AzureAD · trwalke · May 23, 2023 · Oct 6, 2022 · Oct 7, 2022 · Oct 7, 2022
@@ -160,7 +160,6 @@ public X509Certificate2 ClientCredentialCertificate
                 return null;
             }
         }
-
 #endregion
 
 #region Region

@@ -341,8 +341,6 @@ public ConfidentialClientApplicationBuilder WithGenericAuthority(string authorit
         /// <returns>The builder to chain the .With methods</returns>
         public ConfidentialClientApplicationBuilder WithTelemetryClient(params ITelemetryClient[] telemetryClients)
         {
-            ValidateUseOfExperimentalFeature("ITelemetryClient");
-
             if (telemetryClients == null)
             {
                 throw new ArgumentNullException(nameof(telemetryClients));

@@ -0,0 +1,35 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace Microsoft.Identity.Client.Cache
+{
+    /// <summary>
+    /// Identifies the type of cache that the token was read from. Cache implementations must provide this.
+    /// </summary>
+    public enum CacheLevel
+    {
+        /// <summary>
+        /// Specifies that the cache level used is None.
+        /// Token was retrieved from ESTS
+        /// </summary>
+        None = 0,
+        /// <summary>
+        /// Specifies that the cache level used is unknown.
+        /// Token was retrieved from cache but the token cache implementation didn't specify which cache level was used.
+        /// </summary>
+        Unknown = 1,
+        /// <summary>
+        /// Specifies if the L1 cache is used.
+        /// </summary>
+        L1Cache = 2,
+        /// <summary>
+        /// Specifies if the L2 cache is used.
+        L2Cache = 3
+    }
+}
@@ -10,6 +10,7 @@
 using Microsoft.Identity.Client.Internal;
 using Microsoft.Identity.Client.Internal.Requests;
 using Microsoft.Identity.Client.OAuth2;
+using Microsoft.Identity.Client.TelemetryCore.TelemetryClient;
 
 namespace Microsoft.Identity.Client.Cache
 {
@@ -106,6 +107,7 @@ private async Task RefreshCacheForReadOperationsAsync()
                     await TokenCacheInternal.Semaphore.WaitAsync(_requestParams.RequestContext.UserCancellationToken).ConfigureAwait(false);
                     _requestParams.RequestContext.Logger.Verbose(()=>"[Cache Session Manager] Entered cache semaphore");
 
+                    TelemetryData telemetryData = new TelemetryData();
                     Stopwatch stopwatch = new Stopwatch();
                     try
                     {
@@ -129,7 +131,8 @@ private async Task RefreshCacheForReadOperationsAsync()
                                   requestScopes: _requestParams.Scope, 
                                   requestTenantId: _requestParams.AuthorityManager.OriginalAuthority.TenantId,
                                   identityLogger: _requestParams.RequestContext.Logger.IdentityLogger,
-                                  piiLoggingEnabled: _requestParams.RequestContext.Logger.PiiLoggingEnabled);
+                                  piiLoggingEnabled: _requestParams.RequestContext.Logger.PiiLoggingEnabled,
+                                  telemetryData: telemetryData);
 
                                 stopwatch.Start();
                                 await TokenCacheInternal.OnBeforeAccessAsync(args).ConfigureAwait(false);
@@ -155,7 +158,8 @@ private async Task RefreshCacheForReadOperationsAsync()
                                   requestScopes: _requestParams.Scope,
                                   requestTenantId: _requestParams.AuthorityManager.OriginalAuthority.TenantId,
                                   identityLogger: _requestParams.RequestContext.Logger.IdentityLogger,
-                                  piiLoggingEnabled: _requestParams.RequestContext.Logger.PiiLoggingEnabled);
+                                  piiLoggingEnabled: _requestParams.RequestContext.Logger.PiiLoggingEnabled,
+                                  telemetryData: telemetryData);
 
