fix: Clear persisted MSAL token cache on Disconnect-MgGraph#3649
Merged
Conversation
When ContextScope is CurrentUser, Disconnect-MgGraph now clears the disk-persisted MSAL token cache (both .cae and .nocae variants) using MsalCacheHelper.Clear() from Microsoft.Identity.Client.Extensions.Msal. Previously only the in-memory cache and auth record file were cleared, leaving cached tokens on disk that could be reused without re-authentication. Fixes #3648 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
jsquire
reviewed
Jun 23, 2026
jsquire
left a comment
There was a problem hiding this comment.
This looks correct to me, though I don't have a deep understanding in the area. I've asked @g2vinay and @JonathanCrd to also review. I'd consider them to be the authoritative voices from the Azure.Identity perspective.
ramsessanchez
previously approved these changes
Jun 23, 2026
Contributor
|
Approving the changes, however, in line with @jsquire 's comments, we should await feedback from the folks he mentioned. In order to reduce the change of needing a patch release later on, lets await their sign-off and before merging and releasing. |
Member
Author
|
Agreed |
JonathanCrd
reviewed
Jun 23, 2026
JonathanCrd
reviewed
Jun 23, 2026
JonathanCrd
reviewed
Jun 23, 2026
JonathanCrd
left a comment
There was a problem hiding this comment.
Overall it looks good but I left a couple of comments about certain scenarios that might be missing and some questions too.
|
Looks fine to me, left my comments on the ongoing discussions. |
…nnect-clear-token-cache
…l WAM cache clearing Adds an opt-in -SignOutFromBroker switch that removes cached accounts from the Windows broker (WAM) on disconnect. Because the broker store is shared at the OS level, this is opt-in to avoid signing users out of other broker-enabled apps by default. Also replaces silent cache-clear catch blocks with best-effort WriteWarning/WriteDebug diagnostics so failures are diagnosable. All cache/broker clearing remains non-fatal. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
ClearBrokerTokenCacheAsync now removes only the account that signed in for the current session, matched via the persisted AuthenticationRecord.HomeAccountId against IAccount.HomeAccountId.Identifier. When no session account can be identified, it falls back to removing all accounts for the module. This reduces the shared-broker blast radius so other accounts the user signed into via this module are left untouched. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…ccount ClearPersistedTokenCacheAsync now registers the on-disk MSAL cache with a public client application and removes only the current session's account (matched by HomeAccountId) from both the .cae and .nocae cache files. When no session account can be identified, it falls back to a full MsalCacheHelper.Clear(). HomeAccountId is now resolved once in LogoutAsync and shared between the file-cache and broker clearing paths for consistent, account-scoped sign-out. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
… isolation Captures the signed-in account's HomeAccountId on the session auth context at sign-in (interactive and device-code flows). LogoutAsync now scopes cache clearing on the session's own HomeAccountId, falling back to the shared auth record and then to a full clear. This isolates Disconnect-MgGraph to the identity used in the current session, so other identities cached in the shared per-user store are preserved. HomeAccountId is read defensively so capturing this diagnostic id can never fail sign-in. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Replaces the platyPS-generated '{{ Fill ProgressAction Description }}' placeholder with a proper description of the PowerShell 7.4+ ProgressAction common parameter.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The new -SignOutFromBroker switch raises the parameter count from 12 to 13 (SignOutFromBroker + PowerShell common parameters), so the Pester assertion is updated accordingly. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
ramsessanchez
approved these changes
Jul 8, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #3648
When
Disconnect-MgGraphis called withContextScope == CurrentUser, the persisted MSAL token cache on disk was not being cleared. This PR adds cache clearing usingMsalCacheHelper.Clear()from the MSAL Extensions library.Changes
Microsoft.Identity.Client.Extensions.Msalv4.78.0 package reference toAuthentication.Core.csprojTokenCacheUtilities.cs— buildsStorageCreationPropertiesmatching Azure.Identity's internal cache layout (Windows DPAPI, macOS Keychain, Linux KeyRing) and clears both.caeand.nocaecache variantsAuthenticationHelpers.LogoutAsync()— callsTokenCacheUtilities.ClearPersistedTokenCacheAsync()whenContextScope == CurrentUser, with non-fatal error handling (disconnect still succeeds if cache clear fails)Disconnect-MgGraphdocumentationDesign Decisions
.caeand.nocaecache files; both are clearedStorageCreationPropertiesare configured to match the exact storage layout Azure.Identity uses (directory, keychain service, keyring schema/attributes)Testing