From 64adb3f08b21c199f2bc5fd3bde4a830f5db2a06 Mon Sep 17 00:00:00 2001
From: Nick Stenning
Date: Thu, 14 Feb 2019 15:49:25 +0100
Subject: [PATCH] Support using MSI to fetch Key Vault access tokens

In situations requiring cross-tenant auth, it is currently not possible to use MSI to fetch an access token directly. In these scenarios, it would be helpful to be able to use a client certificate grant, but with the certificate stored in Key Vault. Currently, this workflow is supported, but only for "development-like" environments (i.e. through the Visual Studio or Azure CLI token flows). This commit makes it possible for a service to use its managed identity to retrieve a Key Vault access token for client certificate grants.
---
 .../Clients/KeyVault/KeyVaultClient.cs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/SdkCommon/AppAuthentication/Azure.Services.AppAuthentication/Clients/KeyVault/KeyVaultClient.cs b/src/SdkCommon/AppAuthentication/Azure.Services.AppAuthentication/Clients/KeyVault/KeyVaultClient.cs
index fa7ebdc36293..755bf15edc82 100644
--- a/src/SdkCommon/AppAuthentication/Azure.Services.AppAuthentication/Clients/KeyVault/KeyVaultClient.cs
+++ b/src/SdkCommon/AppAuthentication/Azure.Services.AppAuthentication/Clients/KeyVault/KeyVaultClient.cs
@@ -174,6 +174,7 @@ private List GetTokenProviders(stri
 string azureAdInstance = UriHelper.GetAzureAdInstanceByAuthority(authority);
 tokenProviders = new List
 {
+ new MsiAccessTokenProvider(),
 new VisualStudioAccessTokenProvider(new ProcessManager()),
 new AzureCliAccessTokenProvider(new ProcessManager()),
 #if FullNetFx
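Review bot: The new `new MsiAccessTokenProvider(),` entry is placed first in the list, and nothing in the hunk documents that list order is the fallback order or why the managed identity should take precedence over the Visual Studio and Azure CLI flows. GetTokenProviders begins and ends outside the hunk, so the loop that consumes the list is not visible; if the providers are tried in sequence, a developer machine now goes through a failed managed-identity attempt before reaching its usual provider, and a hosted service will start using its managed identity to read the client certificate from Key Vault, so that identity should be granted read access to that one secret and nothing broader. I would add a comment above the entry such as `// Tried in order: managed identity first for hosted services, then the developer flows (Visual Studio, Azure CLI).` and, since the diffstat shows only this file, a test that pins the fallback when no managed-identity endpoint is reachable. The provider is also constructed without arguments, so which identity is used on a host that has more than one does not appear to be selectable from this call site; worth confirming that is intended.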