<PackageReference Include="Microsoft.Identity.Client" Version="4.83.3" />

Microsoft.Identity.Client.ManagedIdentity.KeyProviders.WindowsCngKeyOperations

static class WindowsCngKeyOperations
Provides CNG-backed cryptographic key operations for Windows platforms, supporting both CredentialGuard-protected keys (with VBS/TPM integration) and hardware-backed TPM/KSP keys for managed identity authentication scenarios.
public static bool IsKeyGuardProtected(CngKey key)

Determines whether the specified CNG key is protected by Key Guard.

public static bool TryGetOrCreateHardwareRsa(ILoggerAdapter logger, out RSA rsa)

Attempts to get or create a hardware-backed RSA key using the Platform Crypto Provider (PCP) for TPM-based key storage and operations.

public static bool TryGetOrCreateKeyGuard(ILoggerAdapter logger, out RSA rsa)

Attempts to get or create a CredentialGuard-protected RSA key for managed identity operations. This method first tries to open an existing key, and if not found, creates a fresh CredentialGuard-protected key. CredentialGuard requires VBS (Virtualization Based Security) to be enabled and supported.