Skip to content

[Identity] Deprecate legacy ManagedIdentityCredential constructors #53825

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Nov 12, 2025
Merged

[Identity] Deprecate legacy ManagedIdentityCredential constructors #53825

merged 7 commits into from
Nov 12, 2025

Conversation

Copy link
Contributor

Copilot AI commented Nov 11, 2025
edited
Loading

Description

Deprecates two legacy ManagedIdentityCredential constructors that lack clarity around system-assigned vs. user-assigned managed identity intent. These constructors are already hidden from IntelliSense via [EditorBrowsable(EditorBrowsableState.Never)].

Changes

Azure.Identity

  • Added [Obsolete] to ManagedIdentityCredential(string clientId, TokenCredentialOptions options)
  • Added [Obsolete] to ManagedIdentityCredential(ResourceIdentifier resourceId, TokenCredentialOptions options)
  • Updated CHANGELOG to document deprecation with issue reference (Deprecate legacy ManagedIdentityCredential ctors #53800)
  • Updated API listing files (net8.0 and netstandard2.0) to reflect the Obsolete attributes
  • Updated integration test ManagedIdentityTests.cs to use new constructor pattern

Microsoft.Extensions.Azure

  • Updated ClientFactory.CreateCredential() to use ManagedIdentityId factory methods instead of deprecated constructors
  • Updated AzureClientFactoryTests.cs tests to use new constructor pattern:
    • UsesProvidedCredentialIfOverGlobal test
    • UsesGlobalCredential test

Migration Path

// Before (deprecated)
var cred1 = new ManagedIdentityCredential();
var cred2 = new ManagedIdentityCredential("client-id");
var cred3 = new ManagedIdentityCredential(new ResourceIdentifier("resource-id"));

// After (recommended)
var cred1 = new ManagedIdentityCredential(ManagedIdentityId.SystemAssigned);
var cred2 = new ManagedIdentityCredential(ManagedIdentityId.FromUserAssignedClientId("client-id"));
var cred3 = new ManagedIdentityCredential(ManagedIdentityId.FromUserAssignedResourceId(new ResourceIdentifier("resource-id")));

This checklist is used to make sure that common guidelines for a pull request are followed.

General Guidelines

  • Title of the pull request is clear and informative.
  • There are a small number of commits, each of which have an informative message. This means that previously merged commits do not appear in the history of the PR. For more information on cleaning up the commits in your PR, see this page.

Testing Guidelines

  • Pull request includes test coverage for the included changes.

SDK Generation Guidelines

  • If an SDK is being regenerated based on a new swagger spec, a link to the pull request containing these swagger spec changes has been included above.

  • The generate.cmd file for the SDK has been updated with the version of AutoRest, as well as the commitid of your swagger spec or link to the swagger spec, used to generate the code.

  • The *.csproj and AssemblyInfo.cs files have been updated with the new version of the SDK.

  • Fixes Deprecate legacy ManagedIdentityCredential ctors #53800

Original prompt

This section details on the original issue you should resolve

<issue_title>Deprecate legacy ManagedIdentityCredential ctors</issue_title>
<issue_description>## Background

As ManagedIdentityCredential's API surfaced has evolved, the following 2 ctors are no longer recommended:

azure-sdk-for-net/sdk/identity/Azure.Identity/src/Credentials/ManagedIdentityCredential.cs

Lines 46 to 66 in 90a3d59

[EditorBrowsable(EditorBrowsableState.Never)]
public ManagedIdentityCredential(string clientId = null, TokenCredentialOptions options = null)
: this(new ManagedIdentityClient(new ManagedIdentityClientOptions { ManagedIdentityId = string.IsNullOrEmpty(clientId) ? ManagedIdentityId.SystemAssigned : ManagedIdentityId.FromUserAssignedClientId(clientId), Pipeline = CredentialPipeline.GetInstance(options, IsManagedIdentityCredential: true), Options = options }))
{
_logAccountDetails = options?.Diagnostics?.IsAccountIdentifierLoggingEnabled ?? false;
}
/// <summary>
/// Creates an instance of <see cref="ManagedIdentityCredential"/> capable of authenticating a resource with a user-assigned managed identity.
/// </summary>
/// <param name="resourceId">
/// The resource ID to authenticate for a <see href="https://learn.microsoft.com/entra/identity/managed-identities-azure-resources/overview#how-a-user-assigned-managed-identity-works-with-an-azure-vm">user-assigned managed identity</see>.
/// </param>
/// <param name="options">Options to configure the management of the requests sent to Microsoft Entra ID.</param>
[EditorBrowsable(EditorBrowsableState.Never)]
public ManagedIdentityCredential(ResourceIdentifier resourceId, TokenCredentialOptions options = null)
: this(new ManagedIdentityClient(new ManagedIdentityClientOptions { ManagedIdentityId = ManagedIdentityId.FromUserAssignedResourceId(resourceId), Pipeline = CredentialPipeline.GetInstance(options, IsManagedIdentityCredential: true), Options = options }))
{
_logAccountDetails = options?.Diagnostics?.IsAccountIdentifierLoggingEnabled ?? false;
_clientId = resourceId.ToString();
}

