Add EnableSupportLogging feature

sdk/identity/azure-identity/CHANGELOG.md

@@ -4,6 +4,7 @@
 
 ### Features Added
 - Added CAE Authentication support for Service principal authentication.
+- Added the ability to log PII from MSAL using new `enableSupportLogging` API.
 
 ### Other Changes
 

sdk/identity/azure-identity/src/main/java/com/azure/identity/AadCredentialBuilderBase.java

@@ -126,4 +126,15 @@ public T disableInstanceDiscovery() {
         this.identityClientOptions.disableInstanceDiscovery();
         return (T) this;
     }
+
+    /**
+     * Enables additional support logging for public and confidential client applications. This enables
+     * PII logging in MSAL4J as described <a href="https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-logging-java#personal-and-organization-information">here.</a>
+     * @return An updated instance of this builder with additional support logging enabled.
+     */
+    @SuppressWarnings("unchecked")
+    public T enableSupportLogging() {
+        this.identityClientOptions.enableSupportLogging();
+        return (T) this;
+    }
 }

sdk/identity/azure-identity/src/main/java/com/azure/identity/implementation/IdentityClientBase.java

@@ -214,7 +214,10 @@ ConfidentialClientApplication getConfidentialClient(boolean enableCae) {
         ConfidentialClientApplication.Builder applicationBuilder =
             ConfidentialClientApplication.builder(clientId, credential);
         try {
-            applicationBuilder = applicationBuilder.authority(authorityUrl).instanceDiscovery(options.isInstanceDiscoveryEnabled());
+            applicationBuilder = applicationBuilder.
+                logPii(options.isSupportLoggingEnabled()).
+                authority(authorityUrl).
+                instanceDiscovery(options.isInstanceDiscoveryEnabled());
 
             if (!options.isInstanceDiscoveryEnabled()) {
                 LOGGER.log(LogLevel.VERBOSE, () -> "Instance discovery and authority validation is disabled. In this"
@@ -281,7 +284,9 @@ PublicClientApplication getPublicClient(boolean sharedTokenCacheCredential, bool
             + tenantId;
         PublicClientApplication.Builder builder = PublicClientApplication.builder(clientId);
         try {
-            builder = builder.authority(authorityUrl).instanceDiscovery(options.isInstanceDiscoveryEnabled());
+            builder = builder.
+                logPii(options.isSupportLoggingEnabled()).
+                authority(authorityUrl).instanceDiscovery(options.isInstanceDiscoveryEnabled());
 
             if (!options.isInstanceDiscoveryEnabled()) {
                 LOGGER.log(LogLevel.VERBOSE, () -> "Instance discovery and authority validation is disabled. In this"
@@ -340,7 +345,11 @@ ConfidentialClientApplication getManagedIdentityConfidentialClient() {
         ConfidentialClientApplication.Builder applicationBuilder =
             ConfidentialClientApplication.builder(clientId == null ? "SYSTEM-ASSIGNED-MANAGED-IDENTITY"
                 : clientId, credential);
-        applicationBuilder.validateAuthority(false);
+
+        applicationBuilder.
+            validateAuthority(false).
+            logPii(options.isSupportLoggingEnabled());
+
         try {
             applicationBuilder = applicationBuilder.authority(authorityUrl);
         } catch (MalformedURLException e) {
@@ -395,7 +404,9 @@ ConfidentialClientApplication getWorkloadIdentityConfidentialClient() {
                 : clientId, credential);
 
         try {
-            applicationBuilder = applicationBuilder.authority(authorityUrl).instanceDiscovery(options.isInstanceDiscoveryEnabled());
+            applicationBuilder = applicationBuilder.authority(authorityUrl).
+                logPii(options.isSupportLoggingEnabled()).
+                instanceDiscovery(options.isInstanceDiscoveryEnabled());
 
             if (!options.isInstanceDiscoveryEnabled()) {
                 LOGGER.log(LogLevel.VERBOSE, () -> "Instance discovery and authority validation is disabled. In this"

sdk/identity/azure-identity/src/main/java/com/azure/identity/implementation/IdentityClientOptions.java

@@ -73,6 +73,7 @@ public final class IdentityClientOptions implements Cloneable {
     private Duration credentialProcessTimeout = Duration.ofSeconds(10);
 
     private boolean isChained;
+    private boolean enableSupportLogging;
 
     /**
      * Creates an instance of IdentityClientOptions with default settings.
@@ -713,6 +714,23 @@ public IdentityClientOptions setChained(boolean isChained) {
         return this;
     }
 
+    /**
+     * Gets the status whether support logging is enabled or not.
+     * @return the flag indicating if support logging is enabled or not.
+     */
+    public boolean isSupportLoggingEnabled() {
+        return enableSupportLogging;
+    }
+
+    /**
+     * Enables additional support logging (including PII) for MSAL based credentials.
+     * @return the updated client options
+     */
+    public IdentityClientOptions enableSupportLogging() {
+        this.enableSupportLogging = true;
+        return this;
+    }
+
     public IdentityClientOptions clone() {
         IdentityClientOptions clone =  new IdentityClientOptions()
             .setAdditionallyAllowedTenants(this.additionallyAllowedTenants)
@@ -745,6 +763,9 @@ public IdentityClientOptions clone() {
         if (!isInstanceDiscoveryEnabled()) {
             clone.disableInstanceDiscovery();
         }
+        if (isSupportLoggingEnabled()) {
+            clone.enableSupportLogging();
+        }
         return clone;
     }
 }