@azure/identity 4.4.0 → 4.5.0-alpha.20240813.2

package/dist/index.js

@@ -2,24 +2,22 @@
 
 Object.defineProperty(exports, '__esModule', { value: true });
 
-var logger$r = require('@azure/logger');
+var logger$m = require('@azure/logger');
 var coreClient = require('@azure/core-client');
 var coreUtil = require('@azure/core-util');
 var coreRestPipeline = require('@azure/core-rest-pipeline');
-var abortController = require('@azure/abort-controller');
 var coreTracing = require('@azure/core-tracing');
 var fs = require('fs');
 var os = require('os');
 var path = require('path');
+var abortController = require('@azure/abort-controller');
 var msalCommon = require('@azure/msal-node');
-var fs$1 = require('node:fs');
-var https = require('https');
 var open = require('open');
 var promises = require('fs/promises');
 var child_process = require('child_process');
 var crypto = require('crypto');
-var promises$1 = require('node:fs/promises');
 var node_crypto = require('node:crypto');
+var promises$1 = require('node:fs/promises');
 
 function _interopNamespaceDefault(e) {
     var n = Object.create(null);
@@ -46,7 +44,7 @@ var child_process__namespace = /*#__PURE__*/_interopNamespaceDefault(child_proce
 /**
  * Current version of the `@azure/identity` package.
  */
-const SDK_VERSION = `4.4.0`;
+const SDK_VERSION = `4.5.0-beta.2`;
 /**
  * The default client ID for authentication
  * @internal
@@ -196,7 +194,7 @@ const msalPlugins = {
 /**
  * The AzureLogger used for all clients within the identity package
  */
-const logger$q = logger$r.createClientLogger("identity");
+const logger$l = logger$m.createClientLogger("identity");
 /**
  * Separates a list of environment variable names into a plain object with two arrays: an array of missing environment variables and another array with assigned environment variables.
  * @param supportedEnvVars - List of environment variable names
@@ -236,7 +234,7 @@ function formatError(scope, error) {
  *   `[title] => [message]`
  *
  */
-function credentialLoggerInstance(title, parent, log = logger$q) {
+function credentialLoggerInstance(title, parent, log = logger$l) {
     const fullTitle = parent ? `${parent.fullTitle} ${title}` : title;
     function info(message) {
         log.info(`${fullTitle} =>`, message);
@@ -269,7 +267,7 @@ function credentialLoggerInstance(title, parent, log = logger$q) {
  *   `[title] => getToken() => [message]`
  *
  */
-function credentialLogger(title, log = logger$q) {
+function credentialLogger(title, log = logger$l) {
     const credLogger = credentialLoggerInstance(title, undefined, log);
     return Object.assign(Object.assign({}, credLogger), { parent: log, getToken: credentialLoggerInstance("=> getToken()", credLogger, log) });
 }
@@ -291,8 +289,9 @@ const CredentialUnavailableErrorName = "CredentialUnavailableError";
  * an error that should halt the chain, it's caught and the chain continues
  */
 class CredentialUnavailableError extends Error {
-    constructor(message) {
-        super(message);
+    constructor(message, options) {
+        // @ts-expect-error - TypeScript does not recognize this until we use ES2022 as the target; however, all our major runtimes do support the `cause` property
+        super(message, options);
         this.name = CredentialUnavailableErrorName;
     }
 }
@@ -307,7 +306,7 @@ const AuthenticationErrorName = "AuthenticationError";
  */
 class AuthenticationError extends Error {
     // eslint-disable-next-line @typescript-eslint/ban-types
-    constructor(statusCode, errorBody) {
+    constructor(statusCode, errorBody, options) {
         let errorResponse = {
             error: "unknown",
             errorDescription: "An unknown error occurred and no additional details are available.",
@@ -325,8 +324,8 @@ class AuthenticationError extends Error {
             catch (e) {
                 if (statusCode === 400) {
                     errorResponse = {
-                        error: "authority_not_found",
-                        errorDescription: "The specified authority URL was not found.",
+                        error: "invalid_request",
+                        errorDescription: `The service indicated that the request was invalid.\n\n${errorBody}`,
                     };
                 }
                 else {
@@ -343,7 +342,9 @@ class AuthenticationError extends Error {
                 errorDescription: "An unknown error occurred and no additional details are available.",
             };
         }
-        super(`${errorResponse.error} Status code: ${statusCode}\nMore details:\n${errorResponse.errorDescription}`);
+        super(`${errorResponse.error} Status code: ${statusCode}\nMore details:\n${errorResponse.errorDescription},`, 
+        // @ts-expect-error - TypeScript does not recognize this until we use ES2022 as the target; however, all our major runtimes do support the `cause` property
+        options);
         this.statusCode = statusCode;
         this.errorResponse = errorResponse;
         // Ensure that this type reports the correct name
@@ -386,7 +387,9 @@ class AuthenticationRequiredError extends Error {
      * Optional parameters. A message can be specified. The {@link GetTokenOptions} of the request can also be specified to more easily associate the error with the received parameters.
      */
     options) {
-        super(options.message);
+        super(options.message, 
+        // @ts-expect-error - TypeScript does not recognize this until we use ES2022 as the target; however, all our major runtimes do support the `cause` property
+        options.cause ? { cause: options.cause } : undefined);
         this.scopes = options.scopes;
         this.getTokenOptions = options.getTokenOptions;
         this.name = "AuthenticationRequiredError";
@@ -497,8 +500,6 @@ const DefaultScopeSuffix = "/.default";
 const imdsHost = "http://169.254.169.254";
 const imdsEndpointPath = "/metadata/identity/oauth2/token";
 const imdsApiVersion = "2018-02-01";
-const azureArcAPIVersion = "2019-11-01";
-const azureFabricVersion = "2019-07-01-preview";
 
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
@@ -590,14 +591,19 @@ class IdentityClient extends coreClient.ServiceClient {
             } }, options), { userAgentOptions: {
                 userAgentPrefix,
             }, baseUri }));
+        this.allowInsecureConnection = false;
         this.authorityHost = baseUri;
         this.abortControllers = new Map();
         this.allowLoggingAccountIdentifiers = (_b = options === null || options === void 0 ? void 0 : options.loggingOptions) === null || _b === void 0 ? void 0 : _b.allowLoggingAccountIdentifiers;
         // used for WorkloadIdentity
         this.tokenCredentialOptions = Object.assign({}, options);
+        // used for ManagedIdentity
+        if (options === null || options === void 0 ? void 0 : options.allowInsecureConnection) {
+            this.allowInsecureConnection = options.allowInsecureConnection;
+        }
     }
     async sendTokenRequest(request) {
-        logger$q.info(`IdentityClient: sending token request to [${request.url}]`);
+        logger$l.info(`IdentityClient: sending token request to [${request.url}]`);
         const response = await this.sendRequest(request);
         if (response.bodyAsText && (response.status === 200 || response.status === 201)) {
             const parsedBody = JSON.parse(response.bodyAsText);
@@ -612,12 +618,12 @@ class IdentityClient extends coreClient.ServiceClient {
                 },
                 refreshToken: parsedBody.refresh_token,
             };
-            logger$q.info(`IdentityClient: [${request.url}] token acquired, expires on ${token.accessToken.expiresOnTimestamp}`);
+            logger$l.info(`IdentityClient: [${request.url}] token acquired, expires on ${token.accessToken.expiresOnTimestamp}`);
             return token;
         }
         else {
             const error = new AuthenticationError(response.status, response.bodyAsText);
-            logger$q.warning(`IdentityClient: authentication error. HTTP status: ${response.status}, ${error.errorResponse.errorDescription}`);
+            logger$l.warning(`IdentityClient: authentication error. HTTP status: ${response.status}, ${error.errorResponse.errorDescription}`);
             throw error;
         }
     }
@@ -625,7 +631,7 @@ class IdentityClient extends coreClient.ServiceClient {
         if (refreshToken === undefined) {
             return null;
         }
-        logger$q.info(`IdentityClient: refreshing access token with client ID: ${clientId}, scopes: ${scopes} started`);
+        logger$l.info(`IdentityClient: refreshing access token with client ID: ${clientId}, scopes: ${scopes} started`);
         const refreshParams = {
             grant_type: "refresh_token",
             client_id: clientId,
@@ -651,7 +657,7 @@ class IdentityClient extends coreClient.ServiceClient {
                     tracingOptions: updatedOptions.tracingOptions,
                 });
                 const response = await this.sendTokenRequest(request);
-                logger$q.info(`IdentityClient: refreshed token for client ID: ${clientId}`);
+                logger$l.info(`IdentityClient: refreshed token for client ID: ${clientId}`);
                 return response;
             }
             catch (err) {
@@ -660,11 +666,11 @@ class IdentityClient extends coreClient.ServiceClient {
                     // It's likely that the refresh token has expired, so
                     // return null so that the credential implementation will
                     // initiate the authentication flow again.
