diff --git a/Directory.Packages.props b/Directory.Packages.props
index a58477f84e..6d2b8f63ee 100644
--- a/Directory.Packages.props
+++ b/Directory.Packages.props
@@ -32,11 +32,15 @@
     <PackageVersion Include="Xamarin.AndroidX.Browser" Version="1.4.0" PrivateAssets="All" />
   </ItemGroup>
   <ItemGroup>
-    <!-- Analyzers and dev packages -->
+    <!-- Analyzers, dev packages and Lab -->
+    <PackageVersion Include="Azure.Identity" Version="1.15.0" />
+    <PackageVersion Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="9.0.8" />
+    <PackageVersion Include="Microsoft.Extensions.Options" Version="9.0.8" />
     <PackageVersion Include="Microsoft.VisualStudio.Threading.Analyzers" Version="17.12.19" PrivateAssets="All" />
     <PackageVersion Include="Microsoft.CodeAnalysis.NetAnalyzers" Version="8.0.0" PrivateAssets="All" />
     <PackageVersion Include="Microsoft.SourceLink.GitHub" Version="8.0.0" PrivateAssets="All" />
     <PackageVersion Include="Microsoft.CodeAnalysis.PublicApiAnalyzers" Version="3.3.4" PrivateAssets="All" />
+    <PackageVersion Include="Microsoft.Extensions.DependencyInjection" Version="9.0.8" />
   </ItemGroup>
   <ItemGroup>
     <!-- Packages for the tests -->
diff --git a/LibsAndSamples.sln b/LibsAndSamples.sln
index ce76cc9fab..f99f608d00 100644
--- a/LibsAndSamples.sln
+++ b/LibsAndSamples.sln
@@ -189,6 +189,10 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "MacMauiAppWithBroker", "tes
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "MacConsoleAppWithBroker", "tests\devapps\MacConsoleAppWithBroker\MacConsoleAppWithBroker.csproj", "{DBD18BC8-72E4-47D4-BD79-8DEBD9F2C0D0}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.Identity.Client.Labs", "src\client\Microsoft.Identity.Client.Labs\Microsoft.Identity.Client.Labs.csproj", "{0175FBD0-A14C-4742-803A-CCE71B4FA566}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.Identity.Client.Labs.Tests", "tests\Microsoft.Identity.Client.Labs.Tests\Microsoft.Identity.Client.Labs.Tests.csproj", "{FD5E59AC-D6D3-18C6-B50A-DE15C654C942}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug + MobileApps|Any CPU = Debug + MobileApps|Any CPU
@@ -1907,6 +1911,90 @@ Global
 		{DBD18BC8-72E4-47D4-BD79-8DEBD9F2C0D0}.Release|x64.Build.0 = Release|Any CPU
 		{DBD18BC8-72E4-47D4-BD79-8DEBD9F2C0D0}.Release|x86.ActiveCfg = Release|Any CPU
 		{DBD18BC8-72E4-47D4-BD79-8DEBD9F2C0D0}.Release|x86.Build.0 = Release|Any CPU
+		{0175FBD0-A14C-4742-803A-CCE71B4FA566}.Debug + MobileApps|Any CPU.ActiveCfg = Debug|Any CPU
+		{0175FBD0-A14C-4742-803A-CCE71B4FA566}.Debug + MobileApps|Any CPU.Build.0 = Debug|Any CPU
+		{0175FBD0-A14C-4742-803A-CCE71B4FA566}.Debug + MobileApps|ARM.ActiveCfg = Debug|Any CPU
+		{0175FBD0-A14C-4742-803A-CCE71B4FA566}.Debug + MobileApps|ARM.Build.0 = Debug|Any CPU
+		{0175FBD0-A14C-4742-803A-CCE71B4FA566}.Debug + MobileApps|ARM64.ActiveCfg = Debug|Any CPU
+		{0175FBD0-A14C-4742-803A-CCE71B4FA566}.Debug + MobileApps|ARM64.Build.0 = Debug|Any CPU
+		{0175FBD0-A14C-4742-803A-CCE71B4FA566}.Debug + MobileApps|iPhone.ActiveCfg = Debug|Any CPU
+		{0175FBD0-A14C-4742-803A-CCE71B4FA566}.Debug + MobileApps|iPhone.Build.0 = Debug|Any CPU
+		{0175FBD0-A14C-4742-803A-CCE71B4FA566}.Debug + MobileApps|iPhoneSimulator.ActiveCfg = Debug|Any CPU
+		{0175FBD0-A14C-4742-803A-CCE71B4FA566}.Debug + MobileApps|iPhoneSimulator.Build.0 = Debug|Any CPU
+		{0175FBD0-A14C-4742-803A-CCE71B4FA566}.Debug + MobileApps|x64.ActiveCfg = Debug|Any CPU
+		{0175FBD0-A14C-4742-803A-CCE71B4FA566}.Debug + MobileApps|x64.Build.0 = Debug|Any CPU
+		{0175FBD0-A14C-4742-803A-CCE71B4FA566}.Debug + MobileApps|x86.ActiveCfg = Debug|Any CPU
+		{0175FBD0-A14C-4742-803A-CCE71B4FA566}.Debug + MobileApps|x86.Build.0 = Debug|Any CPU
+		{0175FBD0-A14C-4742-803A-CCE71B4FA566}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{0175FBD0-A14C-4742-803A-CCE71B4FA566}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{0175FBD0-A14C-4742-803A-CCE71B4FA566}.Debug|ARM.ActiveCfg = Debug|Any CPU
+		{0175FBD0-A14C-4742-803A-CCE71B4FA566}.Debug|ARM.Build.0 = Debug|Any CPU
+		{0175FBD0-A14C-4742-803A-CCE71B4FA566}.Debug|ARM64.ActiveCfg = Debug|Any CPU
+		{0175FBD0-A14C-4742-803A-CCE71B4FA566}.Debug|ARM64.Build.0 = Debug|Any CPU
+		{0175FBD0-A14C-4742-803A-CCE71B4FA566}.Debug|iPhone.ActiveCfg = Debug|Any CPU
+		{0175FBD0-A14C-4742-803A-CCE71B4FA566}.Debug|iPhone.Build.0 = Debug|Any CPU
+		{0175FBD0-A14C-4742-803A-CCE71B4FA566}.Debug|iPhoneSimulator.ActiveCfg = Debug|Any CPU
+		{0175FBD0-A14C-4742-803A-CCE71B4FA566}.Debug|iPhoneSimulator.Build.0 = Debug|Any CPU
+		{0175FBD0-A14C-4742-803A-CCE71B4FA566}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{0175FBD0-A14C-4742-803A-CCE71B4FA566}.Debug|x64.Build.0 = Debug|Any CPU
+		{0175FBD0-A14C-4742-803A-CCE71B4FA566}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{0175FBD0-A14C-4742-803A-CCE71B4FA566}.Debug|x86.Build.0 = Debug|Any CPU
+		{0175FBD0-A14C-4742-803A-CCE71B4FA566}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{0175FBD0-A14C-4742-803A-CCE71B4FA566}.Release|Any CPU.Build.0 = Release|Any CPU
+		{0175FBD0-A14C-4742-803A-CCE71B4FA566}.Release|ARM.ActiveCfg = Release|Any CPU
+		{0175FBD0-A14C-4742-803A-CCE71B4FA566}.Release|ARM.Build.0 = Release|Any CPU
+		{0175FBD0-A14C-4742-803A-CCE71B4FA566}.Release|ARM64.ActiveCfg = Release|Any CPU
+		{0175FBD0-A14C-4742-803A-CCE71B4FA566}.Release|ARM64.Build.0 = Release|Any CPU
+		{0175FBD0-A14C-4742-803A-CCE71B4FA566}.Release|iPhone.ActiveCfg = Release|Any CPU
+		{0175FBD0-A14C-4742-803A-CCE71B4FA566}.Release|iPhone.Build.0 = Release|Any CPU
+		{0175FBD0-A14C-4742-803A-CCE71B4FA566}.Release|iPhoneSimulator.ActiveCfg = Release|Any CPU
+		{0175FBD0-A14C-4742-803A-CCE71B4FA566}.Release|iPhoneSimulator.Build.0 = Release|Any CPU
+		{0175FBD0-A14C-4742-803A-CCE71B4FA566}.Release|x64.ActiveCfg = Release|Any CPU
+		{0175FBD0-A14C-4742-803A-CCE71B4FA566}.Release|x64.Build.0 = Release|Any CPU
+		{0175FBD0-A14C-4742-803A-CCE71B4FA566}.Release|x86.ActiveCfg = Release|Any CPU
+		{0175FBD0-A14C-4742-803A-CCE71B4FA566}.Release|x86.Build.0 = Release|Any CPU
+		{FD5E59AC-D6D3-18C6-B50A-DE15C654C942}.Debug + MobileApps|Any CPU.ActiveCfg = Debug|Any CPU
+		{FD5E59AC-D6D3-18C6-B50A-DE15C654C942}.Debug + MobileApps|Any CPU.Build.0 = Debug|Any CPU
+		{FD5E59AC-D6D3-18C6-B50A-DE15C654C942}.Debug + MobileApps|ARM.ActiveCfg = Debug|Any CPU
+		{FD5E59AC-D6D3-18C6-B50A-DE15C654C942}.Debug + MobileApps|ARM.Build.0 = Debug|Any CPU
+		{FD5E59AC-D6D3-18C6-B50A-DE15C654C942}.Debug + MobileApps|ARM64.ActiveCfg = Debug|Any CPU
+		{FD5E59AC-D6D3-18C6-B50A-DE15C654C942}.Debug + MobileApps|ARM64.Build.0 = Debug|Any CPU
+		{FD5E59AC-D6D3-18C6-B50A-DE15C654C942}.Debug + MobileApps|iPhone.ActiveCfg = Debug|Any CPU
+		{FD5E59AC-D6D3-18C6-B50A-DE15C654C942}.Debug + MobileApps|iPhone.Build.0 = Debug|Any CPU
+		{FD5E59AC-D6D3-18C6-B50A-DE15C654C942}.Debug + MobileApps|iPhoneSimulator.ActiveCfg = Debug|Any CPU
+		{FD5E59AC-D6D3-18C6-B50A-DE15C654C942}.Debug + MobileApps|iPhoneSimulator.Build.0 = Debug|Any CPU
+		{FD5E59AC-D6D3-18C6-B50A-DE15C654C942}.Debug + MobileApps|x64.ActiveCfg = Debug|Any CPU
+		{FD5E59AC-D6D3-18C6-B50A-DE15C654C942}.Debug + MobileApps|x64.Build.0 = Debug|Any CPU
+		{FD5E59AC-D6D3-18C6-B50A-DE15C654C942}.Debug + MobileApps|x86.ActiveCfg = Debug|Any CPU
+		{FD5E59AC-D6D3-18C6-B50A-DE15C654C942}.Debug + MobileApps|x86.Build.0 = Debug|Any CPU
+		{FD5E59AC-D6D3-18C6-B50A-DE15C654C942}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{FD5E59AC-D6D3-18C6-B50A-DE15C654C942}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{FD5E59AC-D6D3-18C6-B50A-DE15C654C942}.Debug|ARM.ActiveCfg = Debug|Any CPU
