Disconnect-MgGraph does not clear the persisted MSAL token cache

[gavinbarron]

Description

When a user runs Disconnect-MgGraph, the MSAL token cache persisted to disk is not cleared. Currently, LogoutAsync() only:

1. Clears the in-memory token cache
2. Nulls out the AuthContext and GraphHttpClient
3. Deletes the authentication record file (mg.authrecord.json)

The disk-persisted MSAL cache (used when ContextScope == CurrentUser) at %LOCALAPPDATA%\.IdentityService\mg.msal.cache.cae and mg.msal.cache.nocae remains intact. This means cached tokens survive disconnection and can be reused in subsequent sessions without re-authentication.

Expected Behavior

Running Disconnect-MgGraph should fully clear all cached authentication state, including the persisted MSAL token cache on disk, so that subsequent Connect-MgGraph calls require fresh authentication.

Current Behavior

After Disconnect-MgGraph, the persisted token cache files remain on disk. A new PowerShell session can silently reuse cached tokens without prompting for authentication.

Suggested Approach

Azure.Identity does not expose APIs to clear the persisted token cache. However, the MSAL library (Microsoft.Identity.Client.Extensions.Msal) that Azure.Identity depends on can be used directly:

1. Create StorageCreationProperties matching Azure.Identity's internal cache configuration
2. Build a MsalCacheHelper targeting the named cache
3. Call MsalCacheHelper.Clear() to wipe both .cae and .nocae cache variants during disconnect

Environment

• Module: Microsoft.Graph.Authentication
• Affected scope: ContextScope.CurrentUser (disk-persisted cache)
• Platforms: Windows (DPAPI), macOS (Keychain), Linux (libsecret/plaintext)