AzureAD · Avery-Dunn · Jan 9, 2026 · Jan 5, 2026 · Jan 6, 2026 · Jan 6, 2026
@@ -19,12 +19,13 @@ public class CacheExecutionTests
 
         private static async Task<LabUserData> GetPublicAadUserDataAsync()
         {
-            var labUser = await LabUserHelper.GetDefaultUserAsync().ConfigureAwait(false);
+            var user = await LabResponseHelper.GetUserConfigAsync(KeyVaultSecrets.UserPublicCloud).ConfigureAwait(false);
+            var app = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppPCAClient).ConfigureAwait(false);
             return new LabUserData(
-              labUser.User.Upn,
-              labUser.User.GetOrFetchPassword(),
-              labUser.App.AppId,
-              labUser.User.TenantId);
+              user.Upn,
+              user.GetOrFetchPassword(),
+              app.AppId,
+              user.TenantId);
         }
 
         [AssemblyInitialize]

@@ -32,40 +32,41 @@ public async Task ROPC_Ciam_StandardDomains_CompletesSuccessfully()
         {
             string authority;
             //Get lab details
-            var labResponse = await LabUserHelper.GetCIAMUserAsync().ConfigureAwait(false);
+            var user = await LabResponseHelper.GetUserConfigAsync(KeyVaultSecrets.UserCiam).ConfigureAwait(false);
+            var app = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.MsalAppCiam).ConfigureAwait(false);
 
             //https://tenantName.ciamlogin.com/
-            authority = string.Format("https://{0}.ciamlogin.com/", labResponse.User.LabName);
-            await RunCiamRopcTest(authority, labResponse).ConfigureAwait(false);
+            authority = string.Format("https://{0}.ciamlogin.com/", user.LabName);
+            await RunCiamRopcTest(authority, user, app).ConfigureAwait(false);
 
             //https://tenantName.ciamlogin.com/tenantName.onmicrosoft.com
-            authority = string.Format("https://{0}.ciamlogin.com/{1}.onmicrosoft.com", labResponse.User.LabName, labResponse.User.LabName);
-            await RunCiamRopcTest(authority, labResponse).ConfigureAwait(false);
+            authority = string.Format("https://{0}.ciamlogin.com/{1}.onmicrosoft.com", user.LabName, user.LabName);
+            await RunCiamRopcTest(authority, user, app).ConfigureAwait(false);
 
             //https://tenantName.ciamlogin.com/tenantGuid
-            authority = string.Format("https://{0}.ciamlogin.com/{1}", labResponse.User.LabName, labResponse.Lab.TenantId);
-            await RunCiamRopcTest(authority, labResponse).ConfigureAwait(false);
+            authority = string.Format("https://{0}.ciamlogin.com/{1}", user.LabName, user.TenantId);
+            await RunCiamRopcTest(authority, user, app).ConfigureAwait(false);
         }
 
-        private async Task RunCiamRopcTest(string authority, LabResponse labResponse)
+        private async Task RunCiamRopcTest(string authority, UserConfig user, AppConfig app)
         {
             //Acquire tokens
             var msalPublicClient = PublicClientApplicationBuilder
-                .Create(labResponse.App.AppId)
+                .Create(app.AppId)
                 .WithAuthority(new Uri(authority), false)
                 .WithRedirectUri(_ciamRedirectUri)
                 .Build();
 
             #pragma warning disable CS0618 // Type or member is obsolete
             var result = await msalPublicClient
-                .AcquireTokenByUsernamePassword(_ciamScopes, labResponse.User.Upn, labResponse.User.GetOrFetchPassword())
+                .AcquireTokenByUsernamePassword(_ciamScopes, user.Upn, user.GetOrFetchPassword())
                 .ExecuteAsync()
                 .ConfigureAwait(false);
             #pragma warning restore CS0618
 
             Assert.IsNotNull(result.AccessToken);
             Assert.AreEqual(TokenSource.IdentityProvider, result.AuthenticationResultMetadata.TokenSource);
-            Assert.AreEqual($"{labResponse.User.LabName}{Constants.CiamAuthorityHostSuffix}".ToLower(), result.Account.Environment);
+            Assert.AreEqual($"{user.LabName}{Constants.CiamAuthorityHostSuffix}".ToLower(), result.Account.Environment);
 
