diff --git a/src/client/Microsoft.Identity.Client/ManagedIdentity/AppServiceManagedIdentitySource.cs b/src/client/Microsoft.Identity.Client/ManagedIdentity/AppServiceManagedIdentitySource.cs index 10fef4610b..efc156b691 100644 --- a/src/client/Microsoft.Identity.Client/ManagedIdentity/AppServiceManagedIdentitySource.cs +++ b/src/client/Microsoft.Identity.Client/ManagedIdentity/AppServiceManagedIdentitySource.cs @@ -14,7 +14,7 @@ namespace Microsoft.Identity.Client.ManagedIdentity internal class AppServiceManagedIdentitySource : AbstractManagedIdentity { // MSI Constants. Docs for MSI are available here https://docs.microsoft.com/azure/app-service/overview-managed-identity - private const string AppServiceMsiApiVersion = "2019-08-01"; + private const string AppServiceMsiApiVersion = "2025-03-30"; private const string SecretHeaderName = "X-IDENTITY-HEADER"; private readonly Uri _endpoint; diff --git a/src/client/Microsoft.Identity.Client/ManagedIdentity/ManagedIdentitySourceExtensions.cs b/src/client/Microsoft.Identity.Client/ManagedIdentity/ManagedIdentitySourceExtensions.cs index 6bbf861834..592f054b76 100644 --- a/src/client/Microsoft.Identity.Client/ManagedIdentity/ManagedIdentitySourceExtensions.cs +++ b/src/client/Microsoft.Identity.Client/ManagedIdentity/ManagedIdentitySourceExtensions.cs @@ -9,8 +9,9 @@ internal static class ManagedIdentitySourceExtensions { private static readonly HashSet s_supportsClaimsAndCaps = [ - // add other sources here as they light up - ManagedIdentitySource.ServiceFabric, + // add other sources here as they light up + ManagedIdentitySource.ServiceFabric, + ManagedIdentitySource.AppService ]; internal static bool SupportsClaimsAndCapabilities( diff --git a/tests/Microsoft.Identity.Test.Common/Core/Mocks/MockHttpManagerExtensions.cs b/tests/Microsoft.Identity.Test.Common/Core/Mocks/MockHttpManagerExtensions.cs index 565ca72e68..dbfb49ecf9 100644 --- a/tests/Microsoft.Identity.Test.Common/Core/Mocks/MockHttpManagerExtensions.cs +++ b/tests/Microsoft.Identity.Test.Common/Core/Mocks/MockHttpManagerExtensions.cs @@ -447,7 +447,7 @@ private static MockHttpMessageHandler BuildMockHandlerForManagedIdentitySource( { case ManagedIdentitySource.AppService: httpMessageHandler.ExpectedMethod = HttpMethod.Get; - expectedQueryParams.Add("api-version", "2019-08-01"); + expectedQueryParams.Add("api-version", "2025-03-30"); expectedQueryParams.Add("resource", resource); expectedRequestHeaders.Add("X-IDENTITY-HEADER", "secret"); break; diff --git a/tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/ManagedIdentityTests.NetFwk.cs b/tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/ManagedIdentityTests.NetFwk.cs index cfb1c04af3..589a2dd7db 100644 --- a/tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/ManagedIdentityTests.NetFwk.cs +++ b/tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/ManagedIdentityTests.NetFwk.cs @@ -414,6 +414,10 @@ public async Task AcquireMSITokenWithClaimsAsync( // Token source should now be IdentityProvider again Assert.AreEqual(TokenSource.IdentityProvider, result3.AuthenticationResultMetadata.TokenSource); + + // The new access token (with claims) must be different than the initial one + Assert.AreNotEqual(result1.AccessToken, result3.AccessToken, + "Claims challenge should result in a new access token different from the initial one."); } }