-        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds((_a = options === null || options === void 0 ? void 0 : options.tokenCredentialOptions) === null || _a === void 0 ? void 0 : _a.additionallyAllowedTenants);
-        this.clientId = this.msalConfig.auth.clientId;
-        if (options === null || options === void 0 ? void 0 : options.getAssertion) {
-            this.getAssertion = options.getAssertion;
-        }
-        this.enableBroker = (_b = options === null || options === void 0 ? void 0 : options.brokerOptions) === null || _b === void 0 ? void 0 : _b.enabled;
-        this.enableMsaPassthrough = (_c = options === null || options === void 0 ? void 0 : options.brokerOptions) === null || _c === void 0 ? void 0 : _c.legacyEnableMsaPassthrough;
-        this.parentWindowHandle = (_d = options.brokerOptions) === null || _d === void 0 ? void 0 : _d.parentWindowHandle;
-        // If persistence has been configured
-        if (persistenceProvider !== undefined && ((_e = options.tokenCachePersistenceOptions) === null || _e === void 0 ? void 0 : _e.enabled)) {
-            const nonCaeOptions = Object.assign({ name: `${options.tokenCachePersistenceOptions.name}.${CACHE_NON_CAE_SUFFIX}` }, options.tokenCachePersistenceOptions);
-            const caeOptions = Object.assign({ name: `${options.tokenCachePersistenceOptions.name}.${CACHE_CAE_SUFFIX}` }, options.tokenCachePersistenceOptions);
-            this.createCachePlugin = () => persistenceProvider(nonCaeOptions);
-            this.createCachePluginCae = () => persistenceProvider(caeOptions);
+        // We want to make sure we use the one assigned by the user on the VSCode settings.
+        // Or just `AzureCloud` by default.
+        this.cloudName = (getPropertyFromVSCode("azure.cloud") || "AzureCloud");
+        // Picking an authority host based on the cloud name.
+        const authorityHost = mapVSCodeAuthorityHosts[this.cloudName];
+        this.identityClient = new IdentityClient(Object.assign({ authorityHost }, options));
+        if (options && options.tenantId) {
+            checkTenantId(logger$o, options.tenantId);
+            this.tenantId = options.tenantId;
         }
-        else if ((_f = options.tokenCachePersistenceOptions) === null || _f === void 0 ? void 0 : _f.enabled) {
-            throw new Error([
-                "Persistent token caching was requested, but no persistence provider was configured.",
-                "You must install the identity-cache-persistence plugin package (`npm install --save @azure/identity-cache-persistence`)",
-                "and enable it by importing `useIdentityPlugin` from `@azure/identity` and calling",
-                "`useIdentityPlugin(cachePersistencePlugin)` before using `tokenCachePersistenceOptions`.",
-            ].join(" "));
-        }
-        // If broker has not been configured
-        if (!hasNativeBroker() && this.enableBroker) {
-            throw new Error([
-                "Broker for WAM was requested to be enabled, but no native broker was configured.",
-                "You must install the identity-broker plugin package (`npm install --save @azure/identity-broker`)",
-                "and enable it by importing `useIdentityPlugin` from `@azure/identity` and calling",
-                "`useIdentityPlugin(createNativeBrokerPlugin())` before using `enableBroker`.",
-            ].join(" "));
-        }
-        this.azureRegion = (_g = options.regionalAuthority) !== null && _g !== void 0 ? _g : process.env.AZURE_REGIONAL_AUTHORITY_NAME;
-        if (this.azureRegion === RegionalAuthority.AutoDiscoverRegion) {
-            this.azureRegion = "AUTO_DISCOVER";
+        else {
+            this.tenantId = CommonTenantId;
         }
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        checkUnsupportedTenant(this.tenantId);
     }
     /**
-     * Generates a MSAL configuration that generally works for Node.js
+     * Runs preparations for any further getToken request.
      */
-    defaultNodeMsalConfig(options) {
-        var _a;
-        const clientId = options.clientId || DeveloperSignOnClientId;
-        const tenantId = resolveTenantId(options.logger, options.tenantId, options.clientId);
-        this.authorityHost = options.authorityHost || process.env.AZURE_AUTHORITY_HOST;
-        const authority = getAuthority(tenantId, this.authorityHost);
-        this.identityClient = new IdentityClient(Object.assign(Object.assign({}, options.tokenCredentialOptions), { authorityHost: authority, loggingOptions: options.loggingOptions }));
-        const clientCapabilities = [];
-        return {
-            auth: {
-                clientId,
-                authority,
-                knownAuthorities: getKnownAuthorities(tenantId, authority, options.disableInstanceDiscovery),
-                clientCapabilities,
-            },
-            // Cache is defined in this.prepare();
-            system: {
-                networkClient: this.identityClient,
-                loggerOptions: {
-                    loggerCallback: defaultLoggerCallback(options.logger),
-                    logLevel: getMSALLogLevel(logger$q.getLogLevel()),
-                    piiLoggingEnabled: (_a = options.loggingOptions) === null || _a === void 0 ? void 0 : _a.enableUnsafeSupportLogging,
-                },
-            },
-        };
-    }
-    getApp(appType, enableCae) {
-        const app = enableCae ? this.caeApp : this.app;
-        if (appType === "publicFirst") {
-            return (app.public || app.confidential);
-        }
-        else if (appType === "confidentialFirst") {
-            return (app.confidential || app.public);
-        }
-        else if (appType === "confidential") {
-            return app.confidential;
-        }
-        else {
-            return app.public;
+    async prepare() {
+        // Attempts to load the tenant from the VSCode configuration file.
+        const settingsTenant = getPropertyFromVSCode("azure.tenant");
+        if (settingsTenant) {
+            this.tenantId = settingsTenant;
         }
+        checkUnsupportedTenant(this.tenantId);
     }
     /**
-     * Prepares the MSAL applications.
+     * Runs preparations for any further getToken, but only once.
      */
-    async init(options) {
-        if (options === null || options === void 0 ? void 0 : options.abortSignal) {
-            options.abortSignal.addEventListener("abort", () => {
-                // This will abort any pending request in the IdentityClient,
-                // based on the received or generated correlationId
-                this.identityClient.abortRequests(options.correlationId);
-            });
-        }
-        const app = (options === null || options === void 0 ? void 0 : options.enableCae) ? this.caeApp : this.app;
-        if (options === null || options === void 0 ? void 0 : options.enableCae) {
-            this.msalConfig.auth.clientCapabilities = ["cp1"];
-        }
-        if (app.public || app.confidential) {
-            return;
-        }
-        if ((options === null || options === void 0 ? void 0 : options.enableCae) && this.createCachePluginCae !== undefined) {
-            this.msalConfig.cache = {
-                cachePlugin: await this.createCachePluginCae(),
-            };
-        }
-        if (this.createCachePlugin !== undefined) {
-            this.msalConfig.cache = {
-                cachePlugin: await this.createCachePlugin(),
-            };
-        }
-        if (hasNativeBroker() && this.enableBroker) {
-            this.msalConfig.broker = {
-                nativeBrokerPlugin: nativeBrokerInfo.broker,
-            };
-            if (!this.parentWindowHandle) {
-                // error should have been thrown from within the constructor of InteractiveBrowserCredential
-                this.logger.warning("Parent window handle is not specified for the broker. This may cause unexpected behavior. Please provide the parentWindowHandle.");
-            }
-        }
-        if (options === null || options === void 0 ? void 0 : options.enableCae) {
-            this.caeApp.public = new msalCommon__namespace.PublicClientApplication(this.msalConfig);
-        }
-        else {
-            this.app.public = new msalCommon__namespace.PublicClientApplication(this.msalConfig);
-        }
-        if (this.getAssertion) {
-            this.msalConfig.auth.clientAssertion = await this.getAssertion();
-        }
-        // The confidential client requires either a secret, assertion or certificate.
-        if (this.msalConfig.auth.clientSecret ||
-            this.msalConfig.auth.clientAssertion ||
-            this.msalConfig.auth.clientCertificate) {
-            if (options === null || options === void 0 ? void 0 : options.enableCae) {
-                this.caeApp.confidential = new msalCommon__namespace.ConfidentialClientApplication(this.msalConfig);
-            }
-            else {
-                this.app.confidential = new msalCommon__namespace.ConfidentialClientApplication(this.msalConfig);
-            }
-        }
-        else {
-            if (this.requiresConfidential) {
-                throw new Error("Unable to generate the MSAL confidential client. Missing either the client's secret, certificate or assertion.");
-            }
+    prepareOnce() {
+        if (!this.preparePromise) {
+            this.preparePromise = this.prepare();
         }
+        return this.preparePromise;
     }
     /**
-     * Allows the cancellation of a MSAL request.
-     */
-    withCancellation(promise, abortSignal, onCancel) {
-        return new Promise((resolve, reject) => {
-            promise
-                .then((msalToken) => {
-                return resolve(msalToken);
-            })
-                .catch(reject);
-            if (abortSignal) {
-                abortSignal.addEventListener("abort", () => {
-                    onCancel === null || onCancel === void 0 ? void 0 : onCancel();
-                });
-            }
-        });
-    }
-    /**
-     * Returns the existing account, attempts to load the account from MSAL.
+     * Returns the token found by searching VSCode's authentication cache or
+     * returns null if no token could be found.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this
+     *                `TokenCredential` implementation might make.
      */
-    async getActiveAccount(enableCae = false) {
-        if (this.account) {
-            return this.account;
-        }
-        const cache = this.getApp("confidentialFirst", enableCae).getTokenCache();
-        const accountsByTenant = await (cache === null || cache === void 0 ? void 0 : cache.getAllAccounts());
-        if (!accountsByTenant) {
-            return;
-        }
-        if (accountsByTenant.length === 1) {
-            this.account = msalToPublic(this.clientId, accountsByTenant[0]);
+    async getToken(scopes, options) {
+        var _a, _b;
+        await this.prepareOnce();
+        const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds, logger$o) || this.tenantId;
+        if (findCredentials === undefined) {
+            throw new CredentialUnavailableError([
+                "No implementation of `VisualStudioCodeCredential` is available.",
+                "You must install the identity-vscode plugin package (`npm install --save-dev @azure/identity-vscode`)",
+                "and enable it by importing `useIdentityPlugin` from `@azure/identity` and calling",
+                "`useIdentityPlugin(vsCodePlugin)` before creating a `VisualStudioCodeCredential`.",
+                "To troubleshoot, visit https://aka.ms/azsdk/js/identity/vscodecredential/troubleshoot.",
+            ].join(" "));
         }
-        else {
-            this.logger
-                .info(`More than one account was found authenticated for this Client ID and Tenant ID.
-However, no "authenticationRecord" has been provided for this credential,
-therefore we're unable to pick between these accounts.
-A new login attempt will be requested, to ensure the correct account is picked.
-To work with multiple accounts for the same Client ID and Tenant ID, please provide an "authenticationRecord" when initializing a credential to prevent this from happening.`);
-            return;
+        let scopeString = typeof scopes === "string" ? scopes : scopes.join(" ");
+        // Check to make sure the scope we get back is a valid scope
+        if (!scopeString.match(/^[0-9a-zA-Z-.:/]+$/)) {
+            const error = new Error("Invalid scope was specified by the user or calling client");
+            logger$o.getToken.info(formatError(scopes, error));
+            throw error;
         }
-        return this.account;
-    }
-    /**
-     * Attempts to retrieve a token from cache.
-     */
-    async getTokenSilent(scopes, options) {
-        var _a, _b, _c;
-        await this.getActiveAccount(options === null || options === void 0 ? void 0 : options.enableCae);
-        if (!this.account) {
-            throw new AuthenticationRequiredError({
-                scopes,
-                getTokenOptions: options,
-                message: "Silent authentication failed. We couldn't retrieve an active account from the cache.",
-            });
+        if (scopeString.indexOf("offline_access") < 0) {
+            scopeString += " offline_access";
         }
-        const silentRequest = {
-            // To be able to re-use the account, the Token Cache must also have been provided.
-            account: publicToMsal(this.account),
-            correlationId: options === null || options === void 0 ? void 0 : options.correlationId,
-            scopes,
-            authority: options === null || options === void 0 ? void 0 : options.authority,
-            claims: options === null || options === void 0 ? void 0 : options.claims,
-        };
-        if (hasNativeBroker() && this.enableBroker) {
-            if (!silentRequest.tokenQueryParameters) {
-                silentRequest.tokenQueryParameters = {};
-            }
-            if (!this.parentWindowHandle) {
-                // error should have been thrown from within the constructor of InteractiveBrowserCredential
-                this.logger.warning("Parent window handle is not specified for the broker. This may cause unexpected behavior. Please provide the parentWindowHandle.");
+        // findCredentials returns an array similar to:
+        // [
+        //   {
+        //     account: "",
+        //     password: "",
+        //   },
+        //   /* ... */
+        // ]
+        const credentials = await findCredentials();
+        // If we can't find the credential based on the name, we'll pick the first one available.
+        const { password: refreshToken } = (_b = (_a = credentials.find(({ account }) => account === this.cloudName)) !== null && _a !== void 0 ? _a : credentials[0]) !== null && _b !== void 0 ? _b : {};
+        if (refreshToken) {
+            const tokenResponse = await this.identityClient.refreshAccessToken(tenantId, AzureAccountClientId, scopeString, refreshToken, undefined);
+            if (tokenResponse) {
+                logger$o.getToken.info(formatSuccess(scopes));
+                return tokenResponse.accessToken;
             }
-            if (this.enableMsaPassthrough) {
-                silentRequest.tokenQueryParameters["msal_request_type"] = "consumer_passthrough";
+            else {
+                const error = new CredentialUnavailableError("Could not retrieve the token associated with Visual Studio Code. Have you connected using the 'Azure Account' extension recently? To troubleshoot, visit https://aka.ms/azsdk/js/identity/vscodecredential/troubleshoot.");
+                logger$o.getToken.info(formatError(scopes, error));
+                throw error;
             }
         }
-        try {
-            this.logger.info("Attempting to acquire token silently");
-            /**
-             * The following code to retrieve all accounts is done as a workaround in an attempt to force the
-             * refresh of the token cache with the token and the account passed in through the
-             * `authenticationRecord` parameter. See issue - https://github.com/Azure/azure-sdk-for-js/issues/24349#issuecomment-1496715651
-             * This workaround serves as a workaround for silent authentication not happening when authenticationRecord is passed.
-             */
-            await ((_a = this.getApp("publicFirst", options === null || options === void 0 ? void 0 : options.enableCae)) === null || _a === void 0 ? void 0 : _a.getTokenCache().getAllAccounts());
-            const response = (_c = (await ((_b = this.getApp("confidential", options === null || options === void 0 ? void 0 : options.enableCae)) === null || _b === void 0 ? void 0 : _b.acquireTokenSilent(silentRequest)))) !== null && _c !== void 0 ? _c : (await this.getApp("public", options === null || options === void 0 ? void 0 : options.enableCae).acquireTokenSilent(silentRequest));
-            return this.handleResult(scopes, response || undefined);
-        }
-        catch (err) {
-            throw handleMsalError(scopes, err, options);
+        else {
+            const error = new CredentialUnavailableError("Could not retrieve the token associated with Visual Studio Code. Did you connect using the 'Azure Account' extension? To troubleshoot, visit https://aka.ms/azsdk/js/identity/vscodecredential/troubleshoot.");
+            logger$o.getToken.info(formatError(scopes, error));
+            throw error;
         }
     }
-    /**
-     * Wrapper around each MSAL flow get token operation: doGetToken.
-     * If disableAutomaticAuthentication is sent through the constructor, it will prevent MSAL from requesting the user input.