+		{FD5E59AC-D6D3-18C6-B50A-DE15C654C942}.Debug|ARM.Build.0 = Debug|Any CPU
+		{FD5E59AC-D6D3-18C6-B50A-DE15C654C942}.Debug|ARM64.ActiveCfg = Debug|Any CPU
+		{FD5E59AC-D6D3-18C6-B50A-DE15C654C942}.Debug|ARM64.Build.0 = Debug|Any CPU
+		{FD5E59AC-D6D3-18C6-B50A-DE15C654C942}.Debug|iPhone.ActiveCfg = Debug|Any CPU
+		{FD5E59AC-D6D3-18C6-B50A-DE15C654C942}.Debug|iPhone.Build.0 = Debug|Any CPU
+		{FD5E59AC-D6D3-18C6-B50A-DE15C654C942}.Debug|iPhoneSimulator.ActiveCfg = Debug|Any CPU
+		{FD5E59AC-D6D3-18C6-B50A-DE15C654C942}.Debug|iPhoneSimulator.Build.0 = Debug|Any CPU
+		{FD5E59AC-D6D3-18C6-B50A-DE15C654C942}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{FD5E59AC-D6D3-18C6-B50A-DE15C654C942}.Debug|x64.Build.0 = Debug|Any CPU
+		{FD5E59AC-D6D3-18C6-B50A-DE15C654C942}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{FD5E59AC-D6D3-18C6-B50A-DE15C654C942}.Debug|x86.Build.0 = Debug|Any CPU
+		{FD5E59AC-D6D3-18C6-B50A-DE15C654C942}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{FD5E59AC-D6D3-18C6-B50A-DE15C654C942}.Release|Any CPU.Build.0 = Release|Any CPU
+		{FD5E59AC-D6D3-18C6-B50A-DE15C654C942}.Release|ARM.ActiveCfg = Release|Any CPU
+		{FD5E59AC-D6D3-18C6-B50A-DE15C654C942}.Release|ARM.Build.0 = Release|Any CPU
+		{FD5E59AC-D6D3-18C6-B50A-DE15C654C942}.Release|ARM64.ActiveCfg = Release|Any CPU
+		{FD5E59AC-D6D3-18C6-B50A-DE15C654C942}.Release|ARM64.Build.0 = Release|Any CPU
+		{FD5E59AC-D6D3-18C6-B50A-DE15C654C942}.Release|iPhone.ActiveCfg = Release|Any CPU
+		{FD5E59AC-D6D3-18C6-B50A-DE15C654C942}.Release|iPhone.Build.0 = Release|Any CPU
+		{FD5E59AC-D6D3-18C6-B50A-DE15C654C942}.Release|iPhoneSimulator.ActiveCfg = Release|Any CPU
+		{FD5E59AC-D6D3-18C6-B50A-DE15C654C942}.Release|iPhoneSimulator.Build.0 = Release|Any CPU
+		{FD5E59AC-D6D3-18C6-B50A-DE15C654C942}.Release|x64.ActiveCfg = Release|Any CPU
+		{FD5E59AC-D6D3-18C6-B50A-DE15C654C942}.Release|x64.Build.0 = Release|Any CPU
+		{FD5E59AC-D6D3-18C6-B50A-DE15C654C942}.Release|x86.ActiveCfg = Release|Any CPU
+		{FD5E59AC-D6D3-18C6-B50A-DE15C654C942}.Release|x86.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
@@ -1963,6 +2051,8 @@ Global
 		{97995B86-AA0F-3AF9-DA40-85A6263E4391} = {9B0B5396-4D95-4C15-82ED-DC22B5A3123F}
 		{AEF6BB00-931F-4638-955D-24D735625C34} = {34BE693E-3496-45A4-B1D2-D3A0E068EEDB}
 		{DBD18BC8-72E4-47D4-BD79-8DEBD9F2C0D0} = {34BE693E-3496-45A4-B1D2-D3A0E068EEDB}
+		{0175FBD0-A14C-4742-803A-CCE71B4FA566} = {1A37FD75-94E9-4D6F-953A-0DABBD7B49E9}
+		{FD5E59AC-D6D3-18C6-B50A-DE15C654C942} = {9B0B5396-4D95-4C15-82ED-DC22B5A3123F}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		SolutionGuid = {020399A9-DC27-4B82-9CAA-EF488665AC27}
diff --git a/src/client/Microsoft.Identity.Client.Labs/Abstractions/AppSecretKeys.cs b/src/client/Microsoft.Identity.Client.Labs/Abstractions/AppSecretKeys.cs
new file mode 100644
index 0000000000..5928dc8517
--- /dev/null
+++ b/src/client/Microsoft.Identity.Client.Labs/Abstractions/AppSecretKeys.cs
@@ -0,0 +1,55 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+namespace Microsoft.Identity.Client.Labs
+{
+    /// <summary>
+    /// Declares the Key Vault secret names for an application's credentials.
+    /// Each property is a secret <em>name</em> (not the secret value).
+    /// </summary>
+    public sealed class AppSecretKeys
+    {
+        /// <summary>
+        /// Initializes a new instance of the <see cref="AppSecretKeys"/> class.
+        /// For optional secrets, pass an empty string (<c>""</c>) to indicate "not configured".
+        /// </summary>
+        /// <param name="clientIdSecret">Key Vault secret name that stores the application's client ID.</param>
+        /// <param name="clientSecretSecret">Optional Key Vault secret name that stores the application's client secret. Use <c>""</c> if not used.</param>
+        /// <param name="pfxSecret">Optional Key Vault secret name that stores a Base64-encoded PFX certificate. Use <c>""</c> if not used.</param>
+        /// <param name="pfxPasswordSecret">Optional Key Vault secret name that stores the password for the PFX. Use <c>""</c> if not used.</param>
+        public AppSecretKeys(
+            string clientIdSecret,
+            string clientSecretSecret = "",
+            string pfxSecret = "",
+            string pfxPasswordSecret = "")
+        {
+            ClientIdSecret = clientIdSecret;
+            ClientSecretSecret = clientSecretSecret ?? string.Empty;
+            PfxSecret = pfxSecret ?? string.Empty;
+            PfxPasswordSecret = pfxPasswordSecret ?? string.Empty;
+        }
+
+        /// <summary>
+        /// Gets the Key Vault secret name that stores the application's client ID.
+        /// </summary>
+        public string ClientIdSecret { get; }
+
+        /// <summary>
+        /// Gets the Key Vault secret name that stores the application's client secret.
+        /// Empty string indicates "not configured".
+        /// </summary>
+        public string ClientSecretSecret { get; }
+
+        /// <summary>
+        /// Gets the Key Vault secret name that stores a Base64-encoded PFX certificate.
+        /// Empty string indicates "not configured".
+        /// </summary>
+        public string PfxSecret { get; }
+
+        /// <summary>
+        /// Gets the Key Vault secret name that stores the password for the PFX certificate.
+        /// Empty string indicates "not configured".
+        /// </summary>
+        public string PfxPasswordSecret { get; }
+    }
+}
diff --git a/src/client/Microsoft.Identity.Client.Labs/Abstractions/Enums.cs b/src/client/Microsoft.Identity.Client.Labs/Abstractions/Enums.cs
new file mode 100644
index 0000000000..81bc29f272
--- /dev/null
+++ b/src/client/Microsoft.Identity.Client.Labs/Abstractions/Enums.cs
@@ -0,0 +1,134 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+namespace Microsoft.Identity.Client.Labs
+{
+    /// <summary>
+    /// Represents the authentication style used by a test user.
+    /// </summary>
+    public enum AuthType
+    {
+        /// <summary>
+        /// A basic username/password account with no federation or multi-factor authentication (MFA).
+        /// </summary>
+        Basic,
+
+        /// <summary>
+        /// A federated account (for example, via ADFS, Ping, or another identity provider).
+        /// </summary>
+        Federated,
+
+        /// <summary>
+        /// An account that requires multi-factor authentication (MFA).
+        /// </summary>
+        Mfa,
+
+        /// <summary>
+        /// A business-to-business (B2B) guest account invited into the tenant.
+        /// </summary>
+        Guest
+    }
+
+    /// <summary>
+    /// Identifies the cloud or sovereign environment where identities and applications are hosted.
+    /// </summary>
+    public enum CloudType
+    {
+        /// <summary>
+        /// Azure Public (global) cloud.
+        /// </summary>
+        Public,
+
+        /// <summary>
+        /// Azure Government (GCC/GCC High) cloud.
+        /// </summary>
+        Gcc,
+
+        /// <summary>
+        /// Azure Government Department of Defense (DoD) environment.
+        /// </summary>
+        Dod,
+
+        /// <summary>
+        /// Azure China cloud (operated by 21Vianet).
+        /// </summary>
+        China,
+
+        /// <summary>
+        /// Microsoft Cloud for Germany / Azure Germany.
+        /// </summary>
+        Germany,
+
+        /// <summary>
+        /// Integration or pre‑production environment used for testing.
+        /// </summary>
+        Canary
+    }
+
+    /// <summary>
+    /// Names the functional test scenario or user pool.
