Update proposal document for GetManagedIdentityCapabilitiesAsync #6040
Merged
Contributor
Pull request overview
This PR adds a new proposal document describing a planned API rename/expansion for managed identity “capability discovery” and a new request-level enforcement knob (WithMinStrength) for mTLS PoP binding strength.
Changes:
- Introduces a proposal for `GetManagedIdentityCapabilitiesAsync` and a new `ManagedIdentityCapabilities` return type.
- Proposes `WithMinStrength(MtlsBindingStrength)` for managed identity and confidential client token builders, with “floor assertion” semantics.
- Documents API surface impact, acceptance criteria, and open design questions.
bgavrilMS reviewed May 28, 2026
bgavrilMS approved these changes May 28, 2026
- Fix namespace: ManagedIdentityApplication lives in Microsoft.Identity.Client (not .ManagedIdentity) (Copilot)
- