AzureAD · Robbie-Microsoft · Aug 29, 2025 · Aug 6, 2025 · Aug 6, 2025 · Aug 6, 2025
@@ -17,6 +17,7 @@
 using Microsoft.Identity.Client.Internal.Broker;
 using Microsoft.Identity.Client.Internal.ClientCredential;
 using Microsoft.Identity.Client.Kerberos;
+using Microsoft.Identity.Client.ManagedIdentity.V2;
 using Microsoft.Identity.Client.PlatformsCommon.Interfaces;
 using Microsoft.Identity.Client.UI;
 using Microsoft.IdentityModel.Abstractions;
@@ -126,6 +127,7 @@ public string ClientVersion
         public Func<AppTokenProviderParameters, Task<AppTokenProviderResult>> AppTokenProvider;
 
         internal IRetryPolicyFactory RetryPolicyFactory { get; set; }
+        internal ICsrFactory CsrFactory { get; set; }
 
         #region ClientCredentials
 

@@ -15,6 +15,7 @@
 using Microsoft.IdentityModel.Abstractions;
 using Microsoft.Identity.Client.Internal;
 using Microsoft.Identity.Client.Http.Retry;
+using Microsoft.Identity.Client.ManagedIdentity.V2;
 
 #if SUPPORTS_SYSTEM_TEXT_JSON
 using System.Text.Json;
@@ -39,6 +40,12 @@ internal BaseAbstractApplicationBuilder(ApplicationConfiguration configuration)
             {
                 Config.RetryPolicyFactory = new RetryPolicyFactory();
             }
+
+            // Ensure the default csr factory is set if the test factory was not provided
+            if (Config.CsrFactory == null)
+            {
+                Config.CsrFactory = new DefaultCsrFactory();
+            }
         }
 
         internal ApplicationConfiguration Config { get; }
@@ -246,6 +253,17 @@ internal T WithRetryPolicyFactory(IRetryPolicyFactory factory)
             return (T)this;
         }
 
+        /// <summary>
+        /// Internal only: Allows tests to inject a custom csr factory.
+        /// </summary>
+        /// <param name="factory">The csr factory to use.</param>
+        /// <returns>The builder for chaining.</returns>
+        internal T WithCsrFactory(ICsrFactory factory)
+        {
+            Config.CsrFactory = factory;
+            return (T)this;
+        }
+
         internal virtual ApplicationConfiguration BuildConfiguration()
         {
             ResolveAuthority();

@@ -82,7 +82,7 @@ public virtual async Task<ManagedIdentityResponse> AuthenticateAsync(
                             method: HttpMethod.Get,
                             logger: _requestContext.Logger,
                             doNotThrow: true,
-                            mtlsCertificate: null,
+                            mtlsCertificate: request.MtlsCertificate,
                             validateServerCertificate: GetValidationCallback(), 
                             cancellationToken: cancellationToken,
                             retryPolicy: retryPolicy).ConfigureAwait(false);
@@ -97,7 +97,7 @@ public virtual async Task<ManagedIdentityResponse> AuthenticateAsync(
                             method: HttpMethod.Post,
                             logger: _requestContext.Logger,
                             doNotThrow: true,
-                            mtlsCertificate: null,
+                            mtlsCertificate: request.MtlsCertificate,
                             validateServerCertificate: GetValidationCallback(), 
                             cancellationToken: cancellationToken,
                             retryPolicy: retryPolicy)

@@ -5,6 +5,7 @@
 using System.Collections.Generic;
 using System.Linq;
 using System.Net.Http;
+using System.Security.Cryptography.X509Certificates;
 using Microsoft.Identity.Client.ApiConfig.Parameters;
 using Microsoft.Identity.Client.Core;
 using Microsoft.Identity.Client.OAuth2;
@@ -26,14 +27,21 @@ internal class ManagedIdentityRequest
 
         public RequestType RequestType { get; set; }
 
-        public ManagedIdentityRequest(HttpMethod method, Uri endpoint, RequestType requestType = RequestType.ManagedIdentityDefault)
+        public X509Certificate2 MtlsCertificate { get; set; }
+
+        public ManagedIdentityRequest(
+            HttpMethod method,
+            Uri endpoint,
+            RequestType requestType = RequestType.ManagedIdentityDefault,
+            X509Certificate2 mtlsCertificate = null)
         {
             Method = method;
             _baseEndpoint = endpoint;
             Headers = new Dictionary<string, string>();
             BodyParameters = new Dictionary<string, string>();
             QueryParameters = new Dictionary<string, string>();
             RequestType = requestType;
+            MtlsCertificate = mtlsCertificate;
         }
 
         public Uri ComputeUri()

@@ -10,7 +10,7 @@ namespace Microsoft.Identity.Client.ManagedIdentity.V2
 {
     internal class Csr
     {
-        internal static string Generate(string clientId, string tenantId, CuidInfo cuid)
+        internal static (string csrPem, RSA privateKey) Generate(string clientId, string tenantId, CuidInfo cuid)
         {
             using (RSA rsa = CreateRsaKeyPair())
             {
@@ -28,7 +28,7 @@ internal static string Generate(string clientId, string tenantId, CuidInfo cuid)
                         "1.3.6.1.4.1.311.90.2.10",
                         writer.Encode()));
 
-                return req.CreateSigningRequestPem();
+                return (req.CreateSigningRequestPem(), rsa);
             }
         }
 

@@ -0,0 +1,15 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System.Security.Cryptography;
+
+namespace Microsoft.Identity.Client.ManagedIdentity.V2
+{
+    internal class DefaultCsrFactory : ICsrFactory
+    {
+        public (string csrPem, RSA privateKey) Generate(string clientId, string tenantId, CuidInfo cuid)
+        {
+            return Csr.Generate(clientId, tenantId, cuid);
+        }
+    }
+}
@@ -0,0 +1,12 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System.Security.Cryptography;
+
+namespace Microsoft.Identity.Client.ManagedIdentity.V2
+{
+    internal interface ICsrFactory
+    {
+        (string csrPem, RSA privateKey) Generate(string clientId, string tenantId, CuidInfo cuid);
+    }
+}
@@ -5,6 +5,8 @@
 using System.Collections.Generic;
 using System.Net;
 using System.Net.Http;
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
 using System.Threading.Tasks;
 using Microsoft.Identity.Client.Core;
 using Microsoft.Identity.Client.Http;
@@ -20,6 +22,7 @@ internal class ImdsV2ManagedIdentitySource : AbstractManagedIdentity
         public const string ImdsV2ApiVersion = "2.0";
         public const string CsrMetadataPath = "/metadata/identity/getplatformmetadata";
         public const string CertificateRequestPath = "/metadata/identity/issuecredential";
+        public const string AcquireEntraTokenPath = "/oauth2/v2.0/token";
 
         public static async Task<CsrMetadata> GetCsrMetadataAsync(
             RequestContext requestContext,
@@ -251,12 +254,150 @@ private async Task<CertificateRequestResponse> ExecuteCertificateRequestAsync(st
         protected override async Task<ManagedIdentityRequest> CreateRequestAsync(string resource)
         {
             var csrMetadata = await GetCsrMetadataAsync(_requestContext, false).ConfigureAwait(false);
-            var csr = Csr.Generate(csrMetadata.ClientId, csrMetadata.TenantId, csrMetadata.CuId);
+            var (csr, privateKey) = _requestContext.ServiceBundle.Config.CsrFactory.Generate(csrMetadata.ClientId, csrMetadata.TenantId, csrMetadata.CuId);
 