+    /// </summary>
+    public enum Scenario
+    {
+        /// <summary>
+        /// Basic or smoke-test scenarios.
+        /// </summary>
+        Basic,
+
+        /// <summary>
+        /// On‑Behalf‑Of (OBO) flow scenarios.
+        /// </summary>
+        Obo,
+
+        /// <summary>
+        /// Confidential Client Application (CCA) scenarios.
+        /// </summary>
+        Cca,
+
+        /// <summary>
+        /// Device Code flow scenarios.
+        /// </summary>
+        DeviceCode,
+
+        /// <summary>
+        /// Resource Owner Password Credentials (ROPC) flow scenarios.
+        /// </summary>
+        Ropc,
+
+        /// <summary>
+        /// Daemon (application‑only) scenarios without user interaction.
+        /// </summary>
+        Daemon
+    }
+
+    /// <summary>
+    /// Specifies the type of application whose credentials should be resolved.
+    /// </summary>
+    public enum AppKind
+    {
+        /// <summary>
+        /// A public client application (desktop, mobile, or SPA) that does not use a client secret.
+        /// </summary>
+        PublicClient,
+
+        /// <summary>
+        /// A confidential client application (web app/service) that authenticates with a client secret or certificate.
+        /// </summary>
+        ConfidentialClient,
+
+        /// <summary>
+        /// A headless/background application that runs without user interaction.
+        /// </summary>
+        Daemon,
+
+        /// <summary>
+        /// A protected Web API (resource) that validates tokens issued to clients.
+        /// </summary>
+        WebApi,
+
+        /// <summary>
+        /// A web application (confidential client) that signs in users and can call downstream APIs.
+        /// </summary>
+        WebApp
+    }
+}
diff --git a/src/client/Microsoft.Identity.Client.Labs/Abstractions/IAccountMapProvider.cs b/src/client/Microsoft.Identity.Client.Labs/Abstractions/IAccountMapProvider.cs
new file mode 100644
index 0000000000..db7b31abc5
--- /dev/null
+++ b/src/client/Microsoft.Identity.Client.Labs/Abstractions/IAccountMapProvider.cs
@@ -0,0 +1,25 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System.Collections.Generic;
+
+namespace Microsoft.Identity.Client.Labs
+{
+    /// <summary>
+    /// Provides a mapping between a user tuple
+    /// (<see cref="AuthType"/>, <see cref="CloudType"/>, <see cref="Scenario"/>) and the
+    /// Key Vault secret name that stores the corresponding username.
+    /// </summary>
+    public interface IAccountMapProvider
+    {
+        /// <summary>
+        /// Gets a map of tuples to username secret names. The value for each key must be a Key Vault
+        /// secret name whose value is the username to use for the tuple.
+        /// </summary>
+        /// <returns>
+        /// A read-only dictionary keyed by <c>(authType, cloudType, scenario)</c> whose values are
+        /// the Key Vault secret names containing usernames.
+        /// </returns>
+        IReadOnlyDictionary<(AuthType auth, CloudType cloud, Scenario scenario), string> GetUsernameMap();
+    }
+}
diff --git a/src/client/Microsoft.Identity.Client.Labs/Abstractions/IAppMapProvider.cs b/src/client/Microsoft.Identity.Client.Labs/Abstractions/IAppMapProvider.cs
new file mode 100644
index 0000000000..8eedcbd9be
--- /dev/null
+++ b/src/client/Microsoft.Identity.Client.Labs/Abstractions/IAppMapProvider.cs
@@ -0,0 +1,22 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+namespace Microsoft.Identity.Client.Labs
+{
+    /// <summary>
+    /// Provides a mapping between an application tuple
+    /// (<see cref="CloudType"/>, <see cref="Scenario"/>, <see cref="AppKind"/>) and the
+    /// Key Vault secret names that store its client ID and credentials.
+    /// </summary>
+    public interface IAppMapProvider
+    {
+        /// <summary>
+        /// Gets a map of tuples to application secret-name sets.
+        /// </summary>
+        /// <returns>
+        /// A read-only dictionary keyed by <c>(cloudType, scenario, appKind)</c> whose values
+        /// describe which Key Vault secret names hold each application credential.
+        /// </returns>
+        IReadOnlyDictionary<(CloudType cloud, Scenario scenario, AppKind kind), AppSecretKeys> GetAppMap();
+    }
+}
diff --git a/src/client/Microsoft.Identity.Client.Labs/Abstractions/Options.cs b/src/client/Microsoft.Identity.Client.Labs/Abstractions/Options.cs
new file mode 100644
index 0000000000..5a1b608635
--- /dev/null
+++ b/src/client/Microsoft.Identity.Client.Labs/Abstractions/Options.cs
@@ -0,0 +1,46 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Collections.Generic;
+
+namespace Microsoft.Identity.Client.Labs
+{
+    /// <summary>
+    /// Central configuration for the Labs resolver, including Key Vault location and
+    /// the policy used to select the password secret for user accounts.
+    /// </summary>
+    public sealed class LabsOptions
+    {
+        /// <summary>
+        /// Gets or sets the URI of the Azure Key Vault that contains secrets referenced by this package.
+        /// </summary>
+        public Uri KeyVaultUri { get; set; } = default!;
+
+        /// <summary>
+        /// Gets or sets the global password secret name (representing the current "active lab" password)
+        /// to use for most user tuples, for example <c>msidlab1_pwd</c>.
+        /// Use an empty string to indicate that no global value is configured.
+        /// </summary>
+        public string GlobalPasswordSecret { get; set; } = string.Empty;
+
+        /// <summary>
+        /// Gets or sets per-cloud password secret overrides, allowing sovereign clouds to use a
+        /// different active-lab password secret name. Leave empty if not used.
+        /// </summary>
+        public Dictionary<CloudType, string> PasswordSecretByCloud { get; set; } = new();
+
+        /// <summary>
+        /// Gets or sets per-tuple password secret overrides. The dictionary key must be the
+        /// lowercase string <c>"{auth}.{cloud}.{scenario}"</c> (for example, <c>"basic.public.obo"</c>).
+        /// Leave empty if not used.
+        /// </summary>
+        public Dictionary<string, string> PasswordSecretByTuple { get; set; } = new();
+
+        /// <summary>
+        /// Gets or sets a value indicating whether secret names should be derived by convention
+        /// when a corresponding map entry is missing.
+        /// </summary>
+        public bool EnableConventionFallback { get; set; } = true;
+    }
+}
diff --git a/src/client/Microsoft.Identity.Client.Labs/Abstractions/Resolvers.cs b/src/client/Microsoft.Identity.Client.Labs/Abstractions/Resolvers.cs
new file mode 100644
index 0000000000..7eb6602a1d
--- /dev/null
+++ b/src/client/Microsoft.Identity.Client.Labs/Abstractions/Resolvers.cs
@@ -0,0 +1,93 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Threading;
+using System.Threading.Tasks;
+
+namespace Microsoft.Identity.Client.Labs
+{
+    /// <summary>
+    /// Resolves user credentials (username and password) for a given tuple
+    /// (<see cref="AuthType"/>, <see cref="CloudType"/>, <see cref="Scenario"/>).
+    /// </summary>
+    public interface IAccountResolver
+    {
+        /// <summary>
+        /// Resolves the user credentials for the specified tuple.
+        /// </summary>
+        /// <param name="auth">The authentication style of the user.</param>
+        /// <param name="cloud">The cloud environment.</param>
+        /// <param name="scenario">The scenario (pool) for which the user is requested.</param>
+        /// <param name="ct">An optional cancellation token.</param>
+        /// <returns>
+        /// A tuple <c>(Username, Password)</c> containing the credential values retrieved from Key Vault.
+        /// </returns>
+        Task<(string Username, string Password)> ResolveUserAsync(
+            AuthType auth, CloudType cloud, Scenario scenario, CancellationToken ct = default);
+    }
+
+    /// <summary>
+    /// Represents application credentials materialized from Key Vault secrets.
+    /// Optional fields use empty strings or empty arrays when not configured.
+    /// </summary>
+    public sealed class AppCredentials
+    {
+        /// <summary>
+        /// Initializes a new instance of the <see cref="AppCredentials"/> class.
+        /// </summary>
+        /// <param name="clientId">The application (client) identifier.</param>
+        /// <param name="clientSecret">The optional client secret used by confidential clients. Use <c>""</c> if not used.</param>
+        /// <param name="pfxBytes">The optional PFX certificate content. Use <see cref="Array.Empty{T}"/> if not used.</param>
+        /// <param name="pfxPassword">The optional password used to load the PFX certificate. Use <c>""</c> if not used.</param>
+        public AppCredentials(
+            string clientId,
+            string clientSecret = "",
+            byte[]? pfxBytes = null,
+            string pfxPassword = "")
+        {
+            ClientId = clientId;
+            ClientSecret = clientSecret ?? string.Empty;
+            PfxBytes = pfxBytes ?? Array.Empty<byte>();
+            PfxPassword = pfxPassword ?? string.Empty;
+        }
+
+        /// <summary>
+        /// Gets the application (client) identifier.
+        /// </summary>
+        public string ClientId { get; }
+
+        /// <summary>
+        /// Gets the client secret. Empty string indicates "not configured".
+        /// </summary>
+        public string ClientSecret { get; }
+
+        /// <summary>
+        /// Gets the PFX certificate content. Empty array indicates "not configured".
+        /// </summary>
+        public byte[] PfxBytes { get; }
+
+        /// <summary>
+        /// Gets the password used to load the PFX certificate. Empty string indicates "not configured".
+        /// </summary>
+        public string PfxPassword { get; }
+    }
+
+    /// <summary>
+    /// Resolves application credentials for a given tuple
+    /// (<see cref="CloudType"/>, <see cref="Scenario"/>, <see cref="AppKind"/>).
+    /// </summary>
+    public interface IAppResolver
+    {
+        /// <summary>
+        /// Resolves the application credentials for the specified tuple.
