[Identity] Upgrade MSAL dependencies to 4.78.0 and prepare patch for Azure.Identity (#54037)

* Update MSAL dependencies to version 4.78.0

* Revert Azure.Identity to latest release tag

* Add changelog entry

* Prepare release

Author: JonathanCrd

eng/Packages.Data.props

@@ -185,9 +185,9 @@
     <!-- Other approved packages -->
     <PackageReference Update="Microsoft.Azure.Amqp" Version="2.7.0" />
     <PackageReference Update="Microsoft.Azure.WebPubSub.Common" Version="1.5.0" />
-    <PackageReference Update="Microsoft.Identity.Client" Version="4.76.0" />
-    <PackageReference Update="Microsoft.Identity.Client.Extensions.Msal" Version="4.76.0" />
-    <PackageReference Update="Microsoft.Identity.Client.Broker" Version="4.76.0" />
+    <PackageReference Update="Microsoft.Identity.Client" Version="4.78.0" />
+    <PackageReference Update="Microsoft.Identity.Client.Extensions.Msal" Version="4.78.0" />
+    <PackageReference Update="Microsoft.Identity.Client.Broker" Version="4.78.0" />
     <PackageReference Update="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="8.14.0" />
     <PackageReference Update="Microsoft.IdentityModel.Tokens" Version="8.14.0" />
     <PackageReference Update="System.IdentityModel.Tokens.Jwt" Version="8.14.0" />

sdk/identity/Azure.Identity.sln

@@ -17,6 +17,8 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Azure.Identity.Broker", "Az
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Azure.Identity.Broker.Tests", "Azure.Identity.Broker\tests\Azure.Identity.Broker.Tests.csproj", "{5F72962A-E4A5-4DBD-BA00-AB5B7725CACA}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Azure.Core", "..\core\Azure.Core\src\Azure.Core.csproj", "{B8BF1ED4-DD68-4504-9060-008D1A980958}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -51,6 +53,10 @@ Global
 		{5F72962A-E4A5-4DBD-BA00-AB5B7725CACA}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{5F72962A-E4A5-4DBD-BA00-AB5B7725CACA}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{5F72962A-E4A5-4DBD-BA00-AB5B7725CACA}.Release|Any CPU.Build.0 = Release|Any CPU
+		{B8BF1ED4-DD68-4504-9060-008D1A980958}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{B8BF1ED4-DD68-4504-9060-008D1A980958}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{B8BF1ED4-DD68-4504-9060-008D1A980958}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{B8BF1ED4-DD68-4504-9060-008D1A980958}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE

sdk/identity/Azure.Identity/CHANGELOG.md

@@ -1,15 +1,11 @@
 # Release History
 
-## 1.18.0-beta.2 (Unreleased)
-
-### Features Added
-
-### Breaking Changes
-
-### Bugs Fixed
+## 1.17.1 (2025-11-18)
 
 ### Other Changes
 
+- Updated `Microsoft.Identity.Client` and `Microsoft.Identity.Client.Extensions.Msal` dependencies to version 4.78.0.
+
 ## 1.18.0-beta.1 (2025-11-14)
 
 ### Features Added

sdk/identity/Azure.Identity/README.md

@@ -107,45 +107,6 @@ While `DefaultAzureCredential` is generally the quickest way to authenticate app
 
 As of version 1.8.0, `ManagedIdentityCredential` supports [token caching](#token-caching).
 
-## Identity binding mode (WorkloadIdentityCredential)
-
-`WorkloadIdentityCredential` supports an opt-in identity binding mode to work around [Entra ID's limit on federated identity credentials (FICs)](https://learn.microsoft.com/entra/workload-id/workload-identity-federation-considerations#federated-identity-credential-considerations) per managed identity. When enabled via the `IsAzureKubernetesTokenProxyEnabled ` option, the credential redirects token requests to an AKS-provided proxy that handles the FIC exchange centrally, allowing multiple pods to share the same identity without hitting FIC limits.
-
-**Note:** This feature is only available when using `WorkloadIdentityCredential` directly. It is not supported by `DefaultAzureCredential` or `ManagedIdentityCredential`.
-
-### Usage
-
-```C# Snippet:WorkloadIdentityCredentialWithIdentityBinding
-var credential = new WorkloadIdentityCredential(new WorkloadIdentityCredentialOptions
-{
-    IsAzureKubernetesTokenProxyEnabled = true  // Enable identity binding mode
-});
-```
-
-When enabled, the credential reads these environment variables (typically configured by AKS):
-
-* `AZURE_KUBERNETES_TOKEN_PROXY` - Base HTTPS URL for the proxy endpoint
-* `AZURE_KUBERNETES_CA_FILE` - Path to PEM bundle with proxy CA certificates
-* `AZURE_KUBERNETES_CA_DATA` - PEM-encoded CA bundle (mutually exclusive with `AZURE_KUBERNETES_CA_FILE `)
-* `AZURE_KUBERNETES_SNI_NAME` - TLS Server Name Indication (optional)
-
-The credential validates the configuration at construction time and throws `InvalidOperationException` if the configuration is invalid or incomplete.
-
-### Migration from ManagedIdentityCredential
-
-If you're currently using `ManagedIdentityCredential` for workload identity in AKS and need to use identity binding mode, migrate to `WorkloadIdentityCredential`:
-
-```C# Snippet:MigrationToWorkloadIdentityCredential
-// Before (no identity binding support):
-// var credential = new ManagedIdentityCredential(ManagedIdentityId.SystemAssigned);
-
-// After (with identity binding support):
-var credential = new WorkloadIdentityCredential(new WorkloadIdentityCredentialOptions
-{
-    IsAzureKubernetesTokenProxyEnabled = true
-});
-```
-
 ## Sovereign cloud configuration
 