             //Fetch cached tokens
             var accounts = await msalPublicClient.GetAccountsAsync().ConfigureAwait(false);
@@ -77,28 +78,28 @@ private async Task RunCiamRopcTest(string authority, LabResponse labResponse)
 
             Assert.IsNotNull(result.AccessToken);
             Assert.AreEqual(TokenSource.Cache, result.AuthenticationResultMetadata.TokenSource);
-            Assert.AreEqual($"{labResponse.User.LabName}{Constants.CiamAuthorityHostSuffix}".ToLower(), result.Account.Environment);
+            Assert.AreEqual($"{user.LabName}{Constants.CiamAuthorityHostSuffix}".ToLower(), result.Account.Environment);
         }
 
         [TestMethod]
         public async Task ClientCredentialCiam_WithClientCredentials_ReturnsValidTokens()
         {
             string authority;
             //Get lab details
-            var labResponse = await LabUserHelper.GetCIAMUserAsync().ConfigureAwait(false);
-
+            var user = await LabResponseHelper.GetUserConfigAsync(KeyVaultSecrets.UserCiam).ConfigureAwait(false);
+            var app = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.MsalAppCiam).ConfigureAwait(false);
 
             //https://tenantName.ciamlogin.com/
-            authority = string.Format("https://{0}.ciamlogin.com/", labResponse.User.LabName);
-            await RunCiamCCATest(authority, labResponse.App.AppId).ConfigureAwait(false);
+            authority = string.Format("https://{0}.ciamlogin.com/", user.LabName);
+            await RunCiamCCATest(authority, app.AppId).ConfigureAwait(false);
 
             //https://tenantName.ciamlogin.com/tenantName.onmicrosoft.com
-            authority = string.Format("https://{0}.ciamlogin.com/{1}.onmicrosoft.com", labResponse.User.LabName, labResponse.User.LabName);
-            await RunCiamCCATest(authority, labResponse.App.AppId).ConfigureAwait(false);
+            authority = string.Format("https://{0}.ciamlogin.com/{1}.onmicrosoft.com", user.LabName, user.LabName);
+            await RunCiamCCATest(authority, app.AppId).ConfigureAwait(false);
 
             //https://tenantName.ciamlogin.com/tenantGuid
-            authority = string.Format("https://{0}.ciamlogin.com/{1}", labResponse.User.LabName, labResponse.Lab.TenantId);
-            await RunCiamCCATest(authority, labResponse.App.AppId).ConfigureAwait(false);
+            authority = string.Format("https://{0}.ciamlogin.com/{1}", user.LabName, user.TenantId);
+            await RunCiamCCATest(authority, app.AppId).ConfigureAwait(false);
 
             //Ciam CUD
             authority = "https://login.msidlabsciam.com/fe362aec-5d43-45d1-b730-9755e60dc3b9/v2.0/";
@@ -150,18 +151,19 @@ public async Task OBOCiam_CustomDomain_ReturnsValidTokens()
             string ciamWebApi = "634de702-3173-4a71-b336-a4fab786a479";
 
             //Get lab details
-            LabResponse labResponse = await LabUserHelper.GetCIAMUserAsync().ConfigureAwait(false);
+            var user = await LabResponseHelper.GetUserConfigAsync(KeyVaultSecrets.UserCiam).ConfigureAwait(false);
+            var app = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.MsalAppCiam).ConfigureAwait(false);
 
             //Acquire tokens
             var msalPublicClient = PublicClientApplicationBuilder
-                .Create(labResponse.App.AppId)
-                .WithAuthority(labResponse.App.Authority, false)
-                .WithRedirectUri(labResponse.App.RedirectUri)
+                .Create(app.AppId)
+                .WithAuthority(app.Authority, false)
+                .WithRedirectUri(app.RedirectUri)
                 .Build();
 