+        /// </summary>
+        /// <param name="cloud">The cloud environment.</param>
+        /// <param name="scenario">The scenario (pool) for which the application is requested.</param>
+        /// <param name="kind">The type of application to resolve.</param>
+        /// <param name="ct">An optional cancellation token.</param>
+        /// <returns>An <see cref="AppCredentials"/> instance containing the resolved values.</returns>
+        Task<AppCredentials> ResolveAppAsync(
+            CloudType cloud, Scenario scenario, AppKind kind, CancellationToken ct = default);
+    }
+}
diff --git a/src/client/Microsoft.Identity.Client.Labs/DependencyInjection/LabsServiceCollectionExtensions.cs b/src/client/Microsoft.Identity.Client.Labs/DependencyInjection/LabsServiceCollectionExtensions.cs
new file mode 100644
index 0000000000..6eef3e6da1
--- /dev/null
+++ b/src/client/Microsoft.Identity.Client.Labs/DependencyInjection/LabsServiceCollectionExtensions.cs
@@ -0,0 +1,74 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Options;
+using Microsoft.Identity.Client.Labs.Internal;
+
+namespace Microsoft.Identity.Client.Labs
+{
+    /// <summary>
+    /// Extension methods for registering Labs services in a dependency injection container.
+    /// </summary>
+    public static class LabsServiceCollectionExtensions
+    {
+        /// <summary>
+        /// Registers the Labs resolvers and configuration with the provided service collection.
+        /// </summary>
+        /// <param name="services">The target service collection.</param>
+        /// <param name="configure">A delegate used to configure <see cref="LabsOptions"/>.</param>
+        /// <returns>The same service collection for chaining.</returns>
+        /// <exception cref="ArgumentNullException">Thrown if <paramref name="services"/> or <paramref name="configure"/> is <c>null</c>.</exception>
+        public static IServiceCollection AddLabsIdentity(
+            this IServiceCollection services,
+            Action<LabsOptions> configure)
+        {
+            if (services is null)
+                throw new ArgumentNullException(nameof(services));
+            if (configure is null)
+                throw new ArgumentNullException(nameof(configure));
+
+            services.Configure(configure);
+
+            services.AddSingleton<AccountMapAggregator>();
+            services.AddSingleton<AppMapAggregator>();
+
+            services.AddSingleton<ISecretStore>(sp =>
+            {
+                var opt = sp.GetRequiredService<IOptions<LabsOptions>>().Value;
+                if (opt.KeyVaultUri is null)
+                {
+                    throw new InvalidOperationException("LabsOptions.KeyVaultUri must be set.");
+                }
+
+                return new KeyVaultSecretStore(opt.KeyVaultUri);
+            });
+
+            services.AddSingleton<IAccountResolver, AccountResolver>();
+            services.AddSingleton<IAppResolver, AppResolver>();
+
+            return services;
+        }
+
+        /// <summary>
+        /// Registers an SDK-specific account map provider with the service collection.
+        /// </summary>
+        /// <typeparam name="T">The type that implements <see cref="IAccountMapProvider"/>.</typeparam>
+        /// <param name="services">The target service collection.</param>
+        /// <returns>The same service collection for chaining.</returns>
+        public static IServiceCollection AddAccountMapProvider<T>(this IServiceCollection services)
+            where T : class, IAccountMapProvider
+            => services.AddSingleton<IAccountMapProvider, T>();
+
+        /// <summary>
+        /// Registers an SDK-specific app map provider with the service collection.
+        /// </summary>
+        /// <typeparam name="T">The type that implements <see cref="IAppMapProvider"/>.</typeparam>
+        /// <param name="services">The target service collection.</param>
+        /// <returns>The same service collection for chaining.</returns>
+        public static IServiceCollection AddAppMapProvider<T>(this IServiceCollection services)
+            where T : class, IAppMapProvider
+            => services.AddSingleton<IAppMapProvider, T>();
+    }
+}
diff --git a/src/client/Microsoft.Identity.Client.Labs/Internal/AccountMapAggregator.cs b/src/client/Microsoft.Identity.Client.Labs/Internal/AccountMapAggregator.cs
new file mode 100644
index 0000000000..8191915d1d
--- /dev/null
+++ b/src/client/Microsoft.Identity.Client.Labs/Internal/AccountMapAggregator.cs
@@ -0,0 +1,80 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Collections.Generic;
+using Microsoft.Extensions.Options;
+
+namespace Microsoft.Identity.Client.Labs.Internal
+{
+    /// <summary>
+    /// Aggregates username maps from multiple providers and applies the password-secret selection policy.
+    /// </summary>
+    internal sealed class AccountMapAggregator
+    {
+        private readonly Dictionary<(AuthType, CloudType, Scenario), string> _usernames;
+        private readonly LabsOptions _opt;
+
+        public AccountMapAggregator(IEnumerable<IAccountMapProvider> providers, IOptions<LabsOptions> opt)
+        {
+            _opt = opt?.Value ?? throw new ArgumentNullException(nameof(opt));
+            _usernames = new();
+
+            foreach (var p in providers)
+            {
+                var map = p.GetUsernameMap();
+                if (map is null)
+                    continue;
+
+                foreach (var kv in map)
+                {
+                    // last registered wins
+                    _usernames[kv.Key] = kv.Value;
+                }
+            }
+        }
+
+        public string GetUsernameSecret(AuthType a, CloudType c, Scenario s)
+        {
+            if (_usernames.TryGetValue((a, c, s), out var name))
+                return name;
+
+            if (!_opt.EnableConventionFallback)
+                throw new KeyNotFoundException($"No username secret mapping for ({a},{c},{s}).");
+
+            return $"cld_{a.ToString().ToLowerInvariant()}_{c.ToString().ToLowerInvariant()}_{s.ToString().ToLowerInvariant()}_uname";
+        }
+
+        public string GetPasswordSecret(AuthType a, CloudType c, Scenario s)
+        {
+            // tuple override
+            var tupleKey = $"{a}.{c}.{s}".ToLowerInvariant();
+            if (_opt.PasswordSecretByTuple.TryGetValue(tupleKey, out var tupleSecret) &&
+                !string.IsNullOrWhiteSpace(tupleSecret))
+            {
+                return tupleSecret;
+            }
+
+            // cloud override
+            if (_opt.PasswordSecretByCloud.TryGetValue(c, out var cloudSecret) &&
+                !string.IsNullOrWhiteSpace(cloudSecret))
+            {
+                return cloudSecret;
+            }
+
+            // global
+            if (!string.IsNullOrWhiteSpace(_opt.GlobalPasswordSecret))
+            {
+                return _opt.GlobalPasswordSecret;
+            }
+
+            // convention
+            if (_opt.EnableConventionFallback)
+            {
+                return $"cld_{a.ToString().ToLowerInvariant()}_{c.ToString().ToLowerInvariant()}_{s.ToString().ToLowerInvariant()}_pwd";
+            }
+
+            throw new KeyNotFoundException($"No password secret configured for ({a},{c},{s}).");
+        }
+    }
+}
diff --git a/src/client/Microsoft.Identity.Client.Labs/Internal/AccountResolver.cs b/src/client/Microsoft.Identity.Client.Labs/Internal/AccountResolver.cs
new file mode 100644
index 0000000000..76a58b75ba
--- /dev/null
+++ b/src/client/Microsoft.Identity.Client.Labs/Internal/AccountResolver.cs
@@ -0,0 +1,39 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System.Threading;
+using System.Threading.Tasks;
+
+namespace Microsoft.Identity.Client.Labs.Internal
+{
+    /// <summary>
+    /// Default implementation of <see cref="IAccountResolver"/> that uses map providers and Key Vault.
+    /// </summary>
+    internal sealed class AccountResolver : IAccountResolver
+    {
+        private readonly AccountMapAggregator _agg;
+        private readonly ISecretStore _store;
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="AccountResolver"/> class.
+        /// </summary>
+        public AccountResolver(AccountMapAggregator agg, ISecretStore store)
+        {
+            _agg = agg;
+            _store = store;
+        }
+
+        /// <inheritdoc />
+        public async Task<(string Username, string Password)> ResolveUserAsync(
+            AuthType auth, CloudType cloud, Scenario scenario, CancellationToken ct = default)
+        {
+            var unameSecret = _agg.GetUsernameSecret(auth, cloud, scenario);
+            var pwdSecret = _agg.GetPasswordSecret(auth, cloud, scenario);
+
+            var username = await _store.GetAsync(unameSecret, ct).ConfigureAwait(false);
+            var password = await _store.GetAsync(pwdSecret, ct).ConfigureAwait(false);
+
+            return (username, password);
+        }
+    }
+}
diff --git a/src/client/Microsoft.Identity.Client.Labs/Internal/AppMapAggregator.cs b/src/client/Microsoft.Identity.Client.Labs/Internal/AppMapAggregator.cs
new file mode 100644
index 0000000000..9b1c6953ec
--- /dev/null
+++ b/src/client/Microsoft.Identity.Client.Labs/Internal/AppMapAggregator.cs
@@ -0,0 +1,38 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System.Collections.Generic;
+
+namespace Microsoft.Identity.Client.Labs.Internal
+{
+    /// <summary>
+    /// Aggregates application maps from multiple providers.
+    /// </summary>
+    internal sealed class AppMapAggregator
+    {
+        private readonly Dictionary<(CloudType, Scenario, AppKind), AppSecretKeys> _apps;
+
+        public AppMapAggregator(IEnumerable<IAppMapProvider> providers)
+        {
+            _apps = new();
+
+            foreach (var p in providers)
+            {
+                var map = p.GetAppMap();
+                if (map is null)
+                    continue;
+
+                foreach (var kv in map)
+                {
+                    // last registered wins
+                    _apps[kv.Key] = kv.Value;
+                }
+            }
+        }
+
+        public AppSecretKeys ResolveKeys(CloudType c, Scenario s, AppKind k)
+            => _apps.TryGetValue((c, s, k), out var keys)
+                ? keys
+                : throw new KeyNotFoundException($"No app mapping for ({c},{s},{k}).");
+    }
+}
diff --git a/src/client/Microsoft.Identity.Client.Labs/Internal/AppResolver.cs b/src/client/Microsoft.Identity.Client.Labs/Internal/AppResolver.cs
new file mode 100644
index 0000000000..0bf45c674d
--- /dev/null
+++ b/src/client/Microsoft.Identity.Client.Labs/Internal/AppResolver.cs
@@ -0,0 +1,67 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Threading;
+using System.Threading.Tasks;
+
+namespace Microsoft.Identity.Client.Labs.Internal
+{
+    /// <summary>
+    /// Default implementation of <see cref="IAppResolver"/> that uses map providers and Key Vault.
