azure-sdk
diff --git a/‎sdk/extensions/Microsoft.Extensions.Azure/CHANGELOG.md‎
Lines changed: 10 additions & 0 deletions b/‎sdk/extensions/Microsoft.Extensions.Azure/CHANGELOG.md‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎sdk/extensions/Microsoft.Extensions.Azure/src/Internal/AzureCloud.cs‎
Lines changed: 12 additions & 0 deletions b/‎sdk/extensions/Microsoft.Extensions.Azure/src/Internal/AzureCloud.cs‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎sdk/extensions/Microsoft.Extensions.Azure/src/Internal/ClientFactory.cs‎
Lines changed: 73 additions & 12 deletions b/‎sdk/extensions/Microsoft.Extensions.Azure/src/Internal/ClientFactory.cs‎
Lines changed: 73 additions & 12 deletions
diff --git a/‎sdk/extensions/Microsoft.Extensions.Azure/src/Internal/ManagedFederatedIdentityCredential.cs‎
Lines changed: 174 additions & 0 deletions b/‎sdk/extensions/Microsoft.Extensions.Azure/src/Internal/ManagedFederatedIdentityCredential.cs‎
Lines changed: 174 additions & 0 deletions
@@ -4,6 +4,16 @@
 
 ### Features Added
 
+- Added support for [managed identity as a federated identity credential](https://learn.microsoft.com/entra/workload-id/workload-identity-federation-config-app-trust-managed-identity?tabs=microsoft-entra-admin-center#azureidentity) in the client factory by specifying configuration item `credential` as "managedidentityasfederatedidentity" and providing the following named configuration items:
+
+  - `tenantId` : The tenant where the target resource was created
+  - `clientId` : The client identifier for the application, which must be granted access on the target resource
+  - One of [`managedIdentityClientId`, `objectId`, `resourceId`] : The user-assigned managed identity which you configured as a Federated Identity Credential (FIC)
+  - `azureCloud`: One of the following Azure cloud environments:
+    - `public` for Entra ID Global cloud
+    - `usgov` for Entra ID US Government
+    - `china` for Entra ID China operated by 21Vianet
+
 ### Breaking Changes
 
 ### Bugs Fixed
 
@@ -0,0 +1,12 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+namespace Microsoft.Extensions.Azure
+{
+    internal static class AzureCloud
+    {
+        public const string Public = "public";
+        public const string USGov = "usgov";
+        public const string China = "china";
+    }
+}
@@ -10,6 +10,7 @@
 using System.Text;
 using Azure.Core;
 using Azure.Identity;
+using Microsoft.Extensions.Azure.Internal;
 using Microsoft.Extensions.Configuration;
 
 namespace Microsoft.Extensions.Azure
@@ -106,7 +107,11 @@ internal static TokenCredential CreateCredential(IConfiguration configuration)
             var systemAccessToken = configuration["systemAccessToken"];
             var additionallyAllowedTenants = configuration["additionallyAllowedTenants"];
             var tokenFilePath = configuration["tokenFilePath"];
+            var azureCloud = configuration["azureCloud"];
+            var managedIdentityClientId = configuration["managedIdentityClientId"];
+
             IEnumerable<string> additionallyAllowedTenantsList = null;
+
             if (!string.IsNullOrWhiteSpace(additionallyAllowedTenants))
             {
                 // not relying on StringSplitOptions.RemoveEmptyEntries as we want to remove leading/trailing whitespace between entries
@@ -117,15 +122,7 @@ internal static TokenCredential CreateCredential(IConfiguration configuration)
 
             if (string.Equals(credentialType, "managedidentity", StringComparison.OrdinalIgnoreCase))
             {
-                int idCount = 0;
-                idCount += string.IsNullOrWhiteSpace(clientId) ? 0 : 1;
-                idCount += string.IsNullOrWhiteSpace(resourceId) ? 0 : 1;
-                idCount += string.IsNullOrWhiteSpace(objectId) ? 0 : 1;
-
-                if (idCount > 1)
-                {
-                    throw new ArgumentException("Only one of either 'clientId', 'managedIdentityResourceId', or 'managedIdentityObjectId' can be specified for managed identity.");
-                }
+                AssertSingleManagedIdentityIdentifier(clientId, managedIdentityClientId, resourceId, objectId, isFederated: false);
 
                 if (!string.IsNullOrWhiteSpace(resourceId))
                 {
@@ -137,6 +134,11 @@ internal static TokenCredential CreateCredential(IConfiguration configuration)
                     return new ManagedIdentityCredential(ManagedIdentityId.FromUserAssignedObjectId(objectId));
                 }
 
