
MSAL Monitoring

Travis Walker edited this page Oct 7, 2021 · 4 revisions

To ensure that authentication services using MSAL.NET are running correctly, MSAL provides a number of ways to monitor its behavior so that issues can be identified and addressed before they occur in production. Incorrect use of MSAL (lifecycle and token cache) does not lead to immediate failures, but the resulting problems sometimes surface under high-traffic scenarios after the app has been in production for a period of time. For example, if only one instance of the confidential client application is used and MSAL is not configured to serialize the token cache, the cache will grow forever. Another issue can arise when creating a new confidential client application and not utilizing the cache, which will lead to various issues such as throttling from the identity provider.

One of the tools MSAL provides to combat these issues is logging errors when MSAL is not configured correctly. It is critical to enable logging whenever possible, not only to monitor logs for these errors but also to help diagnose issues that may occur. See Logging.

For recommendations on how to use MSAL appropriately, see High Availability.

The following errors will be logged in MSAL:

  • When using an authority ending in /common or /organizations for client credential authentication (AcquireTokenForClient).

  • When the default internal token cache is used when using confidential client applications.

In addition to logging, MSAL exposes important metrics as part of AuthenticationResult.AuthenticationResultMetadata. See Add monitoring around MSAL operations for more details.
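The sketch below is an added example, not code from the MSAL wiki: it wires a logging callback into a confidential client and reads AuthenticationResultMetadata after each client credential call. The environment variable names, the Graph scope, and the console output format are assumptions made for illustration.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class MsalMonitoringExample
{
    // Assumed environment variable names; substitute your own configuration source.
    private static string Env(string name) =>
        Environment.GetEnvironmentVariable(name)
        ?? throw new InvalidOperationException($"Missing environment variable {name}");

    // Forward MSAL warnings and errors (including its misconfiguration errors) to your log pipeline.
    private static void OnMsalLog(LogLevel level, string message, bool containsPii)
    {
        if (containsPii) return; // never ship PII-bearing lines to shared log stores
        Console.Error.WriteLine($"msal level={level} msg={message}");
    }

    public static async Task Main()
    {
        // Build the application once and reuse it; a new instance per request starts with an empty cache.
        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
            .Create(Env("EXAMPLE_CLIENT_ID"))
            .WithClientSecret(Env("EXAMPLE_CLIENT_SECRET"))
            // Tenant-specific authority: /common and /organizations are logged as errors for this flow.
            .WithAuthority($"https://login.microsoftonline.com/{Env("EXAMPLE_TENANT_ID")}")
            .WithLogging(OnMsalLog, LogLevel.Warning, enablePiiLogging: false,
                         enableDefaultPlatformLogging: false)
            .Build();

        // Token cache serialization is not configured here, so the default internal cache is used;
        // the second error listed above is the kind of message OnMsalLog is there to surface.
        string[] scopes = { "https://graph.microsoft.com/.default" };

        for (int i = 0; i < 2; i++)
        {
            AuthenticationResult result = await app.AcquireTokenForClient(scopes).ExecuteAsync();
            AuthenticationResultMetadata meta = result.AuthenticationResultMetadata;

            // A healthy long-lived app shows TokenSource=Cache for most calls; a steady stream of
            // IdentityProvider hits suggests the cache is not being reused and throttling may follow.
            Console.WriteLine(
                $"token_source={meta.TokenSource} total_ms={meta.DurationTotalInMs} " +
                $"cache_ms={meta.DurationInCacheInMs} http_ms={meta.DurationInHttpInMs}");
        }
    }
}
```

In production, emit these values as metrics rather than console lines and alert on the ratio of IdentityProvider to Cache token sources.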
