Skip to content

Bump Microsoft.AspNetCore.DataProtection and 10 others#17

Merged
razeone merged 1 commit into
mainfrom
dependabot/nuget/microsoft-0218de224a
Apr 28, 2026
Merged

Bump Microsoft.AspNetCore.DataProtection and 10 others#17
razeone merged 1 commit into
mainfrom
dependabot/nuget/microsoft-0218de224a

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Apr 22, 2026
edited
Loading

Copy link
Copy Markdown

Updated Microsoft.AspNetCore.DataProtection from 10.0.0 to 10.0.7.

Release notes

Sourced from Microsoft.AspNetCore.DataProtection's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated Microsoft.AspNetCore.Mvc.Testing from 10.0.0 to 10.0.7.

Release notes

Sourced from Microsoft.AspNetCore.Mvc.Testing's releases.

No release notes found for this version range.

Commits viewable in compare view.

Pinned Microsoft.Data.SqlClient at 7.0.0.

Release notes

Sourced from Microsoft.Data.SqlClient's releases.

7.0.0

This is the general availability release of Microsoft.Data.SqlClient 7.0, a major milestone for the .NET data provider for SQL Server. This release addresses the most upvoted issue in the repository's history — extracting Azure dependencies from the core package — introduces pluggable SSPI authentication, adds enhanced routing for Azure SQL Hyperscale, and delivers async read performance improvements.

Also released as part of this milestone:

  • Released Microsoft.Data.SqlClient.Extensions.Abstractions 1.0.0. See release notes.
  • Released Microsoft.Data.SqlClient.Extensions.Azure 1.0.0. See release notes.
  • Released Microsoft.Data.SqlClient.Internal.Logging 1.0.0. See release notes.
  • Released Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider 7.0.0. See release notes.

Changes Since 7.0.0-preview4

Added

  • Added actionable error message when Entra ID authentication methods are used without the Microsoft.Data.SqlClient.Extensions.Azure package installed, guiding users to install the correct package. (#​3962, #​4046)
  • Added Azure authentication sample application. (#​3988)

Changed

Other changes

  • Renamed the Microsoft.Data.SqlClient.Extensions.Logging package to Microsoft.Data.SqlClient.Internal.Logging to indicate it is for internal use only and should not be referenced directly by application code. (#​4038)
  • Fixed non-localized exception strings. (#​4022)
  • Codebase merge and cleanup: (#​3997, #​4052)
  • Various test improvements: (#​3891, #​3996, #​4002, #​4034, #​4041, #​4044)
  • Documentation improvements (including Entra ID branding updates): (#​4021, #​4047, #​4049)
  • Updated Dependencies (#​4045):
    • Updated Azure.Core to v1.51.1
    • Updated Azure.Identity to v1.18.0
    • Updated Azure.Security.KeyVault.Keys to v4.9.0
    • Updated Microsoft.Extensions.Caching.Memory to v9.0.13 (.NET 9.0)
    • Updated Microsoft.IdentityModel.JsonWebTokens to v8.16.0
    • Updated Microsoft.IdentityModel.Protocols.OpenIdConnect to v8.16.0
    • Updated Microsoft.Bcl.Cryptography to v9.0.13 (.NET 9.0)
    • Updated System.Configuration.ConfigurationManager to v9.0.13 (.NET 9.0)
    • Updated System.Diagnostics.DiagnosticSource to v10.0.3
    • Updated System.Security.Cryptography.Pkcs to v9.0.13 (.NET 9.0)
    • Updated System.Text.Json to v10.0.3
    • Updated System.Threading.Channels to v10.0.3
    • Updated System.ValueTuple to v4.6.2

Cumulative Changes Since 6.1

This section summarizes all changes across the 7.0 preview cycle for users upgrading from the latest 6.1 stable release.

Changed

Azure Dependencies Removed from Core Package

What Changed:

  • The core Microsoft.Data.SqlClient package no longer depends on Azure.Core, Azure.Identity, or their transitive dependencies (e.g., Microsoft.Identity.Client, Microsoft.Web.WebView2). Azure Active Directory / Entra ID authentication functionality (ActiveDirectoryAuthenticationProvider and related types) has been extracted into a new Microsoft.Data.SqlClient.Extensions.Azure package. (#​1108, #​3680, #​3902, #​3904, #​3908, #​3917, #​3982, #​3978, #​3986)
    ... (truncated)

7.0.0-preview4

Changed

Azure Dependencies Removed from Core Package

What Changed:

