microsoft · RoshanKumarMicrosoft · Apr 15, 2018 · Mar 9, 2018 · Mar 27, 2018 · Mar 29, 2018
diff --git a/Tasks/AzurePowerShell/Utility.ps1 b/Tasks/AzurePowerShell/Utility.ps1
@@ -30,7 +30,7 @@ function Update-PSModulePathForHostedAgent {
             $hostedAgentAzureModulePath  =  Get-LatestModule -patternToMatch "^azure_[0-9]+\.[0-9]+\.[0-9]+$"   -patternToExtract "[0-9]+\.[0-9]+\.[0-9]+$" -Classic:$true
         }
 
-        if($authScheme -eq 'ServicePrincipal' -or $authScheme -eq '')
+        if($authScheme -eq 'ServicePrincipal' -or $authScheme -eq '' -or $authScheme -eq 'ManagedServiceIdentity')
         {
             $env:PSModulePath = $hostedAgentAzureModulePath + ";" + $env:PSModulePath
             $env:PSModulePath = $env:PSModulePath.TrimStart(';')

diff --git a/Tasks/Common/VstsAzureHelpers_/InitializeFunctions.ps1 b/Tasks/Common/VstsAzureHelpers_/InitializeFunctions.ps1
@@ -161,7 +161,32 @@ function Initialize-AzureSubscription {
 
             Set-CurrentAzureRMSubscription -SubscriptionId $Endpoint.Data.SubscriptionId -TenantId $Endpoint.Auth.Parameters.TenantId
         }
-    } else {
+    } elseif ($Endpoint.Auth.Scheme -eq 'ManagedServiceIdentity') {
+        $accountId = $env:BUILD_BUILDID 
+        if($env:RELEASE_RELEASEID){
+            $accountId = $env:RELEASE_RELEASEID 
+        }
+        $date = Get-Date -Format o
+        $accountId = -join($accountId, "-", $date)
+        $port = 50342
+        if($Endpoint.Data.MsiPort){
+            $port = $Endpoint.Data.MsiPort
+        }
+        $msiUri =  "http://localhost:$port/oauth2/token"
+        $response = Invoke-WebRequest -Uri $msiUri -Method GET -Body @{resource= $Endpoint.Url} -Headers @{Metadata="true"} -UseBasicParsing
+        $content =$response.Content | ConvertFrom-Json
+        $access_token = $content.access_token
+        try {
+            Write-Host "##[command]Add-AzureRmAccount  -AccessToken ****** -AccountId $accountId "
+            $null = Add-AzureRmAccount -AccessToken $access_token -AccountId $accountId
+        } catch {
+            # Provide an additional, custom, credentials-related error message.
+            Write-VstsTaskError -Message $_.Exception.Message
+            throw (New-Object System.Exception((Get-VstsLocString -Key AZ_ManagedServiceIdentityError), $_.Exception))
+        }
+
+        Set-CurrentAzureRMSubscription -SubscriptionId $Endpoint.Data.SubscriptionId -TenantId $Endpoint.Auth.Parameters.TenantId
+    }else {
         throw (Get-VstsLocString -Key AZ_UnsupportedAuthScheme0 -ArgumentList $Endpoint.Auth.Scheme)
     }
 }