+                if (!string.IsNullOrWhiteSpace(managedIdentityClientId))
+                {
+                    return new ManagedIdentityCredential(managedIdentityClientId);
+                }
+
                 return new ManagedIdentityCredential(clientId);
             }
 
@@ -145,6 +147,7 @@ internal static TokenCredential CreateCredential(IConfiguration configuration)
                 // The WorkloadIdentityCredentialOptions object initialization populates its instance members
                 // from the environment variables AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_FEDERATED_TOKEN_FILE
                 var workloadIdentityOptions = new WorkloadIdentityCredentialOptions();
+
                 if (!string.IsNullOrWhiteSpace(tenantId))
                 {
                     workloadIdentityOptions.TenantId = tenantId;
@@ -178,6 +181,33 @@ internal static TokenCredential CreateCredential(IConfiguration configuration)
                 throw new ArgumentException("For workload identity, 'tenantId', 'clientId', and 'tokenFilePath' must be specified via environment variables or the configuration.");
             }
 
+            if (string.Equals(credentialType, "managedidentityasfederatedidentity", StringComparison.OrdinalIgnoreCase))
+            {
+                AssertSingleManagedIdentityIdentifier(clientId, managedIdentityClientId, resourceId, objectId, isFederated: true);
+
+                if (string.IsNullOrWhiteSpace(tenantId) ||
+                    string.IsNullOrWhiteSpace(clientId) ||
+                    string.IsNullOrWhiteSpace(azureCloud))
+                {
+                    throw new ArgumentException("For managed identity as a federated identity credential, 'tenantId', 'clientId', 'azureCloud', and one of ['managedIdentityClientId', 'resourceId', 'objectId'] must be specified via environment variables or the configuration.");
+                }
+
+                if (!string.IsNullOrWhiteSpace(resourceId))
+                {
+                    return new ManagedFederatedIdentityCredential(tenantId, clientId, new ResourceIdentifier(resourceId), azureCloud, additionallyAllowedTenantsList);
+                }
+
+                if (!string.IsNullOrWhiteSpace(objectId))
+                {
+                    return new ManagedFederatedIdentityCredential(tenantId, clientId, ManagedIdentityId.FromUserAssignedObjectId(objectId), azureCloud, additionallyAllowedTenantsList);
+                }
+
+                if (!string.IsNullOrWhiteSpace(managedIdentityClientId))
+                {
+                    return new ManagedFederatedIdentityCredential(tenantId, clientId, managedIdentityClientId, azureCloud, additionallyAllowedTenantsList);
+                }
+            }
+
             if (string.Equals(credentialType, "azurepipelines", StringComparison.OrdinalIgnoreCase))
             {
                 if (string.IsNullOrWhiteSpace(tenantId) ||
@@ -258,8 +288,6 @@ internal static TokenCredential CreateCredential(IConfiguration configuration)
                 return credential;
             }
 
-            // TODO: More logging
-
             if (!string.IsNullOrWhiteSpace(objectId))
             {
                 throw new ArgumentException("'managedIdentityObjectId' is only supported when the credential type is 'managedidentity'.");
@@ -268,6 +296,7 @@ internal static TokenCredential CreateCredential(IConfiguration configuration)
             if (additionallyAllowedTenantsList != null
                 || !string.IsNullOrWhiteSpace(tenantId)
                 || !string.IsNullOrWhiteSpace(clientId)
+                || !string.IsNullOrWhiteSpace(managedIdentityClientId)
                 || !string.IsNullOrWhiteSpace(resourceId))
             {
                 var options = new DefaultAzureCredentialOptions();
@@ -285,7 +314,11 @@ internal static TokenCredential CreateCredential(IConfiguration configuration)
                     options.TenantId = tenantId;
                 }
 
-                if (!string.IsNullOrWhiteSpace(clientId))
+                if (!string.IsNullOrWhiteSpace(managedIdentityClientId))
+                {
+                    options.ManagedIdentityClientId = managedIdentityClientId;
+                }
+                else if (!string.IsNullOrWhiteSpace(clientId))
                 {
                     options.ManagedIdentityClientId = clientId;
                 }
@@ -366,6 +399,34 @@ internal static object CreateClientOptions(
             return Activator.CreateInstance(optionsType, constructorArguments);
         }
 