  • The core Microsoft.Data.SqlClient package no longer depends on Azure.Core, Azure.Identity, or their transitive dependencies (e.g., Microsoft.Identity.Client, Microsoft.Web.WebView2). Azure Active Directory / Entra authentication functionality (ActiveDirectoryAuthenticationProvider and related types) has been extracted into a new Microsoft.Data.SqlClient.Extensions.Azure package that can be installed separately when needed. (#​1108, #​3680, #​3902, #​3904, #​3908, #​3917, #​3982, #​3978, #​3986)
  • To support this separation, two additional packages were introduced: Microsoft.Data.SqlClient.Extensions.Abstractions (shared types between the core driver and extensions) and Microsoft.Data.SqlClient.Extensions.Logging (shared ETW tracing infrastructure). (#​3626, #​3628, #​3967)

Who Benefits:

  • All users benefit from a significantly lighter core package. Previously, the Azure dependency chain pulled in numerous assemblies (including Azure.Core, Azure.Identity, Microsoft.Identity.Client, and Microsoft.Web.WebView2) even for applications that only needed basic SQL Server connectivity. This was the most upvoted open issue in the repository (#​1108).
  • Users who do not use Azure AD authentication no longer carry Azure-related assemblies in their build output, reducing deployment size and eliminating confusion about unexpected dependencies.
  • Users who do use Azure AD authentication can now manage Azure dependency versions independently from the core driver.

Impact:

  • Applications using Azure AD authentication (e.g., ActiveDirectoryPassword, ActiveDirectoryInteractive, ActiveDirectoryDefault, etc.) must now install the Microsoft.Data.SqlClient.Extensions.Azure NuGet package separately. No code changes are required beyond adding the package reference.

Added

Expose SSPI Context Provider as Public API

What Changed:

  • Added the SspiContextProvider abstract class and a public SspiContextProvider property on SqlConnection, allowing applications to supply a custom SSPI context provider for integrated authentication. This enables custom Kerberos ticket negotiation and NTLM username/password authentication scenarios that the driver does not natively support. (#​2253, #​2494)

Who Benefits:

  • Users authenticating across untrusted domains, non-domain-joined machines, or cross-platform environments where configuring integrated authentication on the client is difficult or impossible.
  • Users running in containers who need manual Kerberos negotiation without deploying sidecars or external ticket-refresh mechanisms.
  • Users who need NTLM username/password authentication to SQL Server, which the driver does not provide natively.

Impact:

  • Applications can set a custom SspiContextProvider on SqlConnection before opening the connection. The provider handles the authentication token exchange during integrated authentication. This is an additive API — existing authentication behavior is unchanged when no custom provider is set. See SspiContextProvider_CustomProvider.cs for a sample implementation.
  • Note: The SspiContextProvider is a part of the connection pool key. Care should be taken when using this property to ensure the implementation returns a stable identity per resource.

Expose Default Transient Error List

What Changed:

  • Exposed the default transient error codes list via the new SqlConfigurableRetryFactory.BaselineTransientErrors static property (returns a ReadOnlyCollection<int>), making it easier to extend the set of transient errors without copy-pasting from the repository source. (#​3903)

Who Benefits:

  • Developers implementing custom retry logic who want to extend the built-in transient error list rather than replacing it.

Impact:

... (truncated)

7.0.0-preview3

Preview Release 7.0.0-preview3.25342.7 - December 8, 2025

Added

Support for .NET 10

What Changed:

  • Updated pipelines and test suites to compile the driver using the .NET 10 SDK. Cleaned up unnecessary dependency references.
    (#​3686)

Who Benefits:

  • Developers targeting .NET 10.

Impact:

  • Addressed .NET 10 warnings regarding unused/unnecessary dependencies.

Enable SqlClientDiagnosticListener in SqlCommand on .NET Framework

What Changed:

  • Enabled SqlClientDiagnosticListener functionality on SqlCommand for .NET Framework.
    (#​3658)

Who Benefits:

  • Developers requiring diagnostic information on .NET Framework.

Impact:

  • Improved observability and diagnostics for SqlCommand on .NET Framework.

Enable User Agent Extension

What Changed:

  • Enabled User Agent Feature Extension.
    (#​3606)

Who Benefits:

  • Telemetry and diagnostics consumers.

Impact:

  • When the Switch.Microsoft.Data.SqlClient.EnableUserAgent app context switch is enabled, the driver sends more detailed user agent strings. This switch is disabled by default. This change will assist with troubleshooting and quantifying driver usage by version and operating system.

