Deprecate AcquireTokenByIntegratedWindowsAuth API (#5345)

ashok672 · gladjohn · web-flow · commit bccbce95f21a · 2025-06-20T16:48:54.000-07:00
* Deprecate IntegratedWindowsAuth API

* Update src/client/Microsoft.Identity.Client/IPublicClientApplication.cs

Co-authored-by: Gladwin Johnson &lt;90415114+gladjohn@users.noreply.github.com&gt;

* Update WsTrustWebRequestManager.cs

* Update WsTrustWebRequestManager.cs

* Fix build break

---------

Co-authored-by: Gladwin Johnson &lt;90415114+gladjohn@users.noreply.github.com&gt;
diff --git a/src/client/Microsoft.Identity.Client/IPublicClientApplication.cs b/src/client/Microsoft.Identity.Client/IPublicClientApplication.cs
@@ -77,8 +77,9 @@ AcquireTokenWithDeviceCodeParameterBuilder AcquireTokenWithDeviceCode(
 
         /// <summary>
         /// <para>
-        /// This API is no longer recommended and will be deprecated in future versions in favor of 
-        /// similar functionality via <see href="https://aka.ms/msal-net-wam">the Windows broker (WAM)</see>.
+        /// This API is no longer recommended. If your application requires single sign-on (SSO) with the Windows OS's default account, 
+        /// please transition to using WAM, which provides similar functionality 
+        /// via <see href="https://aka.ms/msal-net-wam">the Windows broker (WAM)</see>.
         /// WAM does not require any setup for desktop apps to login with the Windows account.
         /// </para>
         /// <para>
@@ -94,6 +95,9 @@ AcquireTokenWithDeviceCodeParameterBuilder AcquireTokenWithDeviceCode(
         /// <remarks>
         /// See <see href="https://aka.ms/msal-net-iwa">our documentation</see> for more details.
         /// </remarks>
+
+        [Obsolete("This API is no longer recommended. For scenarios requiring SSO with the Windows OS's default account, please transition to using WAM.", false)]
+        [EditorBrowsable(EditorBrowsableState.Never)]
         AcquireTokenByIntegratedWindowsAuthParameterBuilder AcquireTokenByIntegratedWindowsAuth(
             IEnumerable<string> scopes);
 
diff --git a/src/client/Microsoft.Identity.Client/WsTrust/WsTrustWebRequestManager.cs b/src/client/Microsoft.Identity.Client/WsTrust/WsTrustWebRequestManager.cs
@@ -96,11 +96,9 @@ public async Task<WsTrustResponse> GetWsTrustResponseAsync(
             {
                 { "SOAPAction", (wsTrustEndpoint.Version == WsTrustVersion.WsTrust2005) ? XmlNamespace.Issue2005.ToString() : XmlNamespace.Issue.ToString() }
             };
-
-            var body = new StringContent(
-                // CodeQL [SM00417] False Positive: wsTrustRequest is a body parameter for HttpRequest that follows WsTrust protocol
-                wsTrustRequest,
-                Encoding.UTF8, "application/soap+xml");
+            
+            // CodeQL [SM00417] False Positive: wsTrustRequest is a body parameter for HttpRequest that follows WsTrust protocol
+            var body = new StringContent(wsTrustRequest, Encoding.UTF8, "application/soap+xml");
 
             IRetryPolicyFactory retryPolicyFactory = requestContext.ServiceBundle.Config.RetryPolicyFactory;
             IRetryPolicy retryPolicy = retryPolicyFactory.GetRetryPolicy(RequestType.STS);
diff --git a/tests/Microsoft.Identity.Test.Unit/PublicApiTests/PublicClientApplicationTests.cs b/tests/Microsoft.Identity.Test.Unit/PublicApiTests/PublicClientApplicationTests.cs
@@ -1159,7 +1159,9 @@ public void EnsurePublicApiSurfaceExistsOnInterface()
 #endif
             CheckBuilderCommonMethods(interactiveBuilder);
 