-                    logger$q.info(`IdentityClient: interaction required for client ID: ${clientId}`);
+                    logger$l.info(`IdentityClient: interaction required for client ID: ${clientId}`);
                     return null;
                 }
                 else {
-                    logger$q.warning(`IdentityClient: failed refreshing token for client ID: ${clientId}: ${err}`);
+                    logger$l.warning(`IdentityClient: failed refreshing token for client ID: ${clientId}: ${err}`);
                     throw err;
                 }
             }
@@ -673,7 +679,7 @@ class IdentityClient extends coreClient.ServiceClient {
     // Here is a custom layer that allows us to abort requests that go through MSAL,
     // since MSAL doesn't allow us to pass options all the way through.
     generateAbortSignal(correlationId) {
-        const controller = new abortController.AbortController();
+        const controller = new AbortController();
         const controllers = this.abortControllers.get(correlationId) || [];
         controllers.push(controller);
         this.abortControllers.set(correlationId, controllers);
@@ -681,7 +687,7 @@ class IdentityClient extends coreClient.ServiceClient {
         controller.signal.onabort = (...params) => {
             this.abortControllers.set(correlationId, undefined);
             if (existingOnAbort) {
-                existingOnAbort(...params);
+                existingOnAbort.apply(controller.signal, params);
             }
         };
         return controller.signal;
@@ -712,6 +718,7 @@ class IdentityClient extends coreClient.ServiceClient {
             url,
             method: "GET",
             body: options === null || options === void 0 ? void 0 : options.body,
+            allowInsecureConnection: this.allowInsecureConnection,
             headers: coreRestPipeline.createHttpHeaders(options === null || options === void 0 ? void 0 : options.headers),
             abortSignal: this.generateAbortSignal(noCorrelationId),
         });
@@ -729,6 +736,7 @@ class IdentityClient extends coreClient.ServiceClient {
             method: "POST",
             body: options === null || options === void 0 ? void 0 : options.body,
             headers: coreRestPipeline.createHttpHeaders(options === null || options === void 0 ? void 0 : options.headers),
+            allowInsecureConnection: this.allowInsecureConnection,
             // MSAL doesn't send the correlation ID on the get requests.
             abortSignal: this.generateAbortSignal(this.getCorrelationId(options)),
         });
@@ -773,10 +781,10 @@ class IdentityClient extends coreClient.ServiceClient {
             }
             const base64Metadata = accessToken.split(".")[1];
             const { appid, upn, tid, oid } = JSON.parse(Buffer.from(base64Metadata, "base64").toString("utf8"));
-            logger$q.info(`[Authenticated account] Client ID: ${appid}. Tenant ID: ${tid}. User Principal Name: ${upn || unavailableUpn}. Object ID (user): ${oid}`);
+            logger$l.info(`[Authenticated account] Client ID: ${appid}. Tenant ID: ${tid}. User Principal Name: ${upn || unavailableUpn}. Object ID (user): ${oid}`);
         }
         catch (e) {
-            logger$q.warning("allowLoggingAccountIdentifiers was set, but we couldn't log the account information. Error:", e.message);
+            logger$l.warning("allowLoggingAccountIdentifiers was set, but we couldn't log the account information. Error:", e.message);
         }
     }
 }
@@ -785,7 +793,7 @@ class IdentityClient extends coreClient.ServiceClient {
 // Licensed under the MIT license.
 const CommonTenantId = "common";
 const AzureAccountClientId = "aebc6443-996d-45c2-90f0-388ff96faa56"; // VSC: 'aebc6443-996d-45c2-90f0-388ff96faa56'
-const logger$p = credentialLogger("VisualStudioCodeCredential");
+const logger$k = credentialLogger("VisualStudioCodeCredential");
 let findCredentials = undefined;
 const vsCodeCredentialControl = {
     setVsCodeCredentialFinder(finder) {
@@ -838,7 +846,7 @@ function getPropertyFromVSCode(property) {
         }
     }
     catch (e) {
-        logger$p.info(`Failed to load the Visual Studio Code configuration file. Error: ${e.message}`);
+        logger$k.info(`Failed to load the Visual Studio Code configuration file. Error: ${e.message}`);
         return;
     }
 }
@@ -871,7 +879,7 @@ class VisualStudioCodeCredential {
         const authorityHost = mapVSCodeAuthorityHosts[this.cloudName];
         this.identityClient = new IdentityClient(Object.assign({ authorityHost }, options));
         if (options && options.tenantId) {
-            checkTenantId(logger$p, options.tenantId);
+            checkTenantId(logger$k, options.tenantId);
             this.tenantId = options.tenantId;
         }
         else {
@@ -911,7 +919,7 @@ class VisualStudioCodeCredential {
     async getToken(scopes, options) {
         var _a, _b;
         await this.prepareOnce();
-        const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds, logger$p) || this.tenantId;
+        const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds, logger$k) || this.tenantId;
         if (findCredentials === undefined) {
             throw new CredentialUnavailableError([
                 "No implementation of `VisualStudioCodeCredential` is available.",
@@ -925,7 +933,7 @@ class VisualStudioCodeCredential {
         // Check to make sure the scope we get back is a valid scope
         if (!scopeString.match(/^[0-9a-zA-Z-.:/]+$/)) {
             const error = new Error("Invalid scope was specified by the user or calling client");
-            logger$p.getToken.info(formatError(scopes, error));
+            logger$k.getToken.info(formatError(scopes, error));
             throw error;
         }
         if (scopeString.indexOf("offline_access") < 0) {
@@ -945,18 +953,18 @@ class VisualStudioCodeCredential {
         if (refreshToken) {
             const tokenResponse = await this.identityClient.refreshAccessToken(tenantId, AzureAccountClientId, scopeString, refreshToken, undefined);
             if (tokenResponse) {
-                logger$p.getToken.info(formatSuccess(scopes));
+                logger$k.getToken.info(formatSuccess(scopes));
                 return tokenResponse.accessToken;
             }
             else {
                 const error = new CredentialUnavailableError("Could not retrieve the token associated with Visual Studio Code. Have you connected using the 'Azure Account' extension recently? To troubleshoot, visit https://aka.ms/azsdk/js/identity/vscodecredential/troubleshoot.");
-                logger$p.getToken.info(formatError(scopes, error));
+                logger$k.getToken.info(formatError(scopes, error));
                 throw error;
             }
         }
         else {
             const error = new CredentialUnavailableError("Could not retrieve the token associated with Visual Studio Code. Did you connect using the 'Azure Account' extension? To troubleshoot, visit https://aka.ms/azsdk/js/identity/vscodecredential/troubleshoot.");
-            logger$p.getToken.info(formatError(scopes, error));
+            logger$k.getToken.info(formatError(scopes, error));
             throw error;
         }
     }
@@ -1005,438 +1013,6 @@ function useIdentityPlugin(plugin) {
     plugin(pluginContext);
 }
 
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-const msiName$6 = "ManagedIdentityCredential - CloudShellMSI";
-const logger$o = credentialLogger(msiName$6);
-/**
- * Generates the options used on the request for an access token.
- */
-function prepareRequestOptions$5(scopes, clientId, resourceId) {
-    const resource = mapScopesToResource(scopes);
-    if (!resource) {
-        throw new Error(`${msiName$6}: Multiple scopes are not supported.`);
-    }
-    const body = {
-        resource,
-    };
-    if (clientId) {
-        body.client_id = clientId;
-    }
-    if (resourceId) {
-        body.msi_res_id = resourceId;
-    }
-    // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
-    if (!process.env.MSI_ENDPOINT) {
-        throw new Error(`${msiName$6}: Missing environment variable: MSI_ENDPOINT`);
-    }
-    const params = new URLSearchParams(body);
-    return {
-        url: process.env.MSI_ENDPOINT,
-        method: "POST",
-        body: params.toString(),
-        headers: coreRestPipeline.createHttpHeaders({
-            Accept: "application/json",
-            Metadata: "true",
-            "Content-Type": "application/x-www-form-urlencoded",
-        }),
-    };
-}
-/**
- * Defines how to determine whether the Azure Cloud Shell MSI is available, and also how to retrieve a token from the Azure Cloud Shell MSI.
- * Since Azure Managed Identities aren't available in the Azure Cloud Shell, we log a warning for users that try to access cloud shell using user assigned identity.
- */
-const cloudShellMsi = {
-    name: "cloudShellMsi",
-    async isAvailable({ scopes }) {
-        const resource = mapScopesToResource(scopes);
-        if (!resource) {
-            logger$o.info(`${msiName$6}: Unavailable. Multiple scopes are not supported.`);
-            return false;
-        }
-        const result = Boolean(process.env.MSI_ENDPOINT);
-        if (!result) {
-            logger$o.info(`${msiName$6}: Unavailable. The environment variable MSI_ENDPOINT is needed.`);
-        }
-        return result;
-    },
-    async getToken(configuration, getTokenOptions = {}) {
-        const { identityClient, scopes, clientId, resourceId } = configuration;
-        if (clientId) {
-            logger$o.warning(`${msiName$6}: user-assigned identities not supported. The argument clientId might be ignored by the service.`);
-        }
-        if (resourceId) {
-            logger$o.warning(`${msiName$6}: user defined managed Identity by resource Id not supported. The argument resourceId might be ignored by the service.`);
-        }
-        logger$o.info(`${msiName$6}: Using the endpoint coming form the environment variable MSI_ENDPOINT = ${process.env.MSI_ENDPOINT}.`);
-        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$5(scopes, clientId, resourceId)), { 
-            // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
-            allowInsecureConnection: true }));
-        const tokenResponse = await identityClient.sendTokenRequest(request);
-        return (tokenResponse && tokenResponse.accessToken) || null;
-    },
-};
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-const msiName$5 = "ManagedIdentityCredential - AppServiceMSI 2017";
-const logger$n = credentialLogger(msiName$5);
-/**
- * Generates the options used on the request for an access token.
- */
-function prepareRequestOptions$4(scopes, clientId) {
-    const resource = mapScopesToResource(scopes);
-    if (!resource) {
-        throw new Error(`${msiName$5}: Multiple scopes are not supported.`);
-    }
-    const queryParameters = {
-        resource,
-        "api-version": "2017-09-01",
-    };
-    if (clientId) {
-        queryParameters.clientid = clientId;
-    }
-    const query = new URLSearchParams(queryParameters);
-    // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
-    if (!process.env.MSI_ENDPOINT) {
-        throw new Error(`${msiName$5}: Missing environment variable: MSI_ENDPOINT`);
-    }
-    if (!process.env.MSI_SECRET) {
-        throw new Error(`${msiName$5}: Missing environment variable: MSI_SECRET`);
-    }
-    return {
-        url: `${process.env.MSI_ENDPOINT}?${query.toString()}`,
-        method: "GET",
-        headers: coreRestPipeline.createHttpHeaders({
-            Accept: "application/json",
-            secret: process.env.MSI_SECRET,
-        }),
-    };
-}
-/**
- * Defines how to determine whether the Azure App Service MSI is available, and also how to retrieve a token from the Azure App Service MSI.