                                 await TokenCacheInternal.OnAfterAccessAsync(args).ConfigureAwait(false);
                                 RequestContext.ApiEvent.DurationInCacheInMs += stopwatch.ElapsedMilliseconds;
@@ -170,6 +174,7 @@ private async Task RefreshCacheForReadOperationsAsync()
                     {
                         TokenCacheInternal.Semaphore.Release();
                         _requestParams.RequestContext.Logger.Verbose(()=>"[Cache Session Manager] Released cache semaphore");
+                        RequestContext.ApiEvent.CacheLevel = telemetryData.CacheLevel;
                     }
                 }
             }

@@ -8,6 +8,7 @@
 using Microsoft.Identity.Client.Core;
 using Microsoft.Identity.Client.OAuth2;
 using Microsoft.Identity.Client.PlatformsCommon.Interfaces;
+using Microsoft.Identity.Client.TelemetryCore;
 using Microsoft.Identity.Client.Utils;
 
 namespace Microsoft.Identity.Client.Internal.ClientCredential
@@ -19,6 +20,8 @@ internal class CertificateAndClaimsClientCredential : IClientCredential
         private readonly string _base64EncodedThumbprint; // x5t
         public X509Certificate2 Certificate { get; }
 
+        public AssertionType AssertionType => AssertionType.CertificateWithoutSni;
+
         public CertificateAndClaimsClientCredential(X509Certificate2 certificate, IDictionary<string, string> claimsToSign, bool appendDefaultClaims)
         {
             Certificate = certificate;
@@ -42,7 +45,7 @@ public Task AddConfidentialClientParametersAsync(
                 tokenEndpoint,
                 _claimsToSign,
                 _appendDefaultClaims);
-            
+
             string assertion = jwtToken.Sign(Certificate, _base64EncodedThumbprint, sendX5C);
 
             oAuth2Client.AddBodyParameter(OAuth2Parameter.ClientAssertionType, OAuth2AssertionType.JwtBearer);

@@ -11,12 +11,15 @@
 using Microsoft.Identity.Client.Core;
 using Microsoft.Identity.Client.OAuth2;
 using Microsoft.Identity.Client.PlatformsCommon.Interfaces;
+using Microsoft.Identity.Client.TelemetryCore;
 using Microsoft.Identity.Client.Utils;
 
 namespace Microsoft.Identity.Client.Internal.ClientCredential
 {
     internal interface IClientCredential
     {
+        AssertionType AssertionType { get; }
+
         Task AddConfidentialClientParametersAsync(
               OAuth2Client oAuth2Client,
               ILoggerAdapter logger,

@@ -6,6 +6,7 @@
 using Microsoft.Identity.Client.Core;
 using Microsoft.Identity.Client.OAuth2;
 using Microsoft.Identity.Client.PlatformsCommon.Interfaces;
+using Microsoft.Identity.Client.TelemetryCore;
 using Microsoft.Identity.Client.Utils;
 
 namespace Microsoft.Identity.Client.Internal.ClientCredential
@@ -14,6 +15,8 @@ internal class SecretStringClientCredential : IClientCredential
     {
         internal string Secret { get; }
 
+        public AssertionType AssertionType => AssertionType.Secret;
+
         public SecretStringClientCredential(string secret)
         {
             Secret = secret;

@@ -6,6 +6,7 @@
 using Microsoft.Identity.Client.Core;
 using Microsoft.Identity.Client.OAuth2;
 using Microsoft.Identity.Client.PlatformsCommon.Interfaces;
+using Microsoft.Identity.Client.TelemetryCore;
 using Microsoft.Identity.Client.Utils;
 
 namespace Microsoft.Identity.Client.Internal.ClientCredential
@@ -14,10 +15,13 @@ internal class SignedAssertionClientCredential : IClientCredential
     {
         private readonly string _signedAssertion;
 