 By default, credentials authenticate to the Microsoft Entra endpoint for the Azure Public Cloud. To access resources in other clouds, such as Azure US Government or a private cloud, use one of the following solutions:
@@ -181,7 +142,7 @@ Not all credentials require this configuration. Credentials that authenticate th
 |-|-|-|
 |[`EnvironmentCredential`][ref_EnvironmentCredential]|Authenticates a service principal or user via credential information specified in [environment variables](#environment-variables).||
 |[`ManagedIdentityCredential`][ref_ManagedIdentityCredential]|Authenticates the managed identity of an Azure resource.|[user-assigned managed identity][uami_doc]<br>[system-assigned managed identity][sami_doc]|
-|[`WorkloadIdentityCredential`][ref_WorkloadIdentityCredential]|Supports [Microsoft Entra Workload ID](https://learn.microsoft.com/azure/aks/workload-identity-overview) on Kubernetes. Supports [identity binding mode](#identity-binding-mode-workloadidentitycredential) to work around FIC limits in AKS.||
+|[`WorkloadIdentityCredential`][ref_WorkloadIdentityCredential]|Supports [Microsoft Entra Workload ID](https://learn.microsoft.com/azure/aks/workload-identity-overview) on Kubernetes.||
 
 ### Authenticate service principals
 

sdk/identity/Azure.Identity/api/Azure.Identity.net8.0.cs

@@ -115,7 +115,6 @@ public partial class BrowserCustomizationOptions
         public BrowserCustomizationOptions() { }
         public string ErrorMessage { get { throw null; } set { } }
         public string SuccessMessage { get { throw null; } set { } }
-        [System.ComponentModel.EditorBrowsableAttribute(System.ComponentModel.EditorBrowsableState.Never)]
         [System.ObsoleteAttribute("This option requires additional dependencies on Microsoft.Identity.Client.Desktop and is no longer supported. Consider using brokered authentication instead")]
         public bool? UseEmbeddedWebView { get { throw null; } set { } }
     }
@@ -325,12 +324,10 @@ public partial class ManagedIdentityCredential : Azure.Core.TokenCredential
     {
         protected ManagedIdentityCredential() { }
         [System.ComponentModel.EditorBrowsableAttribute(System.ComponentModel.EditorBrowsableState.Never)]
-        [System.ObsoleteAttribute("Use constructor ManagedIdentityCredential(ManagedIdentityId id) or ManagedIdentityCredential(ManagedIdentityCredentialOptions options).")]
         public ManagedIdentityCredential(Azure.Core.ResourceIdentifier resourceId, Azure.Identity.TokenCredentialOptions options = null) { }
         public ManagedIdentityCredential(Azure.Identity.ManagedIdentityCredentialOptions options) { }
         public ManagedIdentityCredential(Azure.Identity.ManagedIdentityId id) { }
         [System.ComponentModel.EditorBrowsableAttribute(System.ComponentModel.EditorBrowsableState.Never)]
-        [System.ObsoleteAttribute("Use constructor ManagedIdentityCredential(ManagedIdentityId id) or ManagedIdentityCredential(ManagedIdentityCredentialOptions options).")]
         public ManagedIdentityCredential(string clientId = null, Azure.Identity.TokenCredentialOptions options = null) { }
         public override Azure.Core.AccessToken GetToken(Azure.Core.TokenRequestContext requestContext, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
         public override System.Threading.Tasks.ValueTask<Azure.Core.AccessToken> GetTokenAsync(Azure.Core.TokenRequestContext requestContext, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
@@ -502,7 +499,6 @@ public WorkloadIdentityCredentialOptions() { }
         public System.Collections.Generic.IList<string> AdditionallyAllowedTenants { get { throw null; } }
         public string ClientId { get { throw null; } set { } }
         public bool DisableInstanceDiscovery { get { throw null; } set { } }
-        public bool IsAzureKubernetesTokenProxyEnabled { get { throw null; } set { } }
         public string TenantId { get { throw null; } set { } }
         public string TokenFilePath { get { throw null; } set { } }
     }