- */
-const appServiceMsi2017 = {
-    name: "appServiceMsi2017",
-    async isAvailable({ scopes }) {
-        const resource = mapScopesToResource(scopes);
-        if (!resource) {
-            logger$n.info(`${msiName$5}: Unavailable. Multiple scopes are not supported.`);
-            return false;
-        }
-        const env = process.env;
-        const result = Boolean(env.MSI_ENDPOINT && env.MSI_SECRET);
-        if (!result) {
-            logger$n.info(`${msiName$5}: Unavailable. The environment variables needed are: MSI_ENDPOINT and MSI_SECRET.`);
-        }
-        return result;
-    },
-    async getToken(configuration, getTokenOptions = {}) {
-        const { identityClient, scopes, clientId, resourceId } = configuration;
-        if (resourceId) {
-            logger$n.warning(`${msiName$5}: managed Identity by resource Id is not supported. Argument resourceId might be ignored by the service.`);
-        }
-        logger$n.info(`${msiName$5}: Using the endpoint and the secret coming form the environment variables: MSI_ENDPOINT=${process.env.MSI_ENDPOINT} and MSI_SECRET=[REDACTED].`);
-        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$4(scopes, clientId)), { 
-            // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
-            allowInsecureConnection: true }));
-        const tokenResponse = await identityClient.sendTokenRequest(request);
-        return (tokenResponse && tokenResponse.accessToken) || null;
-    },
-};
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-const msiName$4 = "ManagedIdentityCredential - AppServiceMSI 2019";
-const logger$m = credentialLogger(msiName$4);
-/**
- * Generates the options used on the request for an access token.
- */
-function prepareRequestOptions$3(scopes, clientId, resourceId) {
-    const resource = mapScopesToResource(scopes);
-    if (!resource) {
-        throw new Error(`${msiName$4}: Multiple scopes are not supported.`);
-    }
-    const queryParameters = {
-        resource,
-        "api-version": "2019-08-01",
-    };
-    if (clientId) {
-        queryParameters.client_id = clientId;
-    }
-    if (resourceId) {
-        queryParameters.mi_res_id = resourceId;
-    }
-    const query = new URLSearchParams(queryParameters);
-    // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
-    if (!process.env.IDENTITY_ENDPOINT) {
-        throw new Error(`${msiName$4}: Missing environment variable: IDENTITY_ENDPOINT`);
-    }
-    if (!process.env.IDENTITY_HEADER) {
-        throw new Error(`${msiName$4}: Missing environment variable: IDENTITY_HEADER`);
-    }
-    return {
-        url: `${process.env.IDENTITY_ENDPOINT}?${query.toString()}`,
-        method: "GET",
-        headers: coreRestPipeline.createHttpHeaders({
-            Accept: "application/json",
-            "X-IDENTITY-HEADER": process.env.IDENTITY_HEADER,
-        }),
-    };
-}
-/**
- * Defines how to determine whether the Azure App Service MSI is available, and also how to retrieve a token from the Azure App Service MSI.
- */
-const appServiceMsi2019 = {
-    name: "appServiceMsi2019",
-    async isAvailable({ scopes }) {
-        const resource = mapScopesToResource(scopes);
-        if (!resource) {
-            logger$m.info(`${msiName$4}: Unavailable. Multiple scopes are not supported.`);
-            return false;
-        }
-        const env = process.env;
-        const result = Boolean(env.IDENTITY_ENDPOINT && env.IDENTITY_HEADER);
-        if (!result) {
-            logger$m.info(`${msiName$4}: Unavailable. The environment variables needed are: IDENTITY_ENDPOINT and IDENTITY_HEADER.`);
-        }
-        return result;
-    },
-    async getToken(configuration, getTokenOptions = {}) {
-        const { identityClient, scopes, clientId, resourceId } = configuration;
-        logger$m.info(`${msiName$4}: Using the endpoint and the secret coming form the environment variables: IDENTITY_ENDPOINT=${process.env.IDENTITY_ENDPOINT} and IDENTITY_HEADER=[REDACTED].`);
-        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$3(scopes, clientId, resourceId)), { 
-            // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
-            allowInsecureConnection: true }));
-        const tokenResponse = await identityClient.sendTokenRequest(request);
-        return (tokenResponse && tokenResponse.accessToken) || null;
-    },
-};
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-const msiName$3 = "ManagedIdentityCredential - Azure Arc MSI";
-const logger$l = credentialLogger(msiName$3);
-/**
- * Generates the options used on the request for an access token.
- */
-function prepareRequestOptions$2(scopes, clientId, resourceId) {
-    const resource = mapScopesToResource(scopes);
-    if (!resource) {
-        throw new Error(`${msiName$3}: Multiple scopes are not supported.`);
-    }
-    const queryParameters = {
-        resource,
-        "api-version": azureArcAPIVersion,
-    };
-    if (clientId) {
-        queryParameters.client_id = clientId;
-    }
-    if (resourceId) {
-        queryParameters.msi_res_id = resourceId;
-    }
-    // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
-    if (!process.env.IDENTITY_ENDPOINT) {
-        throw new Error(`${msiName$3}: Missing environment variable: IDENTITY_ENDPOINT`);
-    }
-    const query = new URLSearchParams(queryParameters);
-    return coreRestPipeline.createPipelineRequest({
-        // Should be similar to: http://localhost:40342/metadata/identity/oauth2/token
-        url: `${process.env.IDENTITY_ENDPOINT}?${query.toString()}`,
-        method: "GET",
-        headers: coreRestPipeline.createHttpHeaders({
-            Accept: "application/json",
-            Metadata: "true",
-        }),
-    });
-}
-/**
- * Does a request to the authentication provider that results in a file path.
- */
-async function filePathRequest(identityClient, requestPrepareOptions) {
-    const response = await identityClient.sendRequest(coreRestPipeline.createPipelineRequest(requestPrepareOptions));
-    if (response.status !== 401) {
-        let message = "";
-        if (response.bodyAsText) {
-            message = ` Response: ${response.bodyAsText}`;
-        }
-        throw new AuthenticationError(response.status, `${msiName$3}: To authenticate with Azure Arc MSI, status code 401 is expected on the first request. ${message}`);
-    }
-    const authHeader = response.headers.get("www-authenticate") || "";
-    try {
-        return authHeader.split("=").slice(1)[0];
-    }
-    catch (e) {
-        throw Error(`Invalid www-authenticate header format: ${authHeader}`);
-    }
-}
-function platformToFilePath() {
-    switch (process.platform) {
-        case "win32":
-            if (!process.env.PROGRAMDATA) {
-                throw new Error(`${msiName$3}: PROGRAMDATA environment variable has no value.`);
-            }
-            return `${process.env.PROGRAMDATA}\\AzureConnectedMachineAgent\\Tokens`;
-        case "linux":
-            return "/var/opt/azcmagent/tokens";
-        default:
-            throw new Error(`${msiName$3}: Unsupported platform ${process.platform}.`);
-    }
-}
-/**
- * Validates that a given Azure Arc MSI file path is valid for use.
- *
- * A valid file will:
- * 1. Be in the expected path for the current platform.
- * 2. Have a `.key` extension.
- * 3. Be at most 4096 bytes in size.
- */
-function validateKeyFile(filePath) {
-    if (!filePath) {
-        throw new Error(`${msiName$3}: Failed to find the token file.`);
-    }
-    if (!filePath.endsWith(".key")) {
-        throw new Error(`${msiName$3}: unexpected file path from HIMDS service: ${filePath}.`);
-    }
-    const expectedPath = platformToFilePath();
-    if (!filePath.startsWith(expectedPath)) {
-        throw new Error(`${msiName$3}: unexpected file path from HIMDS service: ${filePath}.`);
-    }
-    const stats = fs$1.statSync(filePath);
-    if (stats.size > 4096) {
-        throw new Error(`${msiName$3}: The file at ${filePath} is larger than expected at ${stats.size} bytes.`);
-    }
-}
-/**
- * Defines how to determine whether the Azure Arc MSI is available, and also how to retrieve a token from the Azure Arc MSI.
- */
-const arcMsi = {
-    name: "arc",
-    async isAvailable({ scopes }) {
-        const resource = mapScopesToResource(scopes);
-        if (!resource) {
-            logger$l.info(`${msiName$3}: Unavailable. Multiple scopes are not supported.`);
-            return false;
-        }
-        const result = Boolean(process.env.IMDS_ENDPOINT && process.env.IDENTITY_ENDPOINT);
-        if (!result) {
-            logger$l.info(`${msiName$3}: The environment variables needed are: IMDS_ENDPOINT and IDENTITY_ENDPOINT`);
-        }
-        return result;
-    },
-    async getToken(configuration, getTokenOptions = {}) {
-        var _a;
-        const { identityClient, scopes, clientId, resourceId } = configuration;
-        if (clientId) {
-            logger$l.warning(`${msiName$3}: user-assigned identities not supported. The argument clientId might be ignored by the service.`);
-        }
-        if (resourceId) {
-            logger$l.warning(`${msiName$3}: user defined managed Identity by resource Id is not supported. Argument resourceId will be ignored.`);
-        }
-        logger$l.info(`${msiName$3}: Authenticating.`);
-        const requestOptions = Object.assign(Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$2(scopes, clientId, resourceId)), { allowInsecureConnection: true });
-        const filePath = await filePathRequest(identityClient, requestOptions);
-        validateKeyFile(filePath);
-        const key = await fs$1.promises.readFile(filePath, { encoding: "utf-8" });
-        (_a = requestOptions.headers) === null || _a === void 0 ? void 0 : _a.set("Authorization", `Basic ${key}`);
-        const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({}, requestOptions), { 
-            // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
-            allowInsecureConnection: true }));
-        const tokenResponse = await identityClient.sendTokenRequest(request);
-        return (tokenResponse && tokenResponse.accessToken) || null;
-    },
-};
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-// This MSI can be easily tested by deploying a container to Azure Service Fabric with the Dockerfile:
-//
-//   FROM node:12
-//   RUN wget https://host.any/path/bash.sh
-//   CMD ["bash", "bash.sh"]
-//
-// Where the bash script contains:
-//
-//   curl --insecure $IDENTITY_ENDPOINT'?api-version=2019-07-01-preview&resource=https://vault.azure.net/' -H "Secret: $IDENTITY_HEADER"
-//
-const msiName$2 = "ManagedIdentityCredential - Fabric MSI";
-const logger$k = credentialLogger(msiName$2);
-/**
- * Generates the options used on the request for an access token.