diff --git a/Tasks/Common/VstsAzureHelpers_/Strings/resources.resjson/en-US/resources.resjson b/Tasks/Common/VstsAzureHelpers_/Strings/resources.resjson/en-US/resources.resjson
@@ -8,5 +8,6 @@
   "loc.messages.AZ_ServicePrincipalAuthNotSupportedAzureVersion0": "Service principal authentication is not supported in version '{0}' of the Azure module.",
   "loc.messages.AZ_UnsupportedAuthScheme0": "Unsupported authentication scheme '{0}' for Azure endpoint.",
   "loc.messages.AZ_AvailableModules": "The list of available {0} modules:",
-  "loc.messages.AZ_InvalidARMEndpoint": "Specified AzureRM endpoint is invalid."
+  "loc.messages.AZ_InvalidARMEndpoint": "Specified AzureRM endpoint is invalid.",
+  "loc.messages.AZ_ManagedServiceIdentityError": "There was an error with the Managed Service Principal. Please configure Managed Service Identity (MSI) for virtual machine 'https://aka.ms/azure-msi-docs'"
 }
diff --git a/Tasks/Common/VstsAzureHelpers_/Tests/Initialize-AzureSubscription.ManagedServiceIdentity.ps1 b/Tasks/Common/VstsAzureHelpers_/Tests/Initialize-AzureSubscription.ManagedServiceIdentity.ps1
@@ -0,0 +1,49 @@
+[CmdletBinding()]
+param()
+
+# Arrange.
+. $PSScriptRoot\..\..\..\..\Tests\lib\Initialize-Test.ps1
+Microsoft.PowerShell.Core\Import-Module Microsoft.PowerShell.Security
+Unregister-Mock Import-Module
+Register-Mock Write-VstsTaskError
+$module = Microsoft.PowerShell.Core\Import-Module $PSScriptRoot\.. -PassThru
+
+$endpoint = @{
+    Auth = @{
+        Parameters = @{
+            ServicePrincipalId = 'Some service principal ID'
+            ServicePrincipalKey = 'Some service principal key'
+            TenantId = 'Some tenant ID'
+        }
+        Scheme = 'ManagedServiceIdentity'
+    }
+    Data = @{
+        SubscriptionId = 'Some subscription ID'
+        SubscriptionName = 'Some subscription name'
+    }
+}
+
+$content = @"
+           {"access_token" : "Dummy Token" }
+"@
+
+$variableSets = @(
+    @{ StorageAccount = 'Some storage account' }
+)
+foreach ($variableSet in $variableSets) {
+    Write-Verbose ('-' * 80)
+    Unregister-Mock Add-AzureRMAccount
+    Unregister-Mock Set-CurrentAzureRMSubscription
+    Unregister-Mock Invoke-WebRequest
+    Unregister-Mock Set-UserAgent
+    Register-Mock Add-AzureRMAccount { 'some output' }
+    Register-Mock Set-CurrentAzureRMSubscription
+    Register-Mock Set-UserAgent
+    Register-Mock Invoke-WebRequest { @{Content = $content} }
+
+    # Act.
+    $result = & $module Initialize-AzureSubscription -Endpoint $endpoint -StorageAccount $variableSet.StorageAccount
+
+    Assert-AreEqual $null $result
+    Assert-WasCalled Set-CurrentAzureRMSubscription -- -SubscriptionId $endpoint.Data.SubscriptionId -TenantId $endpoint.Auth.Parameters.TenantId
+}
diff --git a/Tasks/Common/VstsAzureHelpers_/Tests/L0.ts b/Tasks/Common/VstsAzureHelpers_/Tests/L0.ts
@@ -63,6 +63,9 @@ describe('Common-VstsAzureHelpers_ Suite', function () {
         it('(Initialize-Azure) throws when service name is null', (done) => {
             psr.run(path.join(__dirname, 'Initialize-Azure.ThrowsWhenServiceNameIsNull.ps1'), done);
         })
+        it('(Initialize-AzureSubscription) manged service identity should pass ', (done) => {
+            psr.run(path.join(__dirname, 'Initialize-AzureSubscription.ManagedServiceIdentity.ps1'), done);
+        })
         it('(Initialize-AzureSubscription) passes values when cert auth', (done) => {
             psr.run(path.join(__dirname, 'Initialize-AzureSubscription.PassesValuesWhenCertAuth.ps1'), done);
         })

diff --git a/Tasks/Common/VstsAzureHelpers_/VstsAzureHelpers_.psm1 b/Tasks/Common/VstsAzureHelpers_/VstsAzureHelpers_.psm1
@@ -38,7 +38,7 @@ function Initialize-Azure {
 
         # Determine which modules are preferred.
         $preferredModules = @( )
-        if ($endpoint.Auth.Scheme -eq 'ServicePrincipal') {
+        if (($endpoint.Auth.Scheme -eq 'ServicePrincipal') -or ($endpoint.Auth.Scheme -eq 'ManagedServiceIdentity')) {
             $preferredModules += 'AzureRM'
         } elseif ($endpoint.Auth.Scheme -eq 'UserNamePassword' -and $strict -eq $false) {
             $preferredModules += 'Azure'

diff --git a/Tasks/Common/VstsAzureHelpers_/module.json b/Tasks/Common/VstsAzureHelpers_/module.json
@@ -9,6 +9,7 @@
         "AZ_ServicePrincipalAuthNotSupportedAzureVersion0": "Service principal authentication is not supported in version '{0}' of the Azure module.",
         "AZ_UnsupportedAuthScheme0": "Unsupported authentication scheme '{0}' for Azure endpoint.",
         "AZ_AvailableModules": "The list of available {0} modules:",
-        "AZ_InvalidARMEndpoint": "Specified AzureRM endpoint is invalid."
+        "AZ_InvalidARMEndpoint": "Specified AzureRM endpoint is invalid.",
+        "AZ_ManagedServiceIdentityError": "There was an error with the Managed Service Principal. Please configure Managed Service Identity (MSI) for virtual machine 'https://aka.ms/azure-msi-docs'"
     }
 }