ManagedIdentityObjectId property of CertificatelessOptions should be renamed ManagedIdentityClientId
Microsoft.Identity.Web Library: Microsoft.Identity.Web.CertificateLess
Microsoft.Identity.Web version: 1.25.10
Web app: Sign-in users and call web APIs
Web API: Protected web APIs call downstream web APIs
Token cache serialization: Not Applicable
Description
The ManagedIdentityObjectId property in CertificatelessOptions should actually be named "ManagedIdentityClientId".
It is passed in the TokenAcquisition class to the managedIdentityClientId constructor parameter of ManagedIdentityClientAssertion:
builder.WithClientAssertion(new ManagedIdentityClientAssertion(mergedOptions.ClientCredentialsUsingManagedIdentity.ManagedIdentityObjectId).GetSignedAssertion);
This value is then in turn passed to the ManagedIdentityClientId property of the DefaultAzureCredentialOptions:
var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions { ManagedIdentityClientId = _managedIdentityClientId });
This option requires the clientId of the managed identity, not the objectId.
Reproduction steps
- Configure Certless app authentication with Managed Identity using CertificateLessOptions
- Provide the objectId of the managed identity to the AzureAd -> ClientCredentialsUsingManagedIdentity -> ManagedIdentityObjectIdentity config property
- Attempt to request a token
Error message
The compute platform returns an error indicating that the requested managed identity is not available:
[Error] JWT Token exception: Azure.Identity.AuthenticationFailedException: ManagedIdentityCredential authentication failed: Service request failed. Status: 400 (Bad Request)
Content: {"statusCode":400,"message":"Unable to load the proper Managed Identity.","correlationId":"3f54e937-2426-4ac6-8b3b-e11f7ff28c02"}
Id Web logs
No response
Relevant code snippets
{
  "AzureAd": {
    "Instance": "https://login.windows-ppe.net/",
    "ClientId": "[Client_id-of-web-app-eg-2ec40e65-ba09-4853-bcde-bcb60029e596]",
    "TenantId": "common",
    // To call an API
    "ClientCredentialsUsingManagedIdentity": {
      "IsEnabled": true,
      "ManagedIdentityObjectIdentity": "2387ff05-c838-43cd-b072-63de4be15119"
    },
  },
  "GraphBeta": {
    "BaseUrl": "https://graph.microsoft-ppe.com/beta",
    "Scopes": "user.read"
  }
}
Regression
No response
Expected behavior
Developer would expect the system to request tokens using the provided ObjectID (as is available at the MSI Rest layer here)
As the DefaultAzureCredential dependency here does not support requesting tokens by objectId, but only by ClientId, the developer should be asked to provide the clientId instead.
Renaming this parameter with a breaking change in the next major version of the library would be appropriate.
Documentation updates pointing out the need to pass a clientId to this parameter for the current version would help prevent developer confusion.
Hi Chris, this is done and should be available internally (from the Azure DevOps IDDP artifact feed) later today as part of the first released version of Microsoft.Identity.Web 2.x.
Regards
Jean-Marc
From: Chris Brooks. Sent: Sunday, December 4, 2022 13:51. To: AzureAD/microsoft-identity-web. Cc: Jean-Marc Prieur; Comment. Subject: Re: [AzureAD/microsoft-identity-web] ManagedIdentityObjectId property of CertificatelessOptions should be renamed ManagedIdentityClientId (Issue #1991)
The clientId is used when referring to a specific associated User-Assigned Managed Identity. When referring to the System-Assigned identity on a resource (as shown in the image above), the default constructor (with no clientId) is used.
The clientId of a user-assigned managed identity is found on the summary page for the identity:
[image]
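The certificateless flow described in the issue body and in Chris Brooks's comment, written out end to end as an added example (not Microsoft.Identity.Web's own code): a managed identity token for the token-exchange audience is supplied as the app registration's federated client assertion, with a null client id selecting the system-assigned identity. The token-exchange scope, the GUIDs, the authority URL and the environment variable name are assumptions or constructed placeholders.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Microsoft.Identity.Client;

// Added example. Azure.Identity selects a user-assigned managed identity (MI) by its
// *client* id; passing the object id is what produces the "Unable to load the proper
// Managed Identity" 400 seen in the issue.
public sealed class ManagedIdentityAssertionProvider
{
    // Audience for federated identity credentials (assumed value; confirm against the library).
    private const string TokenExchangeScope = "api://AzureADTokenExchange/.default";
    private readonly TokenCredential _credential;

    // null/empty => system-assigned identity (no id needed); otherwise the
    // user-assigned identity's client id, never its object id.
    public ManagedIdentityAssertionProvider(string? managedIdentityClientId)
    {
        _credential = string.IsNullOrEmpty(managedIdentityClientId)
            ? new ManagedIdentityCredential()
            : new ManagedIdentityCredential(managedIdentityClientId);
    }

    // Shape accepted by WithClientAssertion: Func<CancellationToken, Task<string>>.
    public async Task<string> GetSignedAssertionAsync(CancellationToken ct)
    {
        AccessToken token = await _credential.GetTokenAsync(
            new TokenRequestContext(new[] { TokenExchangeScope }), ct);
        return token.Token; // the MI token itself is the client assertion
    }
}

public static class Program
{
    public static async Task Main()
    {
        // Constructed placeholders: app registration client id, tenant authority, env var name.
        var provider = new ManagedIdentityAssertionProvider(
            Environment.GetEnvironmentVariable("MANAGED_IDENTITY_CLIENT_ID"));
        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
            .Create("00000000-0000-0000-0000-000000000000")
            .WithAuthority("https://login.microsoftonline.com/00000000-0000-0000-0000-000000000001")
            .WithClientAssertion(provider.GetSignedAssertionAsync)
            .Build();
        AuthenticationResult result = await app
            .AcquireTokenForClient(new[] { "https://graph.microsoft.com/.default" })
            .ExecuteAsync();
        Console.WriteLine($"Downstream token acquired, expires {result.ExpiresOn:u}");
    }
}
```

Run it on an Azure host with a managed identity; on a developer machine without one, the first GetTokenAsync call fails with a CredentialUnavailableException rather than the 400 shown in the issue.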
Released in 2.5.0