- */
-function prepareRequestOptions$1(scopes, clientId, resourceId) {
-    const resource = mapScopesToResource(scopes);
-    if (!resource) {
-        throw new Error(`${msiName$2}: Multiple scopes are not supported.`);
-    }
-    const queryParameters = {
-        resource,
-        "api-version": azureFabricVersion,
-    };
-    if (clientId) {
-        queryParameters.client_id = clientId;
-    }
-    if (resourceId) {
-        queryParameters.msi_res_id = resourceId;
-    }
-    const query = new URLSearchParams(queryParameters);
-    // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
-    if (!process.env.IDENTITY_ENDPOINT) {
-        throw new Error("Missing environment variable: IDENTITY_ENDPOINT");
-    }
-    if (!process.env.IDENTITY_HEADER) {
-        throw new Error("Missing environment variable: IDENTITY_HEADER");
-    }
-    return {
-        url: `${process.env.IDENTITY_ENDPOINT}?${query.toString()}`,
-        method: "GET",
-        headers: coreRestPipeline.createHttpHeaders({
-            Accept: "application/json",
-            secret: process.env.IDENTITY_HEADER,
-        }),
-    };
-}
-/**
- * Defines how to determine whether the Azure Service Fabric MSI is available, and also how to retrieve a token from the Azure Service Fabric MSI.
- */
-const fabricMsi = {
-    name: "fabricMsi",
-    async isAvailable({ scopes }) {
-        const resource = mapScopesToResource(scopes);
-        if (!resource) {
-            logger$k.info(`${msiName$2}: Unavailable. Multiple scopes are not supported.`);
-            return false;
-        }
-        const env = process.env;
-        const result = Boolean(env.IDENTITY_ENDPOINT && env.IDENTITY_HEADER && env.IDENTITY_SERVER_THUMBPRINT);
-        if (!result) {
-            logger$k.info(`${msiName$2}: Unavailable. The environment variables needed are: IDENTITY_ENDPOINT, IDENTITY_HEADER and IDENTITY_SERVER_THUMBPRINT`);
-        }
-        return result;
-    },
-    async getToken(configuration, getTokenOptions = {}) {
-        const { scopes, identityClient, clientId, resourceId } = configuration;
-        if (resourceId) {
-            logger$k.warning(`${msiName$2}: user defined managed Identity by resource Id is not supported. Argument resourceId might be ignored by the service.`);
-        }
-        logger$k.info([
-            `${msiName$2}:`,
-            "Using the endpoint and the secret coming from the environment variables:",
-            `IDENTITY_ENDPOINT=${process.env.IDENTITY_ENDPOINT},`,
-            "IDENTITY_HEADER=[REDACTED] and",
-            "IDENTITY_SERVER_THUMBPRINT=[REDACTED].",
-        ].join(" "));
-        const request = coreRestPipeline.createPipelineRequest(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$1(scopes, clientId, resourceId)));
-        request.agent = new https.Agent({
-            // This is necessary because Service Fabric provides a self-signed certificate.
-            // The alternative path is to verify the certificate using the IDENTITY_SERVER_THUMBPRINT env variable.
-            rejectUnauthorized: false,
-        });
-        const tokenResponse = await identityClient.sendTokenRequest(request);
-        return (tokenResponse && tokenResponse.accessToken) || null;
-    },
-};
-
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 /**
@@ -1776,6 +1352,41 @@ const imdsMsi = {
     },
 };
 
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+// Matches the default retry configuration in expontentialRetryStrategy.ts
+const DEFAULT_CLIENT_MAX_RETRY_INTERVAL = 1000 * 64;
+/**
+ * An additional policy that retries on 404 errors. The default retry policy does not retry on
+ * 404s, but the IMDS endpoint can return 404s when the token is not yet available. This policy
+ * will retry on 404s with an exponential backoff.
+ *
+ * @param msiRetryConfig - The retry configuration for the MSI credential.
+ * @returns - The policy that will retry on 404s.
+ */
+function imdsRetryPolicy(msiRetryConfig) {
+    return coreRestPipeline.retryPolicy([
+        {
+            name: "imdsRetryPolicy",
+            retry: ({ retryCount, response }) => {
+                if ((response === null || response === void 0 ? void 0 : response.status) !== 404) {
+                    return { skipStrategy: true };
+                }
+                // Exponentially increase the delay each time
+                const exponentialDelay = msiRetryConfig.startDelayInMs * Math.pow(2, retryCount);
+                // Don't let the delay exceed the maximum
+                const clampedExponentialDelay = Math.min(DEFAULT_CLIENT_MAX_RETRY_INTERVAL, exponentialDelay);
+                // Allow the final value to have some "jitter" (within 50% of the delay size) so
+                // that retries across multiple clients don't occur simultaneously.
+                const retryAfterInMs = clampedExponentialDelay / 2 + coreUtil.getRandomIntegerInclusive(0, clampedExponentialDelay / 2);
+                return { retryAfterInMs };
+            },
+        },
+    ], {
+        maxRetries: msiRetryConfig.maxRetries,
+    });
+}
+
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 /**
@@ -1918,6 +1529,10 @@ function calculateRegionalAuthority(regionalAuthority) {
 
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
+/**
+ * The default logger used if no logger was passed in by the credential.
+ */
+const msalLogger = credentialLogger("MsalClient");
 /**
  * A call to open(), but mockable
  * @internal
@@ -1925,13 +1540,6 @@ function calculateRegionalAuthority(regionalAuthority) {
 const interactiveBrowserMockable = {
     open,
 };
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-/**
- * The default logger used if no logger was passed in by the credential.
- */
-const msalLogger = credentialLogger("MsalClient");
 /**
  * Generates the configuration for MSAL (Microsoft Authentication Library).
  *
@@ -1956,7 +1564,7 @@ function generateMsalConfiguration(clientId, tenantId, msalClientOptions = {}) {
             networkClient: httpClient,
             loggerOptions: {
                 loggerCallback: defaultLoggerCallback((_c = msalClientOptions.logger) !== null && _c !== void 0 ? _c : msalLogger),
-                logLevel: getMSALLogLevel(logger$r.getLogLevel()),
+                logLevel: getMSALLogLevel(logger$m.getLogLevel()),
                 piiLoggingEnabled: (_d = msalClientOptions.loggingOptions) === null || _d === void 0 ? void 0 : _d.enableUnsafeSupportLogging,
             },
         },
@@ -2377,8 +1985,14 @@ class ClientAssertionCredential {
      * @param options - Options for configuring the client which makes the authentication request.
      */
     constructor(tenantId, clientId, getAssertion, options = {}) {
-        if (!tenantId || !clientId || !getAssertion) {
-            throw new Error("ClientAssertionCredential: tenantId, clientId, and clientAssertion are required parameters.");
+        if (!tenantId) {
+            throw new CredentialUnavailableError("ClientAssertionCredential: tenantId is a required parameter.");
+        }
+        if (!clientId) {
+            throw new CredentialUnavailableError("ClientAssertionCredential: clientId is a required parameter.");
+        }
+        if (!getAssertion) {
+            throw new CredentialUnavailableError("ClientAssertionCredential: clientAssertion is a required parameter.");
         }
         this.tenantId = tenantId;
         this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
@@ -2453,10 +2067,20 @@ class WorkloadIdentityCredential {
         if (tenantId) {
             checkTenantId(logger$g, tenantId);
         }
-        if (clientId && tenantId && this.federatedTokenFilePath) {
-            logger$g.info(`Invoking ClientAssertionCredential with tenant ID: ${tenantId}, clientId: ${workloadIdentityCredentialOptions.clientId} and federated token path: [REDACTED]`);
-            this.client = new ClientAssertionCredential(tenantId, clientId, this.readFileContents.bind(this), options);
+        if (!clientId) {
+            throw new CredentialUnavailableError(`${credentialName$4}: is unavailable. clientId is a required parameter. In DefaultAzureCredential and ManagedIdentityCredential, this can be provided as an environment variable - "AZURE_CLIENT_ID".
+        See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/workloadidentitycredential/troubleshoot`);
+        }
+        if (!tenantId) {
+            throw new CredentialUnavailableError(`${credentialName$4}: is unavailable. tenantId is a required parameter. In DefaultAzureCredential and ManagedIdentityCredential, this can be provided as an environment variable - "AZURE_TENANT_ID".
+        See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/workloadidentitycredential/troubleshoot`);
         }
+        if (!this.federatedTokenFilePath) {
+            throw new CredentialUnavailableError(`${credentialName$4}: is unavailable. federatedTokenFilePath is a required parameter. In DefaultAzureCredential and ManagedIdentityCredential, this can be provided as an environment variable - "AZURE_FEDERATED_TOKEN_FILE".
+        See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/workloadidentitycredential/troubleshoot`);
+        }
+        logger$g.info(`Invoking ClientAssertionCredential with tenant ID: ${tenantId}, clientId: ${workloadIdentityCredentialOptions.clientId} and federated token path: [REDACTED]`);
+        this.client = new ClientAssertionCredential(tenantId, clientId, this.readFileContents.bind(this), options);
     }
     /**
      * Authenticates with Microsoft Entra ID and returns an access token if successful.
@@ -2472,7 +2096,7 @@ class WorkloadIdentityCredential {
       In DefaultAzureCredential and ManagedIdentityCredential, these can be provided as environment variables - 
       "AZURE_TENANT_ID",
       "AZURE_CLIENT_ID",
-      "AZURE_FEDERATED_TOKEN_FILE". See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/workloadidentitycredential/troubleshoot  `;
+      "AZURE_FEDERATED_TOKEN_FILE". See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/workloadidentitycredential/troubleshoot`;
             logger$g.info(errorMessage);
             throw new CredentialUnavailableError(errorMessage);
         }
@@ -2509,132 +2133,76 @@ const logger$f = credentialLogger(msiName);
 /**
  * Defines how to determine whether the token exchange MSI is available, and also how to retrieve a token from the token exchange MSI.
