
Add confidential client troubleshooting guide #760

Open
neha-bhargava wants to merge 1 commit into live from docs/confidential-client-troubleshooting

Conversation

@neha-bhargava

Contributor

Summary

Adds a new troubleshooting page for confidential client applications under Advanced > Handling exceptions and errors.

Topics covered

  • Throttling (HTTP 429 / AADSTS50196) — detecting cache misses, respecting Retry-After
  • Network instability and socket exceptions — token caching as primary mitigation, HttpClient guidance
  • On-Behalf-Of (OBO) failures — AADSTS50013, consent issues, token size
  • Client credential errors — invalid secret (AADSTS7000215), expired cert (AADSTS700024), app not found (AADSTS700016)
  • Token cache miss diagnosis — CacheRefreshReason table, distributed cache verification
  • Managed Identity failures — IMDS timeout, federated identity credential mismatch

Motivation

These scenarios were identified as gaps in the existing MSAL.NET documentation. The current exception/error handling docs focus primarily on public client (desktop/mobile) flows. This page provides equivalent guidance for service-to-service scenarios that are common in production workloads.

Changes

  • `msal-dotnet-articles/advanced/exceptions/confidential-client-troubleshooting.md` — new page
  • `msal-dotnet-articles/TOC.yml` — added TOC entry under 'Handling exceptions and errors'

New page covering common issues in confidential client apps:
- Throttling (HTTP 429 / AADSTS50196)
- Network instability and socket exceptions
- On-Behalf-Of (OBO) failures
- Client credential errors (invalid secret, expired cert, app not found)
- Token cache miss diagnosis
- Managed Identity failures

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@neha-bhargava neha-bhargava requested a review from a team as a code owner May 19, 2026 18:54
@learn-build-service-prod

Contributor

Learn Build status updates of commit b9d6304:

✅ Validation status: passed

| File | Status | Preview URL |
|---|---|---|
| msal-dotnet-articles/advanced/exceptions/confidential-client-troubleshooting.md | ✅ Succeeded | View |
| msal-dotnet-articles/TOC.yml | ✅ Succeeded | View |

For more details, please refer to the build report.

@learn-build-service-prod

Contributor

PoliCheck Scan Report

The following report lists PoliCheck issues in PR files. Before you merge the PR, you must fix all severity-1 and severity-2 issues. The AI Review Details column lists suggestions for either removing or replacing the terms. If you find a false positive result, mention it in a PR comment and include this text: #policheck-false-positive. This feedback helps reduce false positives in future scans.

✅ No issues found


Review comment on `confidential-client-troubleshooting.md`, quoted context:

> Verify if there are any recent updates to network or firewall rules that might have caused connectivity issues to `login.microsoftonline.com` and regional endpoints.
>
> ## On-Behalf-Of (OBO) failures

Contributor


There are also cases where a UiRequiredException is thrown and the user needs to handle conditional access by satisfying the provided access policies in the claims.

See MsalUiRequiredException

@trwalke trwalke left a comment

Contributor


Should handle claims challenge for conditional access. Otherwise LGTM

Review comment on `confidential-client-troubleshooting.md`, quoted context:

> `MsalServiceException` with `AADSTS7000215: Invalid client secret provided`.
>
> #### Resolution

Contributor


My understanding is that we wanted to move away from client secrets due to security. Should probably add a comment here encouraging customers to use certs or some other auth method.

Review comment on `confidential-client-troubleshooting.md`, quoted context:

> #### Symptoms
>
> `MsalServiceException` with error code `AADSTS50013: Assertion failed signature validation` or `invalid_grant`.

@bgavrilMS bgavrilMS May 21, 2026

Collaborator


I think it's worth stating that apps should not try to extract the AADSTS error codes and to handle these dynamically. The codes are just references.

The exception types are sufficient for dynamic processing, e.g. UiRequiredException - need to reprompt the user, ClaimsException - need to add claims.
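The two review points above (propagate the claims challenge for Conditional Access; branch on MSAL.NET exception types, never on parsed AADSTS codes) in code, added here as an illustration and not taken from the PR's page or from MSAL.NET's own samples. `OboOutcome` and `OboTokenHelper` are hypothetical names; the block assumes the public MSAL.NET types `IConfidentialClientApplication`, `UserAssertion`, `MsalUiRequiredException`, `MsalServiceException` and `MsalClientException`.

```csharp
using System;
using System.Net;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Hypothetical result type handed back to the web API layer (not part of MSAL.NET).
public sealed record OboOutcome(HttpStatusCode Status, string? AccessToken = null,
                                string? ClaimsChallenge = null, TimeSpan? RetryAfter = null);

public static class OboTokenHelper
{
    // Control flow depends only on the exception type; the AADSTS code is logged as a
    // reference for support, never parsed to decide what to do.
    public static async Task<OboOutcome> AcquireForDownstreamAsync(
        IConfidentialClientApplication app, string[] scopes, string incomingBearerToken)
    {
        try
        {
            AuthenticationResult result = await app
                .AcquireTokenOnBehalfOf(scopes, new UserAssertion(incomingBearerToken))
                .ExecuteAsync();
            return new OboOutcome(HttpStatusCode.OK, result.AccessToken);
        }
        catch (MsalUiRequiredException ex)
        {
            // Conditional Access or consent: a web API cannot prompt, so it returns 401 and
            // hands the claims challenge (may be null for plain consent) back to the caller,
            // which re-authenticates with .WithClaims(ex.Claims) and retries.
            Console.WriteLine($"Interaction required: {ex.ErrorCode} (corr {ex.CorrelationId})");
            return new OboOutcome(HttpStatusCode.Unauthorized, ClaimsChallenge: ex.Claims);
        }
        catch (MsalServiceException ex) when (ex.StatusCode == 429)
        {
            // Throttled by the STS: surface Retry-After to the caller instead of retrying
            // in a tight loop; a 60 s fallback is an assumption, not a documented default.
            TimeSpan delay = ex.Headers?.RetryAfter?.Delta ?? TimeSpan.FromSeconds(60);
            return new OboOutcome(HttpStatusCode.TooManyRequests, RetryAfter: delay);
        }
        catch (MsalServiceException ex)
        {
            // Invalid secret, expired certificate, bad assertion: a deployment problem to
            // fix out of band, so no automatic retry.
            Console.WriteLine($"STS rejected request: {ex.ErrorCode} (corr {ex.CorrelationId})");
            return new OboOutcome(HttpStatusCode.InternalServerError);
        }
        catch (MsalClientException ex)
        {
            // No STS response at all (network, socket, local config); serving from the
            // token cache avoids most of these.
            Console.WriteLine($"Client-side failure: {ex.ErrorCode}: {ex.Message}");
            return new OboOutcome(HttpStatusCode.ServiceUnavailable);
        }
    }
}
```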