Fixed

... (truncated)

7.0.0-preview2

This update brings the following changes since the 7.0.0-preview1 release:

Bug Fixes

  • Fixed a debug assertion in connection pool (no impact to production code) (#​3587)
  • Prevent uninitialized performance counters escaping CreatePerformanceCounters (#​3623)
  • Fix SetProvider to return immediately if user-defined authentication provider found (#​3620)
  • Allow SqlBulkCopy to operate on hidden columns (#​3590)
  • Fix connection pool concurrency issue (#​3632)

Added

App Context Switch for Ignoring Server-Provided Failover Partner

What Changed:

  • A new app context switch Switch.Microsoft.Data.SqlClient.IgnoreServerProvidedFailoverPartner was introduced to let the client ignore server-provided failover partner info in Basic Availability Groups (BAGs). When the switch is enabled, only the failover partner specified in the connection string is used; server-supplied partner values are skipped. This context switch was introduced in PR #​3625.

Who Benefits:

  • Applications connecting to SQL Server BAGs using TCP and custom ports, especially where the server's provided partner name lacks the protocol, host, or port. This avoids connection failures when the server-provided partner is incompatible or incomplete.
  • Teams who manage availability groups and rely on client-side control of failover behavior in heterogeneous networking environments.

Impact:

  • If your environment might be affected (i.e., you operate a BAG with custom ports, or have experienced failures after failover), you can enable the new switch in your application:
AppContext.SetSwitch("Switch.Microsoft.Data.SqlClient.IgnoreServerProvidedFailoverPartner", true);
  • Then, ensure your connection string includes your preferred failover partner (with correct tcp:host,port) so that the client uses that instead of the server's suggestion.
  • Without enabling this, by default, the client continues to prefer the server-provided partner, maintaining backwards compatibility.

Other Additions

  • Add app context switch for enabling asynchronous multi-packet improvements (#​3605)

Changed

Deprecation of SqlAuthenticationMethod.ActiveDirectoryPassword

What Changed:

  • Username/Password authentication for Microsoft Entra (formerly Active Directory) has been deprecated. SqlAuthenticationMethod.ActiveDirectoryPassword is now marked as [Obsolete]. This change occurred in PR #​3671

Who benefits:

... (truncated)

7.0.0-preview1

Changes Since 6.1.0

This update brings the following changes since the 6.1.0 release:

Breaking Changes

  • Removed Constrained Execution Region error handling blocks and associated SqlConnection cleanup which may affect how potentially-broken connections are expunged from the pool. (#​3535)

Bug Fixes

  • Packet multiplexing disabled by default, and several bug fixes. (#​3534, #​3537)

Added

  • SqlColumnEncryptionCertificateStoreProvider now works on Windows, Linux, and macOS. (#​3014)

Changed

Changes Since 6.0.2

This update brings the following changes since the 6.0.2 release. Changes already noted above are omitted:

Additions

Added dedicated SQL Server vector datatype support

What Changed:

  • Optimized vector communications between MDS and SQL Server 2025, employing a custom binary format over the TDS protocol. (#​3433, #​3443)
  • Reduced processing load compared to existing JSON-based vector support.
  • Initial support for 32-bit single-precision floating point vectors.

Who Benefits:

  • Applications moving large vector data sets will see beneficial improvements to processing times and memory requirements.
  • Vector-specific APIs are ready to support future numeric representations with a consistent look-and-feel.

Impact:
... (truncated)

6.1.4

This update brings the following changes since the 6.1.3 release:

Fixed

  • Fixed NullReferenceException issue with SqlDataAdapter when processing batch scenarios where certain SQL RPC calls may not include system parameters.
    (#​3877)
  • Fixed connection pooling issue where extra connection deactivation was causing active connection counts to go negative.
    (#​3776)

Added

AppContext Switch for enabling MultiSubnetFailover

What Changed:

  • Added new AppContext switch Switch.Microsoft.Data.SqlClient.EnableMultiSubnetFailoverByDefault to set MultiSubnetFailover=true by default in connection string.
    (#​3851)

Who Benefits:

  • Applications that need MultiSubnetFailover enabled globally without modifying connection strings.

Impact:

  • Applications can now enable MultiSubnetFailover globally using one of the following methods:
// In application code
AppContext.SetSwitch("Switch.Microsoft.Data.SqlClient.EnableMultiSubnetFailoverByDefault", true);
// In runtimeconfig.json
{
  "configProperties": {
    "Switch.Microsoft.Data.SqlClient.EnableMultiSubnetFailoverByDefault": true
  }
}
<!-- In App.Config -->
<runtime>
  <AppContextSwitchOverrides value="Switch.Microsoft.Data.SqlClient.EnableMultiSubnetFailoverByDefault=true" />
</runtime>

Changed

  • Optimized SqlStatistics execution timing by using Environment.TickCount instead of more expensive timing mechanisms.
    ... (truncated)

6.1.3

This update includes the following changes since the 6.1.2 release:

Added

App Context Switch for Ignoring Server-Provided Failover Partner

What Changed:

  • A new app context switch Switch.Microsoft.Data.SqlClient.IgnoreServerProvidedFailoverPartner was introduced to let the client ignore server-provided failover partner info in Basic Availability Groups (BAGs). When the switch is enabled, only the failover partner specified in the connection string is used; server-supplied partner values are skipped. This context switch was introduced in PR #​3702.

