Skip to content

Improve MtlsPopTokenNotSupportedinImdsV1 error message clarity#5908

Open
Copilot wants to merge 3 commits intomainfrom
copilot/update-error-message-mtls-pop-token
Open

Improve MtlsPopTokenNotSupportedinImdsV1 error message clarity#5908
Copilot wants to merge 3 commits intomainfrom
copilot/update-error-message-mtls-pop-token

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Apr 6, 2026
edited by gladjohn
Loading

Fixes - #5868

The error message for MtlsPopTokenNotSupportedinImdsV1 used internal jargon ("IMDSv1") that gave users no actionable information. Replaced it with a plain-language message that communicates the feature's preview status and the VM requirement.

Changes proposed in this request

  • MsalErrorMessage.MtlsPopTokenNotSupportedinImdsV1: replaced opaque IMDSv1 reference with user-facing language

Before:

A mTLS PoP token cannot be requested because the application's source was determined to be ImdsV1.

After:

mTLS Proof of Possession with managed identity is currently in private preview and is not supported on this VM. Ensure you're running on a supported VM image.

Testing
No test changes needed — existing tests assert only on the error code (mtls_pop_token_not_supported_in_imds_v1), which is unchanged.

Performance impact
None.

Documentation

  • All relevant documentation is updated.
Original prompt

Problem

The error message for MtlsPopTokenNotSupportedinImdsV1 is confusing because:

  • It uses technical jargon (IMDSv1/IMDSv2) that users don't understand
  • It doesn't clearly explain that the feature is in private preview
  • It doesn't indicate that this is a VM/infrastructure support issue

Solution

Simplify the error message to:

  1. Clearly state the feature is in private preview
  2. Avoid technical terms like "IMDSv1"
  3. Simply state the feature is "not supported on this VM"
  4. Direct users to use a supported VM image

Changes Required

  1. Update MsalErrorMessage.cs - improve the error message constant
  2. Update any related tests that validate this error message

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: how to fix this

Assistant: I can see you've shared an issue from the MSAL (Microsoft Authentication Library) repository about a confusing error message when acquiring bound tokens using System-Assigned Managed Identity.

Let me analyze this issue and provide guidance on how to fix it:

Assistant: Now let me find where this error is being thrown and how to fix it:

Assistant: Based on my investigation, the issue #5868 describes an unclear error message when a bound token request fails because the VM only supports IMDSv1 (Instance Metadata Service v1), but the application is trying to use IMDSv2 with mTLS Proof of Possession (PoP).

Problem Summary

Current error:

ErrorCode: mtls_pop_token_not_supported_in_imds_v1
A mTLS PoP token cannot be requested because the application's source was determined to be ImdsV1.

The message is confusing because:

  • Users don't understand the IMDSv1 vs v2 distinction
  • The message doesn't explain why this is happening or how to fix it
  • No documentation references are provided

How to Fix

The solution is to improve the error message in MsalErrorMessage.cs to be more actionable. Here's what needs to change:

// Current (confusing):
public const string MtlsPopTokenNotSupportedinImdsV1 = 
    "A mTLS PoP token cannot be requested because the application's source was determined to be ImdsV1.";

// Improved (clear & actionable):
public const string MtlsPopTokenNotSupportedinImdsV1 = 
    "mTLS Proof of Possession (PoP) tokens require Azure Instance Metadata Service v2 (IMDSv2), " +
    "but this VM only supports IMDSv1. " +
    "To use mTLS PoP with managed identity, ensure your VM image supports IMDSv2. " +
    "See https://aka.ms/msal-net-mtls-pop and https://aka.ms/msal-net-imdsv2 for details.";

Key Improvements

  1. Explains the root cause — IMDSv2 is required but only v1 is available
  2. Provides clear next steps — Update VM image to support IMDSv2
  3. Includes documentation links — Points to MSAL and Azure documentation
  4. Uses plain language — Avoids technical jargon users won't understand

Implementation

The error is thrown in two places:

  1. ImdsV2ManagedIdentitySource.cs (line ~90) — When /getplatformmetadata endpoint returns 404
  2. ManagedIdentityClient.cs (line ~130) — When source is ImdsV1 but mTLS PoP is requested

Both locations use the same error constant from MsalErrorMessage.cs, so updating that one constant fixes both code paths.