+    /// </summary>
+    internal sealed class AppResolver : IAppResolver
+    {
+        private readonly AppMapAggregator _agg;
+        private readonly ISecretStore _store;
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="AppResolver"/> class.
+        /// </summary>
+        public AppResolver(AppMapAggregator agg, ISecretStore store)
+        {
+            _agg = agg;
+            _store = store;
+        }
+
+        /// <inheritdoc />
+        public async Task<AppCredentials> ResolveAppAsync(CloudType cloud, Scenario scenario, AppKind kind, CancellationToken ct = default)
+        {
+            var keys = _agg.ResolveKeys(cloud, scenario, kind);
+
+            var clientId = await _store.GetAsync(keys.ClientIdSecret, ct).ConfigureAwait(false);
+
+            string clientSecret = string.Empty;
+            byte[] pfxBytes = Array.Empty<byte>();
+            string pfxPwd = string.Empty;
+
+            if (!string.IsNullOrEmpty(keys.ClientSecretSecret))
+            {
+                clientSecret = await _store.GetAsync(keys.ClientSecretSecret, ct).ConfigureAwait(false);
+            }
+
+            if (!string.IsNullOrEmpty(keys.PfxSecret))
+            {
+                var b64 = await _store.GetAsync(keys.PfxSecret, ct).ConfigureAwait(false);
+                if (!string.IsNullOrWhiteSpace(b64))
+                {
+                    try
+                    {
+                        pfxBytes = Convert.FromBase64String(b64);
+                    }
+                    catch (FormatException ex)
+                    {
+                        throw new InvalidOperationException($"Secret '{keys.PfxSecret}' is not valid Base64.", ex);
+                    }
+                }
+            }
+
+            if (!string.IsNullOrEmpty(keys.PfxPasswordSecret))
+            {
+                pfxPwd = await _store.GetAsync(keys.PfxPasswordSecret, ct).ConfigureAwait(false);
+            }
+
+            return new AppCredentials(clientId, clientSecret, pfxBytes, pfxPwd);
+        }
+    }
+}
diff --git a/src/client/Microsoft.Identity.Client.Labs/Internal/ISecretStore.cs b/src/client/Microsoft.Identity.Client.Labs/Internal/ISecretStore.cs
new file mode 100644
index 0000000000..fa0ae38983
--- /dev/null
+++ b/src/client/Microsoft.Identity.Client.Labs/Internal/ISecretStore.cs
@@ -0,0 +1,22 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System.Threading;
+using System.Threading.Tasks;
+
+namespace Microsoft.Identity.Client.Labs.Internal
+{
+    /// <summary>
+    /// Abstraction of a secret store (Azure Key Vault by default).
+    /// </summary>
+    internal interface ISecretStore
+    {
+        /// <summary>
+        /// Retrieves the value of the specified secret.
+        /// </summary>
+        /// <param name="secretName">The name of the secret to read.</param>
+        /// <param name="ct">An optional cancellation token.</param>
+        /// <returns>The secret value.</returns>
+        Task<string> GetAsync(string secretName, CancellationToken ct = default);
+    }
+}
diff --git a/src/client/Microsoft.Identity.Client.Labs/Internal/KeyVaultSecretStore.cs b/src/client/Microsoft.Identity.Client.Labs/Internal/KeyVaultSecretStore.cs
new file mode 100644
index 0000000000..cc78c34f24
--- /dev/null
+++ b/src/client/Microsoft.Identity.Client.Labs/Internal/KeyVaultSecretStore.cs
@@ -0,0 +1,44 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Threading;
+using System.Threading.Tasks;
+using Azure.Identity;
+using Azure.Security.KeyVault.Secrets;
+
+namespace Microsoft.Identity.Client.Labs.Internal
+{
+    /// <summary>
+    /// Secret store implementation backed by Azure Key Vault.
+    /// </summary>
+    internal sealed class KeyVaultSecretStore : ISecretStore
+    {
+        private readonly SecretClient _kv;
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="KeyVaultSecretStore"/> class.
+        /// </summary>
+        /// <param name="keyVaultUri">The Key Vault URI.</param>
+        public KeyVaultSecretStore(Uri keyVaultUri)
+        {
+            if (keyVaultUri is null)
+                throw new ArgumentNullException(nameof(keyVaultUri));
+            _kv = new SecretClient(keyVaultUri, new DefaultAzureCredential());
+        }
+
+        /// <inheritdoc />
+        public async Task<string> GetAsync(string secretName, CancellationToken ct = default)
+        {
+            if (string.IsNullOrWhiteSpace(secretName))
+                throw new ArgumentException("Secret name cannot be null or empty.", nameof(secretName));
+
+            // IMPORTANT: specify the cancellation token by name to avoid the 'version' parameter
+            var response = await _kv
+                .GetSecretAsync(secretName, version: null, cancellationToken: ct)
+                .ConfigureAwait(false);
+
+            return response.Value.Value;
+        }
+    }
+}
diff --git a/src/client/Microsoft.Identity.Client.Labs/InternalsVisibleTo.cs b/src/client/Microsoft.Identity.Client.Labs/InternalsVisibleTo.cs
new file mode 100644
index 0000000000..b3cee18deb
--- /dev/null
+++ b/src/client/Microsoft.Identity.Client.Labs/InternalsVisibleTo.cs
@@ -0,0 +1,6 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System.Runtime.CompilerServices;
+
+[assembly: InternalsVisibleTo("Microsoft.Identity.Client.Labs.Tests")]
diff --git a/src/client/Microsoft.Identity.Client.Labs/Microsoft.Identity.Client.Labs.csproj b/src/client/Microsoft.Identity.Client.Labs/Microsoft.Identity.Client.Labs.csproj
new file mode 100644
index 0000000000..d6dc746142
--- /dev/null
+++ b/src/client/Microsoft.Identity.Client.Labs/Microsoft.Identity.Client.Labs.csproj
@@ -0,0 +1,42 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFrameworks>net8.0;netstandard2.0</TargetFrameworks>
+    <Nullable>enable</Nullable>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
+
+    <!-- NuGet -->
+    <GeneratePackageOnBuild>true</GeneratePackageOnBuild>
+    <PackageId>Microsoft.Identity.Client.Labs</PackageId>
+    <Authors>Microsoft</Authors>
+    <Company>Microsoft</Company>
+    <RepositoryUrl>https://github.com/AzureAD/microsoft-authentication-library-for-dotnet</RepositoryUrl>
+    <PackageLicenseExpression>MIT</PackageLicenseExpression>
+    <Description>Shared test identity resolver for MSAL, IDWEB and related SDKs (Key Vault based).</Description>
+    <IncludeSymbols>true</IncludeSymbols>
+    <SymbolPackageFormat>snupkg</SymbolPackageFormat>
+
+    <GenerateDocumentationFile>true</GenerateDocumentationFile>
+    <LangVersion>latest</LangVersion>
+  </PropertyGroup>
+
+  <PropertyGroup>
+    <SignAssembly>false</SignAssembly>
+    <DelaySign>false</DelaySign>
+    <PublicSign>false</PublicSign>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Azure.Identity" />
+    <PackageReference Include="Azure.Security.KeyVault.Secrets" />
+    <PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" />
+    <PackageReference Include="Microsoft.Extensions.Options" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <AdditionalFiles Include="PublicAPI/PublicAPI.Shipped.txt" />
+    <AdditionalFiles Include="PublicAPI/PublicAPI.Unshipped.txt" />
+  </ItemGroup>
+
+</Project>
diff --git a/src/client/Microsoft.Identity.Client.Labs/PublicApi/PublicAPI.Shipped.txt b/src/client/Microsoft.Identity.Client.Labs/PublicApi/PublicAPI.Shipped.txt
new file mode 100644
index 0000000000..7dc5c58110
--- /dev/null
+++ b/src/client/Microsoft.Identity.Client.Labs/PublicApi/PublicAPI.Shipped.txt
@@ -0,0 +1 @@
+#nullable enable
diff --git a/src/client/Microsoft.Identity.Client.Labs/PublicApi/PublicAPI.Unshipped.txt b/src/client/Microsoft.Identity.Client.Labs/PublicApi/PublicAPI.Unshipped.txt
new file mode 100644
index 0000000000..b4cfc52ffe
--- /dev/null
+++ b/src/client/Microsoft.Identity.Client.Labs/PublicApi/PublicAPI.Unshipped.txt
@@ -0,0 +1,61 @@
+Microsoft.Identity.Client.Labs.AppCredentials
+Microsoft.Identity.Client.Labs.AppCredentials.AppCredentials(string! clientId, string! clientSecret = "", byte[]? pfxBytes = null, string! pfxPassword = "") -> void
+Microsoft.Identity.Client.Labs.AppCredentials.ClientId.get -> string!
+Microsoft.Identity.Client.Labs.AppCredentials.ClientSecret.get -> string!
+Microsoft.Identity.Client.Labs.AppCredentials.PfxBytes.get -> byte[]!
+Microsoft.Identity.Client.Labs.AppCredentials.PfxPassword.get -> string!
+Microsoft.Identity.Client.Labs.AppKind
+Microsoft.Identity.Client.Labs.AppKind.ConfidentialClient = 1 -> Microsoft.Identity.Client.Labs.AppKind
+Microsoft.Identity.Client.Labs.AppKind.Daemon = 2 -> Microsoft.Identity.Client.Labs.AppKind
+Microsoft.Identity.Client.Labs.AppKind.PublicClient = 0 -> Microsoft.Identity.Client.Labs.AppKind
+Microsoft.Identity.Client.Labs.AppKind.WebApi = 3 -> Microsoft.Identity.Client.Labs.AppKind
+Microsoft.Identity.Client.Labs.AppKind.WebApp = 4 -> Microsoft.Identity.Client.Labs.AppKind
+Microsoft.Identity.Client.Labs.AppSecretKeys
+Microsoft.Identity.Client.Labs.AppSecretKeys.AppSecretKeys(string! clientIdSecret, string! clientSecretSecret = "", string! pfxSecret = "", string! pfxPasswordSecret = "") -> void
+Microsoft.Identity.Client.Labs.AppSecretKeys.ClientIdSecret.get -> string!