+        public AssertionType AssertionType => AssertionType.ClientAssertion;
+
         public SignedAssertionClientCredential(string signedAssertion)
         {
             _signedAssertion = signedAssertion;
         }
+
         public Task AddConfidentialClientParametersAsync(OAuth2Client oAuth2Client, ILoggerAdapter logger, ICryptographyManager cryptographyManager, string clientId, string tokenEndpoint, bool sendX5C, CancellationToken cancellationToken)
         {
             oAuth2Client.AddBodyParameter(OAuth2Parameter.ClientAssertionType, OAuth2AssertionType.JwtBearer);

@@ -7,13 +7,15 @@
 using Microsoft.Identity.Client.Core;
 using Microsoft.Identity.Client.OAuth2;
 using Microsoft.Identity.Client.PlatformsCommon.Interfaces;
+using Microsoft.Identity.Client.TelemetryCore;
 
 namespace Microsoft.Identity.Client.Internal.ClientCredential
 {
     internal class SignedAssertionDelegateClientCredential : IClientCredential
     {
         internal Func<CancellationToken, Task<string>> _signedAssertionDelegate { get; }
         internal Func<AssertionRequestOptions, Task<string>> _signedAssertionWithInfoDelegate { get; }
+        public AssertionType AssertionType => AssertionType.ClientAssertion;
 
         [System.ComponentModel.EditorBrowsable(System.ComponentModel.EditorBrowsableState.Never)]
         public SignedAssertionDelegateClientCredential(Func<CancellationToken, Task<string>> signedAssertionDelegate)

@@ -2,11 +2,13 @@
 // Licensed under the MIT License.
 
 using System;
+using System.Collections.Generic;
 using System.Threading;
 using Microsoft.Identity.Client.Core;
 using Microsoft.Identity.Client.Internal.Logger;
 using Microsoft.Identity.Client.TelemetryCore;
 using Microsoft.Identity.Client.TelemetryCore.Internal.Events;
+using Microsoft.Identity.Client.TelemetryCore.TelemetryClient;
 using Microsoft.IdentityModel.Abstractions;
 
 namespace Microsoft.Identity.Client.Internal

@@ -104,13 +104,14 @@ public async Task<AuthenticationResult> RunAsync(CancellationToken cancellationT
                 {
                     apiEvent.ApiErrorCode = ex.ErrorCode;
                     AuthenticationRequestParameters.RequestContext.Logger.ErrorPii(ex);
-                    LogErrorTelemetryToClient(ex.ErrorCode, telemetryEventDetails, telemetryClients);
+                    LogMsalErrorTelemetryToClient(ex, telemetryEventDetails, telemetryClients);
                     throw;
                 }
                 catch (Exception ex)
                 {
                     apiEvent.ApiErrorCode = ex.GetType().Name;
                     AuthenticationRequestParameters.RequestContext.Logger.ErrorPii(ex);
+                    LogMsalErrorTelemetryToClient(ex, telemetryEventDetails, telemetryClients);
                     throw;
                 }
                 finally
@@ -120,12 +121,27 @@ public async Task<AuthenticationResult> RunAsync(CancellationToken cancellationT
             }
         }
 
-        private void LogErrorTelemetryToClient(string errorCode, MsalTelemetryEventDetails telemetryEventDetails, ITelemetryClient[] telemetryClients)
+        private void LogMsalErrorTelemetryToClient(Exception ex, MsalTelemetryEventDetails telemetryEventDetails, ITelemetryClient[] telemetryClients)
         {
             if (telemetryClients.HasEnabledClients(TelemetryConstants.AcquireTokenEventName))
             {
                 telemetryEventDetails.SetProperty(TelemetryConstants.Succeeded, false);
-                telemetryEventDetails.SetProperty(TelemetryConstants.ErrorCode, errorCode);
+                telemetryEventDetails.SetProperty(TelemetryConstants.ErrorMessage, ex.Message);
+
+                if (ex is MsalClientException clientException)
+                {
+                    telemetryEventDetails.SetProperty(TelemetryConstants.ErrorCode, clientException.ErrorCode);
+                    return;
+                }
+
+                if (ex is MsalServiceException serviceException)
+                {
+                    telemetryEventDetails.SetProperty(TelemetryConstants.ErrorCode, serviceException.ErrorCode);
+                    telemetryEventDetails.SetProperty(TelemetryConstants.StsErrorCode, serviceException.ErrorCodes?.FirstOrDefault());
+                    return;
+                }
+
+                telemetryEventDetails.SetProperty(TelemetryConstants.ErrorCode, ex.GetType().ToString());
             }
         }
 
