From 407f7a63a70808ef4da1acb65748be39329aba2c Mon Sep 17 00:00:00 2001
From: kcpitt <kellypi@microsoft.com>
Date: Fri, 20 Mar 2026 11:33:13 -0700
Subject: [PATCH 1/7] Update Azure VMs link to tracking URL

---
 msal-python-conceptual/advanced/managed-identity.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/msal-python-conceptual/advanced/managed-identity.md b/msal-python-conceptual/advanced/managed-identity.md
index 00c87642..f3984cb7 100644
--- a/msal-python-conceptual/advanced/managed-identity.md
+++ b/msal-python-conceptual/advanced/managed-identity.md
@@ -22,7 +22,7 @@ ms.reviewer: rayluo, dmwendia
 MSAL Python supports acquiring tokens through the managed identity service when used with applications running inside Azure infrastructure, such as:
 
 - [Azure App Service](https://azure.microsoft.com/products/app-service/) (API version `2019-08-01`)
-- [Azure VMs](https://azure.microsoft.com/free/virtual-machines/)
+- [Azure VMs](https://azure.microsoft.com/pricing/purchase-options/azure-account?cid=msft_learn)
 - [Azure Arc](/azure/azure-arc/overview)
 - [Azure Cloud Shell](/azure/cloud-shell/overview)
 - [Azure Service Fabric](/azure/service-fabric/service-fabric-overview)

From 5fe4dd3dfc9e00c103fbd930b363351c74060381 Mon Sep 17 00:00:00 2001
From: "docsreference@microsoft.com" <docsreference@microsoft.com>
Date: Mon, 23 Mar 2026 18:07:17 +0000
Subject: [PATCH 2/7] CI Update  Build.Reason:Schedule 
 Build.Url:https://apidrop.visualstudio.com/Content%20CI/_build/results?buildId=597637&view=results

---
 xrefmap.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/xrefmap.yml b/xrefmap.yml
index 975efbc4..5550b94b 100644
--- a/xrefmap.yml
+++ b/xrefmap.yml
@@ -2171,6 +2171,10 @@ references:
   href: https://docs.python.org/3/library/ctypes.html#ctypes._Pointer.contents
   name: contents
   uid: ctypes._Pointer.contents
+- fullName: ctypes._SimpleCData._type_
+  href: https://docs.python.org/3/library/ctypes.html#ctypes._SimpleCData._type_
+  name: _type_
+  uid: ctypes._SimpleCData._type_
 - fullName: ctypes._SimpleCData.value
   href: https://docs.python.org/3/library/ctypes.html#ctypes._SimpleCData.value
   name: value

From 41c7bf0e6549d42eb7a67dc50a81c37f02c6a4b7 Mon Sep 17 00:00:00 2001
From: "docsreference@microsoft.com" <docsreference@microsoft.com>
Date: Fri, 10 Apr 2026 05:07:49 +0000
Subject: [PATCH 3/7] CI Update  Build.Reason:Schedule 
 Build.Url:https://apidrop.visualstudio.com/Content%20CI/_build/results?buildId=601307&view=results

---
 ...application.ConfidentialClientApplication.yml | 16 +++++++++++++++-
 python/docs-ref-autogen/msal/msal.sku.yml        |  2 +-
 ...sal.token_cache.TokenCache.CredentialType.yml |  3 +++
 3 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/python/docs-ref-autogen/msal/msal.application.ConfidentialClientApplication.yml b/python/docs-ref-autogen/msal/msal.application.ConfidentialClientApplication.yml
index 6075509f..95ec77ce 100644
--- a/python/docs-ref-autogen/msal/msal.application.ConfidentialClientApplication.yml
+++ b/python/docs-ref-autogen/msal/msal.application.ConfidentialClientApplication.yml
@@ -358,7 +358,8 @@ methods:
     Since MSAL Python 1.23, it will automatically look for token from cache,
 