Who Benefits:

  • Applications connecting to SQL Server BAGs using TCP and custom ports, especially where the server's provided partner name lacks the protocol, host, or port. This avoids connection failures when the server-provided partner is incompatible or incomplete.
  • Teams who manage availability groups and rely on client-side control of failover behavior in heterogeneous networking environments.

Impact:

  • If your environment might be affected (i.e., you operate a BAG with custom ports, or have experienced failures after failover), you can enable the new switch in your application:
AppContext.SetSwitch("Switch.Microsoft.Data.SqlClient.IgnoreServerProvidedFailoverPartner", true);
  • Then, ensure your connection string includes your preferred failover partner (with correct tcp:host,port) so that the client uses that instead of the server's suggestion.
  • Without enabling this, by default, the client continues to prefer the server-provided partner, maintaining backwards compatibility.

Fixed

  • Fixed an issue to ensure reliable metrics initialization during startup, preventing missed telemetry when EventSource is enabled early. (#​3718)

Target Platform Support

  • .NET Framework 4.6.2+ (Windows ARM64, Windows x86, Windows x64)
  • .NET 8.0+ (Windows x86, Windows x64, Windows ARM64, Windows ARM, Linux, macOS)

Dependencies

.NET Framework 4.6.2+

  • Azure.Core 1.47.1
  • Azure.Identity 1.14.2
  • Microsoft.Bcl.Cryptography 8.0.0
  • Microsoft.Data.SqlClient.SNI 6.0.2
  • Microsoft.Extensions.Caching.Memory 8.0.1
  • Microsoft.IdentityModel.JsonWebTokens 7.7.1
  • Microsoft.IdentityModel.Protocols.OpenIdConnect 7.7.1
  • System.Buffers 4.5.1
  • System.Data.Common 4.3.0
  • System.Security.Cryptography.Pkcs 8.0.1
  • System.Text.Encodings.Web 8.0.0
    ... (truncated)

6.1.2

This update brings the below changes over the previous stable release:

Fixed

  • Fixed an issue where initializing PerformanceCounters would throw System.InvalidOperationException #​3629
  • Fixed an issue where a Custom SqlClientAuthenticationProvider was being overwritten by default implementation. #​3651
  • Fixed a concurrency issue in connection pooling where the number of active connections could be lower than the configured maximum pool size. #​3653

Commits viewable in compare view.

Pinned Microsoft.EntityFrameworkCore at 10.0.7.

Release notes

Sourced from Microsoft.EntityFrameworkCore's releases.

No release notes found for this version range.

Commits viewable in compare view.

Pinned Microsoft.EntityFrameworkCore.Design at 10.0.7.

Release notes

Sourced from Microsoft.EntityFrameworkCore.Design's releases.

No release notes found for this version range.

Commits viewable in compare view.

Pinned Microsoft.EntityFrameworkCore.SqlServer at 10.0.7.

Release notes

Sourced from Microsoft.EntityFrameworkCore.SqlServer's releases.

No release notes found for this version range.

Commits viewable in compare view.

Pinned Microsoft.Extensions.Configuration.Abstractions at 10.0.7.

Release notes

Sourced from Microsoft.Extensions.Configuration.Abstractions's releases.

No release notes found for this version range.

Commits viewable in compare view.

Pinned Microsoft.Extensions.DependencyInjection.Abstractions at 10.0.7.

Release notes

Sourced from Microsoft.Extensions.DependencyInjection.Abstractions's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated Microsoft.Extensions.DependencyInjection.Abstractions from 10.0.6 to 10.0.7.

Release notes

Sourced from Microsoft.Extensions.DependencyInjection.Abstractions's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated Microsoft.Extensions.Options.ConfigurationExtensions from 10.0.0 to 10.0.7.

Release notes

Sourced from Microsoft.Extensions.Options.ConfigurationExtensions's releases.

No release notes found for this version range.

Commits viewable in compare view.

Updated Microsoft.Identity.Web from 3.10.0 to 4.8.0.