-     */
-    async getToken(scopes, options = {}) {
-        const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds) ||
-            this.tenantId;
-        options.authority = getAuthority(tenantId, this.authorityHost);
-        options.correlationId = (options === null || options === void 0 ? void 0 : options.correlationId) || randomUUID();
-        await this.init(options);
-        try {
-            // MSAL now caches tokens based on their claims,
-            // so now one has to keep track fo claims in order to retrieve the newer tokens from acquireTokenSilent
-            // This update happened on PR: https://github.com/AzureAD/microsoft-authentication-library-for-js/pull/4533
-            const optionsClaims = options.claims;
-            if (optionsClaims) {
-                this.cachedClaims = optionsClaims;
-            }
-            if (this.cachedClaims && !optionsClaims) {
-                options.claims = this.cachedClaims;
-            }
-            // We don't return the promise since we want to catch errors right here.
-            return await this.getTokenSilent(scopes, options);
+}
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+/**
+ * The context passed to an Identity plugin. This contains objects that
+ * plugins can use to set backend implementations.
+ * @internal
+ */
+const pluginContext = {
+    cachePluginControl: msalNodeFlowCacheControl,
+    nativeBrokerPluginControl: msalNodeFlowNativeBrokerControl,
+    vsCodeCredentialControl: vsCodeCredentialControl,
+};
+/**
+ * Extend Azure Identity with additional functionality. Pass a plugin from
+ * a plugin package, such as:
+ *
+ * - `@azure/identity-cache-persistence`: provides persistent token caching
+ * - `@azure/identity-vscode`: provides the dependencies of
+ *   `VisualStudioCodeCredential` and enables it
+ *
+ * Example:
+ *
+ * ```javascript
+ * import { cachePersistencePlugin } from "@azure/identity-cache-persistence";
+ *
+ * import { useIdentityPlugin, DefaultAzureCredential } from "@azure/identity";
+ * useIdentityPlugin(cachePersistencePlugin);
+ *
+ * // The plugin has the capability to extend `DefaultAzureCredential` and to
+ * // add middleware to the underlying credentials, such as persistence.
+ * const credential = new DefaultAzureCredential({
+ *   tokenCachePersistenceOptions: {
+ *     enabled: true
+ *   }
+ * });
+ * ```
+ *
+ * @param plugin - the plugin to register
+ */
+function useIdentityPlugin(plugin) {
+    plugin(pluginContext);
+}
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+const msiName$6 = "ManagedIdentityCredential - AppServiceMSI 2017";
+const logger$n = credentialLogger(msiName$6);
+/**
+ * Generates the options used on the request for an access token.
+ */
+function prepareRequestOptions$5(scopes, clientId) {
+    const resource = mapScopesToResource(scopes);
+    if (!resource) {
+        throw new Error(`${msiName$6}: Multiple scopes are not supported.`);
+    }
+    const queryParameters = {
+        resource,
+        "api-version": "2017-09-01",
+    };
+    if (clientId) {
+        queryParameters.clientid = clientId;
+    }
+    const query = new URLSearchParams(queryParameters);
+    // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
+    if (!process.env.MSI_ENDPOINT) {
+        throw new Error(`${msiName$6}: Missing environment variable: MSI_ENDPOINT`);
+    }
+    if (!process.env.MSI_SECRET) {
+        throw new Error(`${msiName$6}: Missing environment variable: MSI_SECRET`);
+    }
+    return {
+        url: `${process.env.MSI_ENDPOINT}?${query.toString()}`,
+        method: "GET",
+        headers: coreRestPipeline.createHttpHeaders({
+            Accept: "application/json",
+            secret: process.env.MSI_SECRET,
+        }),
+    };
+}
+/**
+ * Defines how to determine whether the Azure App Service MSI is available, and also how to retrieve a token from the Azure App Service MSI.
+ */
+const appServiceMsi2017 = {
+    name: "appServiceMsi2017",
+    async isAvailable({ scopes }) {
+        const resource = mapScopesToResource(scopes);
+        if (!resource) {
+            logger$n.info(`${msiName$6}: Unavailable. Multiple scopes are not supported.`);
+            return false;
+        }
+        const env = process.env;
+        const result = Boolean(env.MSI_ENDPOINT && env.MSI_SECRET);
+        if (!result) {
+            logger$n.info(`${msiName$6}: Unavailable. The environment variables needed are: MSI_ENDPOINT and MSI_SECRET.`);
+        }
+        return result;
+    },
+    async getToken(configuration, getTokenOptions = {}) {
+        const { identityClient, scopes, clientId, resourceId } = configuration;
+        if (resourceId) {
+            logger$n.warning(`${msiName$6}: managed Identity by resource Id is not supported. Argument resourceId might be ignored by the service.`);
+        }
+        logger$n.info(`${msiName$6}: Using the endpoint and the secret coming form the environment variables: MSI_ENDPOINT=${process.env.MSI_ENDPOINT} and MSI_SECRET=[REDACTED].`);
+        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$5(scopes, clientId)), { 
+            // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
+            allowInsecureConnection: true }));
+        const tokenResponse = await identityClient.sendTokenRequest(request);
+        return (tokenResponse && tokenResponse.accessToken) || null;
+    },
+};
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+const msiName$5 = "ManagedIdentityCredential - AppServiceMSI 2019";
+const logger$m = credentialLogger(msiName$5);
+/**
+ * Generates the options used on the request for an access token.
+ */
+function prepareRequestOptions$4(scopes, clientId, resourceId) {
+    const resource = mapScopesToResource(scopes);
+    if (!resource) {
+        throw new Error(`${msiName$5}: Multiple scopes are not supported.`);
+    }
+    const queryParameters = {
+        resource,
+        "api-version": "2019-08-01",
+    };
+    if (clientId) {
+        queryParameters.client_id = clientId;
+    }
+    if (resourceId) {
+        queryParameters.mi_res_id = resourceId;
+    }
+    const query = new URLSearchParams(queryParameters);
+    // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
+    if (!process.env.IDENTITY_ENDPOINT) {
+        throw new Error(`${msiName$5}: Missing environment variable: IDENTITY_ENDPOINT`);
+    }
+    if (!process.env.IDENTITY_HEADER) {
+        throw new Error(`${msiName$5}: Missing environment variable: IDENTITY_HEADER`);
+    }
+    return {
+        url: `${process.env.IDENTITY_ENDPOINT}?${query.toString()}`,
+        method: "GET",
+        headers: coreRestPipeline.createHttpHeaders({
+            Accept: "application/json",
+            "X-IDENTITY-HEADER": process.env.IDENTITY_HEADER,
+        }),
+    };
+}
+/**
+ * Defines how to determine whether the Azure App Service MSI is available, and also how to retrieve a token from the Azure App Service MSI.
+ */
+const appServiceMsi2019 = {
+    name: "appServiceMsi2019",
+    async isAvailable({ scopes }) {
+        const resource = mapScopesToResource(scopes);
+        if (!resource) {
+            logger$m.info(`${msiName$5}: Unavailable. Multiple scopes are not supported.`);
+            return false;
+        }
+        const env = process.env;
+        const result = Boolean(env.IDENTITY_ENDPOINT && env.IDENTITY_HEADER);
+        if (!result) {
+            logger$m.info(`${msiName$5}: Unavailable. The environment variables needed are: IDENTITY_ENDPOINT and IDENTITY_HEADER.`);
+        }
+        return result;
+    },
+    async getToken(configuration, getTokenOptions = {}) {
+        const { identityClient, scopes, clientId, resourceId } = configuration;
+        logger$m.info(`${msiName$5}: Using the endpoint and the secret coming form the environment variables: IDENTITY_ENDPOINT=${process.env.IDENTITY_ENDPOINT} and IDENTITY_HEADER=[REDACTED].`);
+        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$4(scopes, clientId, resourceId)), { 
+            // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
+            allowInsecureConnection: true }));
+        const tokenResponse = await identityClient.sendTokenRequest(request);
+        return (tokenResponse && tokenResponse.accessToken) || null;
+    },
+};
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+const msiName$4 = "ManagedIdentityCredential - Azure Arc MSI";
+const logger$l = credentialLogger(msiName$4);
+/**
+ * Generates the options used on the request for an access token.
+ */
+function prepareRequestOptions$3(scopes, clientId, resourceId) {
+    const resource = mapScopesToResource(scopes);
+    if (!resource) {
+        throw new Error(`${msiName$4}: Multiple scopes are not supported.`);
+    }
+    const queryParameters = {
+        resource,
+        "api-version": azureArcAPIVersion,
+    };
+    if (clientId) {
+        queryParameters.client_id = clientId;
+    }
+    if (resourceId) {
+        queryParameters.msi_res_id = resourceId;
+    }
+    // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
+    if (!process.env.IDENTITY_ENDPOINT) {
+        throw new Error(`${msiName$4}: Missing environment variable: IDENTITY_ENDPOINT`);
+    }
+    const query = new URLSearchParams(queryParameters);
+    return coreRestPipeline.createPipelineRequest({
+        // Should be similar to: http://localhost:40342/metadata/identity/oauth2/token
+        url: `${process.env.IDENTITY_ENDPOINT}?${query.toString()}`,
+        method: "GET",
+        headers: coreRestPipeline.createHttpHeaders({
+            Accept: "application/json",
+            Metadata: "true",
+        }),
+    });
+}
+/**
+ * Retrieves the file contents at the given path using promises.
+ * Useful since `fs`'s readFileSync locks the thread, and to avoid extra dependencies.
+ */
+function readFileAsync$1(path, options) {
+    return new Promise((resolve, reject) => fs.readFile(path, options, (err, data) => {
+        if (err) {
+            reject(err);
+        }
+        resolve(data);
+    }));
+}
+/**
+ * Does a request to the authentication provider that results in a file path.
+ */
+async function filePathRequest(identityClient, requestPrepareOptions) {
+    const response = await identityClient.sendRequest(coreRestPipeline.createPipelineRequest(requestPrepareOptions));
+    if (response.status !== 401) {
+        let message = "";
+        if (response.bodyAsText) {
+            message = ` Response: ${response.bodyAsText}`;
+        }
+        throw new AuthenticationError(response.status, `${msiName$4}: To authenticate with Azure Arc MSI, status code 401 is expected on the first request. ${message}`);
+    }
+    const authHeader = response.headers.get("www-authenticate") || "";
+    try {
+        return authHeader.split("=").slice(1)[0];
+    }
+    catch (e) {
+        throw Error(`Invalid www-authenticate header format: ${authHeader}`);
+    }
+}
+/**
+ * Defines how to determine whether the Azure Arc MSI is available, and also how to retrieve a token from the Azure Arc MSI.
+ */
+const arcMsi = {
+    name: "arc",
+    async isAvailable({ scopes }) {
+        const resource = mapScopesToResource(scopes);
+        if (!resource) {
+            logger$l.info(`${msiName$4}: Unavailable. Multiple scopes are not supported.`);
+            return false;
+        }
+        const result = Boolean(process.env.IMDS_ENDPOINT && process.env.IDENTITY_ENDPOINT);
+        if (!result) {
+            logger$l.info(`${msiName$4}: The environment variables needed are: IMDS_ENDPOINT and IDENTITY_ENDPOINT`);
+        }
+        return result;
+    },
+    async getToken(configuration, getTokenOptions = {}) {
+        var _a;
+        const { identityClient, scopes, clientId, resourceId } = configuration;
+        if (clientId) {
+            logger$l.warning(`${msiName$4}: user-assigned identities not supported. The argument clientId might be ignored by the service.`);
+        }
+        if (resourceId) {
+            logger$l.warning(`${msiName$4}: user defined managed Identity by resource Id is not supported. Argument resourceId will be ignored.`);
+        }
+        logger$l.info(`${msiName$4}: Authenticating.`);
+        const requestOptions = Object.assign(Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$3(scopes, clientId, resourceId)), { allowInsecureConnection: true });
+        const filePath = await filePathRequest(identityClient, requestOptions);
+        if (!filePath) {
+            throw new Error(`${msiName$4}: Failed to find the token file.`);
+        }
+        const key = await readFileAsync$1(filePath, { encoding: "utf-8" });
+        (_a = requestOptions.headers) === null || _a === void 0 ? void 0 : _a.set("Authorization", `Basic ${key}`);
+        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({}, requestOptions), { 
+            // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
+            allowInsecureConnection: true }));
+        const tokenResponse = await identityClient.sendTokenRequest(request);
+        return (tokenResponse && tokenResponse.accessToken) || null;
+    },
+};
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+const msiName$3 = "ManagedIdentityCredential - CloudShellMSI";
+const logger$k = credentialLogger(msiName$3);
+/**
+ * Generates the options used on the request for an access token.
+ */
+function prepareRequestOptions$2(scopes, clientId, resourceId) {
+    const resource = mapScopesToResource(scopes);
+    if (!resource) {
+        throw new Error(`${msiName$3}: Multiple scopes are not supported.`);
+    }
+    const body = {
+        resource,
+    };
+    if (clientId) {
+        body.client_id = clientId;
+    }
+    if (resourceId) {
+        body.msi_res_id = resourceId;
+    }
+    // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
+    if (!process.env.MSI_ENDPOINT) {
+        throw new Error(`${msiName$3}: Missing environment variable: MSI_ENDPOINT`);
+    }
+    const params = new URLSearchParams(body);
+    return {
+        url: process.env.MSI_ENDPOINT,
+        method: "POST",
+        body: params.toString(),
+        headers: coreRestPipeline.createHttpHeaders({
+            Accept: "application/json",
+            Metadata: "true",
+            "Content-Type": "application/x-www-form-urlencoded",
+        }),
+    };
+}
+/**
+ * Defines how to determine whether the Azure Cloud Shell MSI is available, and also how to retrieve a token from the Azure Cloud Shell MSI.
+ * Since Azure Managed Identities aren't available in the Azure Cloud Shell, we log a warning for users that try to access cloud shell using user assigned identity.
+ */
+const cloudShellMsi = {
+    name: "cloudShellMsi",
+    async isAvailable({ scopes }) {
+        const resource = mapScopesToResource(scopes);
+        if (!resource) {
+            logger$k.info(`${msiName$3}: Unavailable. Multiple scopes are not supported.`);
+            return false;
         }
-        catch (err) {
-            if (err.name !== "AuthenticationRequiredError") {
-                throw err;
-            }
-            if (options === null || options === void 0 ? void 0 : options.disableAutomaticAuthentication) {
-                throw new AuthenticationRequiredError({
-                    scopes,
-                    getTokenOptions: options,
-                    message: "Automatic authentication has been disabled. You may call the authentication() method.",
-                });
-            }
-            this.logger.info(`Silent authentication failed, falling back to interactive method.`);
-            return this.doGetToken(scopes, options);
+        const result = Boolean(process.env.MSI_ENDPOINT);
+        if (!result) {
+            logger$k.info(`${msiName$3}: Unavailable. The environment variable MSI_ENDPOINT is needed.`);
+        }
+        return result;
+    },
+    async getToken(configuration, getTokenOptions = {}) {
+        const { identityClient, scopes, clientId, resourceId } = configuration;
+        if (clientId) {
+            logger$k.warning(`${msiName$3}: user-assigned identities not supported. The argument clientId might be ignored by the service.`);
         }
+        if (resourceId) {
+            logger$k.warning(`${msiName$3}: user defined managed Identity by resource Id not supported. The argument resourceId might be ignored by the service.`);
+        }
+        logger$k.info(`${msiName$3}: Using the endpoint coming form the environment variable MSI_ENDPOINT = ${process.env.MSI_ENDPOINT}.`);
+        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$2(scopes, clientId, resourceId)), { 
+            // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
+            allowInsecureConnection: true }));
+        const tokenResponse = await identityClient.sendTokenRequest(request);
+        return (tokenResponse && tokenResponse.accessToken) || null;
+    },
+};
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+// This MSI can be easily tested by deploying a container to Azure Service Fabric with the Dockerfile:
+//
+//   FROM node:12
+//   RUN wget https://host.any/path/bash.sh
+//   CMD ["bash", "bash.sh"]
+//
+// Where the bash script contains:
+//
+//   curl --insecure $IDENTITY_ENDPOINT'?api-version=2019-07-01-preview&resource=https://vault.azure.net/' -H "Secret: $IDENTITY_HEADER"
+//
+const msiName$2 = "ManagedIdentityCredential - Fabric MSI";
+const logger$j = credentialLogger(msiName$2);
+/**
+ * Generates the options used on the request for an access token.