+Microsoft.Identity.Client.Labs.AppSecretKeys.ClientSecretSecret.get -> string!
+Microsoft.Identity.Client.Labs.AppSecretKeys.PfxPasswordSecret.get -> string!
+Microsoft.Identity.Client.Labs.AppSecretKeys.PfxSecret.get -> string!
+Microsoft.Identity.Client.Labs.AuthType
+Microsoft.Identity.Client.Labs.AuthType.Basic = 0 -> Microsoft.Identity.Client.Labs.AuthType
+Microsoft.Identity.Client.Labs.AuthType.Federated = 1 -> Microsoft.Identity.Client.Labs.AuthType
+Microsoft.Identity.Client.Labs.AuthType.Guest = 3 -> Microsoft.Identity.Client.Labs.AuthType
+Microsoft.Identity.Client.Labs.AuthType.Mfa = 2 -> Microsoft.Identity.Client.Labs.AuthType
+Microsoft.Identity.Client.Labs.CloudType
+Microsoft.Identity.Client.Labs.CloudType.Canary = 5 -> Microsoft.Identity.Client.Labs.CloudType
+Microsoft.Identity.Client.Labs.CloudType.China = 3 -> Microsoft.Identity.Client.Labs.CloudType
+Microsoft.Identity.Client.Labs.CloudType.Dod = 2 -> Microsoft.Identity.Client.Labs.CloudType
+Microsoft.Identity.Client.Labs.CloudType.Gcc = 1 -> Microsoft.Identity.Client.Labs.CloudType
+Microsoft.Identity.Client.Labs.CloudType.Germany = 4 -> Microsoft.Identity.Client.Labs.CloudType
+Microsoft.Identity.Client.Labs.CloudType.Public = 0 -> Microsoft.Identity.Client.Labs.CloudType
+Microsoft.Identity.Client.Labs.IAccountMapProvider
+Microsoft.Identity.Client.Labs.IAccountMapProvider.GetUsernameMap() -> System.Collections.Generic.IReadOnlyDictionary<(Microsoft.Identity.Client.Labs.AuthType auth, Microsoft.Identity.Client.Labs.CloudType cloud, Microsoft.Identity.Client.Labs.Scenario scenario), string!>!
+Microsoft.Identity.Client.Labs.IAccountResolver
+Microsoft.Identity.Client.Labs.IAccountResolver.ResolveUserAsync(Microsoft.Identity.Client.Labs.AuthType auth, Microsoft.Identity.Client.Labs.CloudType cloud, Microsoft.Identity.Client.Labs.Scenario scenario, System.Threading.CancellationToken ct = default(System.Threading.CancellationToken)) -> System.Threading.Tasks.Task<(string! Username, string! Password)>!
+Microsoft.Identity.Client.Labs.IAppMapProvider
+Microsoft.Identity.Client.Labs.IAppMapProvider.GetAppMap() -> System.Collections.Generic.IReadOnlyDictionary<(Microsoft.Identity.Client.Labs.CloudType cloud, Microsoft.Identity.Client.Labs.Scenario scenario, Microsoft.Identity.Client.Labs.AppKind kind), Microsoft.Identity.Client.Labs.AppSecretKeys!>!
+Microsoft.Identity.Client.Labs.IAppResolver
+Microsoft.Identity.Client.Labs.IAppResolver.ResolveAppAsync(Microsoft.Identity.Client.Labs.CloudType cloud, Microsoft.Identity.Client.Labs.Scenario scenario, Microsoft.Identity.Client.Labs.AppKind kind, System.Threading.CancellationToken ct = default(System.Threading.CancellationToken)) -> System.Threading.Tasks.Task<Microsoft.Identity.Client.Labs.AppCredentials!>!
+Microsoft.Identity.Client.Labs.LabsOptions
+Microsoft.Identity.Client.Labs.LabsOptions.EnableConventionFallback.get -> bool
+Microsoft.Identity.Client.Labs.LabsOptions.EnableConventionFallback.set -> void
+Microsoft.Identity.Client.Labs.LabsOptions.GlobalPasswordSecret.get -> string!
+Microsoft.Identity.Client.Labs.LabsOptions.GlobalPasswordSecret.set -> void
+Microsoft.Identity.Client.Labs.LabsOptions.KeyVaultUri.get -> System.Uri!
+Microsoft.Identity.Client.Labs.LabsOptions.KeyVaultUri.set -> void
+Microsoft.Identity.Client.Labs.LabsOptions.LabsOptions() -> void
+Microsoft.Identity.Client.Labs.LabsOptions.PasswordSecretByCloud.get -> System.Collections.Generic.Dictionary<Microsoft.Identity.Client.Labs.CloudType, string!>!
+Microsoft.Identity.Client.Labs.LabsOptions.PasswordSecretByCloud.set -> void
+Microsoft.Identity.Client.Labs.LabsOptions.PasswordSecretByTuple.get -> System.Collections.Generic.Dictionary<string!, string!>!
+Microsoft.Identity.Client.Labs.LabsOptions.PasswordSecretByTuple.set -> void
+Microsoft.Identity.Client.Labs.LabsServiceCollectionExtensions
+Microsoft.Identity.Client.Labs.Scenario
+Microsoft.Identity.Client.Labs.Scenario.Basic = 0 -> Microsoft.Identity.Client.Labs.Scenario
+Microsoft.Identity.Client.Labs.Scenario.Cca = 2 -> Microsoft.Identity.Client.Labs.Scenario
+Microsoft.Identity.Client.Labs.Scenario.Daemon = 5 -> Microsoft.Identity.Client.Labs.Scenario
+Microsoft.Identity.Client.Labs.Scenario.DeviceCode = 3 -> Microsoft.Identity.Client.Labs.Scenario
+Microsoft.Identity.Client.Labs.Scenario.Obo = 1 -> Microsoft.Identity.Client.Labs.Scenario
+Microsoft.Identity.Client.Labs.Scenario.Ropc = 4 -> Microsoft.Identity.Client.Labs.Scenario
+static Microsoft.Identity.Client.Labs.LabsServiceCollectionExtensions.AddAccountMapProvider<T>(this Microsoft.Extensions.DependencyInjection.IServiceCollection! services) -> Microsoft.Extensions.DependencyInjection.IServiceCollection!
+static Microsoft.Identity.Client.Labs.LabsServiceCollectionExtensions.AddAppMapProvider<T>(this Microsoft.Extensions.DependencyInjection.IServiceCollection! services) -> Microsoft.Extensions.DependencyInjection.IServiceCollection!
+static Microsoft.Identity.Client.Labs.LabsServiceCollectionExtensions.AddLabsIdentity(this Microsoft.Extensions.DependencyInjection.IServiceCollection! services, System.Action<Microsoft.Identity.Client.Labs.LabsOptions!>! configure) -> Microsoft.Extensions.DependencyInjection.IServiceCollection!
diff --git a/tests/Microsoft.Identity.Client.Labs.Tests/AccountMapAggregatorTests.cs b/tests/Microsoft.Identity.Client.Labs.Tests/AccountMapAggregatorTests.cs
new file mode 100644
index 0000000000..a1f20b843e
--- /dev/null
+++ b/tests/Microsoft.Identity.Client.Labs.Tests/AccountMapAggregatorTests.cs
@@ -0,0 +1,53 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Collections.Generic;
+using Microsoft.Extensions.Options;
+using Microsoft.Identity.Client.Labs;
+using Microsoft.Identity.Client.Labs.Internal;
+using Microsoft.Identity.Client.Labs.Tests.TestDoubles;
+using Microsoft.VisualStudio.TestTools.UnitTesting;
+
+namespace Microsoft.Identity.Client.Labs.Tests.Unit
+{
+    [TestClass]
+    public class AccountMapAggregatorTests
+    {
+        // Renamed to avoid hiding Microsoft.Extensions.Options.Options
+        private static IOptions<LabsOptions> CreateOpts(bool enableConvention = true) =>
+            Microsoft.Extensions.Options.Options.Create(
+                new LabsOptions { EnableConventionFallback = enableConvention });
+
+        [TestMethod]
+        public void Username_From_Provider_Is_Used()
+        {
+            var provider = new FakeAccountMapProvider(new Dictionary<(AuthType, CloudType, Scenario), string>
+            {
+                { (AuthType.Basic, CloudType.Public, Scenario.Basic), "cld_basic_public_basic_uname" }
+            });
+
+            var agg = new AccountMapAggregator(new[] { provider }, CreateOpts());
+            var name = agg.GetUsernameSecret(AuthType.Basic, CloudType.Public, Scenario.Basic);
+
+            Assert.AreEqual("cld_basic_public_basic_uname", name);
+        }
+
+        [TestMethod]
+        public void Username_Convention_When_Missing_And_Enabled()
+        {
+            var agg = new AccountMapAggregator(Array.Empty<IAccountMapProvider>(), CreateOpts(enableConvention: true));
+            var name = agg.GetUsernameSecret(AuthType.Federated, CloudType.Public, Scenario.Obo);
+
+            Assert.AreEqual("cld_federated_public_obo_uname", name);
+        }
+
+        [TestMethod]
+        public void Username_Throws_When_Missing_And_Convention_Disabled()
+        {
+            var agg = new AccountMapAggregator(Array.Empty<IAccountMapProvider>(), CreateOpts(enableConvention: false));
+            Assert.ThrowsException<KeyNotFoundException>(() =>
+                agg.GetUsernameSecret(AuthType.Basic, CloudType.Public, Scenario.Obo));
+        }
+    }
+}
diff --git a/tests/Microsoft.Identity.Client.Labs.Tests/AccountResolverTests.cs b/tests/Microsoft.Identity.Client.Labs.Tests/AccountResolverTests.cs
new file mode 100644
index 0000000000..b431568df7
--- /dev/null
+++ b/tests/Microsoft.Identity.Client.Labs.Tests/AccountResolverTests.cs
@@ -0,0 +1,78 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Collections.Generic;
+using System.Threading.Tasks;
+using Microsoft.Extensions.Options;
+using Microsoft.Identity.Client.Labs;
+using Microsoft.Identity.Client.Labs.Internal;
+using Microsoft.Identity.Client.Labs.Tests.TestDoubles;
+using Microsoft.VisualStudio.TestTools.UnitTesting;
+
+namespace Microsoft.Identity.Client.Labs.Tests.Unit
+{
+    [TestClass]
+    public class AccountResolverTests
+    {
+        [TestMethod]
+        public async Task Resolves_User_From_Store_And_Policy()
+        {
+            var acctMap = new FakeAccountMapProvider(new Dictionary<(AuthType, CloudType, Scenario), string>
+            {
+                { (AuthType.Basic, CloudType.Public, Scenario.Obo), "cld_basic_public_obo_uname" }
+            });
+
+            var opts = Options.Create(new LabsOptions { GlobalPasswordSecret = "msidlab1_pwd" });
+            var agg = new AccountMapAggregator(new[] { acctMap }, opts);
+
+            // Use a non-sensitive, generated test value (prevents CredScan false positives)
+            var expectedPassword = $"UT_{Guid.NewGuid():N}";
+
+            var store = new FakeSecretStore(new Dictionary<string, string>
+            {
+                ["cld_basic_public_obo_uname"] = "ci-user@contoso.onmicrosoft.com",