             #pragma warning disable CS0618 // Type or member is obsolete
             var result = await msalPublicClient
-                .AcquireTokenByUsernamePassword(new[] { labResponse.App.DefaultScopes }, labResponse.User.Upn, labResponse.User.GetOrFetchPassword())
+                .AcquireTokenByUsernamePassword(new[] { app.DefaultScopes }, user.Upn, user.GetOrFetchPassword())
                 .ExecuteAsync()
                 .ConfigureAwait(false);
             #pragma warning restore CS0618
@@ -208,18 +210,19 @@ public async Task OBOCiam_CustomDomain_ReturnsValidTokens()
         public async Task WithOidcAuthority_ValidatesIssuerSuccessfully()
         {
             //Get lab details
-            var labResponse = await LabUserHelper.GetCIAMUserAsync().ConfigureAwait(false);
+            var user = await LabResponseHelper.GetUserConfigAsync(KeyVaultSecrets.UserCiam).ConfigureAwait(false);
+            var app = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.MsalAppCiam).ConfigureAwait(false);
 
             //Test with standard and CUD CIAM authorities
             string[] authorities =
             {
-                string.Format("https://{0}.ciamlogin.com/{1}/v2.0/", labResponse.Lab.TenantId, labResponse.Lab.TenantId),
-                string.Format("https://login.msidlabsciam.com/{0}/v2.0/", labResponse.Lab.TenantId)
+                string.Format("https://{0}.ciamlogin.com/{1}/v2.0/", user.TenantId, user.TenantId),
+                string.Format("https://login.msidlabsciam.com/{0}/v2.0/", user.TenantId)
             };
 
             foreach (var authority in authorities)
             {
-                await RunCiamCCATest(authority, labResponse.App.AppId, true).ConfigureAwait(false);
+                await RunCiamCCATest(authority, app.AppId, true).ConfigureAwait(false);
             }
         }
 

@@ -223,26 +223,27 @@ public async Task WithOnBeforeTokenRequest_TestAsync(Cloud cloud, TargetFramewor
         public async Task ByRefreshTokenTestAsync()
         {
             // Arrange
-            var labResponse = await LabUserHelper.GetDefaultUserAsync().ConfigureAwait(false);
+            var user = await LabResponseHelper.GetUserConfigAsync(KeyVaultSecrets.UserPublicCloud).ConfigureAwait(false);
+            var app = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppPCAClient).ConfigureAwait(false);
 
             var msalPublicClient = PublicClientApplicationBuilder
-                .Create(labResponse.App.AppId)
+                .Create(app.AppId)
                 .WithTestLogging()
-                .WithAuthority(labResponse.Lab.Authority, "organizations")
+                .WithAuthority(app.Authority, "organizations")
                 .BuildConcrete();
 
 #pragma warning disable CS0618 // Type or member is obsolete
             AuthenticationResult authResult = await msalPublicClient
-                .AcquireTokenByUsernamePassword(s_scopes, labResponse.User.Upn, labResponse.User.GetOrFetchPassword())
+                .AcquireTokenByUsernamePassword(s_scopes, user.Upn, user.GetOrFetchPassword())
                 .ExecuteAsync(CancellationToken.None)
                 .ConfigureAwait(false);
 #pragma warning restore CS0618
 
-            var confidentialApp = ConfidentialClientApplicationBuilder
-                .Create(labResponse.App.AppId)
-                .WithAuthority(labResponse.Lab.Authority, labResponse.User.TenantId)
-                .WithTestLogging()
-                .BuildConcrete();
+var confidentialApp = ConfidentialClientApplicationBuilder
+    .Create(app.AppId)
+    .WithAuthority(app.Authority, user.TenantId)
+    .WithTestLogging()
+    .BuildConcrete();
 
             var rt = msalPublicClient.UserTokenCacheInternal.Accessor.GetAllRefreshTokens().FirstOrDefault();
 
@@ -262,12 +263,12 @@ public async Task ByRefreshTokenTestAsync()
 
