AzureAD · trwalke · May 21, 2025 · May 22, 2025 · May 22, 2025 · May 22, 2025
diff --git a/src/client/Microsoft.Identity.Client/AppConfig/ApplicationConfiguration.cs b/src/client/Microsoft.Identity.Client/AppConfig/ApplicationConfiguration.cs
@@ -123,6 +123,7 @@ public string ClientVersion
         public string CertificateIdToAssociateWithToken { get; set; }
 
         public Func<AppTokenProviderParameters, Task<AppTokenProviderResult>> AppTokenProvider;
+        public bool IsFmiServiceFabric { get; set; }
 
         #region ClientCredentials
 

diff --git a/src/client/Microsoft.Identity.Client/AppConfig/ManagedIdentityApplicationBuilder.cs b/src/client/Microsoft.Identity.Client/AppConfig/ManagedIdentityApplicationBuilder.cs
@@ -102,6 +102,18 @@ public ManagedIdentityApplicationBuilder WithClientCapabilities(IEnumerable<stri
             return this;
         }
 
+        /// <summary>
+        /// Configures the application to use the FMI service fabric managed identity endpoint.
+        /// </summary>
+        /// <remarks>
+        /// This is used only for Service Fabric applications that are using the FMI managed identity endpoint.
+        /// </remarks>
+        public ManagedIdentityApplicationBuilder WithServiceFabricFmi()
+        {
+            Config.IsFmiServiceFabric = true;
+            return this;
+        }
+
         /// <summary>
         /// Builds an instance of <see cref="IManagedIdentityApplication"/> 
         /// from the parameters set in the <see cref="ManagedIdentityApplicationBuilder"/>.

@@ -8,6 +8,7 @@ namespace Microsoft.Identity.Client.ManagedIdentity
     internal class EnvironmentVariables
     {
         public static string IdentityEndpoint => Environment.GetEnvironmentVariable("IDENTITY_ENDPOINT");
+        public static string FmiServiceFabricEndpoint => Environment.GetEnvironmentVariable("APP_IDENTITY_ENDPOINT");
         public static string IdentityHeader => Environment.GetEnvironmentVariable("IDENTITY_HEADER");
         public static string PodIdentityEndpoint => Environment.GetEnvironmentVariable("AZURE_POD_IDENTITY_AUTHORITY_HOST");
         public static string ImdsEndpoint => Environment.GetEnvironmentVariable("IMDS_ENDPOINT");

@@ -21,11 +21,33 @@ internal class ServiceFabricManagedIdentitySource : AbstractManagedIdentity
 
         public static AbstractManagedIdentity Create(RequestContext requestContext)
         {
+            Uri endpointUri;
             string identityEndpoint = EnvironmentVariables.IdentityEndpoint;
 
             requestContext.Logger.Info(() => "[Managed Identity] Service fabric managed identity is available.");
 
-            if (!Uri.TryCreate(identityEndpoint, UriKind.Absolute, out Uri endpointUri))
+            if (requestContext.ServiceBundle.Config.IsFmiServiceFabric)
+            {
+                identityEndpoint = EnvironmentVariables.FmiServiceFabricEndpoint;
+                requestContext.Logger.Info(() => "[Managed Identity] Using FMI Service fabric endpoint.");
+
+                if (!Uri.TryCreate(identityEndpoint, UriKind.Absolute, out endpointUri))
+                {
+                    string errorMessage = string.Format(CultureInfo.InvariantCulture, MsalErrorMessage.ManagedIdentityEndpointInvalidUriError,
+                            "APP_IDENTITY_ENDPOINT", identityEndpoint, "FMI Service Fabric");
+
+                    // Use the factory to create and throw the exception
+                    var exception = MsalServiceExceptionFactory.CreateManagedIdentityException(
+                        MsalError.InvalidManagedIdentityEndpoint,
+                        errorMessage,
+                        null,
+                        ManagedIdentitySource.ServiceFabric,
+                        null);
+
+                    throw exception;
+                }
+            }
+            else if (!Uri.TryCreate(identityEndpoint, UriKind.Absolute, out endpointUri))
             {
                 string errorMessage = string.Format(CultureInfo.InvariantCulture, MsalErrorMessage.ManagedIdentityEndpointInvalidUriError,
                         "IDENTITY_ENDPOINT", identityEndpoint, "Service Fabric");
@@ -103,5 +125,10 @@ protected override ManagedIdentityRequest CreateRequest(string resource)
 
