From f30d633d473678ca7a9ac324dc3139a6e81d6028 Mon Sep 17 00:00:00 2001 From: Scott Addie Date: Fri, 13 Jun 2025 12:52:40 -0500 Subject: [PATCH 1/4] Document new MI as FIC feature in Microsoft.Extensions.Azure --- ...te-token-credentials-from-configuration.md | 71 +++++++++++++++++-- 1 file changed, 64 insertions(+), 7 deletions(-) diff --git a/docs/azure/sdk/authentication/create-token-credentials-from-configuration.md b/docs/azure/sdk/authentication/create-token-credentials-from-configuration.md index 34251e6061cda..ce0b5829e95e4 100644 --- a/docs/azure/sdk/authentication/create-token-credentials-from-configuration.md +++ b/docs/azure/sdk/authentication/create-token-credentials-from-configuration.md @@ -3,7 +3,7 @@ title: Create Azure Identity library credentials via configuration files description: Learn how to create token credentials from configuration files. ms.topic: how-to ms.custom: devx-track-dotnet, engagement-fy23 -ms.date: 03/14/2025 +ms.date: 06/13/2025 --- # Create Azure Identity library credentials via configuration files @@ -67,9 +67,23 @@ Add the wildcard value `*` to allow the credential to acquire tokens for any Mic ### Create an instance of `ManagedIdentityCredential` -You can create both user-assigned and system-assigned managed identities using configuration values. To create an instance of , add the following key-value pairs to your _appsettings.json_ file. +You can use a managed identity in the following ways using configuration values: -#### User-assigned managed identities +- System-assigned managed identity +- User-assigned managed identity +- Managed identity as a federated identity credential + +To create an instance of , add the following key-value pairs to your _appsettings.json_ file. + +#### System-assigned managed identity + +```json +{ + "credential": "managedidentity" +} +``` + +#### User-assigned managed identity A user-assigned managed identity can be used by providing a client ID, resource ID, or object ID. 
@@ -78,7 +92,7 @@ A user-assigned managed identity can be used by providing a client ID, resource ```json { "credential": "managedidentity", - "clientId": "" + "managedIdentityClientId": "" } ``` @@ -91,7 +105,7 @@ A user-assigned managed identity can be used by providing a client ID, resource } ``` -The resource ID takes the form: +The resource ID takes the form `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}` ## [Object ID](#tab/object-id) 
@@ -108,14 +122,57 @@ The resource ID takes the form: --- -#### System-assigned managed identities +#### Managed identity as a federated identity credential + +This [managed identity as a federated identity credential](/entra/workload-id/workload-identity-federation-config-app-trust-managed-identity?tabs=microsoft-entra-admin-center%2Cdotnet) feature is supported in `Microsoft.Extensions.Azure` versions 1.12.0 and later. The feature doesn't work with system-assigned managed identity. A user-assigned managed identity can be used by providing a client ID, resource ID, or object ID. + +## [Client ID](#tab/client-id) ```json { - "credential": "managedidentity" + "credential": "managedidentityasfederatedidentity", + "azureCloud": "", + "tenantId": "", + "clientId": "", + "managedIdentityClientId": "" +} +``` + +## [Resource ID](#tab/resource-id) + +```json +{ + "credential": "managedidentityasfederatedidentity", + "azureCloud": "", + "tenantId": "", + "clientId": "", + "managedIdentityResourceId": "" } ``` +The resource ID takes the form +`/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}` + +## [Object ID](#tab/object-id) + +```json +{ + "credential": "managedidentityasfederatedidentity", + "azureCloud": "", + "tenantId": "", + "clientId": "", + "managedIdentityObjectId": "" +} +``` + +--- + +The `azureCloud` key value is used to set the Microsoft Entra token scope. It can be one of the following values: + +- `public` for Azure Public Cloud +- `usgov` for Azure US Government Cloud +- `china` for Azure operated by 21Vianet + ### Create an instance of `AzurePipelinesCredential` To create an instance of , add the following key-value pairs to your _appsettings.json_ file: From 4021be25ba93a69ac4a6ceac39b8b46cc4e1e58e Mon Sep 17 00:00:00 2001 
From: Scott Addie Date: Fri, 13 Jun 2025 13:53:02 -0500 Subject: [PATCH 2/4] Add missing word --- .../create-token-credentials-from-configuration.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/azure/sdk/authentication/create-token-credentials-from-configuration.md b/docs/azure/sdk/authentication/create-token-credentials-from-configuration.md index ce0b5829e95e4..e371277991e79 100644 --- a/docs/azure/sdk/authentication/create-token-credentials-from-configuration.md +++ b/docs/azure/sdk/authentication/create-token-credentials-from-configuration.md @@ -124,7 +124,7 @@ The resource ID takes the form #### Managed identity as a federated identity credential -This [managed identity as a federated identity credential](/entra/workload-id/workload-identity-federation-config-app-trust-managed-identity?tabs=microsoft-entra-admin-center%2Cdotnet) feature is supported in `Microsoft.Extensions.Azure` versions 1.12.0 and later. The feature doesn't work with system-assigned managed identity. A user-assigned managed identity can be used by providing a client ID, resource ID, or object ID. +The [managed identity as a federated identity credential](/entra/workload-id/workload-identity-federation-config-app-trust-managed-identity?tabs=microsoft-entra-admin-center%2Cdotnet) feature is supported in `Microsoft.Extensions.Azure` versions 1.12.0 and later. The feature doesn't work with system-assigned managed identity. A user-assigned managed identity can be used by providing a client ID, resource ID, or object ID. ## [Client ID](#tab/client-id) @@ -167,7 +167,7 @@ The resource ID takes the form --- -The `azureCloud` key value is used to set the Microsoft Entra token scope. It can be one of the following values: +The `azureCloud` key value is used to set the Microsoft Entra access token scope. It can be one of the following values: - `public` for Azure Public Cloud - `usgov` for Azure US Government Cloud 
From 5b9fc9067d0e89d7eabfa87e6cdfb0c3bdf65f1f Mon Sep 17 00:00:00 2001 From: Scott Addie <10702007+scottaddie@users.noreply.github.com> Date: Fri, 13 Jun 2025 14:05:20 -0500 Subject: [PATCH 3/4] Update docs/azure/sdk/authentication/create-token-credentials-from-configuration.md Co-authored-by: Christopher Scott --- .../create-token-credentials-from-configuration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/azure/sdk/authentication/create-token-credentials-from-configuration.md b/docs/azure/sdk/authentication/create-token-credentials-from-configuration.md index e371277991e79..daa593bdca93e 100644 --- a/docs/azure/sdk/authentication/create-token-credentials-from-configuration.md +++ b/docs/azure/sdk/authentication/create-token-credentials-from-configuration.md @@ -67,7 +67,7 @@ Add the wildcard value `*` to allow the credential to acquire tokens for any Mic ### Create an instance of `ManagedIdentityCredential` -You can use a managed identity in the following ways using configuration values: +You can configure a credential to utilize a managed identity in the following ways using configuration values: - System-assigned managed identity - User-assigned managed identity From b11156851c4aba03f593b1023f97899b2bddf5db Mon Sep 17 00:00:00 2001 From: Scott Addie <10702007+scottaddie@users.noreply.github.com> Date: Fri, 13 Jun 2025 14:10:28 -0500 Subject: [PATCH 4/4] Update docs/azure/sdk/authentication/create-token-credentials-from-configuration.md Co-authored-by: Christopher Scott --- .../create-token-credentials-from-configuration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/azure/sdk/authentication/create-token-credentials-from-configuration.md b/docs/azure/sdk/authentication/create-token-credentials-from-configuration.md index daa593bdca93e..58112c00ed7bd 100644 --- a/docs/azure/sdk/authentication/create-token-credentials-from-configuration.md 
+++ b/docs/azure/sdk/authentication/create-token-credentials-from-configuration.md @@ -124,7 +124,7 @@ The resource ID takes the form #### Managed identity as a federated identity credential -The [managed identity as a federated identity credential](/entra/workload-id/workload-identity-federation-config-app-trust-managed-identity?tabs=microsoft-entra-admin-center%2Cdotnet) feature is supported in `Microsoft.Extensions.Azure` versions 1.12.0 and later. The feature doesn't work with system-assigned managed identity. A user-assigned managed identity can be used by providing a client ID, resource ID, or object ID. +The [managed identity as a federated identity credential](/entra/workload-id/workload-identity-federation-config-app-trust-managed-identity?tabs=microsoft-entra-admin-center%2Cdotnet) feature is supported in `Microsoft.Extensions.Azure` versions 1.12.0 and later. The feature doesn't work with system-assigned managed identity. The credential can be configured with a user-assigned managed identity by providing a client ID, resource ID, or object ID. ## [Client ID](#tab/client-id)
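Review bot: In PATCH 1/4, hunk `@@ -67,9 +67,23 @@`, the new third bullet, "Managed identity as a federated identity credential", sits under the heading "Create an instance of `ManagedIdentityCredential`", yet its samples later in the patch use `"credential": "managedidentityasfederatedidentity"` rather than `"managedidentity"`. Either give the federated case its own `###` section or add a sentence stating which credential type that value produces, so the heading and the "To create an instance of" sentence stay accurate for all three bullets.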
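Review bot: In PATCH 1/4, hunk `@@ -78,7 +92,7 @@`, the user-assigned Client ID sample changes its key from `"clientId"` to `"managedIdentityClientId"` with no accompanying text. Readers who already have `"credential": "managedidentity"` with `clientId` in _appsettings.json_ cannot tell from this page whether the old key is still honored or from which `Microsoft.Extensions.Azure` version the new key is recognized. The federated section states a minimum version (1.12.0), and this sample should carry the equivalent statement plus a note on the old key.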
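Review bot: In PATCH 1/4, hunk `@@ -108,14 +122,57 @@`, each federated sample carries `tenantId`, `clientId` and one `managedIdentity…Id` key, but no sentence says which identity each key refers to. With two client-ID-shaped values side by side (`"clientId": ""` and `"managedIdentityClientId": ""`), a reader has to guess which value goes where. Add one line per key above the tabs. In the same hunk, the `azureCloud` list gives the allowed values (`public`, `usgov`, `china`) but not whether the key is required or what happens when it is omitted; state the default.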
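Review bot: In PATCH 3/4, hunk `@@ -67,7 +67,7 @@`, the replacement sentence "You can configure a credential to utilize a managed identity in the following ways using configuration values:" says "configure" and "using configuration values" in the same clause. Consider "You can configure a credential to use a managed identity in the following ways:", since the page title already establishes that configuration files are the mechanism.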