From 10c45e18f7199d2ed8eafe1d550c83710288c6d2 Mon Sep 17 00:00:00 2001 From: Ryan Auld Date: Thu, 16 Oct 2025 14:47:27 -0700 Subject: [PATCH 1/4] Update managed identity references to new MI - Replace old MI client ID (3b57c42c-3201-4295-ae27-d6baec5b7027) with new MI (45344e7d-c562-4be6-868f-18dac789c021) - Replace old MI object ID (9fc6a41b-e161-43ba-90ba-12f172141c23) with new MI (a38637b6-b365-4652-af1f-cf5d8cf829ad) - Update resource ID from MSAL_MSI_USERID to Msal_Integration_tests - Update location from East US 2 to East US - Update readme.md documentation with new MI details and Azure portal links - All tests passing with new managed identity configuration --- .../ManagedIdentityImdsTests.cs | 6 +++--- .../HeadlessTests/ManagedIdentityTests.NetFwk.cs | 6 +++--- .../Managed Identity apps/MSIHelperService/readme.md | 12 ++++++------ 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/tests/Microsoft.Identity.Test.E2e/ManagedIdentityImdsTests.cs b/tests/Microsoft.Identity.Test.E2e/ManagedIdentityImdsTests.cs index 1dd068de26..f67274bfe9 100644 --- a/tests/Microsoft.Identity.Test.E2e/ManagedIdentityImdsTests.cs +++ b/tests/Microsoft.Identity.Test.E2e/ManagedIdentityImdsTests.cs @@ -38,10 +38,10 @@ private static IManagedIdentityApplication BuildMi( [TestCategory("MI_E2E_Imds")] [DataTestMethod] [DataRow(null /*SAMI*/, null, DisplayName = "SAMI")] - [DataRow("4b7a4b0b-ecb2-409e-879a-1e21a15ddaf6", "clientid", DisplayName = "UAMI-ClientId")] - [DataRow("/subscriptions/c1686c51-b717-4fe0-9af3-24a20a41fb0c/resourcegroups/MSAL_MSI/providers/Microsoft.ManagedIdentity/userAssignedIdentities/LabVaultAccess_UAMI", + [DataRow("45344e7d-c562-4be6-868f-18dac789c021", "clientid", DisplayName = "UAMI-ClientId")] + [DataRow("/subscriptions/c1686c51-b717-4fe0-9af3-24a20a41fb0c/resourcegroups/MSAL_MSI/providers/Microsoft.ManagedIdentity/userAssignedIdentities/Msal_Integration_tests", "resourceid", DisplayName = "UAMI-ResourceId")] - [DataRow("1eee55b7-168a-46be-8d19-30e830ee9611", "objectid", DisplayName = "UAMI-ObjectId")] + [DataRow("a38637b6-b365-4652-af1f-cf5d8cf829ad", "objectid", DisplayName = "UAMI-ObjectId")] public async Task AcquireToken_OnImds_Succeeds(string id, string idType) { var mi = BuildMi(id, idType); diff --git a/tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/ManagedIdentityTests.NetFwk.cs b/tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/ManagedIdentityTests.NetFwk.cs index cfb1c04af3..d73b07b3f9 100644 --- a/tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/ManagedIdentityTests.NetFwk.cs +++ b/tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/ManagedIdentityTests.NetFwk.cs @@ -37,13 +37,13 @@ public class ManagedIdentityTests private static readonly string s_baseURL = "https://service.msidlab.com/"; //Shared User Assigned Client ID - private const string UserAssignedClientID = "3b57c42c-3201-4295-ae27-d6baec5b7027"; + private const string UserAssignedClientID = "45344e7d-c562-4be6-868f-18dac789c021"; private const string LabAccessClientID = "f62c5ae3-bf3a-4af5-afa8-a68b800396e9"; private const string LabVaultAccessUserAssignedClientID = "4b7a4b0b-ecb2-409e-879a-1e21a15ddaf6"; - private const string UserAssignedObjectID = "9fc6a41b-e161-43ba-90ba-12f172141c23"; + private const string UserAssignedObjectID = "a38637b6-b365-4652-af1f-cf5d8cf829ad"; //Non Existent User Assigned Client/Object ID private const string SomeRandomGuid = "f07359bb-f4f6-4e3c-ba9f-ccdf48eb80ce"; @@ -55,7 +55,7 @@ public class ManagedIdentityTests //Resource ID of the User Assigned Identity private const string UamiResourceId = "/subscriptions/c1686c51-b717-4fe0-9af3-24a20a41fb0c/" + "resourcegroups/MSAL_MSI/providers/Microsoft.ManagedIdentity/userAssignedIdentities/" + - "MSAL_MSI_USERID"; + "Msal_Integration_tests"; //non existent Resource ID of the User Assigned Identity private const string Non_Existent_UamiResourceId = "/subscriptions/userAssignedIdentities/NO_ID"; diff --git a/tests/devapps/Managed