
Conversation

@pvaneck pvaneck (Member) commented Dec 9, 2025

Currently, only MSAL confidential client based credentials allow passing in a region through the AZURE_REGIONAL_AUTHORITY_NAME. For the other non-MSAL based confidential flows, we should have parity with the MSAL ones.

I validated these changes on AKS using async WorkloadIdentityCredential with the following configurations:

  1. AZURE_REGIONAL_AUTHORITY_NAME=westus2
  2. MSAL_FORCE_REGION=westus2
  3. AZURE_REGION_AUTHORITY_NAME=tryautodetect

@pvaneck pvaneck changed the title from "[Identity] Expand usage of regional authorities" to "[Identity] Respect region env vars for non-MSAL based credentials" Dec 9, 2025
Currently, only MSAL confidential client based credentials allow passing
in a region through the `AZURE_REGIONAL_AUTHORITY_NAME`. For the other
non-MSAL based confidential flows, we should have parity with the MSAL
ones.

Signed-off-by: Paul Van Eck <[email protected]>
@pvaneck pvaneck force-pushed the identity-regional-auth-with-autodiscover branch from 8a3012f to 716174b December 9, 2025 19:30
@pvaneck pvaneck requested a review from Copilot December 9, 2025 19:53
@pvaneck pvaneck marked this pull request as ready for review December 9, 2025 20:04
@pvaneck pvaneck requested review from a team and xiangyan99 as code owners December 9, 2025 20:04
Copilot AI (Contributor) left a comment

Pull request overview

This PR adds support for the AZURE_REGIONAL_AUTHORITY_NAME environment variable to non-MSAL-based credentials in the Azure Identity SDK, providing parity with MSAL-based credentials. The implementation allows credentials to use regional authority endpoints, which can improve performance and reliability by routing authentication traffic to region-specific endpoints.

Key changes:

  • Added regional authority initialization logic to AadClientBase and both sync/async AadClient implementations
  • Support for both AZURE_REGIONAL_AUTHORITY_NAME and MSAL_FORCE_REGION environment variables, with auto-discovery capability via IMDS
  • Updated token URL generation to use regional authority when configured
  • Added comprehensive tests covering regional authority initialization and usage scenarios

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 11 comments.

| File | Description |
| --- | --- |
| sdk/identity/azure-identity/azure/identity/_internal/aad_client_base.py | Added base methods for regional authority URL building, environment variable reading, and IMDS region discovery |
| sdk/identity/azure-identity/azure/identity/_internal/aad_client.py | Sync client now initializes regional authority in `__init__` and implements region discovery logic |
| sdk/identity/azure-identity/azure/identity/aio/_internal/aad_client.py | Async client implements lazy regional authority initialization called on each token request, with async region discovery |
| sdk/identity/azure-identity/tests/test_aad_client.py | Added tests for token URL generation with regional authority and initialization logic |
| sdk/identity/azure-identity/tests/test_aad_client_async.py | Added async tests for regional authority in token requests, lazy initialization, and auto-discovery scenarios |
| sdk/identity/azure-identity/CHANGELOG.md | Documents the bug fix for regional authority environment variable support |
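The environment-variable handling summarized in the review above, written out as an added example; this is not code from the azure-identity SDK or from this PR. It reads `AZURE_REGIONAL_AUTHORITY_NAME` and `MSAL_FORCE_REGION`, resolves the auto-detect sentinel through an injected lookup that stands in for the IMDS call, validates the region as a single DNS label so an environment variable cannot redirect token requests to an arbitrary host, and builds the regional token URL. The precedence between the two variables, the `{region}.{authority_host}` host shape and the label check are assumptions of this example.

```python
import re
from typing import Callable, Mapping, Optional
from urllib.parse import urlparse

# Example constants; the env var names come from the PR, the sentinel spelling is
# the lower-cased form used in the PR description.
AZURE_REGIONAL_AUTHORITY_NAME = "AZURE_REGIONAL_AUTHORITY_NAME"
MSAL_FORCE_REGION = "MSAL_FORCE_REGION"
TRY_AUTODETECT = "tryautodetect"

# A region is expected to be one short DNS label. Rejecting anything else means a
# value such as "evil.example.com" can never splice extra host components into the
# authority and send client credentials to a host the operator did not intend.
_REGION_RE = re.compile(r"^[a-z0-9]{1,40}$")


def resolve_region(env: Mapping[str, str], discover: Callable[[], Optional[str]]) -> Optional[str]:
    """Return the region to use, or None when no region is configured/discoverable.

    Assumed precedence: AZURE_REGIONAL_AUTHORITY_NAME, then MSAL_FORCE_REGION.
    `discover` stands in for the IMDS lookup and returns None when not on Azure.
    """
    value = env.get(AZURE_REGIONAL_AUTHORITY_NAME) or env.get(MSAL_FORCE_REGION)
    if not value:
        return None
    value = value.strip().lower()
    if value == TRY_AUTODETECT:
        detected = discover()
        if detected is None:
            return None  # fall back to the global authority rather than failing
        value = detected.strip().lower()
    if not _REGION_RE.match(value):
        raise ValueError(f"invalid region label {value!r}")
    return value


def build_token_url(authority: str, tenant: str, region: Optional[str]) -> str:
    """Build the v2.0 token endpoint, prefixing the authority host with the region when set."""
    host = urlparse(authority).netloc
    if region:
        host = f"{region}.{host}"  # assumed shape, e.g. westus2.login.microsoftonline.com
    return f"https://{host}/{tenant}/oauth2/v2.0/token"


def sample_imds_discovery() -> Optional[str]:
    """Constructed stand-in for an IMDS region lookup; always reports eastus."""
    return "eastus"
```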

Signed-off-by: Paul Van Eck <[email protected]>
Signed-off-by: Paul Van Eck <[email protected]>
@pvaneck pvaneck merged commit c20ccd0 into Azure:main Dec 10, 2025
21 checks passed
@pvaneck pvaneck deleted the identity-regional-auth-with-autodiscover branch December 10, 2025 20:20