[Identity] Disable probe in DAC when MICred is set exclusively (#36047)

### Issues associated with this PR
Closes #35971

### Describe the problem that is addressed by this PR
- JS MI credential is currently making a probe request in the `getToken`
call. Probe is a feature specific to DAC, so this PR will address that
issue and ensures only calling probe when MI is inside of DAC chain.
Refer to [MI consistency
gist](https://gist.github.com/ahsonkhan/d6c4d3a9780bb058a729b76844923ef1)
for more information on this feature
- With the addition of `AZURE_TOKEN_CREDENTIALS` variable, we want to
make sure standalone MI Cred behavior will be similar, so if
`AZURE_TOKEN_CREDENTIALS` is set to only MI Cred, then there should be
no probe request.

### What are the possible designs available to address the problem? If
there are more than one possible design, why was the one in this PR
chosen?


### Are there test cases added in this PR? _(If not, why?)_


### Provide a list of related PRs _(if any)_


### Command used to generate this PR:**_(Applicable only to SDK release
request PRs)_

### Checklists
- [ ] Added impacted package name to the issue description
- [ ] Does this PR needs any fixes in the SDK Generator?** _(If so,
create an Issue in the
[Autorest/typescript](https://github.com/Azure/autorest.typescript)
repository and link it here)_
- [ ] Added a changelog (if necessary)

Author: minhanh-phan

sdk/identity/identity/CHANGELOG.md

@@ -4,10 +4,14 @@
 
 ### Features Added
 
+- When `AZURE_TOKEN_CREDENTIALS` is set to only `ManagedIdentityCredential`, `DefaultAzureCredential` does not issue a probe request and performs retries with exponential backoff. [#36047](https://github.com/Azure/azure-sdk-for-js/pull/36047)
+
 ### Breaking Changes
 
 ### Bugs Fixed
 
+- Fixed an issue where `ManagedIdentityCredential` will make an additional probe request in the `getToken` call. [#36047](https://github.com/Azure/azure-sdk-for-js/pull/36047)
+
 ### Other Changes
 
 ## 4.12.0 (2025-09-09)

sdk/identity/identity/src/credentials/defaultAzureCredential.ts

@@ -147,7 +147,11 @@ export class DefaultAzureCredential extends ChainedTokenCredential {
           credentialFunctions = [createDefaultWorkloadIdentityCredential];
           break;
         case "managedidentitycredential":
-          credentialFunctions = [createDefaultManagedIdentityCredential];
+          // Setting `sendProbeRequest` to false to ensure ManagedIdentityCredential behavior
+          // is consistent when used standalone in DAC chain or used directly.
+          credentialFunctions = [
+            () => createDefaultManagedIdentityCredential({ sendProbeRequest: false }),
+          ];
           break;
         case "visualstudiocodecredential":
           credentialFunctions = [createDefaultVisualStudioCodeCredential];
@@ -181,7 +185,7 @@ export class DefaultAzureCredential extends ChainedTokenCredential {
     // 3. Returning a UnavailableDefaultCredential from the factory function if a credential is unavailable for any reason
     const credentials: TokenCredential[] = credentialFunctions.map((createCredentialFn) => {
       try {
-        return createCredentialFn(options);
+        return createCredentialFn(options ?? {});
       } catch (err: any) {
         logger.warning(
           `Skipped ${createCredentialFn.name} because of an error creating the credential: ${err}`,

sdk/identity/identity/src/credentials/defaultAzureCredentialFunctions.ts

@@ -55,15 +55,20 @@ export function createDefaultVisualStudioCodeCredential(
  * @internal
  */
 export function createDefaultManagedIdentityCredential(
-  options:
+  options: (
     | DefaultAzureCredentialOptions
     | DefaultAzureCredentialResourceIdOptions
-    | DefaultAzureCredentialClientIdOptions = {},
+    | DefaultAzureCredentialClientIdOptions
+  ) & { sendProbeRequest?: boolean } = {},
 ): TokenCredential {
   options.retryOptions ??= {
     maxRetries: 5,
     retryDelayInMs: 800,
   };
+  // ManagedIdentityCredential inside DAC chain should send a probe request by default.
+  // This is different from standalone ManagedIdentityCredential behavior
+  // or when AZURE_TOKEN_CREDENTIALS is set to only ManagedIdentityCredential.
+  options.sendProbeRequest ??= true;
   const managedIdentityClientId =
     (options as DefaultAzureCredentialClientIdOptions)?.managedIdentityClientId ??
     process.env.AZURE_CLIENT_ID;