@@ -139,12 +155,66 @@ private void LogSuccessfulTelemetryToClient(AuthenticationResult authenticationR
                 telemetryEventDetails.SetProperty(TelemetryConstants.DurationInCache, authenticationResult.AuthenticationResultMetadata.DurationInCacheInMs);
                 telemetryEventDetails.SetProperty(TelemetryConstants.DurationInHttp, authenticationResult.AuthenticationResultMetadata.DurationInHttpInMs);
                 telemetryEventDetails.SetProperty(TelemetryConstants.Succeeded, true);
-                telemetryEventDetails.SetProperty(TelemetryConstants.PopToken, authenticationResult.TokenType.Equals(Constants.PoPTokenType));
+                telemetryEventDetails.SetProperty(TelemetryConstants.TokenType, (int)AuthenticationRequestParameters.RequestContext.ApiEvent.TokenType);
                 telemetryEventDetails.SetProperty(TelemetryConstants.RemainingLifetime, (authenticationResult.ExpiresOn - DateTime.Now).TotalMilliseconds);
                 telemetryEventDetails.SetProperty(TelemetryConstants.ActivityId, authenticationResult.CorrelationId);
+
+                if (authenticationResult.AuthenticationResultMetadata.RefreshOn.HasValue)
+                {
+                    telemetryEventDetails.SetProperty(TelemetryConstants.RefreshOn, DateTimeHelpers.DateTimeToUnixTimestampMilliseconds(authenticationResult.AuthenticationResultMetadata.RefreshOn.Value));
+                }
+                telemetryEventDetails.SetProperty(TelemetryConstants.AssertionType, (int)AuthenticationRequestParameters.RequestContext.ApiEvent.AssertionType);
+                telemetryEventDetails.SetProperty(TelemetryConstants.Endpoint, AuthenticationRequestParameters.Authority.AuthorityInfo.CanonicalAuthority.ToString());
+                telemetryEventDetails.SetProperty(TelemetryConstants.CacheLevel, (int)GetCacheLevel(authenticationResult));
+                ParseScopesForTelemetry(telemetryEventDetails);
+            }
+        }
+
+        private void ParseScopesForTelemetry(MsalTelemetryEventDetails telemetryEventDetails)
+        {
+            if (AuthenticationRequestParameters.Scope.Count > 0)
+            {
+                string firstScope = AuthenticationRequestParameters.Scope.First();
+
+                if (Uri.IsWellFormedUriString(firstScope, UriKind.Absolute))
+                {
+                    Uri firstScopeAsUri = new Uri(firstScope);
+                    telemetryEventDetails.SetProperty(TelemetryConstants.Resource, $"{firstScopeAsUri.Scheme}://{firstScopeAsUri.Host}");
+
+                    StringBuilder stringBuilder = new StringBuilder();
+
+                    foreach (string scope in AuthenticationRequestParameters.Scope)
+                    {
+                        var splitString = scope.Split(new[] { firstScopeAsUri.Host }, StringSplitOptions.None);
+                        string scopeToAppend = splitString.Count() > 1 ? splitString[1].TrimStart('/') + " " : splitString.FirstOrDefault();
+                        stringBuilder.Append(scopeToAppend);
+                    }
+
+                    telemetryEventDetails.SetProperty(TelemetryConstants.Scopes, stringBuilder.ToString().TrimEnd(' '));
+                }
+                else
+                {
+                    telemetryEventDetails.SetProperty(TelemetryConstants.Scopes, AuthenticationRequestParameters.Scope.AsSingleString());
+                }
             }
         }
 