+ */
+function prepareRequestOptions$1(scopes, clientId, resourceId) {
+    const resource = mapScopesToResource(scopes);
+    if (!resource) {
+        throw new Error(`${msiName$2}: Multiple scopes are not supported.`);
     }
-    /**
-     * Handles the MSAL authentication result.
-     * If the result has an account, we update the local account reference.
-     * If the token received is invalid, an error will be thrown depending on what's missing.
-     */
-    handleResult(scopes, result, getTokenOptions) {
-        if (result === null || result === void 0 ? void 0 : result.account) {
-            this.account = msalToPublic(this.clientId, result.account);
+    const queryParameters = {
+        resource,
+        "api-version": azureFabricVersion,
+    };
+    if (clientId) {
+        queryParameters.client_id = clientId;
+    }
+    if (resourceId) {
+        queryParameters.msi_res_id = resourceId;
+    }
+    const query = new URLSearchParams(queryParameters);
+    // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
+    if (!process.env.IDENTITY_ENDPOINT) {
+        throw new Error("Missing environment variable: IDENTITY_ENDPOINT");
+    }
+    if (!process.env.IDENTITY_HEADER) {
+        throw new Error("Missing environment variable: IDENTITY_HEADER");
+    }
+    return {
+        url: `${process.env.IDENTITY_ENDPOINT}?${query.toString()}`,
+        method: "GET",
+        headers: coreRestPipeline.createHttpHeaders({
+            Accept: "application/json",
+            secret: process.env.IDENTITY_HEADER,
+        }),
+    };
+}
+/**
+ * Defines how to determine whether the Azure Service Fabric MSI is available, and also how to retrieve a token from the Azure Service Fabric MSI.
+ */
+const fabricMsi = {
+    name: "fabricMsi",
+    async isAvailable({ scopes }) {
+        const resource = mapScopesToResource(scopes);
+        if (!resource) {
+            logger$j.info(`${msiName$2}: Unavailable. Multiple scopes are not supported.`);
+            return false;
         }
-        ensureValidMsalToken(scopes, result, getTokenOptions);
-        this.logger.getToken.info(formatSuccess(scopes));
-        return {
-            token: result.accessToken,
-            expiresOnTimestamp: result.expiresOn.getTime(),
-        };
+        const env = process.env;
+        const result = Boolean(env.IDENTITY_ENDPOINT && env.IDENTITY_HEADER && env.IDENTITY_SERVER_THUMBPRINT);
+        if (!result) {
+            logger$j.info(`${msiName$2}: Unavailable. The environment variables needed are: IDENTITY_ENDPOINT, IDENTITY_HEADER and IDENTITY_SERVER_THUMBPRINT`);
+        }
+        return result;
+    },
+    async getToken(configuration, getTokenOptions = {}) {
+        const { scopes, identityClient, clientId, resourceId } = configuration;
+        if (resourceId) {
+            logger$j.warning(`${msiName$2}: user defined managed Identity by resource Id is not supported. Argument resourceId might be ignored by the service.`);
+        }
+        logger$j.info([
+            `${msiName$2}:`,
+            "Using the endpoint and the secret coming from the environment variables:",
+            `IDENTITY_ENDPOINT=${process.env.IDENTITY_ENDPOINT},`,
+            "IDENTITY_HEADER=[REDACTED] and",
+            "IDENTITY_SERVER_THUMBPRINT=[REDACTED].",
+        ].join(" "));
+        const request = coreRestPipeline.createPipelineRequest(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$1(scopes, clientId, resourceId)));
+        request.agent = new https.Agent({
+            // This is necessary because Service Fabric provides a self-signed certificate.
+            // The alternative path is to verify the certificate using the IDENTITY_SERVER_THUMBPRINT env variable.
+            rejectUnauthorized: false,
+        });
+        const tokenResponse = await identityClient.sendTokenRequest(request);
+        return (tokenResponse && tokenResponse.accessToken) || null;
+    },
+};
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+/**
+ * @internal
+ */
+const logger$i = credentialLogger("IdentityUtils");
+/**
+ * Latest AuthenticationRecord version
+ * @internal
+ */
+const LatestAuthenticationRecordVersion = "1.0";
+/**
+ * Ensures the validity of the MSAL token
+ * @internal
+ */
+function ensureValidMsalToken(scopes, msalToken, getTokenOptions) {
+    const error = (message) => {
+        logger$i.getToken.info(message);
+        return new AuthenticationRequiredError({
+            scopes: Array.isArray(scopes) ? scopes : [scopes],
+            getTokenOptions,
+            message,
+        });
+    };
+    if (!msalToken) {
+        throw error("No response");
+    }
+    if (!msalToken.expiresOn) {
+        throw error(`Response had no "expiresOn" property.`);
+    }
+    if (!msalToken.accessToken) {
+        throw error(`Response had no "accessToken" property.`);
+    }
+}
+/**
+ * Generates a valid authority by combining a host with a tenantId.
+ * @internal
+ */
+function getAuthority(tenantId, host) {
+    if (!host) {
+        host = DefaultAuthorityHost;
+    }
+    if (new RegExp(`${tenantId}/?$`).test(host)) {
+        return host;
+    }
+    if (host.endsWith("/")) {
+        return host + tenantId;
+    }
+    else {
+        return `${host}/${tenantId}`;
+    }
+}
+/**
+ * Generates the known authorities.
+ * If the Tenant Id is `adfs`, the authority can't be validated since the format won't match the expected one.
+ * For that reason, we have to force MSAL to disable validating the authority
+ * by sending it within the known authorities in the MSAL configuration.
+ * @internal
+ */
+function getKnownAuthorities(tenantId, authorityHost, disableInstanceDiscovery) {
+    if ((tenantId === "adfs" && authorityHost) || disableInstanceDiscovery) {
+        return [authorityHost];
+    }
+    return [];
+}
+/**
+ * Generates a logger that can be passed to the MSAL clients.
+ * @param credLogger - The logger of the credential.
+ * @internal
+ */
+const defaultLoggerCallback = (credLogger, platform = coreUtil.isNode ? "Node" : "Browser") => (level, message, containsPii) => {
+    if (containsPii) {
+        return;
+    }
+    switch (level) {
+        case msalCommon__namespace.LogLevel.Error:
+            credLogger.info(`MSAL ${platform} V2 error: ${message}`);
+            return;
+        case msalCommon__namespace.LogLevel.Info:
+            credLogger.info(`MSAL ${platform} V2 info message: ${message}`);
+            return;
+        case msalCommon__namespace.LogLevel.Verbose:
+            credLogger.info(`MSAL ${platform} V2 verbose message: ${message}`);
+            return;
+        case msalCommon__namespace.LogLevel.Warning:
+            credLogger.info(`MSAL ${platform} V2 warning: ${message}`);
+            return;
     }
-}
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-const CommonTenantId = "common";
-const AzureAccountClientId = "aebc6443-996d-45c2-90f0-388ff96faa56"; // VSC: 'aebc6443-996d-45c2-90f0-388ff96faa56'
-const logger$n = credentialLogger("VisualStudioCodeCredential");
-let findCredentials = undefined;
-const vsCodeCredentialControl = {
-    setVsCodeCredentialFinder(finder) {
-        findCredentials = finder;
-    },
-};
-// Map of unsupported Tenant IDs and the errors we will be throwing.
-const unsupportedTenantIds = {
-    adfs: "The VisualStudioCodeCredential does not support authentication with ADFS tenants.",
 };
-function checkUnsupportedTenant(tenantId) {
-    // If the Tenant ID isn't supported, we throw.
-    const unsupportedTenantError = unsupportedTenantIds[tenantId];
-    if (unsupportedTenantError) {
-        throw new CredentialUnavailableError(unsupportedTenantError);
+/**
+ * @internal
+ */
+function getMSALLogLevel(logLevel) {
+    switch (logLevel) {
+        case "error":
+            return msalCommon__namespace.LogLevel.Error;
+        case "info":
+            return msalCommon__namespace.LogLevel.Info;
+        case "verbose":
+            return msalCommon__namespace.LogLevel.Verbose;
+        case "warning":
+            return msalCommon__namespace.LogLevel.Warning;
+        default:
+            // default msal logging level should be Info
+            return msalCommon__namespace.LogLevel.Info;
     }
 }
-const mapVSCodeAuthorityHosts = {
-    AzureCloud: exports.AzureAuthorityHosts.AzurePublicCloud,
-    AzureChina: exports.AzureAuthorityHosts.AzureChina,
-    AzureGermanCloud: exports.AzureAuthorityHosts.AzureGermany,
-    AzureUSGovernment: exports.AzureAuthorityHosts.AzureGovernment,
-};
 /**
- * Attempts to load a specific property from the VSCode configurations of the current OS.
- * If it fails at any point, returns undefined.
+ * Wraps core-util's randomUUID in order to allow for mocking in tests.
+ * This prepares the library for the upcoming core-util update to ESM.
+ *
+ * @internal
+ * @returns A string containing a random UUID
  */
-function getPropertyFromVSCode(property) {
-    const settingsPath = ["User", "settings.json"];
-    // Eventually we can add more folders for more versions of VSCode.
-    const vsCodeFolder = "Code";
-    const homedir = os.homedir();
-    function loadProperty(...pathSegments) {
-        const fullPath = path.join(...pathSegments, vsCodeFolder, ...settingsPath);
-        const settings = JSON.parse(fs.readFileSync(fullPath, { encoding: "utf8" }));
-        return settings[property];
-    }
-    try {
-        let appData;
-        switch (process.platform) {
-            case "win32":
-                appData = process.env.APPDATA;
-                return appData ? loadProperty(appData) : undefined;
-            case "darwin":
-                return loadProperty(homedir, "Library", "Application Support");
-            case "linux":
-                return loadProperty(homedir, ".config");
+function randomUUID() {
+    return coreUtil.randomUUID();
+}
+/**
+ * Handles MSAL errors.
+ */
+function handleMsalError(scopes, error, getTokenOptions) {
+    if (error.name === "AuthError" ||
+        error.name === "ClientAuthError" ||
+        error.name === "BrowserAuthError") {
+        const msalError = error;
+        switch (msalError.errorCode) {
+            case "endpoints_resolution_error":
+                logger$i.info(formatError(scopes, error.message));
+                return new CredentialUnavailableError(error.message);
+            case "device_code_polling_cancelled":
+                return new abortController.AbortError("The authentication has been aborted by the caller.");
+            case "consent_required":
+            case "interaction_required":
+            case "login_required":
+                logger$i.info(formatError(scopes, `Authentication returned errorCode ${msalError.errorCode}`));
+                break;
             default:
-                return;
+                logger$i.info(formatError(scopes, `Failed to acquire token: ${error.message}`));
+                break;
         }
     }
-    catch (e) {
-        logger$n.info(`Failed to load the Visual Studio Code configuration file. Error: ${e.message}`);
-        return;
+    if (error.name === "ClientConfigurationError" ||
+        error.name === "BrowserConfigurationAuthError" ||
+        error.name === "AbortError") {
+        return error;
+    }
+    if (error.name === "NativeAuthError") {
+        logger$i.info(formatError(scopes, `Error from the native broker: ${error.message} with status code: ${error.statusCode}`));
+        return error;
     }
+    return new AuthenticationRequiredError({ scopes, getTokenOptions, message: error.message });
+}
+// transformations.ts
+function publicToMsal(account) {
+    const [environment] = account.authority.match(/([a-z]*\.[a-z]*\.[a-z]*)/) || [""];
+    return Object.assign(Object.assign({}, account), { localAccountId: account.homeAccountId, environment });
+}
+function msalToPublic(clientId, account) {
+    const record = {
+        authority: getAuthority(account.tenantId, account.environment),
+        homeAccountId: account.homeAccountId,
+        tenantId: account.tenantId || DefaultTenantId,
+        username: account.username,
+        clientId,
+        version: LatestAuthenticationRecordVersion,
+    };
+    return record;
 }
 /**
- * Connects to Azure using the credential provided by the VSCode extension 'Azure Account'.
- * Once the user has logged in via the extension, this credential can share the same refresh token
- * that is cached by the extension.
+ * Serializes an `AuthenticationRecord` into a string.
  *
- * It's a [known issue](https://github.com/Azure/azure-sdk-for-js/issues/20500) that this credential doesn't
- * work with [Azure Account extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode.azure-account)
- * versions newer than **0.9.11**. A long-term fix to this problem is in progress. In the meantime, consider
- * authenticating with {@link AzureCliCredential}.
+ * The output of a serialized authentication record will contain the following properties:
+ *
+ * - "authority"
+ * - "homeAccountId"
+ * - "clientId"
+ * - "tenantId"
+ * - "username"
+ * - "version"
+ *
+ * To later convert this string to a serialized `AuthenticationRecord`, please use the exported function `deserializeAuthenticationRecord()`.
  */
-class VisualStudioCodeCredential {
-    /**
-     * Creates an instance of VisualStudioCodeCredential to use for automatically authenticating via VSCode.
-     *
-     * **Note**: `VisualStudioCodeCredential` is provided by a plugin package:
-     * `@azure/identity-vscode`. If this package is not installed and registered
-     * using the plugin API (`useIdentityPlugin`), then authentication using
-     * `VisualStudioCodeCredential` will not be available.
-     *
-     * @param options - Options for configuring the client which makes the authentication request.
-     */
-    constructor(options) {
-        // We want to make sure we use the one assigned by the user on the VSCode settings.
-        // Or just `AzureCloud` by default.
-        this.cloudName = (getPropertyFromVSCode("azure.cloud") || "AzureCloud");
-        // Picking an authority host based on the cloud name.
-        const authorityHost = mapVSCodeAuthorityHosts[this.cloudName];
-        this.identityClient = new IdentityClient(Object.assign({ authorityHost }, options));
-        if (options && options.tenantId) {
-            checkTenantId(logger$n, options.tenantId);
-            this.tenantId = options.tenantId;
-        }
-        else {
-            this.tenantId = CommonTenantId;
-        }
-        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
-        checkUnsupportedTenant(this.tenantId);
+function serializeAuthenticationRecord(record) {
+    return JSON.stringify(record);
+}
+/**
+ * Deserializes a previously serialized authentication record from a string into an object.
+ *
+ * The input string must contain the following properties:
+ *
+ * - "authority"
+ * - "homeAccountId"
+ * - "clientId"
+ * - "tenantId"
+ * - "username"
+ * - "version"
+ *
+ * If the version we receive is unsupported, an error will be thrown.
+ *
+ * At the moment, the only available version is: "1.0", which is always set when the authentication record is serialized.
+ *
+ * @param serializedRecord - Authentication record previously serialized into string.
+ * @returns AuthenticationRecord.
+ */
+function deserializeAuthenticationRecord(serializedRecord) {
+    const parsed = JSON.parse(serializedRecord);
+    if (parsed.version && parsed.version !== LatestAuthenticationRecordVersion) {
+        throw Error("Unsupported AuthenticationRecord version");
     }
-    /**
-     * Runs preparations for any further getToken request.
-     */
-    async prepare() {
-        // Attempts to load the tenant from the VSCode configuration file.
-        const settingsTenant = getPropertyFromVSCode("azure.tenant");
-        if (settingsTenant) {
-            this.tenantId = settingsTenant;
-        }
-        checkUnsupportedTenant(this.tenantId);
+    return parsed;
+}
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+const msiName$1 = "ManagedIdentityCredential - IMDS";
+const logger$h = credentialLogger(msiName$1);
+/**
+ * Generates the options used on the request for an access token.
