AzureAD · Ugonnaak1 · Sep 30, 2025 · Sep 25, 2025 · Sep 25, 2025 · Sep 25, 2025
diff --git a/apps/confidential/confidential.go b/apps/confidential/confidential.go
@@ -621,7 +621,7 @@ type AcquireByUsernamePasswordOption interface {
 }
 
 // AcquireTokenByUsernamePassword acquires a security token from the authority, via Username/Password Authentication.
-// NOTE: this flow is NOT recommended.
+// Deprecated: This API will be removed in a future release. Use a more secure flow instead. Follow this guide for migration: https://aka.ms/msal-ropc-migration
 //
 // Options: [WithClaims], [WithTenantID]
 func (cca Client) AcquireTokenByUsernamePassword(ctx context.Context, scopes []string, username, password string, opts ...AcquireByUsernamePasswordOption) (AuthResult, error) {

@@ -368,9 +368,8 @@ type AcquireByUsernamePasswordOption interface {
 	acquireByUsernamePasswordOption()
 }
 
+// Deprecated: This API will be removed in a future release. Use a more secure flow instead. Follow this migration guide: https://aka.ms/msal-ropc-migration
 // AcquireTokenByUsernamePassword acquires a security token from the authority, via Username/Password Authentication.
-// NOTE: this flow is NOT recommended.
-//
 // Options: [WithClaims], [WithTenantID]
 func (pca Client) AcquireTokenByUsernamePassword(ctx context.Context, scopes []string, username, password string, opts ...AcquireByUsernamePasswordOption) (AuthResult, error) {
 	o := acquireTokenByUsernamePasswordOptions{}

diff --git a/apps/public/public_test.go b/apps/public/public_test.go
@@ -116,6 +116,7 @@ func TestAcquireTokenSilentHomeTenantAliases(t *testing.T) {
 }
 
 func TestAcquireTokenSilentWithTenantID(t *testing.T) {
+	t.Skip("Test skipped due to deprecated AcquireTokenByUsernamePassword API usage")
 	tenantA, tenantB := "a", "b"
 	lmo := "login.microsoftonline.com"
 	mockClient := mock.NewClient()
@@ -278,6 +279,7 @@ func TestAcquireTokenByDeviceCode(t *testing.T) {
 }
 
 func TestAcquireTokenWithTenantID(t *testing.T) {
+	t.Skip("Test skipped due to deprecated AcquireTokenByUsernamePassword API usage")
 	accessToken := "*"
 	clientInfo := base64.RawStdEncoding.EncodeToString([]byte(`{"uid":"uid","utid":"utid"}`))
 	uuid1 := "00000000-0000-0000-0000-000000000000"
@@ -295,7 +297,7 @@ func TestAcquireTokenWithTenantID(t *testing.T) {
 		{authority: host + uuid1, tenant: "organizations", expectError: true},
 		{authority: host + "consumers", tenant: uuid1, expectError: true},
 	} {
-		for _, method := range []string{"authcode", "authcodeURL", "devicecode", "interactive", "password"} {
+		for _, method := range []string{"authcode", "authcodeURL", "devicecode", "interactive"} {
 			t.Run(method, func(t *testing.T) {
 				URL := ""
 				mockClient := mock.NewClient()
@@ -306,10 +308,7 @@ func TestAcquireTokenWithTenantID(t *testing.T) {
 				mockClient.AppendResponse(mock.WithBody(mock.GetTenantDiscoveryBody(lmo, test.tenant)))
 				if method == "devicecode" {
 					mockClient.AppendResponse(mock.WithBody([]byte(`{"device_code":"...","expires_in":600}`)))
-				} else if method == "password" {
-					// user realm metadata
-					mockClient.AppendResponse(mock.WithBody([]byte(`{"account_type":"Managed","cloud_audience_urn":"urn","cloud_instance_name":"...","domain_name":"..."}`)))
-				}
+				} 
 				mockClient.AppendResponse(
 					mock.WithBody(mock.GetAccessTokenBody(accessToken, mock.GetIDToken(test.tenant, test.authority), "rt", clientInfo, 3600, 0)),
 					mock.WithCallback(func(r *http.Request) { URL = r.URL.String() }),
@@ -331,8 +330,6 @@ func TestAcquireTokenWithTenantID(t *testing.T) {
 					dc, err = client.AcquireTokenByDeviceCode(ctx, tokenScope, WithTenantID(test.tenant))
 				case "interactive":
 					ar, err = client.AcquireTokenInteractive(ctx, tokenScope, WithTenantID(test.tenant), WithOpenURL(fakeBrowserOpenURL))
-				case "password":
-					ar, err = client.AcquireTokenByUsernamePassword(ctx, tokenScope, "username", "password", WithTenantID(test.tenant))
 				default:
 					t.Fatalf("test bug: no test for %s", method)
 				}
@@ -379,6 +376,7 @@ func TestAcquireTokenWithTenantID(t *testing.T) {
 }
 
