diff --git a/Directory.Build.props b/Directory.Build.props
index 0e52a6ed0..b4bf05d87 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -2,12 +2,12 @@
   <PropertyGroup>
     <!--This should be passed from the VSTS build-->
     <!-- This needs to be greater than or equal to the validation baseline version -->
-    <MicrosoftIdentityWebVersion Condition="'$(MicrosoftIdentityWebVersion)' == ''">3.14.1</MicrosoftIdentityWebVersion>
+    <MicrosoftIdentityWebVersion Condition="'$(MicrosoftIdentityWebVersion)' == ''">4.0.0</MicrosoftIdentityWebVersion>
     <!--This will generate AssemblyVersion, AssemblyFileVersion and AssemblyInformationVersion-->
     <Version>$(MicrosoftIdentityWebVersion)</Version>
 
     <EnablePackageValidation>true</EnablePackageValidation>
-    <PackageValidationBaselineVersion>2.7.0</PackageValidationBaselineVersion>
+    <PackageValidationBaselineVersion>3.14.1</PackageValidationBaselineVersion>
 
     <AssemblyOriginatorKeyFile>$(MSBuildThisFileDirectory)\build\35MSSharedLib1024.snk</AssemblyOriginatorKeyFile>
     <RepositoryType>git</RepositoryType>
@@ -82,8 +82,8 @@
 
   <PropertyGroup Label="Common dependency versions">
     <MicrosoftIdentityModelVersion Condition="'$(MicrosoftIdentityModelVersion)' == ''">8.14.0</MicrosoftIdentityModelVersion>
-    <MicrosoftIdentityClientVersion Condition="'$(MicrosoftIdentityClientVersion)' == ''">4.77.0</MicrosoftIdentityClientVersion>
-    <MicrosoftIdentityAbstractionsVersion Condition="'$(MicrosoftIdentityAbstractionsVersion)' == ''">9.4.0</MicrosoftIdentityAbstractionsVersion>
+    <MicrosoftIdentityClientVersion Condition="'$(MicrosoftIdentityClientVersion)' == ''">4.77.1</MicrosoftIdentityClientVersion>
+    <MicrosoftIdentityAbstractionsVersion Condition="'$(MicrosoftIdentityAbstractionsVersion)' == ''">9.5.0</MicrosoftIdentityAbstractionsVersion>
     <FxCopAnalyzersVersion>3.3.0</FxCopAnalyzersVersion>
     <SystemTextEncodingsWebVersion>4.7.2</SystemTextEncodingsWebVersion>
     <AzureSecurityKeyVaultSecretsVersion>4.6.0</AzureSecurityKeyVaultSecretsVersion>
diff --git a/changelog.md b/changelog.md
index ef18e35e9..52e19f0c2 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,3 +1,22 @@
+4.0.0
+=========
+### Breaking Changes
+**Removed support for .NET 6.0 and .NET 7.0** - Microsoft Identity Web 4.0.0 no longer targets .NET 6.0 and .NET 7.0, following Microsoft's support lifecycle. The supported target frameworks are now .NET 8.0, .NET 9.0, .NET Framework 4.6.2, .NET Framework 4.7.2, and .NET Standard 2.0.
+
+### New features
+- Various improvements to performance logging, authentication, and credential loading capabilities.
+- Bumped MSAL.NET to 4.77.1
+- Added credential description extensibility. For details, see [#3487](https://github.com/AzureAD/microsoft-identity-web/pull/3487)
+- Added a new CerticateObserverAction type: SuccessfullyUsed. See [#3505](https://github.com/AzureAD/microsoft-identity-web/pull/3505)
+- Add specification of OID (in addition to upn) for Agent User Identity. See [#3513](https://github.com/AzureAD/microsoft-identity-web/pull/3513)
+
+### Fundamentals
+- Various improvements to .NET support and dependency optimizations.
+- Added doc for Agent identities. See [Agent identities](src/Microsoft.Identity.Web.AgentIdentities/README.AgentIdentities.md)
+- Combined and fixed test collections. See [#3472](https://github.com/AzureAD/microsoft-identity-web/pull/3472)
+- Migrate repository agent rules from .clinerules to agents.md. See [#3475](https://github.com/AzureAD/microsoft-identity-web/pull/3475)
+- Add .NET 6.x setup step to dotnetcore.yml workflow, as the default build agents don't have it any longer. See [#3489](https://github.com/AzureAD/microsoft-identity-web/pull/3489)
+
 3.14.1
 =======
 ##  Bug fix
diff --git a/src/Microsoft.Identity.Web.Certificate/CompatibilitySuppressions.xml b/src/Microsoft.Identity.Web.Certificate/CompatibilitySuppressions.xml
new file mode 100644
index 000000000..e1dce63c7
--- /dev/null
+++ b/src/Microsoft.Identity.Web.Certificate/CompatibilitySuppressions.xml
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- https://learn.microsoft.com/dotnet/fundamentals/package-validation/diagnostic-ids -->
+<Suppressions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
+  <Suppression>
+    <DiagnosticId>CP0008</DiagnosticId>
+    <Target>T:Microsoft.Identity.Web.CertificateSource</Target>
+    <Left>lib/net6.0/Microsoft.Identity.Web.Certificate.dll</Left>
+    <Right>lib/netstandard2.0/Microsoft.Identity.Web.Certificate.dll</Right>
+    <IsBaselineSuppression>true</IsBaselineSuppression>
+  </Suppression>
+  <Suppression>
+    <DiagnosticId>CP0008</DiagnosticId>
+    <Target>T:Microsoft.Identity.Web.CertificateSource</Target>
+    <Left>lib/net7.0/Microsoft.Identity.Web.Certificate.dll</Left>
+    <Right>lib/netstandard2.0/Microsoft.Identity.Web.Certificate.dll</Right>
+    <IsBaselineSuppression>true</IsBaselineSuppression>
+  </Suppression>
+</Suppressions>
\ No newline at end of file
diff --git a/src/Microsoft.Identity.Web.Sidecar/Endpoints/AuthorizationHeaderEndpoint.cs b/src/Microsoft.Identity.Web.Sidecar/Endpoints/AuthorizationHeaderEndpoint.cs
index ab3ad1229..b34abc246 100644
--- a/src/Microsoft.Identity.Web.Sidecar/Endpoints/AuthorizationHeaderEndpoint.cs
+++ b/src/Microsoft.Identity.Web.Sidecar/Endpoints/AuthorizationHeaderEndpoint.cs
@@ -47,7 +47,7 @@ public static void AddAuthorizationHeaderRequestEndpoints(this WebApplication ap
                 "Repeat parameters like 'optionsOverride.Scopes' to add multiple scopes.");
     }
 
