AzureAD · bgavrilMS · Feb 5, 2026 · Feb 3, 2026 · Feb 3, 2026 · Feb 4, 2026
@@ -37,7 +37,7 @@
     <Nullable>enable</Nullable>
     <EnableNETAnalyzers>true</EnableNETAnalyzers>
     <EnforceCodeStyleInBuild>true</EnforceCodeStyleInBuild>
-    <LangVersion>13</LangVersion>
+    <LangVersion>14</LangVersion>
     <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
   </PropertyGroup>
 
@@ -77,13 +77,13 @@
   </ItemGroup>
 
   <PropertyGroup Condition="'$(TargetFramework)' == 'net472' Or '$(TargetFramework)' == 'net462' Or '$(TargetFramework)' == 'netstandard2.0'">
-    <LangVersion>13</LangVersion>
+    <LangVersion>14</LangVersion>
   </PropertyGroup>
 
   <PropertyGroup Label="Common dependency versions">
     <MicrosoftIdentityModelVersion Condition="'$(MicrosoftIdentityModelVersion)' == ''">8.15.0</MicrosoftIdentityModelVersion>
     <MicrosoftIdentityClientVersion Condition="'$(MicrosoftIdentityClientVersion)' == ''">4.81.0</MicrosoftIdentityClientVersion>
-    <MicrosoftIdentityAbstractionsVersion Condition="'$(MicrosoftIdentityAbstractionsVersion)' == ''">10.0.0</MicrosoftIdentityAbstractionsVersion>
+    <MicrosoftIdentityAbstractionsVersion Condition="'$(MicrosoftIdentityAbstractionsVersion)' == ''">11.0.0</MicrosoftIdentityAbstractionsVersion>
     <FxCopAnalyzersVersion>3.3.0</FxCopAnalyzersVersion>
     <SystemTextEncodingsWebVersion>4.7.2</SystemTextEncodingsWebVersion>
     <AzureSecurityKeyVaultSecretsVersion>4.6.0</AzureSecurityKeyVaultSecretsVersion>

@@ -161,12 +161,19 @@ public static CertificateDescription FromStoreWithDistinguishedName(
         /// <summary>
         /// <inheritdoc/>.
         /// </summary>
+#if NET10_0_OR_GREATER
+        public X509Certificate2? Certificate
+        {
+            get { return base.GetCertificateInternal(); }
+            protected internal set { base.SetCertificateInternal(value); }
+        }
+#else
         public new X509Certificate2? Certificate
         {
             get { return base.Certificate; }
             protected internal set { base.Certificate = value; }
         }
-
+#endif        
         /// <summary>
         /// <inheritdoc/>.
         /// </summary>

@@ -67,13 +67,15 @@ internal static class Logger
             /// <param name="ex"></param>
             public static void AttemptToLoadCredentialsFailed(
                 ILogger logger,
-                CredentialDescription certificateDescription, 
-                Exception ex) =>
-                    s_credentialAttemptFailed(
+                CredentialDescription certificateDescription,
+                Exception ex)
+            {
+                s_credentialAttemptFailed(
                         logger,
                         certificateDescription.Id,
                         certificateDescription.Skip.ToString(),
                         ex);
+            }
 
             /// <summary>
             /// Logger for attempting to use a CredentialDescription with MSAL
@@ -82,12 +84,14 @@ public static void AttemptToLoadCredentialsFailed(
             /// <param name="certificateDescription"></param>
             public static void AttemptToLoadCredentials(
                 ILogger logger,
-                CredentialDescription certificateDescription) => 
-                    s_credentialAttempt(
-                        logger, 
-                        certificateDescription.Id, 
-                        certificateDescription.Skip.ToString(), 
+                CredentialDescription certificateDescription)
+            {
+                s_credentialAttempt(
+                        logger,
+                        certificateDescription.Id,
+                        certificateDescription.Skip.ToString(),
                         default!);
+            }
 
             /// <summary>
             /// Logger for attempting to use a CredentialDescription with MSAL
@@ -96,12 +100,14 @@ public static void AttemptToLoadCredentials(
             /// <param name="certificateDescription"></param>
             public static void FailedToLoadCredentials(
                 ILogger logger,
-                CredentialDescription certificateDescription) =>
-                    s_credentialAttemptFailed(
+                CredentialDescription certificateDescription)
+            {
+                s_credentialAttemptFailed(
                         logger,
                         certificateDescription.Id,
                         certificateDescription.Skip.ToString(),
                         default!);
+            }
 
