[Feature Request] Support for new Azure ML Managed Identity

[gladjohn]

MSAL client type

Confidential

Problem Statement

MSAL client type

Managed identity

Problem statement

The Azure ML Managed Identity API is not the same as the App Service 2017-09-01 API, requiring explicit support to accommodate its unique authentication flow.

Key Differences

1. Expiration Time Format

   • The expires_on field is returned as an integer, whereas App Service returns it as a string.
   • The implementation must correctly handle integer-based expiration times

2. Mandatory clientid Parameter

   • Unlike App Service, all token requests must specify a clientid, even for system-assigned managed identities.
   • The platform provides a default client ID via the environment variable:
     • DEFAULT_IDENTITY_CLIENT_ID
   • The system should default to this environment variable when no client ID is explicitly provided.

Proposed solution

Proposed solution

Add explicit support for the Azure ML Managed Identity API in MSAL.

[rayluo]

Hmm...

The Azure ML managed identity was a popular scenario in Python community, so, we have long been shipped that in MSAL Python's initial Managed Identity implementation.

That implementation already supports the "Expiration Time Format" that you mentioned, but the clientid handling is different. We simply rename the client_id (if any) to clientid.

The implementation was backported from Azure SDK's implementation which is considered to be battle-tested. If we are going to make any changes here, we better have a sync-up with @xiangyan99 from Azure SDK for Python for consensus.

[xiangyan99]

clientid is not required.

If clientid is not provided, it uses SSO auth. https://learn.microsoft.com/en-us/azure/machine-learning/how-to-create-compute-instance?view=azureml-api-2&tabs=python

Defaulting to DEFAULT_IDENTITY_CLIENT_ID is a breaking change.

[gladjohn]

Closing as requested by triage. We will re-evaluate the ask through https://aka.ms/mise/feature