+ */
+function prepareRequestOptions(scopes, clientId, resourceId, options) {
+    var _a;
+    const resource = mapScopesToResource(scopes);
+    if (!resource) {
+        throw new Error(`${msiName$1}: Multiple scopes are not supported.`);
     }
-    /**
-     * Runs preparations for any further getToken, but only once.
-     */
-    prepareOnce() {
-        if (!this.preparePromise) {
-            this.preparePromise = this.prepare();
+    const { skipQuery, skipMetadataHeader } = options || {};
+    let query = "";
+    // Pod Identity will try to process this request even if the Metadata header is missing.
+    // We can exclude the request query to ensure no IMDS endpoint tries to process the ping request.
+    if (!skipQuery) {
+        const queryParameters = {
+            resource,
+            "api-version": imdsApiVersion,
+        };
+        if (clientId) {
+            queryParameters.client_id = clientId;
         }
-        return this.preparePromise;
+        if (resourceId) {
+            queryParameters.msi_res_id = resourceId;
+        }
+        const params = new URLSearchParams(queryParameters);
+        query = `?${params.toString()}`;
     }
-    /**
-     * Returns the token found by searching VSCode's authentication cache or
-     * returns null if no token could be found.
-     *
-     * @param scopes - The list of scopes for which the token will have access.
-     * @param options - The options used to configure any requests this
-     *                `TokenCredential` implementation might make.
-     */
-    async getToken(scopes, options) {
-        var _a, _b;
-        await this.prepareOnce();
-        const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds, logger$n) || this.tenantId;
-        if (findCredentials === undefined) {
-            throw new CredentialUnavailableError([
-                "No implementation of `VisualStudioCodeCredential` is available.",
-                "You must install the identity-vscode plugin package (`npm install --save-dev @azure/identity-vscode`)",
-                "and enable it by importing `useIdentityPlugin` from `@azure/identity` and calling",
-                "`useIdentityPlugin(vsCodePlugin)` before creating a `VisualStudioCodeCredential`.",
-                "To troubleshoot, visit https://aka.ms/azsdk/js/identity/vscodecredential/troubleshoot.",
-            ].join(" "));
+    const url = new URL(imdsEndpointPath, (_a = process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) !== null && _a !== void 0 ? _a : imdsHost);
+    const rawHeaders = {
+        Accept: "application/json",
+        Metadata: "true",
+    };
+    // Remove the Metadata header to invoke a request error from some IMDS endpoints.
+    if (skipMetadataHeader) {
+        delete rawHeaders.Metadata;
+    }
+    return {
+        // In this case, the `?` should be added in the "query" variable `skipQuery` is not set.
+        url: `${url}${query}`,
+        method: "GET",
+        headers: coreRestPipeline.createHttpHeaders(rawHeaders),
+    };
+}
+/**
+ * Defines how to determine whether the Azure IMDS MSI is available, and also how to retrieve a token from the Azure IMDS MSI.
+ */
+const imdsMsi = {
+    name: "imdsMsi",
+    async isAvailable({ scopes, identityClient, clientId, resourceId, getTokenOptions = {}, }) {
+        const resource = mapScopesToResource(scopes);
+        if (!resource) {
+            logger$h.info(`${msiName$1}: Unavailable. Multiple scopes are not supported.`);
+            return false;
         }
-        let scopeString = typeof scopes === "string" ? scopes : scopes.join(" ");
-        // Check to make sure the scope we get back is a valid scope
-        if (!scopeString.match(/^[0-9a-zA-Z-.:/]+$/)) {
-            const error = new Error("Invalid scope was specified by the user or calling client");
-            logger$n.getToken.info(formatError(scopes, error));
-            throw error;
+        // if the PodIdentityEndpoint environment variable was set no need to probe the endpoint, it can be assumed to exist
+        if (process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) {
+            return true;
         }
-        if (scopeString.indexOf("offline_access") < 0) {
-            scopeString += " offline_access";
+        if (!identityClient) {
+            throw new Error("Missing IdentityClient");
         }
-        // findCredentials returns an array similar to:
-        // [
-        //   {
-        //     account: "",
-        //     password: "",
-        //   },
-        //   /* ... */
-        // ]
-        const credentials = await findCredentials();
-        // If we can't find the credential based on the name, we'll pick the first one available.
-        const { password: refreshToken } = (_b = (_a = credentials.find(({ account }) => account === this.cloudName)) !== null && _a !== void 0 ? _a : credentials[0]) !== null && _b !== void 0 ? _b : {};
-        if (refreshToken) {
-            const tokenResponse = await this.identityClient.refreshAccessToken(tenantId, AzureAccountClientId, scopeString, refreshToken, undefined);
-            if (tokenResponse) {
-                logger$n.getToken.info(formatSuccess(scopes));
-                return tokenResponse.accessToken;
+        const requestOptions = prepareRequestOptions(resource, clientId, resourceId, {
+            skipMetadataHeader: true,
+            skipQuery: true,
+        });
+        return tracingClient.withSpan("ManagedIdentityCredential-pingImdsEndpoint", getTokenOptions, async (options) => {
+            var _a, _b;
+            requestOptions.tracingOptions = options.tracingOptions;
+            // Create a request with a timeout since we expect that
+            // not having a "Metadata" header should cause an error to be
+            // returned quickly from the endpoint, proving its availability.
+            const request = coreRestPipeline.createPipelineRequest(requestOptions);
+            // Default to 1000 if the default of 0 is used.
+            // Negative values can still be used to disable the timeout.
+            request.timeout = ((_a = options.requestOptions) === null || _a === void 0 ? void 0 : _a.timeout) || 1000;
+            // This MSI uses the imdsEndpoint to get the token, which only uses http://
+            request.allowInsecureConnection = true;
+            let response;
+            try {
+                logger$h.info(`${msiName$1}: Pinging the Azure IMDS endpoint`);
+                response = await identityClient.sendRequest(request);
             }
-            else {
-                const error = new CredentialUnavailableError("Could not retrieve the token associated with Visual Studio Code. Have you connected using the 'Azure Account' extension recently? To troubleshoot, visit https://aka.ms/azsdk/js/identity/vscodecredential/troubleshoot.");
-                logger$n.getToken.info(formatError(scopes, error));
-                throw error;
+            catch (err) {
+                // If the request failed, or Node.js was unable to establish a connection,
+                // or the host was down, we'll assume the IMDS endpoint isn't available.
+                if (coreUtil.isError(err)) {
+                    logger$h.verbose(`${msiName$1}: Caught error ${err.name}: ${err.message}`);
+                }
+                // This is a special case for Docker Desktop which responds with a 403 with a message that contains "A socket operation was attempted to an unreachable network" or "A socket operation was attempted to an unreachable host"
+                // rather than just timing out, as expected.
+                logger$h.info(`${msiName$1}: The Azure IMDS endpoint is unavailable`);
+                return false;
+            }
+            if (response.status === 403) {
+                if ((_b = response.bodyAsText) === null || _b === void 0 ? void 0 : _b.includes("unreachable")) {
+                    logger$h.info(`${msiName$1}: The Azure IMDS endpoint is unavailable`);
+                    logger$h.info(`${msiName$1}: ${response.bodyAsText}`);
+                    return false;
+                }
             }
+            // If we received any response, the endpoint is available
+            logger$h.info(`${msiName$1}: The Azure IMDS endpoint is available`);
+            return true;
+        });
+    },
+    async getToken(configuration, getTokenOptions = {}) {
+        const { identityClient, scopes, clientId, resourceId } = configuration;
+        if (process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) {
+            logger$h.info(`${msiName$1}: Using the Azure IMDS endpoint coming from the environment variable AZURE_POD_IDENTITY_AUTHORITY_HOST=${process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST}.`);
         }
         else {
-            const error = new CredentialUnavailableError("Could not retrieve the token associated with Visual Studio Code. Did you connect using the 'Azure Account' extension? To troubleshoot, visit https://aka.ms/azsdk/js/identity/vscodecredential/troubleshoot.");
-            logger$n.getToken.info(formatError(scopes, error));
-            throw error;
+            logger$h.info(`${msiName$1}: Using the default Azure IMDS endpoint ${imdsHost}.`);
         }
-    }
-}
+        let nextDelayInMs = configuration.retryConfig.startDelayInMs;
+        for (let retries = 0; retries < configuration.retryConfig.maxRetries; retries++) {
+            try {
+                const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions(scopes, clientId, resourceId)), { allowInsecureConnection: true }));
+                const tokenResponse = await identityClient.sendTokenRequest(request);
+                return (tokenResponse && tokenResponse.accessToken) || null;
+            }
+            catch (error) {
+                if (error.statusCode === 404) {
+                    await coreUtil.delay(nextDelayInMs);
+                    nextDelayInMs *= configuration.retryConfig.intervalIncrement;
+                    continue;
+                }
+                throw error;
+            }
+        }
+        throw new AuthenticationError(404, `${msiName$1}: Failed to retrieve IMDS token after ${configuration.retryConfig.maxRetries} retries.`);
+    },
+};
 
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 /**
- * The context passed to an Identity plugin. This contains objects that
- * plugins can use to set backend implementations.
- * @internal
- */
-const pluginContext = {
-    cachePluginControl: msalNodeFlowCacheControl,
-    nativeBrokerPluginControl: msalNodeFlowNativeBrokerControl,
-    vsCodeCredentialControl: vsCodeCredentialControl,
-};
-/**
- * Extend Azure Identity with additional functionality. Pass a plugin from
- * a plugin package, such as:
- *
- * - `@azure/identity-cache-persistence`: provides persistent token caching
- * - `@azure/identity-vscode`: provides the dependencies of
- *   `VisualStudioCodeCredential` and enables it
- *
- * Example:
- *
- * ```javascript
- * import { cachePersistencePlugin } from "@azure/identity-cache-persistence";
- *
- * import { useIdentityPlugin, DefaultAzureCredential } from "@azure/identity";
- * useIdentityPlugin(cachePersistencePlugin);
- *
- * // The plugin has the capability to extend `DefaultAzureCredential` and to
- * // add middleware to the underlying credentials, such as persistence.
- * const credential = new DefaultAzureCredential({
- *   tokenCachePersistenceOptions: {
- *     enabled: true
- *   }
- * });
- * ```
- *
- * @param plugin - the plugin to register
+ * Helps specify a regional authority, or "AutoDiscoverRegion" to auto-detect the region.
  */
-function useIdentityPlugin(plugin) {
-    plugin(pluginContext);
-}
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-const msiName$6 = "ManagedIdentityCredential - AppServiceMSI 2017";
-const logger$m = credentialLogger(msiName$6);
+var RegionalAuthority;
+(function (RegionalAuthority) {
+    /** Instructs MSAL to attempt to discover the region */
+    RegionalAuthority["AutoDiscoverRegion"] = "AutoDiscoverRegion";
+    /** Uses the {@link RegionalAuthority} for the Azure 'westus' region. */
+    RegionalAuthority["USWest"] = "westus";
+    /** Uses the {@link RegionalAuthority} for the Azure 'westus2' region. */
+    RegionalAuthority["USWest2"] = "westus2";
+    /** Uses the {@link RegionalAuthority} for the Azure 'centralus' region. */
+    RegionalAuthority["USCentral"] = "centralus";
+    /** Uses the {@link RegionalAuthority} for the Azure 'eastus' region. */
+    RegionalAuthority["USEast"] = "eastus";
+    /** Uses the {@link RegionalAuthority} for the Azure 'eastus2' region. */
+    RegionalAuthority["USEast2"] = "eastus2";
+    /** Uses the {@link RegionalAuthority} for the Azure 'northcentralus' region. */
+    RegionalAuthority["USNorthCentral"] = "northcentralus";
+    /** Uses the {@link RegionalAuthority} for the Azure 'southcentralus' region. */
+    RegionalAuthority["USSouthCentral"] = "southcentralus";
+    /** Uses the {@link RegionalAuthority} for the Azure 'westcentralus' region. */
+    RegionalAuthority["USWestCentral"] = "westcentralus";
+    /** Uses the {@link RegionalAuthority} for the Azure 'canadacentral' region. */
+    RegionalAuthority["CanadaCentral"] = "canadacentral";
+    /** Uses the {@link RegionalAuthority} for the Azure 'canadaeast' region. */
+    RegionalAuthority["CanadaEast"] = "canadaeast";
+    /** Uses the {@link RegionalAuthority} for the Azure 'brazilsouth' region. */
+    RegionalAuthority["BrazilSouth"] = "brazilsouth";
+    /** Uses the {@link RegionalAuthority} for the Azure 'northeurope' region. */
+    RegionalAuthority["EuropeNorth"] = "northeurope";
+    /** Uses the {@link RegionalAuthority} for the Azure 'westeurope' region. */
+    RegionalAuthority["EuropeWest"] = "westeurope";
+    /** Uses the {@link RegionalAuthority} for the Azure 'uksouth' region. */
+    RegionalAuthority["UKSouth"] = "uksouth";
+    /** Uses the {@link RegionalAuthority} for the Azure 'ukwest' region. */
+    RegionalAuthority["UKWest"] = "ukwest";
+    /** Uses the {@link RegionalAuthority} for the Azure 'francecentral' region. */
+    RegionalAuthority["FranceCentral"] = "francecentral";
+    /** Uses the {@link RegionalAuthority} for the Azure 'francesouth' region. */
+    RegionalAuthority["FranceSouth"] = "francesouth";
+    /** Uses the {@link RegionalAuthority} for the Azure 'switzerlandnorth' region. */
+    RegionalAuthority["SwitzerlandNorth"] = "switzerlandnorth";
+    /** Uses the {@link RegionalAuthority} for the Azure 'switzerlandwest' region. */
+    RegionalAuthority["SwitzerlandWest"] = "switzerlandwest";
+    /** Uses the {@link RegionalAuthority} for the Azure 'germanynorth' region. */
+    RegionalAuthority["GermanyNorth"] = "germanynorth";
+    /** Uses the {@link RegionalAuthority} for the Azure 'germanywestcentral' region. */
+    RegionalAuthority["GermanyWestCentral"] = "germanywestcentral";
+    /** Uses the {@link RegionalAuthority} for the Azure 'norwaywest' region. */
+    RegionalAuthority["NorwayWest"] = "norwaywest";
+    /** Uses the {@link RegionalAuthority} for the Azure 'norwayeast' region. */
+    RegionalAuthority["NorwayEast"] = "norwayeast";
+    /** Uses the {@link RegionalAuthority} for the Azure 'eastasia' region. */
+    RegionalAuthority["AsiaEast"] = "eastasia";
+    /** Uses the {@link RegionalAuthority} for the Azure 'southeastasia' region. */
+    RegionalAuthority["AsiaSouthEast"] = "southeastasia";
+    /** Uses the {@link RegionalAuthority} for the Azure 'japaneast' region. */
+    RegionalAuthority["JapanEast"] = "japaneast";
+    /** Uses the {@link RegionalAuthority} for the Azure 'japanwest' region. */
+    RegionalAuthority["JapanWest"] = "japanwest";
+    /** Uses the {@link RegionalAuthority} for the Azure 'australiaeast' region. */
+    RegionalAuthority["AustraliaEast"] = "australiaeast";
+    /** Uses the {@link RegionalAuthority} for the Azure 'australiasoutheast' region. */
+    RegionalAuthority["AustraliaSouthEast"] = "australiasoutheast";
+    /** Uses the {@link RegionalAuthority} for the Azure 'australiacentral' region. */
+    RegionalAuthority["AustraliaCentral"] = "australiacentral";
+    /** Uses the {@link RegionalAuthority} for the Azure 'australiacentral2' region. */
+    RegionalAuthority["AustraliaCentral2"] = "australiacentral2";
+    /** Uses the {@link RegionalAuthority} for the Azure 'centralindia' region. */
+    RegionalAuthority["IndiaCentral"] = "centralindia";
+    /** Uses the {@link RegionalAuthority} for the Azure 'southindia' region. */
+    RegionalAuthority["IndiaSouth"] = "southindia";
+    /** Uses the {@link RegionalAuthority} for the Azure 'westindia' region. */
+    RegionalAuthority["IndiaWest"] = "westindia";
+    /** Uses the {@link RegionalAuthority} for the Azure 'koreasouth' region. */
+    RegionalAuthority["KoreaSouth"] = "koreasouth";
+    /** Uses the {@link RegionalAuthority} for the Azure 'koreacentral' region. */
+    RegionalAuthority["KoreaCentral"] = "koreacentral";
+    /** Uses the {@link RegionalAuthority} for the Azure 'uaecentral' region. */
+    RegionalAuthority["UAECentral"] = "uaecentral";
+    /** Uses the {@link RegionalAuthority} for the Azure 'uaenorth' region. */
+    RegionalAuthority["UAENorth"] = "uaenorth";
+    /** Uses the {@link RegionalAuthority} for the Azure 'southafricanorth' region. */
+    RegionalAuthority["SouthAfricaNorth"] = "southafricanorth";
+    /** Uses the {@link RegionalAuthority} for the Azure 'southafricawest' region. */
+    RegionalAuthority["SouthAfricaWest"] = "southafricawest";
+    /** Uses the {@link RegionalAuthority} for the Azure 'chinanorth' region. */
+    RegionalAuthority["ChinaNorth"] = "chinanorth";
+    /** Uses the {@link RegionalAuthority} for the Azure 'chinaeast' region. */
+    RegionalAuthority["ChinaEast"] = "chinaeast";
+    /** Uses the {@link RegionalAuthority} for the Azure 'chinanorth2' region. */
+    RegionalAuthority["ChinaNorth2"] = "chinanorth2";
+    /** Uses the {@link RegionalAuthority} for the Azure 'chinaeast2' region. */
+    RegionalAuthority["ChinaEast2"] = "chinaeast2";
+    /** Uses the {@link RegionalAuthority} for the Azure 'germanycentral' region. */
+    RegionalAuthority["GermanyCentral"] = "germanycentral";
+    /** Uses the {@link RegionalAuthority} for the Azure 'germanynortheast' region. */
+    RegionalAuthority["GermanyNorthEast"] = "germanynortheast";
+    /** Uses the {@link RegionalAuthority} for the Azure 'usgovvirginia' region. */
+    RegionalAuthority["GovernmentUSVirginia"] = "usgovvirginia";
+    /** Uses the {@link RegionalAuthority} for the Azure 'usgoviowa' region. */
+    RegionalAuthority["GovernmentUSIowa"] = "usgoviowa";
+    /** Uses the {@link RegionalAuthority} for the Azure 'usgovarizona' region. */
+    RegionalAuthority["GovernmentUSArizona"] = "usgovarizona";
+    /** Uses the {@link RegionalAuthority} for the Azure 'usgovtexas' region. */
+    RegionalAuthority["GovernmentUSTexas"] = "usgovtexas";
+    /** Uses the {@link RegionalAuthority} for the Azure 'usdodeast' region. */
+    RegionalAuthority["GovernmentUSDodEast"] = "usdodeast";
+    /** Uses the {@link RegionalAuthority} for the Azure 'usdodcentral' region. */
+    RegionalAuthority["GovernmentUSDodCentral"] = "usdodcentral";
+})(RegionalAuthority || (RegionalAuthority = {}));
 /**
- * Generates the options used on the request for an access token.