     and only send request to Identity Provider when cache misses.'
-  signature: acquire_token_for_client(scopes, claims_challenge=None, **kwargs)
+  signature: acquire_token_for_client(scopes, claims_challenge=None, fmi_path=None,
+    **kwargs)
   parameters:
   - name: scopes
     description: '(Required)
@@ -379,6 +380,19 @@ methods:
       It is a string of a JSON object which contains lists of claims being requested
       from these locations.'
     defaultValue: None
+  - name: fmi_path
+    description: "Optional. The Federated Managed Identity (FMI) credential path.\n\
+      When provided, it is sent as the `fmi_path` parameter in the\ntoken request\
+      \ body, and the resulting token is cached separately\nso that different FMI\
+      \ paths do not share cached tokens.\nExample usage:\n\n<!-- literal_block {\"\
+      ids\": [], \"classes\": [], \"names\": [], \"dupnames\": [], \"backrefs\": [],\
+      \ \"xml:space\": \"preserve\", \"language\": \"default\", \"force\": false,\
+      \ \"linenos\": false} -->\n\n````default\n\n   result = cca.acquire_token_for_client(\n\
+      \       scopes=[\"api://resource/.default\"],\n       fmi_path=\"SomeFmiPath/FmiCredentialPath\"\
+      ,\n   )\n   ````"
+    defaultValue: None
+    types:
+    - <xref:str>
   return:
     description: "A dict representing the json response from Microsoft Entra:\n\n\
       * A successful response would contain \"access_token\" key, \n\n* an error response\
diff --git a/python/docs-ref-autogen/msal/msal.sku.yml b/python/docs-ref-autogen/msal/msal.sku.yml
index 4a18ffb0..cadc69e1 100644
--- a/python/docs-ref-autogen/msal/msal.sku.yml
+++ b/python/docs-ref-autogen/msal/msal.sku.yml
@@ -2,4 +2,4 @@
 uid: msal.sku
 name: sku
 fullName: msal.sku
-summary: This module is from where we recieve the client sku name and version.
+summary: This module is from where we receive the client sku name and version.
diff --git a/python/docs-ref-autogen/msal/msal.token_cache.TokenCache.CredentialType.yml b/python/docs-ref-autogen/msal/msal.token_cache.TokenCache.CredentialType.yml
index 24217e7b..c4f54c3a 100644
--- a/python/docs-ref-autogen/msal/msal.token_cache.TokenCache.CredentialType.yml
+++ b/python/docs-ref-autogen/msal/msal.token_cache.TokenCache.CredentialType.yml
@@ -9,6 +9,9 @@ attributes:
 - uid: msal.token_cache.TokenCache.CredentialType.ACCESS_TOKEN
   name: ACCESS_TOKEN
   signature: ACCESS_TOKEN = 'AccessToken'
+- uid: msal.token_cache.TokenCache.CredentialType.ACCESS_TOKEN_EXTENDED
+  name: ACCESS_TOKEN_EXTENDED
+  signature: ACCESS_TOKEN_EXTENDED = 'atext'
 - uid: msal.token_cache.TokenCache.CredentialType.ACCOUNT
   name: ACCOUNT
   signature: ACCOUNT = 'Account'

From 303c7992dff5b4d9447a43d5b2b8bb0e5dbafd44 Mon Sep 17 00:00:00 2001
From: Dickson Mwendia <64727760+Dickson-Mwendia@users.noreply.github.com>
Date: Tue, 19 May 2026 15:31:13 +0300
Subject: [PATCH 4/7] Fix linkchecker by remapping root-relative links to
 learn.microsoft.com

Add --remap flag to lychee args so root-relative links (e.g. /entra/...)
are rewritten to https://learn.microsoft.com/... and validated against
the live site instead of failing as unresolvable local paths.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/linkvalidator.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/linkvalidator.yml b/.github/workflows/linkvalidator.yml
index a14a4302..9a1abc5d 100644
--- a/.github/workflows/linkvalidator.yml
+++ b/.github/workflows/linkvalidator.yml
@@ -22,7 +22,7 @@ jobs:
         env:
           GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
         with:
-          args: --accept=200,429,403,502,503 --verbose --no-progress './**/*.md'
+          args: --accept=200,429,403,502,503 --verbose --no-progress --remap '/(.+) https://learn.microsoft.com/$1' './**/*.md'
           fail: true
 
       - name: Create Issue From File

From 857a404706aed7497ee6843650a13f456798dbe6 Mon Sep 17 00:00:00 2001
From: Dickson Mwendia <64727760+Dickson-Mwendia@users.noreply.github.com>
Date: Tue, 19 May 2026 15:39:59 +0300
Subject: [PATCH 5/7] Anchor remap regex to only match root-relative links

The unanchored regex '/(.+)' was matching '/' inside absolute
URLs (https://, file:///), producing mangled double-protocol
URLs like 'https://https//learn.microsoft.com//github.com/...'.