From a behavioral perspective, the following ctors are equivalent:

ManagedIdentityCredential credential1 = new();
ManagedIdentityCredential credential2 = new(ManagedIdentityId.SystemAssigned);
ManagedIdentityCredential credential1 = new("<client_id>");
ManagedIdentityCredential credential2 = new(ManagedIdentityId.FromUserAssignedClientId("<client-id>"));

The same is true for the following 2 ctors:

ManagedIdentityCredential credential1 = new(new ResourceIdentifier("<resource_id>"));
ManagedIdentityCredential credential2 = new(
    ManagedIdentityId.FromUserAssignedResourceId(new ResourceIdentifier("<resource_id>")));

The newer ctors make the intent clear; that is, whether system-assigned or user-assigned managed identity is to be used. Furthermore, the older ctors are already suppressed from display in IntelliSense and Learn API ref docs (thanks to [EditorBrowsable(EditorBrowsableState.Never)].

Proposal

Discourage further use of the 2 older ctors by deprecating them. To accomplish this, apply the following [Obsolete()] attribute to each of them:

[Obsolete("Use constructor ManagedIdentityCredential(ManagedIdentityId id, TokenCredentialOptions options = null) or ManagedIdentityCredential(ManagedIdentityCredentialOptions options).")]

The result is fewer ways to accomplish the same thing and a much clearer intent.

Finally, add a CHANGELOG entry to raise awareness of the deprecated ctors.</issue_description>

Comments on the Issue (you are @copilot in this section)

@scottaddie Heads up there will be minor changes required in Microsoft.Extensions.Azure too. Affected files include:
  • ClientFactory.cs
  • AzureClientFactoryTests.cs</comment_new>

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

Copilot AI changed the title [WIP] Deprecate legacy ManagedIdentityCredential constructors Deprecate legacy ManagedIdentityCredential constructors Nov 11, 2025
Copilot AI requested a review from JonathanCrd November 11, 2025 21:12
Copilot finished work on behalf of JonathanCrd November 11, 2025 21:12
@scottaddie
Copy link
Member

scottaddie commented Nov 12, 2025

@copilot Update these 2 tests too:

azure-sdk-for-net/sdk/extensions/Microsoft.Extensions.Azure/tests/AzureClientFactoryTests.cs

Lines 237 to 258 in 349d2b0

[Test]
public void UsesProvidedCredentialIfOverGlobal()
{
var serviceCollection = new ServiceCollection();
var defaultAzureCredential = new ManagedIdentityCredential();
serviceCollection.AddAzureClients(builder => builder.AddTestClientWithCredentials(new Uri("http://localhost")).WithCredential(defaultAzureCredential));
ServiceProvider provider = serviceCollection.BuildServiceProvider();
TestClientWithCredentials client = provider.GetService<TestClientWithCredentials>();
Assert.AreSame(defaultAzureCredential, client.Credential);
}
[Test]
public void UsesGlobalCredential()
{
var serviceCollection = new ServiceCollection();
var defaultAzureCredential = new ManagedIdentityCredential();
serviceCollection.AddAzureClients(builder => {
builder.AddTestClientWithCredentials(new Uri("http://localhost"));
builder.UseCredential(defaultAzureCredential);
});

Copilot finished work on behalf of scottaddie November 12, 2025 00:11
Copilot AI requested a review from scottaddie November 12, 2025 00:11
@scottaddie
Copy link
Member

scottaddie commented Nov 12, 2025

@copilot Run ./eng/scripts/Export-API.ps1 <service_directory_name> for each changed project. The <service_directory_name> placeholder refers to the name of the directory under the sdk directory, such as "identity" or "extensions".

Copy link
Contributor Author

Copilot AI commented Nov 12, 2025

@copilot Run ./eng/scripts/Export-API.ps1 <service_directory_name> for each changed project. The <service_directory_name> placeholder refers to the name of the directory under the sdk directory, such ...

Ran ./eng/scripts/Export-API.ps1 -ServiceDirectory identity and committed the updated API listing files. The [System.ObsoleteAttribute] is now reflected in both net8.0 and netstandard2.0 API files. Changes in commit ca1a59f.

Copilot finished work on behalf of scottaddie November 12, 2025 15:27
@scottaddie scottaddie marked this pull request as ready for review November 12, 2025 16:23
@scottaddie scottaddie requested a review from jsquire as a code owner November 12, 2025 16:23
Copilot AI review requested due to automatic review settings November 12, 2025 16:23
@scottaddie scottaddie requested review from a team and christothes as code owners November 12, 2025 16:23
Copilot finished reviewing on behalf of scottaddie November 12, 2025 16:28
Copilot AI reviewed Nov 12, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR deprecates two legacy ManagedIdentityCredential constructors that lack clarity around system-assigned vs. user-assigned managed identity intent, replacing them with newer constructors that use explicit ManagedIdentityId parameters for better code clarity.

