blindzero · blindzero · Feb 7, 2026 · Feb 7, 2026 · Feb 7, 2026 · Feb 7, 2026
diff --git a/docs/reference/cmdlets/New-IdleAuthSession.md b/docs/reference/cmdlets/New-IdleAuthSession.md
@@ -13,7 +13,7 @@ Creates a simple AuthSessionBroker for use with IdLE providers.
 ## SYNTAX
 
 ```
-New-IdleAuthSession [-SessionMap] &lt;Hashtable&gt; [[-DefaultCredential] &lt;PSCredential&gt;]
+New-IdleAuthSession [-SessionMap] &lt;Hashtable&gt; [[-DefaultAuthSession] &lt;Object&gt;] [-AuthSessionType] &lt;String&gt;
  [-ProgressAction &lt;ActionPreference&gt;] [&lt;CommonParameters&gt;]
 ```
 
@@ -30,13 +30,13 @@ This is a thin wrapper that delegates to IdLE.Core\New-IdleAuthSessionBroker.
 ```
 $broker = New-IdleAuthSession -SessionMap @{
     @{ Role = 'Tier0' } = $tier0Credential
-}
+} -AuthSessionType 'Credential'
 ```
 
 ## PARAMETERS
 
 ### -SessionMap
-A hashtable that maps session configurations to credentials.
+A hashtable that maps session configurations to auth sessions.
 
 ```yaml
 Type: Hashtable
@@ -50,11 +50,11 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
-### -DefaultCredential
-Optional default credential to return when no session options are provided.
+### -DefaultAuthSession
+Optional default auth session to return when no session options are provided.
 
 ```yaml
-Type: PSCredential
+Type: Object
 Parameter Sets: (All)
 Aliases:
 
@@ -65,6 +65,28 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -AuthSessionType
+Specifies the type of authentication session.
+This determines validation rules,
+lifecycle management, and telemetry behavior.
+
+Valid values:
+- 'OAuth': Token-based authentication (e.g., Microsoft Graph, Exchange Online)
+- 'PSRemoting': PowerShell remoting execution context (e.g., Entra Connect)
+- 'Credential': Credential-based authentication (e.g., Active Directory, mock providers)
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: 3
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -ProgressAction
 TODO: ProgressAction Description
 

diff --git a/docs/reference/providers/provider-ad.md b/docs/reference/providers/provider-ad.md
@@ -1,3 +1,3 @@
 ---
 title: Provider Reference - IdLE.Provider.AD (Active Directory)
 sidebar_label: Active Directory
@@ -95,6 +95,9 @@
   - `null` (integrated authentication / run-as)  
   - `PSCredential` (used for AD cmdlets `-Credential`)
 - **Session options (data-only):** Any hashtable; commonly `@{ Role = 'Tier0' }` / `@{ Role = 'Admin' }`
+- **Required `AuthSessionType`:** `Credential`
+
+The AD provider uses credential-based authentication where the module capabilities exist without requiring explicit session management. When creating the `AuthSessionBroker`, specify `AuthSessionType = 'Credential'` to indicate this authentication pattern.
 
 :::warning
 
@@ -122,10 +125,11 @@
 $tier0Credential = Get-Credential -Message 'Enter Tier0 AD admin credentials'
 $adminCredential = Get-Credential -Message 'Enter AD admin credentials'
 
+# Create broker with Credential session type
 $broker = New-IdleAuthSession -SessionMap @{
   @{ Role = 'Tier0' } = $tier0Credential
   @{ Role = 'Admin' } = $adminCredential
-} -DefaultCredential $adminCredential
+} -DefaultCredential $adminCredential -AuthSessionType 'Credential'
 
 $providers = @{
   Identity         = New-IdleADIdentityProvider
@@ -143,10 +147,11 @@
 $sourceCred = Get-Credential -Message 'Enter credentials for source forest'
 $targetCred = Get-Credential -Message 'Enter credentials for target forest'
 
+# Create broker with Credential session type
 $broker = New-IdleAuthSession -SessionMap @{
   @{ Domain = 'SourceForest' } = $sourceCred
   @{ Domain = 'TargetForest' } = $targetCred
-}
+} -AuthSessionType 'Credential'
 
