[Bug]ManagedIdentityCredential.GetTokenAsync() Identity not found

[drdraw17]

Library version used

4.71.1

.NET version

8.0.412

Scenario

ManagedIdentityClient - managed identity

Is this a new or an existing app?

This is a new app or experiment

Issue description and reproduction steps

We are a Microsoft internal service hosted on AutoPilot, we have two machine functions A and B, where we try to achieve server to server auth for flow A calling B. We set up user-assigned managed identity, use the client id of it to create an instance of ManagedIdentityCredential, then call GetTokenAsync() and try to pass the token in the http request Authorization header and call B.

The exception was throwed while calling GetTokenAsync() with our customize scope (https:xxx.windows.com/.default),

Failed to get token for scopes [https:xxx.windows.com/.default] using ManagedIdentityCredential. This usually indicates the Managed Identity is not assigned to this resource or doesn't exist. Original error: ManagedIdentityCredential authentication failed: [Managed Identity] Authentication unavailable. Either the requested identity has not been assigned to this resource, or other errors could be present. Ensure the identity is correctly assigned and check the inner exception for more details. For more information, visit https://aka.ms/msal-managed-identity.
**Status: BadRequest
Content:
{"error":"invalid_request","error_description":"Identity not found"}**

Headers:
Server: IMDS/150.870.65.1730
x-ms-request-id: 27906edd-8b22-42b5-acf8-5036334e7fda
Date: Mon, 04 Aug 2025 20:39:58 GMT

I'm not too familiar with auth world, so kindly asking for some help here for a better understanding of the issue, so far the possible reasons that cause the above error I can think of are:

1. ManagedIdentityCredential only supports for accessing azure resources, then I guess in this case we probably need to call Microsoft Entra ID for getting s2s auth token instead of using managed identity?
2. I was wrongly setting up managed identity? Maybe missing some permission or role assignment?
3. I set up the scope wrongly?

Thanks in advance!

Relevant code snippets

Expected behavior

No response

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

No response

[github-actions]

Here are some similar issues that might help you. Please check if they can solve your problem.

• [Bug] VM Managed Identity (Experimental) throws wrong exception when wrong resource is passed #3979
• [Bug] [Migrating to workload identity from Pod identity] [AKS]'The error response was either empty or could not be parsed.. Error response received from the server: no azure identity found for request' #5287
• [Bug] Unable to Authenticate Using MSI with a User Assigned Managed Identity In Azure Container App #5245

---

Possible solution (Extracted from existing issue, might be incorrect; please verify carefully)

Solution 1:

This indicates a config error. The response simply means that an identity isn't there. I recommend you move this issue to Azure Redis service, who internally use MSAL.

Reference:

• [Bug] [Migrating to workload identity from Pod identity] [AKS]'The error response was either empty or could not be parsed.. Error response received from the server: no azure identity found for request' #5287 (comment)

Solution 2:

Non-existent scope used, which is a user error in this case.

Reference:

• [Bug] VM Managed Identity (Experimental) throws wrong exception when wrong resource is passed #3979 (comment)

Solution 3:

This is a service exception as we are not validating the resource in MSAL and the error comes from the service. We can maybe update the error message for this exception.

Reference:

• [Bug] VM Managed Identity (Experimental) throws wrong exception when wrong resource is passed #3979 (comment)

Powered by issue-sentinel

[github-actions]

Here are some similar issues that might help you. Please check if they can solve your problem.

• [Bug] [Migrating to workload identity from Pod identity] [AKS]'The error response was either empty or could not be parsed.. Error response received from the server: no azure identity found for request' #5287
• [Bug] Unable to Authenticate Using MSI with a User Assigned Managed Identity In Azure Container App #5245

---

Possible solution (Extracted from existing issue, might be incorrect; please verify carefully)

Solution 1:

This indicates a config error. The response simply means that an identity isn't there. I recommend you move this issue to Azure Redis service, who internally use MSAL.

Reference:

• [Bug] [Migrating to workload identity from Pod identity] [AKS]'The error response was either empty or could not be parsed.. Error response received from the server: no azure identity found for request' #5287 (comment)

Solution 2:

We believe this has been fixed in MSAL MSAL 4.67.2 - please update to the latest version. If you are using Azure SDK, please wait for them to release a patch, it should happen soon.

Reference:

• [Bug] Unable to Authenticate Using MSI with a User Assigned Managed Identity In Azure Container App #5245 (comment)

Powered by issue-sentinel

[bgavrilMS]

Scope looks ok. Managed Identity works with any type of resource, not just Azure. Maybe you didn't provision the identity?