+                ["msidlab1_pwd"] = expectedPassword
+            });
+
+            var resolver = new AccountResolver(agg, store);
+
+            var (u, p) = await resolver
+                .ResolveUserAsync(AuthType.Basic, CloudType.Public, Scenario.Obo)
+                .ConfigureAwait(false);
+
+            Assert.AreEqual("ci-user@contoso.onmicrosoft.com", u);
+            Assert.AreEqual(expectedPassword, p);
+        }
+
+        [TestMethod]
+        public async Task Uses_Convention_For_Username_When_Missing()
+        {
+            var acctMap = new FakeAccountMapProvider(new Dictionary<(AuthType, CloudType, Scenario), string>());
+            var opts = Options.Create(new LabsOptions
+            {
+                GlobalPasswordSecret = "msidlab1_pwd",
+                EnableConventionFallback = true
+            });
+
+            var agg = new AccountMapAggregator(new[] { acctMap }, opts);
+
+            var expectedPassword = $"UT_{Guid.NewGuid():N}";
+
+            var store = new FakeSecretStore(new Dictionary<string, string>
+            {
+                ["cld_basic_public_basic_uname"] = "ci-basic@contoso.onmicrosoft.com",
+                ["msidlab1_pwd"] = expectedPassword
+            });
+
+            var resolver = new AccountResolver(agg, store);
+
+            var (u, p) = await resolver
+                .ResolveUserAsync(AuthType.Basic, CloudType.Public, Scenario.Basic)
+                .ConfigureAwait(false);
+
+            Assert.AreEqual("ci-basic@contoso.onmicrosoft.com", u);
+            Assert.AreEqual(expectedPassword, p);
+        }
+    }
+}
diff --git a/tests/Microsoft.Identity.Client.Labs.Tests/AppMapAggregatorTests.cs b/tests/Microsoft.Identity.Client.Labs.Tests/AppMapAggregatorTests.cs
new file mode 100644
index 0000000000..01b06223dc
--- /dev/null
+++ b/tests/Microsoft.Identity.Client.Labs.Tests/AppMapAggregatorTests.cs
@@ -0,0 +1,45 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System.Collections.Generic;
+using Microsoft.Identity.Client.Labs;
+using Microsoft.Identity.Client.Labs.Internal;
+using Microsoft.Identity.Client.Labs.Tests.TestDoubles;
+using Microsoft.VisualStudio.TestTools.UnitTesting;
+
+namespace Microsoft.Identity.Client.Labs.Tests.Unit
+{
+    [TestClass]
+    public class AppMapAggregatorTests
+    {
+        [TestMethod]
+        public void Resolves_App_Keys()
+        {
+            var map = new Dictionary<(CloudType, Scenario, AppKind), AppSecretKeys>
+            {
+                { (CloudType.Public, Scenario.Obo, AppKind.ConfidentialClient),
+                  new AppSecretKeys("cid", "csec", "pfx", "pfxpwd") }
+            };
+
+            var provider = new FakeAppMapProvider(map);
+            var agg = new AppMapAggregator(new[] { provider });
+
+            var keys = agg.ResolveKeys(CloudType.Public, Scenario.Obo, AppKind.ConfidentialClient);
+
+            Assert.AreEqual("cid", keys.ClientIdSecret);
+            Assert.AreEqual("csec", keys.ClientSecretSecret);
+            Assert.AreEqual("pfx", keys.PfxSecret);
+            Assert.AreEqual("pfxpwd", keys.PfxPasswordSecret);
+        }
+
+        [TestMethod]
+        public void Throws_When_App_Key_Missing()
+        {
+            var provider = new FakeAppMapProvider(new Dictionary<(CloudType, Scenario, AppKind), AppSecretKeys>());
+            var agg = new AppMapAggregator(new[] { provider });
+
+            Assert.ThrowsException<KeyNotFoundException>(() =>
+                agg.ResolveKeys(CloudType.Public, Scenario.Cca, AppKind.ConfidentialClient));
+        }
+    }
+}
diff --git a/tests/Microsoft.Identity.Client.Labs.Tests/AppResolverTests.cs b/tests/Microsoft.Identity.Client.Labs.Tests/AppResolverTests.cs
new file mode 100644
index 0000000000..1aae6466ff
--- /dev/null
+++ b/tests/Microsoft.Identity.Client.Labs.Tests/AppResolverTests.cs
@@ -0,0 +1,103 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Collections.Generic;
+using System.Threading.Tasks;
+using Microsoft.Identity.Client.Labs;
+using Microsoft.Identity.Client.Labs.Internal;
+using Microsoft.Identity.Client.Labs.Tests.TestDoubles;
+using Microsoft.VisualStudio.TestTools.UnitTesting;
+
+namespace Microsoft.Identity.Client.Labs.Tests.Unit
+{
+    [TestClass]
+    public class AppResolverTests
+    {
+        [TestMethod]
+        public async Task Resolves_App_With_Secret()
+        {
+            var appMap = new FakeAppMapProvider(new Dictionary<(CloudType, Scenario, AppKind), AppSecretKeys>
+            {
+                { (CloudType.Public, Scenario.Obo, AppKind.ConfidentialClient),
+                  new AppSecretKeys("cid", "csec") }
+            });
+
+            // Generate a non-sensitive test value
+            var expectedClientSecret = $"UT_{Guid.NewGuid():N}";
+
+            var store = new FakeSecretStore(new Dictionary<string, string>
+            {
+                ["cid"] = "11111111-1111-1111-1111-111111111111",
+                ["csec"] = expectedClientSecret
+            });
+
+            var agg = new AppMapAggregator(new[] { appMap });
+            var resolver = new AppResolver(agg, store);
+
+            var app = await resolver.ResolveAppAsync(CloudType.Public, Scenario.Obo, AppKind.ConfidentialClient)
+                .ConfigureAwait(false);
+
+            Assert.AreEqual("11111111-1111-1111-1111-111111111111", app.ClientId);
+            Assert.AreEqual(expectedClientSecret, app.ClientSecret);
+            CollectionAssert.AreEqual(Array.Empty<byte>(), app.PfxBytes);
+            Assert.AreEqual(string.Empty, app.PfxPassword);
+        }
+
+        [TestMethod]
+        public async Task Resolves_App_With_Pfx()
+        {
+            var pfxBytes = new byte[] { 1, 2, 3, 4, 5 };
+            var b64 = Convert.ToBase64String(pfxBytes);
+
+            var appMap = new FakeAppMapProvider(new Dictionary<(CloudType, Scenario, AppKind), AppSecretKeys>
+            {
+                { (CloudType.Public, Scenario.Obo, AppKind.WebApi),
+                  new AppSecretKeys("api_cid", "", "api_pfx", "api_pfxpwd") }
+            });
+
+            var expectedPfxPassword = $"UTPFX_{Guid.NewGuid():N}";
+
+            var store = new FakeSecretStore(new Dictionary<string, string>
+            {
+                ["api_cid"] = "22222222-2222-2222-2222-222222222222",
+                ["api_pfx"] = b64,
+                ["api_pfxpwd"] = expectedPfxPassword
+            });
+
+            var agg = new AppMapAggregator(new[] { appMap });
+            var resolver = new AppResolver(agg, store);
+
+            var app = await resolver.ResolveAppAsync(CloudType.Public, Scenario.Obo, AppKind.WebApi)
+                .ConfigureAwait(false);
+
+            Assert.AreEqual("22222222-2222-2222-2222-222222222222", app.ClientId);
+            CollectionAssert.AreEqual(pfxBytes, app.PfxBytes);
+            Assert.AreEqual(expectedPfxPassword, app.PfxPassword);
+        }
+
+        [TestMethod]
+        public async Task Throws_On_Invalid_Base64_Pfx()
+        {
+            var appMap = new FakeAppMapProvider(new Dictionary<(CloudType, Scenario, AppKind), AppSecretKeys>
+            {
+                { (CloudType.Public, Scenario.Obo, AppKind.WebApi),
+                  new AppSecretKeys("api_cid", "", "api_pfx", "api_pfxpwd") }
+            });
+
+            var store = new FakeSecretStore(new Dictionary<string, string>
+            {
+                ["api_cid"] = "cid",
+                ["api_pfx"] = "NOT-BASE64",
+                ["api_pfxpwd"] = "UT_IGNORE_THIS_VALUE" // benign literal
+            });
+
+            var agg = new AppMapAggregator(new[] { appMap });
+            var resolver = new AppResolver(agg, store);
+
+            await Assert.ThrowsExceptionAsync<InvalidOperationException>(async () =>
+                await resolver.ResolveAppAsync(CloudType.Public, Scenario.Obo, AppKind.WebApi).ConfigureAwait(false))
+                .ConfigureAwait(false);
+        }
+    }
+}
diff --git a/tests/Microsoft.Identity.Client.Labs.Tests/DiRegistrationTests.cs b/tests/Microsoft.Identity.Client.Labs.Tests/DiRegistrationTests.cs
new file mode 100644
index 0000000000..c609a5241c
--- /dev/null
+++ b/tests/Microsoft.Identity.Client.Labs.Tests/DiRegistrationTests.cs
@@ -0,0 +1,69 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Collections.Generic;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Identity.Client.Labs;
+using Microsoft.Identity.Client.Labs.Internal;
+using Microsoft.Identity.Client.Labs.Tests.TestDoubles;
+using Microsoft.VisualStudio.TestTools.UnitTesting;
+
+namespace Microsoft.Identity.Client.Labs.Tests.Unit
+{
+    [TestClass]
+    public class DiRegistrationTests
+    {
+        [TestMethod]
+        public void Registers_Services_And_Allows_Store_Override()
+        {
+            var services = new ServiceCollection();
+
+            // Neutral secret-name placeholders (avoid "secret/password/pwd" keywords)
+            const string NameUser = "UT_NAME_USER";
+            const string NameGlobal = "UT_NAME_GLOBAL";
+            const string NameClientId = "UT_NAME_CLIENTID";
+
+            services.AddLabsIdentity(o =>
+            {
+                o.KeyVaultUri = new Uri("https://example.vault.azure.net/");
+                // This is a *secret name* (key), not a secret value.