Would you like me to create a pull request with this fix?

User: the feature is still not in GA and in priuvate preview, the VM you are runing may nmot support reh feature

Assistant: You're absolutely right. Looking at the code and documentation more carefully, I can see this is still in private preview (as noted in the constraint table in the docs).

The real issue is that the error message should clarify:

  1. This feature is in preview — not generally available yet
  2. The specific prerequisite — IMDSv2 support on the VM
  3. What to do — Either upgrade the VM image OR enroll in the preview program if needed

Here's a better error message that accounts for the preview status:

public const string MtlsPopTokenNotSupportedinImdsV1 = 
    "mTLS Proof of Possession (PoP) with managed identity is currently in private preview and requires Azure Instance Metadata Service v2 (IMDSv2). " +
    "Your VM appears to only support IMDSv1. " +
    "To use this feature, ensure your VM image supports IMDSv2 (available on recent Windows Server and Azure VM images). " +
    "If your image should support IMDSv2 but you're still seeing this error, your VM configuration may need to be updated. " +
    "For more information and to join the preview, see https://aka.ms/msal-net-mtls-pop.";

Key additions:

  • Explicitly states it's private preview
  • Notes that this is a VM/infrastructure requirement, not a code issue
  • Suggests users check their VM image version
  • Points to preview enrollment documentation
  • Sets proper expectations (may not be available in all regions/environments yet)

Would you like me to create a PR with this improved me...

This pull request was created from Copilot chat.

Copilot AI requested review from Copilot and removed request for Copilot April 6, 2026 15:34
Copilot AI requested review from Copilot and removed request for Copilot April 6, 2026 15:36
Copilot AI requested review from Copilot and removed request for Copilot April 6, 2026 15:40
Copilot AI changed the title [WIP] Improve MtlsPopTokenNotSupportedinImdsV1 error message Improve MtlsPopTokenNotSupportedinImdsV1 error message clarity Apr 6, 2026
Copilot AI requested a review from gladjohn April 6, 2026 15:41
@gladjohn gladjohn marked this pull request as ready for review April 6, 2026 15:53
@gladjohn gladjohn requested a review from a team as a code owner April 6, 2026 15:53
Copilot AI review requested due to automatic review settings April 6, 2026 15:53
Copilot AI reviewed Apr 6, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the MtlsPopTokenNotSupportedinImdsV1 error message to replace internal “IMDSv1” jargon with a more plain-language, user-facing explanation about preview status and VM/image support.

Changes:

  • Updated MsalErrorMessage.MtlsPopTokenNotSupportedinImdsV1 string to a clearer, more actionable message for end users.

bgavrilMS
bgavrilMS reviewed Apr 10, 2026
View reviewed changes
src/client/Microsoft.Identity.Client/MsalErrorMessage.cs
public const string InvalidCertificate = "The certificate received from the Imds server is invalid.";
public const string CannotSwitchBetweenImdsVersionsForPreview = "ImdsV2 is currently experimental - A Bearer token has already been received; Please restart the application to receive a mTLS PoP token.";
public const string MtlsPopTokenNotSupportedinImdsV1 = "A mTLS PoP token cannot be requested because the application\'s source was determined to be ImdsV1.";
public const string MtlsPopTokenNotSupportedinImdsV1 = "mTLS Proof of Possession with managed identity is currently in private preview and is not supported on this VM. Ensure you're running on a supported VM image.";
Copy link
Copy Markdown
Member

@bgavrilMS bgavrilMS Apr 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, but this is a point in time state. In some N months it will not be in private preview.

How about creating an aka.ms link (can be to our wiki) and explaining more there? And here you just give a messgae saying "The VM doesn't currently support mTLS POP tokens. See https://aka.ms/msal/imdsv2 for details)"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bgavrilMS bgavrilMS bgavrilMS left review comments

Copilot code review Copilot Copilot left review comments

@Robbie-Microsoft Robbie-Microsoft Robbie-Microsoft approved these changes

+1 more reviewer

@gladjohn gladjohn gladjohn approved these changes

Reviewers whose approvals may not affect merge requirements

At least 2 approving reviews are required to merge this pull request.

Assignees

@gladjohn gladjohn

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@bgavrilMS @Robbie-Microsoft @gladjohn