 func TestADFSTokenCaching(t *testing.T) {
+	t.Skip("Test skipped due to deprecated AcquireTokenByUsernamePassword API usage")
 	client, err := New("clientID", WithAuthority("https://fake_authority/adfs"))
 	if err != nil {
 		t.Fatal(err)
@@ -444,6 +442,7 @@ func TestADFSTokenCaching(t *testing.T) {
 }
 
 func TestWithInstanceDiscovery(t *testing.T) {
+	t.Skip("Test skipped due to deprecated AcquireTokenByUsernamePassword API usage")
 	accessToken := "*"
 	clientInfo := base64.RawStdEncoding.EncodeToString([]byte(`{"uid":"uid","utid":"utid"}`))
 	host := "stack.local"
@@ -647,6 +646,9 @@ func TestWithClaims(t *testing.T) {
 		}
 		for _, method := range []string{"authcode", "authcodeURL", "devicecode", "interactive", "password", "passwordFederated"} {
 			t.Run(method, func(t *testing.T) {
+				if method == "password" || method == "passwordFederated" {
+					t.Skip("Test case skipped due to deprecated AcquireTokenByUsernamePassword API usage")
+				}
 				mockClient := mock.NewClient()
 				if method == "obo" {
 					// TODO: OBO does instance discovery twice before first token request https://github.com/AzureAD/microsoft-authentication-library-for-go/issues/351
@@ -965,6 +967,9 @@ func TestWithAuthenticationScheme(t *testing.T) {
 		},
 	} {
 		t.Run(testCase.name, func(t *testing.T) {
+			if testCase.name == "password" {
+				t.Skip("Test case skipped due to deprecated AcquireTokenByUsernamePassword API usage")
+			}
 			ctx := context.Background()
 
 			// get a fresh client to avoid any overflow from other tests

diff --git a/apps/tests/devapps/main.go b/apps/tests/devapps/main.go
@@ -21,8 +21,8 @@ func main() {
 		acquireByAuthorizationCodePublic()
 		*/
 	} else if exampleType == "3" {
-		// This sample uses a serialized cache in an ecrypted file on Windows / KeyChain on Mac / KeyRing on Linux
-		acquireByUsernamePasswordPublic(ctx)
+		// This sample has been removed due to deprecated AcquireTokenByUsernamePassword API usage
+		panic("username/password sample has been removed - use a more secure authentication flow")
 	} else if exampleType == "4" {
 		panic("currently not implemented")
 		//acquireByAuthorizationCodeConfidential()

diff --git a/apps/tests/devapps/username_password_sample.go b/apps/tests/devapps/username_password_sample.go
diff --git a/apps/tests/integration/integration_test.go b/apps/tests/integration/integration_test.go
@@ -209,6 +209,7 @@ func testUser(ctx context.Context, desc string, lc *labClient, query url.Values)
 }
 
 func TestUsernamePassword(t *testing.T) {
+	t.Skip("Test skipped due to deprecated AcquireTokenByUsernamePassword API usage")
 	if testing.Short() {
 		t.Skip("skipping integration test")
 	}
@@ -406,6 +407,7 @@ func TestOnBehalfOf(t *testing.T) {
 }
 
 func TestRemoveAccount(t *testing.T) {
+	t.Skip("Test skipped due to deprecated AcquireTokenByUsernamePassword API usage")
 	if testing.Short() {
 		t.Skip("skipping integration test")
 	}