From 9acb2cd1b91f2f6e144b586b13d3f35873458056 Mon Sep 17 00:00:00 2001
From: fadidurah
Date: Mon, 1 Dec 2025 21:48:48 -0500
Subject: [PATCH 1/3] lab tweak, one auth client
---
 .../LabApiAuthenticationClient.java | 19 ++++++++++++++-----
 .../labapi/utilities/client/LabClient.java | 5 +----
 2 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/LabApiUtilities/src/main/com/microsoft/identity/labapi/utilities/authentication/LabApiAuthenticationClient.java b/LabApiUtilities/src/main/com/microsoft/identity/labapi/utilities/authentication/LabApiAuthenticationClient.java
index 9b76a87782..6e6010ac09 100644
--- a/LabApiUtilities/src/main/com/microsoft/identity/labapi/utilities/authentication/LabApiAuthenticationClient.java
+++ b/LabApiUtilities/src/main/com/microsoft/identity/labapi/utilities/authentication/LabApiAuthenticationClient.java
@@ -76,23 +76,28 @@ public LabApiAuthenticationClient(@NonNull final String labSecret, final String
 @Override
 public String getAccessToken() throws LabApiException {
- return getAccessToken(DEFAULT_ACCESS_TOKEN_RETRIES);
+ return getAccessToken(DEFAULT_ACCESS_TOKEN_RETRIES, null);
+ }
+
+ public String getAccessTokenForCustomScope(final String scope) throws LabApiException {
+ return getAccessToken(DEFAULT_ACCESS_TOKEN_RETRIES, scope);
 }
 /**
 * Attempt to acquire an access token. Accepts a parameter to denote number of retries
 * @param retries how many times to attempt acquire access token before returning a failure.
+ * @param customScope the custom scope for which the access token is requested. If null, use the default scope.
 * @return an access token for Lab API
 * @throws LabApiException exception given back by Lab API
 */
- public String getAccessToken(final int retries) throws LabApiException {
+ public String getAccessToken(final int retries, final String customScope) throws LabApiException {
 // Do this in a loop, if we get an exception or null result, try again
 for (int i = 1; i <= retries; i++) {
 System.out.printf(Locale.ENGLISH, "getAccessToken attempt #%d%n", i);
 try {
- final String result = getAccessTokenInternal();
+ final String result = getAccessTokenInternal(customScope);
 if (result != null) {
 return result;
 }
@@ -120,12 +125,16 @@ public String getAccessToken(final int retries) throws LabApiException {
 return null;
 }
- private String getAccessTokenInternal() throws LabApiException {
+ private String getAccessTokenInternal(final String customScope) throws LabApiException {
+ String authScope = mScope;
+ if (customScope != null) {
+ authScope = customScope;
+ }
 final IConfidentialAuthClient confidentialAuthClient = new Msal4jAuthClient();
 final TokenParameters tokenParameters = TokenParameters.builder()
 .clientId(mClientId)
 .authority(AUTHORITY)
- .scope(mScope)
+ .scope(authScope)
 .build();
 final IAuthenticationResult authenticationResult;
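Review bot: In LabApiAuthenticationClient, `getAccessTokenForCustomScope(final String scope)` accepts a null scope, and the `customScope != null` fallback in `getAccessTokenInternal` (second hunk here, reworked in patch 3/3) then silently requests the default Lab scope, so a caller that meant to obtain a token for another resource gets a Lab API token instead. The new public method should reject null, for example by declaring the parameter `@NonNull final String scope` as the constructors do (with an explicit check if that annotation does not generate one here), and it needs a Javadoc stating that the token is issued for the given scope with this client's credential. Replacing the public `getAccessToken(final int retries)` with a two-argument signature also breaks any caller outside this diff; keeping the one-argument overload as `return getAccessToken(retries, null);` would avoid that. The retry loop continues past the end of the first hunk.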
diff --git a/LabApiUtilities/src/main/com/microsoft/identity/labapi/utilities/client/LabClient.java b/LabApiUtilities/src/main/com/microsoft/identity/labapi/utilities/client/LabClient.java
index d646f7309f..53a12fb2d5 100644
--- a/LabApiUtilities/src/main/com/microsoft/identity/labapi/utilities/client/LabClient.java
+++ b/LabApiUtilities/src/main/com/microsoft/identity/labapi/utilities/client/LabClient.java
@@ -61,9 +61,6 @@ public class LabClient implements ILabClient {
 private final LabApiAuthenticationClient mLabApiAuthenticationClient;
- private final LabApiAuthenticationClient mLabApiAuthenticationClientForKeyVault = new LabApiAuthenticationClient(
- BuildConfig.LAB_CLIENT_SECRET, KEYVAULT_SCOPE, DEFAULT_LAB_CLIENT_ID
- );
 private final long PASSWORD_RESET_WAIT_DURATION = TimeUnit.SECONDS.toMillis(65);
 private final long LAB_API_RETRY_WAIT = TimeUnit.SECONDS.toMillis(5);
@@ -308,7 +305,7 @@ public String getPasswordForGuestUser(LabGuestAccount guestUser) throws LabApiEx
 @Override
 public String getKeyVaultSecret(@NonNull final String secretName) throws LabApiException {
 Configuration.getKeyVaultApiClient().setAccessToken(
- mLabApiAuthenticationClientForKeyVault.getAccessToken()
+ mLabApiAuthenticationClient.getAccessTokenForCustomScope(KEYVAULT_SCOPE)
 );
 final KeyVaultSecretsApi keyVaultSecretsApi = new KeyVaultSecretsApi();
From 7e297b6ced64a68eebf9e153f3d4d217dafad0aa Mon Sep 17 00:00:00 2001
From: fadidurah
Date: Mon, 1 Dec 2025 21:58:44 -0500
Subject: [PATCH 2/3] pipeline agent
---
 azure-pipelines/continuous-delivery/common-cd.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/azure-pipelines/continuous-delivery/common-cd.yml b/azure-pipelines/continuous-delivery/common-cd.yml
index 5f36fe106b..6f219a245b 100644
--- a/azure-pipelines/continuous-delivery/common-cd.yml
+++ b/azure-pipelines/continuous-delivery/common-cd.yml
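Review bot: In LabClient.java, `getKeyVaultSecret` now takes its Key Vault token from the injected `mLabApiAuthenticationClient`, whereas the removed field always authenticated with `BuildConfig.LAB_CLIENT_SECRET` and `DEFAULT_LAB_CLIENT_ID`; a `LabClient` built around a different credential or client id will therefore present that identity to Key Vault. If that is intended, record it in the method's Javadoc, e.g. `Uses this LabClient's own auth client; its identity must be allowed to read the lab Key Vault.` The retry wrapper shown in patch 1 appears to end in `return null;`, so the value passed to `setAccessToken(...)` here, and returned by `requestAccessTokenForKeyVault()` in ConfidentialClientHelper (patch 3/3), may be null once retries are exhausted; failing with a `LabApiException` at that point would be clearer than a later unauthenticated request. The method body continues outside the hunk.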
@@ -16,7 +16,9 @@ variables:
 versionNumber: ${{ variables.customVersion }}
 pool:
- name: Hosted Windows 2019 with VS2019
+ name: MSSecurity-1ES-Build-Agents-Pool
+ image: MSSecurity-1ES-Windows-2022
+ os: windows
 jobs: # Key Vault
 - job: keyvault_phase
From 313983892759329120b73b8173c4a8b5b734db79 Mon Sep 17 00:00:00 2001
From: fadidurah
Date: Mon, 1 Dec 2025 23:18:45 -0500
Subject: [PATCH 3/3] remove unneeded constructors
---
 .../LabApiAuthenticationClient.java | 19 ++++++++-----------
 .../labutils/ConfidentialClientHelper.java | 2 +-
 2 files changed, 9 insertions(+), 12 deletions(-)
diff --git a/LabApiUtilities/src/main/com/microsoft/identity/labapi/utilities/authentication/LabApiAuthenticationClient.java b/LabApiUtilities/src/main/com/microsoft/identity/labapi/utilities/authentication/LabApiAuthenticationClient.java
index 6e6010ac09..96ca3e648d 100644
--- a/LabApiUtilities/src/main/com/microsoft/identity/labapi/utilities/authentication/LabApiAuthenticationClient.java
+++ b/LabApiUtilities/src/main/com/microsoft/identity/labapi/utilities/authentication/LabApiAuthenticationClient.java
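Review bot: In common-cd.yml, the `image:` and `os:` keys added under `pool:` are, as far as I know, only consumed when a pipeline extends the 1ES pipeline templates; a plain Azure Pipelines definition documents `name`, `demands` and `vmImage` for `pool`. Nothing in this hunk shows which case applies, so please confirm that the run actually lands on the `MSSecurity-1ES-Windows-2022` image rather than the pool's default. A comment above `pool:` such as `# 1ES-hosted pool; image/os are read by the 1ES template` would record that dependency for the next editor. The hunk ends at the start of the `keyvault_phase` job.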
@@ -51,26 +51,20 @@ public class LabApiAuthenticationClient implements IAccessTokenSupplier {
 private final static int ATTEMPT_RETRY_WAIT = 3;
 private final String mLabCredential;
 private final String mLabCertPassword;
- private final String mScope;
+ private final String defaultScope = LabConstants.DEFAULT_LAB_SCOPE;
 private final String mClientId;
-
 public LabApiAuthenticationClient(@NonNull final String labSecret) {
- this(labSecret, null, null, null);
+ this(labSecret, null, null);
 }
 public LabApiAuthenticationClient(@NonNull final String labSecret, final String labCertPassword) {
- this(labSecret, labCertPassword, null, null);
- }
-
- public LabApiAuthenticationClient(@NonNull final String labSecret, @NonNull final String scope, @NonNull final String clientId) {
- this(labSecret, null, scope, clientId);
+ this(labSecret, labCertPassword, null);
 }
- public LabApiAuthenticationClient(@NonNull final String labSecret, final String labCertPassword, final String scope, final String clientId) {
+ public LabApiAuthenticationClient(@NonNull final String labSecret, final String labCertPassword, final String clientId) {
 mLabCredential = labSecret;
 mLabCertPassword = labCertPassword;
- mScope = scope != null ? scope : LabConstants.DEFAULT_LAB_SCOPE;
 mClientId = clientId != null ? clientId : LabConstants.DEFAULT_LAB_CLIENT_ID;
 }
@@ -126,10 +120,13 @@ public String getAccessToken(final int retries, final String customScope) throws
 }
 private String getAccessTokenInternal(final String customScope) throws LabApiException {
- String authScope = mScope;
+ final String authScope;
 if (customScope != null) {
 authScope = customScope;
+ } else {
+ authScope = defaultScope;
 }
+
 final IConfidentialAuthClient confidentialAuthClient = new Msal4jAuthClient();
 final TokenParameters tokenParameters = TokenParameters.builder()
 .clientId(mClientId)
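Review bot: In LabApiAuthenticationClient, the surviving three-argument constructor `(labSecret, labCertPassword, clientId)` has the same arity and parameter types as the removed `(labSecret, scope, clientId)` overload, so a caller outside this diff that still passes a scope in second position keeps compiling and now supplies that string as the certificate password. ConfidentialClientHelper is updated in this patch, but other call sites are not visible here and should be searched for before merging; a named static factory or builder would rule out the positional mix-up. Separately, `defaultScope` is a per-instance field holding a constant and drops the `m` prefix its neighbours use; `private static final String DEFAULT_SCOPE = LabConstants.DEFAULT_LAB_SCOPE;` would be more consistent. In the second hunk the if/else can be the single line `final String authScope = customScope != null ? customScope : defaultScope;`.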
diff --git a/testutils/src/main/java/com/microsoft/identity/internal/testutils/labutils/ConfidentialClientHelper.java b/testutils/src/main/java/com/microsoft/identity/internal/testutils/labutils/ConfidentialClientHelper.java
index fc79c51d1e..9a6acda054 100644
--- a/testutils/src/main/java/com/microsoft/identity/internal/testutils/labutils/ConfidentialClientHelper.java
+++ b/testutils/src/main/java/com/microsoft/identity/internal/testutils/labutils/ConfidentialClientHelper.java
@@ -70,7 +70,7 @@ private String requestAccessTokenForAutomation()
 private String requestAccessTokenForKeyVault() throws LabApiException {
- return (new LabApiAuthenticationClient(BuildConfig.LAB_CLIENT_SECRET, KEYVAULT_SCOPE, DEFAULT_LAB_CLIENT_ID)).getAccessToken();
+ return (new LabApiAuthenticationClient(BuildConfig.LAB_CLIENT_SECRET)).getAccessTokenForCustomScope(KEYVAULT_SCOPE);
 }
 void setupApiClientWithAccessToken() {