[Documentation] enabling pii and euii data in logging & exceptions

[gtsc]

Documentation related to component
Logging

Please check those that apply

• typo
• documentation doesn't exist
• documentation needs clarification
• error(s) in example
• needs example

Description of the issue
I have a hard time finding information how to control masking of PII and EUII data in log messages and exceptions when using MSAL.NET.
The article on logging in MSAL has been of great help, but is lacking a few aspects:

1. Setting enablePiiLogging to true in .withLogging will also influence the pii data being shown or hidden in messages in exceptions that MSAL throws. It would be helpful indicating that more clearly, as it isn't obvious that setting a variable that seems to only influence logging behaviour also influences exceptions
2. Even with enablePiiLogging set to true, the most sensitive information (EUII, like upn, name, email etc) will be hidden in log / exception messages, as they are replaced by {EUII Hidden}. I couldn't find any information if it is possible to control how EUII data should be masked. The only information I could find was in a PR for MSAL for Objective-C, but I am not sure if this functionality is even part of MSAL.NET.
   • if it is, could it be documented in a clearer way?
   • if it isn't, is there any plan to add support for controlling the masking behaviour of EUII data?

[localden]

@gtsc - I am looking into this with the engineering team, thank you for bringing this up.

[bgavrilMS]

@gtsc - Microsoft's official data classification is https://www.microsoft.com/en-us/trust-center/privacy/customer-data-definitions and it does not define EUII per se. EUII is an internal classification, used by some Microsoft products.

With regards to exception messages:

• broker exception messages are indeed influenced by this flag (this is not documented well)
• for the rest of the flows, the exception messages are in clear but will generally not be logged. We recommend logging exception messages. See https://learn.microsoft.com/en-us/entra/msal/dotnet/resources/handling-pii#pii-in-exceptions

With regards to EUII: MSAL.NET uses only "PII" flag, which includes EUII.

[gtsc]

@bgavrilMS Thanks for clarifying! I had a hard time understanding what falls under EUII when looking into that.

Are you sure about the statement that enabling "PII" with the flag also shows all EUII unmasked?
I am asking because I faced that issue:

• MSAL.NET threw an exception that only showed something like PII is hidden
• I then found about the logging flag also controlling the exception messages, turned that on and got a more complete message, however, there were still parts in that message that had {EUII hidden} parts - the error message looked roughly similar to this one
• this behaviour should be easy to replicate when using WAM, and trying to authenticate against a client-id where you are lacking permission to obtain a token

[localden]

I have a PR in our documentation that clarifies the PII/EUII handling. Referenced above. @bgavrilMS - I couldn't find any references to {EUII hidden} in our code. Is that something that we control or is it managed by eSTS?

[gtsc]

@localden Had a look and that definitely clarifies things. Let's make sure we can figure out where the {EUII hidden} thing is coming from so the documentation is consistent with the implementation.

I also had a quick look through the MSAL.NET code and couldn't really find any mention to {EUII hidden} so I was thinking that it must be something that is controlled by some upstream component? Funnily, when performing the same flow where I saw {EUII hidden} via an interactive client (through the browser), I can see the same but full error message without {EUII hidden} as error coming back.
So something that sits between MSAL.NET and the OAuth2 endpoints / the EntraID servers must be performing this masking.

[bgavrilMS]

@localden @gtsc - there are 2 components that MSAL uses:

• the service (Entra ID)... I believe it masks PII values by default. Error messages from Entra will be transfored into MsalServiceException.
• msal_runtime, today used if broker (WAM) is enabled on desktop. Is this your case @gtsc ? This component was designed slightly differently when it comes to PII

[gtsc]

@bgavrilMS Yes, I've been using the broker (WAM, so msal_runtime) - are you suggesting that this is where the {EUII hidden} is bubbling up from?