             /// <summary>
             /// Logger for handling information specific to ConfidentialClientApplicationBuilderExtension.
@@ -110,14 +116,20 @@ public static void FailedToLoadCredentials(
             /// <param name="message">Exception message.</param>
             public static void NotUsingManagedIdentity(
                 ILogger logger,
-                string message) => s_notManagedIdentity(logger, message, default!);
+                string message)
+            {
+                s_notManagedIdentity(logger, message, default!);
+            }
 
             /// <summary>
             /// Logger for handling information specific to ConfidentialClientApplicationBuilderExtension.
             /// </summary>
             /// <param name="logger">ILogger.</param>
             public static void UsingManagedIdentity(
-                ILogger logger) => s_usingManagedIdentity(logger, default!);
+                ILogger logger)
+            {
+                s_usingManagedIdentity(logger, default!);
+            }
 
             /// <summary>
             /// Logger for handling information specific to ConfidentialClientApplicationBuilderExtension.
@@ -126,7 +138,10 @@ public static void UsingManagedIdentity(
             /// <param name="signedAssertionFileDiskPath"></param>
             public static void UsingPodIdentityFile(
                 ILogger logger,
-                string signedAssertionFileDiskPath) => s_usingPodIdentityFile(logger, signedAssertionFileDiskPath, default!);
+                string signedAssertionFileDiskPath)
+            {
+                s_usingPodIdentityFile(logger, signedAssertionFileDiskPath, default!);
+            }
 
             /// <summary>
             /// Logger for handling information specific to ConfidentialClientApplicationBuilderExtension.
@@ -135,7 +150,10 @@ public static void UsingPodIdentityFile(
             /// <param name="signedAssertionUri"></param>
             public static void UsingSignedAssertionFromVault(
                 ILogger logger,
-                string signedAssertionUri) => s_usingSignedAssertionFromVault(logger, signedAssertionUri, default!);
+                string signedAssertionUri)
+            {
+                s_usingSignedAssertionFromVault(logger, signedAssertionUri, default!);
+            }
 
             /// <summary>
             /// Logger for handling information specific to ConfidentialClientApplicationBuilderExtension.
@@ -144,7 +162,10 @@ public static void UsingSignedAssertionFromVault(
             /// <param name="signedAssertionUri"></param>
             public static void UsingSignedAssertionFromCustomProvider(
                 ILogger logger,
-                string signedAssertionUri) => s_usingSignedAssertionFromCustomProvider(logger, signedAssertionUri, default!);
+                string signedAssertionUri)
+            {
+                s_usingSignedAssertionFromCustomProvider(logger, signedAssertionUri, default!);
+            }
 
             /// <summary>
             /// Logger for handling information specific to ConfidentialClientApplicationBuilderExtension.
@@ -153,7 +174,10 @@ public static void UsingSignedAssertionFromCustomProvider(
             /// <param name="certThumbprint"></param>
             public static void UsingCertThumbprint(
                 ILogger logger,
-                string certThumbprint) => s_usingCertThumbprint(logger, certThumbprint, default!);
+                string? certThumbprint)
+            {
+                s_usingCertThumbprint(logger, certThumbprint ?? "null", default!);
+            }
         }
     }
 }
@@ -146,7 +146,7 @@ public static async Task<ConfidentialClientApplicationBuilder> WithClientCredent
                     {
                         if (credential.Certificate != null)
                         {
-                            Logger.UsingCertThumbprint(logger, credential.Certificate.Thumbprint);
+                            Logger.UsingCertThumbprint(logger, credential.Certificate?.Thumbprint);
                             return credential;
                         }
                     }