sdk/identity/Azure.Identity/api/Azure.Identity.netstandard2.0.cs

@@ -113,7 +113,6 @@ public partial class BrowserCustomizationOptions
         public BrowserCustomizationOptions() { }
         public string ErrorMessage { get { throw null; } set { } }
         public string SuccessMessage { get { throw null; } set { } }
-        [System.ComponentModel.EditorBrowsableAttribute(System.ComponentModel.EditorBrowsableState.Never)]
         [System.ObsoleteAttribute("This option requires additional dependencies on Microsoft.Identity.Client.Desktop and is no longer supported. Consider using brokered authentication instead")]
         public bool? UseEmbeddedWebView { get { throw null; } set { } }
     }
@@ -322,12 +321,10 @@ public partial class ManagedIdentityCredential : Azure.Core.TokenCredential
     {
         protected ManagedIdentityCredential() { }
         [System.ComponentModel.EditorBrowsableAttribute(System.ComponentModel.EditorBrowsableState.Never)]
-        [System.ObsoleteAttribute("Use constructor ManagedIdentityCredential(ManagedIdentityId id) or ManagedIdentityCredential(ManagedIdentityCredentialOptions options).")]
         public ManagedIdentityCredential(Azure.Core.ResourceIdentifier resourceId, Azure.Identity.TokenCredentialOptions options = null) { }
         public ManagedIdentityCredential(Azure.Identity.ManagedIdentityCredentialOptions options) { }
         public ManagedIdentityCredential(Azure.Identity.ManagedIdentityId id) { }
         [System.ComponentModel.EditorBrowsableAttribute(System.ComponentModel.EditorBrowsableState.Never)]
-        [System.ObsoleteAttribute("Use constructor ManagedIdentityCredential(ManagedIdentityId id) or ManagedIdentityCredential(ManagedIdentityCredentialOptions options).")]
         public ManagedIdentityCredential(string clientId = null, Azure.Identity.TokenCredentialOptions options = null) { }
         public override Azure.Core.AccessToken GetToken(Azure.Core.TokenRequestContext requestContext, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
         public override System.Threading.Tasks.ValueTask<Azure.Core.AccessToken> GetTokenAsync(Azure.Core.TokenRequestContext requestContext, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
@@ -499,7 +496,6 @@ public WorkloadIdentityCredentialOptions() { }
         public System.Collections.Generic.IList<string> AdditionallyAllowedTenants { get { throw null; } }
         public string ClientId { get { throw null; } set { } }
         public bool DisableInstanceDiscovery { get { throw null; } set { } }
-        public bool IsAzureKubernetesTokenProxyEnabled { get { throw null; } set { } }
         public string TenantId { get { throw null; } set { } }
         public string TokenFilePath { get { throw null; } set { } }
     }

sdk/identity/Azure.Identity/integration/Directory.Build.props

@@ -5,7 +5,6 @@
     <!-- Signal that integration projects are building in the repo -->
     <IsClientLibrary>true</IsClientLibrary>
     <IsPackable>true</IsPackable>
-    <IsTestProject>true</IsTestProject>
     <WarnOnPackingNonPackableProject>false</WarnOnPackingNonPackableProject>
     <NoWarn>
       $(NoWarn);

sdk/identity/Azure.Identity/integration/Integration.Identity.Common/ManagedIdentityTests.cs

@@ -21,8 +21,8 @@ public static void AuthToStorage()
         string account1 = Environment.GetEnvironmentVariable("IDENTITY_STORAGE_NAME_1")!;
         string account2 = Environment.GetEnvironmentVariable("IDENTITY_STORAGE_NAME_2")!;
 