+ * Calculates the correct regional authority based on the supplied value
+ * and the AZURE_REGIONAL_AUTHORITY_NAME environment variable.
+ *
+ * Values will be returned verbatim, except for {@link RegionalAuthority.AutoDiscoverRegion}
+ * which is mapped to a value MSAL can understand.
+ *
+ * @internal
  */
-function prepareRequestOptions$5(scopes, clientId) {
-    const resource = mapScopesToResource(scopes);
-    if (!resource) {
-        throw new Error(`${msiName$6}: Multiple scopes are not supported.`);
-    }
-    const queryParameters = {
-        resource,
-        "api-version": "2017-09-01",
-    };
-    if (clientId) {
-        queryParameters.clientid = clientId;
-    }
-    const query = new URLSearchParams(queryParameters);
-    // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
-    if (!process.env.MSI_ENDPOINT) {
-        throw new Error(`${msiName$6}: Missing environment variable: MSI_ENDPOINT`);
+function calculateRegionalAuthority(regionalAuthority) {
+    var _a, _b;
+    let azureRegion = regionalAuthority;
+    if (azureRegion === undefined &&
+        ((_b = (_a = globalThis.process) === null || _a === void 0 ? void 0 : _a.env) === null || _b === void 0 ? void 0 : _b.AZURE_REGIONAL_AUTHORITY_NAME) !== undefined) {
+        azureRegion = process.env.AZURE_REGIONAL_AUTHORITY_NAME;
     }
-    if (!process.env.MSI_SECRET) {
-        throw new Error(`${msiName$6}: Missing environment variable: MSI_SECRET`);
+    if (azureRegion === RegionalAuthority.AutoDiscoverRegion) {
+        return "AUTO_DISCOVER";
     }
-    return {
-        url: `${process.env.MSI_ENDPOINT}?${query.toString()}`,
-        method: "GET",
-        headers: coreRestPipeline.createHttpHeaders({
-            Accept: "application/json",
-            secret: process.env.MSI_SECRET,
-        }),
-    };
+    return azureRegion;
 }
-/**
- * Defines how to determine whether the Azure App Service MSI is available, and also how to retrieve a token from the Azure App Service MSI.
- */
-const appServiceMsi2017 = {
-    name: "appServiceMsi2017",
-    async isAvailable({ scopes }) {
-        const resource = mapScopesToResource(scopes);
-        if (!resource) {
-            logger$m.info(`${msiName$6}: Unavailable. Multiple scopes are not supported.`);
-            return false;
-        }
-        const env = process.env;
-        const result = Boolean(env.MSI_ENDPOINT && env.MSI_SECRET);
-        if (!result) {
-            logger$m.info(`${msiName$6}: Unavailable. The environment variables needed are: MSI_ENDPOINT and MSI_SECRET.`);
-        }
-        return result;
-    },
-    async getToken(configuration, getTokenOptions = {}) {
-        const { identityClient, scopes, clientId, resourceId } = configuration;
-        if (resourceId) {
-            logger$m.warning(`${msiName$6}: managed Identity by resource Id is not supported. Argument resourceId might be ignored by the service.`);
-        }
-        logger$m.info(`${msiName$6}: Using the endpoint and the secret coming form the environment variables: MSI_ENDPOINT=${process.env.MSI_ENDPOINT} and MSI_SECRET=[REDACTED].`);
-        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$5(scopes, clientId)), { 
-            // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
-            allowInsecureConnection: true }));
-        const tokenResponse = await identityClient.sendTokenRequest(request);
-        return (tokenResponse && tokenResponse.accessToken) || null;
-    },
-};
 
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
-const msiName$5 = "ManagedIdentityCredential - CloudShellMSI";
-const logger$l = credentialLogger(msiName$5);
-/**
- * Generates the options used on the request for an access token.
- */
-function prepareRequestOptions$4(scopes, clientId, resourceId) {
-    const resource = mapScopesToResource(scopes);
-    if (!resource) {
-        throw new Error(`${msiName$5}: Multiple scopes are not supported.`);
-    }
-    const body = {
-        resource,
-    };
-    if (clientId) {
-        body.client_id = clientId;
-    }
-    if (resourceId) {
-        body.msi_res_id = resourceId;
-    }
-    // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
-    if (!process.env.MSI_ENDPOINT) {
-        throw new Error(`${msiName$5}: Missing environment variable: MSI_ENDPOINT`);
-    }
-    const params = new URLSearchParams(body);
-    return {
-        url: process.env.MSI_ENDPOINT,
-        method: "POST",
-        body: params.toString(),
-        headers: coreRestPipeline.createHttpHeaders({
-            Accept: "application/json",
-            Metadata: "true",
-            "Content-Type": "application/x-www-form-urlencoded",
-        }),
-    };
-}
 /**
- * Defines how to determine whether the Azure Cloud Shell MSI is available, and also how to retrieve a token from the Azure Cloud Shell MSI.
- * Since Azure Managed Identities aren't available in the Azure Cloud Shell, we log a warning for users that try to access cloud shell using user assigned identity.
+ * MSAL partial base client for Node.js.
+ *
+ * It completes the input configuration with some default values.
+ * It also provides with utility protected methods that can be used from any of the clients,
+ * which includes handlers for successful responses and errors.
+ *
+ * @internal
  */
-const cloudShellMsi = {
-    name: "cloudShellMsi",
-    async isAvailable({ scopes }) {
-        const resource = mapScopesToResource(scopes);
-        if (!resource) {
-            logger$l.info(`${msiName$5}: Unavailable. Multiple scopes are not supported.`);
-            return false;
+class MsalNode {
+    constructor(options) {
+        var _a, _b, _c, _d, _e, _f;
+        this.app = {};
+        this.caeApp = {};
+        this.requiresConfidential = false;
+        this.logger = options.logger;
+        this.msalConfig = this.defaultNodeMsalConfig(options);
+        this.tenantId = resolveTenantId(options.logger, options.tenantId, options.clientId);
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds((_a = options === null || options === void 0 ? void 0 : options.tokenCredentialOptions) === null || _a === void 0 ? void 0 : _a.additionallyAllowedTenants);
+        this.clientId = this.msalConfig.auth.clientId;
+        if (options === null || options === void 0 ? void 0 : options.getAssertion) {
+            this.getAssertion = options.getAssertion;
         }
-        const result = Boolean(process.env.MSI_ENDPOINT);
-        if (!result) {
-            logger$l.info(`${msiName$5}: Unavailable. The environment variable MSI_ENDPOINT is needed.`);
+        this.enableBroker = (_b = options === null || options === void 0 ? void 0 : options.brokerOptions) === null || _b === void 0 ? void 0 : _b.enabled;
+        this.enableMsaPassthrough = (_c = options === null || options === void 0 ? void 0 : options.brokerOptions) === null || _c === void 0 ? void 0 : _c.legacyEnableMsaPassthrough;
+        this.parentWindowHandle = (_d = options.brokerOptions) === null || _d === void 0 ? void 0 : _d.parentWindowHandle;
+        // If persistence has been configured
+        if (persistenceProvider !== undefined && ((_e = options.tokenCachePersistenceOptions) === null || _e === void 0 ? void 0 : _e.enabled)) {
+            const cacheBaseName = options.tokenCachePersistenceOptions.name || DEFAULT_TOKEN_CACHE_NAME;
+            const nonCaeOptions = Object.assign({ name: `${cacheBaseName}.${CACHE_NON_CAE_SUFFIX}` }, options.tokenCachePersistenceOptions);
+            const caeOptions = Object.assign({ name: `${cacheBaseName}.${CACHE_CAE_SUFFIX}` }, options.tokenCachePersistenceOptions);
+            this.createCachePlugin = () => persistenceProvider(nonCaeOptions);
+            this.createCachePluginCae = () => persistenceProvider(caeOptions);
         }
-        return result;
-    },
-    async getToken(configuration, getTokenOptions = {}) {
-        const { identityClient, scopes, clientId, resourceId } = configuration;
-        if (clientId) {
-            logger$l.warning(`${msiName$5}: user-assigned identities not supported. The argument clientId might be ignored by the service.`);
+        else if ((_f = options.tokenCachePersistenceOptions) === null || _f === void 0 ? void 0 : _f.enabled) {
+            throw new Error([
+                "Persistent token caching was requested, but no persistence provider was configured.",
+                "You must install the identity-cache-persistence plugin package (`npm install --save @azure/identity-cache-persistence`)",
+                "and enable it by importing `useIdentityPlugin` from `@azure/identity` and calling",
+                "`useIdentityPlugin(cachePersistencePlugin)` before using `tokenCachePersistenceOptions`.",
+            ].join(" "));
         }
-        if (resourceId) {
-            logger$l.warning(`${msiName$5}: user defined managed Identity by resource Id not supported. The argument resourceId might be ignored by the service.`);
+        // If broker has not been configured
+        if (!hasNativeBroker() && this.enableBroker) {
+            throw new Error([
+                "Broker for WAM was requested to be enabled, but no native broker was configured.",
+                "You must install the identity-broker plugin package (`npm install --save @azure/identity-broker`)",
+                "and enable it by importing `useIdentityPlugin` from `@azure/identity` and calling",
+                "`useIdentityPlugin(createNativeBrokerPlugin())` before using `enableBroker`.",
+            ].join(" "));
         }
-        logger$l.info(`${msiName$5}: Using the endpoint coming form the environment variable MSI_ENDPOINT = ${process.env.MSI_ENDPOINT}.`);
-        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$4(scopes, clientId, resourceId)), { 
-            // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
-            allowInsecureConnection: true }));
-        const tokenResponse = await identityClient.sendTokenRequest(request);
-        return (tokenResponse && tokenResponse.accessToken) || null;
-    },
-};
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-const msiName$4 = "ManagedIdentityCredential - IMDS";
-const logger$k = credentialLogger(msiName$4);
-/**
- * Generates the options used on the request for an access token.
- */
-function prepareRequestOptions$3(scopes, clientId, resourceId, options) {
-    var _a;
-    const resource = mapScopesToResource(scopes);
-    if (!resource) {
-        throw new Error(`${msiName$4}: Multiple scopes are not supported.`);
+        this.azureRegion = calculateRegionalAuthority(options.regionalAuthority);
     }
-    const { skipQuery, skipMetadataHeader } = options || {};
-    let query = "";
-    // Pod Identity will try to process this request even if the Metadata header is missing.
-    // We can exclude the request query to ensure no IMDS endpoint tries to process the ping request.
-    if (!skipQuery) {
-        const queryParameters = {
-            resource,
-            "api-version": imdsApiVersion,
+    /**
+     * Generates a MSAL configuration that generally works for Node.js
+     */
+    defaultNodeMsalConfig(options) {
+        var _a;
+        const clientId = options.clientId || DeveloperSignOnClientId;
+        const tenantId = resolveTenantId(options.logger, options.tenantId, options.clientId);
+        this.authorityHost = options.authorityHost || process.env.AZURE_AUTHORITY_HOST;
+        const authority = getAuthority(tenantId, this.authorityHost);
+        this.identityClient = new IdentityClient(Object.assign(Object.assign({}, options.tokenCredentialOptions), { authorityHost: authority, loggingOptions: options.loggingOptions }));
+        const clientCapabilities = [];
+        return {
+            auth: {
+                clientId,
+                authority,
+                knownAuthorities: getKnownAuthorities(tenantId, authority, options.disableInstanceDiscovery),
+                clientCapabilities,
+            },
+            // Cache is defined in this.prepare();
+            system: {
+                networkClient: this.identityClient,
+                loggerOptions: {
+                    loggerCallback: defaultLoggerCallback(options.logger),
+                    logLevel: getMSALLogLevel(logger$q.getLogLevel()),
+                    piiLoggingEnabled: (_a = options.loggingOptions) === null || _a === void 0 ? void 0 : _a.enableUnsafeSupportLogging,
+                },
+            },
         };
-        if (clientId) {
-            queryParameters.client_id = clientId;
+    }
+    getApp(appType, enableCae) {
+        const app = enableCae ? this.caeApp : this.app;
+        if (appType === "publicFirst") {
+            return (app.public || app.confidential);
         }
-        if (resourceId) {
-            queryParameters.msi_res_id = resourceId;
+        else if (appType === "confidentialFirst") {
+            return (app.confidential || app.public);
+        }
+        else if (appType === "confidential") {
+            return app.confidential;
+        }
+        else {
+            return app.public;
         }
-        const params = new URLSearchParams(queryParameters);
-        query = `?${params.toString()}`;
-    }
-    const url = new URL(imdsEndpointPath, (_a = process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) !== null && _a !== void 0 ? _a : imdsHost);
-    const rawHeaders = {
-        Accept: "application/json",
-        Metadata: "true",
-    };
-    // Remove the Metadata header to invoke a request error from some IMDS endpoints.