 # Steps use With.AuthSessionOptions = @{ Domain = 'SourceForest' } etc.
 ```
@@ -179,11 +184,11 @@
 # Create provider
 $provider = New-IdleADIdentityProvider
 
-# Create broker with role-based credential mapping
+# Create broker with role-based credential mapping and Credential session type
 $broker = New-IdleAuthSession -SessionMap @{
     @{ Role = 'Tier0' } = $tier0Credential
     @{ Role = 'Admin' } = $adminCredential
-} -DefaultCredential $adminCredential
+} -DefaultCredential $adminCredential -AuthSessionType 'Credential'
 
 # Use provider with broker
 $plan = New-IdlePlan -WorkflowPath './workflow.psd1' -Request $request -Providers @{
@@ -267,7 +272,7 @@
 $broker = New-IdleAuthSession -SessionMap @{
     @{ Domain = 'Source' } = $sourceCred
     @{ Domain = 'Target' } = $targetCred
-}
+} -AuthSessionType 'Credential'
 
 $plan = New-IdlePlan -WorkflowPath './migration.psd1' -Request $request -Providers @{
     SourceAD = $sourceAD

diff --git a/docs/reference/providers/provider-directorysync-entraconnect.md b/docs/reference/providers/provider-directorysync-entraconnect.md
@@ -63,6 +63,9 @@ and pass it to provider methods.
   - `DirectorySync` (see `IdLE.Step.TriggerDirectorySync`)
 - **Session options (data-only):**
   - Forwarded to the host broker for session selection (provider does not interpret option keys).
+- **Required `AuthSessionType`:** `PSRemoting`
+
+The EntraConnect provider uses PowerShell remoting to execute commands on a remote Entra Connect server. When creating the `AuthSessionBroker`, specify `AuthSessionType = 'PSRemoting'` to indicate remote execution context is expected.
 
 :::warning
 

diff --git a/docs/reference/providers/provider-entraID.md b/docs/reference/providers/provider-entraID.md
@@ -1,3 +1,3 @@
 ---
 title: Provider Reference - IdLE.Provider.EntraID
 sidebar_label: Entra ID
@@ -47,10 +47,10 @@
 Connect-AzAccount
 $token = (Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com").Token
 
-# Create broker
+# Create broker with OAuth session type (tokens can be passed directly)
 $broker = New-IdleAuthSession -SessionMap @{
     @{} = $token
-} -DefaultCredential $token
+} -DefaultAuthSession $token -AuthSessionType 'OAuth'
 
 # Create provider
 $provider = New-IdleEntraIDIdentityProvider
@@ -73,10 +73,10 @@
 # Obtain token (pseudo-code - use your preferred auth library)
 $token = Get-GraphAppOnlyToken -ClientId $clientId -ClientSecret $clientSecret -TenantId $tenantId
 
-# Create broker
+# Create broker with OAuth session type (tokens can be passed directly)
 $broker = New-IdleAuthSession -SessionMap @{
     @{} = $token
-} -DefaultCredential $token
+} -DefaultAuthSession $token -AuthSessionType 'OAuth'
 
 # Rest is identical to delegated flow
 ```
@@ -87,14 +87,21 @@
 $tier0Token = Get-GraphToken -Role 'Tier0'
 $adminToken = Get-GraphToken -Role 'Admin'
 
+# Create broker with OAuth session type (tokens can be passed directly)
 $broker = New-IdleAuthSession -SessionMap @{
     @{ Role = 'Tier0' } = $tier0Token
     @{ Role = 'Admin' } = $adminToken
-} -DefaultCredential $adminToken
+} -DefaultAuthSession $adminToken -AuthSessionType 'OAuth'
 