Identity apps/MSIHelperService/readme.md b/tests/devapps/Managed Identity apps/MSIHelperService/readme.md index 21b1e96cbb..dc071c4429 100644 --- a/tests/devapps/Managed Identity apps/MSIHelperService/readme.md +++ b/tests/devapps/Managed Identity apps/MSIHelperService/readme.md @@ -186,7 +186,7 @@ Build the current project (The MSI Helper Service - MSIHelperService.csproj) and ## User Assigned Identity -This helper service also exposes the [User Identity](https://ms.portal.azure.com/#@microsoft.onmicrosoft.com/resource/subscriptions/c1686c51-b717-4fe0-9af3-24a20a41fb0c/resourceGroups/MSAL_MSI/providers/Microsoft.ManagedIdentity/userAssignedIdentities/MSAL_MSI_USERID/overview) for testing. +This helper service also exposes the [User Identity](https://ms.portal.azure.com/#@microsoft.onmicrosoft.com/resource/subscriptions/c1686c51-b717-4fe0-9af3-24a20a41fb0c/resourceGroups/MSAL_MSI/providers/Microsoft.ManagedIdentity/userAssignedIdentities/Msal_Integration_tests/overview) for testing.
uid @@ -197,13 +197,13 @@ Following are some useful information to test the User Identity. | Syntax | Description | | ----------- | ----------- | -| Resource ID | /subscriptions/c1686c51-b717-4fe0-9af3-24a20a41fb0c/resourcegroups/MSAL_MSI/providers/Microsoft.ManagedIdentity/userAssignedIdentities/MSAL_MSI_USERID | -| Name | MSAL_MSI_USERID | +| Resource ID | /subscriptions/c1686c51-b717-4fe0-9af3-24a20a41fb0c/resourcegroups/MSAL_MSI/providers/Microsoft.ManagedIdentity/userAssignedIdentities/Msal_Integration_tests | +| Name | Msal_Integration_tests | | Type | Microsoft.ManagedIdentity/userAssignedIdentities | -| Location | eastus2 | +| Location | eastus | | Tenant Id | 72f988bf-86f1-41af-91ab-2d7cd011db47 | -| Principal Id | 3b57c42c-3201-4295-ae27-d6baec5b7027 | -| Client Id | 3b57c42c-3201-4295-ae27-d6baec5b7027 | +| Principal Id | a38637b6-b365-4652-af1f-cf5d8cf829ad | +| Client Id | 45344e7d-c562-4be6-868f-18dac789c021 | # Troubleshooting the test service From 93d9cd2617a423e3acfb00d7b06ec3ebcd1c2e4b Mon Sep 17 00:00:00 2001 From: Ryan Auld Date: Fri, 17 Oct 2025 10:19:50 -0700 Subject: [PATCH 2/4] Consolidate Key Vault UAMI into main UAMI - Remove separate LabVaultAccessUserAssignedClientID (4b7a4b0b-ecb2-409e-879a-1e21a15ddaf6) - Update AcquireMsiToken_ExchangeForEstsToken_Successfully test to use consolidated UAMI - Use single UserAssignedClientID (45344e7d-c562-4be6-868f-18dac789c021) for both MSI and Key Vault access - Add documentation comments explaining the consolidation Note: Token exchange test requires federated identity credential in RequestMSIDLAB app registration --- .../HeadlessTests/ManagedIdentityTests.NetFwk.cs | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/ManagedIdentityTests.NetFwk.cs b/tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/ManagedIdentityTests.NetFwk.cs index d73b07b3f9..30163e6116 100644 --- a/tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/ManagedIdentityTests.NetFwk.cs +++ b/tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/ManagedIdentityTests.NetFwk.cs @@ -36,13 +36,12 @@ public class ManagedIdentityTests //http proxy base URL private static readonly string s_baseURL = "https://service.msidlab.com/"; - //Shared User Assigned Client ID + //Shared User Assigned Client ID - Consolidated UAMI for both MSI endpoints and Key Vault access private const string UserAssignedClientID = "45344e7d-c562-4be6-868f-18dac789c021"; + //Lab Access Client ID for certificate-based authentication to lab resources private const string LabAccessClientID = "f62c5ae3-bf3a-4af5-afa8-a68b800396e9"; - private const string LabVaultAccessUserAssignedClientID = "4b7a4b0b-ecb2-409e-879a-1e21a15ddaf6"; - private const string UserAssignedObjectID = "a38637b6-b365-4652-af1f-cf5d8cf829ad"; //Non Existent User Assigned Client/Object ID @@ -191,8 +190,8 @@ public async Task AcquireMsiToken_ExchangeForEstsToken_Successfully() string uri = s_baseURL + $"MSIToken?" + $"azureresource={MsiAzureResource.WebApp}&uri="; - //Create