-    if (skipMetadataHeader) {
-        delete rawHeaders.Metadata;
     }
-    return {
-        // In this case, the `?` should be added in the "query" variable `skipQuery` is not set.
-        url: `${url}${query}`,
-        method: "GET",
-        headers: coreRestPipeline.createHttpHeaders(rawHeaders),
-    };
-}
-// 800ms -> 1600ms -> 3200ms
-const imdsMsiRetryConfig = {
-    maxRetries: 3,
-    startDelayInMs: 800,
-    intervalIncrement: 2,
-};
-/**
- * Defines how to determine whether the Azure IMDS MSI is available, and also how to retrieve a token from the Azure IMDS MSI.
- */
-const imdsMsi = {
-    name: "imdsMsi",
-    async isAvailable({ scopes, identityClient, clientId, resourceId, getTokenOptions = {}, }) {
-        const resource = mapScopesToResource(scopes);
-        if (!resource) {
-            logger$k.info(`${msiName$4}: Unavailable. Multiple scopes are not supported.`);
-            return false;
+    /**
+     * Prepares the MSAL applications.
+     */
+    async init(options) {
+        if (options === null || options === void 0 ? void 0 : options.abortSignal) {
+            options.abortSignal.addEventListener("abort", () => {
+                // This will abort any pending request in the IdentityClient,
+                // based on the received or generated correlationId
+                this.identityClient.abortRequests(options.correlationId);
+            });
+        }
+        const app = (options === null || options === void 0 ? void 0 : options.enableCae) ? this.caeApp : this.app;
+        if (options === null || options === void 0 ? void 0 : options.enableCae) {
+            this.msalConfig.auth.clientCapabilities = ["cp1"];
         }
-        // if the PodIdentityEndpoint environment variable was set no need to probe the endpoint, it can be assumed to exist
-        if (process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) {
-            return true;
+        if (app.public || app.confidential) {
+            return;
         }
-        if (!identityClient) {
-            throw new Error("Missing IdentityClient");
+        if ((options === null || options === void 0 ? void 0 : options.enableCae) && this.createCachePluginCae !== undefined) {
+            this.msalConfig.cache = {
+                cachePlugin: await this.createCachePluginCae(),
+            };
         }
-        const requestOptions = prepareRequestOptions$3(resource, clientId, resourceId, {
-            skipMetadataHeader: true,
-            skipQuery: true,
-        });
-        return tracingClient.withSpan("ManagedIdentityCredential-pingImdsEndpoint", getTokenOptions, async (options) => {
-            var _a, _b;
-            requestOptions.tracingOptions = options.tracingOptions;
-            // Create a request with a timeout since we expect that
-            // not having a "Metadata" header should cause an error to be
-            // returned quickly from the endpoint, proving its availability.
-            const request = coreRestPipeline.createPipelineRequest(requestOptions);
-            // Default to 1000 if the default of 0 is used.
-            // Negative values can still be used to disable the timeout.
-            request.timeout = ((_a = options.requestOptions) === null || _a === void 0 ? void 0 : _a.timeout) || 1000;
-            // This MSI uses the imdsEndpoint to get the token, which only uses http://
-            request.allowInsecureConnection = true;
-            let response;
-            try {
-                logger$k.info(`${msiName$4}: Pinging the Azure IMDS endpoint`);
-                response = await identityClient.sendRequest(request);
-            }
-            catch (err) {
-                // If the request failed, or Node.js was unable to establish a connection,
-                // or the host was down, we'll assume the IMDS endpoint isn't available.
-                if (coreUtil.isError(err)) {
-                    logger$k.verbose(`${msiName$4}: Caught error ${err.name}: ${err.message}`);
-                }
-                // This is a special case for Docker Desktop which responds with a 403 with a message that contains "A socket operation was attempted to an unreachable network"
-                // rather than just timing out, as expected.
-                logger$k.info(`${msiName$4}: The Azure IMDS endpoint is unavailable`);
-                return false;
-            }
-            if (response.status === 403) {
-                if ((_b = response.bodyAsText) === null || _b === void 0 ? void 0 : _b.includes("A socket operation was attempted to an unreachable network")) {
-                    logger$k.info(`${msiName$4}: The Azure IMDS endpoint is unavailable`);
-                    logger$k.info(`${msiName$4}: ${response.bodyAsText}`);
-                    return false;
-                }
+        if (this.createCachePlugin !== undefined) {
+            this.msalConfig.cache = {
+                cachePlugin: await this.createCachePlugin(),
+            };
+        }
+        if (hasNativeBroker() && this.enableBroker) {
+            this.msalConfig.broker = {
+                nativeBrokerPlugin: nativeBrokerInfo.broker,
+            };
+            if (!this.parentWindowHandle) {
+                // error should have been thrown from within the constructor of InteractiveBrowserCredential
+                this.logger.warning("Parent window handle is not specified for the broker. This may cause unexpected behavior. Please provide the parentWindowHandle.");
             }
-            // If we received any response, the endpoint is available
-            logger$k.info(`${msiName$4}: The Azure IMDS endpoint is available`);
-            return true;
-        });
-    },
-    async getToken(configuration, getTokenOptions = {}) {
-        const { identityClient, scopes, clientId, resourceId } = configuration;
-        if (process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) {
-            logger$k.info(`${msiName$4}: Using the Azure IMDS endpoint coming from the environment variable AZURE_POD_IDENTITY_AUTHORITY_HOST=${process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST}.`);
+        }
+        if (options === null || options === void 0 ? void 0 : options.enableCae) {
+            this.caeApp.public = new msalCommon__namespace.PublicClientApplication(this.msalConfig);
         }
         else {
-            logger$k.info(`${msiName$4}: Using the default Azure IMDS endpoint ${imdsHost}.`);
+            this.app.public = new msalCommon__namespace.PublicClientApplication(this.msalConfig);
         }
-        let nextDelayInMs = imdsMsiRetryConfig.startDelayInMs;
-        for (let retries = 0; retries < imdsMsiRetryConfig.maxRetries; retries++) {
-            try {
-                const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$3(scopes, clientId, resourceId)), { allowInsecureConnection: true }));
-                const tokenResponse = await identityClient.sendTokenRequest(request);
-                return (tokenResponse && tokenResponse.accessToken) || null;
+        if (this.getAssertion) {
+            this.msalConfig.auth.clientAssertion = await this.getAssertion();
+        }
+        // The confidential client requires either a secret, assertion or certificate.
+        if (this.msalConfig.auth.clientSecret ||
+            this.msalConfig.auth.clientAssertion ||
+            this.msalConfig.auth.clientCertificate) {
+            if (options === null || options === void 0 ? void 0 : options.enableCae) {
+                this.caeApp.confidential = new msalCommon__namespace.ConfidentialClientApplication(this.msalConfig);
             }
-            catch (error) {
-                if (error.statusCode === 404) {
-                    await coreUtil.delay(nextDelayInMs);
-                    nextDelayInMs *= imdsMsiRetryConfig.intervalIncrement;
-                    continue;
-                }
-                throw error;
+            else {
+                this.app.confidential = new msalCommon__namespace.ConfidentialClientApplication(this.msalConfig);
+            }
+        }
+        else {
+            if (this.requiresConfidential) {
+                throw new Error("Unable to generate the MSAL confidential client. Missing either the client's secret, certificate or assertion.");
             }
         }
-        throw new AuthenticationError(404, `${msiName$4}: Failed to retrieve IMDS token after ${imdsMsiRetryConfig.maxRetries} retries.`);
-    },
-};
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-const msiName$3 = "ManagedIdentityCredential - Azure Arc MSI";
-const logger$j = credentialLogger(msiName$3);
-/**
- * Generates the options used on the request for an access token.
- */
-function prepareRequestOptions$2(scopes, clientId, resourceId) {
-    const resource = mapScopesToResource(scopes);
-    if (!resource) {
-        throw new Error(`${msiName$3}: Multiple scopes are not supported.`);
     }
-    const queryParameters = {
-        resource,
-        "api-version": azureArcAPIVersion,
-    };
-    if (clientId) {
-        queryParameters.client_id = clientId;
+    /**
+     * Allows the cancellation of a MSAL request.
+     */
+    withCancellation(promise, abortSignal, onCancel) {
+        return new Promise((resolve, reject) => {
+            promise
+                .then((msalToken) => {
+                return resolve(msalToken);
+            })
+                .catch(reject);
+            if (abortSignal) {
+                abortSignal.addEventListener("abort", () => {
+                    onCancel === null || onCancel === void 0 ? void 0 : onCancel();
+                });
+            }
+        });
     }
-    if (resourceId) {
-        queryParameters.msi_res_id = resourceId;
+    /**
+     * Returns the existing account, attempts to load the account from MSAL.
+     */
+    async getActiveAccount(enableCae = false) {
+        if (this.account) {
+            return this.account;
+        }
+        const cache = this.getApp("confidentialFirst", enableCae).getTokenCache();
+        const accountsByTenant = await (cache === null || cache === void 0 ? void 0 : cache.getAllAccounts());
+        if (!accountsByTenant) {
+            return;
+        }
+        if (accountsByTenant.length === 1) {
+            this.account = msalToPublic(this.clientId, accountsByTenant[0]);
+        }
+        else {
+            this.logger
+                .info(`More than one account was found authenticated for this Client ID and Tenant ID.
+However, no "authenticationRecord" has been provided for this credential,
+therefore we're unable to pick between these accounts.
+A new login attempt will be requested, to ensure the correct account is picked.
+To work with multiple accounts for the same Client ID and Tenant ID, please provide an "authenticationRecord" when initializing a credential to prevent this from happening.`);
+            return;
+        }
+        return this.account;
     }
-    // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
-    if (!process.env.IDENTITY_ENDPOINT) {
-        throw new Error(`${msiName$3}: Missing environment variable: IDENTITY_ENDPOINT`);
+    /**
+     * Attempts to retrieve a token from cache.
+     */
+    async getTokenSilent(scopes, options) {
+        var _a, _b, _c;
+        await this.getActiveAccount(options === null || options === void 0 ? void 0 : options.enableCae);
+        if (!this.account) {
+            throw new AuthenticationRequiredError({
+                scopes,
+                getTokenOptions: options,
+                message: "Silent authentication failed. We couldn't retrieve an active account from the cache.",
+            });
+        }
+        const silentRequest = {
+            // To be able to re-use the account, the Token Cache must also have been provided.
+            account: publicToMsal(this.account),
+            correlationId: options === null || options === void 0 ? void 0 : options.correlationId,
+            scopes,
+            authority: options === null || options === void 0 ? void 0 : options.authority,
+            claims: options === null || options === void 0 ? void 0 : options.claims,
+        };
+        if (hasNativeBroker() && this.enableBroker) {
+            if (!silentRequest.tokenQueryParameters) {
+                silentRequest.tokenQueryParameters = {};
+            }
+            if (!this.parentWindowHandle) {
+                // error should have been thrown from within the constructor of InteractiveBrowserCredential
+                this.logger.warning("Parent window handle is not specified for the broker. This may cause unexpected behavior. Please provide the parentWindowHandle.");
+            }
+            if (this.enableMsaPassthrough) {
+                silentRequest.tokenQueryParameters["msal_request_type"] = "consumer_passthrough";
+            }
+        }
+        try {
+            this.logger.info("Attempting to acquire token silently");
+            /**
+             * The following code to retrieve all accounts is done as a workaround in an attempt to force the
+             * refresh of the token cache with the token and the account passed in through the
+             * `authenticationRecord` parameter. See issue - https://github.com/Azure/azure-sdk-for-js/issues/24349#issuecomment-1496715651
+             * This workaround serves as a workaround for silent authentication not happening when authenticationRecord is passed.
+             */
+            await ((_a = this.getApp("publicFirst", options === null || options === void 0 ? void 0 : options.enableCae)) === null || _a === void 0 ? void 0 : _a.getTokenCache().getAllAccounts());
+            const response = (_c = (await ((_b = this.getApp("confidential", options === null || options === void 0 ? void 0 : options.enableCae)) === null || _b === void 0 ? void 0 : _b.acquireTokenSilent(silentRequest)))) !== null && _c !== void 0 ? _c : (await this.getApp("public", options === null || options === void 0 ? void 0 : options.enableCae).acquireTokenSilent(silentRequest));
+            return this.handleResult(scopes, response || undefined);
+        }
+        catch (err) {
+            throw handleMsalError(scopes, err, options);
+        }
     }
-    const query = new URLSearchParams(queryParameters);
-    return coreRestPipeline.createPipelineRequest({
-        // Should be similar to: http://localhost:40342/metadata/identity/oauth2/token
-        url: `${process.env.IDENTITY_ENDPOINT}?${query.toString()}`,
-        method: "GET",
-        headers: coreRestPipeline.createHttpHeaders({
-            Accept: "application/json",
-            Metadata: "true",
-        }),
-    });
-}
-/**
- * Retrieves the file contents at the given path using promises.
- * Useful since `fs`'s readFileSync locks the thread, and to avoid extra dependencies.
- */
-function readFileAsync$1(path, options) {
-    return new Promise((resolve, reject) => fs.readFile(path, options, (err, data) => {
-        if (err) {
-            reject(err);
+    /**
+     * Wrapper around each MSAL flow get token operation: doGetToken.
+     * If disableAutomaticAuthentication is sent through the constructor, it will prevent MSAL from requesting the user input.
+     */
+    async getToken(scopes, options = {}) {
+        const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds) ||
+            this.tenantId;
+        options.authority = getAuthority(tenantId, this.authorityHost);
+        options.correlationId = (options === null || options === void 0 ? void 0 : options.correlationId) || randomUUID();
+        await this.init(options);
+        try {
+            // MSAL now caches tokens based on their claims,
+            // so now one has to keep track fo claims in order to retrieve the newer tokens from acquireTokenSilent
+            // This update happened on PR: https://github.com/AzureAD/microsoft-authentication-library-for-js/pull/4533
+            const optionsClaims = options.claims;
+            if (optionsClaims) {
+                this.cachedClaims = optionsClaims;
+            }
+            if (this.cachedClaims && !optionsClaims) {
+                options.claims = this.cachedClaims;
+            }
+            // We don't return the promise since we want to catch errors right here.
+            return await this.getTokenSilent(scopes, options);
         }
-        resolve(data);
-    }));
-}
-/**
- * Does a request to the authentication provider that results in a file path.
- */
-async function filePathRequest(identityClient, requestPrepareOptions) {
-    const response = await identityClient.sendRequest(coreRestPipeline.createPipelineRequest(requestPrepareOptions));
-    if (response.status !== 401) {
-        let message = "";
-        if (response.bodyAsText) {
-            message = ` Response: ${response.bodyAsText}`;
+        catch (err) {
+            if (err.name !== "AuthenticationRequiredError") {
+                throw err;
+            }
+            if (options === null || options === void 0 ? void 0 : options.disableAutomaticAuthentication) {
+                throw new AuthenticationRequiredError({
+                    scopes,
+                    getTokenOptions: options,
+                    message: "Automatic authentication has been disabled. You may call the authentication() method.",
+                });
+            }
+            this.logger.info(`Silent authentication failed, falling back to interactive method.`);
+            return this.doGetToken(scopes, options);
         }
-        throw new AuthenticationError(response.status, `${msiName$3}: To authenticate with Azure Arc MSI, status code 401 is expected on the first request. ${message}`);
-    }
-    const authHeader = response.headers.get("www-authenticate") || "";
-    try {
-        return authHeader.split("=").slice(1)[0];
     }
-    catch (e) {
-        throw Error(`Invalid www-authenticate header format: ${authHeader}`);
+    /**
+     * Handles the MSAL authentication result.