@@ -3,4 +3,5 @@ const Microsoft.Identity.Web.Constants.ClientAssertionContainsInvalidSignature =
 const Microsoft.Identity.Web.Constants.CertificateWasRevoked = "AADSTS7000277" -> string!
 Microsoft.Identity.Web.TokenAcquisitionExtensionOptions.InvokeOnBeforeTokenAcquisitionForOnBehalfOf(Microsoft.Identity.Client.AcquireTokenOnBehalfOfParameterBuilder! builder, Microsoft.Identity.Abstractions.AcquireTokenOptions? acquireTokenOptions, System.Security.Claims.ClaimsPrincipal! user) -> void
 Microsoft.Identity.Web.TokenAcquisitionExtensionOptions.InvokeOnBeforeTokenAcquisitionForOnBehalfOfAsync(Microsoft.Identity.Client.AcquireTokenOnBehalfOfParameterBuilder! builder, Microsoft.Identity.Abstractions.AcquireTokenOptions? acquireTokenOptions, System.Security.Claims.ClaimsPrincipal! user) -> System.Threading.Tasks.Task!
+static Microsoft.Identity.Web.ConfidentialClientApplicationBuilderExtension.Logger.UsingCertThumbprint(Microsoft.Extensions.Logging.ILogger! logger, string? certThumbprint) -> void
 static readonly Microsoft.Identity.Web.Constants.s_certificateRelatedErrorCodes -> System.Collections.Generic.HashSet<string!>!
@@ -3,4 +3,5 @@ const Microsoft.Identity.Web.Constants.ClientAssertionContainsInvalidSignature =
 const Microsoft.Identity.Web.Constants.CertificateWasRevoked = "AADSTS7000277" -> string!
 Microsoft.Identity.Web.TokenAcquisitionExtensionOptions.InvokeOnBeforeTokenAcquisitionForOnBehalfOf(Microsoft.Identity.Client.AcquireTokenOnBehalfOfParameterBuilder! builder, Microsoft.Identity.Abstractions.AcquireTokenOptions? acquireTokenOptions, System.Security.Claims.ClaimsPrincipal! user) -> void
 Microsoft.Identity.Web.TokenAcquisitionExtensionOptions.InvokeOnBeforeTokenAcquisitionForOnBehalfOfAsync(Microsoft.Identity.Client.AcquireTokenOnBehalfOfParameterBuilder! builder, Microsoft.Identity.Abstractions.AcquireTokenOptions? acquireTokenOptions, System.Security.Claims.ClaimsPrincipal! user) -> System.Threading.Tasks.Task!
+static Microsoft.Identity.Web.ConfidentialClientApplicationBuilderExtension.Logger.UsingCertThumbprint(Microsoft.Extensions.Logging.ILogger! logger, string? certThumbprint) -> void
 static readonly Microsoft.Identity.Web.Constants.s_certificateRelatedErrorCodes -> System.Collections.Generic.HashSet<string!>!
@@ -3,4 +3,5 @@ const Microsoft.Identity.Web.Constants.ClientAssertionContainsInvalidSignature =
 const Microsoft.Identity.Web.Constants.CertificateWasRevoked = "AADSTS7000277" -> string!
 Microsoft.Identity.Web.TokenAcquisitionExtensionOptions.InvokeOnBeforeTokenAcquisitionForOnBehalfOf(Microsoft.Identity.Client.AcquireTokenOnBehalfOfParameterBuilder! builder, Microsoft.Identity.Abstractions.AcquireTokenOptions? acquireTokenOptions, System.Security.Claims.ClaimsPrincipal! user) -> void
 Microsoft.Identity.Web.TokenAcquisitionExtensionOptions.InvokeOnBeforeTokenAcquisitionForOnBehalfOfAsync(Microsoft.Identity.Client.AcquireTokenOnBehalfOfParameterBuilder! builder, Microsoft.Identity.Abstractions.AcquireTokenOptions? acquireTokenOptions, System.Security.Claims.ClaimsPrincipal! user) -> System.Threading.Tasks.Task!
+static Microsoft.Identity.Web.ConfidentialClientApplicationBuilderExtension.Logger.UsingCertThumbprint(Microsoft.Extensions.Logging.ILogger! logger, string? certThumbprint) -> void
 static readonly Microsoft.Identity.Web.Constants.s_certificateRelatedErrorCodes -> System.Collections.Generic.HashSet<string!>!
@@ -3,4 +3,5 @@ const Microsoft.Identity.Web.Constants.ClientAssertionContainsInvalidSignature =
 const Microsoft.Identity.Web.Constants.CertificateWasRevoked = "AADSTS7000277" -> string!
 Microsoft.Identity.Web.TokenAcquisitionExtensionOptions.InvokeOnBeforeTokenAcquisitionForOnBehalfOf(Microsoft.Identity.Client.AcquireTokenOnBehalfOfParameterBuilder! builder, Microsoft.Identity.Abstractions.AcquireTokenOptions? acquireTokenOptions, System.Security.Claims.ClaimsPrincipal! user) -> void
 Microsoft.Identity.Web.TokenAcquisitionExtensionOptions.InvokeOnBeforeTokenAcquisitionForOnBehalfOfAsync(Microsoft.Identity.Client.AcquireTokenOnBehalfOfParameterBuilder! builder, Microsoft.Identity.Abstractions.AcquireTokenOptions? acquireTokenOptions, System.Security.Claims.ClaimsPrincipal! user) -> System.Threading.Tasks.Task!
+static Microsoft.Identity.Web.ConfidentialClientApplicationBuilderExtension.Logger.UsingCertThumbprint(Microsoft.Extensions.Logging.ILogger! logger, string? certThumbprint) -> void
 static readonly Microsoft.Identity.Web.Constants.s_certificateRelatedErrorCodes -> System.Collections.Generic.HashSet<string!>!
@@ -3,4 +3,5 @@ const Microsoft.Identity.Web.Constants.ClientAssertionContainsInvalidSignature =
 const Microsoft.Identity.Web.Constants.CertificateWasRevoked = "AADSTS7000277" -> string!
 Microsoft.Identity.Web.TokenAcquisitionExtensionOptions.InvokeOnBeforeTokenAcquisitionForOnBehalfOf(Microsoft.Identity.Client.AcquireTokenOnBehalfOfParameterBuilder! builder, Microsoft.Identity.Abstractions.AcquireTokenOptions? acquireTokenOptions, System.Security.Claims.ClaimsPrincipal! user) -> void
 Microsoft.Identity.Web.TokenAcquisitionExtensionOptions.InvokeOnBeforeTokenAcquisitionForOnBehalfOfAsync(Microsoft.Identity.Client.AcquireTokenOnBehalfOfParameterBuilder! builder, Microsoft.Identity.Abstractions.AcquireTokenOptions? acquireTokenOptions, System.Security.Claims.ClaimsPrincipal! user) -> System.Threading.Tasks.Task!
+static Microsoft.Identity.Web.ConfidentialClientApplicationBuilderExtension.Logger.UsingCertThumbprint(Microsoft.Extensions.Logging.ILogger! logger, string? certThumbprint) -> void
 static readonly Microsoft.Identity.Web.Constants.s_certificateRelatedErrorCodes -> System.Collections.Generic.HashSet<string!>!
@@ -3,4 +3,5 @@ const Microsoft.Identity.Web.Constants.ClientAssertionContainsInvalidSignature =
 const Microsoft.Identity.Web.Constants.CertificateWasRevoked = "AADSTS7000277" -> string!
 Microsoft.Identity.Web.TokenAcquisitionExtensionOptions.InvokeOnBeforeTokenAcquisitionForOnBehalfOf(Microsoft.Identity.Client.AcquireTokenOnBehalfOfParameterBuilder! builder, Microsoft.Identity.Abstractions.AcquireTokenOptions? acquireTokenOptions, System.Security.Claims.ClaimsPrincipal! user) -> void
 Microsoft.Identity.Web.TokenAcquisitionExtensionOptions.InvokeOnBeforeTokenAcquisitionForOnBehalfOfAsync(Microsoft.Identity.Client.AcquireTokenOnBehalfOfParameterBuilder! builder, Microsoft.Identity.Abstractions.AcquireTokenOptions? acquireTokenOptions, System.Security.Claims.ClaimsPrincipal! user) -> System.Threading.Tasks.Task!
+static Microsoft.Identity.Web.ConfidentialClientApplicationBuilderExtension.Logger.UsingCertThumbprint(Microsoft.Extensions.Logging.ILogger! logger, string? certThumbprint) -> void
 static readonly Microsoft.Identity.Web.Constants.s_certificateRelatedErrorCodes -> System.Collections.Generic.HashSet<string!>!
@@ -40,7 +40,10 @@ internal static class Logger
             public static void TokenAcquisitionError(
                 ILogger logger,
                 string msalErrorMessage,
-                Exception? ex) => s_tokenAcquisitionError(logger, msalErrorMessage, ex);
+                Exception? ex)
+            {
+                s_tokenAcquisitionError(logger, msalErrorMessage, ex);
+            }
 