             var certificateRequestResponse = await ExecuteCertificateRequestAsync(csr).ConfigureAwait(false);
+
+            // transform certificateRequestResponse.Certificate to x509 with private key
+            var mtlsCertificate = AttachPrivateKeyToCert(
+                certificateRequestResponse.Certificate,
+                privateKey);
+
+            ManagedIdentityRequest request = new(HttpMethod.Post, new Uri($"{certificateRequestResponse.MtlsAuthenticationEndpoint}/{certificateRequestResponse.TenantId}{AcquireEntraTokenPath}"));
+            request.Headers.Add("x-ms-client-request-id", _requestContext.CorrelationId.ToString());
+            request.BodyParameters.Add("client_id", certificateRequestResponse.ClientId);
+            request.BodyParameters.Add("grant_type", certificateRequestResponse.Certificate);
+            request.BodyParameters.Add("scope", "https://management.azure.com/.default");
+            request.RequestType = RequestType.Imds;
+            request.MtlsCertificate = mtlsCertificate;
+
+            return request;
+        }
+
+        /// <summary>
+        /// Attaches a private key to a certificate for use in mTLS authentication.
+        /// </summary>
+        /// <param name="certificatePem">The certificate in PEM format</param>
+        /// <param name="privateKey">The RSA private key to attach</param>
+        /// <returns>An X509Certificate2 with the private key attached</returns>
+        /// <exception cref="ArgumentNullException">Thrown when certificatePem or privateKey is null</exception>
+        /// <exception cref="ArgumentException">Thrown when certificatePem is not a valid PEM certificate</exception>
+        /// <exception cref="FormatException">Thrown when the certificate cannot be parsed</exception>
+        internal X509Certificate2 AttachPrivateKeyToCert(string certificatePem, RSA privateKey)
+        {
+            if (string.IsNullOrEmpty(certificatePem))
+                throw new ArgumentNullException(nameof(certificatePem));
+            if (privateKey == null)
+                throw new ArgumentNullException(nameof(privateKey));
+
+            X509Certificate2 certificate;
+
+#if NET8_0_OR_GREATER
+            // .NET 8.0+ has direct PEM parsing support
+            certificate = X509Certificate2.CreateFromPem(certificatePem);
+            // Attach the private key and return a new certificate instance
+            return certificate.CopyWithPrivateKey(privateKey);
+#else
+            // .NET Framework 4.7.2 and .NET Standard 2.0 - manual PEM parsing and private key attachment
+            certificate = ParseCertificateFromPem(certificatePem);
+            return AttachPrivateKeyToOlderFrameworks(certificate, privateKey);
+#endif
+        }
+
+#if !NET8_0_OR_GREATER
+        /// <summary>
+        /// Parses a certificate from PEM format for older .NET versions.
+        /// </summary>
+        /// <param name="certificatePem">The certificate in PEM format</param>
+        /// <returns>An X509Certificate2 instance</returns>
+        /// <exception cref="ArgumentException">Thrown when the PEM format is invalid</exception>
+        /// <exception cref="FormatException">Thrown when the Base64 content cannot be decoded</exception>
+        internal static X509Certificate2 ParseCertificateFromPem(string certificatePem)
+        {
+            const string CertBeginMarker = "-----BEGIN CERTIFICATE-----";
+            const string CertEndMarker = "-----END CERTIFICATE-----";
+
+            int startIndex = certificatePem.IndexOf(CertBeginMarker, StringComparison.Ordinal);
+            if (startIndex == -1)
+            {
+                throw new ArgumentException("Invalid PEM format: missing BEGIN CERTIFICATE marker", nameof(certificatePem));
+            }
+
+            startIndex += CertBeginMarker.Length;
+            int endIndex = certificatePem.IndexOf(CertEndMarker, startIndex, StringComparison.Ordinal);
+            if (endIndex == -1)
+            {
+                throw new ArgumentException("Invalid PEM format: missing END CERTIFICATE marker", nameof(certificatePem));
+            }
+
+            string base64Content = certificatePem.Substring(startIndex, endIndex - startIndex)
+                .Replace("\r", "")
+                .Replace("\n", "")
+                .Replace(" ", "");
 
