4.84.2

@gladjohn gladjohn released this 05 Jun 15:42
· 3 commits to main since this release
9a8a703

New Features

  • Added ManagedIdentityApplication.GetManagedIdentityCapabilitiesAsync(CancellationToken), which returns a ManagedIdentityCapabilities object reporting the detected managed identity Source, the host's MaxSupportedBindingStrength (new MtlsBindingStrength enum: None, Software, KeyGuard), and a derived IsMtlsPopSupportedByHost. This replaces GetManagedIdentitySourceAsync()/ManagedIdentitySourceResult. The public ManagedIdentitySource.ImdsV2 value is folded into Imds (v1/v2 routing remains internal). #6049
  • Added OID-based user identification to the User Federated Identity Credential (user_fic) flow via AcquireTokenByUserFederatedIdentityCredential(scopes, Guid userObjectId, assertion). #6050
  • Added WithClaimsFromClient(claimsJson) to forward client-originated claims across managed identity and confidential client flows. #5999
  • Added mTLS PoP support for WithCertificate(() => x509) (dynamic certificate credential). #5957
  • Added opt-in token-acquisition metrics covering both successful and failed attempts. #6004

Changes

  • Extended mTLS bearer transport (CertificateOptions.SendCertificateOverMtls) to the OBO, refresh-token, and authorization-code flows. #6009
  • General Availability of the Microsoft.Identity.Client.KeyAttestation package. #6038
  • Managed identity now probes IMDSv2 first; the preview latch was removed. #6041
  • Updated NativeInterop baseline and corrected devapp version ranges. #6045
  • Simplified GetTenantedAuthority in CiamAuthority and DstsAuthority. #6001

Bug Fixes

  • Fixed WithExtraQueryParameters on ManagedIdentityApplicationBuilder bypassing token caching. #6035
  • Guarded HTTP status codes on discovery endpoints in KnownInstanceMetadataIsUpToDateAsync. #6048
  • Orphaned KeyGuard certificates are now detected via public-key modulus comparison. #6020