diff --git a/msal-dotnet-articles/resources/handling-pii.md b/msal-dotnet-articles/resources/handling-pii.md index a97961b4a..21c695d78 100644 --- a/msal-dotnet-articles/resources/handling-pii.md +++ b/msal-dotnet-articles/resources/handling-pii.md 
@@ -1,34 +1,53 @@ --- title: Handling of personally-identifiable information in MSAL.NET +description: Outlines what MSAL considers to be personally identifiable information. --- # Handling of personally-identifiable information in MSAL.NET +## Data classification + +Microsoft defines the following [data classification](https://www.microsoft.com/en-us/trust-center/privacy/customer-data-definitions). MSAL libraries, for simplicity, expose a single "allow PII" (personally identifiable information) flag for logging. This single flag combines all data categories mention above. + ## What MSAL will never log -- tokens (access tokens, id tokens, refresh tokens, client assertions generated by MSAL etc.) -- passwords (in any case MSAL is only given the password in the Username / Password (ROPC) flow. MSAL does not have access to the password entered by the user in a browser) +- tokens (access tokens, ID tokens, refresh tokens, client assertions generated by MSAL, etc.) +- passwords (MSAL is only given the password during the Username / Password (ROPC) flow. MSAL does not have access to the password entered by the user in a browser.) - authorization codes - PKCE code -- successful network responses from the /authorize or /token endpoint (they might contain tokens or auth codes) -- network requests (they might contain passwords) -- private keys of certs +- successful network responses from the _/authorize_ or _/token_ endpoints (because they may contain tokens or auth codes) +- network requests (they may contain passwords) +- private keys of certificates -## What MSALs consider as PII +## What MSAL considers as PII - username - login hint -- id token claims (note that MSAL only parses the id token, it never looks at access token / refresh token) - this includes names, address and other user details. 
-- authorization uri (it may contain a login hint) -- Object ID aka `oid` - -## What MSALs do not consider as PII - -- IDs related to an organization / tenant (not the user) - tenant id, directory id, directory name (e.g. contonso.onmicrosoft.com) -- authority -- client / application id -- exception messages and stack traces, including error codes coming from AAD -- HTTP details other than request / response (e.g. HTTP status codes, payload size etc.) -- correlation id +- ID token claims, which include names, address, and other user details (MSAL only parses the ID token, it never looks at access or refresh tokens) +- authorization URI (it may contain a login hint) +- object ID (i.e. `oid` claim) + +## What MSAL does not consider as PII + +- IDs related to an organization or tenant, not the user, like tenant ID, directory ID, directory name (e.g. contonso.onmicrosoft.com) +- authority +- scopes and resource names +- client (application) ID +- service principal details (object ID, client ID) +- exception messages and stack traces, including error codes coming from Microsoft Entra ID +- HTTP details other than request and response (HTTP status codes, payload size, etc.) +- correlation ID - runtime details (OS name, .NET version) -- \ No newline at end of file +- internal API details (class names, method names) +- request details (algorithm names (e.g. RSA), OIDC constants, etc.) +- certificate thumbprints other than key IDs + +## PII in exceptions + +MSAL generates exception messages that do not contain PII. s, generated by MSAL or passed from Microsoft Entra ID) are considered to not contain PII. + +Some framework exception may contain PII, although this is rare (e.g. a `PathInvalidException` may contain the username). SDKs take care to not log framework exceptions which may contain PII. 
+ +## Organization identifiable information + +MSAL can log organization identifiable information (OII) because as per the official data classification, organization identifiable information is not PII. OII includes data like tenant ID, object ID for service principals, scope names. Remember that the app developer still controls the destination of this logging data.
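Review bot: The new "PII in exceptions" section contains a broken sentence: "MSAL generates exception messages that do not contain PII. s, generated by MSAL or passed from Microsoft Entra ID) are considered to not contain PII." The fragment starting with "s, generated by MSAL" has lost its subject and its opening parenthesis, so the reader cannot tell what is being classified as non-PII (the surrounding list suggests error codes, but the text as committed does not say so). Please restore the full sentence, e.g. "Error codes (generated by MSAL or passed from Microsoft Entra ID) are considered to not contain PII." if that is the intent. Two further points in the same hunk: (1) the "What MSAL considers as PII" list has "object ID (i.e. `oid` claim)" while the "does not consider as PII" list has "service principal details (object ID, client ID)" and the OII section says "object ID for service principals"; qualify the PII bullet as the user's object ID so the two lists do not read as contradicting each other. (2) In the "Data classification" paragraph, "defines the following [data classification]" is followed by nothing, and "all data categories mention above" should be "mentioned above"; suggest "Microsoft publishes a [data classification](...). MSAL libraries, for simplicity, expose a single "allow PII" flag for logging that combines all of the data categories in that classification." Minor: "Some framework exception may contain PII" should be plural ("exceptions"), the example domain "contonso.onmicrosoft.com" carried over from the old text is presumably "contoso.onmicrosoft.com", and "certificate thumbprints other than key IDs" is ambiguous about whether key IDs are or are not considered PII; say explicitly which category key IDs fall into.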