+        private static void AssertSingleManagedIdentityIdentifier(string clientId, string managedIdentityClientId, string resourceId, string objectId, bool isFederated = false)
+        {
+            var idCount = 0;
+
+            if (!isFederated)
+            {
+                idCount += string.IsNullOrWhiteSpace(clientId) ? 0 : 1;
+            }
+
+            idCount += string.IsNullOrWhiteSpace(managedIdentityClientId) ? 0 : 1;
+            idCount += string.IsNullOrWhiteSpace(resourceId) ? 0 : 1;
+            idCount += string.IsNullOrWhiteSpace(objectId) ? 0 : 1;
+
+            var validIdentifiers = isFederated
+                ? "'clientId', 'managedIdentityClientId', 'managedIdentityResourceId', or 'managedIdentityObjectId'"
+                : "'managedIdentityClientId', 'managedIdentityResourceId', or 'managedIdentityObjectId'";
+
+            if (idCount > 1)
+            {
+                throw new ArgumentException($"Only one of [{validIdentifiers}] can be specified for managed identity.");
+            }
+
+            if (isFederated && idCount < 1)
+            {
+                throw new ArgumentException($"At least one of [{validIdentifiers}] must be specified for managed identity.");
+            }
+        }
+
         private static bool IsServiceVersionParameter(ParameterInfo parameter) =>
             parameter.ParameterType.Name == ServiceVersionParameterTypeName;
 
