Skip to content

[Feature Request] MSI POP attestation #5591

New issue
New issue
Open
Open
[Feature Request] MSI POP attestation#5591
Labels
Feature Request
@bgavrilMS

Description

@bgavrilMS
bgavrilMS
opened on Nov 19, 2025

MSAL client type

Managed identity

Current devex

managedIdentityApp.AcquireToken("kv")
    .WithPOP()                     // this lives in MSAL.MtlsPOP package

Proposed DevEx

managedIdentityApp.AcquireToken("kv")
   .WithPOP()                      // this lives in MSAL main package
   .WithAttestationSupport();      // this lives in MSAL.Attestation package

Business logic:

  • if machine has KeyGuard available, but no attestation package, proceed anyway with ephemeral keys

Thank you for this proposal @christothes

Detailed work items

  • Create a new package Msal.KeyAttestation (name TBD)
  • Change public API
  • Change business logic to allow non-attested flows when key is KeyGuard
  • Change business logic to allow non-attested flows when is not KeyGuard (Windows only, Linux support not needed at this point)

Metadata

Metadata

Assignees

No one assigned

    Labels

    Feature Request

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions