Deprecate legacy ManagedIdentityCredential ctors #53800

@scottaddie

Background

As ManagedIdentityCredential's API surface has evolved, the following 2 ctors are no longer recommended:

[EditorBrowsable(EditorBrowsableState.Never)]
public ManagedIdentityCredential(string clientId = null, TokenCredentialOptions options = null)
    : this(new ManagedIdentityClient(new ManagedIdentityClientOptions { ManagedIdentityId = string.IsNullOrEmpty(clientId) ? ManagedIdentityId.SystemAssigned : ManagedIdentityId.FromUserAssignedClientId(clientId), Pipeline = CredentialPipeline.GetInstance(options, IsManagedIdentityCredential: true), Options = options }))
{
    _logAccountDetails = options?.Diagnostics?.IsAccountIdentifierLoggingEnabled ?? false;
}

/// <summary>
/// Creates an instance of <see cref="ManagedIdentityCredential"/> capable of authenticating a resource with a user-assigned managed identity.
/// </summary>
/// <param name="resourceId">
/// The resource ID to authenticate for a <see href="https://learn.microsoft.com/entra/identity/managed-identities-azure-resources/overview#how-a-user-assigned-managed-identity-works-with-an-azure-vm">user-assigned managed identity</see>.
/// </param>
/// <param name="options">Options to configure the management of the requests sent to Microsoft Entra ID.</param>
[EditorBrowsable(EditorBrowsableState.Never)]
public ManagedIdentityCredential(ResourceIdentifier resourceId, TokenCredentialOptions options = null)
    : this(new ManagedIdentityClient(new ManagedIdentityClientOptions { ManagedIdentityId = ManagedIdentityId.FromUserAssignedResourceId(resourceId), Pipeline = CredentialPipeline.GetInstance(options, IsManagedIdentityCredential: true), Options = options }))
{
    _logAccountDetails = options?.Diagnostics?.IsAccountIdentifierLoggingEnabled ?? false;
    _clientId = resourceId.ToString();
}

From a behavioral perspective, the following ctors are equivalent:

ManagedIdentityCredential credential1 = new();
ManagedIdentityCredential credential2 = new(ManagedIdentityId.SystemAssigned);

ManagedIdentityCredential credential1 = new("<client_id>");
ManagedIdentityCredential credential2 = new(ManagedIdentityId.FromUserAssignedClientId("<client_id>"));

The same is true for the following 2 ctors:

ManagedIdentityCredential credential1 = new(new ResourceIdentifier("<resource_id>"));
ManagedIdentityCredential credential2 = new(
    ManagedIdentityId.FromUserAssignedResourceId(new ResourceIdentifier("<resource_id>")));

The newer ctors make the intent clear; that is, whether system-assigned or user-assigned managed identity is to be used. Furthermore, the older ctors are already suppressed from display in IntelliSense and Learn API ref docs (thanks to [EditorBrowsable(EditorBrowsableState.Never)]).

Proposal

Discourage further use of the 2 older ctors by deprecating them. To accomplish this, apply the following [Obsolete()] attribute to each of them:

[Obsolete("Use constructor ManagedIdentityCredential(ManagedIdentityId id, TokenCredentialOptions options = null) or ManagedIdentityCredential(ManagedIdentityCredentialOptions options).")]

The result is fewer ways to accomplish the same thing and a much clearer intent.

Finally, add a CHANGELOG entry to raise awareness of the deprecated ctors.
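
The first legacy ctor quoted in this issue maps a null or empty clientId to ManagedIdentityId.SystemAssigned, so an unset configuration value silently changes which identity authenticates. The following is an added example, not part of the original issue and not Azure SDK code, showing a call site migrated to the ManagedIdentityId ctor that fails closed instead; the ManagedIdentityFactory class and the MI_KIND, MI_CLIENT_ID and MI_RESOURCE_ID setting names are hypothetical.

```csharp
using System;
using Azure.Core;
using Azure.Identity;

// Added example, not Azure SDK code. The MI_* setting names are hypothetical.
public static class ManagedIdentityFactory
{
    // Maps configuration to an explicit ManagedIdentityId. Nothing here falls
    // back to system-assigned when a user-assigned ID is missing.
    public static ManagedIdentityId ResolveId(string kind, string clientId, string resourceId)
    {
        switch (kind)
        {
            case "system":
                // System-assigned has to be requested by name, never reached by omission.
                if (!string.IsNullOrEmpty(clientId) || !string.IsNullOrEmpty(resourceId))
                    throw new InvalidOperationException(
                        "MI_KIND=system conflicts with a configured user-assigned ID.");
                return ManagedIdentityId.SystemAssigned;

            case "user-client-id":
                if (string.IsNullOrWhiteSpace(clientId))
                    throw new InvalidOperationException(
                        "MI_CLIENT_ID is required when MI_KIND=user-client-id.");
                return ManagedIdentityId.FromUserAssignedClientId(clientId);

            case "user-resource-id":
                if (string.IsNullOrWhiteSpace(resourceId))
                    throw new InvalidOperationException(
                        "MI_RESOURCE_ID is required when MI_KIND=user-resource-id.");
                return ManagedIdentityId.FromUserAssignedResourceId(
                    new ResourceIdentifier(resourceId));

            default:
                // Covers a null or unrecognized MI_KIND.
                throw new InvalidOperationException(
                    "MI_KIND must be system, user-client-id or user-resource-id.");
        }
    }

    public static ManagedIdentityCredential Create()
    {
        ManagedIdentityId id = ResolveId(
            Environment.GetEnvironmentVariable("MI_KIND"),
            Environment.GetEnvironmentVariable("MI_CLIENT_ID"),
            Environment.GetEnvironmentVariable("MI_RESOURCE_ID"));

        // Binds to ManagedIdentityCredential(ManagedIdentityId id, TokenCredentialOptions options = null).
        return new ManagedIdentityCredential(id);
    }
}
```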

Labels: Azure.Identity, Client

Status: Done