             /// <summary>
             /// Logger for handling information specific to MSAL in token acquisition.
@@ -61,7 +64,9 @@ public static void TokenAcquisitionMsalAuthenticationResultTime(
                 string tokenSource,
                 string correlationId,
                 string cacheRefreshReason,
-                Exception? ex) => s_tokenAcquisitionMsalAuthenticationResultTime(
+                Exception? ex)
+            {
+                s_tokenAcquisitionMsalAuthenticationResultTime(
                     logger,
                     durationTotalInMs,
                     durationInHttpInMs,
@@ -70,6 +75,7 @@ public static void TokenAcquisitionMsalAuthenticationResultTime(
                     correlationId,
                     cacheRefreshReason,
                     ex);
+            }
         }
     }
 }
@@ -364,7 +364,7 @@ protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage reques
                     if (uri.StartsWith(kvp.Key, StringComparison.OrdinalIgnoreCase))
                     {
                         if (this.description.Certificate == null ||
-                            !this.ValidCertificates.Any(cert => cert.Thumbprint.Equals(this.description.Certificate.Thumbprint, StringComparison.OrdinalIgnoreCase)))
+                            !this.ValidCertificates.Any(cert => cert.Thumbprint.Equals(this.description.Certificate?.Thumbprint, StringComparison.OrdinalIgnoreCase)))
                         {
                             var errorResponse = new
                             {