diff --git a/src/Microsoft.Identity.Web.Certificate/PublicAPI.Unshipped.txt b/src/Microsoft.Identity.Web.Certificate/PublicAPI.Unshipped.txt index e69de29bb..7dc5c5811 100644 --- a/src/Microsoft.Identity.Web.Certificate/PublicAPI.Unshipped.txt +++ b/src/Microsoft.Identity.Web.Certificate/PublicAPI.Unshipped.txt @@ -0,0 +1 @@ +#nullable enable diff --git a/src/Microsoft.Identity.Web.TokenAcquisition/DefaultAuthorizationHeaderProvider.cs b/src/Microsoft.Identity.Web.TokenAcquisition/DefaultAuthorizationHeaderProvider.cs index 0b478d829..888b652db 100644 --- a/src/Microsoft.Identity.Web.TokenAcquisition/DefaultAuthorizationHeaderProvider.cs +++ b/src/Microsoft.Identity.Web.TokenAcquisition/DefaultAuthorizationHeaderProvider.cs @@ -101,7 +101,9 @@ private static TokenAcquisitionOptions CreateTokenAcquisitionOptionsFromApiOptio CancellationToken = cancellationToken, Claims = downstreamApiOptions?.AcquireTokenOptions.Claims, CorrelationId = downstreamApiOptions?.AcquireTokenOptions.CorrelationId ?? Guid.Empty, + ExtraHeadersParameters = downstreamApiOptions?.AcquireTokenOptions.ExtraHeadersParameters, ExtraQueryParameters = downstreamApiOptions?.AcquireTokenOptions.ExtraQueryParameters, + ExtraParameters = downstreamApiOptions?.AcquireTokenOptions.ExtraParameters, ForceRefresh = downstreamApiOptions?.AcquireTokenOptions.ForceRefresh ?? false, LongRunningWebApiSessionKey = downstreamApiOptions?.AcquireTokenOptions.LongRunningWebApiSessionKey, ManagedIdentity = downstreamApiOptions?.AcquireTokenOptions.ManagedIdentity, diff --git a/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net462/InternalAPI.Unshipped.txt b/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net462/InternalAPI.Unshipped.txt index e69de29bb..997694dde 100644 --- a/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net462/InternalAPI.Unshipped.txt +++ b/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net462/InternalAPI.Unshipped.txt 
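Review bot: The new `ExtraHeadersParameters = ...` line in `CreateTokenAcquisitionOptionsFromApiOptions` needs a comment saying where these headers end up. The `TokenAcquisition.cs` context later in this diff passes `tokenAcquisitionOptions.ExtraHeadersParameters` to `builder.WithExtraHttpHeaders(...)`, so they go on the token request, not on the call to the downstream API. A header meant for the API (an API key, for example) that is configured on the downstream API options would therefore be disclosed to the token endpoint. I would add `// Sent with the token request to the identity provider, not to the downstream API; do not put API credentials here.` above the line. Both dictionaries are assigned by reference, so a handler that mutates `ExtraParameters` would presumably also change the caller's options object; confirm whether a copy is intended.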
@@ -0,0 +1,6 @@ +#nullable enable +Microsoft.Identity.Web.TokenAcquisitionAddInOptions.InvokeOnAfterTokenAcquisition(Microsoft.Identity.Client.AuthenticationResult! result, Microsoft.Identity.Abstractions.AcquireTokenOptions? acquireTokenOptions) -> void +Microsoft.Identity.Web.TokenAcquisitionAddInOptions.InvokeOnBeforeTokenAcquisitionForApp(Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder! builder, Microsoft.Identity.Abstractions.AcquireTokenOptions? acquireTokenOptions) -> void +Microsoft.Identity.Web.TokenAcquisitionAddInOptions.InvokeOnBuildConfidentialClientApplication(Microsoft.Identity.Client.ConfidentialClientApplicationBuilder! builder, Microsoft.Identity.Abstractions.AcquireTokenOptions? acquireTokenOptions) -> void +Microsoft.Identity.Web.TokenAcquisitionExtensionOptions.InvokeOnBeforeTokenAcquisitionForApp(Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder! builder, Microsoft.Identity.Abstractions.AcquireTokenOptions? acquireTokenOptions) -> void +readonly Microsoft.Identity.Web.TokenAcquisition.tokenAcquisitionExtensionOptionsMonitor -> Microsoft.Extensions.Options.IOptionsMonitor? diff --git a/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net462/PublicAPI.Unshipped.txt b/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net462/PublicAPI.Unshipped.txt index e69de29bb..929635dc2 100644 --- a/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net462/PublicAPI.Unshipped.txt +++ b/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net462/PublicAPI.Unshipped.txt @@ -0,0 +1,5 @@ +#nullable enable +Microsoft.Identity.Web.BeforeTokenAcquisitionForApp +Microsoft.Identity.Web.TokenAcquisitionExtensionOptions +Microsoft.Identity.Web.TokenAcquisitionExtensionOptions.OnBeforeTokenAcquisitionForApp -> Microsoft.Identity.Web.BeforeTokenAcquisitionForApp? +Microsoft.Identity.Web.TokenAcquisitionExtensionOptions.TokenAcquisitionExtensionOptions() -> void 
diff --git a/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net472/InternalAPI.Unshipped.txt b/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net472/InternalAPI.Unshipped.txt index e69de29bb..997694dde 100644 --- a/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net472/InternalAPI.Unshipped.txt +++ b/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net472/InternalAPI.Unshipped.txt @@ -0,0 +1,6 @@ +#nullable enable +Microsoft.Identity.Web.TokenAcquisitionAddInOptions.InvokeOnAfterTokenAcquisition(Microsoft.Identity.Client.AuthenticationResult! result, Microsoft.Identity.Abstractions.AcquireTokenOptions? acquireTokenOptions) -> void +Microsoft.Identity.Web.TokenAcquisitionAddInOptions.InvokeOnBeforeTokenAcquisitionForApp(Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder! builder, Microsoft.Identity.Abstractions.AcquireTokenOptions? acquireTokenOptions) -> void +Microsoft.Identity.Web.TokenAcquisitionAddInOptions.InvokeOnBuildConfidentialClientApplication(Microsoft.Identity.Client.ConfidentialClientApplicationBuilder! builder, Microsoft.Identity.Abstractions.AcquireTokenOptions? acquireTokenOptions) -> void +Microsoft.Identity.Web.TokenAcquisitionExtensionOptions.InvokeOnBeforeTokenAcquisitionForApp(Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder! builder, Microsoft.Identity.Abstractions.AcquireTokenOptions? acquireTokenOptions) -> void +readonly Microsoft.Identity.Web.TokenAcquisition.tokenAcquisitionExtensionOptionsMonitor -> Microsoft.Extensions.Options.IOptionsMonitor? diff --git a/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net472/PublicAPI.Unshipped.txt b/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net472/PublicAPI.Unshipped.txt index e69de29bb..929635dc2 100644 --- a/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net472/PublicAPI.Unshipped.txt +++ b/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net472/PublicAPI.Unshipped.txt 
@@ -0,0 +1,5 @@ +#nullable enable +Microsoft.Identity.Web.BeforeTokenAcquisitionForApp +Microsoft.Identity.Web.TokenAcquisitionExtensionOptions +Microsoft.Identity.Web.TokenAcquisitionExtensionOptions.OnBeforeTokenAcquisitionForApp -> Microsoft.Identity.Web.BeforeTokenAcquisitionForApp? +Microsoft.Identity.Web.TokenAcquisitionExtensionOptions.TokenAcquisitionExtensionOptions() -> void diff --git a/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net6.0/InternalAPI.Unshipped.txt b/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net6.0/InternalAPI.Unshipped.txt index e69de29bb..997694dde 100644 --- a/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net6.0/InternalAPI.Unshipped.txt +++ b/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net6.0/InternalAPI.Unshipped.txt @@ -0,0 +1,6 @@ +#nullable enable +Microsoft.Identity.Web.TokenAcquisitionAddInOptions.InvokeOnAfterTokenAcquisition(Microsoft.Identity.Client.AuthenticationResult! result, Microsoft.Identity.Abstractions.AcquireTokenOptions? acquireTokenOptions) -> void +Microsoft.Identity.Web.TokenAcquisitionAddInOptions.InvokeOnBeforeTokenAcquisitionForApp(Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder! builder, Microsoft.Identity.Abstractions.AcquireTokenOptions? acquireTokenOptions) -> void +Microsoft.Identity.Web.TokenAcquisitionAddInOptions.InvokeOnBuildConfidentialClientApplication(Microsoft.Identity.Client.ConfidentialClientApplicationBuilder! builder, Microsoft.Identity.Abstractions.AcquireTokenOptions? acquireTokenOptions) -> void +Microsoft.Identity.Web.TokenAcquisitionExtensionOptions.InvokeOnBeforeTokenAcquisitionForApp(Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder! builder, Microsoft.Identity.Abstractions.AcquireTokenOptions? acquireTokenOptions) -> void +readonly Microsoft.Identity.Web.TokenAcquisition.tokenAcquisitionExtensionOptionsMonitor -> Microsoft.Extensions.Options.IOptionsMonitor? 
diff --git a/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net6.0/PublicAPI.Unshipped.txt b/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net6.0/PublicAPI.Unshipped.txt index e69de29bb..929635dc2 100644 --- a/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net6.0/PublicAPI.Unshipped.txt +++ b/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net6.0/PublicAPI.Unshipped.txt @@ -0,0 +1,5 @@ +#nullable enable +Microsoft.Identity.Web.BeforeTokenAcquisitionForApp +Microsoft.Identity.Web.TokenAcquisitionExtensionOptions +Microsoft.Identity.Web.TokenAcquisitionExtensionOptions.OnBeforeTokenAcquisitionForApp -> Microsoft.Identity.Web.BeforeTokenAcquisitionForApp? +Microsoft.Identity.Web.TokenAcquisitionExtensionOptions.TokenAcquisitionExtensionOptions() -> void diff --git a/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net7.0/InternalAPI.Unshipped.txt b/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net7.0/InternalAPI.Unshipped.txt index e69de29bb..997694dde 100644 --- a/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net7.0/InternalAPI.Unshipped.txt +++ b/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net7.0/InternalAPI.Unshipped.txt 
@@ -0,0 +1,6 @@ +#nullable enable +Microsoft.Identity.Web.TokenAcquisitionAddInOptions.InvokeOnAfterTokenAcquisition(Microsoft.Identity.Client.AuthenticationResult! result, Microsoft.Identity.Abstractions.AcquireTokenOptions? acquireTokenOptions) -> void +Microsoft.Identity.Web.TokenAcquisitionAddInOptions.InvokeOnBeforeTokenAcquisitionForApp(Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder! builder, Microsoft.Identity.Abstractions.AcquireTokenOptions? acquireTokenOptions) -> void +Microsoft.Identity.Web.TokenAcquisitionAddInOptions.InvokeOnBuildConfidentialClientApplication(Microsoft.Identity.Client.ConfidentialClientApplicationBuilder! builder, Microsoft.Identity.Abstractions.AcquireTokenOptions? acquireTokenOptions) -> void +Microsoft.Identity.Web.TokenAcquisitionExtensionOptions.InvokeOnBeforeTokenAcquisitionForApp(Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder! builder, Microsoft.Identity.Abstractions.AcquireTokenOptions? acquireTokenOptions) -> void +readonly Microsoft.Identity.Web.TokenAcquisition.tokenAcquisitionExtensionOptionsMonitor -> Microsoft.Extensions.Options.IOptionsMonitor? diff --git a/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net7.0/PublicAPI.Unshipped.txt b/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net7.0/PublicAPI.Unshipped.txt index e69de29bb..929635dc2 100644 --- a/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net7.0/PublicAPI.Unshipped.txt +++ b/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net7.0/PublicAPI.Unshipped.txt @@ -0,0 +1,5 @@ +#nullable enable +Microsoft.Identity.Web.BeforeTokenAcquisitionForApp +Microsoft.Identity.Web.TokenAcquisitionExtensionOptions +Microsoft.Identity.Web.TokenAcquisitionExtensionOptions.OnBeforeTokenAcquisitionForApp -> Microsoft.Identity.Web.BeforeTokenAcquisitionForApp? +Microsoft.Identity.Web.TokenAcquisitionExtensionOptions.TokenAcquisitionExtensionOptions() -> void 
diff --git a/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net8.0/InternalAPI.Unshipped.txt b/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net8.0/InternalAPI.Unshipped.txt index e69de29bb..997694dde 100644 --- a/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net8.0/InternalAPI.Unshipped.txt +++ b/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net8.0/InternalAPI.Unshipped.txt @@ -0,0 +1,6 @@ +#nullable enable +Microsoft.Identity.Web.TokenAcquisitionAddInOptions.InvokeOnAfterTokenAcquisition(Microsoft.Identity.Client.AuthenticationResult! result, Microsoft.Identity.Abstractions.AcquireTokenOptions? acquireTokenOptions) -> void +Microsoft.Identity.Web.TokenAcquisitionAddInOptions.InvokeOnBeforeTokenAcquisitionForApp(Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder! builder, Microsoft.Identity.Abstractions.AcquireTokenOptions? acquireTokenOptions) -> void +Microsoft.Identity.Web.TokenAcquisitionAddInOptions.InvokeOnBuildConfidentialClientApplication(Microsoft.Identity.Client.ConfidentialClientApplicationBuilder! builder, Microsoft.Identity.Abstractions.AcquireTokenOptions? acquireTokenOptions) -> void +Microsoft.Identity.Web.TokenAcquisitionExtensionOptions.InvokeOnBeforeTokenAcquisitionForApp(Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder! builder, Microsoft.Identity.Abstractions.AcquireTokenOptions? acquireTokenOptions) -> void +readonly Microsoft.Identity.Web.TokenAcquisition.tokenAcquisitionExtensionOptionsMonitor -> Microsoft.Extensions.Options.IOptionsMonitor? diff --git a/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net8.0/PublicAPI.Unshipped.txt b/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net8.0/PublicAPI.Unshipped.txt index e69de29bb..929635dc2 100644 --- a/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net8.0/PublicAPI.Unshipped.txt +++ b/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net8.0/PublicAPI.Unshipped.txt 
@@ -0,0 +1,5 @@ +#nullable enable +Microsoft.Identity.Web.BeforeTokenAcquisitionForApp +Microsoft.Identity.Web.TokenAcquisitionExtensionOptions +Microsoft.Identity.Web.TokenAcquisitionExtensionOptions.OnBeforeTokenAcquisitionForApp -> Microsoft.Identity.Web.BeforeTokenAcquisitionForApp? +Microsoft.Identity.Web.TokenAcquisitionExtensionOptions.TokenAcquisitionExtensionOptions() -> void diff --git a/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net9.0/InternalAPI.Unshipped.txt b/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net9.0/InternalAPI.Unshipped.txt index e69de29bb..997694dde 100644 --- a/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net9.0/InternalAPI.Unshipped.txt +++ b/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net9.0/InternalAPI.Unshipped.txt @@ -0,0 +1,6 @@ +#nullable enable +Microsoft.Identity.Web.TokenAcquisitionAddInOptions.InvokeOnAfterTokenAcquisition(Microsoft.Identity.Client.AuthenticationResult! result, Microsoft.Identity.Abstractions.AcquireTokenOptions? acquireTokenOptions) -> void +Microsoft.Identity.Web.TokenAcquisitionAddInOptions.InvokeOnBeforeTokenAcquisitionForApp(Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder! builder, Microsoft.Identity.Abstractions.AcquireTokenOptions? acquireTokenOptions) -> void +Microsoft.Identity.Web.TokenAcquisitionAddInOptions.InvokeOnBuildConfidentialClientApplication(Microsoft.Identity.Client.ConfidentialClientApplicationBuilder! builder, Microsoft.Identity.Abstractions.AcquireTokenOptions? acquireTokenOptions) -> void +Microsoft.Identity.Web.TokenAcquisitionExtensionOptions.InvokeOnBeforeTokenAcquisitionForApp(Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder! builder, Microsoft.Identity.Abstractions.AcquireTokenOptions? acquireTokenOptions) -> void +readonly Microsoft.Identity.Web.TokenAcquisition.tokenAcquisitionExtensionOptionsMonitor -> Microsoft.Extensions.Options.IOptionsMonitor? 
diff --git a/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net9.0/PublicAPI.Unshipped.txt b/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net9.0/PublicAPI.Unshipped.txt index e69de29bb..929635dc2 100644 --- a/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net9.0/PublicAPI.Unshipped.txt +++ b/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/net9.0/PublicAPI.Unshipped.txt @@ -0,0 +1,5 @@ +#nullable enable +Microsoft.Identity.Web.BeforeTokenAcquisitionForApp +Microsoft.Identity.Web.TokenAcquisitionExtensionOptions +Microsoft.Identity.Web.TokenAcquisitionExtensionOptions.OnBeforeTokenAcquisitionForApp -> Microsoft.Identity.Web.BeforeTokenAcquisitionForApp? +Microsoft.Identity.Web.TokenAcquisitionExtensionOptions.TokenAcquisitionExtensionOptions() -> void diff --git a/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/netstandard2.0/InternalAPI.Unshipped.txt b/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/netstandard2.0/InternalAPI.Unshipped.txt index e69de29bb..985750de1 100644 --- a/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/netstandard2.0/InternalAPI.Unshipped.txt +++ b/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/netstandard2.0/InternalAPI.Unshipped.txt 
@@ -0,0 +1,5 @@ +Microsoft.Identity.Web.TokenAcquisitionAddInOptions.InvokeOnAfterTokenAcquisition(Microsoft.Identity.Client.AuthenticationResult! result, Microsoft.Identity.Abstractions.AcquireTokenOptions? acquireTokenOptions) -> void +Microsoft.Identity.Web.TokenAcquisitionAddInOptions.InvokeOnBeforeTokenAcquisitionForApp(Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder! builder, Microsoft.Identity.Abstractions.AcquireTokenOptions? acquireTokenOptions) -> void +Microsoft.Identity.Web.TokenAcquisitionAddInOptions.InvokeOnBuildConfidentialClientApplication(Microsoft.Identity.Client.ConfidentialClientApplicationBuilder! builder, Microsoft.Identity.Abstractions.AcquireTokenOptions? acquireTokenOptions) -> void +Microsoft.Identity.Web.TokenAcquisitionExtensionOptions.InvokeOnBeforeTokenAcquisitionForApp(Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder! builder, Microsoft.Identity.Abstractions.AcquireTokenOptions? acquireTokenOptions) -> void +readonly Microsoft.Identity.Web.TokenAcquisition.tokenAcquisitionExtensionOptionsMonitor -> Microsoft.Extensions.Options.IOptionsMonitor? diff --git a/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/netstandard2.0/PublicAPI.Unshipped.txt b/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/netstandard2.0/PublicAPI.Unshipped.txt index e69de29bb..30834cec9 100644 --- a/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/netstandard2.0/PublicAPI.Unshipped.txt +++ b/src/Microsoft.Identity.Web.TokenAcquisition/PublicAPI/netstandard2.0/PublicAPI.Unshipped.txt @@ -0,0 +1,4 @@ +Microsoft.Identity.Web.BeforeTokenAcquisitionForApp +Microsoft.Identity.Web.TokenAcquisitionExtensionOptions +Microsoft.Identity.Web.TokenAcquisitionExtensionOptions.OnBeforeTokenAcquisitionForApp -> Microsoft.Identity.Web.BeforeTokenAcquisitionForApp? +Microsoft.Identity.Web.TokenAcquisitionExtensionOptions.TokenAcquisitionExtensionOptions() -> void 
diff --git a/src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquirer.cs b/src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquirer.cs index fd2bd5042..614e53efa 100644 --- a/src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquirer.cs +++ b/src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquirer.cs @@ -83,6 +83,7 @@ async Task ITokenAcquirer.GetTokenForAppAsync(string scope, UserFlow = tokenAcquisitionOptions.UserFlow, PopPublicKey = tokenAcquisitionOptions.PopPublicKey, PopClaim = tokenAcquisitionOptions.PopClaim, + ExtraParameters = tokenAcquisitionOptions.ExtraParameters, }; } } diff --git a/src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisition.cs b/src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisition.cs index 4db45fb6e..721772528 100644 --- a/src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisition.cs +++ b/src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisition.cs @@ -15,6 +15,7 @@ using System.Threading.Tasks; using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.Logging; +using Microsoft.Extensions.Options; using Microsoft.Identity.Abstractions; using Microsoft.Identity.Client; using Microsoft.Identity.Client.Advanced; @@ -57,6 +58,7 @@ class OAuthConstants protected readonly ITokenAcquisitionHost _tokenAcquisitionHost; protected readonly ICredentialsLoader _credentialsLoader; protected readonly ICertificatesObserver? _certificatesObserver; + protected readonly IOptionsMonitor? tokenAcquisitionExtensionOptionsMonitor; /// /// Scopes which are already requested by MSAL.NET. They should not be re-requested;. @@ -104,6 +106,7 @@ public TokenAcquisition( _tokenAcquisitionHost = tokenAcquisitionHost; _credentialsLoader = credentialsLoader; _certificatesObserver = serviceProvider.GetService(); + tokenAcquisitionExtensionOptionsMonitor = serviceProvider.GetService>(); } #if NET6_0_OR_GREATER 
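Review bot: The new field `tokenAcquisitionExtensionOptionsMonitor` in `TokenAcquisition.cs` is `protected readonly` and lacks the leading underscore used by its neighbours (`_tokenAcquisitionHost`, `_credentialsLoader`, `_certificatesObserver`). The hunks shown assign it only in the constructor and read it only inside this class, so I would declare it `private readonly` and name it `_tokenAcquisitionExtensionOptionsMonitor`, unless derived classes are meant to use it. It is resolved with `serviceProvider.GetService`, so it is null when no extension options are registered. A one-line comment on the field such as `// Null when no token acquisition extensions are registered.` would make that contract explicit. The class body and the constructor continue outside these hunks.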
@@ -384,6 +387,9 @@ public async Task GetAuthenticationResultForAppAsync( } } + TokenAcquisitionExtensionOptions? addInOptions = tokenAcquisitionExtensionOptionsMonitor?.CurrentValue; + + // Use MSAL to get the right token to call the API var application = await GetOrBuildConfidentialClientApplicationAsync(mergedOptions); @@ -391,6 +397,11 @@ public async Task GetAuthenticationResultForAppAsync( .AcquireTokenForClient(new[] { scope }.Except(_scopesRequestedByMsal)) .WithSendX5C(mergedOptions.SendX5C); + if (addInOptions!=null) + { + addInOptions.InvokeOnBeforeTokenAcquisitionForApp(builder, tokenAcquisitionOptions); + } + // MSAL.net only allows .WithTenantId for AAD authorities. This makes sense as there should // not be cross tenant operations with such an authority. if (!mergedOptions.Instance.Contains(Constants.CiamAuthoritySuffix @@ -414,6 +425,9 @@ public async Task GetAuthenticationResultForAppAsync( { builder.WithExtraHttpHeaders(tokenAcquisitionOptions.ExtraHeadersParameters); } + + // Extra Parameters are not meant to be used by Token but by extensions + if (tokenAcquisitionOptions.CorrelationId != null) { builder.WithCorrelationId(tokenAcquisitionOptions.CorrelationId.Value); diff --git a/src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisitionExtensionOptions.cs b/src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisitionExtensionOptions.cs new file mode 100644 index 000000000..5fae6f6d0 --- /dev/null +++ b/src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisitionExtensionOptions.cs 
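Review bot: The `OnBeforeTokenAcquisitionForApp` handlers are invoked right after `.WithSendX5C(...)`, before the code below applies the tenant, extra headers and correlation id, and nothing documents that ordering. A handler therefore receives a partially configured builder with full write access to the client-credential request, and whatever it sets may be replaced by the library calls that follow (not all of them are visible in this hunk). No try/catch is visible around the call, so an exception thrown by a handler propagates out of `GetAuthenticationResultForAppAsync`. I would add `// Extension handlers run first; settings applied by the library below take precedence over what they set.` above the call and shorten the call itself to `addInOptions?.InvokeOnBeforeTokenAcquisitionForApp(builder, tokenAcquisitionOptions);`.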
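Review bot: The added comment `// Extra Parameters are not meant to be used by Token but by extensions` has no code attached and sits directly above the `CorrelationId` check, so it reads as if it described the correlation id. I would reword it to state what is deliberately not done here, for example `// ExtraParameters is intentionally not applied to the MSAL request; it is only handed to extension handlers through the AcquireTokenOptions argument.`, and drop the extra blank line after it.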
@@ -0,0 +1,66 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using Microsoft.Identity.Abstractions;
+using Microsoft.Identity.Client;
+
+namespace Microsoft.Identity.Web
+{
+ ///
+ /// Options for TokenAcquisition add-ins. These options consist in a set of events, that can be subscribed to by add-ins
+ /// or parts of the add-ins.
+ ///
+ public partial class TokenAcquisitionExtensionOptions
+ {
+ ///
+ /// Event fired when the MSAL application needs to be built.
+ ///
+ public event BuildApplication? OnBuildConfidentialClientApplication;
+
+ ///
+ /// Event fired when a client credential flow request is being built.
+ ///
+ public event BeforeTokenAcquisitionForApp? OnBeforeTokenAcquisitionForApp;
+
+ ///
+ /// Event fired when an authentication result is available.
+ ///
+ public event AfterTokenAcquisition? OnAfterTokenAcquisition;
+
+ ///
+ /// Invoke the OnBuildConfidentialClientApplication event.
+ ///
+ internal void InvokeOnBuildConfidentialClientApplication(ConfidentialClientApplicationBuilder builder,
+ AcquireTokenOptions? acquireTokenOptions)
+ {
+ if (OnBuildConfidentialClientApplication != null)
+ {
+ OnBuildConfidentialClientApplication(builder, acquireTokenOptions);
+ }
+ }
+
+ ///
+ /// Invoke the OnBeforeTokenAcquisitionForApp event.
+ ///
+ internal void InvokeOnBeforeTokenAcquisitionForApp(AcquireTokenForClientParameterBuilder builder,
+ AcquireTokenOptions? acquireTokenOptions)
+ {
+ if (OnBeforeTokenAcquisitionForApp != null)
+ {
+ OnBeforeTokenAcquisitionForApp(builder, acquireTokenOptions);
+ }
+ }
+
+ ///
+ /// Invoke the OnAfterTokenAcquisition event.
+ ///
+ internal void InvokeOnAfterTokenAcquisition(AuthenticationResult result,
+ AcquireTokenOptions? acquireTokenOptions)
+ {
+ if (OnAfterTokenAcquisition != null)
+ {
+ OnAfterTokenAcquisition(result, acquireTokenOptions);
+ }
+ }
+ }
+}
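Review bot: Each `InvokeOn...` helper tests the event for null and then reads it again to invoke it, which can throw `NullReferenceException` if the last handler is removed between the two reads. `OnBeforeTokenAcquisitionForApp?.Invoke(builder, acquireTokenOptions);`, and the same form for the other two events, reads the delegate once. The summary on `OnAfterTokenAcquisition` should also say that the `AuthenticationResult` handed to handlers carries the issued token, so handlers must not log or persist it. Only `InvokeOnBeforeTokenAcquisitionForApp` is called in the `TokenAcquisition.cs` hunks of this diff; if the other two events are not raised elsewhere, their summaries should say so.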
diff --git a/src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisitionExtensions.cs b/src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisitionExtensions.cs new file mode 100644 index 000000000..f43d4b2b9 --- /dev/null +++ b/src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisitionExtensions.cs @@ -0,0 +1,30 @@ +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. + +using Microsoft.Extensions.DependencyInjection; +using Microsoft.Identity.Abstractions; +using Microsoft.Identity.Client; + +namespace Microsoft.Identity.Web +{ + /// + /// Signature for token acquisition extensions that act on the application builder. + /// + /// Application builder. + /// Token acquisition options for the request. Can be null. + public delegate void BuildApplication(ConfidentialClientApplicationBuilder confidentialClientApplicationBuilder, AcquireTokenOptions? acquireTokenOptions); + + /// + /// Signature for token acquisition extensions that act on the request builder, for an app token + /// + /// Builder + /// Token acquisition options for the request. Can be null. + public delegate void BeforeTokenAcquisitionForApp(AcquireTokenForClientParameterBuilder builder, AcquireTokenOptions? acquireTokenOptions); + + /// + /// Signature for token acquisition extensions that act on the application builder. + /// + /// MSAL.NET authentication result + /// Token acquisition options for the request. Can be null. + public delegate void AfterTokenAcquisition(AuthenticationResult authResult, AcquireTokenOptions? acquireTokenOptions); +} diff --git a/tests/DevApps/aspnet-mvc/OwinWebApi/Web.config b/tests/DevApps/aspnet-mvc/OwinWebApi/Web.config index 8f5a96f61..a2957522a 100644 --- a/tests/DevApps/aspnet-mvc/OwinWebApi/Web.config +++ b/tests/DevApps/aspnet-mvc/OwinWebApi/Web.config @@ -62,7 +62,7 @@ - + @@ -78,7 +78,7 @@ - + @@ -86,23 +86,23 @@ - + - + - + - + - + 
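Review bot: The summary on the `AfterTokenAcquisition` delegate repeats the `BuildApplication` text ("act on the application builder"), although its first parameter is an `AuthenticationResult`. It should read something like `Signature for token acquisition extensions that observe the authentication result after a token has been acquired.` The `BeforeTokenAcquisitionForApp` summary lacks its final period and describes its first parameter only as "Builder"; `Client credential request builder.` would say more. `using Microsoft.Extensions.DependencyInjection;` does not appear to be needed by the three delegate declarations in this file.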
diff --git a/tests/DevApps/aspnet-mvc/OwinWebApp/Web.config b/tests/DevApps/aspnet-mvc/OwinWebApp/Web.config index abb766264..65c360704 100644 --- a/tests/DevApps/aspnet-mvc/OwinWebApp/Web.config +++ b/tests/DevApps/aspnet-mvc/OwinWebApp/Web.config @@ -59,7 +59,7 @@ - + @@ -75,7 +75,7 @@ - + @@ -83,23 +83,23 @@ - + - + - + - + - + diff --git a/tests/Microsoft.Identity.Web.Test/TokenAcquisitionAddInTests.cs b/tests/Microsoft.Identity.Web.Test/TokenAcquisitionAddInTests.cs new file mode 100644 index 000000000..deb0a79df --- /dev/null +++ b/tests/Microsoft.Identity.Web.Test/TokenAcquisitionAddInTests.cs 
@@ -0,0 +1,108 @@ +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. + +using Microsoft.Identity.Abstractions; +using Microsoft.Identity.Client; +using Microsoft.Identity.Web.Test.Common.Mocks; +using Microsoft.Identity.Web.Test.Common; +using Xunit; +using System.Threading.Tasks; +using NSubstitute; + +namespace Microsoft.Identity.Web.Tests +{ + public class TokenAcquisitionAddInTests + { + [Fact] + public void InvokeOnBuildConfidentialClientApplication_InvokesEvent() + { + // Arrange + var options = new TokenAcquisitionExtensionOptions(); + var acquireTokenOptions = new AcquireTokenOptions(); + ConfidentialClientApplicationBuilder builderMock = null!; + + bool eventInvoked = false; + options.OnBuildConfidentialClientApplication += (builder, options) => + { + eventInvoked = true; + }; + + // Act + options.InvokeOnBuildConfidentialClientApplication(builderMock, acquireTokenOptions); + + // Assert + Assert.True(eventInvoked); + } + + [Fact] + public async Task InvokeOnBeforeTokenAcquisitionForApp_InvokesEvent() + { + // Arrange + var options = new TokenAcquisitionExtensionOptions(); + var acquireTokenOptions = new AcquireTokenOptions(); + acquireTokenOptions.ForceRefresh = true; + + //Configure mocks + using MockHttpClientFactory mockHttpClient = new(); + mockHttpClient.AddMockHandler(MockHttpCreator.CreateClientCredentialTokenHandler()); + mockHttpClient.AddMockHandler(MockHttpCreator.CreateClientCredentialTokenHandler()); + + var confidentialApp = ConfidentialClientApplicationBuilder + .Create(TestConstants.ClientId) + .WithAuthority(TestConstants.AuthorityCommonTenant) + .WithHttpClientFactory(mockHttpClient) + .WithInstanceDiscovery(false) + .WithClientSecret(TestConstants.ClientSecret) + .Build(); + + AcquireTokenForClientParameterBuilder builder = confidentialApp.AcquireTokenForClient(new string[] { "scope" }); + + //Populate Cache + var result = await builder.ExecuteAsync(); + Assert.NotNull(result); + 
Assert.True(result.AuthenticationResultMetadata.TokenSource == TokenSource.IdentityProvider); + + bool eventInvoked = false; + options.OnBeforeTokenAcquisitionForApp += (builder, options) => + { + eventInvoked = true; + + //Set ForceRefresh on the builder + builder.WithForceRefresh(options!.ForceRefresh); + }; + + // Act + options.InvokeOnBeforeTokenAcquisitionForApp(builder, acquireTokenOptions); + + //Ensure ForceRefresh is set on the builder + result = await builder.ExecuteAsync(); + + // Assert + Assert.True(eventInvoked); + Assert.NotNull(result); + Assert.Equal(TokenSource.IdentityProvider, result.AuthenticationResultMetadata.TokenSource); + } + + [Fact] + public void InvokeOnAfterTokenAcquisition_InvokesEvent() + { + // Arrange + var options = new TokenAcquisitionExtensionOptions(); + ConfidentialClientApplicationBuilder builderMock = null!; + var resultMock = Substitute.For(); + var acquireTokenOptions = new AcquireTokenOptions(); + + bool eventInvoked = false; + options.OnAfterTokenAcquisition += (result, options) => + { + eventInvoked = true; + }; + + // Act + options.InvokeOnAfterTokenAcquisition(resultMock, acquireTokenOptions); + + // Assert + Assert.True(eventInvoked); + } + } +}
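Review bot: All three tests call the internal `InvokeOn...` helpers directly, so nothing in this file checks that `TokenAcquisition.GetAuthenticationResultForAppAsync` resolves the options monitor and raises `OnBeforeTokenAcquisitionForApp`. A test that registers `TokenAcquisitionExtensionOptions` in the service collection and asserts that the handler ran during an app-token request would cover the wiring this commit adds. In the handlers, the lambda parameters `builder` and `options` shadow outer locals of the same names, and `options` has a different type inside the lambda, so `options!.ForceRefresh` is easy to misread; `(requestBuilder, acquireOptions) =>` would be clearer. In `InvokeOnAfterTokenAcquisition_InvokesEvent` the local `builderMock` is never used and can be removed.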