Release notes

Sourced from Microsoft.Identity.Web's releases.

4.8.0

What's Changed

New Contributors

Full Changelog: AzureAD/microsoft-identity-web@4.6.0...4.8.0

4.7.0

4.7.0

Bug fixes

  • Updates to Microsoft.Identity.Abstractions 12.0.0 to revert breaking changes introduced in Abstractions 11.0.0. (On .NET 10 target, Certificate extension method in CredentialDescription was reverted to normal property.) See #​3767.

4.6.0

What's Changed

Full Changelog: AzureAD/microsoft-identity-web@4.5.0...4.6.0

4.5.0

New features

  • Add support for certificate store lookup by subject name. See #​3742.

Dependencies updates

  • Bump minimatch in /tests/DevApps/SidecarAdapter/typescript. See #​3739.
  • Bump rollup from 4.52.3 to 4.59.0 in /tests/DevApps/SidecarAdapter/typescript. See #​3740.

4.4.0

New features

  • Add AOT-compatible web API authentication for .NET 10+. See #​3705 and #​3664.
  • Propagate long-running web API session key back to callers in user token acquisition. See #​3728.
  • Add OBO event initialization for OBO APIs. See #​3724.
  • Add support for calling WithClientClaims flow for token acquisition. See #​3623.
  • Add OnBeforeTokenAcquisitionForOnBehalfOf event. See #​3680.

Bug fixes

  • Throw InvalidOperationException with actionable message when a custom credential is not registered. See #​3626.
  • Fix event firing for InvokeOnBeforeTokenAcquisitionForOnBehalfOfAsync. See #​3717.
  • Update OnBeforeTokenAcquisitionForOnBehalfOf to construct ClaimsPrincipal from token. See #​3714.
  • Add a retry counter for acquire token and updated tests with a fake secret. See #​3682.
  • Fix OBO user error handling. See #​3712.
  • Fix override merging for app token (and others). See #​3644.
  • Fix certificate reload logic to only trigger on certificate-specific errors. See #​3653.
  • Update ROPC flow CCA to pass SendX5C to MSAL. See #​3671.

Dependencies updates

  • Bump qs in /tests/DevApps/SidecarAdapter/typescript. See #​3725.
  • Downgrade Microsoft.Extensions.Configuration.Binder to 2.1.0 on .NET Framework. See #​3730.
  • Update .NET SDK to 10.0.103 to address DOTNET-Security-10.0 vulnerability. See #​3726.
  • Upgrade to Microsoft.Identity.Abstractions 11 for AoT compatibility. See #​3699.
  • Update to MSAL 4.81.0. See #​3665.

Documentation

  • Add documentation for auto-generated session key for long-running OBO session. See #​3729.
  • Improve the Aspire doc article and skills. See #​3695.
  • Add an article and agent skill to add Entra ID to an Aspire app. See #​3689.
  • Fix misleading comment in CertificatelessOptions.ManagedIdentityClientId. See #​3667.
  • Add Copilot explore tool functionality. See #​3694.

Fundamentals

  • Remove unnecessary warning suppression. See #​3715.
  • Migrate labs to Lab.API 2.x (first pass). See #​3710.
  • Update Sidecar E2E test constants. See #​3693.
  • Fix intermittent failures in CertificatesObserverTests. See #​3687.
  • Add validation baseline exclusions. See #​3684.
  • Add dSTS integration tests. See #​3677.
  • Fix FIC test. See #​3663.
  • Update IdentityWeb version, build logic, and validation. See #​3659.

New Contributors

4.4.0-preview.1

New features

  • Add AOT-compatible web API authentication for .NET 10+. See #​3705 and #​3664.
  • Propagate long-running web API session key back to callers in user token acquisition. See #​3728.
  • Add OBO event initialization for OBO APIs. See #​3724.
  • Add support for calling WithClientClaims flow for token acquisition. See #​3623.
  • Add OnBeforeTokenAcquisitionForOnBehalfOf event. See #​3680.

Bug fixes

  • Throw InvalidOperationException with actionable message when a custom credential is not registered. See #​3626.
  • Fix event firing for InvokeOnBeforeTokenAcquisitionForOnBehalfOfAsync. See #​3717.
  • Update OnBeforeTokenAcquisitionForOnBehalfOf to construct ClaimsPrincipal from token. See #​3714.
  • Add a retry counter for acquire token and updated tests with a fake secret. See #​3682.
  • Fix OBO user error handling. See #​3712.
  • Fix override merging for app token (and others). See #​3644.
  • Fix certificate reload logic to only trigger on certificate-specific errors. See #​3653.
  • Update ROPC flow CCA to pass SendX5C to MSAL. See #​3671.