  */
-function tokenExchangeMsi() {
-    return {
-        name: "tokenExchangeMsi",
-        async isAvailable({ clientId }) {
-            const env = process.env;
-            const result = Boolean((clientId || env.AZURE_CLIENT_ID) &&
-                env.AZURE_TENANT_ID &&
-                process.env.AZURE_FEDERATED_TOKEN_FILE);
-            if (!result) {
-                logger$f.info(`${msiName}: Unavailable. The environment variables needed are: AZURE_CLIENT_ID (or the client ID sent through the parameters), AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE`);
-            }
-            return result;
-        },
-        async getToken(configuration, getTokenOptions = {}) {
-            const { scopes, clientId } = configuration;
-            const identityClientTokenCredentialOptions = {};
-            const workloadIdentityCredential = new WorkloadIdentityCredential(Object.assign(Object.assign({ clientId, tenantId: process.env.AZURE_TENANT_ID, tokenFilePath: process.env.AZURE_FEDERATED_TOKEN_FILE }, identityClientTokenCredentialOptions), { disableInstanceDiscovery: true }));
-            const token = await workloadIdentityCredential.getToken(scopes, getTokenOptions);
-            return token;
-        },
-    };
-}
+const tokenExchangeMsi = {
+    name: "tokenExchangeMsi",
+    async isAvailable({ clientId }) {
+        const env = process.env;
+        const result = Boolean((clientId || env.AZURE_CLIENT_ID) &&
+            env.AZURE_TENANT_ID &&
+            process.env.AZURE_FEDERATED_TOKEN_FILE);
+        if (!result) {
+            logger$f.info(`${msiName}: Unavailable. The environment variables needed are: AZURE_CLIENT_ID (or the client ID sent through the parameters), AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE`);
+        }
+        return result;
+    },
+    async getToken(configuration, getTokenOptions = {}) {
+        const { scopes, clientId } = configuration;
+        const identityClientTokenCredentialOptions = {};
+        const workloadIdentityCredential = new WorkloadIdentityCredential(Object.assign(Object.assign({ clientId, tenantId: process.env.AZURE_TENANT_ID, tokenFilePath: process.env.AZURE_FEDERATED_TOKEN_FILE }, identityClientTokenCredentialOptions), { disableInstanceDiscovery: true }));
+        return workloadIdentityCredential.getToken(scopes, getTokenOptions);
+    },
+};
 
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
-const logger$e = credentialLogger("ManagedIdentityCredential");
-class LegacyMsiProvider {
-    constructor(clientIdOrOptions, options) {
+const logger$e = credentialLogger("ManagedIdentityCredential(MSAL)");
+class MsalMsiProvider {
+    constructor(clientIdOrOptions, options = {}) {
         var _a, _b;
-        this.isEndpointUnavailable = null;
-        this.isAppTokenProviderInitialized = false;
         this.msiRetryConfig = {
             maxRetries: 5,
             startDelayInMs: 800,
             intervalIncrement: 2,
         };
-        let _options;
+        let _options = {};
         if (typeof clientIdOrOptions === "string") {
             this.clientId = clientIdOrOptions;
             _options = options;
         }
         else {
             this.clientId = clientIdOrOptions === null || clientIdOrOptions === void 0 ? void 0 : clientIdOrOptions.clientId;
-            _options = clientIdOrOptions;
+            _options = clientIdOrOptions !== null && clientIdOrOptions !== void 0 ? clientIdOrOptions : {};
         }
         this.resourceId = _options === null || _options === void 0 ? void 0 : _options.resourceId;
         // For JavaScript users.
         if (this.clientId && this.resourceId) {
             throw new Error(`ManagedIdentityCredential - Client Id and Resource Id can't be provided at the same time.`);
         }
+        // ManagedIdentity uses http for local requests
+        _options.allowInsecureConnection = true;
         if (((_a = _options === null || _options === void 0 ? void 0 : _options.retryOptions) === null || _a === void 0 ? void 0 : _a.maxRetries) !== undefined) {
             this.msiRetryConfig.maxRetries = _options.retryOptions.maxRetries;
         }
-        this.identityClient = new IdentityClient(_options);
-        this.isAvailableIdentityClient = new IdentityClient(Object.assign(Object.assign({}, _options), { retryOptions: {
-                maxRetries: 0,
-            } }));
-        /**  authority host validation and metadata discovery to be skipped in managed identity
-         * since this wasn't done previously before adding token cache support
-         */
-        this.confidentialApp = new msalCommon.ConfidentialClientApplication({
-            auth: {
-                authority: "https://login.microsoftonline.com/managed_identity",
-                clientId: (_b = this.clientId) !== null && _b !== void 0 ? _b : DeveloperSignOnClientId,
-                clientSecret: "dummy-secret",
-                cloudDiscoveryMetadata: '{"tenant_discovery_endpoint":"https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration","api-version":"1.1","metadata":[{"preferred_network":"login.microsoftonline.com","preferred_cache":"login.windows.net","aliases":["login.microsoftonline.com","login.windows.net","login.microsoft.com","sts.windows.net"]},{"preferred_network":"login.partner.microsoftonline.cn","preferred_cache":"login.partner.microsoftonline.cn","aliases":["login.partner.microsoftonline.cn","login.chinacloudapi.cn"]},{"preferred_network":"login.microsoftonline.de","preferred_cache":"login.microsoftonline.de","aliases":["login.microsoftonline.de"]},{"preferred_network":"login.microsoftonline.us","preferred_cache":"login.microsoftonline.us","aliases":["login.microsoftonline.us","login.usgovcloudapi.net"]},{"preferred_network":"login-us.microsoftonline.com","preferred_cache":"login-us.microsoftonline.com","aliases":["login-us.microsoftonline.com"]}]}',
-                authorityMetadata: '{"token_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/token","token_endpoint_auth_methods_supported":["client_secret_post","private_key_jwt","client_secret_basic"],"jwks_uri":"https://login.microsoftonline.com/common/discovery/v2.0/keys","response_modes_supported":["query","fragment","form_post"],"subject_types_supported":["pairwise"],"id_token_signing_alg_values_supported":["RS256"],"response_types_supported":["code","id_token","code id_token","id_token token"],"scopes_supported":["openid","profile","email","offline_access"],"issuer":"https://login.microsoftonline.com/{tenantid}/v2.0","request_uri_parameter_supported":false,"userinfo_endpoint":"https://graph.microsoft.com/oidc/userinfo","authorization_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/authorize","device_authorization_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/devicecode","http_logout_supported":true,"frontchannel_logout_supported":true,"end_session_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/logout","claims_supported":["sub","iss","cloud_instance_name","cloud_instance_host_name","cloud_graph_host_name","msgraph_host","aud","exp","iat","auth_time","acr","nonce","preferred_username","name","tid","ver","at_hash","c_hash","email"],"kerberos_endpoint":"https://login.microsoftonline.com/common/kerberos","tenant_region_scope":null,"cloud_instance_name":"microsoftonline.com","cloud_graph_host_name":"graph.windows.net","msgraph_host":"graph.microsoft.com","rbac_url":"https://pas.windows.net"}',
-                clientCapabilities: [],
+        this.identityClient = new IdentityClient(Object.assign(Object.assign({}, _options), { additionalPolicies: [{ policy: imdsRetryPolicy(this.msiRetryConfig), position: "perCall" }] }));
+        this.managedIdentityApp = new msalCommon.ManagedIdentityApplication({
+            managedIdentityIdParams: {
+                userAssignedClientId: this.clientId,
+                userAssignedResourceId: this.resourceId,
             },
             system: {
+                // todo: proxyUrl?
+                disableInternalRetries: true,
+                networkClient: this.identityClient,
                 loggerOptions: {
-                    logLevel: getMSALLogLevel(logger$r.getLogLevel()),
+                    logLevel: getMSALLogLevel(logger$m.getLogLevel()),
+                    piiLoggingEnabled: (_b = options.loggingOptions) === null || _b === void 0 ? void 0 : _b.enableUnsafeSupportLogging,
+                    loggerCallback: defaultLoggerCallback(logger$e),
                 },
             },
         });
-    }
-    async cachedAvailableMSI(scopes, getTokenOptions) {
-        if (this.cachedMSI) {
-            return this.cachedMSI;
-        }
-        const MSIs = [
-            arcMsi,
-            fabricMsi,
-            appServiceMsi2019,
-            appServiceMsi2017,
-            cloudShellMsi,
-            tokenExchangeMsi(),
-            imdsMsi,
-        ];
-        for (const msi of MSIs) {
-            if (await msi.isAvailable({
-                scopes,
-                identityClient: this.isAvailableIdentityClient,
-                clientId: this.clientId,
-                resourceId: this.resourceId,
-                getTokenOptions,
-            })) {
-                this.cachedMSI = msi;
-                return msi;
-            }
-        }
-        throw new CredentialUnavailableError(`ManagedIdentityCredential - No MSI credential available`);
-    }
-    async authenticateManagedIdentity(scopes, getTokenOptions) {
-        const { span, updatedOptions } = tracingClient.startSpan(`ManagedIdentityCredential.authenticateManagedIdentity`, getTokenOptions);
-        try {
-            // Determining the available MSI, and avoiding checking for other MSIs while the program is running.
-            const availableMSI = await this.cachedAvailableMSI(scopes, updatedOptions);
-            return availableMSI.getToken({
-                identityClient: this.identityClient,
-                scopes,
-                clientId: this.clientId,
-                resourceId: this.resourceId,
-                retryConfig: this.msiRetryConfig,
-            }, updatedOptions);
-        }
-        catch (err) {
-            span.setStatus({
-                status: "error",
-                error: err,
-            });
-            throw err;
-        }
-        finally {
-            span.end();
-        }
+        this.isAvailableIdentityClient = new IdentityClient(Object.assign(Object.assign({}, _options), { retryOptions: {
+                maxRetries: 0,
+            } }));
     }
     /**
      * Authenticates with Microsoft Entra ID and returns an access token if successful.
@@ -2645,133 +2213,93 @@ class LegacyMsiProvider {
      * @param options - The options used to configure any requests this
      *                TokenCredential implementation might make.
      */
-    async getToken(scopes, options) {
-        let result = null;
-        const { span, updatedOptions } = tracingClient.startSpan(`ManagedIdentityCredential.getToken`, options);
-        try {
-            // isEndpointAvailable can be true, false, or null,
-            // If it's null, it means we don't yet know whether
-            // the endpoint is available and need to check for it.
-            if (this.isEndpointUnavailable !== true) {
-                const availableMSI = await this.cachedAvailableMSI(scopes, updatedOptions);
-                if (availableMSI.name === "tokenExchangeMsi") {
-                    result = await this.authenticateManagedIdentity(scopes, updatedOptions);
-                }
-                else {
-                    const appTokenParameters = {
-                        correlationId: this.identityClient.getCorrelationId(),
-                        tenantId: (options === null || options === void 0 ? void 0 : options.tenantId) || "managed_identity",
-                        scopes: Array.isArray(scopes) ? scopes : [scopes],
-                        claims: options === null || options === void 0 ? void 0 : options.claims,
-                    };
-                    // Added a check to see if SetAppTokenProvider was already defined.