+#pragma warning disable CS0618 // Type or member is obsolete
             var iwaBuilder = app.AcquireTokenByIntegratedWindowsAuth(TestConstants.s_scope)
+#pragma warning restore CS0618 // Type or member is obsolete
                .WithUsername("upn@live.com");
             CheckBuilderCommonMethods(iwaBuilder);
 
diff --git a/tests/devapps/FociTestApp/Program.cs b/tests/devapps/FociTestApp/Program.cs
@@ -180,7 +180,9 @@ private static Task<AuthenticationResult> StartAcquireTokenAsync(IPublicClientAp
         {
             if (s_useIWA)
             {
+#pragma warning disable CS0618 // Type or member is obsolete
                 return pca.AcquireTokenByIntegratedWindowsAuth(s_scopes).ExecuteAsync();
+#pragma warning restore CS0618 // Type or member is obsolete
             }
             return pca.AcquireTokenInteractive(s_scopes).WithUseEmbeddedWebView(false).ExecuteAsync();
         }
diff --git a/tests/devapps/NetCoreTestApp/Program.cs b/tests/devapps/NetCoreTestApp/Program.cs
@@ -36,7 +36,6 @@ public class Program
         // Confidential client app with access to https://graph.microsoft.com/.default
         private static string s_clientIdForConfidentialApp;
 
-
         // App certificate for app above 
         private static X509Certificate2 s_confidentialClientCertificate;
 
@@ -172,7 +171,9 @@ 0. Exit App
                     switch (selection)
                     {
                         case 1: // acquire token
+#pragma warning disable CS0618 // Type or member is obsolete
                             authTask = pca.AcquireTokenByIntegratedWindowsAuth(s_scopes).WithUsername(s_username).ExecuteAsync(CancellationToken.None);
+#pragma warning restore CS0618 // Type or member is obsolete
                             await FetchTokenAndCallGraphAsync(pca, authTask).ConfigureAwait(false);
 
                             break;
@@ -432,7 +433,6 @@ private static IConfidentialClientApplication CreateCcaForMtlsPop(string region)
                 .WithAuthority("https://login.microsoftonline.com/bea21ebe-8b64-4d06-9f6d-6a889b120a7c")
                 .WithAzureRegion(region);
 
-
             ccaBuilder = ccaBuilder.WithCertificate(s_confidentialClientCertificate, true);
 
             //Add Experimental feature for MTLS PoP
diff --git a/tests/devapps/NetFxConsoleTestApp/Program.cs b/tests/devapps/NetFxConsoleTestApp/Program.cs
@@ -223,8 +223,10 @@ x. Exit app
                     switch (selection)
                     {
                         case '1': // acquire token
+#pragma warning disable CS0618 // Type or member is obsolete
                             var iwaBuilder =
                                 pca.AcquireTokenByIntegratedWindowsAuth(s_scopes)
+#pragma warning restore CS0618 // Type or member is obsolete
                                 .WithUsername(s_username);
 
                             var result = await iwaBuilder.ExecuteAsync().ConfigureAwait(false);
diff --git a/tests/devapps/WAM/NetCoreWinFormsWam/Form1.cs b/tests/devapps/WAM/NetCoreWinFormsWam/Form1.cs
@@ -946,9 +946,11 @@ private async void btn_wia_Click(object sender, EventArgs e)
                 var cancellationTokenSource = new CancellationTokenSource();
 
                 var pca = await CreatePca(GetAuthMethod()).ConfigureAwait(false);
+#pragma warning disable CS0618 // Type or member is obsolete
                 AuthenticationResult authenticationResult = await pca
                     .AcquireTokenByIntegratedWindowsAuth(
                         GetScopes())
+#pragma warning restore CS0618 // Type or member is obsolete
                     .ExecuteAsync(cancellationTokenSource.Token)
                     .ConfigureAwait(true);
 

Original file line number	Diff line number	Diff line change
`@@ -180,7 +180,9 @@ private static Task<AuthenticationResult> StartAcquireTokenAsync(IPublicClientAp`
`180`	`180`	`{`
`181`	`181`	`if (s_useIWA)`
`182`	`182`	`{`
	`183`	`+#pragma warning disable CS0618 // Type or member is obsolete`
`183`	`184`	`return pca.AcquireTokenByIntegratedWindowsAuth(s_scopes).ExecuteAsync();`
	`185`	`+#pragma warning restore CS0618 // Type or member is obsolete`
`184`	`186`	`}`
`185`	`187`	`return pca.AcquireTokenInteractive(s_scopes).WithUseEmbeddedWebView(false).ExecuteAsync();`
`186`	`188`	`}`