Adding '^' ensures only root-relative links (/entra/...) are
remapped to learn.microsoft.com.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/linkvalidator.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/linkvalidator.yml b/.github/workflows/linkvalidator.yml
index 9a1abc5d..722a8ae7 100644
--- a/.github/workflows/linkvalidator.yml
+++ b/.github/workflows/linkvalidator.yml
@@ -22,7 +22,7 @@ jobs:
         env:
           GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
         with:
-          args: --accept=200,429,403,502,503 --verbose --no-progress --remap '/(.+) https://learn.microsoft.com/$1' './**/*.md'
+          args: --accept=200,429,403,502,503 --verbose --no-progress --remap '^/(.+) https://learn.microsoft.com/$1' './**/*.md'
           fail: true
 
       - name: Create Issue From File

From 22d860ca5231bd0416c6cc83c15094eb22db3cd1 Mon Sep 17 00:00:00 2001
From: Dickson Mwendia <64727760+Dickson-Mwendia@users.noreply.github.com>
Date: Tue, 19 May 2026 15:43:53 +0300
Subject: [PATCH 6/7] Use sed pre-processing instead of --remap for
 root-relative links

Replace the lychee --remap flag with a sed pre-processing step
(matching the approach used in MSAL Java) that rewrites
root-relative markdown links like [text](/path) to
[text](https://learn.microsoft.com/path) before lychee runs.

The --remap regex approach couldn't intercept root-relative links
before lychee's own root-relative resolver rejected them.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/linkvalidator.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/linkvalidator.yml b/.github/workflows/linkvalidator.yml
index 722a8ae7..cc2da6e2 100644
--- a/.github/workflows/linkvalidator.yml
+++ b/.github/workflows/linkvalidator.yml
@@ -16,13 +16,19 @@ jobs:
     steps:
       - uses: actions/checkout@v3
 
+      - name: Resolve root-relative links for checking
+        run: |
+          # Convert root-relative markdown links like [text](/path) to [text](https://learn.microsoft.com/path)
+          # so lychee can validate them. This only modifies the CI checkout copy.
+          find . -name '*.md' -exec sed -i -E 's|\]\(/|\](https://learn.microsoft.com/|g' {} +
+
       - name: Link Checker
         id: lychee
         uses: lycheeverse/lychee-action@master
         env:
           GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
         with:
-          args: --accept=200,429,403,502,503 --verbose --no-progress --remap '^/(.+) https://learn.microsoft.com/$1' './**/*.md'
+          args: --accept=200,429,403,502,503 --verbose --no-progress './**/*.md'
           fail: true
 
       - name: Create Issue From File

From 948746819daa2387b8a2239ae87ab0abbca3f056 Mon Sep 17 00:00:00 2001
From: Dickson Mwendia <64727760+Dickson-Mwendia@users.noreply.github.com>
Date: Tue, 19 May 2026 15:48:06 +0300
Subject: [PATCH 7/7] Fix empty URL in migrate.md

Link 'official APIs' to the acquiring-tokens doc, which
documents the standard MSAL Python token acquisition methods
that the migrate page contrasts with.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 msal-python-conceptual/advanced/migrate.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/msal-python-conceptual/advanced/migrate.md b/msal-python-conceptual/advanced/migrate.md
index 3c00fe30..337c6c13 100644
--- a/msal-python-conceptual/advanced/migrate.md
+++ b/msal-python-conceptual/advanced/migrate.md
@@ -25,7 +25,7 @@ and then when a new RT comes back, MSAL will store it in the usual way.
 As this method is intended for scenarios that are not typical, it is NOT readily accessible with the official API surface.
 You will have to call it via an internal helper `app.client`,
 and its naming convention is also slightly different than those other
-[official APIs]().
+[official APIs](../getting-started/acquiring-tokens.md).
 
 ```python
 from msal import PublicClientApplication