PII

Microsoft data classification

Microsoft defines the following data classification: https://www.microsoft.com/en-us/trust-center/privacy/customer-data-definitions

MSAL libraries, for simplicity, expose a single "allow PII" (personal identifiable information) flag for logging. This single flag combines all data categories mention above.

Logging Cheat Sheet

Here's what never gets logged, what gets logged only as "PII" and what gets logged all the time.

Never	PII	Not PII
tokens (of any type)	username	tenant id
client assertions	login hint	authority (including B2C, ADFS, CIAM)
auth code	id token claims such as name, address etc.	client id
PKCE code	device id	service principal details (oid, client id)
successful network responses from /authorize and /token endpoints	authorization URI (it may contain login hint)	scopes / resource names
network requests that main contain passwords	oid for a user	error messages and error codes from AAD
private keys		HTTP details such as status codes, payload sizes
		correlation id
		runtime details: OS name, .NET version, dates
		internal API details: class names, method names
		request details such as: algorith names (e.g. RSA), OIDC constants etc.
		Certificate thumbprints, other key IDs

Exceptions

MSALs generate exception messages that do not contain PII. MSAL exceptions - MsalException (i.e. either generated by MSAL or translated from AAD) are considered to not contain PII.

Some framework exception may contain PII, although this is rare (e.g. a PathInvalidException may contain the username). SDKs take care to not log framework exception which may contain PII.

Can MSALs log Organization specific data?

Yes. As per the official data classification, this is not PII. This includes things like: tenant id, object id for service principals, scope names. Remember that the app developer still controls where this data goes to.