+     * If the result has an account, we update the local account reference.
+     * If the token received is invalid, an error will be thrown depending on what's missing.
+     */
+    handleResult(scopes, result, getTokenOptions) {
+        if (result === null || result === void 0 ? void 0 : result.account) {
+            this.account = msalToPublic(this.clientId, result.account);
+        }
+        ensureValidMsalToken(scopes, result, getTokenOptions);
+        this.logger.getToken.info(formatSuccess(scopes));
+        return {
+            token: result.accessToken,
+            expiresOnTimestamp: result.expiresOn.getTime(),
+        };
     }
 }
-/**
- * Defines how to determine whether the Azure Arc MSI is available, and also how to retrieve a token from the Azure Arc MSI.
- */
-const arcMsi = {
-    name: "arc",
-    async isAvailable({ scopes }) {
-        const resource = mapScopesToResource(scopes);
-        if (!resource) {
-            logger$j.info(`${msiName$3}: Unavailable. Multiple scopes are not supported.`);
-            return false;
-        }
-        const result = Boolean(process.env.IMDS_ENDPOINT && process.env.IDENTITY_ENDPOINT);
-        if (!result) {
-            logger$j.info(`${msiName$3}: The environment variables needed are: IMDS_ENDPOINT and IDENTITY_ENDPOINT`);
-        }
-        return result;
-    },
-    async getToken(configuration, getTokenOptions = {}) {
-        var _a;
-        const { identityClient, scopes, clientId, resourceId } = configuration;
-        if (clientId) {
-            logger$j.warning(`${msiName$3}: user-assigned identities not supported. The argument clientId might be ignored by the service.`);
-        }
-        if (resourceId) {
-            logger$j.warning(`${msiName$3}: user defined managed Identity by resource Id is not supported. Argument resourceId will be ignored.`);
-        }
-        logger$j.info(`${msiName$3}: Authenticating.`);
-        const requestOptions = Object.assign(Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$2(scopes, clientId, resourceId)), { allowInsecureConnection: true });
-        const filePath = await filePathRequest(identityClient, requestOptions);
-        if (!filePath) {
-            throw new Error(`${msiName$3}: Failed to find the token file.`);
-        }
-        const key = await readFileAsync$1(filePath, { encoding: "utf-8" });
-        (_a = requestOptions.headers) === null || _a === void 0 ? void 0 : _a.set("Authorization", `Basic ${key}`);
-        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({}, requestOptions), { 
-            // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
-            allowInsecureConnection: true }));
-        const tokenResponse = await identityClient.sendTokenRequest(request);
-        return (tokenResponse && tokenResponse.accessToken) || null;
-    },
-};
 
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
@@ -2018,7 +2199,7 @@ class MsalClientAssertion extends MsalNode {
 
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
-const logger$i = credentialLogger("ClientAssertionCredential");
+const logger$g = credentialLogger("ClientAssertionCredential");
 /**
  * Authenticates a service principal with a JWT assertion.
  */
@@ -2041,7 +2222,7 @@ class ClientAssertionCredential {
         this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
         this.clientId = clientId;
         this.options = options;
-        this.msalFlow = new MsalClientAssertion(Object.assign(Object.assign({}, options), { logger: logger$i, clientId: this.clientId, tenantId: this.tenantId, tokenCredentialOptions: this.options, getAssertion }));
+        this.msalFlow = new MsalClientAssertion(Object.assign(Object.assign({}, options), { logger: logger$g, clientId: this.clientId, tenantId: this.tenantId, tokenCredentialOptions: this.options, getAssertion }));
     }
     /**
      * Authenticates with Microsoft Entra ID and returns an access token if successful.
@@ -2053,7 +2234,7 @@ class ClientAssertionCredential {
      */
     async getToken(scopes, options = {}) {
         return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
-            newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$i);
+            newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$g);
             const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
             return this.msalFlow.getToken(arrayScopes, newOptions);
         });
@@ -2075,7 +2256,7 @@ const SupportedWorkloadEnvironmentVariables = [
     "AZURE_CLIENT_ID",
     "AZURE_FEDERATED_TOKEN_FILE",
 ];
-const logger$h = credentialLogger(credentialName$3);
+const logger$f = credentialLogger(credentialName$3);
 /**
  * Workload Identity authentication is a feature in Azure that allows applications running on virtual machines (VMs)
  * to access other Azure resources without the need for a service principal or managed identity. With Workload Identity
@@ -2101,17 +2282,17 @@ class WorkloadIdentityCredential {
         this.cacheDate = undefined;
         // Logging environment variables for error details
         const assignedEnv = processEnvVars(SupportedWorkloadEnvironmentVariables).assigned.join(", ");
-        logger$h.info(`Found the following environment variables: ${assignedEnv}`);
+        logger$f.info(`Found the following environment variables: ${assignedEnv}`);
         const workloadIdentityCredentialOptions = options !== null && options !== void 0 ? options : {};
         const tenantId = workloadIdentityCredentialOptions.tenantId || process.env.AZURE_TENANT_ID;
         const clientId = workloadIdentityCredentialOptions.clientId || process.env.AZURE_CLIENT_ID;
         this.federatedTokenFilePath =
             workloadIdentityCredentialOptions.tokenFilePath || process.env.AZURE_FEDERATED_TOKEN_FILE;
         if (tenantId) {
-            checkTenantId(logger$h, tenantId);
+            checkTenantId(logger$f, tenantId);
         }
         if (clientId && tenantId && this.federatedTokenFilePath) {
-            logger$h.info(`Invoking ClientAssertionCredential with tenant ID: ${tenantId}, clientId: ${workloadIdentityCredentialOptions.clientId} and federated token path: [REDACTED]`);
+            logger$f.info(`Invoking ClientAssertionCredential with tenant ID: ${tenantId}, clientId: ${workloadIdentityCredentialOptions.clientId} and federated token path: [REDACTED]`);
             this.client = new ClientAssertionCredential(tenantId, clientId, this.readFileContents.bind(this), options);
         }
     }
@@ -2130,10 +2311,10 @@ class WorkloadIdentityCredential {
       "AZURE_TENANT_ID",
       "AZURE_CLIENT_ID",
       "AZURE_FEDERATED_TOKEN_FILE". See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/workloadidentitycredential/troubleshoot  `;
-            logger$h.info(errorMessage);
+            logger$f.info(errorMessage);
             throw new CredentialUnavailableError(errorMessage);
         }
-        logger$h.info("Invoking getToken() of Client Assertion Credential");
+        logger$f.info("Invoking getToken() of Client Assertion Credential");
         return this.client.getToken(scopes, options);
     }
     async readFileContents() {
@@ -2161,8 +2342,8 @@ class WorkloadIdentityCredential {
 
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
-const msiName$2 = "ManagedIdentityCredential - Token Exchange";
-const logger$g = credentialLogger(msiName$2);
+const msiName = "ManagedIdentityCredential - Token Exchange";
+const logger$e = credentialLogger(msiName);
 /**
  * Defines how to determine whether the token exchange MSI is available, and also how to retrieve a token from the token exchange MSI.
  */
@@ -2175,7 +2356,7 @@ function tokenExchangeMsi() {
                 env.AZURE_TENANT_ID &&
                 process.env.AZURE_FEDERATED_TOKEN_FILE);
             if (!result) {
-                logger$g.info(`${msiName$2}: Unavailable. The environment variables needed are: AZURE_CLIENT_ID (or the client ID sent through the parameters), AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE`);
+                logger$e.info(`${msiName}: Unavailable. The environment variables needed are: AZURE_CLIENT_ID (or the client ID sent through the parameters), AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE`);
             }
             return result;
         },
@@ -2189,164 +2370,6 @@ function tokenExchangeMsi() {
     };
 }
 
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-// This MSI can be easily tested by deploying a container to Azure Service Fabric with the Dockerfile:
-//
-//   FROM node:12
-//   RUN wget https://host.any/path/bash.sh
-//   CMD ["bash", "bash.sh"]
-//
-// Where the bash script contains:
-//
-//   curl --insecure $IDENTITY_ENDPOINT'?api-version=2019-07-01-preview&resource=https://vault.azure.net/' -H "Secret: $IDENTITY_HEADER"
-//
-const msiName$1 = "ManagedIdentityCredential - Fabric MSI";
-const logger$f = credentialLogger(msiName$1);
-/**
- * Generates the options used on the request for an access token.
- */
-function prepareRequestOptions$1(scopes, clientId, resourceId) {
-    const resource = mapScopesToResource(scopes);
-    if (!resource) {
-        throw new Error(`${msiName$1}: Multiple scopes are not supported.`);
-    }
-    const queryParameters = {
-        resource,
-        "api-version": azureFabricVersion,
-    };
-    if (clientId) {
-        queryParameters.client_id = clientId;
-    }
-    if (resourceId) {
-        queryParameters.msi_res_id = resourceId;
-    }
-    const query = new URLSearchParams(queryParameters);
-    // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
-    if (!process.env.IDENTITY_ENDPOINT) {
-        throw new Error("Missing environment variable: IDENTITY_ENDPOINT");
-    }
-    if (!process.env.IDENTITY_HEADER) {
-        throw new Error("Missing environment variable: IDENTITY_HEADER");
-    }
-    return {
-        url: `${process.env.IDENTITY_ENDPOINT}?${query.toString()}`,
-        method: "GET",
-        headers: coreRestPipeline.createHttpHeaders({
-            Accept: "application/json",
-            secret: process.env.IDENTITY_HEADER,
-        }),
-    };
-}
-/**
- * Defines how to determine whether the Azure Service Fabric MSI is available, and also how to retrieve a token from the Azure Service Fabric MSI.
- */
-const fabricMsi = {
-    name: "fabricMsi",
-    async isAvailable({ scopes }) {
-        const resource = mapScopesToResource(scopes);
-        if (!resource) {
-            logger$f.info(`${msiName$1}: Unavailable. Multiple scopes are not supported.`);
-            return false;
-        }
-        const env = process.env;
-        const result = Boolean(env.IDENTITY_ENDPOINT && env.IDENTITY_HEADER && env.IDENTITY_SERVER_THUMBPRINT);
-        if (!result) {
-            logger$f.info(`${msiName$1}: Unavailable. The environment variables needed are: IDENTITY_ENDPOINT, IDENTITY_HEADER and IDENTITY_SERVER_THUMBPRINT`);
-        }
-        return result;
-    },
-    async getToken(configuration, getTokenOptions = {}) {
-        const { scopes, identityClient, clientId, resourceId } = configuration;
-        if (resourceId) {
-            logger$f.warning(`${msiName$1}: user defined managed Identity by resource Id is not supported. Argument resourceId might be ignored by the service.`);
-        }
-        logger$f.info([
-            `${msiName$1}:`,
-            "Using the endpoint and the secret coming from the environment variables:",
-            `IDENTITY_ENDPOINT=${process.env.IDENTITY_ENDPOINT},`,
-            "IDENTITY_HEADER=[REDACTED] and",
-            "IDENTITY_SERVER_THUMBPRINT=[REDACTED].",
-        ].join(" "));
-        const request = coreRestPipeline.createPipelineRequest(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$1(scopes, clientId, resourceId)));
-        request.agent = new https.Agent({
-            // This is necessary because Service Fabric provides a self-signed certificate.
-            // The alternative path is to verify the certificate using the IDENTITY_SERVER_THUMBPRINT env variable.
-            rejectUnauthorized: false,
-        });
-        const tokenResponse = await identityClient.sendTokenRequest(request);
-        return (tokenResponse && tokenResponse.accessToken) || null;
-    },
-};
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-const msiName = "ManagedIdentityCredential - AppServiceMSI 2019";
-const logger$e = credentialLogger(msiName);
-/**
- * Generates the options used on the request for an access token.
- */
-function prepareRequestOptions(scopes, clientId, resourceId) {
-    const resource = mapScopesToResource(scopes);
-    if (!resource) {
-        throw new Error(`${msiName}: Multiple scopes are not supported.`);
-    }
-    const queryParameters = {
-        resource,
-        "api-version": "2019-08-01",
-    };
-    if (clientId) {
-        queryParameters.client_id = clientId;
-    }
-    if (resourceId) {
-        queryParameters.mi_res_id = resourceId;
-    }
-    const query = new URLSearchParams(queryParameters);
-    // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
-    if (!process.env.IDENTITY_ENDPOINT) {
-        throw new Error(`${msiName}: Missing environment variable: IDENTITY_ENDPOINT`);
-    }
-    if (!process.env.IDENTITY_HEADER) {
-        throw new Error(`${msiName}: Missing environment variable: IDENTITY_HEADER`);
-    }
-    return {
-        url: `${process.env.IDENTITY_ENDPOINT}?${query.toString()}`,
-        method: "GET",
-        headers: coreRestPipeline.createHttpHeaders({
-            Accept: "application/json",
-            "X-IDENTITY-HEADER": process.env.IDENTITY_HEADER,
-        }),
-    };
-}
-/**
- * Defines how to determine whether the Azure App Service MSI is available, and also how to retrieve a token from the Azure App Service MSI.