-                    this.initializeSetAppTokenProvider();
-                    const authenticationResult = await this.confidentialApp.acquireTokenByClientCredential(Object.assign({}, appTokenParameters));
-                    result = this.handleResult(scopes, authenticationResult || undefined);
+    async getToken(scopes, options = {}) {
+        logger$e.getToken.info("Using the MSAL provider for Managed Identity.");
+        const resource = mapScopesToResource(scopes);
+        if (!resource) {
+            throw new CredentialUnavailableError(`ManagedIdentityCredential: Multiple scopes are not supported. Scopes: ${JSON.stringify(scopes)}`);
+        }
+        return tracingClient.withSpan("ManagedIdentityCredential.getToken", options, async () => {
+            try {
+                const isTokenExchangeMsi = await tokenExchangeMsi.isAvailable({
+                    scopes,
+                    clientId: this.clientId,
+                    getTokenOptions: options,
+                    identityClient: this.identityClient,
+                    resourceId: this.resourceId,
+                });
+                // Most scenarios are handled by MSAL except for two:
+                // AKS pod identity - MSAL does not implement the token exchange flow.
+                // IMDS Endpoint probing - MSAL does not do any probing before trying to get a token.
+                // As a DefaultAzureCredential optimization we probe the IMDS endpoint with a short timeout and no retries before actually trying to get a token
+                // We will continue to implement these features in the Identity library.
+                const identitySource = this.managedIdentityApp.getManagedIdentitySource();
+                const isImdsMsi = identitySource === "DefaultToImds" || identitySource === "Imds"; // Neither actually checks that IMDS endpoint is available, just that it's the source the MSAL _would_ try to use.
+                logger$e.getToken.info(`MSAL Identity source: ${identitySource}`);
+                if (isTokenExchangeMsi) {
+                    // In the AKS scenario we will use the existing tokenExchangeMsi indefinitely.
+                    logger$e.getToken.info("Using the token exchange managed identity.");
+                    const result = await tokenExchangeMsi.getToken({
+                        scopes,
+                        clientId: this.clientId,
+                        identityClient: this.identityClient,
+                        retryConfig: this.msiRetryConfig,
+                        resourceId: this.resourceId,
+                    });
+                    if (result === null) {
+                        throw new CredentialUnavailableError("Attempted to use the token exchange managed identity, but received a null response.");
+                    }
+                    return result;
                 }
-                if (result === null) {
-                    // If authenticateManagedIdentity returns null,
-                    // it means no MSI endpoints are available.
-                    // If so, we avoid trying to reach to them in future requests.
-                    this.isEndpointUnavailable = true;
-                    // It also means that the endpoint answered with either 200 or 201 (see the sendTokenRequest method),
-                    // yet we had no access token. For this reason, we'll throw once with a specific message:
-                    const error = new CredentialUnavailableError("The managed identity endpoint was reached, yet no tokens were received.");
-                    logger$e.getToken.info(formatError(scopes, error));
-                    throw error;
+                else if (isImdsMsi) {
+                    // In the IMDS scenario we will probe the IMDS endpoint to ensure it's available before trying to get a token.
+                    // If the IMDS endpoint is not available and this is the source that MSAL will use, we will fail-fast with an error that tells DAC to move to the next credential.
+                    logger$e.getToken.info("Using the IMDS endpoint to probe for availability.");
+                    const isAvailable = await imdsMsi.isAvailable({
+                        scopes,
+                        clientId: this.clientId,
+                        getTokenOptions: options,
+                        identityClient: this.isAvailableIdentityClient,
+                        resourceId: this.resourceId,
+                    });
+                    if (!isAvailable) {
+                        throw new CredentialUnavailableError(`ManagedIdentityCredential: Attempted to use the IMDS endpoint, but it is not available.`);
+                    }
                 }
-                // Since `authenticateManagedIdentity` didn't throw, and the result was not null,
-                // We will assume that this endpoint is reachable from this point forward,
-                // and avoid pinging again to it.
-                this.isEndpointUnavailable = false;
-            }
-            else {
-                // We've previously determined that the endpoint was unavailable,
-                // either because it was unreachable or permanently unable to authenticate.
-                const error = new CredentialUnavailableError("The managed identity endpoint is not currently available");
-                logger$e.getToken.info(formatError(scopes, error));
-                throw error;
-            }
-            logger$e.getToken.info(formatSuccess(scopes));
-            return result;
-        }
-        catch (err) {
-            // CredentialUnavailable errors are expected to reach here.
-            // We intend them to bubble up, so that DefaultAzureCredential can catch them.
-            if (err.name === "AuthenticationRequiredError") {
-                throw err;
-            }
-            // Expected errors to reach this point:
-            // - Errors coming from a method unexpectedly breaking.
-            // - When identityClient.sendTokenRequest throws, in which case
-            //   if the status code was 400, it means that the endpoint is working,
-            //   but no identity is available.
-            span.setStatus({
-                status: "error",
-                error: err,
-            });
-            // If either the network is unreachable,
-            // we can safely assume the credential is unavailable.
-            if (err.code === "ENETUNREACH") {
-                const error = new CredentialUnavailableError(`ManagedIdentityCredential: Unavailable. Network unreachable. Message: ${err.message}`);
-                logger$e.getToken.info(formatError(scopes, error));
-                throw error;
-            }
-            // If either the host was unreachable,
-            // we can safely assume the credential is unavailable.
-            if (err.code === "EHOSTUNREACH") {
-                const error = new CredentialUnavailableError(`ManagedIdentityCredential: Unavailable. No managed identity endpoint found. Message: ${err.message}`);
-                logger$e.getToken.info(formatError(scopes, error));
-                throw error;
-            }
-            // If err.statusCode has a value of 400, it comes from sendTokenRequest,
-            // and it means that the endpoint is working, but that no identity is available.
-            if (err.statusCode === 400) {
-                throw new CredentialUnavailableError(`ManagedIdentityCredential: The managed identity endpoint is indicating there's no available identity. Message: ${err.message}`);
+                // If we got this far, it means:
+                // - This is not a tokenExchangeMsi,
+                // - We already probed for IMDS endpoint availability and failed-fast if it's unreachable.
+                // We can proceed normally by calling MSAL for a token.
+                logger$e.getToken.info("Calling into MSAL for managed identity token.");
+                const token = await this.managedIdentityApp.acquireToken({
+                    resource,
+                });
+                this.ensureValidMsalToken(scopes, token, options);
+                logger$e.getToken.info(formatSuccess(scopes));
+                return {
+                    expiresOnTimestamp: token.expiresOn.getTime(),
+                    token: token.accessToken,
+                };
             }
-            // This is a special case for Docker Desktop which responds with a 403 with a message that contains "A socket operation was attempted to an unreachable network" or "A socket operation was attempted to an unreachable host"
-            // rather than just timing out, as expected.
-            if (err.statusCode === 403 || err.code === 403) {
-                if (err.message.includes("unreachable")) {
-                    const error = new CredentialUnavailableError(`ManagedIdentityCredential: Unavailable. Network unreachable. Message: ${err.message}`);
-                    logger$e.getToken.info(formatError(scopes, error));
-                    throw error;
+            catch (err) {
+                logger$e.getToken.error(formatError(scopes, err));
+                // AuthenticationRequiredError described as Error to enforce authentication after trying to retrieve a token silently.
+                // TODO: why would this _ever_ happen considering we're not trying the silent request in this flow?
+                if (err.name === "AuthenticationRequiredError") {
+                    throw err;
                 }
+                if (isNetworkError(err)) {
+                    throw new CredentialUnavailableError(`ManagedIdentityCredential: Network unreachable. Message: ${err.message}`, { cause: err });
+                }
+                throw new CredentialUnavailableError(`ManagedIdentityCredential: Authentication failed. Message ${err.message}`, { cause: err });
             }
-            // If the error has no status code, we can assume there was no available identity.
-            // This will throw silently during any ChainedTokenCredential.
-            if (err.statusCode === undefined) {
-                throw new CredentialUnavailableError(`ManagedIdentityCredential: Authentication failed. Message ${err.message}`);
-            }
-            // Any other error should break the chain.
-            throw new AuthenticationError(err.statusCode, {
-                error: `ManagedIdentityCredential authentication failed.`,
-                error_description: err.message,
-            });
-        }
-        finally {
-            // Finally is always called, both if we return and if we throw in the above try/catch.
-            span.end();
-        }
-    }
-    /**
-     * Handles the MSAL authentication result.
-     * If the result has an account, we update the local account reference.
-     * If the token received is invalid, an error will be thrown depending on what's missing.
-     */
-    handleResult(scopes, result, getTokenOptions) {
-        this.ensureValidMsalToken(scopes, result, getTokenOptions);
-        logger$e.getToken.info(formatSuccess(scopes));
-        return {
-            token: result.accessToken,
-            expiresOnTimestamp: result.expiresOn.getTime(),
-        };
+        });
     }
     /**
      * Ensures the validity of the MSAL token
      */
     ensureValidMsalToken(scopes, msalToken, getTokenOptions) {
-        const error = (message) => {
+        const createError = (message) => {
             logger$e.getToken.info(message);
             return new AuthenticationRequiredError({
                 scopes: Array.isArray(scopes) ? scopes : [scopes],
@@ -2780,43 +2308,33 @@ class LegacyMsiProvider {
             });
         };
         if (!msalToken) {
-            throw error("No response");
+            throw createError("No response.");
         }
         if (!msalToken.expiresOn) {
-            throw error(`Response had no "expiresOn" property.`);
+            throw createError(`Response had no "expiresOn" property.`);
         }
         if (!msalToken.accessToken) {
-            throw error(`Response had no "accessToken" property.`);
-        }
-    }
-    initializeSetAppTokenProvider() {
-        if (!this.isAppTokenProviderInitialized) {
-            this.confidentialApp.SetAppTokenProvider(async (appTokenProviderParameters) => {
-                logger$e.info(`SetAppTokenProvider invoked with parameters- ${JSON.stringify(appTokenProviderParameters)}`);
-                const getTokenOptions = Object.assign({}, appTokenProviderParameters);
-                logger$e.info(`authenticateManagedIdentity invoked with scopes- ${JSON.stringify(appTokenProviderParameters.scopes)} and getTokenOptions - ${JSON.stringify(getTokenOptions)}`);
-                const resultToken = await this.authenticateManagedIdentity(appTokenProviderParameters.scopes, getTokenOptions);
-                if (resultToken) {
-                    logger$e.info(`SetAppTokenProvider will save the token in cache`);
-                    const expiresInSeconds = (resultToken === null || resultToken === void 0 ? void 0 : resultToken.expiresOnTimestamp)
-                        ? Math.floor((resultToken.expiresOnTimestamp - Date.now()) / 1000)
-                        : 0;
-                    return {
-                        accessToken: resultToken === null || resultToken === void 0 ? void 0 : resultToken.token,
-                        expiresInSeconds,
-                    };
-                }
-                else {
-                    logger$e.info(`SetAppTokenProvider token has "no_access_token_returned" as the saved token`);
-                    return {
-                        accessToken: "no_access_token_returned",
-                        expiresInSeconds: 0,
-                    };
-                }
-            });
-            this.isAppTokenProviderInitialized = true;
+            throw createError(`Response had no "accessToken" property.`);
+        }
+    }
+}
+function isNetworkError(err) {
+    // MSAL error
+    if (err.errorCode === "network_error") {
+        return true;
+    }
+    // Probe errors
+    if (err.code === "ENETUNREACH" || err.code === "EHOSTUNREACH") {
+        return true;
+    }
+    // This is a special case for Docker Desktop which responds with a 403 with a message that contains "A socket operation was attempted to an unreachable network" or "A socket operation was attempted to an unreachable host"
+    // rather than just timing out, as expected.