             return request;
         }
+
+        internal string GetEndpointForTesting()
+        {
+            return _endpoint.ToString();
+        }
     }
 }
diff --git a/src/client/Microsoft.Identity.Client/PublicApi/net462/PublicAPI.Unshipped.txt b/src/client/Microsoft.Identity.Client/PublicApi/net462/PublicAPI.Unshipped.txt
@@ -0,0 +1 @@
+Microsoft.Identity.Client.ManagedIdentityApplicationBuilder.WithServiceFabricFmi() -> Microsoft.Identity.Client.ManagedIdentityApplicationBuilder
diff --git a/src/client/Microsoft.Identity.Client/PublicApi/net472/PublicAPI.Unshipped.txt b/src/client/Microsoft.Identity.Client/PublicApi/net472/PublicAPI.Unshipped.txt
@@ -0,0 +1 @@
+Microsoft.Identity.Client.ManagedIdentityApplicationBuilder.WithServiceFabricFmi() -> Microsoft.Identity.Client.ManagedIdentityApplicationBuilder
diff --git a/src/client/Microsoft.Identity.Client/PublicApi/net8.0-android/PublicAPI.Unshipped.txt b/src/client/Microsoft.Identity.Client/PublicApi/net8.0-android/PublicAPI.Unshipped.txt
@@ -0,0 +1 @@
+Microsoft.Identity.Client.ManagedIdentityApplicationBuilder.WithServiceFabricFmi() -> Microsoft.Identity.Client.ManagedIdentityApplicationBuilder
diff --git a/src/client/Microsoft.Identity.Client/PublicApi/net8.0-ios/PublicAPI.Unshipped.txt b/src/client/Microsoft.Identity.Client/PublicApi/net8.0-ios/PublicAPI.Unshipped.txt
@@ -0,0 +1 @@
+Microsoft.Identity.Client.ManagedIdentityApplicationBuilder.WithServiceFabricFmi() -> Microsoft.Identity.Client.ManagedIdentityApplicationBuilder
diff --git a/src/client/Microsoft.Identity.Client/PublicApi/net8.0/PublicAPI.Unshipped.txt b/src/client/Microsoft.Identity.Client/PublicApi/net8.0/PublicAPI.Unshipped.txt
@@ -0,0 +1 @@
+Microsoft.Identity.Client.ManagedIdentityApplicationBuilder.WithServiceFabricFmi() -> Microsoft.Identity.Client.ManagedIdentityApplicationBuilder
diff --git a/src/client/Microsoft.Identity.Client/PublicApi/netstandard2.0/PublicAPI.Unshipped.txt b/src/client/Microsoft.Identity.Client/PublicApi/netstandard2.0/PublicAPI.Unshipped.txt
@@ -0,0 +1 @@
+Microsoft.Identity.Client.ManagedIdentityApplicationBuilder.WithServiceFabricFmi() -> Microsoft.Identity.Client.ManagedIdentityApplicationBuilder
@@ -32,7 +32,7 @@ public enum MsiAzureResource
             ServiceFabric
         }
 
-        public static void SetEnvironmentVariables(ManagedIdentitySource managedIdentitySource, string endpoint, string secret = "secret", string thumbprint = "thumbprint")
+        public static void SetEnvironmentVariables(ManagedIdentitySource managedIdentitySource, string endpoint, string secret = "secret", string thumbprint = "thumbprint", string fmiEndpoint = "")
         {
             switch (managedIdentitySource)
             {
@@ -56,6 +56,7 @@ public static void SetEnvironmentVariables(ManagedIdentitySource managedIdentity
 
                 case ManagedIdentitySource.ServiceFabric:
                     Environment.SetEnvironmentVariable("IDENTITY_ENDPOINT", endpoint);
+                    Environment.SetEnvironmentVariable("APP_IDENTITY_ENDPOINT", fmiEndpoint);
                     Environment.SetEnvironmentVariable("IDENTITY_HEADER", secret);
                     Environment.SetEnvironmentVariable("IDENTITY_SERVER_THUMBPRINT", thumbprint);
                     break;

@@ -91,6 +91,29 @@ public void ValidateServerCertificateCallback_ServerCertificateValidationCallbac
             }
         }
 
+        [TestMethod]
+        public void ValidateThatFmiEndpointIsUsed()
+        {
+            using (new EnvVariableContext())
+            using (var httpManager = new MockHttpManager())
+            {
+                SetEnvironmentVariables(ManagedIdentitySource.ServiceFabric, "http://localhost:40342/metadata/identity/oauth2/token", fmiEndpoint: "http://localhost:40343/metadata/identity/oauth2/token");
+
+                var miBuilder = ManagedIdentityApplicationBuilder.Create(ManagedIdentityId.SystemAssigned)
+                    .WithServiceFabricFmi()
+                    .WithHttpManager(httpManager);
+
+                var mi = miBuilder.BuildConcrete();
+
+                RequestContext requestContext = new RequestContext(mi.ServiceBundle, Guid.NewGuid(), null);
+
+                ServiceFabricManagedIdentitySource sf = ServiceFabricManagedIdentitySource.Create(requestContext) as ServiceFabricManagedIdentitySource;
+
+                Assert.IsInstanceOfType(sf, typeof(ServiceFabricManagedIdentitySource));
+                Assert.AreEqual("http://localhost:40343/metadata/identity/oauth2/token", sf.GetEndpointForTesting());
+            }
+        }
+
         [TestMethod]
         public async Task SFThrowsWhenGetHttpClientWithValidationIsNotImplementedAsync()
         {
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Microsoft.Identity.Client.ManagedIdentityApplicationBuilder.WithServiceFabricFmi() -> Microsoft.Identity.Client.ManagedIdentityApplicationBuilder