[BUG]Azure.Identity 1.13 Breaks DefaultAzureCredential On DevBox #46679

Closed
keggster101020 opened this issue Oct 16, 2024 · 24 comments · Fixed by #46787
Labels
Azure.Identity Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-author-feedback Workflow: More information is needed from author to address the issue. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that

Comments

@keggster101020

keggster101020 commented Oct 16, 2024

Library name and version

Azure.Identity 1.13

Describe the bug

My code is using DefaultAzureCredential(true) to authenticate to remote Azure resources. After upgrading Azure.Identity to 1.13, a handful of users are noting that they are getting the following error when running inside of Microsoft DevBox:

'ManagedIdentityCredential authentication failed: [Managed Identity] Authentication unavailable. Either the requested identity has not been assigned to this resource, or other errors could be present

There are no assigned identities to these DevBoxes (we are using the devbox.microsoft.com instances, not self-hosted). Downgrading to 1.12 seems to have resolved this issue, but putting this bug here as it seems like the detection logic around DefaultAzureCredential may be incorrect in 1.13.

I was under the impression that DefaultAzureCredential was a chained credential and that any failures in the chain would only be thrown back to the user if none of the credentials in the chain succeeded. However, the interactive popup never showed up; also, some users have the VSCredential, and the MI credential error happens seemingly as soon as it fails.

Expected behavior

Using DefaultAzureCredential(true) inside a DevBox VM with no managed identity would attempt other credentials in the chain before throwing an exception back to the user.

Actual behavior

DefaultAzureCredential(true) throws an exception on DevBoxes if there is no MSI attached to the devbox and doesn't attempt any further credential operations.

Reproduction Steps

  1. Create a DevBox at (https://devbox.microsoft.com/)
  2. Create a C# project with Azure.Identity 1.13
  3. Make a call to new DefaultAzureCredential(true).GetTokenAsync(<some token request context>)
  4. Observe the ManagedIdentity exception

Environment

Microsoft Devbox (https://devbox.microsoft.com/)

@github-actions github-actions bot added Azure.Identity Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Oct 16, 2024

Thank you for your feedback. Tagging and routing to the team member best able to assist.

@keggster101020
Author

This is possibly related to #46653

@rdvanbuuren-gasunie

rdvanbuuren-gasunie commented Oct 17, 2024

We're also running into this error running on our DevBox. We're using the Azure.Identity in combination with the Microsoft.Configuration.ConfigurationBuilders.AzureKeyVaultConfigBuilder class. Using version Azure.Identity 1.12 there were no problems. Upgrading to 1.13 gives the following error:

Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.

Parser Error Message: The configBuilder 'AzureKeyVault' failed while processing the configuration section 'appSettings'.: 'AzureKeyVault' GetValue() Error: ManagedIdentityCredential authentication failed: [Managed Identity] Authentication unavailable. Either the requested identity has not been assigned to this resource, or other errors could be present. Ensure the identity is correctly assigned and check the inner exception for more details. For more information, visit https://aka.ms/msal-managed-identity.
Status: BadRequest
Content:
{"error":"invalid_request","error_description":"Identity not found"}

Headers:
x-ms-request-id: 6b9bc649-6a39-4e2d-9e72-a6b8b23abc6d
Date: Thu, 17 Oct 2024 07:21:26 GMT
Server: IMDS/150.870.65.1475

[Managed Identity] Error Code: invalid_request Error Description: Identity not found
See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot

And its complete StackTrace:

[MsalServiceException: [Managed Identity] Authentication unavailable. Either the requested identity has not been assigned to this resource, or other errors could be present. Ensure the identity is correctly assigned and check the inner exception for more details. For more information, visit https://aka.ms/msal-managed-identity.
Status: BadRequest
Content:
{"error":"invalid_request","error_description":"Identity not found"}

Headers:
x-ms-request-id: 6b9bc649-6a39-4e2d-9e72-a6b8b23abc6d
Date: Thu, 17 Oct 2024 07:21:26 GMT
Server: IMDS/150.870.65.1475

[Managed Identity] Error Code: invalid_request Error Description: Identity not found ]
   Microsoft.Identity.Client.ManagedIdentity.<HandleResponseAsync>d__9.MoveNext() +593
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
   Microsoft.Identity.Client.ManagedIdentity.<AuthenticateAsync>d__5.MoveNext() +1751
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
   Microsoft.Identity.Client.Internal.Requests.<SendTokenRequestForManagedIdentityAsync>d__5.MoveNext() +704
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
   Microsoft.Identity.Client.Internal.Requests.<GetAccessTokenAsync>d__4.MoveNext() +1709
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
   Microsoft.Identity.Client.Internal.Requests.<ExecuteAsync>d__3.MoveNext() +2161
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
   Microsoft.Identity.Client.Internal.Requests.<<RunAsync>b__1>d.MoveNext() +358
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
   Microsoft.Identity.Client.Utils.<MeasureCodeBlockAsync>d__4.MoveNext() +400
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
   Microsoft.Identity.Client.Internal.Requests.<RunAsync>d__11.MoveNext() +1085
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
   Microsoft.Identity.Client.ApiConfig.Executors.<ExecuteAsync>d__2.MoveNext() +725
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
   Azure.Identity.<AcquireTokenForManagedIdentityAsyncCore>d__26.MoveNext() +1012
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
   Azure.Identity.<AcquireTokenForManagedIdentityAsync>d__24.MoveNext() +678
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
   Azure.Identity.<AuthenticateAsync>d__18.MoveNext() +1861
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
   Azure.Identity.<AuthenticateCoreAsync>d__17.MoveNext() +944
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
   Azure.Identity.<AuthenticateAsync>d__16.MoveNext() +1676
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
   Azure.Identity.<GetTokenImplAsync>d__18.MoveNext() +1079

[AuthenticationFailedException: ManagedIdentityCredential authentication failed: [Managed Identity] Authentication unavailable. Either the requested identity has not been assigned to this resource, or other errors could be present. Ensure the identity is correctly assigned and check the inner exception for more details. For more information, visit https://aka.ms/msal-managed-identity.
Status: BadRequest
Content:
{"error":"invalid_request","error_description":"Identity not found"}

Headers:
x-ms-request-id: 6b9bc649-6a39-4e2d-9e72-a6b8b23abc6d
Date: Thu, 17 Oct 2024 07:21:26 GMT
Server: IMDS/150.870.65.1475

[Managed Identity] Error Code: invalid_request Error Description: Identity not found 
See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot]
   Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable) +83
   Azure.Identity.<GetTokenImplAsync>d__18.MoveNext() +2121
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
   Azure.Identity.ManagedIdentityCredential.GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken) +259
   Azure.Identity.<GetTokenFromSourcesAsync>d__14.MoveNext() +1450
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
   Azure.Identity.<GetTokenImplAsync>d__12.MoveNext() +3236
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
   Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable) +72
   Azure.Identity.<GetTokenImplAsync>d__12.MoveNext() +4169
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
   Azure.Identity.DefaultAzureCredential.GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken) +259
   Azure.Core.Pipeline.<SetResultOnTcsFromCredentialAsync>d__9.MoveNext() +1201
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
   Azure.Core.Pipeline.<GetAuthHeaderValueAsync>d__6.MoveNext() +2569
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
   Azure.Core.Pipeline.<GetCurrentHeaderValue>d__19.MoveNext() +905
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
   Azure.Core.Pipeline.<GetAuthHeaderValueAsync>d__6.MoveNext() +3674
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
   Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AuthenticateAndAuthorizeRequest(HttpMessage message, TokenRequestContext context) +206
   Azure.Security.KeyVault.<AuthorizeRequestOnChallengeAsyncInternal>d__11.MoveNext() +2167
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
   Azure.Security.KeyVault.ChallengeBasedAuthenticationPolicy.AuthorizeRequestOnChallenge(HttpMessage message) +155
   Azure.Security.KeyVault.<ProcessAsyncInternal>d__14.MoveNext() +2274
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
   Azure.Security.KeyVault.ChallengeBasedAuthenticationPolicy.Process(HttpMessage message, ReadOnlyMemory`1 pipeline) +169
   Azure.Core.Pipeline.HttpPipelinePolicy.ProcessNext(HttpMessage message, ReadOnlyMemory`1 pipeline) +391
   Azure.Core.Pipeline.<ProcessAsync>d__7.MoveNext() +603
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
   Azure.Core.Pipeline.RedirectPolicy.Process(HttpMessage message, ReadOnlyMemory`1 pipeline) +169
   Azure.Core.Pipeline.HttpPipelinePolicy.ProcessNext(HttpMessage message, ReadOnlyMemory`1 pipeline) +391
   Azure.Core.Pipeline.<ProcessAsync>d__5.MoveNext() +1364
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
   Azure.Core.Pipeline.<ProcessAsync>d__5.MoveNext() +4246
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
   Azure.Core.Pipeline.RetryPolicy.Process(HttpMessage message, ReadOnlyMemory`1 pipeline) +169
   Azure.Core.Pipeline.HttpPipelinePolicy.ProcessNext(HttpMessage message, ReadOnlyMemory`1 pipeline) +391
   Azure.Core.Pipeline.HttpPipelineSynchronousPolicy.Process(HttpMessage message, ReadOnlyMemory`1 pipeline) +43
   Azure.Core.Pipeline.HttpPipelinePolicy.ProcessNext(HttpMessage message, ReadOnlyMemory`1 pipeline) +391
   Azure.Core.Pipeline.HttpPipelineSynchronousPolicy.Process(HttpMessage message, ReadOnlyMemory`1 pipeline) +43
   Azure.Core.Pipeline.HttpPipelinePolicy.ProcessNext(HttpMessage message, ReadOnlyMemory`1 pipeline) +391
   Azure.Core.Pipeline.HttpPipelineSynchronousPolicy.Process(HttpMessage message, ReadOnlyMemory`1 pipeline) +43
   Azure.Core.Pipeline.HttpPipeline.Send(HttpMessage message, CancellationToken cancellationToken) +668
   Azure.Core.Pipeline.HttpPipeline.SendRequest(Request request, CancellationToken cancellationToken) +64
   Azure.Security.KeyVault.KeyVaultPipeline.SendRequest(Request request, CancellationToken cancellationToken) +17
   Azure.Security.KeyVault.KeyVaultPipeline.GetPage(Uri firstPageUri, String nextLink, Func`1 itemFactory, String operationName, CancellationToken cancellationToken) +528
   Azure.Security.KeyVault.Secrets.<>c__DisplayClass15_0.<GetPropertiesOfSecrets>b__0(String nextLink) +206
   Azure.Core.<AsPages>d__2.MoveNext() +63
   Azure.<GetEnumerator>d__8.MoveNext() +213
   Microsoft.Configuration.ConfigurationBuilders.AzureKeyVaultConfigBuilder.GetAllKeys() +160
   System.Lazy`1.CreateValue() +732
   System.Lazy`1.LazyInitValue() +189
   Microsoft.Configuration.ConfigurationBuilders.AzureKeyVaultConfigBuilder.GetValue(String key) +147
   Microsoft.Configuration.ConfigurationBuilders.KeyValueConfigBuilder.GetValueInternal(String key) +287

[KeyValueConfigBuilderException: 'AzureKeyVault' GetValue() Error: ManagedIdentityCredential authentication failed: [Managed Identity] Authentication unavailable. Either the requested identity has not been assigned to this resource, or other errors could be present. Ensure the identity is correctly assigned and check the inner exception for more details. For more information, visit https://aka.ms/msal-managed-identity.
Status: BadRequest
Content:
{"error":"invalid_request","error_description":"Identity not found"}

Headers:
x-ms-request-id: 6b9bc649-6a39-4e2d-9e72-a6b8b23abc6d
Date: Thu, 17 Oct 2024 07:21:26 GMT
Server: IMDS/150.870.65.1475

[Managed Identity] Error Code: invalid_request Error Description: Identity not found 
See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot]
   Microsoft.Configuration.ConfigurationBuilders.KeyValueConfigBuilder.GetValueInternal(String key) +510
   Microsoft.Configuration.ConfigurationBuilders.KeyValueConfigBuilder.ProcessConfigurationSection(ConfigurationSection configSection) +383
   System.Configuration.ConfigurationBuilderChain.ProcessConfigurationSection(ConfigurationSection configSection) +134

@christothes
Member

Thanks for reporting - I am investigating.

@christothes
Member

Hi @keggster101020
I am unable to reproduce this. Could you try creating the credential the following way to see if you still do not get prompted for interactive credentials?

Also, could you enable logging and share that with me for the failure scenario? For console output, you would just need to add the following line to your program.

using AzureEventSourceListener listener = AzureEventSourceListener.CreateTraceLogger();

If you need to log the output somewhere other than the console, this is described in these docs.

    using Azure.Identity;

    // Troubleshooting configuration: only WorkloadIdentityCredential,
    // ManagedIdentityCredential and InteractiveBrowserCredential stay in the chain.
    var options = new DefaultAzureCredentialOptions
    {
        ExcludeEnvironmentCredential = true,
        ExcludeWorkloadIdentityCredential = false,
        ExcludeManagedIdentityCredential = false,
        ExcludeAzureDeveloperCliCredential = true,
        ExcludeSharedTokenCacheCredential = true,
        ExcludeVisualStudioCredential = true,
        ExcludeVisualStudioCodeCredential = true,
        ExcludeAzureCliCredential = true,
        ExcludeAzurePowerShellCredential = true,
        ExcludeInteractiveBrowserCredential = false
    };
    var cred = new DefaultAzureCredential(options);

@rasitha1

rasitha1 commented Oct 17, 2024

Same issue is happening from Azure DevOps pipelines while connecting to an Azure SQL Database within an AzureCli@2 task.

Pipeline is executing EF Core SQL migrations executable against Azure SQL connecting as the pipeline identity (federated ARM service connection). Upgrading to 1.13.0 breaks with a very similar error. {"error":"invalid_request","error_description":"Identity not found"}

Downgrading back to 1.12 resolves the issue.

Not sure which token source is being picked up in 1.12 but sounds like it should use WorkloadIdentityCredential before ManagedIdentityCredential?

2024-10-17T14:01:54.5569573Z Status: BadRequest
2024-10-17T14:01:54.5569889Z Content:
2024-10-17T14:01:54.5570233Z {"error":"invalid_request","error_description":"Identity not found"}
2024-10-17T14:01:54.5570484Z 
2024-10-17T14:01:54.5570793Z Headers:
2024-10-17T14:01:54.5571125Z Server: IMDS/150.870.65.1475
2024-10-17T14:01:54.5572761Z x-ms-request-id: 0778ae6f-ee8f-480c-bf61-f6b9baace128
2024-10-17T14:01:54.5573303Z Date: Thu, 17 Oct 2024 14:01:52 GMT
2024-10-17T14:01:54.5573518Z 
2024-10-17T14:01:54.5573849Z [Managed Identity] Error Code: invalid_request Error Description: Identity not found 
2024-10-17T14:01:54.5574524Z    at Microsoft.Identity.Client.ManagedIdentity.ImdsManagedIdentitySource.HandleResponseAsync(AcquireTokenForManagedIdentityParameters parameters, HttpResponse response, CancellationToken cancellationToken)
2024-10-17T14:01:54.5575130Z    at Microsoft.Identity.Client.ManagedIdentity.AbstractManagedIdentity.AuthenticateAsync(AcquireTokenForManagedIdentityParameters parameters, CancellationToken cancellationToken)
2024-10-17T14:01:54.5575688Z    at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.SendTokenRequestForManagedIdentityAsync(ILoggerAdapter logger, CancellationToken cancellationToken)
2024-10-17T14:01:54.5576253Z    at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.GetAccessTokenAsync(CancellationToken cancellationToken, ILoggerAdapter logger)
2024-10-17T14:01:54.5576752Z    at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.ExecuteAsync(CancellationToken cancellationToken)
2024-10-17T14:01:54.5577398Z    at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.MoveNext()
2024-10-17T14:01:54.5578181Z --- End of stack trace from previous location ---
2024-10-17T14:01:54.5578616Z    at Microsoft.Identity.Client.Utils.StopwatchService.MeasureCodeBlockAsync(Func`1 codeBlock)
2024-10-17T14:01:54.5579228Z    at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
2024-10-17T14:01:54.5579838Z    at Microsoft.Identity.Client.ApiConfig.Executors.ManagedIdentityExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenForManagedIdentityParameters managedIdentityParameters, CancellationToken cancellationToken)
2024-10-17T14:01:54.5583764Z    at Azure.Identity.MsalManagedIdentityClient.AcquireTokenForManagedIdentityAsyncCore(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
2024-10-17T14:01:54.5585033Z    at Azure.Identity.MsalManagedIdentityClient.AcquireTokenForManagedIdentityAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
2024-10-17T14:01:54.5585841Z    at Azure.Identity.ImdsManagedIdentityProbeSource.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
2024-10-17T14:01:54.5587148Z    at Azure.Identity.ManagedIdentityClient.AuthenticateCoreAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
2024-10-17T14:01:54.5587757Z    at Azure.Identity.ManagedIdentityClient.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
2024-10-17T14:01:54.5588623Z    at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
2024-10-17T14:01:54.5589250Z 	StatusCode: 0 
2024-10-17T14:01:54.5589606Z 	ResponseBody:  
2024-10-17T14:01:54.5589931Z 	Headers: 
2024-10-17T14:01:54.5590858Z    --- End of inner exception stack trace ---
2024-10-17T14:01:54.5591497Z    at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable)
2024-10-17T14:01:54.5592044Z    at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
2024-10-17T14:01:54.5592606Z    at Azure.Identity.ManagedIdentityCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
2024-10-17T14:01:54.5593429Z    at Azure.Identity.DefaultAzureCredential.GetTokenFromSourcesAsync(TokenCredential[] sources, TokenRequestContext requestContext, Boolean async, CancellationToken cancellationToken)
2024-10-17T14:01:54.5595453Z    at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
2024-10-17T14:01:54.5596006Z    at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable)
2024-10-17T14:01:54.5601350Z    at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
2024-10-17T14:01:54.5603146Z    at Azure.Identity.DefaultAzureCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
2024-10-17T14:01:54.5604000Z    at Microsoft.Data.SqlClient.ActiveDirectoryAuthenticationProvider.GetTokenAsync(TokenCredentialKey tokenCredentialKey, String secret, TokenRequestContext tokenRequestContext, CancellationToken cancellationToken)
2024-10-17T14:01:54.5604610Z    at Microsoft.Data.SqlClient.ActiveDirectoryAuthenticationProvider.AcquireTokenAsync(SqlAuthenticationParameters parameters)
2024-10-17T14:01:54.5605321Z    at Microsoft.Data.SqlClient.SqlInternalConnectionTds.<>c__DisplayClass148_1.<<GetFedAuthToken>b__1>d.MoveNext()
2024-10-17T14:01:54.5606264Z --- End of stack trace from previous location ---
2024-10-17T14:01:54.5606886Z    at Microsoft.Data.SqlClient.SqlInternalConnectionTds.GetFedAuthToken(SqlFedAuthInfo fedAuthInfo)
2024-10-17T14:01:54.5607569Z    at Microsoft.Data.SqlClient.SqlInternalConnectionTds.GetFedAuthToken(SqlFedAuthInfo fedAuthInfo)
2024-10-17T14:01:54.5608044Z    at Microsoft.Data.SqlClient.SqlInternalConnectionTds.OnFedAuthInfo(SqlFedAuthInfo fedAuthInfo)
2024-10-17T14:01:54.5609251Z    at Microsoft.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)
2024-10-17T14:01:54.5610134Z    at Microsoft.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
2024-10-17T14:01:54.5611372Z    at Microsoft.Data.SqlClient.SqlInternalConnectionTds.CompleteLogin(Boolean enlistOK)
2024-10-17T14:01:54.5612107Z    at Microsoft.Data.SqlClient.SqlInternalConnectionTds.AttemptOneLogin(ServerInfo serverInfo, String newPassword, SecureString newSecurePassword, TimeoutTimer timeout, Boolean withFailover)
2024-10-17T14:01:54.5613420Z    at Microsoft.Data.SqlClient.SqlInternalConnectionTds.LoginNoFailover(ServerInfo serverInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance, SqlConnectionString connectionOptions, SqlCredential credential, TimeoutTimer timeout)
2024-10-17T14:01:54.5614565Z    at Microsoft.Data.SqlClient.SqlInternalConnectionTds.OpenLoginEnlist(TimeoutTimer timeout, SqlConnectionString connectionOptions, SqlCredential credential, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance)
2024-10-17T14:01:54.5615832Z    at Microsoft.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, SqlCredential credential, Object providerInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance, SqlConnectionString userConnectionOptions, SessionData reconnectSessionData, Boolean applyTransientFaultHandling, String accessToken, DbConnectionPool pool, Func`3 accessTokenCallback)
2024-10-17T14:01:54.5617153Z    at Microsoft.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, DbConnectionPoolKey poolKey, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection, DbConnectionOptions userOptions)
2024-10-17T14:01:54.5617819Z    at Microsoft.Data.ProviderBase.DbConnectionFactory.CreatePooledConnection(DbConnectionPool pool, DbConnection owningObject, DbConnectionOptions options, DbConnectionPoolKey poolKey, DbConnectionOptions userOptions)
2024-10-17T14:01:54.5618544Z    at Microsoft.Data.ProviderBase.DbConnectionPool.CreateObject(DbConnection owningObject, DbConnectionOptions userOptions, DbConnectionInternal oldConnection)
2024-10-17T14:01:54.5619089Z    at Microsoft.Data.ProviderBase.DbConnectionPool.UserCreateRequest(DbConnection owningObject, DbConnectionOptions userOptions, DbConnectionInternal oldConnection)
2024-10-17T14:01:54.5619904Z    at Microsoft.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, UInt32 waitForMultipleObjectsTimeout, Boolean allowCreate, Boolean onlyOneCheckConnection, DbConnectionOptions userOptions, DbConnectionInternal& connection)
2024-10-17T14:01:54.5620581Z    at Microsoft.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal& connection)
2024-10-17T14:01:54.5621265Z    at Microsoft.Data.ProviderBase.DbConnectionFactory.TryGetConnection(DbConnection owningConnection, TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal oldConnection, DbConnectionInternal& connection)
2024-10-17T14:01:54.5621967Z    at Microsoft.Data.ProviderBase.DbConnectionInternal.TryOpenConnectionInternal(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource`1 retry, DbConnectionOptions userOptions)
2024-10-17T14:01:54.5622649Z    at Microsoft.Data.ProviderBase.DbConnectionClosed.TryOpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource`1 retry, DbConnectionOptions userOptions)
2024-10-17T14:01:54.5623221Z    at Microsoft.Data.SqlClient.SqlConnection.TryOpen(TaskCompletionSource`1 retry, SqlConnectionOverrides overrides)
2024-10-17T14:01:54.5623663Z    at Microsoft.Data.SqlClient.SqlConnection.Open(SqlConnectionOverrides overrides)
2024-10-17T14:01:54.5624077Z    at Microsoft.Data.SqlClient.SqlConnection.Open()

@keggster101020
Author

@christothes I can look to grab a more official repro when I get some time (I tore down the devbox as part of the testing). However, part of my scenario was also accessing Key Vault using configuration builder extensions, and the error @rdvanbuuren-gasunie posted above should be reflective of the error that I saw as well.

Also, I did test the DefaultAzureCredential scenario disabling all providers except VS and interactive, and I can confirm that that did resolve my issue. However, I still see this as a regression since prior to 1.13.0 the logic was as I described above: failures wouldn't break the entire chain; they would only be thrown back if nothing in the chain resolved.
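
The chain behaviour under discussion, as an added example (not code from this issue or from the Azure SDK): a chain skips a credential that throws CredentialUnavailableException and treats any other AuthenticationFailedException as a real failure. The stub credentials, the wrapper `UnavailableOnFailure` and the sample error text are hypothetical names and values constructed here; `ChainedTokenCredential` with stubs is used instead of `DefaultAzureCredential` so the example runs offline with only the Azure.Identity package.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

// Hypothetical stand-in for a credential that cannot authenticate. The type of
// exception it throws is what decides whether a chain keeps going.
sealed class ThrowingCredential : TokenCredential
{
    private readonly Func<Exception> _error;
    public ThrowingCredential(Func<Exception> error) => _error = error;

    public override AccessToken GetToken(TokenRequestContext ctx, CancellationToken ct)
        => throw _error();
    public override ValueTask<AccessToken> GetTokenAsync(TokenRequestContext ctx, CancellationToken ct)
        => throw _error();
}

// Hypothetical stand-in for a later credential in the chain that works.
sealed class StaticCredential : TokenCredential
{
    public override AccessToken GetToken(TokenRequestContext ctx, CancellationToken ct)
        => new AccessToken("constructed-token", DateTimeOffset.UtcNow.AddMinutes(5));
    public override ValueTask<AccessToken> GetTokenAsync(TokenRequestContext ctx, CancellationToken ct)
        => new ValueTask<AccessToken>(GetToken(ctx, ct));
}

// Hypothetical wrapper: re-labels a hard failure of the inner credential as
// "unavailable" so that a chain moves on to the next credential.
sealed class UnavailableOnFailure : TokenCredential
{
    private readonly TokenCredential _inner;
    public UnavailableOnFailure(TokenCredential inner) => _inner = inner;

    public override AccessToken GetToken(TokenRequestContext ctx, CancellationToken ct)
    {
        try { return _inner.GetToken(ctx, ct); }
        catch (AuthenticationFailedException ex) when (!(ex is CredentialUnavailableException))
        { throw new CredentialUnavailableException(ex.Message, ex); }
    }

    public override async ValueTask<AccessToken> GetTokenAsync(TokenRequestContext ctx, CancellationToken ct)
    {
        try { return await _inner.GetTokenAsync(ctx, ct).ConfigureAwait(false); }
        catch (AuthenticationFailedException ex) when (!(ex is CredentialUnavailableException))
        { throw new CredentialUnavailableException(ex.Message, ex); }
    }
}

static class Program
{
    // Runs one chain and reports whether a later credential was reached.
    static string Try(string label, TokenCredential chain)
    {
        var ctx = new TokenRequestContext(new[] { "https://vault.azure.net/.default" });
        try
        {
            chain.GetToken(ctx, CancellationToken.None);
            return $"{label}: chain continued, token came from a later credential";
        }
        catch (AuthenticationFailedException ex)
        {
            return $"{label}: chain stopped with {ex.GetType().Name}";
        }
    }

    static void Main()
    {
        // Constructed message modelled on the IMDS response quoted in this thread.
        const string imdsError = "ManagedIdentityCredential authentication failed: Identity not found";
        var fallback = new StaticCredential();

        // Case 1: the first credential reports itself as unavailable.
        var unavailable = new ThrowingCredential(() => new CredentialUnavailableException(imdsError));
        Console.WriteLine(Try("unavailable", new ChainedTokenCredential(unavailable, fallback)));

        // Case 2: the same error surfaces as a plain AuthenticationFailedException.
        var failed = new ThrowingCredential(() => new AuthenticationFailedException(imdsError));
        Console.WriteLine(Try("failed", new ChainedTokenCredential(failed, fallback)));

        // Case 3: the failing credential is wrapped so the chain sees "unavailable".
        Console.WriteLine(Try("wrapped", new ChainedTokenCredential(new UnavailableOnFailure(failed), fallback)));
    }
}
```

Re-labelling every failure as "unavailable" also hides genuine authentication errors and lets the chain fall through to a different identity than intended, so a wrapper like this belongs on developer machines, not in production chains.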

@christothes
Member

christothes commented Oct 17, 2024

@keggster101020 I totally agree that a change of behavior would be a regression, I was only asking about the alternative config for troubleshooting purposes since I cannot reproduce this locally. When I fetch a token using new DefaultAzureCredential(true) it makes it past the ManagedIdentityCredential and selects the VisualStudioCredential. I presume it would continue on past that to the interactive credential if I wasn't running it from VS.

@christothes christothes added the needs-author-feedback Workflow: More information is needed from author to address the issue. label Oct 17, 2024
@github-actions github-actions bot removed the needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team label Oct 17, 2024

Hi @keggster101020. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

@christothes
Member

@keggster101020 or @rdvanbuuren-gasunie - could you share the relevant parts of your configuration for the credential that reproduces the error in that scenario?

@rdvanbuuren-gasunie

> @keggster101020 or @rdvanbuuren-gasunie - could you share the relevant parts of your configuration for the credential that reproduces the error in that scenario?

Yes, of course!

We're running a .NET 4.8 website using IISExpress on a DevBox, with the following configuration in the Web.config:

<configuration>
  <configSections>
    <section name="configBuilders" type="System.Configuration.ConfigurationBuildersSection, System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" restartOnExternalChanges="false" requirePermission="false" />
  </configSections>
  <configBuilders>
    <builders>
      <add name="AzureKeyVault" vaultName="${KEY_VAULT_NAME}" type="Microsoft.Configuration.ConfigurationBuilders.AzureKeyVaultConfigBuilder, Microsoft.Configuration.ConfigurationBuilders.Azure, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    </builders>
  </configBuilders>
  <appSettings configBuilders="AzureKeyVault">
    <!-- From KeyVault -->
    <add key="ClientSecret" value="" />
  </appSettings>
</configuration>

This should load the ClientSecret from the KeyVault secrets into the appSetting. If you need any more information, I'm happy to help!

@rasitha1

@christothes for the Azure DevOps Workload/Federated Identity issue (see my comment above), shall I open a new issue or keep it in this thread?

@christothes
Member

christothes commented Oct 18, 2024

> @christothes for the Azure DevOps Workload/Federated Identity issue (see my comment above), shall I open a new issue or keep it in this thread?

I believe that issue is fixed by #46711

@aherrick

seeing the same issue with 13 in devbox

@christothes
Member

> seeing the same issue with 13 in devbox

Hi @aherrick - Could you clarify which issue specifically?

@TobiasBreuer

We are seeing a similar issue currently within an Azure DevOps pipeline.
As part of the pipeline an integration test is running which connects to AzureAppConfiguration service.
To make sure we are authenticated to read the AzureAppConfiguration resource, we perform an az login ... first, using a service principal dedicated for these integration tests.

Within the TestFixture, the connection to AzureAppConfiguration is authenticated using new DefaultAzureCredential()
With Azure.Identity.1.12.0 this process is running fine.

After updating to 1.13.0 it is failing at

Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)

with

Azure.Identity.AuthenticationFailedException : ManagedIdentityCredential authentication failed: [Managed Identity] Authentication unavailable.

The issue is, we are not using ManagedIdentity Authentication anywhere in the devops pipeline, but instead rely on Azure CLI Credentials.

I assume that these mentioned breaking changes are somewhat related, but I really cannot find any EnvironmentVariable or other parameter in the pipeline that would match any of these...

1.13.0 (2024-10-14)
Breaking Changes
Previously, if a clientID or ResourceID was specified for Cloud Shell managed identity, which is not supported, the clientID or resourceID would be silently ignored. Now, an exception will be thrown if a clientID or resourceID is specified for Cloud Shell managed identity.
Previously, if a clientID or ResourceID was specified for Service Fabric managed identity, which is not supported, the clientID or resourceID would be silently ignored. Now, an exception will be thrown if a clientID or resourceID is specified for Service Fabric managed identity.

An alternative explanation would be that some other errors in the authentication flow of ManagedIdentityCredential that were silently caught in the previous version, eventually leading the factory to traverse further through the configured identity providers, now actually make the process fail early, not providing the factory with the chance to continue...

From my local dev-machine everything is running as expected, so there must be something on the MS Hosted agent in devops that now makes the library think it should use ManagedIdentity...

@TobiasBreuer

TobiasBreuer commented Oct 23, 2024

Ok, looks like, this is also being solved by #46711
as the case I described above also leads to {"error":"invalid_request","error_description":"Identity not found"}

Still I would be curious to understand what is making the lib in 1.13.0 assume that it has to try ManagedIdentity in the first place 🤔

@phelm1-landolakes

I can confirm this issue.

Create a simple console application

IdentityTest.csproj

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net8.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="Azure.Identity" Version="1.12.1" />
  </ItemGroup>

</Project>

Program.cs

Console.WriteLine((await new Azure.Identity.DefaultAzureCredential(false).GetTokenAsync(new Azure.Core.TokenRequestContext(["<Valid scope for your tenant>"], null))).Token);

Run in a pipeline using AzureCLI@2 task;

Pipeline:

pool:
  name: Azure Pipelines
  vmImage: "ubuntu-latest"

trigger: none

steps:
- task: AzureCLI@2
  displayName: Get credentials for pipeline agent principal
  inputs:
    azureSubscription: <Name of Azure Resource Manager Service Connection>
    scriptType: pscore
    scriptLocation: inlineScript
    addSpnToEnvironment: true
    inlineScript: dotnet run --project IdentityTest.csproj

The pipeline will succeed when using Azure Identity 1.12.1

When using Azure Identity 1.13.0, it will produce this error:

Unhandled exception. Azure.Identity.AuthenticationFailedException: ManagedIdentityCredential authentication failed: [Managed Identity] Authentication unavailable. Either the requested identity has not been assigned to this resource, or other errors could be present. Ensure the identity is correctly assigned and check the inner exception for more details. For more information, visit https://aka.ms/msal-managed-identity.
Status: BadRequest
Content:
{"error":"invalid_request","error_description":"Identity not found"}

Headers:
Server: IMDS/150.870.65.1475
x-ms-request-id: 85ec817c-d0b7-42f6-892d-c13b6c136982
Date: Wed, 23 Oct 2024 13:20:55 GMT

[Managed Identity] Error Code: invalid_request Error Description: Identity not found 
See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot
 ---> MSAL.NetCore.4.65.0.0.MsalServiceException:
	ErrorCode: managed_identity_request_failed
Microsoft.Identity.Client.MsalServiceException: [Managed Identity] Authentication unavailable. Either the requested identity has not been assigned to this resource, or other errors could be present. Ensure the identity is correctly assigned and check the inner exception for more details. For more information, visit https://aka.ms/msal-managed-identity.
Status: BadRequest
Content:
{"error":"invalid_request","error_description":"Identity not found"}

Headers:
Server: IMDS/150.870.65.1475
x-ms-request-id: 85ec817c-d0b7-42f6-892d-c13b6c136982
Date: Wed, 23 Oct 2024 13:20:55 GMT

[Managed Identity] Error Code: invalid_request Error Description: Identity not found 
   at Microsoft.Identity.Client.ManagedIdentity.ImdsManagedIdentitySource.HandleResponseAsync(AcquireTokenForManagedIdentityParameters parameters, HttpResponse response, CancellationToken cancellationToken)
   at Microsoft.Identity.Client.ManagedIdentity.AbstractManagedIdentity.AuthenticateAsync(AcquireTokenForManagedIdentityParameters parameters, CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.SendTokenRequestForManagedIdentityAsync(ILoggerAdapter logger, CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.GetAccessTokenAsync(CancellationToken cancellationToken, ILoggerAdapter logger)
   at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.Identity.Client.Utils.StopwatchService.MeasureCodeBlockAsync(Func`1 codeBlock)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.ApiConfig.Executors.ManagedIdentityExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenForManagedIdentityParameters managedIdentityParameters, CancellationToken cancellationToken)
   at Azure.Identity.MsalManagedIdentityClient.AcquireTokenForManagedIdentityAsyncCore(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.MsalManagedIdentityClient.AcquireTokenForManagedIdentityAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.ImdsManagedIdentityProbeSource.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentityClient.AuthenticateCoreAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentityClient.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
	StatusCode: 0 
	ResponseBody:  
	Headers: 
   --- End of inner exception stack trace ---
   at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable)
   at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentityCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.DefaultAzureCredential.GetTokenFromSourcesAsync(TokenCredential[] sources, TokenRequestContext requestContext, Boolean async, CancellationToken cancellationToken)
   at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable)
   at Azure.Identity.DefaultAzureCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.DefaultAzureCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Program.<Main>$(String[] args) in /home/vsts/work/1/s/Program.cs:line 1
   at Program.<Main>(String[] args)

@christothes
Member

Thanks @phelm1-landolakes - I have a local repro now and I have a fix.

@christothes
Member

@phelm1-landolakes Would you mind verifying with your repro also using this latest build? 1.14.0-alpha.20241023.3

@phelm1-landolakes

@christothes Using package version 1.14.0-alpha.20241023.3 succeeds.

@christothes
Member

This is now available on the public nuget as 1.13.1

@MHDBST

MHDBST commented Nov 1, 2024

Can someone please confirm if this problem is resolved in version 1.13.1? I have recently gotten this error and my Azure.Identity is updated to version 1.13.1. I tried the latest version as well (Install-Package Azure.Identity -version 1.14.0-alpha.20241023.3) but am still getting the same error.

@christothes
Member

@MHDBST - If you are seeing the same error with 1.13.1, please open a new issue with the specific details of your issue. It may be a different problem.
