MtlsBindingStrength Enum

Definition

Describes the strength with which a token can be bound to a cryptographic key on the current host. Higher values indicate stronger binding. The value reflects what the host is capable of producing, not what a particular request or token actually used, so it describes capability rather than a per-request outcome.

C#: public enum MtlsBindingStrength
F#: type MtlsBindingStrength =
VB: Public Enum MtlsBindingStrength

Inheritance: Object → ValueType → Enum → MtlsBindingStrength

Fields

Name      Value  Description
None      0      No key binding is available, so the host cannot perform mTLS Proof-of-Possession (PoP). This is the floor of the range (for example, on .NET Framework 4.6.2, which does not support PoP).
Software  1      The token can be bound to a software-backed key (for example, a persisted CNG key on Windows, or a software RSA key elsewhere). The key is not hardware-isolated.
KeyGuard  3      The token can be bound to a key isolated by Virtualization-based Security (VBS), such as KeyGuard on a Trusted Launch (TVM) or Confidential (CVM) virtual machine. This is the only tier that implies hardware-backed attestation.

Remarks

This type is shared by managed identity and confidential client mTLS Proof-of-Possession scenarios. A value greater than None means the host can bind a token to a key; it does not by itself imply hardware attestation. Attestation corresponds to the KeyGuard tier specifically, so a policy that needs attested keys must check for at least KeyGuard rather than merely for a value above None. Because higher values indicate stronger binding and the defined values are not contiguous (0, 1, 3), compare ordinally (for example, at least KeyGuard) rather than testing equality against a single member. Because the value reports host capability rather than the outcome of a particular request, it should not be logged or treated as evidence that a specific token was bound.
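The following C# example is added here and is not code from the library or from this page. It mirrors the enum's documented names and values in a local definition so it compiles stand-alone, and it assumes a hypothetical PopGate.Evaluate helper that receives the host's strength as a parameter, since this page does not describe how the value is obtained. It shows the check the Remarks call for: distinguishing "a key can be bound" (any value above None) from "the key is attested" (KeyGuard only), and comparing ordinally against a configured minimum.

```csharp
using System;

// Local mirror of the documented enum (same names and values) so the example
// compiles stand-alone; real code would use the library's MtlsBindingStrength.
public enum MtlsBindingStrength
{
    None = 0,
    Software = 1,
    KeyGuard = 3,
}

// Hypothetical gate (not part of the library): decides whether a workload may
// proceed with mTLS Proof-of-Possession given what the current host can bind to.
public static class PopGate
{
    public readonly record struct Decision(bool Allowed, string Reason);

    // hostStrength:       the capability reported for this host (how it is
    //                     obtained is outside this page, so it is passed in).
    // minimum:            the weakest binding the workload accepts.
    // requireAttestation: true when policy needs hardware-backed attestation,
    //                     which only the KeyGuard tier implies.
    public static Decision Evaluate(
        MtlsBindingStrength hostStrength,
        MtlsBindingStrength minimum,
        bool requireAttestation)
    {
        if (hostStrength == MtlsBindingStrength.None)
        {
            return new Decision(false,
                "no key binding on this host: mTLS PoP is unavailable, fail closed or fall back deliberately");
        }

        // The pitfall from the Remarks: 'hostStrength > None' proves a key can
        // be bound, not that the key is attested. Attestation is KeyGuard only.
        if (requireAttestation && hostStrength < MtlsBindingStrength.KeyGuard)
        {
            return new Decision(false,
                $"attestation required but host can only bind with {hostStrength}");
        }

        // Values are ordered by strength and not contiguous (0, 1, 3), so
        // compare ordinally instead of testing equality with one member.
        if (hostStrength < minimum)
        {
            return new Decision(false,
                $"host binding {hostStrength} is below the required minimum {minimum}");
        }

        return new Decision(true,
            $"host binding {hostStrength} satisfies minimum {minimum}" +
            (requireAttestation ? " with attestation" : ""));
    }

    // Walks every documented tier against two constructed policies so the
    // difference between "bound" and "attested" is visible in the output.
    public static void Main()
    {
        var policies = new (MtlsBindingStrength Minimum, bool Attest, string Label)[]
        {
            (MtlsBindingStrength.Software, false, "any key binding"),
            (MtlsBindingStrength.Software, true,  "key binding plus attestation"),
        };

        var hosts = new[]
        {
            MtlsBindingStrength.None,
            MtlsBindingStrength.Software,
            MtlsBindingStrength.KeyGuard,
        };

        foreach (var host in hosts)
        {
            foreach (var (minimum, attest, label) in policies)
            {
                Decision d = Evaluate(host, minimum, attest);
                Console.WriteLine(
                    $"host={host,-8} policy=\"{label}\" -> {(d.Allowed ? "ALLOW" : "DENY ")} ({d.Reason})");
            }
        }
    }
}
```

Running Main shows that a Software host passes the "any key binding" policy but is denied under the attestation policy, while only a KeyGuard host passes both; a None host is denied under either. Because the enum reports host capability rather than what a given request used, run this check at the point where the PoP request is actually made, not once at startup.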