  • Adds [Obsolete] attributes to legacy constructors in ManagedIdentityCredential
  • Updates API listing files to reflect deprecation
  • Migrates Microsoft.Extensions.Azure code to use the new constructor pattern

Reviewed Changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.

Show a summary per file
File Description
sdk/identity/Azure.Identity/src/Credentials/ManagedIdentityCredential.cs Added Obsolete attributes to two legacy constructors with guidance messages
sdk/identity/Azure.Identity/api/Azure.Identity.netstandard2.0.cs Updated API listing to reflect Obsolete attributes for netstandard2.0 target
sdk/identity/Azure.Identity/api/Azure.Identity.net8.0.cs Updated API listing to reflect Obsolete attributes for net8.0 target
sdk/identity/Azure.Identity/CHANGELOG.md Documented the deprecation in the changelog
sdk/extensions/Microsoft.Extensions.Azure/src/Internal/ClientFactory.cs Migrated from deprecated constructors to new ManagedIdentityId factory methods while preserving existing behavior
sdk/extensions/Microsoft.Extensions.Azure/tests/AzureClientFactoryTests.cs Updated tests to use explicit ManagedIdentityId.SystemAssigned instead of parameterless constructor

@JonathanCrd
Copy link
Member

JonathanCrd commented Nov 12, 2025

@copilot update these references too:

azure-sdk-for-net/sdk/identity/Azure.Identity/integration/Integration.Identity.Common/ManagedIdentityTests.cs

Lines 24 to 25 in 349d2b0

var credential1 = new ManagedIdentityCredential();
var credential2 = new ManagedIdentityCredential(new ResourceIdentifier(resourceId));

Copy link
Contributor Author

Copilot AI commented Nov 12, 2025

@copilot update these references too:
https://github.com/Azure/azure-sdk-for-net/blob/349d2b02224fdc1545ddaa6ac0ddbe84304f4cf5/sdk/identity/Azure.Identity/integration/Integration.Identity.Common/Mana...

Updated the integration test to use the new constructor patterns:

  • Line 24: Changed to ManagedIdentityId.SystemAssigned
  • Line 25: Changed to ManagedIdentityId.FromUserAssignedResourceId(new ResourceIdentifier(resourceId))

Changes in commit 18a3672.

Copilot finished work on behalf of JonathanCrd November 12, 2025 19:28
@scottaddie
Copy link
Member

scottaddie commented Nov 12, 2025

@copilot At the end of the CHANGELOG entry text, include a reference to the issue that was fixed (#53800).

Copy link
Contributor Author

Copilot AI commented Nov 12, 2025

@copilot At the end of the CHANGELOG entry text, include a reference to the issue that was fixed (#53800).

Added issue reference (#53800) to the CHANGELOG entry. Changes in commit cfeb996.

Copilot AI requested a review from scottaddie November 12, 2025 21:22
Copilot finished work on behalf of scottaddie November 12, 2025 21:22
@JonathanCrd JonathanCrd changed the title Deprecate legacy ManagedIdentityCredential constructors [Identity] Deprecate legacy ManagedIdentityCredential constructors Nov 12, 2025
jsquire
jsquire approved these changes Nov 12, 2025
View reviewed changes
Copy link
Member

@jsquire jsquire left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Extensions package looks good.

@JonathanCrd
Copy link
Member

JonathanCrd commented Nov 12, 2025

/check-enforcer evaluate

@JonathanCrd JonathanCrd merged commit 381cde6 into main Nov 12, 2025
19 checks passed
@JonathanCrd JonathanCrd deleted the copilot/deprecate-legacy-credential-ctors branch November 12, 2025 23:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@jsquire jsquire jsquire approved these changes

@christothes christothes christothes approved these changes

@scottaddie scottaddie scottaddie approved these changes

@maorleger maorleger Awaiting requested review from maorleger maorleger is a code owner automatically assigned from Azure/azure-sdk-write-identity

@joshfree joshfree Awaiting requested review from joshfree joshfree is a code owner automatically assigned from Azure/azure-sdk-write-identity

@pvaneck pvaneck Awaiting requested review from pvaneck pvaneck is a code owner automatically assigned from Azure/azure-sdk-write-identity

@g2vinay g2vinay Awaiting requested review from g2vinay g2vinay is a code owner automatically assigned from Azure/azure-sdk-write-identity

@anannya03 anannya03 Awaiting requested review from anannya03 anannya03 is a code owner automatically assigned from Azure/azure-sdk-write-identity

+1 more reviewer

@JonathanCrd JonathanCrd JonathanCrd approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@JonathanCrd JonathanCrd

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Deprecate legacy ManagedIdentityCredential ctors

5 participants

@scottaddie @JonathanCrd @jsquire @christothes