diff --git a/sdk/identity/Azure.Identity.BrokeredAuthentication/src/InteractiveBrowserCredentialBrokerOptions.cs b/sdk/identity/Azure.Identity.BrokeredAuthentication/src/InteractiveBrowserCredentialBrokerOptions.cs
index 33471699ef3d..3c125b7d6ca2 100644
--- a/sdk/identity/Azure.Identity.BrokeredAuthentication/src/InteractiveBrowserCredentialBrokerOptions.cs
+++ b/sdk/identity/Azure.Identity.BrokeredAuthentication/src/InteractiveBrowserCredentialBrokerOptions.cs
@@ -15,7 +15,7 @@ public class InteractiveBrowserCredentialBrokerOptions : InteractiveBrowserCrede
private readonly IntPtr _parentWindowHandle;
///
- /// Gets or sets whether Microsoft Account (MSA) passthough.
+ /// Gets or sets whether Microsoft Account (MSA) passthrough is enabled.
///
///
public bool? IsMsaPassthroughEnabled { get; set; }
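Review bot: The reworded summary on the `+` line still does not say what a null value of this `bool?` property means, nor what happens when the option is left unset; since enabling passthrough changes which accounts the broker offers for sign-in (the TROUBLESHOOTING hunk in this same commit shows personal outlook.com accounts becoming selectable), that distinction matters to anyone reviewing an app's authentication configuration. Suggest extending the summary to something like `/// Gets or sets whether Microsoft Account (MSA) passthrough is enabled. When null, the broker's default behaviour applies.`, after confirming against how the value is forwarded to the MSAL broker that null really does mean "not specified" rather than "disabled". The same doc comment appears in SharedTokenCacheCredentialBrokerOptions.cs later in this diff and should get the same wording. The enclosing class continues outside the hunk.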
diff --git a/sdk/identity/Azure.Identity.BrokeredAuthentication/src/SharedTokenCacheCredentialBrokerOptions.cs b/sdk/identity/Azure.Identity.BrokeredAuthentication/src/SharedTokenCacheCredentialBrokerOptions.cs
index a4134e53f82e..e8daf2a07333 100644
--- a/sdk/identity/Azure.Identity.BrokeredAuthentication/src/SharedTokenCacheCredentialBrokerOptions.cs
+++ b/sdk/identity/Azure.Identity.BrokeredAuthentication/src/SharedTokenCacheCredentialBrokerOptions.cs
@@ -13,7 +13,7 @@ namespace Azure.Identity.BrokeredAuthentication
public class SharedTokenCacheCredentialBrokerOptions : SharedTokenCacheCredentialOptions, IMsalPublicClientInitializerOptions
{
///
- /// Gets or sets whether Microsoft Account (MSA) passthough.
+ /// Gets or sets whether Microsoft Account (MSA) passthrough is enabled.
///
///
public bool? IsMsaPassthroughEnabled { get; set; }
diff --git a/sdk/identity/Azure.Identity/README.md b/sdk/identity/Azure.Identity/README.md
index f6d4887f965f..ea4aa4bdd14d 100644
--- a/sdk/identity/Azure.Identity/README.md
+++ b/sdk/identity/Azure.Identity/README.md
@@ -95,6 +95,12 @@ The `DefaultAzureCredential` attempts to authenticate via the following mechanis
1. **Azure Developer CLI** - If the developer has authenticated via the Azure Developer CLI `azd auth login` command, the `DefaultAzureCredential` will authenticate with that account.
1. **Interactive browser** - If enabled, the `DefaultAzureCredential` will interactively authenticate the developer via the current system's default browser. By default, this credential type is disabled.
+#### Continuation policy
+
+As of version 1.10.1, `DefaultAzureCredential` will attempt to authenticate with all developer credentials until one succeeds, regardless of any errors previous developer credentials experienced. For example, a developer credential may attempt to get a token and fail, so `DefaultAzureCredential` will continue to the next credential in the flow. Deployed service credentials will stop the flow with a thrown exception if they're able to attempt token retrieval, but don't receive one. Prior to version 1.10.1, developer credentials would similarly stop the authentication flow if token retrieval failed.
+
+This behavior allows for trying all of the developer credentials on your machine while having predictable deployed behavior.
+
## Examples
### Authenticate with `DefaultAzureCredential`
@@ -260,6 +266,11 @@ Not all credentials require this configuration. Credentials which authenticate t
Configuration is attempted in the above order. For example, if values for a
client secret and certificate are both present, the client secret will be used.
+## Continuous Access Evaluation
+
+As of version 1.10.0, accessing resources protected by [Continuous Access Evaluation (CAE)][cae] is possible on a per-request basis. This behavior can be enabled by setting the `IsCaeEnabled` property of `TokenRequestContext` via its constructor. CAE isn't supported for developer and managed identity credentials.
+
+
## Token caching
Token caching is a feature provided by the Azure Identity library that allows apps to:
@@ -411,5 +422,6 @@ This project has adopted the [Microsoft Open Source Code of Conduct][code_of_con
[ref_VisualStudioCredential]: https://learn.microsoft.com/dotnet/api/azure.identity.visualstudiocredential?view=azure-dotnet
[ref_VisualStudioCodeCredential]: https://learn.microsoft.com/dotnet/api/azure.identity.visualstudiocodecredential?view=azure-dotnet
[ref_WorkloadIdentityCredential]: https://learn.microsoft.com/dotnet/api/azure.identity.workloadidentitycredential?view=azure-dotnet
+[cae]: https://learn.microsoft.com/azure/active-directory/conditional-access/concept-continuous-access-evaluation

diff --git a/sdk/identity/Azure.Identity/TROUBLESHOOTING.md b/sdk/identity/Azure.Identity/TROUBLESHOOTING.md
index 217da90df4bb..d127b396981c 100644
--- a/sdk/identity/Azure.Identity/TROUBLESHOOTING.md
+++ b/sdk/identity/Azure.Identity/TROUBLESHOOTING.md
@@ -26,6 +26,7 @@ This troubleshooting guide covers failure investigation techniques, common error
- [Troubleshoot AzureCliCredential authentication issues](#troubleshoot-azureclicredential-authentication-issues)
- [Troubleshoot AzurePowerShellCredential authentication issues](#troubleshoot-azurepowershellcredential-authentication-issues)
- [Troubleshoot multi-tenant authentication issues](#troubleshoot-multi-tenant-authentication-issues)
+- [Troubleshoot WAM with MSA login issues](#troubleshoot-wam-with-msa-login-issues)
- [Get additional help](#get-additional-help)
## Handle Azure Identity exceptions
@@ -339,6 +340,24 @@ Get-AzAccessToken -ResourceUrl "https://management.core.windows.net"
|---|---|---|
|The current credential is not configured to acquire tokens for tenant |The application must configure the credential to allow token acquisition from the requested tenant.|Make one of the following changes in your app:
- Add the requested tenant ID to `AdditionallyAllowedTenants` on the credential options.
- Add `*` to `AdditionallyAllowedTenants` to allow token acquisition for any tenant.
This exception was added as part of a breaking change to multi-tenant authentication in version `1.7.0`. Users experiencing this error after upgrading can find details on the change and migration in [BREAKING_CHANGES.md](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/BREAKING_CHANGES.md#170).
|
+## Troubleshoot WAM with MSA login issues
+
+When using `InteractiveBrowserCredential`, by default, only the Azure AD account is listed:
+
+
+
+If you choose "Use another account" and type in an MSA outlook.com account, it fails:
+
+
+
+Since version `1.0.0-beta.4` of [Azure.Identity.BrokeredAuthentication](https://www.nuget.org/packages/Azure.Identity.BrokeredAuthentication), you can set the `IsMsaPassthroughEnabled` property on `InteractiveBrowserCredentialBrokerOptions` or `SharedTokenCacheCredentialBrokerOptions` to `true`. MSA outlook.com accounts that are logged in to Windows are automatically listed:
+
+
+
+You may also log in another MSA account by selecting "Microsoft account":
+
+
+
## Get additional help
Additional information on ways to reach out for support can be found in the [SUPPORT.md](https://github.com/Azure/azure-sdk-for-net/blob/main/SUPPORT.md) at the root of the repo.
diff --git a/sdk/identity/Azure.Identity/images/MSA1.png b/sdk/identity/Azure.Identity/images/MSA1.png
new file mode 100644
index 000000000000..5bd109bb52ab
Binary files /dev/null and b/sdk/identity/Azure.Identity/images/MSA1.png differ
diff --git a/sdk/identity/Azure.Identity/images/MSA2.png b/sdk/identity/Azure.Identity/images/MSA2.png
new file mode 100644
index 000000000000..4ad3fdf043e1
Binary files /dev/null and b/sdk/identity/Azure.Identity/images/MSA2.png differ
diff --git a/sdk/identity/Azure.Identity/images/MSA3.png b/sdk/identity/Azure.Identity/images/MSA3.png
new file mode 100644
index 000000000000..f0641904c8c2
Binary files /dev/null and b/sdk/identity/Azure.Identity/images/MSA3.png differ
diff --git a/sdk/identity/Azure.Identity/images/MSA4.png b/sdk/identity/Azure.Identity/images/MSA4.png
new file mode 100644
index 000000000000..954484cc3def
Binary files /dev/null and b/sdk/identity/Azure.Identity/images/MSA4.png differ