-    private static async Task<Results<Ok<AuthorizationHeaderResult>, ProblemHttpResult>> AuthorizationHeaderAsync(
+    private static async Task<Results<Ok<Models.AuthorizationHeaderResult>, ProblemHttpResult>> AuthorizationHeaderAsync(
         HttpContext httpContext,
         [Description("The downstream API to acquire an authorization header for.")]
         [FromRoute]
@@ -114,6 +114,6 @@ private static async Task<Results<Ok<AuthorizationHeaderResult>, ProblemHttpResu
                 statusCode: StatusCodes.Status500InternalServerError);
         }
 
-        return TypedResults.Ok(new AuthorizationHeaderResult(authorizationHeader));
+        return TypedResults.Ok(new Models.AuthorizationHeaderResult(authorizationHeader));
     }
 }
diff --git a/src/Microsoft.Identity.Web.TokenAcquisition/CompatibilitySuppressions.xml b/src/Microsoft.Identity.Web.TokenAcquisition/CompatibilitySuppressions.xml
index e69ba63e4..1d9cb4dea 100644
--- a/src/Microsoft.Identity.Web.TokenAcquisition/CompatibilitySuppressions.xml
+++ b/src/Microsoft.Identity.Web.TokenAcquisition/CompatibilitySuppressions.xml
@@ -1,40 +1,46 @@
-<?xml version="1.0" encoding="utf-8"?>
-<!-- https://learn.microsoft.com/dotnet/fundamentals/package-validation/diagnostic-ids -->
-<Suppressions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
-  <Suppression>
-    <DiagnosticId>CP0001</DiagnosticId>
-    <Target>T:Microsoft.Identity.Web.OpenIdConnectOptions</Target>
-    <Left>lib/netstandard2.0/Microsoft.Identity.Web.TokenAcquisition.dll</Left>
-    <Right>lib/net8.0/Microsoft.Identity.Web.TokenAcquisition.dll</Right>
-  </Suppression>
-  <Suppression>
-    <DiagnosticId>CP0002</DiagnosticId>
-    <Target>M:Microsoft.Identity.Web.MicrosoftIdentityOptions.get_ErrorPath</Target>
-    <Left>lib/netstandard2.0/Microsoft.Identity.Web.TokenAcquisition.dll</Left>
-    <Right>lib/net8.0/Microsoft.Identity.Web.TokenAcquisition.dll</Right>
-  </Suppression>
-  <Suppression>
-    <DiagnosticId>CP0002</DiagnosticId>
-    <Target>M:Microsoft.Identity.Web.MicrosoftIdentityOptions.get_ResetPasswordPath</Target>
-    <Left>lib/netstandard2.0/Microsoft.Identity.Web.TokenAcquisition.dll</Left>
-    <Right>lib/net8.0/Microsoft.Identity.Web.TokenAcquisition.dll</Right>
-  </Suppression>
-  <Suppression>
-    <DiagnosticId>CP0006</DiagnosticId>
-    <Target>M:Microsoft.Identity.Web.ITokenAcquisition.ReplyForbiddenWithWwwAuthenticateHeader(System.Collections.Generic.IEnumerable{System.String},Microsoft.Identity.Client.MsalUiRequiredException,System.String,Microsoft.AspNetCore.Http.HttpResponse)</Target>
-    <Left>lib/netstandard2.0/Microsoft.Identity.Web.TokenAcquisition.dll</Left>
-    <Right>lib/net8.0/Microsoft.Identity.Web.TokenAcquisition.dll</Right>
-  </Suppression>
-  <Suppression>
-    <DiagnosticId>CP0006</DiagnosticId>
-    <Target>M:Microsoft.Identity.Web.ITokenAcquisition.ReplyForbiddenWithWwwAuthenticateHeaderAsync(System.Collections.Generic.IEnumerable{System.String},Microsoft.Identity.Client.MsalUiRequiredException,Microsoft.AspNetCore.Http.HttpResponse)</Target>
-    <Left>lib/netstandard2.0/Microsoft.Identity.Web.TokenAcquisition.dll</Left>
-    <Right>lib/net8.0/Microsoft.Identity.Web.TokenAcquisition.dll</Right>
-  </Suppression>
-  <Suppression>
-    <DiagnosticId>CP0007</DiagnosticId>
-    <Target>T:Microsoft.Identity.Web.MicrosoftIdentityOptions</Target>