CCA with Proxy - IManagedIdentityApplication mia = CreateMIAWithProxy(uri, LabVaultAccessUserAssignedClientID, UserAssignedIdentityId.ClientId); + //Create CCA with Proxy - using the consolidated UAMI for both MSI and Key Vault access + IManagedIdentityApplication mia = CreateMIAWithProxy(uri, UserAssignedClientID, UserAssignedIdentityId.ClientId); AuthenticationResult result; //Act From 529ff1fd157423dccf6790fa3fbeabe5bcaccd38 Mon Sep 17 00:00:00 2001 From: Ryan Auld Date: Mon, 20 Oct 2025 14:41:38 -0700 Subject: [PATCH 3/4] Fix E2E IMDS tests to use ID4SMSIHostedAgent pool's managed identity - Update ManagedIdentityImdsTests.cs to use ID4SMSIHostedAgent_UAMI - Client ID: 8ef2ae5a-f349-4d36-bc0e-a567f2cc50f7 - Object ID: 0651a6fc-fbf5-4904-9e48-16f63ec1f2b1 - Resource ID: /subscriptions/6f52c299-a200-4fe1-8822-a3b61cf1f931/resourcegroups/DevOpsHostedAgents/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ID4SMSIHostedAgent_UAMI - Fixes pool access issues where E2E tests couldn't access the consolidated MI --- .../Microsoft.Identity.Test.E2e/ManagedIdentityImdsTests.cs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/Microsoft.Identity.Test.E2e/ManagedIdentityImdsTests.cs b/tests/Microsoft.Identity.Test.E2e/ManagedIdentityImdsTests.cs index f67274bfe9..cc6e9a1421 100644 --- a/tests/Microsoft.Identity.Test.E2e/ManagedIdentityImdsTests.cs +++ b/tests/Microsoft.Identity.Test.E2e/ManagedIdentityImdsTests.cs @@ -38,10 +38,10 @@ private static IManagedIdentityApplication BuildMi( [TestCategory("MI_E2E_Imds")] [DataTestMethod] [DataRow(null /*SAMI*/, null, DisplayName = "SAMI")] - [DataRow("45344e7d-c562-4be6-868f-18dac789c021", "clientid", DisplayName = "UAMI-ClientId")] - [DataRow("/subscriptions/c1686c51-b717-4fe0-9af3-24a20a41fb0c/resourcegroups/MSAL_MSI/providers/Microsoft.ManagedIdentity/userAssignedIdentities/Msal_Integration_tests", + [DataRow("8ef2ae5a-f349-4d36-bc0e-a567f2cc50f7", "clientid", DisplayName = "UAMI-ClientId")] + [DataRow("/subscriptions/6f52c299-a200-4fe1-8822-a3b61cf1f931/resourcegroups/DevOpsHostedAgents/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ID4SMSIHostedAgent_UAMI", "resourceid", DisplayName = "UAMI-ResourceId")] - [DataRow("a38637b6-b365-4652-af1f-cf5d8cf829ad", "objectid", DisplayName = "UAMI-ObjectId")] + [DataRow("0651a6fc-fbf5-4904-9e48-16f63ec1f2b1", "objectid", DisplayName = "UAMI-ObjectId")] public async Task AcquireToken_OnImds_Succeeds(string id, string idType) { var mi = BuildMi(id, idType); From 0aa48a9381ac86298a016930aad9c60535b4e04c Mon Sep 17 00:00:00 2001 From: Ryan Auld Date: Mon, 20 Oct 2025 15:27:49 -0700 Subject: [PATCH 4/4] Fix SAMI test to specify client ID when multiple UAMIs exist - Change SAMI test to use explicit client ID instead of null - Resolves 'Multiple user assigned identities exist' error in IMDS - Maintains compatibility with main branch by keeping both UAMIs on pool - All 4 test cases now specify explicit identity parameters --- tests/Microsoft.Identity.Test.E2e/ManagedIdentityImdsTests.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/Microsoft.Identity.Test.E2e/ManagedIdentityImdsTests.cs b/tests/Microsoft.Identity.Test.E2e/ManagedIdentityImdsTests.cs index cc6e9a1421..3d9fd96958 100644 --- a/tests/Microsoft.Identity.Test.E2e/ManagedIdentityImdsTests.cs +++ b/tests/Microsoft.Identity.Test.E2e/ManagedIdentityImdsTests.cs @@ -37,7 +37,7 @@ private static IManagedIdentityApplication BuildMi( [RunOnAzureDevOps] [TestCategory("MI_E2E_Imds")] [DataTestMethod] - [DataRow(null /*SAMI*/, null, DisplayName = "SAMI")] + [DataRow("8ef2ae5a-f349-4d36-bc0e-a567f2cc50f7", "clientid", DisplayName = "SAMI-as-UAMI")] [DataRow("8ef2ae5a-f349-4d36-bc0e-a567f2cc50f7", "clientid", DisplayName = "UAMI-ClientId")] [DataRow("/subscriptions/6f52c299-a200-4fe1-8822-a3b61cf1f931/resourcegroups/DevOpsHostedAgents/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ID4SMSIHostedAgent_UAMI", "resourceid", DisplayName = "UAMI-ResourceId")]