sdk/identity/identity/src/credentials/managedIdentityCredential/index.ts

@@ -18,6 +18,7 @@ import { tokenExchangeMsi } from "./tokenExchangeMsi.js";
 import { mapScopesToResource, serviceFabricErrorMessage } from "./utils.js";
 import type { MsalToken, ValidMsalToken } from "../../msal/types.js";
 import type {
+  InternalManagedIdentityCredentialOptions,
   ManagedIdentityCredentialClientIdOptions,
   ManagedIdentityCredentialObjectIdOptions,
   ManagedIdentityCredentialResourceIdOptions,
@@ -45,6 +46,7 @@ export class ManagedIdentityCredential implements TokenCredential {
     intervalIncrement: 2,
   };
   private isAvailableIdentityClient: IdentityClient;
+  private sendProbeRequest: boolean;
 
   /**
    * Creates an instance of ManagedIdentityCredential with the client ID of a
@@ -94,7 +96,8 @@ export class ManagedIdentityCredential implements TokenCredential {
     }
     this.resourceId = (_options as ManagedIdentityCredentialResourceIdOptions)?.resourceId;
     this.objectId = (_options as ManagedIdentityCredentialObjectIdOptions)?.objectId;
-
+    this.sendProbeRequest =
+      (_options as InternalManagedIdentityCredentialOptions)?.sendProbeRequest ?? false;
     // For JavaScript users.
     const providedIds = [
       { key: "clientId", value: this.clientId },
@@ -247,7 +250,7 @@ export class ManagedIdentityCredential implements TokenCredential {
           }
 
           return result;
-        } else if (isImdsMsi) {
+        } else if (isImdsMsi && this.sendProbeRequest) {
           // In the IMDS scenario we will probe the IMDS endpoint to ensure it's available before trying to get a token.
           // If the IMDS endpoint is not available and this is the source that MSAL will use, we will fail-fast with an error that tells DAC to move to the next credential.
           logger.getToken.info("Using the IMDS endpoint to probe for availability.");
@@ -268,7 +271,8 @@ export class ManagedIdentityCredential implements TokenCredential {
 
         // If we got this far, it means:
         // - This is not a tokenExchangeMsi,
-        // - We already probed for IMDS endpoint availability and failed-fast if it's unreachable.
+        // - We already probed for IMDS endpoint availability and failed-fast if it's unreachable,
+        // or we skip probing because the credential is set in DAC.
         // We can proceed normally by calling MSAL for a token.
         logger.getToken.info("Calling into MSAL for managed identity token.");
         const token = await this.managedIdentityApp.acquireToken({

sdk/identity/identity/src/credentials/managedIdentityCredential/options.ts

@@ -40,3 +40,20 @@ export interface ManagedIdentityCredentialObjectIdOptions extends TokenCredentia
    */
   objectId: string;
 }
+
+/**
+ * @internal
+ * Internal options for configuring the {@link ManagedIdentityCredential} with disable probe ability for DAC.
+ * This type ensures that we can use any of the credential options (clientId, resourceId, or objectId)
+ * along with the disableProbe flag for DefaultAzureCredential.
+ */
+export type InternalManagedIdentityCredentialOptions =
+  | (ManagedIdentityCredentialClientIdOptions & ManagedIdentityDisableProbeOptions)
+  | (ManagedIdentityCredentialResourceIdOptions & ManagedIdentityDisableProbeOptions)
+  | (ManagedIdentityCredentialObjectIdOptions & ManagedIdentityDisableProbeOptions);
+
+/**
+ * Options for configuring Managed Identity Credential with disable probe.
+ * This is only meant to use in DefaultAzureCredential when AZURE_TOKEN_CREDENTIALS is set to Managed Identity Credential.
+ */
+type ManagedIdentityDisableProbeOptions = { sendProbeRequest?: boolean };