-        var credential1 = new ManagedIdentityCredential(ManagedIdentityId.SystemAssigned);
-        var credential2 = new ManagedIdentityCredential(ManagedIdentityId.FromUserAssignedResourceId(new ResourceIdentifier(resourceId)));
+        var credential1 = new ManagedIdentityCredential();
+        var credential2 = new ManagedIdentityCredential(new ResourceIdentifier(resourceId));
         var client1 = new BlobServiceClient(new Uri($"https://{account1}.blob.core.windows.net/"), credential1);
         var client2 = new BlobServiceClient(new Uri($"https://{account2}.blob.core.windows.net/"), credential2);
         client1.GetBlobContainers().ToList();

sdk/identity/Azure.Identity/src/Azure.Identity.csproj

@@ -2,7 +2,7 @@
   <PropertyGroup>
     <Description>Provides APIs for authenticating to Microsoft Entra ID</Description>
     <AssemblyTitle>Microsoft Azure.Identity Component</AssemblyTitle>
-    <Version>1.18.0-beta.2</Version>
+    <Version>1.17.1</Version>
     <!--The ApiCompatVersion is managed automatically and should not generally be modified manually.-->
     <ApiCompatVersion>1.17.0</ApiCompatVersion>
     <PackageTags>Microsoft Azure Identity;$(PackageCommonTags)</PackageTags>

sdk/identity/Azure.Identity/src/AzureIdentityEventSource.cs

@@ -43,9 +43,6 @@ internal sealed class AzureIdentityEventSource : AzureEventSource, IIdentityLogg
         private const int ServiceFabricManagedIdentityRuntimeConfigurationNotSupportedEvent = 22;
         private const int ManagedIdentitySourceAttemptedEvent = 25;
         private const int ManagedIdentityCredentialSelectedEvent = 26;
-        private const int KubernetesProxyCaCertificateReloadSkippedEvent = 27;
-        private const int KubernetesProxyCaCertificateReloadFailedEvent = 28;
-        private const int KubernetesProxyCaCertificateReloadedEvent = 29;
 
         internal const string TenantIdDiscoveredAndNotUsedEventMessage = "A token was request for a different tenant than was configured on the credential, but the configured value was used since multi tenant authentication has been disabled. Configured TenantId: {0}, Requested TenantId {1}";
         internal const string TenantIdDiscoveredAndUsedEventMessage = "A token was requested for a different tenant than was configured on the credential, and the requested tenant id was used to authenticate. Configured TenantId: {0}, Requested TenantId {1}";
@@ -56,9 +53,6 @@ internal sealed class AzureIdentityEventSource : AzureEventSource, IIdentityLogg
         internal const string ServiceFabricManagedIdentityRuntimeConfigurationNotSupportedMessage = "Service Fabric user assigned managed identity ClientId or ResourceId is not configurable at runtime.";
         internal const string ManagedIdentitySourceAttemptedMessage = "ManagedIdentitySource {0} was attempted. IsSelected={1}.";
         internal const string ManagedIdentityCredentialSelectedMessage = "Managed Identity source selected: {0} with ID: {1}";
-        internal const string KubernetesProxyCaCertificateReloadSkippedMessage = "Kubernetes proxy CA certificate reload skipped. Reason: {0}";
-        internal const string KubernetesProxyCaCertificateReloadFailedMessage = "Kubernetes proxy CA certificate read failed. Error: {0}";
-        internal const string KubernetesProxyCaCertificateReloadedMessage = "Kubernetes proxy CA certificate changed, handler will be reloaded.";
 
         private AzureIdentityEventSource() : base(EventSourceName) { }
 
@@ -431,32 +425,5 @@ public void ManagedIdentityCredentialSelected(string credentialType, string id)
                 WriteEvent(ManagedIdentityCredentialSelectedEvent, credentialType, id);
             }
         }
-
-        [Event(KubernetesProxyCaCertificateReloadSkippedEvent, Level = EventLevel.Informational, Message = KubernetesProxyCaCertificateReloadSkippedMessage)]
-        public void KubernetesProxyCaCertificateReloadSkipped(string reason)
-        {
-            if (IsEnabled(EventLevel.Informational, EventKeywords.All))
-            {
-                WriteEvent(KubernetesProxyCaCertificateReloadSkippedEvent, reason);
-            }
-        }
-
-        [Event(KubernetesProxyCaCertificateReloadFailedEvent, Level = EventLevel.Warning, Message = KubernetesProxyCaCertificateReloadFailedMessage)]
-        public void KubernetesProxyCaCertificateReloadFailed(string error)
-        {
-            if (IsEnabled(EventLevel.Warning, EventKeywords.All))
-            {
-                WriteEvent(KubernetesProxyCaCertificateReloadFailedEvent, error);
-            }
-        }
-
-        [Event(KubernetesProxyCaCertificateReloadedEvent, Level = EventLevel.Informational, Message = KubernetesProxyCaCertificateReloadedMessage)]
-        public void KubernetesProxyCaCertificateReloaded()
-        {
-            if (IsEnabled(EventLevel.Informational, EventKeywords.All))
-            {
-                WriteEvent(KubernetesProxyCaCertificateReloadedEvent);
-            }
-        }
     }
 }