 # Workflow steps specify: With.AuthSessionOptions = @{ Role = 'Tier0' }
 ```
 
+### Auth Session Type
+
+**Required `AuthSessionType`:** `OAuth`
+
+The EntraID provider uses OAuth-based authentication via Microsoft Graph API tokens. When creating the `AuthSessionBroker`, specify `AuthSessionType = 'OAuth'` to indicate token-based authentication is expected.
+
 
 
 > Providers must not prompt for auth. Use the host-provided broker contract.

diff --git a/docs/reference/providers/provider-exchangeonline.md b/docs/reference/providers/provider-exchangeonline.md
@@ -58,6 +58,9 @@ sidebar_label: ExchangeOnline
   - Typically the step passes `With.AuthSessionName` (if present). For built-in mailbox steps, if `With.AuthSessionName` is absent, it defaults to the provider alias (commonly `ExchangeOnline`).
 - **Session options (data-only):**
   - The provider does not interpret options; they are used by the host/broker to select credentials/route to a tenant/session.
+- **Required `AuthSessionType`:** `OAuth`
+
+The ExchangeOnline provider uses OAuth-based authentication via Exchange Online PowerShell. When creating the `AuthSessionBroker`, specify `AuthSessionType = 'OAuth'` to indicate token-based authentication is expected.
 
 :::warning
 

diff --git a/docs/reference/providers/provider-mock.md b/docs/reference/providers/provider-mock.md
@@ -59,6 +59,10 @@ sidebar_label: Mock
 
 This provider does not require authentication.
 
+- **AuthSessionType usage:** Not applicable
+
+The Mock provider does not acquire or require auth sessions. You do not need to configure an `AuthSessionBroker` when using this provider. If a broker is supplied for broader test scaffolding, this provider will ignore any acquired auth session.
+
 :::warning
 
 **Security notes**

diff --git a/docs/use/providers.md b/docs/use/providers.md
@@ -112,6 +112,18 @@ Many providers require authenticated connections (tokens, API clients, remote se
 IdLE keeps authentication out of the engine and out of individual providers by using a
 host-supplied broker. Using the **AuthSessionBroker** is in particular helpful for scenarios that use different providers or different authentications for one provider in one workflow.
 
+### AuthSessionType
+
+Each `AuthSessionBroker` must specify an `AuthSessionType` that determines validation rules, lifecycle management, and telemetry behavior:
+
+- **`OAuth`** - Token-based authentication (e.g., Microsoft Graph, Exchange Online)
+- **`PSRemoting`** - PowerShell remoting execution context (e.g., Entra Connect)
+- **`Credential`** - Credential-based authentication (e.g., Active Directory, mock providers)
+
+Each provider documents its required `AuthSessionType` in its reference documentation.
+
+### Example: Active Directory with Credential Auth
+
 ```powershell
 # Assuming you have credentials available (e.g., from a secure vault or credential manager)
 $tier0Credential = Get-Credential -Message "Enter Tier0 admin credentials"
@@ -120,11 +132,11 @@ $adminCredential = Get-Credential -Message "Enter regular admin credentials"
 # Create provider
 $provider = New-IdleADIdentityProvider
 
-# Create broker with role-based credential mapping
+# Create broker with role-based credential mapping and Credential session type
 $broker = New-IdleAuthSession -SessionMap @{
     @{ Role = 'Tier0' } = $tier0Credential
     @{ Role = 'Admin' } = $adminCredential
-} -DefaultCredential $adminCredential
+} -DefaultAuthSession $adminCredential -AuthSessionType 'Credential'
 
 # Use provider with broker
 $plan = New-IdlePlan -WorkflowPath './workflow.psd1' -Request $request -Providers @{
@@ -133,6 +145,28 @@ $plan = New-IdlePlan -WorkflowPath './workflow.psd1' -Request $request -Provider
 }
 ```
 
+### Example: Entra ID with OAuth
+
+```powershell
+# Host obtains token (example using Azure PowerShell)
+Connect-AzAccount
+$token = (Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com").Token
+
+# Create broker with OAuth session type (tokens can be passed directly)
+$broker = New-IdleAuthSession -SessionMap @{
+    @{} = $token
+} -DefaultAuthSession $token -AuthSessionType 'OAuth'
+
+# Create provider
+$provider = New-IdleEntraIDIdentityProvider
+
+# Use in plan
+$plan = New-IdlePlan -WorkflowPath './workflow.psd1' -Request $request -Providers @{
+    Identity = $provider
+    AuthSessionBroker = $broker
+}
+```
+
 The different authentication sessions are used by the workflow definition by the steps via `AuthSessionOptions`.
 ```powershell
 With = @{