AzureAD
diff --git a/‎.Pipelines/CI-AND-RELEASE-PIPELINES.md‎
Lines changed: 24 additions & 11 deletions b/‎.Pipelines/CI-AND-RELEASE-PIPELINES.md‎
Lines changed: 24 additions & 11 deletions
diff --git a/‎.Pipelines/pipeline-publish.yml‎
Lines changed: 3 additions & 3 deletions b/‎.Pipelines/pipeline-publish.yml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎.github/workflows/python-package.yml‎
Lines changed: 51 additions & 100 deletions b/‎.github/workflows/python-package.yml‎
Lines changed: 51 additions & 100 deletions
@@ -11,7 +11,7 @@ including what each pipeline does, when it runs, and how to trigger a release.
 |------|-------------|---------|
 | [`azure-pipelines.yml`](../azure-pipelines.yml) | [MSAL.Python-PR-OneBranch-Official (3064)](https://dev.azure.com/IdentityDivision/IDDP/_build?definitionId=3064) | PR gate, post-merge CI, and performance benchmarks — calls the shared template with `runPublish: false`; runs benchmarks on post-merge pushes to `dev` |
 | [`pipeline-publish.yml`](pipeline-publish.yml) | [MSAL.Python-Publish (3067)](https://dev.azure.com/IdentityDivision/IDDP/_build?definitionId=3067) | Release pipeline — manually queued, builds and publishes to PyPI |
-| [`template-pipeline-stages.yml`](template-pipeline-stages.yml) | — | Shared stages template — PreBuildCheck, Validate, and CI stages reused by both pipelines |
+| [`template-pipeline-stages.yml`](template-pipeline-stages.yml) | — | Shared stages template — PreBuildCheck, Validate, UnitTests, and E2ETests stages reused by both pipelines |
 | [`credscan-exclusion.json`](credscan-exclusion.json) | — | CredScan suppression file for known test fixtures |
 
 ---
@@ -22,23 +22,29 @@ including what each pipeline does, when it runs, and how to trigger a release.
 
 | Event | Branches |
 |-------|----------|
-| Pull request opened / updated | all branches |
-| Push / merge | `dev`, `azure-pipelines` |
+| Pull request opened / updated | `dev` (PRs targeting `dev` only) |
+| Push / merge | `dev` |
 | Scheduled | Daily at 11:45 PM Pacific, `dev` branch (only when there are new changes) |
 
+Fast unit-test feedback for PRs targeting **other** branches (e.g. `release-x.y.z`)
+is provided separately by the GitHub Actions workflow
+[`.github/workflows/python-package.yml`](../.github/workflows/python-package.yml),
+which runs the package build and unit tests on every PR.
+
 ### Stages
 
 ```
-PreBuildCheck ─► CI ─► Benchmark (post-merge to dev only)
+PreBuildCheck ─► UnitTests ─► E2ETests ─► Benchmark (post-merge to dev only)
 ```
 
 | Stage | What it does | When it runs |
 |-------|-------------|-------------|
 | **PreBuildCheck** | Runs SDL security scans: PoliCheck (policy/offensive content), CredScan (leaked credentials), and PostAnalysis (breaks the build on findings) | Always |
-| **CI** | Runs the full test suite on Python 3.8, 3.9, 3.10, 3.11, 3.12, 3.13, and 3.14 | Always |
+| **UnitTests** | Runs the unit test suite on Python 3.9, 3.10, 3.11, 3.12, 3.13, and 3.14 (no Key Vault required) | After PreBuildCheck |
+| **E2ETests** | Fetches the MSID Lab certificate from Key Vault and runs `tests/test_e2e.py` + `tests/test_fmi_e2e.py` on the same Python matrix. Skipped on forked PRs (no Key Vault access). | After UnitTests |
 | **Benchmark** | Runs performance benchmarks on Python 3.9 and publishes `benchmark-results` artifact | Post-merge pushes to `dev` and manual runs only |
 
-The Validate stage is **skipped** on PR/CI runs (it only applies to release builds).
+The `Validate` stage is **skipped** on PR/CI runs (it only applies to release builds).
 
 > **SDL coverage:** The PreBuildCheck stage satisfies the OneBranch SDL requirement.
 > It runs on every PR, every merge to `dev`, and on the daily schedule — ensuring
@@ -63,18 +69,25 @@ with both parameters filled in.
 ### Stage Flow
 
 ```
-PreBuildCheck ─► Validate ─► CI ─► Build ─┬─► PublishMSALPython  (publishTarget == 'test.pypi.org (Preview / RC)')
-                                           └─► PublishPyPI        (publishTarget == 'pypi.org (ESRP Production)')
+PreBuildCheck ─► Validate ─► UnitTests ─► E2ETests ─► Build ─┬─► PublishMSALPython  (publishTarget == 'test.pypi.org (Preview / RC)')
+                                                       └─► PublishPyPI        (publishTarget == 'pypi.org (ESRP Production)')
 ```
 