             // Assert
             Assert.IsNotNull(authResult);
-            Assert.AreEqual(labResponse.User.Upn, authResult.Account.Username);
-            Assert.AreEqual(labResponse.User.ObjectId.ToString(), authResult.Account.HomeAccountId.ObjectId);
-            Assert.AreEqual(labResponse.User.TenantId, authResult.Account.HomeAccountId.TenantId);
-            Assert.AreEqual(labResponse.User.Upn, account2.Username);
-            Assert.AreEqual(labResponse.User.ObjectId.ToString(), account2.HomeAccountId.ObjectId);
-            Assert.AreEqual(labResponse.User.TenantId, account2.HomeAccountId.TenantId);
+            Assert.AreEqual(user.Upn, authResult.Account.Username);
+            Assert.AreEqual(user.ObjectId.ToString(), authResult.Account.HomeAccountId.ObjectId);
+            Assert.AreEqual(user.TenantId, authResult.Account.HomeAccountId.TenantId);
+            Assert.AreEqual(user.Upn, account2.Username);
+            Assert.AreEqual(user.ObjectId.ToString(), account2.HomeAccountId.ObjectId);
+            Assert.AreEqual(user.TenantId, account2.HomeAccountId.TenantId);
         }
 
         private static void ModifyRequest(OnBeforeTokenRequestData data, X509Certificate2 certificate)

@@ -30,12 +30,12 @@ public class InstanceDiscoveryIntegrationTests
         [TestMethod]
         public async Task AuthorityMigrationAsync()
         {
-            LabResponse labResponse = await LabUserHelper.GetDefaultUserAsync().ConfigureAwait(false);
-            LabUser user = labResponse.User;
+            var user = await LabResponseHelper.GetUserConfigAsync(KeyVaultSecrets.UserPublicCloud).ConfigureAwait(false);
+            var app = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppPCAClient).ConfigureAwait(false);
 
             IPublicClientApplication pca = PublicClientApplicationBuilder
-                .Create(labResponse.App.AppId)
-                .WithAuthority("https://login.windows.net/" + labResponse.Lab.TenantId + "/")
+                .Create(app.AppId)
+                .WithAuthority("https://login.windows.net/" + user.TenantId + "/")
                 .WithTestLogging()
                 .Build();
 
@@ -49,7 +49,7 @@ public async Task AuthorityMigrationAsync()
                 // BugBug https://identitydivision.visualstudio.com/Engineering/_workitems/edit/776308/
                 // sts.windows.net fails when doing instance discovery, e.g.:
                 // https://sts.windows.net/common/discovery/instance?api-version=1.1&authorization_endpoint=https%3A%2F%2Fsts.windows.net%2Ff645ad92-e38d-4d1a-b510-d1b09a74a8ca%2Foauth2%2Fv2.0%2Fauthorize
-                .WithTenantId(labResponse.Lab.TenantId)
+                .WithTenantId(user.TenantId)
                 .ExecuteAsync()
                 .ConfigureAwait(false);
             #pragma warning restore CS0618
@@ -69,11 +69,11 @@ public async Task AuthorityMigrationAsync()
         [TestMethod]
         public async Task FailedAuthorityValidationTestAsync()
         {
-            LabResponse labResponse = await LabUserHelper.GetDefaultUserWithMultiTenantAppAsync().ConfigureAwait(false);
-            LabUser user = labResponse.User;
+            var user = await LabResponseHelper.GetUserConfigAsync(KeyVaultSecrets.UserPublicCloud).ConfigureAwait(false);
+            var app = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.MsalAppAzureAdMultipleOrgs).ConfigureAwait(false);
 
             IPublicClientApplication pca = PublicClientApplicationBuilder
-                .Create(labResponse.App.AppId)
+                .Create(app.AppId)
                 .WithAuthority("https://bogus.microsoft.com/common")
                 .WithTestLogging()
                 .Build();
@@ -97,11 +97,11 @@ public async Task FailedAuthorityValidationTestAsync()
         [TestMethod]
         public async Task AuthorityValidationTestWithFalseValidateAuthorityAsync()
         {
-            LabResponse labResponse = await LabUserHelper.GetDefaultUserWithMultiTenantAppAsync().ConfigureAwait(false);
-            LabUser user = labResponse.User;
+            var user = await LabResponseHelper.GetUserConfigAsync(KeyVaultSecrets.UserPublicCloud).ConfigureAwait(false);
+            var app = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.MsalAppAzureAdMultipleOrgs).ConfigureAwait(false);
 
             IPublicClientApplication pca = PublicClientApplicationBuilder
-                .Create(labResponse.App.AppId)
+                .Create(app.AppId)
                 .WithAuthority("https://bogus.microsoft.com/common", false)
                 .WithTestLogging()
                 .Build();