-    <Left>lib/netstandard2.0/Microsoft.Identity.Web.TokenAcquisition.dll</Left>
-    <Right>lib/net8.0/Microsoft.Identity.Web.TokenAcquisition.dll</Right>
-  </Suppression>
+<?xml version="1.0" encoding="utf-8"?>
+<!-- https://learn.microsoft.com/dotnet/fundamentals/package-validation/diagnostic-ids -->
+<Suppressions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
+  <Suppression>
+    <DiagnosticId>CP0001</DiagnosticId>
+    <Target>T:Microsoft.Identity.Web.OpenIdConnectOptions</Target>
+    <Left>lib/netstandard2.0/Microsoft.Identity.Web.TokenAcquisition.dll</Left>
+    <Right>lib/net8.0/Microsoft.Identity.Web.TokenAcquisition.dll</Right>
+  </Suppression>
+  <Suppression>
+    <DiagnosticId>CP0002</DiagnosticId>
+    <Target>M:Microsoft.Identity.Web.MicrosoftIdentityAuthenticationException.#ctor(System.Runtime.Serialization.SerializationInfo,System.Runtime.Serialization.StreamingContext)</Target>
+    <Left>lib/netstandard2.0/Microsoft.Identity.Web.TokenAcquisition.dll</Left>
+    <Right>lib/net8.0/Microsoft.Identity.Web.TokenAcquisition.dll</Right>
+  </Suppression>
+  <Suppression>
+    <DiagnosticId>CP0002</DiagnosticId>
+    <Target>M:Microsoft.Identity.Web.MicrosoftIdentityOptions.get_ErrorPath</Target>
+    <Left>lib/netstandard2.0/Microsoft.Identity.Web.TokenAcquisition.dll</Left>
+    <Right>lib/net8.0/Microsoft.Identity.Web.TokenAcquisition.dll</Right>
+  </Suppression>
+  <Suppression>
+    <DiagnosticId>CP0002</DiagnosticId>
+    <Target>M:Microsoft.Identity.Web.MicrosoftIdentityOptions.get_ResetPasswordPath</Target>
+    <Left>lib/netstandard2.0/Microsoft.Identity.Web.TokenAcquisition.dll</Left>
+    <Right>lib/net8.0/Microsoft.Identity.Web.TokenAcquisition.dll</Right>
+  </Suppression>
+  <Suppression>
+    <DiagnosticId>CP0006</DiagnosticId>
+    <Target>M:Microsoft.Identity.Web.ITokenAcquisition.ReplyForbiddenWithWwwAuthenticateHeader(System.Collections.Generic.IEnumerable{System.String},Microsoft.Identity.Client.MsalUiRequiredException,System.String,Microsoft.AspNetCore.Http.HttpResponse)</Target>
+    <Left>lib/netstandard2.0/Microsoft.Identity.Web.TokenAcquisition.dll</Left>
+    <Right>lib/net8.0/Microsoft.Identity.Web.TokenAcquisition.dll</Right>
+  </Suppression>
+  <Suppression>
+    <DiagnosticId>CP0006</DiagnosticId>
+    <Target>M:Microsoft.Identity.Web.ITokenAcquisition.ReplyForbiddenWithWwwAuthenticateHeaderAsync(System.Collections.Generic.IEnumerable{System.String},Microsoft.Identity.Client.MsalUiRequiredException,Microsoft.AspNetCore.Http.HttpResponse)</Target>
+    <Left>lib/netstandard2.0/Microsoft.Identity.Web.TokenAcquisition.dll</Left>
+    <Right>lib/net8.0/Microsoft.Identity.Web.TokenAcquisition.dll</Right>
+  </Suppression>
+  <Suppression>
+    <DiagnosticId>CP0007</DiagnosticId>
+    <Target>T:Microsoft.Identity.Web.MicrosoftIdentityOptions</Target>
+    <Left>lib/netstandard2.0/Microsoft.Identity.Web.TokenAcquisition.dll</Left>
+    <Right>lib/net8.0/Microsoft.Identity.Web.TokenAcquisition.dll</Right>
+  </Suppression>
 </Suppressions>
\ No newline at end of file
diff --git a/tests/E2E Tests/Sidecar.Tests/MockedEndToEndTests.cs b/tests/E2E Tests/Sidecar.Tests/MockedEndToEndTests.cs
index 80dc086e8..b7de9e91c 100644
--- a/tests/E2E Tests/Sidecar.Tests/MockedEndToEndTests.cs	
+++ b/tests/E2E Tests/Sidecar.Tests/MockedEndToEndTests.cs	
@@ -62,7 +62,7 @@ public async Task MockedAuthorizationFlow_WithValidConfiguration_ReturnsAuthoriz
         }
 