+                o.GlobalPasswordSecret = NameGlobal;
+            });
+
+            // Minimal maps so resolvers have something to resolve
+            services.AddSingleton<IAccountMapProvider>(sp =>
+                new FakeAccountMapProvider(new Dictionary<(AuthType, CloudType, Scenario), string>
+                {
+                    { (AuthType.Basic, CloudType.Public, Scenario.Basic), NameUser }
+                }));
+
+            services.AddSingleton<IAppMapProvider>(sp =>
+                new FakeAppMapProvider(new Dictionary<(CloudType, Scenario, AppKind), AppSecretKeys>
+                {
+                    { (CloudType.Public, Scenario.Basic, AppKind.PublicClient),
+                      new AppSecretKeys(NameClientId) }
+                }));
+
+            // Generate a benign placeholder for secret *values*
+            var placeholderValue = $"UT_{Guid.NewGuid():N}";
+
+            // Register a fake store: keys are secret *names*; values are placeholders
+            services.AddSingleton<ISecretStore>(sp =>
+                new FakeSecretStore(new Dictionary<string, string>
+                {
+                    [NameUser] = "user@example.com",
+                    [NameGlobal] = placeholderValue,
+                    [NameClientId] = "33333333-3333-3333-3333-333333333333"
+                }));
+
+            var sp = services.BuildServiceProvider();
+
+            var acct = sp.GetRequiredService<IAccountResolver>();
+            var app = sp.GetRequiredService<IAppResolver>();
+
+            Assert.IsNotNull(acct);
+            Assert.IsNotNull(app);
+        }
+    }
+}
diff --git a/tests/Microsoft.Identity.Client.Labs.Tests/Microsoft.Identity.Client.Labs.Tests.csproj b/tests/Microsoft.Identity.Client.Labs.Tests/Microsoft.Identity.Client.Labs.Tests.csproj
new file mode 100644
index 0000000000..0b1991fbe4
--- /dev/null
+++ b/tests/Microsoft.Identity.Client.Labs.Tests/Microsoft.Identity.Client.Labs.Tests.csproj
@@ -0,0 +1,27 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFramework>net8.0</TargetFramework>
+    <IsPackable>false</IsPackable>
+    <Nullable>enable</Nullable>
+  </PropertyGroup>
+
+  <PropertyGroup>
+    <SignAssembly>false</SignAssembly>
+    <PublicSign>false</PublicSign>
+    <DelaySign>false</DelaySign>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="MSTest.TestAdapter" />
+    <PackageReference Include="MSTest.TestFramework" />
+    <PackageReference Include="Microsoft.NET.Test.Sdk" />
+    <PackageReference Include="Microsoft.Extensions.DependencyInjection" />
+    <PackageReference Include="Microsoft.Extensions.Options" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\..\src\client\Microsoft.Identity.Client.Labs\Microsoft.Identity.Client.Labs.csproj" />
+  </ItemGroup>
+
+</Project>
diff --git a/tests/Microsoft.Identity.Client.Labs.Tests/PasswordSelectionPolicyTests.cs b/tests/Microsoft.Identity.Client.Labs.Tests/PasswordSelectionPolicyTests.cs
new file mode 100644
index 0000000000..965a8249a9
--- /dev/null
+++ b/tests/Microsoft.Identity.Client.Labs.Tests/PasswordSelectionPolicyTests.cs
@@ -0,0 +1,89 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System.Collections.Generic;
+using Microsoft.Extensions.Options;
+using Microsoft.Identity.Client.Labs;
+using Microsoft.Identity.Client.Labs.Internal;
+using Microsoft.Identity.Client.Labs.Tests.TestDoubles;
+using Microsoft.VisualStudio.TestTools.UnitTesting;
+
+namespace Microsoft.Identity.Client.Labs.Tests.Unit
+{
+    [TestClass]
+    public class PasswordSelectionPolicyTests
+    {
+        private static AccountMapAggregator MakeAgg(LabsOptions options)
+        {
+            var provider = new FakeAccountMapProvider(new Dictionary<(AuthType, CloudType, Scenario), string>
+            {
+                { (AuthType.Basic, CloudType.Public, Scenario.Obo), "cld_basic_public_obo_uname" }
+            });
+
+            return new AccountMapAggregator(new[] { provider }, Options.Create(options));
+        }
+
+        [TestMethod]
+        public void Tuple_Override_Wins_Over_Cloud_And_Global()
+        {
+            var options = new LabsOptions
+            {
+                GlobalPasswordSecret = "global_pwd",
+                PasswordSecretByCloud = new() { [CloudType.Public] = "cloud_pwd" },
+                PasswordSecretByTuple = new() { ["basic.public.obo"] = "tuple_pwd" }
+            };
+
+            var agg = MakeAgg(options);
+            var pwd = agg.GetPasswordSecret(AuthType.Basic, CloudType.Public, Scenario.Obo);
+
+            Assert.AreEqual("tuple_pwd", pwd);
+        }
+
+        [TestMethod]
+        public void Cloud_Override_Wins_Over_Global()
+        {
+            var options = new LabsOptions
+            {
+                GlobalPasswordSecret = "global_pwd",
+                PasswordSecretByCloud = new() { [CloudType.Public] = "cloud_pwd" }
+            };
+
+            var agg = MakeAgg(options);
+            var pwd = agg.GetPasswordSecret(AuthType.Basic, CloudType.Public, Scenario.Obo);
+
+            Assert.AreEqual("cloud_pwd", pwd);
+        }
+
+        [TestMethod]
+        public void Global_Is_Used_When_No_Overrides()
+        {
+            var options = new LabsOptions { GlobalPasswordSecret = "global_pwd" };
+
+            var agg = MakeAgg(options);
+            var pwd = agg.GetPasswordSecret(AuthType.Basic, CloudType.Public, Scenario.Obo);
+
+            Assert.AreEqual("global_pwd", pwd);
+        }
+
+        [TestMethod]
+        public void Convention_Used_When_No_Config_And_Enabled()
+        {
+            var options = new LabsOptions { EnableConventionFallback = true };
+
+            var agg = MakeAgg(options);
+            var pwd = agg.GetPasswordSecret(AuthType.Basic, CloudType.Public, Scenario.Obo);
+
+            Assert.AreEqual("cld_basic_public_obo_pwd", pwd);
+        }
+
+        [TestMethod]
+        public void Throws_When_No_Config_And_Convention_Disabled()
+        {
+            var options = new LabsOptions { EnableConventionFallback = false };
+            var agg = MakeAgg(options);
+
+            Assert.ThrowsException<KeyNotFoundException>(() =>
+                agg.GetPasswordSecret(AuthType.Basic, CloudType.Public, Scenario.Obo));
+        }
+    }
+}
diff --git a/tests/Microsoft.Identity.Client.Labs.Tests/TestDoubles/Fakes.cs b/tests/Microsoft.Identity.Client.Labs.Tests/TestDoubles/Fakes.cs
new file mode 100644
index 0000000000..9423cf08d0
--- /dev/null
+++ b/tests/Microsoft.Identity.Client.Labs.Tests/TestDoubles/Fakes.cs
@@ -0,0 +1,50 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System.Collections.Generic;
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.Identity.Client.Labs;
+using Microsoft.Identity.Client.Labs.Internal;
+
+namespace Microsoft.Identity.Client.Labs.Tests.TestDoubles
+{
+    internal sealed class FakeAccountMapProvider : IAccountMapProvider
+    {
+        private readonly IReadOnlyDictionary<(AuthType, CloudType, Scenario), string> _map;
+
+        public FakeAccountMapProvider(IReadOnlyDictionary<(AuthType, CloudType, Scenario), string> map)
+            => _map = map;
+
+        public IReadOnlyDictionary<(AuthType auth, CloudType cloud, Scenario scenario), string> GetUsernameMap() => _map;
+    }
+
+    internal sealed class FakeAppMapProvider : IAppMapProvider
+    {
+        private readonly IReadOnlyDictionary<(CloudType, Scenario, AppKind), AppSecretKeys> _map;
+
+        public FakeAppMapProvider(IReadOnlyDictionary<(CloudType, Scenario, AppKind), AppSecretKeys> map)
+            => _map = map;
+
+        public IReadOnlyDictionary<(CloudType cloud, Scenario scenario, AppKind kind), AppSecretKeys> GetAppMap() => _map;
+    }
+
+    internal sealed class FakeSecretStore : ISecretStore
+    {
+        private readonly Dictionary<string, string> _secrets = new();
+
+        public FakeSecretStore(IDictionary<string, string>? initial = null)
+        {
+            if (initial != null)
+            {
+                foreach (var kv in initial)
+                    _secrets[kv.Key] = kv.Value;
+            }
+        }
+
+        public Task<string> GetAsync(string secretName, CancellationToken ct = default)
+            => Task.FromResult(_secrets.TryGetValue(secretName, out var v) ? v : string.Empty);
+
+        public void Set(string name, string value) => _secrets[name] = value;
+    }
+}