sdk/identity/identity/test/internal/node/defaultAzureCredential.spec.ts

@@ -26,6 +26,7 @@ describe("DefaultAzureCredential", () => {
       `Invalid value for AZURE_TOKEN_CREDENTIALS = randomValue. Valid values are 'prod' or 'dev' or any of these credentials - EnvironmentCredential, WorkloadIdentityCredential, ManagedIdentityCredential, VisualStudioCodeCredential, AzureCliCredential, AzurePowerShellCredential, AzureDeveloperCliCredential.`,
     );
   });
+
   it("should not throw an error if AZURE_TOKEN_CREDENTIALS is set to a supported value", () => {
     vi.stubEnv("AZURE_TOKEN_CREDENTIALS", "prod");
     expect(() => new DefaultAzureCredential()).not.toThrowError();
@@ -122,6 +123,12 @@ describe("create functions", () => {
     expect(cliSpy).not.toHaveBeenCalled();
     expect(devCliSpy).not.toHaveBeenCalled();
     expect(psSpy).not.toHaveBeenCalled();
+
+    expect(miSpy).toHaveBeenCalledWith(
+      expect.objectContaining({
+        sendProbeRequest: false,
+      }),
+    );
   });
 
   it("calls only createDefaultWorkloadIdentityCredential when AZURE_TOKEN_CREDENTIALS is 'WorkloadIdentityCredential'", () => {
@@ -201,6 +208,12 @@ describe("create functions", () => {
 
     expect(envSpy).toHaveBeenCalled();
     expect(miSpy).toHaveBeenCalled();
+    // Ensure default MI behavior is passed in correctly to send probe request
+    expect(miSpy).toHaveBeenCalledWith(
+      expect.objectContaining({
+        sendProbeRequest: true,
+      }),
+    );
     expect(wiSpy).toHaveBeenCalled();
     expect(vscSpy).not.toHaveBeenCalled();
     expect(cliSpy).not.toHaveBeenCalled();

sdk/identity/identity/test/internal/node/managedIdentityCredential/msalMsiProvider.spec.ts

@@ -16,6 +16,7 @@ import { describe, it, assert, expect, vi, beforeEach, afterEach, type MockInsta
 import type { IdentityClient } from "$internal/client/identityClient.js";
 import { serviceFabricErrorMessage } from "$internal/credentials/managedIdentityCredential/utils.js";
 import { logger } from "@azure/identity";
+import { InternalManagedIdentityCredentialOptions } from "$internal/credentials/managedIdentityCredential/options.js";
 
 describe("ManagedIdentityCredential (MSAL)", function () {
   let acquireTokenStub: MockInstance<
@@ -204,7 +205,7 @@ describe("ManagedIdentityCredential (MSAL)", function () {
       });
 
       describe("when using IMDS", function () {
-        it("probes the IMDS endpoint", async function () {
+        it("should not probe the IMDS endpoint by default", async function () {
           vi.spyOn(
             ManagedIdentityApplication.prototype,
             "getManagedIdentitySource",
@@ -213,7 +214,33 @@ describe("ManagedIdentityCredential (MSAL)", function () {
 
           const credential = new ManagedIdentityCredential();
           await credential.getToken("scope");
-          expect(imdsIsAvailableStub).toHaveBeenCalledOnce();
+          expect(imdsIsAvailableStub).not.toHaveBeenCalledOnce();
+        });
+
+        it("skips IMDS probing when sendProbeRequest is false", async function () {
+          vi.spyOn(
+            ManagedIdentityApplication.prototype,
+            "getManagedIdentitySource",
+          ).mockReturnValue("DefaultToImds");
+          acquireTokenStub.mockResolvedValue(validAuthenticationResult as AuthenticationResult);
+
+          const options: InternalManagedIdentityCredentialOptions = { sendProbeRequest: false };
+          const credential = new ManagedIdentityCredential(options);
+          await credential.getToken("scope");
+          expect(imdsIsAvailableStub).not.toHaveBeenCalled();
+        });
+
+        it("probes IMDS when sendProbeRequest is true", async function () {
+          vi.spyOn(
+            ManagedIdentityApplication.prototype,
+            "getManagedIdentitySource",
+          ).mockReturnValue("DefaultToImds");
+          acquireTokenStub.mockResolvedValue(validAuthenticationResult as AuthenticationResult);
+
+          const options: InternalManagedIdentityCredentialOptions = { sendProbeRequest: true };
+          const credential = new ManagedIdentityCredential(options);
+          await credential.getToken("scope");
+          expect(imdsIsAvailableStub).toHaveBeenCalled();
         });
       });
     });