 | Stage | What it does | Condition |
 |-------|-------------|-----------|
 | **PreBuildCheck** | PoliCheck + CredScan scans | Always |
 | **Validate** | Asserts the `packageVersion` parameter matches `msal/sku.py __version__` | Always (release runs only) |
-| **CI** | Full test matrix (Python 3.8–3.14) | After Validate passes |
-| **Build** | Builds `sdist` and `wheel` via `python -m build`; publishes `python-dist` artifact | After CI passes |
+| **UnitTests** | Unit test matrix (Python 3.9–3.14) | After Validate passes |
+| **E2ETests** | E2E test matrix (Python 3.9–3.14) with MSID Lab cert from Key Vault | After UnitTests passes |
+| **Build** | Builds `sdist` and `wheel` via `python -m build`; publishes `python-dist` artifact | After E2ETests passes |
 | **PublishMSALPython** | Uploads to test.pypi.org | `publishTarget == test.pypi.org (Preview / RC)` |
-| **PublishPyPI** | Uploads to PyPI via ESRP; requires manual approval | `publishTarget == pypi.org (ESRP Production)` |
+| **PublishPyPI** | Uploads to PyPI via ESRP (`EsrpRelease@12`); requires manual approval | `publishTarget == pypi.org (ESRP Production)` |
+
+> ⚠️ **TestPyPI publishing is currently a no-op.** The `MSAL-Test-Python-Upload`
+> service connection has not yet been created (pending a test.pypi.org API
+> token), so the `PublishMSALPython` stage prints a skip message rather than
+> uploading. Until the SC exists, use the `pypi.org (ESRP Production)` path
+> with an RC version (e.g. `1.36.0rc1`) for end-to-end validation.
 
 ---
 
 
@@ -6,7 +6,7 @@
 # Publish targets:
 #   test.pypi.org (Preview / RC) — preview releases via MSAL-Test-Python-Upload SC
 #                                   (SC creation pending test.pypi.org API token)
-#   pypi.org (ESRP Production)   — production releases via ESRP (EsrpRelease@9) using MSAL-ESRP-AME SC
+#   pypi.org (ESRP Production)   — production releases via ESRP (EsrpRelease@12) using MSAL-ESRP-AME SC
 #
 # For pipeline documentation, see .Pipelines/CI-AND-RELEASE-PIPELINES.md.
 
@@ -130,10 +130,10 @@ stages:
 
 # ══════════════════════════════════════════════════════════════════════════════
 # Stage 4b · Publish to PyPI (ESRP Production)
-#   Uses EsrpRelease@9 via the MSAL-ESRP-AME service connection.
+#   Uses EsrpRelease@12 via the MSAL-ESRP-AME service connection.
 #   IMPORTANT: configure a required manual approval on this environment in
 #   ADO → Pipelines → Environments → MSAL-Python-Release → Approvals and checks.
-#   IMPORTANT: EsrpRelease@9 requires a Windows agent.
+#   IMPORTANT: EsrpRelease@12 requires a Windows agent.
 # ══════════════════════════════════════════════════════════════════════════════
 - stage: PublishPyPI
   displayName: 'Publish to PyPI (ESRP Production)'
 
@@ -1,30 +1,57 @@
-# This workflow will install Python dependencies, run tests and lint with a variety of Python versions
-# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
+# Build verification + unit tests for the msal Python package.
+#
+# This workflow runs on every PR (against any target branch) to give contributors
+# fast feedback that the package still builds and that the unit tests pass across
+# all supported Python versions.
+#
+# Post-merge validation on dev, E2E tests, benchmarks, SDL scans, and PyPI
+# publishing are NOT run here. Those run in the ADO pipelines:
+#   - azure-pipelines.yml             (PRs + pushes to dev: unit + E2E + SDL)
+#   - .Pipelines/pipeline-publish.yml (manual release to TestPyPI / PyPI)
 
-name: CI/CD
+name: Build and Unit Tests
 
 on:
-  push:
   pull_request:
-    branches: [ dev ]
-
-    # This guards against unknown PR until a community member vet it and label it.
-    types: [ labeled ]
+    # No `branches` filter — run on PRs against any target branch.
 
