From efa627af282e66a0a3ae03af0fd3791ef8634b22 Mon Sep 17 00:00:00 2001 From: Jo Arroyo Date: Fri, 14 Nov 2025 12:57:55 -0800 Subject: [PATCH] Remove references to instance aware --- lib/msal-browser/README.md | 1 - lib/msal-browser/docs/instance-aware.md | 66 ------------------------- lib/msal-common/docs/authority.md | 1 - 3 files changed, 68 deletions(-) delete mode 100644 lib/msal-browser/docs/instance-aware.md diff --git a/lib/msal-browser/README.md b/lib/msal-browser/README.md index 9147f8ad9a..e1acdf2b70 100644 --- a/lib/msal-browser/README.md +++ b/lib/msal-browser/README.md @@ -77,7 +77,6 @@ npm install @azure/msal-browser - [Request and Response Details](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/request-response-object.md) - [Cache Storage](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/caching.md) - [Performance Enhancements](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/performance.md) -- [Instance Aware Flow](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/instance-aware.md) ## Samples diff --git a/lib/msal-browser/docs/instance-aware.md b/lib/msal-browser/docs/instance-aware.md deleted file mode 100644 index c5017bff69..0000000000 --- a/lib/msal-browser/docs/instance-aware.md +++ /dev/null 
@@ -1,66 +0,0 @@ -# Instance Aware flow - -There are two options to enable instance aware flow: - -1. Set `instanceAware` to `true` in [auth config options](./configuration.md#auth-config-options). -1. Set `instance_aware` to `"true"` in request `extraQueryParameters`. This takes precedence over configuration option above to allow fine-grained instance aware flow control. - -When enabling instance aware flow, the STS will send back additional parameters in the `/authorize` response to specify where the tokens should be retrieved from. - -- Sample Request using instance_aware - -```javascript -const tokenRequest = { - scopes: ["Mail.Read"], - extraQueryParameters: { - "instance_aware": "true" - } -}; -``` - -- Sample Response from the `/authorize` endpoint - -```text -http://localhost:30662/ -#code=0.AAAA-KLuGXrhD0eVTd... -&cloud_instance_name=windows-ppe.net -&cloud_instance_host_name=login.windows-ppe.net -&cloud_graph_host_name=graph.ppe.windows.net -&msgraph_host=graph.microsoft-ppe.com -&client_info=eyJ1aWQiOiJiZT... -``` - -MSAL will read the data returned in this response and use it to construct the endpoint to trade the code for tokens. If the `cloud_instance_host_name` is different from the one used in the `/authorize` call, MSAL must perform endpoint discovery before making the request to the `/token` endpoint. The authority host name may change if the user's home tenant is in a different cloud. - - -## Using the correct graph hosts - -The MSAL response object will also inform you which graph hosts to use for a given account. The Graph hosts are specific to the tenant that the user's account resides in, and must change if `instance_aware=true` is used. - -### Difference Between cloud_graph_host_name and msgraph_host - -The STS will return two graph host names: `cloud_graph_host_name` and `msgraph_host`. 
`cloud_graph_host_name` is the AAD graph host, and is used for [AAD graph calls](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-graph-api). `msgraph_host` is the Microsoft Graph, and is used for [MS Graph API calls](https://docs.microsoft.com/en-us/graph/overview). - -### Using the graph hosts from the response - -You can do this for either the AAD graph host or the MS Graph Host. - -```javascript -function getGraphMeEndpoint(msGraphHost) { - if (!msGraphHost) { - return "https://graph.microsoft-ppe.com/v1.0/me"; - } - return `https://${msGraphHost}/v1.0/me` -} - -async function seeProfile() { - const currentAcc = myMSALObj.getAccount({ homeAccountId: accountId }); - if (currentAcc) { - const response = await getTokenPopup(loginRequest, currentAcc).catch(error => { - console.log(error); - }); - callMSGraph(getGraphMeEndpoint(response.msGraphHost), response.accessToken, updateUI); - profileButton.style.display = 'none'; - } -} -``` diff --git a/lib/msal-common/docs/authority.md b/lib/msal-common/docs/authority.md index 93597df05e..11909bff1a 100644 --- a/lib/msal-common/docs/authority.md +++ b/lib/msal-common/docs/authority.md @@ -135,7 +135,6 @@ MSAL can be configured to acquire tokens from any OIDC-compliant IdP. See [initi - You can obtain the authority URL required for your app via the **Endpoints** panel on the Azure portal [App Registration](https://aka.ms/appregistrations) experience. - You can improve MSAL's performance during token acquisition by providing authority information out-of-band. See [Performance](./performance.md) for how to do so. -- When working with national/regional clouds, consider using the [instance-aware](../../msal-browser/docs/instance-aware.md) flow, which indicates the particular instance the tokens are obtained from and Microsoft Graph hosts that they can be used with. ## More information
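Review bot: the README hunk drops the `Instance Aware Flow` link but neither it nor the commit message says whether the feature itself (the `instanceAware` auth config option and the `instance_aware` `extraQueryParameters` value described in the deleted document) is being removed, deprecated, or merely left undocumented. Please state that in the commit message, and if the option remains supported, keep a one-line note in the README pointing to wherever it is now documented so existing users are not left guessing why the page disappeared.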
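Review bot: deleting `docs/instance-aware.md` removes the only description of a behaviour that matters for where the authorization code is sent: the deleted text states that when `cloud_instance_host_name` in the `/authorize` response differs from the host used in the request, MSAL must perform endpoint discovery before calling `/token`, and that the `cloud_graph_host_name` and `msgraph_host` values returned by the STS must be used instead of a fixed Graph host. If that code path still exists, this guidance should move into `authority.md` (or the caching/configuration docs) rather than vanish with the file. The deleted page also referenced `instanceAware` in `./configuration.md#auth-config-options`, and this patch does not touch `configuration.md`, so please check that section for a now-orphaned description of the option.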
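Review bot: in the `authority.md` hunk, removing the bullet is necessary because its relative link `../../msal-browser/docs/instance-aware.md` would otherwise be broken, but it leaves the list with no guidance at all for national/regional clouds, which was the one place in this document that addressed them. Consider replacing the bullet with the currently recommended approach for those clouds (for example, a pointer to configuring the authority URL for the specific cloud, as the preceding bullet already describes for the Azure portal **Endpoints** panel) instead of deleting the topic outright.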