- */
-const appServiceMsi2019 = {
-    name: "appServiceMsi2019",
-    async isAvailable({ scopes }) {
-        const resource = mapScopesToResource(scopes);
-        if (!resource) {
-            logger$e.info(`${msiName}: Unavailable. Multiple scopes are not supported.`);
-            return false;
-        }
-        const env = process.env;
-        const result = Boolean(env.IDENTITY_ENDPOINT && env.IDENTITY_HEADER);
-        if (!result) {
-            logger$e.info(`${msiName}: Unavailable. The environment variables needed are: IDENTITY_ENDPOINT and IDENTITY_HEADER.`);
-        }
-        return result;
-    },
-    async getToken(configuration, getTokenOptions = {}) {
-        const { identityClient, scopes, clientId, resourceId } = configuration;
-        logger$e.info(`${msiName}: Using the endpoint and the secret coming form the environment variables: IDENTITY_ENDPOINT=${process.env.IDENTITY_ENDPOINT} and IDENTITY_HEADER=[REDACTED].`);
-        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions(scopes, clientId, resourceId)), { 
-            // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
-            allowInsecureConnection: true }));
-        const tokenResponse = await identityClient.sendTokenRequest(request);
-        return (tokenResponse && tokenResponse.accessToken) || null;
-    },
-};
-
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 const logger$d = credentialLogger("ManagedIdentityCredential");
@@ -2364,9 +2387,14 @@ class ManagedIdentityCredential {
      * @hidden
      */
     constructor(clientIdOrOptions, options) {
-        var _a;
+        var _a, _b;
         this.isEndpointUnavailable = null;
         this.isAppTokenProviderInitialized = false;
+        this.msiRetryConfig = {
+            maxRetries: 5,
+            startDelayInMs: 800,
+            intervalIncrement: 2,
+        };
         let _options;
         if (typeof clientIdOrOptions === "string") {
             this.clientId = clientIdOrOptions;
@@ -2381,6 +2409,9 @@ class ManagedIdentityCredential {
         if (this.clientId && this.resourceId) {
             throw new Error(`${ManagedIdentityCredential.name} - Client Id and Resource Id can't be provided at the same time.`);
         }
+        if (((_a = _options === null || _options === void 0 ? void 0 : _options.retryOptions) === null || _a === void 0 ? void 0 : _a.maxRetries) !== undefined) {
+            this.msiRetryConfig.maxRetries = _options.retryOptions.maxRetries;
+        }
         this.identityClient = new IdentityClient(_options);
         this.isAvailableIdentityClient = new IdentityClient(Object.assign(Object.assign({}, _options), { retryOptions: {
                 maxRetries: 0,
@@ -2391,7 +2422,7 @@ class ManagedIdentityCredential {
         this.confidentialApp = new msalCommon.ConfidentialClientApplication({
             auth: {
                 authority: "https://login.microsoftonline.com/managed_identity",
-                clientId: (_a = this.clientId) !== null && _a !== void 0 ? _a : DeveloperSignOnClientId,
+                clientId: (_b = this.clientId) !== null && _b !== void 0 ? _b : DeveloperSignOnClientId,
                 clientSecret: "dummy-secret",
                 cloudDiscoveryMetadata: '{"tenant_discovery_endpoint":"https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration","api-version":"1.1","metadata":[{"preferred_network":"login.microsoftonline.com","preferred_cache":"login.windows.net","aliases":["login.microsoftonline.com","login.windows.net","login.microsoft.com","sts.windows.net"]},{"preferred_network":"login.partner.microsoftonline.cn","preferred_cache":"login.partner.microsoftonline.cn","aliases":["login.partner.microsoftonline.cn","login.chinacloudapi.cn"]},{"preferred_network":"login.microsoftonline.de","preferred_cache":"login.microsoftonline.de","aliases":["login.microsoftonline.de"]},{"preferred_network":"login.microsoftonline.us","preferred_cache":"login.microsoftonline.us","aliases":["login.microsoftonline.us","login.usgovcloudapi.net"]},{"preferred_network":"login-us.microsoftonline.com","preferred_cache":"login-us.microsoftonline.com","aliases":["login-us.microsoftonline.com"]}]}',
                 authorityMetadata: '{"token_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/token","token_endpoint_auth_methods_supported":["client_secret_post","private_key_jwt","client_secret_basic"],"jwks_uri":"https://login.microsoftonline.com/common/discovery/v2.0/keys","response_modes_supported":["query","fragment","form_post"],"subject_types_supported":["pairwise"],"id_token_signing_alg_values_supported":["RS256"],"response_types_supported":["code","id_token","code id_token","id_token token"],"scopes_supported":["openid","profile","email","offline_access"],"issuer":"https://login.microsoftonline.com/{tenantid}/v2.0","request_uri_parameter_supported":false,"userinfo_endpoint":"https://graph.microsoft.com/oidc/userinfo","authorization_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/authorize","device_authorization_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/devicecode","http_logout_supported":true,"frontchannel_logout_supported":true,"end_session_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/logout","claims_supported":["sub","iss","cloud_instance_name","cloud_instance_host_name","cloud_graph_host_name","msgraph_host","aud","exp","iat","auth_time","acr","nonce","preferred_username","name","tid","ver","at_hash","c_hash","email"],"kerberos_endpoint":"https://login.microsoftonline.com/common/kerberos","tenant_region_scope":null,"cloud_instance_name":"microsoftonline.com","cloud_graph_host_name":"graph.windows.net","msgraph_host":"graph.microsoft.com","rbac_url":"https://pas.windows.net"}',
@@ -2441,6 +2472,7 @@ class ManagedIdentityCredential {
                 scopes,
                 clientId: this.clientId,
                 resourceId: this.resourceId,
+                retryConfig: this.msiRetryConfig,
             }, updatedOptions);
         }
         catch (err) {
@@ -2547,10 +2579,10 @@ class ManagedIdentityCredential {
             if (err.statusCode === 400) {
                 throw new CredentialUnavailableError(`${ManagedIdentityCredential.name}: The managed identity endpoint is indicating there's no available identity. Message: ${err.message}`);
             }
-            // This is a special case for Docker Desktop which responds with a 403 with a message that contains "A socket operation was attempted to an unreachable network"
+            // This is a special case for Docker Desktop which responds with a 403 with a message that contains "A socket operation was attempted to an unreachable network" or "A socket operation was attempted to an unreachable host"
             // rather than just timing out, as expected.
             if (err.statusCode === 403 || err.code === 403) {
-                if (err.message.includes("A socket operation was attempted to an unreachable network")) {
+                if (err.message.includes("unreachable")) {
                     const error = new CredentialUnavailableError(`${ManagedIdentityCredential.name}: Unavailable. Network unreachable. Message: ${err.message}`);
                     logger$d.getToken.info(formatError(scopes, error));
                     throw error;
@@ -2587,7 +2619,6 @@ class ManagedIdentityCredential {
     }
     /**
      * Ensures the validity of the MSAL token
-     * @internal
      */
     ensureValidMsalToken(scopes, msalToken, getTokenOptions) {
         const error = (message) => {
@@ -2891,7 +2922,7 @@ const logger$b = credentialLogger("AzureDeveloperCliCredential");
  * Azure Developer CLI is a command-line interface tool that allows developers to create, manage, and deploy
  * resources in Azure. It's built on top of the Azure CLI and provides additional functionality specific
  * to Azure developers. It allows users to authenticate as a user and/or a service principal against
- * <a href="https://learn.microsoft.com/azure/active-directory/fundamentals/">Microsoft Entra ID</a>. The
+ * <a href="https://learn.microsoft.com/entra/fundamentals/">Microsoft Entra ID</a>. The
  * AzureDeveloperCliCredential authenticates in a development environment and acquires a token on behalf of
  * the logged-in user or service principal in the Azure Developer CLI. It acts as the Azure Developer CLI logged in user or
  * service principal and executes an Azure CLI command underneath to authenticate the application against
@@ -3485,7 +3516,7 @@ const logger$7 = credentialLogger("ClientSecretCredential");
  * that was generated for an App Registration. More information on how
  * to configure a client secret can be found here:
  *
- * https://learn.microsoft.com/azure/active-directory/develop/quickstart-configure-app-access-web-apis#add-credentials-to-your-web-application
+ * https://learn.microsoft.com/entra/identity-platform/quickstart-configure-app-access-web-apis#add-credentials-to-your-web-application
  *
  */
 class ClientSecretCredential {
@@ -3734,13 +3765,17 @@ const logger$4 = credentialLogger("DefaultAzureCredential");
  *
  * @internal
  */
-function createDefaultManagedIdentityCredential(options) {
-    var _a, _b, _c;
-    const managedIdentityClientId = (_a = options === null || options === void 0 ? void 0 : options.managedIdentityClientId) !== null && _a !== void 0 ? _a : process.env.AZURE_CLIENT_ID;
-    const workloadIdentityClientId = (_b = options === null || options === void 0 ? void 0 : options.workloadIdentityClientId) !== null && _b !== void 0 ? _b : managedIdentityClientId;
+function createDefaultManagedIdentityCredential(options = {}) {
+    var _a, _b, _c, _d;
+    (_a = options.retryOptions) !== null && _a !== void 0 ? _a : (options.retryOptions = {
+        maxRetries: 5,
+        retryDelayInMs: 800,
+    });
+    const managedIdentityClientId = (_b = options === null || options === void 0 ? void 0 : options.managedIdentityClientId) !== null && _b !== void 0 ? _b : process.env.AZURE_CLIENT_ID;
+    const workloadIdentityClientId = (_c = options === null || options === void 0 ? void 0 : options.workloadIdentityClientId) !== null && _c !== void 0 ? _c : managedIdentityClientId;
     const managedResourceId = options === null || options === void 0 ? void 0 : options.managedIdentityResourceId;
     const workloadFile = process.env.AZURE_FEDERATED_TOKEN_FILE;
-    const tenantId = (_c = options === null || options === void 0 ? void 0 : options.tenantId) !== null && _c !== void 0 ? _c : process.env.AZURE_TENANT_ID;
+    const tenantId = (_d = options === null || options === void 0 ? void 0 : options.tenantId) !== null && _d !== void 0 ? _d : process.env.AZURE_TENANT_ID;
     if (managedResourceId) {
         const managedIdentityResourceIdOptions = Object.assign(Object.assign({}, options), { resourceId: managedResourceId });
         return new ManagedIdentityCredential(managedIdentityResourceIdOptions);
@@ -3880,15 +3915,16 @@ const interactiveBrowserMockable = {
  */
 class MsalOpenBrowser extends MsalNode {
     constructor(options) {
-        var _a, _b;
+        var _a, _b, _c, _d;
         super(options);
         this.loginHint = options.loginHint;
         this.errorTemplate = (_a = options.browserCustomizationOptions) === null || _a === void 0 ? void 0 : _a.errorMessage;
         this.successTemplate = (_b = options.browserCustomizationOptions) === null || _b === void 0 ? void 0 : _b.successMessage;
         this.logger = credentialLogger("Node.js MSAL Open Browser");
+        this.useDefaultBrokerAccount =
+            ((_c = options.brokerOptions) === null || _c === void 0 ? void 0 : _c.enabled) && ((_d = options.brokerOptions) === null || _d === void 0 ? void 0 : _d.useDefaultBrokerAccount);
     }
-    async doGetToken(scopes, options) {
-        var _a;
+    async doGetToken(scopes, options = {}) {
         try {
             const interactiveRequest = {
                 openBrowser: async (url) => {
@@ -3903,30 +3939,70 @@ class MsalOpenBrowser extends MsalNode {
                 successTemplate: this.successTemplate,
             };
             if (hasNativeBroker() && this.enableBroker) {
-                this.logger.verbose("Authentication will resume through the broker");
-                if (this.parentWindowHandle) {
-                    interactiveRequest.windowHandle = Buffer.from(this.parentWindowHandle);
-                }
-                else {
-                    // error should have been thrown from within the constructor of InteractiveBrowserCredential
-                    this.logger.warning("Parent window handle is not specified for the broker. This may cause unexpected behavior. Please provide the parentWindowHandle.");
-                }
-                if (this.enableMsaPassthrough) {
-                    ((_a = interactiveRequest.tokenQueryParameters) !== null && _a !== void 0 ? _a : (interactiveRequest.tokenQueryParameters = {}))["msal_request_type"] =
-                        "consumer_passthrough";
-                }
+                return this.doGetBrokeredToken(scopes, interactiveRequest, {
+                    enableCae: options.enableCae,
+                    useDefaultBrokerAccount: this.useDefaultBrokerAccount,
+                });
             }
+            // If the broker is not enabled, we will fall back to interactive authentication
             if (hasNativeBroker() && !this.enableBroker) {
                 this.logger.verbose("Authentication will resume normally without the broker, since it's not enabled");
             }
+            const result = await this.getApp("public", options === null || options === void 0 ? void 0 : options.enableCae).acquireTokenInteractive(interactiveRequest);
+            return this.handleResult(scopes, result || undefined);
+        }
+        catch (err) {
+            throw handleMsalError(scopes, err, options);
+        }
+    }
+    /**
+     * A helper function that supports brokered authentication through the MSAL's public application.
+     *
+     * When options.useDefaultBrokerAccount is true, the method will attempt to authenticate using the default broker account.
+     * If the default broker account is not available, the method will fall back to interactive authentication.
+     */
+    async doGetBrokeredToken(scopes, interactiveRequest, options) {
+        var _a;
+        this.logger.verbose("Authentication will resume through the broker");
+        if (this.parentWindowHandle) {
+            interactiveRequest.windowHandle = Buffer.from(this.parentWindowHandle);
+        }
+        else {
+            // error should have been thrown from within the constructor of InteractiveBrowserCredential
+            this.logger.warning("Parent window handle is not specified for the broker. This may cause unexpected behavior. Please provide the parentWindowHandle.");
+        }
+        if (this.enableMsaPassthrough) {
+            ((_a = interactiveRequest.tokenQueryParameters) !== null && _a !== void 0 ? _a : (interactiveRequest.tokenQueryParameters = {}))["msal_request_type"] =
+                "consumer_passthrough";
+        }
+        if (options.useDefaultBrokerAccount) {
+            interactiveRequest.prompt = "none";
+            this.logger.verbose("Attempting broker authentication using the default broker account");
+        }
+        else {
+            interactiveRequest.prompt = undefined;
+            this.logger.verbose("Attempting broker authentication without the default broker account");
+        }
+        try {
             const result = await this.getApp("public", options === null || options === void 0 ? void 0 : options.enableCae).acquireTokenInteractive(interactiveRequest);
             if (result.fromNativeBroker) {
                 this.logger.verbose(`This result is returned from native broker`);
             }
             return this.handleResult(scopes, result || undefined);
         }
-        catch (err) {
-            throw handleMsalError(scopes, err, options);
+        catch (e) {
+            this.logger.verbose(`Failed to authenticate through the broker: ${e.message}`);
+            // If we tried to use the default broker account and failed, fall back to interactive authentication
+            if (options.useDefaultBrokerAccount) {
+                return this.doGetBrokeredToken(scopes, interactiveRequest, {
+                    enableCae: options.enableCae,
+                    useDefaultBrokerAccount: false,
+                });
+            }
+            else {
+                // If we're not using the default broker account, throw the error
+                throw handleMsalError(scopes, e);
+            }
         }
     }
 }
@@ -3942,17 +4018,17 @@ class InteractiveBrowserCredential {
     /**
      * Creates an instance of InteractiveBrowserCredential with the details needed.
      *
-     * This credential uses the [Authorization Code Flow](https://learn.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow).
+     * This credential uses the [Authorization Code Flow](https://learn.microsoft.com/entra/identity-platform/v2-oauth2-auth-code-flow).
      * On Node.js, it will open a browser window while it listens for a redirect response from the authentication service.
      * On browsers, it authenticates via popups. The `loginStyle` optional parameter can be set to `redirect` to authenticate by redirecting the user to an Azure secure login page, which then will redirect the user back to the web application where the authentication started.
      *
      * For Node.js, if a `clientId` is provided, the Microsoft Entra application will need to be configured to have a "Mobile and desktop applications" redirect endpoint.
-     * Follow our guide on [setting up Redirect URIs for Desktop apps that calls to web APIs](https://learn.microsoft.com/azure/active-directory/develop/scenario-desktop-app-registration#redirect-uris).
+     * Follow our guide on [setting up Redirect URIs for Desktop apps that calls to web APIs](https://learn.microsoft.com/entra/identity-platform/scenario-desktop-app-registration#redirect-uris).
      *
      * @param options - Options for configuring the client which makes the authentication requests.
      */
     constructor(options) {
-        var _a, _b, _c;
+        var _a, _b, _c, _d;
         const redirectUri = typeof options.redirectUri === "function"
             ? options.redirectUri()
             : options.redirectUri || "http://localhost";
@@ -3969,6 +4045,7 @@ class InteractiveBrowserCredential {
                         enabled: true,
                         parentWindowHandle: ibcNodeOptions.brokerOptions.parentWindowHandle,
                         legacyEnableMsaPassthrough: (_c = ibcNodeOptions.brokerOptions) === null || _c === void 0 ? void 0 : _c.legacyEnableMsaPassthrough,
+                        useDefaultBrokerAccount: (_d = ibcNodeOptions.brokerOptions) === null || _d === void 0 ? void 0 : _d.useDefaultBrokerAccount,
                     } }));
             }
         }
@@ -4183,7 +4260,7 @@ const logger$1 = credentialLogger("AuthorizationCodeCredential");
  * that was obtained through the authorization code flow, described in more detail
  * in the Microsoft Entra ID documentation:
  *
- * https://learn.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow
+ * https://learn.microsoft.com/entra/identity-platform/v2-oauth2-auth-code-flow
  */
 class AuthorizationCodeCredential {
     /**
@@ -4290,7 +4367,7 @@ class MsalOnBehalfOf extends MsalNode {
 const credentialName = "OnBehalfOfCredential";
 const logger = credentialLogger(credentialName);
 /**
- * Enables authentication to Microsoft Entra ID using the [On Behalf Of flow](https://learn.microsoft.com/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow).
+ * Enables authentication to Microsoft Entra ID using the [On Behalf Of flow](https://learn.microsoft.com/entra/identity-platform/v2-oauth2-on-behalf-of-flow).
  */
 class OnBehalfOfCredential {
     constructor(options) {