         Assert.Equal(HttpStatusCode.OK, response.StatusCode);
-        var result = JsonSerializer.Deserialize<AuthorizationHeaderResult>(content, new JsonSerializerOptions { PropertyNameCaseInsensitive = true });
+        var result = JsonSerializer.Deserialize<Microsoft.Identity.Web.Sidecar.Models.AuthorizationHeaderResult>(content, new JsonSerializerOptions { PropertyNameCaseInsensitive = true });
         Assert.NotNull(result);
         Assert.Equal(expectedAuthHeader, result.AuthorizationHeader);
     }
diff --git a/tests/E2E Tests/Sidecar.Tests/SidecarEndpointsE2ETests.cs b/tests/E2E Tests/Sidecar.Tests/SidecarEndpointsE2ETests.cs
index d06e93c86..a89b5b1e9 100644
--- a/tests/E2E Tests/Sidecar.Tests/SidecarEndpointsE2ETests.cs	
+++ b/tests/E2E Tests/Sidecar.Tests/SidecarEndpointsE2ETests.cs	
@@ -133,7 +133,7 @@ public async Task GetAuthorizationHeaderForAgentUserIdentityUnauthenticated_With
 
         Assert.True(result.IsSuccessStatusCode);
 
-        var response = await result.Content.ReadFromJsonAsync<AuthorizationHeaderResult>();
+        var response = await result.Content.ReadFromJsonAsync<Microsoft.Identity.Web.Sidecar.Models.AuthorizationHeaderResult>();
 
         Assert.NotNull(response?.AuthorizationHeader);
         Assert.StartsWith("Bearer ey", response.AuthorizationHeader, StringComparison.Ordinal);