[Identity] Deprecate legacy ManagedIdentityCredential constructors (#53825)

* Initial plan

* Add Obsolete attributes to legacy ManagedIdentityCredential constructors and update usages

Co-authored-by: JonathanCrd <[email protected]>

* Fix Obsolete attribute message to use correct constructor signature

Co-authored-by: JonathanCrd <[email protected]>

* Update AzureClientFactoryTests to use new ManagedIdentityCredential constructor

Co-authored-by: scottaddie <[email protected]>

* Update API listing files after adding Obsolete attributes

Co-authored-by: scottaddie <[email protected]>

* Update ManagedIdentityTests to use new constructor pattern

Co-authored-by: JonathanCrd <[email protected]>

* Add issue reference to CHANGELOG entry

Co-authored-by: scottaddie <[email protected]>

---------

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: JonathanCrd <[email protected]>
Co-authored-by: scottaddie <[email protected]>

Author: 3 people

sdk/extensions/Microsoft.Extensions.Azure/src/Internal/ClientFactory.cs

@@ -126,7 +126,7 @@ internal static TokenCredential CreateCredential(IConfiguration configuration)
 
                 if (!string.IsNullOrWhiteSpace(resourceId))
                 {
-                    return new ManagedIdentityCredential(new ResourceIdentifier(resourceId));
+                    return new ManagedIdentityCredential(ManagedIdentityId.FromUserAssignedResourceId(new ResourceIdentifier(resourceId)));
                 }
 
                 if (!string.IsNullOrWhiteSpace(objectId))
@@ -136,10 +136,15 @@ internal static TokenCredential CreateCredential(IConfiguration configuration)
 
                 if (!string.IsNullOrWhiteSpace(managedIdentityClientId))
                 {
-                    return new ManagedIdentityCredential(managedIdentityClientId);
+                    return new ManagedIdentityCredential(ManagedIdentityId.FromUserAssignedClientId(managedIdentityClientId));
                 }
 
-                return new ManagedIdentityCredential(clientId);
+                if (!string.IsNullOrWhiteSpace(clientId))
+                {
+                    return new ManagedIdentityCredential(ManagedIdentityId.FromUserAssignedClientId(clientId));
+                }
+
+                return new ManagedIdentityCredential(ManagedIdentityId.SystemAssigned);
             }
 
             if (string.Equals(credentialType, "workloadidentity", StringComparison.OrdinalIgnoreCase))

sdk/extensions/Microsoft.Extensions.Azure/tests/AzureClientFactoryTests.cs

@@ -238,7 +238,7 @@ public void ResolvesDefaultClientByDefault()
         public void UsesProvidedCredentialIfOverGlobal()
         {
             var serviceCollection = new ServiceCollection();
-            var defaultAzureCredential = new ManagedIdentityCredential();
+            var defaultAzureCredential = new ManagedIdentityCredential(ManagedIdentityId.SystemAssigned);
             serviceCollection.AddAzureClients(builder => builder.AddTestClientWithCredentials(new Uri("http://localhost")).WithCredential(defaultAzureCredential));
 
             ServiceProvider provider = serviceCollection.BuildServiceProvider();
@@ -251,7 +251,7 @@ public void UsesProvidedCredentialIfOverGlobal()
         public void UsesGlobalCredential()
         {
             var serviceCollection = new ServiceCollection();
-            var defaultAzureCredential = new ManagedIdentityCredential();
+            var defaultAzureCredential = new ManagedIdentityCredential(ManagedIdentityId.SystemAssigned);
             serviceCollection.AddAzureClients(builder => {
                 builder.AddTestClientWithCredentials(new Uri("http://localhost"));
                 builder.UseCredential(defaultAzureCredential);

sdk/identity/Azure.Identity/CHANGELOG.md

@@ -10,6 +10,8 @@
 
 ### Other Changes
 
+- Deprecated legacy `ManagedIdentityCredential` constructors. Use `ManagedIdentityCredential(ManagedIdentityId id)` or `ManagedIdentityCredential(ManagedIdentityCredentialOptions options)` instead for clearer intent when specifying system-assigned or user-assigned managed identity. ([#53800](https://github.com/Azure/azure-sdk-for-net/issues/53800))
+
 ## 1.17.0 (2025-10-07)
 
 ### Bugs Fixed

sdk/identity/Azure.Identity/api/Azure.Identity.net8.0.cs

@@ -325,10 +325,12 @@ public partial class ManagedIdentityCredential : Azure.Core.TokenCredential
     {
         protected ManagedIdentityCredential() { }
         [System.ComponentModel.EditorBrowsableAttribute(System.ComponentModel.EditorBrowsableState.Never)]
+        [System.ObsoleteAttribute("Use constructor ManagedIdentityCredential(ManagedIdentityId id) or ManagedIdentityCredential(ManagedIdentityCredentialOptions options).")]
         public ManagedIdentityCredential(Azure.Core.ResourceIdentifier resourceId, Azure.Identity.TokenCredentialOptions options = null) { }
         public ManagedIdentityCredential(Azure.Identity.ManagedIdentityCredentialOptions options) { }
         public ManagedIdentityCredential(Azure.Identity.ManagedIdentityId id) { }
         [System.ComponentModel.EditorBrowsableAttribute(System.ComponentModel.EditorBrowsableState.Never)]
+        [System.ObsoleteAttribute("Use constructor ManagedIdentityCredential(ManagedIdentityId id) or ManagedIdentityCredential(ManagedIdentityCredentialOptions options).")]
         public ManagedIdentityCredential(string clientId = null, Azure.Identity.TokenCredentialOptions options = null) { }
         public override Azure.Core.AccessToken GetToken(Azure.Core.TokenRequestContext requestContext, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
         public override System.Threading.Tasks.ValueTask<Azure.Core.AccessToken> GetTokenAsync(Azure.Core.TokenRequestContext requestContext, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }

sdk/identity/Azure.Identity/api/Azure.Identity.netstandard2.0.cs

@@ -322,10 +322,12 @@ public partial class ManagedIdentityCredential : Azure.Core.TokenCredential
     {
         protected ManagedIdentityCredential() { }
         [System.ComponentModel.EditorBrowsableAttribute(System.ComponentModel.EditorBrowsableState.Never)]
+        [System.ObsoleteAttribute("Use constructor ManagedIdentityCredential(ManagedIdentityId id) or ManagedIdentityCredential(ManagedIdentityCredentialOptions options).")]
         public ManagedIdentityCredential(Azure.Core.ResourceIdentifier resourceId, Azure.Identity.TokenCredentialOptions options = null) { }
         public ManagedIdentityCredential(Azure.Identity.ManagedIdentityCredentialOptions options) { }
         public ManagedIdentityCredential(Azure.Identity.ManagedIdentityId id) { }
         [System.ComponentModel.EditorBrowsableAttribute(System.ComponentModel.EditorBrowsableState.Never)]
+        [System.ObsoleteAttribute("Use constructor ManagedIdentityCredential(ManagedIdentityId id) or ManagedIdentityCredential(ManagedIdentityCredentialOptions options).")]
         public ManagedIdentityCredential(string clientId = null, Azure.Identity.TokenCredentialOptions options = null) { }
         public override Azure.Core.AccessToken GetToken(Azure.Core.TokenRequestContext requestContext, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
         public override System.Threading.Tasks.ValueTask<Azure.Core.AccessToken> GetTokenAsync(Azure.Core.TokenRequestContext requestContext, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }

sdk/identity/Azure.Identity/integration/Integration.Identity.Common/ManagedIdentityTests.cs

@@ -21,8 +21,8 @@ public static void AuthToStorage()
         string account1 = Environment.GetEnvironmentVariable("IDENTITY_STORAGE_NAME_1")!;
         string account2 = Environment.GetEnvironmentVariable("IDENTITY_STORAGE_NAME_2")!;
 
-        var credential1 = new ManagedIdentityCredential();
-        var credential2 = new ManagedIdentityCredential(new ResourceIdentifier(resourceId));
+        var credential1 = new ManagedIdentityCredential(ManagedIdentityId.SystemAssigned);
+        var credential2 = new ManagedIdentityCredential(ManagedIdentityId.FromUserAssignedResourceId(new ResourceIdentifier(resourceId)));
         var client1 = new BlobServiceClient(new Uri($"https://{account1}.blob.core.windows.net/"), credential1);
         var client2 = new BlobServiceClient(new Uri($"https://{account2}.blob.core.windows.net/"), credential2);
         client1.GetBlobContainers().ToList();

sdk/identity/Azure.Identity/src/Credentials/ManagedIdentityCredential.cs

@@ -44,6 +44,7 @@ protected ManagedIdentityCredential()
         /// </param>
         /// <param name="options">Options to configure the management of the requests sent to Microsoft Entra ID.</param>
         [EditorBrowsable(EditorBrowsableState.Never)]
+        [Obsolete("Use constructor ManagedIdentityCredential(ManagedIdentityId id) or ManagedIdentityCredential(ManagedIdentityCredentialOptions options).")]
         public ManagedIdentityCredential(string clientId = null, TokenCredentialOptions options = null)
             : this(new ManagedIdentityClient(new ManagedIdentityClientOptions { ManagedIdentityId = string.IsNullOrEmpty(clientId) ? ManagedIdentityId.SystemAssigned : ManagedIdentityId.FromUserAssignedClientId(clientId), Pipeline = CredentialPipeline.GetInstance(options, IsManagedIdentityCredential: true), Options = options }))
         {
@@ -58,6 +59,7 @@ public ManagedIdentityCredential(string clientId = null, TokenCredentialOptions
         /// </param>
         /// <param name="options">Options to configure the management of the requests sent to Microsoft Entra ID.</param>
         [EditorBrowsable(EditorBrowsableState.Never)]
+        [Obsolete("Use constructor ManagedIdentityCredential(ManagedIdentityId id) or ManagedIdentityCredential(ManagedIdentityCredentialOptions options).")]
         public ManagedIdentityCredential(ResourceIdentifier resourceId, TokenCredentialOptions options = null)
             : this(new ManagedIdentityClient(new ManagedIdentityClientOptions { ManagedIdentityId = ManagedIdentityId.FromUserAssignedResourceId(resourceId), Pipeline = CredentialPipeline.GetInstance(options, IsManagedIdentityCredential: true), Options = options }))
         {