+    if (err.statusCode === 403 || err.code === 403) {
+        if (err.message.includes("unreachable")) {
+            return true;
         }
     }
+    return false;
 }
 
 // Copyright (c) Microsoft Corporation.
@@ -2835,7 +2353,11 @@ class ManagedIdentityCredential {
      * @hidden
      */
     constructor(clientIdOrOptions, options) {
-        this.implProvider = new LegacyMsiProvider(clientIdOrOptions, options);
+        // https://github.com/Azure/azure-sdk-for-js/issues/30189
+        // If needed, you may release a hotfix to quickly rollback to the legacy implementation by changing the following line to:
+        // this.implProvider = new LegacyMsiProvider(clientIdOrOptions, options);
+        // Once stabilized, you can remove the legacy implementation and inline the msalMsiProvider code here as a drop-in replacement.
+        this.implProvider = new MsalMsiProvider(clientIdOrOptions, options);
     }
     /**
      * Authenticates with Microsoft Entra ID and returns an access token if successful.
@@ -3345,33 +2867,45 @@ class AzurePowerShellCredential {
                 commandStack.shift();
                 continue;
             }
-            let tenantSection = "";
-            if (tenantId) {
-                tenantSection = `-TenantId "${tenantId}"`;
-            }
             const results = await runCommands([
                 [
                     powerShellCommand,
                     "-NoProfile",
                     "-NonInteractive",
                     "-Command",
-                    "Import-Module Az.Accounts -MinimumVersion 2.2.0 -PassThru",
-                ],
-                [
-                    powerShellCommand,
-                    "-NoProfile",
-                    "-NonInteractive",
-                    "-Command",
-                    `Get-AzAccessToken ${tenantSection} -ResourceUrl "${resource}" | ConvertTo-Json`,
+                    `
+          $tenantId = "${tenantId !== null && tenantId !== void 0 ? tenantId : ""}"
+          $m = Import-Module Az.Accounts -MinimumVersion 2.2.0 -PassThru
+          $useSecureString = $m.Version -ge [version]'2.17.0'
+
+          $params = @{
+            ResourceUrl = "${resource}"
+          }
+
+          if ($tenantId.Length -gt 0) {
+            $params["TenantId"] = $tenantId
+          }
+
+          if ($useSecureString) {
+            $params["AsSecureString"] = $true
+          }
+
+          $token = Get-AzAccessToken @params
+
+          $result = New-Object -TypeName PSObject
+          $result | Add-Member -MemberType NoteProperty -Name ExpiresOn -Value $token.ExpiresOn
+          if ($useSecureString) {
+            $result | Add-Member -MemberType NoteProperty -Name Token -Value (ConvertFrom-SecureString -AsPlainText $token.Token)
+          } else {
+            $result | Add-Member -MemberType NoteProperty -Name Token -Value $token.Token
+          }
+
+          Write-Output (ConvertTo-Json $result)
+          `,
                 ],
             ]);
-            const result = results[1];
-            try {
-                return JSON.parse(result);
-            }
-            catch (e) {
-                throw new Error(`Unable to parse the output of PowerShell. Received output: ${result}`);
-            }
+            const result = results[0];
+            return parseJsonToken(result);
         }
         throw new Error(`Unable to execute PowerShell. Ensure that it is installed in your system`);
     }
@@ -3418,6 +2952,38 @@ class AzurePowerShellCredential {
         });
     }
 }
+/**
+ *
+ * @internal
+ */
+async function parseJsonToken(result) {
+    const jsonRegex = /{[^{}]*}/g;
+    const matches = result.match(jsonRegex);
+    let resultWithoutToken = result;
+    if (matches) {
+        try {
+            for (const item of matches) {
+                try {
+                    const jsonContent = JSON.parse(item);
+                    if (jsonContent === null || jsonContent === void 0 ? void 0 : jsonContent.Token) {
+                        resultWithoutToken = resultWithoutToken.replace(item, "");
+                        if (resultWithoutToken) {
+                            logger$b.getToken.warning(resultWithoutToken);
+                        }
+                        return jsonContent;
+                    }
+                }
+                catch (e) {
+                    continue;
+                }
+            }
+        }
+        catch (e) {
+            throw new Error(`Unable to parse the output of PowerShell. Received output: ${result}`);
+        }
+    }
+    throw new Error(`No access token found in the output. Received output: ${result}`);
+}
 
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
@@ -3550,7 +3116,8 @@ class ClientCertificateCredential {
         });
     }
     async buildClientCertificate() {
-        const parts = await this.parseCertificate();
+        var _a;
+        const parts = await parseCertificate(this.certificateConfiguration, (_a = this.sendCertificateChain) !== null && _a !== void 0 ? _a : false);
         let privateKey;
         if (this.certificateConfiguration.certificatePassword !== undefined) {
             privateKey = crypto.createPrivateKey({
@@ -3573,34 +3140,41 @@ class ClientCertificateCredential {
             x5c: parts.x5c,
         };
     }
-    async parseCertificate() {
-        const certificate = this.certificateConfiguration.certificate;
-        const certificatePath = this.certificateConfiguration.certificatePath;
-        const certificateContents = certificate || (await promises.readFile(certificatePath, "utf8"));
-        const x5c = this.sendCertificateChain ? certificateContents : undefined;
-        const certificatePattern = /(-+BEGIN CERTIFICATE-+)(\n\r?|\r\n?)([A-Za-z0-9+/\n\r]+=*)(\n\r?|\r\n?)(-+END CERTIFICATE-+)/g;
-        const publicKeys = [];
-        // Match all possible certificates, in the order they are in the file. These will form the chain that is used for x5c
-        let match;
-        do {
-            match = certificatePattern.exec(certificateContents);
-            if (match) {
-                publicKeys.push(match[3]);
-            }
-        } while (match);
-        if (publicKeys.length === 0) {
-            throw new Error("The file at the specified path does not contain a PEM-encoded certificate.");
-        }
-        const thumbprint = crypto.createHash("sha1")
-            .update(Buffer.from(publicKeys[0], "base64"))
-            .digest("hex")
-            .toUpperCase();
-        return {
-            certificateContents,
-            thumbprint,
-            x5c,
-        };
-    }
+}
+/**
+ * Parses a certificate into its relevant parts
+ *
+ * @param certificateConfiguration - The certificate contents or path to the certificate
+ * @param sendCertificateChain - true if the entire certificate chain should be sent for SNI, false otherwise
+ * @returns The parsed certificate parts and the certificate contents
+ */
+async function parseCertificate(certificateConfiguration, sendCertificateChain) {
+    const certificate = certificateConfiguration.certificate;
+    const certificatePath = certificateConfiguration.certificatePath;
+    const certificateContents = certificate || (await promises.readFile(certificatePath, "utf8"));
+    const x5c = sendCertificateChain ? certificateContents : undefined;
+    const certificatePattern = /(-+BEGIN CERTIFICATE-+)(\n\r?|\r\n?)([A-Za-z0-9+/\n\r]+=*)(\n\r?|\r\n?)(-+END CERTIFICATE-+)/g;
+    const publicKeys = [];
+    // Match all possible certificates, in the order they are in the file. These will form the chain that is used for x5c
+    let match;
+    do {
+        match = certificatePattern.exec(certificateContents);
+        if (match) {
+            publicKeys.push(match[3]);
+        }
+    } while (match);
+    if (publicKeys.length === 0) {
+        throw new Error("The file at the specified path does not contain a PEM-encoded certificate.");
+    }
+    const thumbprint = crypto.createHash("sha1")
+        .update(Buffer.from(publicKeys[0], "base64"))
+        .digest("hex")
+        .toUpperCase();
+    return {
+        certificateContents,
+        thumbprint,
+        x5c,
+    };
 }
 
 // Copyright (c) Microsoft Corporation.
@@ -3626,8 +3200,14 @@ class ClientSecretCredential {
      * @param options - Options for configuring the client which makes the authentication request.
      */
     constructor(tenantId, clientId, clientSecret, options = {}) {
-        if (!tenantId || !clientId || !clientSecret) {
-            throw new Error("ClientSecretCredential: tenantId, clientId, and clientSecret are required parameters. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.");
+        if (!tenantId) {
+            throw new CredentialUnavailableError("ClientSecretCredential: tenantId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.");
+        }
+        if (!clientId) {
+            throw new CredentialUnavailableError("ClientSecretCredential: clientId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.");
+        }
+        if (!clientSecret) {
+            throw new CredentialUnavailableError("ClientSecretCredential: clientSecret is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.");
         }
         this.clientSecret = clientSecret;
         this.tenantId = tenantId;
@@ -3673,8 +3253,17 @@ class UsernamePasswordCredential {
      * @param options - Options for configuring the client which makes the authentication request.