 
@@ -0,0 +1,174 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Collections.Generic;
+using System.Threading;
+using System.Threading.Tasks;
+using Azure.Core;
+using Azure.Identity;
+
+namespace Microsoft.Extensions.Azure.Internal
+{
+    internal class ManagedFederatedIdentityCredential : TokenCredential
+    {
+        private readonly ManagedIdentityCredential _managedIdentityCredential;
+        private readonly ClientAssertionCredential _clientAssertionCredential;
+        private readonly TokenRequestContext _tokenContext;
+
+        /// <summary>
+        /// Gets the set of additionally allowed tenants.
+        /// </summary>
+        public IList<string> AdditionallyAllowedTenants { get; }
+
+        /// <summary>
+        /// Creates an instance of the ManagedFederatedIdentityCredential with a synchronous callback that provides a signed client assertion to authenticate against Microsoft Entra ID.
+        /// </summary>
+        /// <param name="tenantId">The Microsoft Entra tenant (directory) ID of the service principal.</param>
+        /// <param name="clientId">The client (application) ID of the service principal.</param>
+        /// <param name="managedIdentityId">The user-assigned managed identity which has been configured as a Federated Identity Credential (FIC).  May be a client id, resource id, or object id.</param>
+        /// <param name="azureCloud">
+        ///     The name of the cloud where the managed identity is configured.  Valid values are:
+        ///       <list type="bullet">
+        ///         <item>
+        ///           <term>public</term>
+        ///           <description>Entra ID Global cloud</description>
+        ///         </item>
+        ///         <item>
+        ///           <term>usgov</term>
+        ///           <description>Entra ID US Government</description>
+        ///         </item>
+        ///         <item>
+        ///           <term>china</term>
+        ///           <description>Entra ID China operated by 21Vianet</description>
+        ///         </item>
+        ///       </list>
+        /// </param>
+        /// <param name="additionallyAllowedTenants">The set of </param>
+        public ManagedFederatedIdentityCredential(string tenantId, string clientId, string managedIdentityId, string azureCloud, IEnumerable<string> additionallyAllowedTenants = default)
+            : this(tenantId, clientId, (object)managedIdentityId, azureCloud, additionallyAllowedTenants)
+        {
+        }
+
+        /// <summary>
+        /// Creates an instance of the ManagedFederatedIdentityCredential with a synchronous callback that provides a signed client assertion to authenticate against Microsoft Entra ID.
+        /// </summary>
+        /// <param name="tenantId">The Microsoft Entra tenant (directory) ID of the service principal.</param>
+        /// <param name="clientId">The client (application) ID of the service principal.</param>
+        /// <param name="managedIdentityId">The user-assigned managed identity which has been configured as a Federated Identity Credential (FIC).  May be a client id, resource id, or object id.</param>
+        /// <param name="azureCloud">
+        ///     The name of the cloud where the managed identity is configured.  Valid values are:
+        ///       <list type="bullet">
+        ///         <item>
+        ///           <term>public</term>
+        ///           <description>Entra ID Global cloud</description>
+        ///         </item>
+        ///         <item>
+        ///           <term>usgov</term>
+        ///           <description>Entra ID US Government</description>
+        ///         </item>
+        ///         <item>
+        ///           <term>china</term>
+        ///           <description>Entra ID China operated by 21Vianet</description>
+        ///         </item>
+        ///       </list>
+        /// </param>
+        /// <param name="additionallyAllowedTenants">The set of </param>
+        public ManagedFederatedIdentityCredential(string tenantId, string clientId, ResourceIdentifier managedIdentityId, string azureCloud, IEnumerable<string> additionallyAllowedTenants = default)
+            : this(tenantId, clientId, (object)managedIdentityId, azureCloud, additionallyAllowedTenants)
+        {
+        }
+
+        /// <summary>
+        /// Creates an instance of the ManagedFederatedIdentityCredential with a synchronous callback that provides a signed client assertion to authenticate against Microsoft Entra ID.
+        /// </summary>
+        /// <param name="tenantId">The Microsoft Entra tenant (directory) ID of the service principal.</param>
+        /// <param name="clientId">The client (application) ID of the service principal.</param>
+        /// <param name="managedIdentityId">The user-assigned managed identity which has been configured as a Federated Identity Credential (FIC).  May be a client id, resource id, or object id.</param>
+        /// <param name="azureCloud">
+        ///     The name of the cloud where the managed identity is configured.  Valid values are:
+        ///       <list type="bullet">
+        ///         <item>
+        ///           <term>public</term>
+        ///           <description>Entra ID Global cloud</description>
+        ///         </item>
+        ///         <item>
+        ///           <term>usgov</term>
+        ///           <description>Entra ID US Government</description>
+        ///         </item>
+        ///         <item>
+        ///           <term>china</term>
+        ///           <description>Entra ID China operated by 21Vianet</description>
+        ///         </item>
+        ///       </list>
+        /// </param>
+        /// <param name="additionallyAllowedTenants">The set of </param>
+        public ManagedFederatedIdentityCredential(string tenantId, string clientId, ManagedIdentityId managedIdentityId, string azureCloud, IEnumerable<string> additionallyAllowedTenants = default)
+            : this(tenantId, clientId, (object)managedIdentityId, azureCloud, additionallyAllowedTenants)
+        {
+        }
+
+        internal ManagedFederatedIdentityCredential(string tenantId, string clientId, object managedIdentityId, string azureCloud, IEnumerable<string> additionallyAllowedTenants = default)
+        {
+            ClientAssertionCredentialOptions clientAssertionOptions = null;
+
+            if (additionallyAllowedTenants != null)
+            {
+                clientAssertionOptions = new();
+
+                foreach (var tenant in additionallyAllowedTenants)
+                {
+                    clientAssertionOptions.AdditionallyAllowedTenants.Add(tenant);
+                }
+
+                AdditionallyAllowedTenants = clientAssertionOptions.AdditionallyAllowedTenants;
+            }
+            else
+            {
+                AdditionallyAllowedTenants = new List<string>();
+            }
+
+            _managedIdentityCredential = managedIdentityId switch
+            {
+                ManagedIdentityId objectId => new ManagedIdentityCredential(objectId),
+                ResourceIdentifier resourceId => new ManagedIdentityCredential(resourceId),
+                string managedClientId => new ManagedIdentityCredential(managedClientId),
+                _ => throw new ArgumentException($"Invalid managed identity ID type: {managedIdentityId.GetType()}", nameof(managedIdentityId))
+            };
+
+            _tokenContext = new TokenRequestContext([TranslateCloudToTokenScope(azureCloud)]);
+            _clientAssertionCredential = new ClientAssertionCredential(
+                tenantId,
+                clientId,
+                async _ =>
+                    (await _managedIdentityCredential
+                        .GetTokenAsync(_tokenContext)
+                        .ConfigureAwait(false))
+                    .Token,
+                clientAssertionOptions
+            );
+        }
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="ManagedFederatedIdentityCredential"/> class.
+        /// </summary>
+        protected ManagedFederatedIdentityCredential()
+        {
+        }
+
+        /// <inheritdoc />
+        public override AccessToken GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken) => _clientAssertionCredential.GetToken(requestContext, cancellationToken);
+
+        /// <inheritdoc />
+        public override ValueTask<AccessToken> GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken) => _clientAssertionCredential.GetTokenAsync(requestContext, cancellationToken);
+
+        private static string TranslateCloudToTokenScope(string azureCloud) =>
+            azureCloud switch
+            {
+                AzureCloud.Public => "api://AzureADTokenExchange/.default",
+                AzureCloud.USGov => "api://AzureADTokenExchangeUSGov/.default",
+                AzureCloud.China => "api://AzureADTokenExchangeChina/.default",
+                _ => throw new ArgumentException($"Unknown Azure cloud: {azureCloud}", nameof(azureCloud)),
+            };
+        }
+}