Dependencies updates

  • Bump qs in /tests/DevApps/SidecarAdapter/typescript. See #​3725.
  • Downgrade Microsoft.Extensions.Configuration.Binder to 2.1.0 on .NET Framework. See #​3730.
  • Update .NET SDK to 10.0.103 to address DOTNET-Security-10.0 vulnerability. See #​3726.
  • Upgrade to Microsoft.Identity.Abstractions 11 for AoT compatibility. See #​3699.
  • Update to MSAL 4.81.0. See #​3665.

Documentation

  • Add documentation for auto-generated session key for long-running OBO session. See #​3729.
  • Improve the Aspire doc article and skills. See #​3695.
  • Add an article and agent skill to add Entra ID to an Aspire app. See #​3689.
  • Fix misleading comment in CertificatelessOptions.ManagedIdentityClientId. See #​3667.
  • Add Copilot explore tool functionality. See #​3694.

Fundamentals

  • Remove unnecessary warning suppression. See #​3715.
  • Migrate labs to Lab.API 2.x (first pass). See #​3710.
  • Update Sidecar E2E test constants. See #​3693.
  • Fix intermittent failures in CertificatesObserverTests. See #​3687.
  • Add validation baseline exclusions. See #​3684.
  • Add dSTS integration tests. See #​3677.
  • Fix FIC test. See #​3663.
  • Update IdentityWeb version, build logic, and validation. See #​3659.

4.3.0

New features

  • Added token binding (mTLS PoP) scenario for confidential client (app-only) token acquisition and downstream API calls. See #​3622.

Dependencies updates

  • Bumped qs from 6.14.0 to 6.14.1 in /tests/DevApps/SidecarAdapter/typescript. See #​3660.

Documentation

  • Modernized Identity Web documentation, which is now can be found in docs. See #​3566.
  • Added token binding (mTLS PoP) documentation. See #​3661.

4.2.0

What's Changed

New features

  • Added CAE claims support for FIC + Managed Identity. See #​3647 for details.
  • Added AddMicrosoftIdentityMessageHandler extension methods for IHttpClientBuilder. See #​3649 for details.

Bug fixes

  • Fixed tenant not being propagated in credential FIC acquisition. See #​3633 for details.
  • Fixed ForAgentIdentity hardcoded 'AzureAd' ConfigurationSection to respect AuthenticationOptionsName. See #​3635 for details.
  • Fixed GetTokenAcquirer to propagate MicrosoftEntraApplicationOptions properties. See #​3651 for details.
  • Added meaningful error message when identity configuration is missing. See #​3637 for details.

Dependencies updates

  • Update Microsoft.Identity.Abstractions to version 10.0.0.
  • Bump express from 5.1.0 to 5.2.0 in /tests/DevApps/SidecarAdapter/typescript. #​3636
  • Bump jws from 3.2.2 to 3.2.3 in /tests/DevApps/SidecarAdapter/typescript. #​3641

Fundamentals

  • Update support policy. #​3656
  • Update agent identity coordinates in E2E tests after deauth. #​3640
  • Update E2E agent identity configuration to new tenant. #​3646

Full Changelog: AzureAD/microsoft-identity-web@4.1.1...4.2.0

4.1.1

Bug fixes

  • Authority-only configuration parsing improvements: Early parsing of Authority into Instance/TenantId and defensive fallback in PrepareAuthorityInstanceForMsal. Behavior is backward compatible; Authority is still ignored when Instance/TenantId explicitly provided—now surfaced via a warning. See #​3612.

New features

  • Added warning diagnostics for conflicting Authority vs Instance/TenantId: Emitting a single structured warning when both styles are provided. See #​3611.

Fundamentals

  • Expanded authority test matrix: Coverage for AAD (v1/v2), B2C (/tfp/ normalization, policy path), CIAM (PreserveAuthority), query parameters, scheme-less forms, and conflict scenarios. See #​3610.

4.1.0

New features

Dependencies updates

  • Bump MSAL.NET to version 4.79.2 and handle changes to deprecated WithExtraQueryParameters APIs. #​3583
  • Update Microsoft.IdentityModel and Abstractions versions. #​3604
  • Update coverlet.collector to 6.0.4. #​3587
  • Update package validation baseline version to 4.0.0. #​3589
  • Bump js-yaml from 4.1.0 to 4.1.1 in /tests/DevApps/SidecarAdapter/typescript. #​3595

Entra ID SDK sidecar

  • Restrict hosts to localhost for sidecar. #​3579
  • Update http file to match endpoints. #​3555
  • Revise sidecar issue template for Entra ID. #​3577

Documentation

  • Update README to include Entra SDK container info. #​3578

Fundamentals

  • Include NET 9.0 in template-install-dependencies. #​3593
  • Fix CodeQL alerts. #​3591
  • Suppression file is needed. #​3592

4.0.1

Bugs fixes

  • Correctly compute Application Key when credential usage fails.
  • Fix bugs where agent user identities didn't work with non-default authentication schemes.