-            throw new NotImplementedException();
+            if (string.IsNullOrEmpty(base64Content))
+            {
+                throw new ArgumentException("Invalid PEM format: no certificate content found", nameof(certificatePem));
+            }
+
+            try
+            {
+                byte[] certBytes = Convert.FromBase64String(base64Content);
+                return new X509Certificate2(certBytes);
+            }
+            catch (FormatException ex)
+            {
+                throw new FormatException("Invalid PEM format: certificate content is not valid Base64", ex);
+            }
+        }
+
+        /// <summary>
+        /// Attaches a private key to a certificate for older .NET Framework versions.
+        /// This method uses the older RSACng approach for .NET Framework 4.7.2 and .NET Standard 2.0.
+        /// </summary>
+        /// <param name="certificate">The certificate without private key</param>
+        /// <param name="privateKey">The RSA private key to attach</param>
+        /// <returns>An X509Certificate2 with the private key attached</returns>
+        /// <exception cref="NotSupportedException">Thrown when private key attachment fails</exception>
+        internal X509Certificate2 AttachPrivateKeyToOlderFrameworks(X509Certificate2 certificate, RSA privateKey)
+        {
+            try
+            {
+                // For older frameworks, we need to use the legacy approach with RSACryptoServiceProvider
+                // First, export the RSA parameters from the provided private key
+                var parameters = privateKey.ExportParameters(includePrivateParameters: true);
+
+                // Create a new RSACryptoServiceProvider with the correct key size
+                int keySize = parameters.Modulus.Length * 8;
+                var rsaProvider = new RSACryptoServiceProvider(keySize);
+
+                try
+                {
+                    // Import the parameters into the new provider
+                    rsaProvider.ImportParameters(parameters);
+
+                    // Create a new certificate instance from the raw data
+                    var certWithPrivateKey = new X509Certificate2(certificate.RawData);
+
+                    // Assign the private key using the legacy property
+                    certWithPrivateKey.PrivateKey = rsaProvider;
+
+                    return certWithPrivateKey;
+                }
+                catch
+                {
+                    // Clean up the RSA provider if something goes wrong
+                    rsaProvider?.Dispose();
+                    throw;
+                }
+            }
+            catch (Exception ex)
+            {
+                throw new NotSupportedException(
+                    "Failed to attach private key to certificate on this .NET Framework version.", ex);
+            }
         }
+#endif
 
         private static string ImdsV2QueryParamsHelper(RequestContext requestContext)
         {

@@ -626,5 +626,37 @@ public static MockHttpMessageHandler MockCsrResponseFailure()
             // 400 doesn't trigger the retry policy
             return MockCsrResponse(HttpStatusCode.BadRequest);
         }
+
+        public static MockHttpMessageHandler MockCertificateRequestResponse()
+        {
+            IDictionary<string, string> expectedQueryParams = new Dictionary<string, string>();
+            IDictionary<string, string> expectedRequestHeaders = new Dictionary<string, string>();
+            //expectedQueryParams.Add("uaid", "fake_client_id");
+            expectedQueryParams.Add("cred-api-version", ImdsV2ManagedIdentitySource.ImdsV2ApiVersion);
+            expectedRequestHeaders.Add("Metadata", "true");
+
+            string content =
+                "{" +
+                "\"client_id\": \"fake_client_id\"," +
+                "\"tenant_id\": \"fake_tenant_id\"," +
+                "\"certificate\": \"" + TestConstants.ValidPemCertificate + "\"," +
+                "\"identity_type\": \"fake_identity_type\"," +
+                "\"mtls_authentication_endpoint\": \"http://fake_mtls_authentication_endpoint\"," +
+                "}";
+
+            var handler = new MockHttpMessageHandler()
+            {
+                ExpectedUrl = $"{ImdsManagedIdentitySource.DefaultImdsBaseEndpoint}{ImdsV2ManagedIdentitySource.CertificateRequestPath}",
+                ExpectedMethod = HttpMethod.Post,
+                ExpectedQueryParams = expectedQueryParams,
+                ExpectedRequestHeaders = expectedRequestHeaders,
+                ResponseMessage = new HttpResponseMessage(HttpStatusCode.OK)
+                {
+                    Content = new StringContent(content),
+                }
+            };
+
+            return handler;
+        }
     }
 }
@@ -460,6 +460,15 @@ private static MockHttpMessageHandler BuildMockHandlerForManagedIdentitySource(
                     expectedQueryParams.Add("resource", resource);
                     expectedRequestHeaders.Add("Metadata", "true");
                     break;
+                case ManagedIdentitySource.ImdsV2:
+                    httpMessageHandler.ExpectedMethod = HttpMethod.Post;
+                    expectedPostData = new Dictionary<string, string>
+                    {
+                        { "client_id", "fake_client_id" },
+                        { "grant_type", TestConstants.ValidPemCertificate },
+                        { "scope", resource }
+                    };
+                    break;
                 case ManagedIdentitySource.CloudShell:
                     httpMessageHandler.ExpectedMethod = HttpMethod.Post;
                     expectedRequestHeaders.Add("Metadata", "true");