 jobs:
+  build:
+    name: Build package (sdist + wheel)
+    permissions:
+      contents: read
+    runs-on: ubuntu-22.04
+    steps:
+    - uses: actions/checkout@v4
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: '3.12'
+        cache: 'pip'
+    - name: Install build tooling
+      run: |
+        python -m pip install --upgrade pip
+        python -m pip install build twine
+    - name: Build sdist and wheel
+      run: python -m build --sdist --wheel --outdir dist/ .
+    - name: Verify built artifacts
+      # `twine check` catches broken long_description / metadata that would fail PyPI upload.
+      run: twine check dist/*
+    - name: Upload built artifacts
+      uses: actions/upload-artifact@v4
+      with:
+        name: dist
+        path: dist/
+        retention-days: 7
+
   ci:
+    name: Unit tests Python ${{ matrix.python-version }}
     permissions:
       contents: read
-    env:
-      # Fake a TRAVIS env so that the pre-existing test cases would behave like before
-      TRAVIS: true
-      LAB_APP_CLIENT_ID: ${{ secrets.LAB_APP_CLIENT_ID }}
-      LAB_APP_CLIENT_CERT_BASE64: ${{ secrets.LAB_APP_CLIENT_CERT_BASE64 }}
-      LAB_APP_CLIENT_CERT_PFX_PATH: lab_cert.pfx
 
-    # Derived from https://docs.github.com/en/actions/guides/building-and-testing-python#starting-with-the-python-workflow-template
     runs-on: ubuntu-22.04
     strategy:
+      fail-fast: false
       matrix:
         python-version: ['3.9', '3.10', '3.11', '3.12', '3.13', '3.14']
 
@@ -41,91 +68,15 @@ jobs:
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip
-        python -m pip install flake8 pytest
-        if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
-    - name: Populate lab cert.pfx
-      # https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#storing-base64-binary-blobs-as-secrets
-      run: echo $LAB_APP_CLIENT_CERT_BASE64 | base64 -d > $LAB_APP_CLIENT_CERT_PFX_PATH
-    - name: Test with pytest
-      run: pytest --benchmark-skip
-    - name: Lint with flake8
-      run: |
-        # stop the build if there are Python syntax errors or undefined names
-        #flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics
-        # exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide
-        #flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics
-
-  cb:
-    # Benchmark only after the correctness has been tested by CI,
-    # and then run benchmark only once (sampling with only one Python version).
-    needs: ci
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-    steps:
-    - uses: actions/checkout@v4
-    - name: Set up Python 3.9
-      uses: actions/setup-python@v5
-      with:
-        python-version: 3.9
-        cache: 'pip'
-    - name: Install dependencies
-      run: |
-        python -m pip install --upgrade pip
+        python -m pip install pytest
         if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
-    - name: Setup an updatable cache for Performance Baselines
-      uses: actions/cache@v4
-      with:
-        path: .perf.baseline
-        key: ${{ runner.os }}-performance-${{ hashFiles('tests/test_benchmark.py') }}
-        restore-keys: ${{ runner.os }}-performance-
-    - name: Run benchmark
-      run: pytest --benchmark-only --benchmark-json benchmark.json --log-cli-level INFO tests/test_benchmark.py
-    - name: Render benchmark result
-      uses: benchmark-action/github-action-benchmark@v1
-      with:
-        tool: 'pytest'
-        output-file-path: benchmark.json
-        fail-on-alert: true
-    - name: Publish Gibhub Pages
-      run: git push origin gh-pages
 
-  cd:
-    needs: ci
-    # Note: github.event.pull_request.draft == false WON'T WORK in "if" statement,
-    # because the triggered event is a push, not a pull_request.
-    # This means each commit will trigger a release on TestPyPI.
-    # Those releases will only succeed when each push has a new version number: a1, a2, a3, etc.
-    if: |
-      github.event_name == 'push' &&
-      (
-        startsWith(github.ref, 'refs/tags') ||
-        startsWith(github.ref, 'refs/heads/release-')
-      )
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v4
-    - name: Set up Python 3.9
-      uses: actions/setup-python@v5
-      with:
-        python-version: 3.9
-        cache: 'pip'
-    - name: Build a package for release
+    - name: Run unit tests
+      # Skip benchmarks and E2E tests — those require lab credentials and run in ADO.
       run: |
-        python -m pip install build --user
-        python -m build --sdist --wheel --outdir dist/ .
-    - name: |
-        Publish to TestPyPI when pushing to release-* branch.
-        You better test with a1, a2, b1, b2 releases first.
-      uses: pypa/gh-action-pypi-publish@v1.13.0
-      if: startsWith(github.ref, 'refs/heads/release-')
-      with:
-        user: __token__
-        password: ${{ secrets.TEST_PYPI_API_TOKEN }}
-        repository_url: https://test.pypi.org/legacy/
-    - name: Publish to PyPI when tagged
-      if: startsWith(github.ref, 'refs/tags')
-      uses: pypa/gh-action-pypi-publish@v1.13.0
-      with:
-        user: __token__
-        password: ${{ secrets.PYPI_API_TOKEN }}
+        pytest tests/ \
+          --benchmark-skip \
+          --ignore=tests/test_e2e.py \
+          --ignore=tests/test_e2e_manual.py \
+          --ignore=tests/test_fmi_e2e.py \
+          --ignore=tests/test_client_obtain_token_by_browser.py