Fundamentals

  • Update .net version to CG compliance

Sidecar

  • Configure Sidecar to default AllowWebApiToBeAuthorizedByACL to true as the container doesn't do authZ

4.0.0

4.0.0

Breaking Changes

Removed support for .NET 6.0 and .NET 7.0 - Microsoft Identity Web 4.0.0 no longer targets .NET 6.0 and .NET 7.0, following Microsoft's support lifecycle. The supported target frameworks are now .NET 8.0, .NET 9.0, .NET Framework 4.6.2, .NET Framework 4.7.2, and .NET Standard 2.0.

See MIGRATION_GUIDE_V4

New features

  • Various improvements to performance logging, authentication, and credential loading capabilities.
  • Bumped MSAL.NET to 4.77.1
  • Added credential description extensibility. For details, see #​3487
  • Added a new CerticateObserverAction type: SuccessfullyUsed and support for multiple certificate observers for improved certificate lifecycle management and telemetry. See #​3505
  • Add specification of OID (in addition to upn) when requesting an authorization header for Agent User Identity. See #​3513
  • Added ClaimsPrincipal and ClaimsIdentity extension methods for agent identity detection in web APIs enabling developers to easily detect agent identities and retrieve parent agent blueprint from token claims. See #​3515
  • Added MicrosoftIdentityMessageHandler for flexible HttpClient authentication. Provides composable alternative to DownstreamApi with per-request authentication configuration. Supports WWW-Authenticate challenge handling. See #​3503
  • Support for multiple certificate observers. See #​3506
  • The Microsoft.Identity.Web.Sidecar will provide a container solution for validation and token acquisition in any-language. See #​3524

Bug Fixes

  • Fixed TokenAcquirerFactory null reference when AppContext.BaseDirectory is root path. See #​3443
  • Fixed IDW10405 error when using managed identity with common tenant. See #​3415
  • Removed hard dependency on IConfiguration in OidcIdpSignedAssertionLoader. See #​3414

Fundamentals

  • Various improvements to .NET support and dependency optimizations.
  • Added doc for Agent identities. See Agent identities
  • Combined and fixed test collections. See #​3472
  • Migrate repository agent rules from .clinerules to agents.md. See #​3475
  • Add .NET 6.x setup step to dotnetcore.yml workflow, as the default build agents don't have it any longer. See #​3489
  • Renamed NET 7 tests to ThreadingTests for framework independence. See #​3501

3.14.1

3.14.1

Bug fixe

  • Support client secrets with agent user identities. See #​3470 for details.

3.14.0

New features

  • Support multi-tenant agent user identities. See #​3461 for details.
  • Id Web now allows for passing of ExtraBodyParameters. See #​3463 for details.

3.13.1

3.13.1

Dependencies updates

  • Microsoft.IdentityModel updated to version 8.14.0.

3.13.0

3.13.0

Dependencies updates

  • Microsoft.IdentityModel updated to version 8.13.1.
  • Microsoft.Abstractions updated to version 9.3.0 and using IAuthenticationSchemeInformationProvider from that library, deprecating the interface of the same name in Microsoft.Identity.Web (introduced in 3.12.0).

Bug fixes

  • Fixed an issue with instantiation of TokenAcquirerFactory when AppContext.BaseDirectory is root path. See PR #​3443 for details.

Fundamentals

3.12.0

3.12.0

Dependencies updates

  • Updated MSAL to version 4.74.1 part of #​3398.

Bug fix

Reload certificates for all client credential based issues to solve the issue that when a bad certificate was installed on the machine and picked up, and subsequently rotated, a service restart was needed for the new certificate to be used. See issue #​3429 and PR #​3430

New features

  • Include the thrown exception in CertificateChangeEventArg. See PR #​3428 for better supportabiliby.
  • Support for Agent User identities. See PR #​3435

3.11.0

3.11.0

Dependencies updates

  • Updated global.json to the latest .NET 9 runtime framework 9.0.108. See PR #​3422 for details.

Bug fixes

  • Fix IDW10405 error when using managed identity with common tenant. See PR #​3415 for details.
  • Fix OidcIdpSignedAssertionLoader to remove hard dependency on IConfiguration registration. See PR #​3414 for details.