+        private CacheLevel GetCacheLevel(AuthenticationResult authenticationResult)
+        {
+            if (authenticationResult.AuthenticationResultMetadata.TokenSource == TokenSource.Cache) //Check if token source is cache
+            {
+                if (AuthenticationRequestParameters.RequestContext.ApiEvent.CacheLevel > CacheLevel.Unknown) //Check if cache has indicated which level was used
+                {
+                    return AuthenticationRequestParameters.RequestContext.ApiEvent.CacheLevel;
+                }
+
+                //If no level was used, set to unknown
+                return CacheLevel.Unknown;
+            }
+
+            return CacheLevel.None;
+        }
+
         private static void LogMetricsFromAuthResult(AuthenticationResult authenticationResult, ILoggerAdapter logger)
         {
             if (logger.IsLoggingEnabled(LogLevel.Always))
@@ -193,13 +263,40 @@ private ApiEvent InitializeApiEvent(string accountId)
             apiEvent.IsLegacyCacheEnabled = AuthenticationRequestParameters.RequestContext.ServiceBundle.Config.LegacyCacheCompatibilityEnabled;
             apiEvent.CacheInfo = CacheRefreshReason.NotApplicable;
             apiEvent.TokenType = AuthenticationRequestParameters.AuthenticationScheme.TelemetryTokenType;
+            apiEvent.AssertionType = GetAssertionType();
 
             // Give derived classes the ability to add or modify fields in the telemetry as needed.
             EnrichTelemetryApiEvent(apiEvent);
 
             return apiEvent;
         }
 
+        private AssertionType GetAssertionType()
+        {
+            if (ServiceBundle.Config.IsManagedIdentity ||
+                ServiceBundle.Config.AppTokenProvider != null)
+            {
+                return AssertionType.ManagedIdentity;
+            }
+
+            if (ServiceBundle.Config.ClientCredential != null)
+            {
+                if (ServiceBundle.Config.ClientCredential.AssertionType == AssertionType.CertificateWithoutSni)
+                {
+                    if (ServiceBundle.Config.SendX5C)
+                    {
+                        return AssertionType.CertificateWithSni;
+                    }
+
+                    return AssertionType.CertificateWithoutSni;
+                }
+
+                return ServiceBundle.Config.ClientCredential.AssertionType;
+            }
+
+            return AssertionType.None;
+        }
+
         protected async Task<AuthenticationResult> CacheTokenResponseAndCreateAuthenticationResultAsync(MsalTokenResponse msalTokenResponse)
         {
             // developer passed in user object.

@@ -221,6 +221,11 @@ public HttpResponseHeaders Headers
         /// </remarks>
         internal string SubError { get; set; }
 
+        /// <summary>
+        /// A list of STS-specific error codes that can help in diagnostics.
+        /// </summary>
+        internal string[] ErrorCodes { get; set; }
+
         /// <summary>
         /// As per discussion with Evo, AAD 
         /// </summary>

@@ -58,6 +58,7 @@ internal static MsalServiceException FromHttpResponse(
             ex.Claims = oAuth2Response?.Claims;
             ex.CorrelationId = oAuth2Response?.CorrelationId;
             ex.SubError = oAuth2Response?.SubError;
+            ex.ErrorCodes = oAuth2Response?.ErrorCodes;
 
             return ex;
         }

@@ -0,0 +1,15 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+namespace Microsoft.Identity.Client.TelemetryCore
+{
+    internal enum AssertionType
+    {
+        None = 0,
+        CertificateWithoutSni = 1,
+        CertificateWithSni = 2,
+        Secret = 3,
+        ClientAssertion = 4,
+        ManagedIdentity = 5
+    }
+}
-Original file line number
+Diff line change
@@ Expand Up / @@ -160,7 +160,6 @@ public X509Certificate2 ClientCredentialCertificate @@
                     return null;
                 }
             }
     #endregion
     #region Region
@@ Expand Down @@