      */
     constructor(tenantId, clientId, username, password, options = {}) {
-        if (!tenantId || !clientId || !username || !password) {
-            throw new Error("UsernamePasswordCredential: tenantId, clientId, username and password are required parameters. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.");
+        if (!tenantId) {
+            throw new CredentialUnavailableError("UsernamePasswordCredential: tenantId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.");
+        }
+        if (!clientId) {
+            throw new CredentialUnavailableError("UsernamePasswordCredential: clientId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.");
+        }
+        if (!username) {
+            throw new CredentialUnavailableError("UsernamePasswordCredential: username is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.");
+        }
+        if (!password) {
+            throw new CredentialUnavailableError("UsernamePasswordCredential: password is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.");
         }
         this.tenantId = tenantId;
         this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
@@ -3721,6 +3310,7 @@ const AllSupportedEnvironmentVariables = [
     "AZURE_USERNAME",
     "AZURE_PASSWORD",
     "AZURE_ADDITIONALLY_ALLOWED_TENANTS",
+    "AZURE_CLIENT_SEND_CERTIFICATE_CHAIN",
 ];
 function getAdditionallyAllowedTenants() {
     var _a;
@@ -3729,6 +3319,13 @@ function getAdditionallyAllowedTenants() {
 }
 const credentialName$2 = "EnvironmentCredential";
 const logger$6 = credentialLogger(credentialName$2);
+function getSendCertificateChain() {
+    var _a;
+    const sendCertificateChain = ((_a = process.env.AZURE_CLIENT_SEND_CERTIFICATE_CHAIN) !== null && _a !== void 0 ? _a : "").toLowerCase();
+    const result = sendCertificateChain === "true" || sendCertificateChain === "1";
+    logger$6.verbose(`AZURE_CLIENT_SEND_CERTIFICATE_CHAIN: ${process.env.AZURE_CLIENT_SEND_CERTIFICATE_CHAIN}; sendCertificateChain: ${result}`);
+    return result;
+}
 /**
  * Enables authentication to Microsoft Entra ID using a client secret or certificate, or as a user
  * with a username and password.
@@ -3748,6 +3345,7 @@ class EnvironmentCredential {
      * - `AZURE_CLIENT_SECRET`: A client secret that was generated for the App Registration.
      * - `AZURE_CLIENT_CERTIFICATE_PATH`: The path to a PEM certificate to use during the authentication, instead of the client secret.
      * - `AZURE_CLIENT_CERTIFICATE_PASSWORD`: (optional) password for the certificate file.
+     * - `AZURE_CLIENT_SEND_CERTIFICATE_CHAIN`: (optional) indicates that the certificate chain should be set in x5c header to support subject name / issuer based authentication.
      *
      * Alternatively, users can provide environment variables for username and password authentication:
      * - `AZURE_USERNAME`: Username to authenticate with.
@@ -3765,7 +3363,8 @@ class EnvironmentCredential {
         logger$6.info(`Found the following environment variables: ${assigned}`);
         const tenantId = process.env.AZURE_TENANT_ID, clientId = process.env.AZURE_CLIENT_ID, clientSecret = process.env.AZURE_CLIENT_SECRET;
         const additionallyAllowedTenantIds = getAdditionallyAllowedTenants();
-        const newOptions = Object.assign(Object.assign({}, options), { additionallyAllowedTenantIds });
+        const sendCertificateChain = getSendCertificateChain();
+        const newOptions = Object.assign(Object.assign({}, options), { additionallyAllowedTenantIds, sendCertificateChain });
         if (tenantId) {
             checkTenantId(logger$6, tenantId);
         }
@@ -4026,7 +3625,7 @@ class InteractiveBrowserCredential {
      * Authenticates with Microsoft Entra ID and returns an access token if successful.
      * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
-     * If the token can't be retrieved silently, this method will require user interaction to retrieve the token.
+     * If the token can't be retrieved silently, this method will always generate a challenge for the user.
      *
      * On Node.js, this credential has [Proof Key for Code Exchange (PKCE)](https://datatracker.ietf.org/doc/html/rfc7636) enabled by default.
      * PKCE is a security feature that mitigates authentication code interception attacks.
@@ -4112,7 +3711,7 @@ class DeviceCodeCredential {
      * Authenticates with Microsoft Entra ID and returns an access token if successful.
      * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
      *
-     * If the token can't be retrieved silently, this method will require user interaction to retrieve the token.
+     * If the token can't be retrieved silently, this method will always generate a challenge for the user.
      *
      * @param scopes - The list of scopes for which the token will have access.
      * @param options - The options used to configure any requests this
@@ -4146,8 +3745,17 @@ class AzurePipelinesCredential {
      * @param options - The identity client options to use for authentication.
      */
     constructor(tenantId, clientId, serviceConnectionId, systemAccessToken, options) {
-        if (!clientId || !tenantId || !serviceConnectionId || !systemAccessToken) {
-            throw new CredentialUnavailableError(`${credentialName$1}: is unavailable. tenantId, clientId, serviceConnectionId, and systemAccessToken are required parameters.`);
+        if (!clientId) {
+            throw new CredentialUnavailableError(`${credentialName$1}: is unavailable. clientId is a required parameter.`);
+        }
+        if (!tenantId) {
+            throw new CredentialUnavailableError(`${credentialName$1}: is unavailable. tenantId is a required parameter.`);
+        }
+        if (!serviceConnectionId) {
+            throw new CredentialUnavailableError(`${credentialName$1}: is unavailable. serviceConnectionId is a required parameter.`);
+        }
+        if (!systemAccessToken) {
+            throw new CredentialUnavailableError(`${credentialName$1}: is unavailable. systemAccessToken is a required parameter.`);
         }
         this.identityClient = new IdentityClient(options);
         checkTenantId(logger$2, tenantId);
@@ -4200,31 +3808,46 @@ class AzurePipelinesCredential {
             }),
         });
         const response = await this.identityClient.sendRequest(request);
-        const text = response.bodyAsText;
-        if (!text) {
-            logger$2.error(`${credentialName$1}: Authenticated Failed. Received null token from OIDC request. Response status- ${response.status}. Complete response - ${JSON.stringify(response)}`);
-            throw new AuthenticationError(response.status, `${credentialName$1}: Authenticated Failed. Received null token from OIDC request. Response status- ${response.status}. Complete response - ${JSON.stringify(response)}`);
+        return handleOidcResponse(response);
+    }
+}
+function handleOidcResponse(response) {
+    const text = response.bodyAsText;
+    if (!text) {
+        logger$2.error(`${credentialName$1}: Authentication Failed. Received null token from OIDC request. Response status- ${response.status}. Complete response - ${JSON.stringify(response)}`);
+        throw new AuthenticationError(response.status, {
+            error: `${credentialName$1}: Authentication Failed. Received null token from OIDC request.`,
+            error_description: `${JSON.stringify(response)}. See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/azurepipelinescredential/troubleshoot`,
+        });
+    }
+    try {
+        const result = JSON.parse(text);
+        if (result === null || result === void 0 ? void 0 : result.oidcToken) {
+            return result.oidcToken;
         }
-        try {
-            const result = JSON.parse(text);
-            if (result === null || result === void 0 ? void 0 : result.oidcToken) {
-                return result.oidcToken;
-            }
-            else {
-                let errorMessage = `${credentialName$1}: Authentication Failed. oidcToken field not detected in the response.`;
-                if (response.status !== 200) {
-                    errorMessage += `Response = ${JSON.stringify(result)}`;
-                }
-                logger$2.error(errorMessage);
-                throw new AuthenticationError(response.status, errorMessage);
+        else {
+            const errorMessage = `${credentialName$1}: Authentication Failed. oidcToken field not detected in the response.`;
+            let errorDescription = ``;
+            if (response.status !== 200) {
+                errorDescription = `Complete response - ${JSON.stringify(result)}. See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/azurepipelinescredential/troubleshoot`;
             }
-        }
-        catch (e) {
-            logger$2.error(e.message);
-            logger$2.error(`${credentialName$1}: Authentication Failed. oidcToken field not detected in the response. Response = ${text}`);
-            throw new AuthenticationError(response.status, `${credentialName$1}: Authentication Failed. oidcToken field not detected in the response. Response = ${text}`);
+            logger$2.error(errorMessage);
+            logger$2.error(errorDescription);
+            throw new AuthenticationError(response.status, {
+                error: errorMessage,
+                error_description: errorDescription,
+            });
         }
     }
+    catch (e) {
+        const errorDetails = `${credentialName$1}: Authentication Failed. oidcToken field not detected in the response.`;
+        logger$2.error(`Response from service = ${text} and error message = ${e.message}`);
+        logger$2.error(errorDetails);
+        throw new AuthenticationError(response.status, {
+            error: errorDetails,
+            error_description: `Response = ${text}. See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/azurepipelinescredential/troubleshoot`,
+        });
+    }
 }
 
 // Copyright (c) Microsoft Corporation.
@@ -4294,11 +3917,17 @@ class OnBehalfOfCredential {
         const { certificatePath, sendCertificateChain } = options;
         const { getAssertion } = options;
         const { tenantId, clientId, userAssertionToken, additionallyAllowedTenants: additionallyAllowedTenantIds, } = options;
-        if (!tenantId ||
-            !clientId ||
-            !(clientSecret || certificatePath || getAssertion) ||
-            !userAssertionToken) {
-            throw new Error(`${credentialName}: tenantId, clientId, clientSecret (or certificatePath or getAssertion) and userAssertionToken are required parameters.`);
+        if (!tenantId) {
+            throw new CredentialUnavailableError(`${credentialName}: tenantId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
+        }
+        if (!clientId) {
+            throw new CredentialUnavailableError(`${credentialName}: clientId is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
+        }
+        if (!clientSecret && !certificatePath && !getAssertion) {
+            throw new CredentialUnavailableError(`${credentialName}: You must provide one of clientSecret, certificatePath, or a getAssertion callback but none were provided. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
+        }
+        if (!userAssertionToken) {
+            throw new CredentialUnavailableError(`${credentialName}: userAssertionToken is a required parameter. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
         }
         this.certificatePath = certificatePath;
         this.clientSecret = clientSecret;
@@ -4467,7 +4096,7 @@ exports.WorkloadIdentityCredential = WorkloadIdentityCredential;
 exports.deserializeAuthenticationRecord = deserializeAuthenticationRecord;
 exports.getBearerTokenProvider = getBearerTokenProvider;
 exports.getDefaultAzureCredential = getDefaultAzureCredential;
-exports.logger = logger$q;
+exports.logger = logger$l;
 exports.serializeAuthenticationRecord = serializeAuthenticationRecord;
 exports.useIdentityPlugin = useIdentityPlugin;
 //# sourceMappingURL=index.js.map