| title | What's new in Microsoft single sign-on for Linux |
|---|---|
| description | Discusses new feature releases of Microsoft single sign-on for Linux |
| ai-usage | ai-assisted |
| author | ploegert |
| ms.author | jploegert |
| ms.topic | whats-new |
| ms.date | 04/02/2026 |
| ms.custom | linux-related-content |
Microsoft periodically adds and modifies features and functionality in the Microsoft identity platform to improve security, usability, and standards compliance.
Unless otherwise noted, the changes described here apply only to applications registered after the stated effective date of the change.
Check this article regularly to learn about:
- Known issues and fixes
- Protocol changes
- Deprecated functionality
This article provides information about the latest updates to Microsoft single sign-on for Linux.
Microsoft uses the following package repositories to distribute Microsoft Identity Broker and Microsoft Identity Diagnostics for Linux. Packages are available in either .deb or .rpm format; however, only Ubuntu long-term support (LTS) and Red Hat Enterprise Linux (RHEL) are supported.
| Channel | Primary purpose | Latest version | Supported | Source |
|---|---|---|---|---|
| stable | Production workloads | 3.0.x | Yes | Ubuntu 24.04 - Noble, Ubuntu 22.04 - Jammy, RHEL8, RHEL9 |
| insiders-fast | Testing prerelease packages | 3.0.x | No | Ubuntu 24.04 - Noble, Ubuntu 22.04 - Jammy, RHEL8, RHEL9, RHEL10 |
Note
The current production version of the microsoft-identity-broker is 3.0.1.
The insiders-fast channel in packages.microsoft.com lets you test prerelease packages. Don't use it for production workloads. It might contain breaking changes or incomplete features.
Warning
Versions 2.0.2 and later represent a major architectural change from Java-based to C++-based broker implementation. If you're upgrading from a previous version (prod: 2.0.1 or earlier, insiders-fast: 2.0.4 or earlier), users will need to re-register and re-enroll their devices after performing an upgrade of the previous version.
To add the appropriate package repository for your Linux distribution, follow the instructions below:
- Install `curl` and `gpg`.

  ```bash
  sudo apt install curl gpg
  ```

- Install the Microsoft package signing key.

  ```bash
  curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg
  sudo install -o root -g root -m 644 microsoft.gpg /usr/share/keyrings
  rm microsoft.gpg
  ```

- Add the Microsoft package repository and update package metadata.

  ```bash
  sudo sh -c 'echo "deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft.gpg] https://packages.microsoft.com/ubuntu/$(lsb_release -rs)/prod $(lsb_release -cs) main" >> /etc/apt/sources.list.d/microsoft-ubuntu-$(lsb_release -cs)-prod.list'
  sudo apt update
  ```
- Install `curl` and `gpg`.

  ```bash
  sudo apt install curl gpg
  ```

- Install the insiders-fast repository signing key.

  ```bash
  curl -s https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft-insiders-fast.gpg
  sudo install -o root -g root -m 644 microsoft-insiders-fast.gpg /usr/share/keyrings
  rm microsoft-insiders-fast.gpg
  ```

- Add the Microsoft package repository and update package metadata.

  ```bash
  sudo sh -c 'echo "deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft-insiders-fast.gpg] https://packages.microsoft.com/ubuntu/$(lsb_release -rs)/prod insiders-fast main" >> /etc/apt/sources.list.d/microsoft-ubuntu-$(lsb_release -cs)-insiders-fast.list'
  sudo apt update
  ```
- Install the Microsoft package signing key.

  ```bash
  # Legacy key (needed for RHEL 8 and RHEL 9 packages and Microsoft Edge)
  sudo rpm --import https://packages.microsoft.com/keys/microsoft.asc
  ```

- Add the Microsoft package repository.

  ```bash
  sudo dnf install -y dnf-plugins-core
  sudo dnf config-manager --add-repo https://packages.microsoft.com/yumrepos/microsoft-rhel$(rpm -E %rhel).0-prod
  ```
- Install the Microsoft package signing keys. RHEL 10 packages are signed with a newer Microsoft GPG key (RSA-4096), different from the `microsoft.asc` key used for RHEL 8 and RHEL 9.

  ```bash
  # Legacy key (needed for Microsoft Edge)
  sudo rpm --import https://packages.microsoft.com/keys/microsoft.asc
  # New key for RHEL 10 packages
  sudo rpm --import https://packages.microsoft.com/rhel/10/prod/repodata/repomd.xml.key
  ```

- Add the repository by creating a new repo file under `/etc/yum.repos.d/` with the following content:

  ```bash
  sudo tee /etc/yum.repos.d/microsoft-prod.repo > /dev/null <<EOF
  [microsoft-prod]
  name=Microsoft prod - RHEL 10
  baseurl=https://packages.microsoft.com/rhel/10/prod
  enabled=1
  gpgcheck=1
  gpgkey=https://packages.microsoft.com/rhel/10/prod/repodata/repomd.xml.key
  EOF
  ```
- Install the Microsoft package signing keys.

  ```bash
  # Legacy key (needed for Microsoft Edge)
  sudo rpm --import https://packages.microsoft.com/keys/microsoft.asc
  # Repository key for insiders-fast packages
  sudo rpm --import https://packages.microsoft.com/rhel/10/insiders-fast/repodata/repomd.xml.key
  ```

- Add the Microsoft package repository.

  ```bash
  sudo dnf install -y dnf-plugins-core
  # For RHEL 8 and 9
  sudo dnf config-manager --add-repo https://packages.microsoft.com/yumrepos/microsoft-rhel$(rpm -E %rhel).0-insiders-fast-prod
  # For RHEL 10:
  sudo dnf config-manager --add-repo https://packages.microsoft.com/yumrepos/microsoft-rhel10-insiders-fast-prod
  ```
- Install the Microsoft package signing keys. RHEL 10 packages are signed with a newer Microsoft GPG key (RSA-4096), different from the `microsoft.asc` key used for RHEL 8 and RHEL 9.

  ```bash
  # Legacy key (needed for Edge)
  sudo rpm --import https://packages.microsoft.com/keys/microsoft.asc
  # Key for RHEL 10 packages
  sudo rpm --import https://packages.microsoft.com/rhel/10/insiders-fast/repodata/repomd.xml.key
  ```

- Add the repository by creating a new repo file under `/etc/yum.repos.d/` with the following content:

  ```bash
  sudo tee /etc/yum.repos.d/microsoft-insiders-fast.repo > /dev/null <<EOF
  [microsoft-insiders-fast]
  name=Microsoft insiders-fast - RHEL 10
  baseurl=https://packages.microsoft.com/rhel/10/insiders-fast
  enabled=1
  gpgcheck=1
  gpgkey=https://packages.microsoft.com/rhel/10/insiders-fast/repodata/repomd.xml.key
  EOF
  ```
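
An added check, not part of Microsoft's instructions, for the repository definitions these steps create: it flags `packages.microsoft.com` entries that lack `signed-by`, set `gpgcheck=0`, or point at the insiders-fast channel on a host meant for production. The function names, finding labels, and sample files are constructed for this illustration.

```bash
# Added example: lint apt and dnf repo files that point at packages.microsoft.com.
# Finding names and the sample files are constructed for this illustration.

audit_ms_repos() {   # prints "file: FINDING" per problem, nothing when clean
    for f in "$@"; do
        awk -v file="$f" '
        function check_section() {   # judge the dnf section collected so far
            if (url ~ /packages\.microsoft\.com/ && enabled != "0") {
                if (gpgcheck == "0") print file ": GPGCHECK-DISABLED [" sect "]"
                if (url ~ /insiders-fast/) print file ": PRERELEASE-CHANNEL [" sect "]"
            }
            url = ""; gpgcheck = ""; enabled = ""
        }
        /^deb[ \t]/ && /packages\.microsoft\.com/ {   # apt one-line format
            if ($0 !~ /signed-by=/) print file ": NO-SIGNED-BY"
            line = $0; i = index(line, "]")           # drop the [options] block
            if (i) line = "deb" substr(line, i + 1)
            split(line, p, /[ \t]+/)                  # p[2] = URI, p[3] = suite
            if (p[3] == "insiders-fast") print file ": PRERELEASE-CHANNEL"
            next
        }
        /^\[/ { check_section(); sect = substr($0, 2, index($0, "]") - 2); next }
        /^baseurl[ \t]*=/  { sub(/^[^=]*=[ \t]*/, ""); url = $0; next }
        /^gpgcheck[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); gpgcheck = $0; next }
        /^enabled[ \t]*=/  { sub(/^[^=]*=[ \t]*/, ""); enabled = $0; next }
        END { check_section() }
        ' "$f"
    done
}

write_constructed_samples() {   # $1 = directory; inputs modelled on the steps above
    printf '%s\n' 'deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft.gpg] https://packages.microsoft.com/ubuntu/24.04/prod noble main' > "$1/ms-prod.list"
    printf '%s\n' 'deb [arch=amd64] https://packages.microsoft.com/ubuntu/24.04/prod insiders-fast main' > "$1/ms-fast.list"
    printf '%s\n' '[microsoft-prod]' 'baseurl=https://packages.microsoft.com/rhel/10/prod' \
        'enabled=1' 'gpgcheck=1' \
        '[microsoft-insiders-fast]' 'baseurl=https://packages.microsoft.com/rhel/10/insiders-fast' \
        'enabled=1' 'gpgcheck=0' > "$1/ms.repo"
}

# Demo on the constructed files; on a real host pass
# /etc/apt/sources.list.d/*.list or /etc/yum.repos.d/*.repo instead.
demo_dir=$(mktemp -d)
write_constructed_samples "$demo_dir"
audit_ms_repos "$demo_dir"/*
rm -rf "$demo_dir"
```
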
GA release of the Microsoft Identity Broker for Linux, now using a newly rewritten C++ broker instead of the previous Java-based broker.
- Introduces support for Phish Resistant MFA (PRMFA) on Linux devices using a SmartCard, Certificate Based Authentication (CBA), or FIDO2 key with a Personal Identity Verification (PIV) profile.
- Added a header to token requests to help differentiate identity broker versions.
- When a user configures single sign-on with a new Linux device, the device performs a Microsoft Entra join instead of a Microsoft Entra registration. A join results in creating a trust with the entire device, where a registration creates a trust only within the user profile. A join trust is a prerequisite step to enable platformSSO in the future.
- Renamed the device broker service to `microsoft-identity-devicebroker`.
- There's no longer a user broker service named `microsoft-identity-broker`. The user broker is now an executable invoked over D-Bus.
- Device certificates are moved from the keychain to `/etc/ssl/private`. In that directory, the broker creates a device certificate per tenant, a session transport key per tenant, and a deviceless key. All other user data, such as access tokens and refresh tokens, are stored in the keychain and accessed via Microsoft Authentication Library (MSAL).
- Added support for the `microsoft-identity-broker-diagnostics` package.
- Renamed a service component from `linux_broker` to `microsoft-identity-broker` for consistency.
- Renamed a service component from `linux_devicebroker` to `microsoft-identity-device-broker` for consistency.
- Updated `x-client-os` to use the distro name.
- Changed package file names to include the target OS.
- Included a LICENSE file and a broker-specific CHANGELOG.md in the Linux broker package.
- Updated embedded authentication window defaults (title/size) and improved centering behavior.
- Added support for RHEL 10.
- Added a `dsreg` command-line tool for device registration management and diagnostics.
- Updated the certificates and keys location used by the Linux device broker.
- Included the broker version in broker-produced telemetry.
- Added DUNA cross-platform support and DUNA iOS CBA.
- Fixed smart card dialog layout for GTK4.
- Fixed a callback issue when the browser is reused.
- Added GetDeviceState support with TLS 1.3 in the C++ broker.
- Handled `sem_timedwait` failures due to signals in `Msai::SecureStorageLock` and `Msoa::SystemMutex`.
- Ubuntu-24.04 - microsoft-identity-broker_3.0.1-noble_amd64.deb
- Ubuntu-22.04 - microsoft-identity-broker_3.0.1-jammy_amd64.deb
- Red Hat Enterprise Linux 10 - microsoft-identity-broker-3.0.1-1.el10.x86_64.rpm
- Red Hat Enterprise Linux 9.0 - microsoft-identity-broker-3.0.1-1.el9.x86_64.rpm
- Red Hat Enterprise Linux 8.0 - microsoft-identity-broker-3.0.1-1.el8.x86_64.rpm
- (Linux) Fix smartcard dialogs layout for GTK4
- (Linux) Fix a wrong callback issue if the browser is reused.
- Ubuntu-24.04 - microsoft-identity-broker_2.5.2-noble_amd64.deb
- Ubuntu-22.04 - microsoft-identity-broker_2.5.2-jammy_amd64.deb
- Red Hat Enterprise Linux 10 - microsoft-identity-broker-2.5.2-1.el10.x86_64.rpm
- Red Hat Enterprise Linux 9.0 - microsoft-identity-broker-2.5.2-1.el9.x86_64.rpm
- Red Hat Enterprise Linux 8.0 - microsoft-identity-broker-2.5.2-1.el8.x86_64.rpm
- (Linux) Fix smartcard dialogs layout for GTK4
- (Linux) Fix a wrong callback issue if the browser is reused.
- (Linux) Add GetDeviceState support with TLS 1.3 in CPP broker
- (Linux) Handle sem_timedwait failure due to process receiving a signal in Msai::SecureStorageLock and Msoa::SystemMutex
- Ubuntu-24.04 - microsoft-identity-broker_2.5.1-noble_amd64.deb
- Ubuntu-22.04 - microsoft-identity-broker_2.5.1-jammy_amd64.deb
- Red Hat Enterprise Linux 10 - microsoft-identity-broker-2.5.1-1.el10.x86_64.rpm
- Red Hat Enterprise Linux 9.0 - microsoft-identity-broker-2.5.1-1.el9.x86_64.rpm
- Red Hat Enterprise Linux 8.0 - microsoft-identity-broker-2.5.1-1.el8.x86_64.rpm
- (Linux) Change package file names to include target OS
- (Linux) Misc Bug Fixes
- (Linux) Include a LICENSE file and a broker-specific CHANGELOG.md in the Linux broker package.
- (Linux) Update embedded authentication window defaults (title/size) and improve centering behavior.
- (Linux) Add support for RHEL 10
- (Linux) Add dsreg command-line tool for device registration management and diagnostics
- (Linux) Update certificates/keys location used by Linux device broker
- (Linux) Include broker version in broker-produced telemetry
- (xplat) Add DUNA xplat and DUNA iOS CBA
- Ubuntu-24.04 - microsoft-identity-broker_2.5.0-noble_amd64.deb
- Ubuntu-22.04 - microsoft-identity-broker_2.5.0-jammy_amd64.deb
- Added support for the microsoft-identity-broker-diagnostics package.
- Renamed a service component from `linux_broker` to `microsoft-identity-broker` for consistency.
- Renamed a service component from `linux_devicebroker` to `microsoft-identity-device-broker` for consistency.
- Update x-client-os to use distro name
- Ubuntu-24.04 - microsoft-identity-broker_2.0.3_amd64.deb
- Ubuntu-22.04 - microsoft-identity-broker_2.0.3_amd64.deb
Preview update to use a newly rewritten C++ broker instead of the previous Java-based broker.
- Introduces support for Phish Resistant MFA (PRMFA) on Linux devices using a SmartCard, Certificate Based Authentication (CBA), or FIDO2 key with a Personal Identity Verification (PIV) profile.
- Added a header to token requests, enabling differentiation between identity broker versions.
- When a user configures single sign-on with a new Linux device, the device performs a Microsoft Entra join instead of a Microsoft Entra registration. A join results in creating a trust with the entire device, where a registration creates a trust only within the user profile. A join trust is a prerequisite step to enable platformSSO in the future.
- Renamed the device broker service to `microsoft-identity-devicebroker`.
- There is no longer a user broker service named `microsoft-identity-broker`. The user broker is now an executable that gets invoked via a D-Bus connection.
- Device certs are moved from the keychain to `/etc/ssl/private`. In the `private` directory, the broker creates a device cert per tenant, a session transport key per tenant, and a deviceless key. All other user data, such as access tokens and refresh tokens (AT/RT), are stored in the keychain and accessed via Microsoft Authentication Library (MSAL).
- Ubuntu-24.04 - microsoft-identity-broker_2.0.2_amd64.deb
- Ubuntu-22.04 - microsoft-identity-broker_2.0.2_amd64.deb
- As of 2.0.1, `microsoft.identity.broker` supports using MSAL Python with an auth broker on Linux and using MSAL.NET with the broker on Linux to make token requests via the broker.
- Added package support for Ubuntu 24.04.
- Ubuntu-24.04 - microsoft-identity-broker_2.0.1_amd64.deb
- Ubuntu-22.04 - microsoft-identity-broker_2.0.1_amd64.deb
- Ubuntu-20.04 - microsoft-identity-broker_2.0.1_amd64.deb
- Bug fixes
- Ubuntu-22.04 - microsoft-identity-broker_2.0.0_amd64.deb
- Ubuntu-20.04 - microsoft-identity-broker_2.0.0_amd64.deb
- Addressing the 1001 on registration failure
- Updating the install scripts for Red Hat Enterprise Linux Broker
- Adding license to Linux Broker Package
- [PATCH] Perform safe deserialization for X509 Certificate in Linux Broker (#2483)
- Ubuntu-20.04 - microsoft-identity-broker_1.6.1_amd64.deb
- Ubuntu-22.04 - microsoft-identity-broker_1.6.1_amd64.deb
- Added support for Red Hat Enterprise Linux 8 and 9.
- Ubuntu-20.04 - microsoft-identity-broker_1.6.0_amd64.deb
- Ubuntu-22.04 - microsoft-identity-broker_1.6.0_amd64.deb
- Red Hat Enterprise Linux 9.0 - microsoft-identity-broker-1.6.0-1.x86_64.rpm
- Red Hat Enterprise Linux 8.0 - microsoft-identity-broker-1.6.0-1.x86_64.rpm
- Update serialization library
- Excluded the memory consumption change
- Secret service version upgrade - kubuntu
- Ubuntu-20.04 - microsoft-identity-broker_1.5.1_amd64.deb
- Ubuntu-22.04 - microsoft-identity-broker_1.5.1_amd64.deb
- Resource Owner Password Credential (ROPC) test hook.
- Added logging for keyring "1001" errors.
- Ubuntu-20.04 - microsoft-identity-broker_1.4.1_amd64.deb
- Ubuntu-22.04 - microsoft-identity-broker_1.4.1_amd64.deb
- Java 17 support
- Ubuntu 22 support
- Ubuntu-20.04 - microsoft-identity-broker_1.4.0_amd64.deb
- Ubuntu-22.04 - microsoft-identity-broker_1.4.0_amd64.deb
- Ubuntu-20.04 - microsoft-identity-broker_1.3.0_amd64.deb
- Ubuntu-20.04 - microsoft-identity-broker_1.2.0_amd64.deb
- Added support for the microsoft-identity-broker-diagnostics package.
- Renamed `linux_broker` to `microsoft-identity-broker`.
- Ubuntu-24.04 - microsoft-identity-diagnostics_2.0.3_amd64.deb
- Ubuntu-22.04 - microsoft-identity-diagnostics_2.0.3_amd64.deb
- Ubuntu 22.04 - microsoft-identity-diagnostics_1.1.0_amd64.deb
- Red Hat Enterprise Linux 8.0 - microsoft-identity-diagnostics-1.0.1-1.x86_64.rpm
Before upgrading:
- Check the current version: `dpkg -l microsoft-identity-broker`.
- Review breaking changes in the target version.
- Plan for potential device re-registration.
Java to C++ Broker Migration (2.0.1 → 2.0.2+):
- Symptom: Authentication failures after upgrade
- Solution: Complete uninstall and clean reinstall required
- Steps: Remove all broker state, reinstall new version, re-register device
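
For planning the re-registration step across many machines, the following added example (not part of the broker packages or Microsoft's tooling) applies the version boundaries from the upgrade warning to a host inventory and lists the hosts that are still on a Java-based broker. The inventory format, host names, and function names are assumptions made for the illustration.

```bash
# Added example: list hosts whose broker upgrade crosses the Java-to-C++ boundary.
# Boundaries come from the warning on this page; the inventory is constructed.

ver_le() {   # exit 0 when dotted version $1 <= $2 (numeric, field by field)
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, "."); if (m > n) n = m
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 0
    }'
}

needs_reenroll() {   # $1 = channel, $2 = installed package version
    case $1 in
        stable)        last_java=2.0.1 ;;   # "prod: 2.0.1 or earlier"
        insiders-fast) last_java=2.0.4 ;;   # "insiders-fast: 2.0.4 or earlier"
        *) echo "unknown channel: $1" >&2; return 2 ;;
    esac
    ver_le "${2%%-*}" "$last_java"          # strip suffixes such as "-noble"
}

installed_broker_version() {   # run on the host itself; check the exit status
    dpkg-query -W -f='${Version}' microsoft-identity-broker 2>/dev/null ||
        rpm -q --qf '%{VERSION}' microsoft-identity-broker 2>/dev/null
}

reenroll_report() {   # stdin: "host channel version" per line; prints affected hosts
    while read -r host channel version; do
        [ -n "$host" ] || continue
        if needs_reenroll "$channel" "$version"; then
            echo "$host"
        fi
    done
}

# Constructed inventory: ws-01, ws-02 and ws-04 are at or below the boundary.
reenroll_report <<'EOF'
ws-01 stable 1.6.1
ws-02 stable 2.0.1
ws-03 stable 2.5.2-noble
ws-04 insiders-fast 2.0.4
ws-05 insiders-fast 3.0.1-1.el9
EOF
```
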
Package Installation Issues:
- Verify repository configuration matches your Ubuntu/RHEL version
- Check network connectivity to packages.microsoft.com
- Ensure sufficient disk space for installation
For version-specific issues:
- Check the release notes for known issues
- Verify system requirements are met
- Review logs using: `journalctl --user -u microsoft-identity-broker.service`
- Consider using the microsoft-identity-diagnostics package for detailed troubleshooting