New feature

  • Add support for ExtraHeaderParameters and ExtraQueryParameters properties on DownstreamApiOptions to simplify adding custom headers and query parameters to downstream API requests. See PR #​3413 for details.
  • Add better support for Azure SDK. For details see Readme-Azure and PR #​3416

What's Changed

New Contributors

Full Changelog: AzureAD/microsoft-identity-web@3.10.0...3.11.0

Commits viewable in compare view.

Updated Microsoft.NET.Test.Sdk from 17.12.0 to 18.4.0.

Release notes

Sourced from Microsoft.NET.Test.Sdk's releases.

18.4.0

What's Changed

New Contributors

Full Changelog: microsoft/vstest@v18.3.0...v18.4.0

18.3.0

What's Changed

Internal fixes and updates

New Contributors

18.0.1

What's Changed

Fixing an issue with loading covrun64.dll on systems that have .NET 10 SDK installed: https://learn.microsoft.com/en-us/dotnet/core/compatibility/sdk/10.0/code-coverage-dynamic-native-instrumentation

Internal changes

Full Changelog: microsoft/vstest@v18.0.0...v18.0.1

18.0.0

What's Changed

Internal fixes and updates

17.14.1

What's Changed

Description has been truncated

@dependabot dependabot Bot added .NET Pull requests that update .NET code dependencies Pull requests that update a dependency file labels Apr 22, 2026
@dependabot dependabot Bot force-pushed the dependabot/nuget/microsoft-0218de224a branch from 01e8ef8 to 0901c3f Compare April 22, 2026 23:37
@dependabot
Bump Microsoft.AspNetCore.DataProtection and 10 others
159ebc4 
Bumps Microsoft.AspNetCore.DataProtection from 10.0.0 to 10.0.7
Bumps Microsoft.AspNetCore.Mvc.Testing from 10.0.0 to 10.0.7
Bumps Microsoft.Data.SqlClient from 6.1.1 to 7.0.0
Bumps Microsoft.EntityFrameworkCore from 10.0.0 to 10.0.7
Bumps Microsoft.EntityFrameworkCore.Design from 10.0.0 to 10.0.7
Bumps Microsoft.EntityFrameworkCore.SqlServer from 10.0.0 to 10.0.7
Bumps Microsoft.Extensions.Configuration.Abstractions from 10.0.0 to 10.0.7
Bumps Microsoft.Extensions.DependencyInjection.Abstractions to 10.0.7
Bumps Microsoft.Extensions.Options.ConfigurationExtensions from 10.0.0 to 10.0.7
Bumps Microsoft.Identity.Web from 3.10.0 to 4.8.0
Bumps Microsoft.NET.Test.Sdk from 17.12.0 to 18.4.0

---
updated-dependencies:
- dependency-name: Microsoft.AspNetCore.DataProtection
  dependency-version: 10.0.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: microsoft
- dependency-name: Microsoft.Extensions.DependencyInjection.Abstractions
  dependency-version: 10.0.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: microsoft
- dependency-name: Microsoft.AspNetCore.Mvc.Testing
  dependency-version: 10.0.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: microsoft
- dependency-name: Microsoft.Data.SqlClient
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: microsoft
- dependency-name: Microsoft.EntityFrameworkCore
  dependency-version: 10.0.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: microsoft
- dependency-name: Microsoft.EntityFrameworkCore.Design
  dependency-version: 10.0.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: microsoft
- dependency-name: Microsoft.EntityFrameworkCore.SqlServer
  dependency-version: 10.0.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: microsoft
- dependency-name: Microsoft.Extensions.Configuration.Abstractions
  dependency-version: 10.0.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: microsoft
- dependency-name: Microsoft.Extensions.DependencyInjection.Abstractions
  dependency-version: 10.0.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: microsoft
- dependency-name: Microsoft.Extensions.Options.ConfigurationExtensions
  dependency-version: 10.0.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: microsoft
- dependency-name: Microsoft.Identity.Web
  dependency-version: 4.8.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: microsoft
- dependency-name: Microsoft.NET.Test.Sdk
  dependency-version: 18.4.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: microsoft
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/nuget/microsoft-0218de224a branch from 0901c3f to 159ebc4 Compare April 23, 2026 16:36
@razeone razeone merged commit 82d20b8 into main Apr 28, 2026
3 of 5 checks passed
@dependabot dependabot Bot deleted the dependabot/nuget/microsoft-0218de224a branch April 28, 2026 05:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file .NET Pull requests that update .NET code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@razeone