update

Author: seanmcc-msft

sdk/storage/Azure.Storage.Blobs/tests/BlobSasTests.cs

@@ -285,6 +285,7 @@ public async Task ContainerIdentitySas_AllPermissions()
         }
 
         [RecordedTest]
+        [LiveOnly] // Cannot record Entra ID token
         [ServiceVersion(Min = BlobClientOptions.ServiceVersion.V2026_02_06)]
         public async Task ContainerIdentitySAS_DelegatedObjectId()
         {
@@ -303,11 +304,11 @@ public async Task ContainerIdentitySAS_DelegatedObjectId()
             // We need to get the object ID from the token credential used to authenticate the request
             TokenCredential tokenCredential = TestEnvironment.Credential;
             AccessToken accessToken = await tokenCredential.GetTokenAsync(
-                new TokenRequestContext(new[] { "https://storage.azure.com/.default" }),
+                new TokenRequestContext(Scopes),
                 CancellationToken.None);
 
             JwtSecurityToken jwtSecurityToken = new JwtSecurityTokenHandler().ReadJwtToken(accessToken.Token);
-            jwtSecurityToken.Payload.TryGetValue("oid", out object objectId);
+            jwtSecurityToken.Payload.TryGetValue(Constants.Sas.ObjectId, out object objectId);
 
             BlobSasBuilder blobSasBuilder = new BlobSasBuilder(BlobContainerSasPermissions.Read, Recording.UtcNow.AddHours(1))
             {
@@ -333,6 +334,7 @@ public async Task ContainerIdentitySAS_DelegatedObjectId()
         }
 
         [RecordedTest]
+        [LiveOnly] // Cannot record Entra ID token
         [ServiceVersion(Min = BlobClientOptions.ServiceVersion.V2026_02_06)]
         public async Task ContainerIdentitySAS_DelegatedObjectId_Fail()
         {
@@ -351,11 +353,11 @@ public async Task ContainerIdentitySAS_DelegatedObjectId_Fail()
             // We need to get the object ID from the token credential used to authenticate the request
             TokenCredential tokenCredential = TestEnvironment.Credential;
             AccessToken accessToken = await tokenCredential.GetTokenAsync(
-                new TokenRequestContext(new[] { "https://storage.azure.com/.default" }),
+                new TokenRequestContext(Scopes),
                 CancellationToken.None);
 
             JwtSecurityToken jwtSecurityToken = new JwtSecurityTokenHandler().ReadJwtToken(accessToken.Token);
-            jwtSecurityToken.Payload.TryGetValue("oid", out object objectId);
+            jwtSecurityToken.Payload.TryGetValue(Constants.Sas.ObjectId, out object objectId);
 
             BlobSasBuilder blobSasBuilder = new BlobSasBuilder(BlobContainerSasPermissions.Read, Recording.UtcNow.AddHours(1))
             {

sdk/storage/Azure.Storage.Common/src/Shared/Constants.cs

@@ -539,6 +539,8 @@ internal static class QuickQuery
         /// </summary>
         internal static class Sas
         {
+            public const string ObjectId = "oid";
+
             internal static class Permissions
             {
                 public const char Read = 'r';

sdk/storage/Azure.Storage.Common/tests/Shared/StorageTestBase.cs

@@ -406,12 +406,14 @@ public async Task<string> GetAuthToken(string[] scopes = default, TenantConfigur
                 return "auth token";
             }
 
-            scopes ??= new string[] { "https://storage.azure.com/.default" };
+            scopes ??= scopes;
             TokenRequestContext tokenRequestContext = new TokenRequestContext(scopes);
             AccessToken accessToken = await TestEnvironment.Credential.GetTokenAsync(tokenRequestContext, CancellationToken.None);
             return accessToken.Token;
         }
 
+        public string[] Scopes => ["https://storage.azure.com/.default"];
+
         public string CreateRandomDirectory(string parentPath, string directoryName = default)
         {
             return Directory.CreateDirectory(Path.Combine(parentPath, string.IsNullOrEmpty(directoryName) ? Recording.Random.NewGuid().ToString() : directoryName)).FullName;