[BUG] DefaultAzureCredential throws exception when ManagedIdentityCredential failed #45808

Closed
Yao725 opened this issue Sep 5, 2024 · 10 comments
Labels
Azure.Identity Client This issue points to a problem in the data-plane of the library. needs-author-feedback Workflow: More information is needed from author to address the issue. no-recent-activity There has been no recent activity on this issue.

Yao725 (Member) commented Sep 5, 2024

Library name and version

Azure.Identity 1.13.0-beta.1

Describe the bug

When upgrading the package from 1.12.0 to 1.13.0-beta.1, if DefaultAzureCredential is used and the ManagedIdentityCredential fails, the exception is thrown directly instead of trying the next credential type.

Expected behavior

This exception can be handled gracefully and the auth should eventually succeed, just as with Azure.Identity 1.12.0.

Actual behavior

The exception below is thrown.

System.AggregateException: One or more errors occurred. ---> Azure.Identity.AuthenticationFailedException: ManagedIdentityCredential authentication failed: [Managed Identity] Authentication unavailable. Either the requested identity has not been assigned to this resource, or other errors could be present. Ensure the identity is correctly assigned and check the inner exception for more details. For more information, visit https://aka.ms/msal-managed-identity.
Status: BadRequest
Content:
{"error":"invalid_request","error_description":"Identity not found"}

Headers:
Date: Thu, 05 Sep 2024 04:25:15 GMT
Server: IMDS/150.870.65.1391

[Managed Identity] Error Code: invalid_request Error Description: Identity not found 
See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot ---> Microsoft.Identity.Client.MsalServiceException: [Managed Identity] Authentication unavailable. Either the requested identity has not been assigned to this resource, or other errors could be present. Ensure the identity is correctly assigned and check the inner exception for more details. For more information, visit https://aka.ms/msal-managed-identity.
Status: BadRequest
Content:
{"error":"invalid_request","error_description":"Identity not found"}

Headers:
Date: Thu, 05 Sep 2024 04:25:15 GMT
Server: IMDS/150.870.65.1391

[Managed Identity] Error Code: invalid_request Error Description: Identity not found

Reproduction Steps

Use Azure.Identity 1.13.0-beta.1 and DefaultAzureCredential
Sample code:

using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

var credential = new DefaultAzureCredential();
var secretClient = new SecretClient(new Uri(keyVaultUri), credential); // keyVaultUri: the Key Vault URL

Environment

OS Name: Windows
OS Version: 10.0.22631
OS Platform: Windows

@Yao725 Yao725 changed the title [BUG] DefaultAzureCredential throw exception when ManagedIdentityCredential failed [BUG] DefaultAzureCredential throws exception when ManagedIdentityCredential failed Sep 5, 2024

github-actions bot commented Sep 5, 2024

Thank you for your feedback. Tagging and routing to the team member best able to assist.

@github-actions github-actions bot added Azure.Identity Client This issue points to a problem in the data-plane of the library. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team labels Sep 5, 2024
christothes (Member) commented

Hi @Yao725 -
In which environment are you running the above code: on your local dev machine or deployed to a resource? If deployed, what type of resource is it (VM, App Service, etc.)?

Would you mind providing the logging output (with any secrets redacted) after reproducing this with logging enabled?

@christothes christothes added the needs-author-feedback Workflow: More information is needed from author to address the issue. label Sep 9, 2024

github-actions bot commented Sep 9, 2024

Hi @Yao725. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

@github-actions github-actions bot removed the needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team label Sep 9, 2024

Hi @Yao725, we're sending this friendly reminder because we haven't heard back from you in 7 days. We need more information about this issue to help address it. Please be sure to give us your input. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!

@github-actions github-actions bot added the no-recent-activity There has been no recent activity on this issue. label Sep 16, 2024
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Oct 1, 2024
@github-project-automation github-project-automation bot moved this from Untriaged to Done in Azure Identity SDK Improvements Oct 1, 2024
Jonny-Freemarket commented

Hi, we're also seeing this issue when code is running in a GitHub Actions pipeline running integration tests that rely on a WebApplicationFactory instance.

We're seeing it with version 1.13.0 of Azure.Identity.


seesharprun commented Oct 22, 2024

I'm also seeing this issue in a GitHub Codespace. It will stop trying further credentials after ManagedIdentity, even if I'm logged in to Azure CLI or Azure Developer CLI. This is definitely a regression in previous working behavior.

If I wasn't logged in, I would expect an error from DefaultAzureCredential that it exhausted all options and can't find an identity (I've seen this error before). But, in the GitHub Codespaces environment using the .NET 9 devcontainer base image, it short circuits and errors out at ManagedIdentityCredential and never tries any downstream options in the token chain.

Repro steps:

  1. Open this repo in a GitHub Codespace (https://github.com/Azure-Samples/cosmos-db-nosql-dotnet-quickstart)
  2. Use Azure Developer CLI to deploy Azure resources and a user-assigned managed identity (azd auth login, azd init, azd up)
  3. After deploying to Azure (which works as expected), try to debug the local web application (cd src/web && dotnet run)
  4. The application will throw a MsalServiceException: [Managed Identity] Authentication unavailable. exception. It won't try Azure Developer CLI credentials

Alternatives:

  • I tried logging in to Azure CLI. It never tries Azure CLI or Azure Developer CLI

Temporary workarounds:

  • Downgrading Azure.Identity to 1.12.1 works with DefaultAzureCredential
  • Manually using AzureCliCredential or AzureDeveloperCliCredential works if Azure.Identity is set to 1.13+
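
The second workaround above, written out as an added example (not code from this thread or from the Azure SDK): the credential is chosen explicitly, so a local or Codespaces run never probes managed identity and a deployed run uses exactly one identity. The `CredentialFactory` name, the `ASPNETCORE_ENVIRONMENT` switch, the use of `AZURE_CLIENT_ID` to select the identity, and the Key Vault scope are assumptions of this example.

```csharp
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

public static class CredentialFactory
{
    // Assumption: ASPNETCORE_ENVIRONMENT=Development marks a local or Codespaces run.
    public static TokenCredential Create()
    {
        var env = Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT") ?? "Production";
        if (string.Equals(env, "Development", StringComparison.OrdinalIgnoreCase))
        {
            // Developer credentials only: azd first, then az. Managed identity is not in this chain.
            return new ChainedTokenCredential(
                new AzureDeveloperCliCredential(),
                new AzureCliCredential());
        }

        // Deployed: one fixed identity, no fallback to anything else.
        // Assumption: AZURE_CLIENT_ID holds the user-assigned identity's client ID;
        // when it is unset (null), the system-assigned identity is requested.
        var clientId = Environment.GetEnvironmentVariable("AZURE_CLIENT_ID");
        return new ManagedIdentityCredential(clientId);
    }
}

public static class Program
{
    public static async Task Main()
    {
        TokenCredential credential = CredentialFactory.Create();
        // Sample scope (Key Vault); replace with the scope of the service being called.
        var context = new TokenRequestContext(new[] { "https://vault.azure.net/.default" });
        try
        {
            AccessToken token = await credential.GetTokenAsync(context, default);
            Console.WriteLine($"Token acquired, expires {token.ExpiresOn:u}");
        }
        catch (AuthenticationFailedException ex)
        {
            // CredentialUnavailableException derives from AuthenticationFailedException,
            // so this handler sees both; print the concrete type to tell them apart.
            Console.Error.WriteLine($"{ex.GetType().Name}: {ex.Message}");
            Environment.ExitCode = 1;
        }
    }
}
```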

christothes (Member) commented

Hi @seesharprun - would you be willing to validate that this version dev build from our public dev NuGet feed of Azure.Identity resolves the {"error":"invalid_request","error_description":"Identity not found"} issue?

dev build package link


seesharprun commented Oct 22, 2024

> [...] (https://github.com/seesharprun) - would you be willing to validate that this version dev build from our public dev NuGet feed of Azure.Identity resolves the {"error":"invalid_request","error_description":"Identity not found"} issue?
>
> dev build package link

@christothes, here's what I just tried:

  • First, I used <PackageReference Include="Azure.Identity" Version="1.*" /> in my .csproj which would have pulled in the published 1.13 version. This failed.

  • Then, I used <PackageReference Include="Azure.Identity" Version="1.12.*" /> in my .csproj. This used 1.12 which worked.

  • Finally, I added this NuGet config to my project and pulled in the package using the command line. I was able to download the package, but I got the same MsalServiceException: [Managed Identity] Authentication unavailable. exception.

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <packageSources>
        <add key="azure-sdk-for-net" value="https://pkgs.dev.azure.com/azure-sdk/public/_packaging/azure-sdk-for-net/nuget/v3/index.json" />
      </packageSources>
    </configuration>

    dotnet add package Azure.Identity --version 1.14.0-alpha.20241022.1

    [...]
    <ItemGroup>
      <PackageReference Include="Azure.Identity" Version="1.14.0-alpha.20241022.1" />
      [...]

I'll try again tomorrow.

christothes (Member) commented

I believe this is now fixed with #46787

seesharprun commented

I just tested everything again. Here are my results:

| *.csproj reference | Worked |
| --- | --- |
| <PackageReference Include="Azure.Identity" Version="1.12.*" /> | |
| <PackageReference Include="Azure.Identity" Version="1.13.*" /> | ❌ Failed with Azure.Identity.AuthenticationFailedException: ManagedIdentityCredential authentication failed |
| <PackageReference Include="Azure.Identity" Version="1.14.0-alpha.20241023.3" /> | |

Thanks @christothes for the assist! I'll wait for 1.14 to move into beta (--prerelease).
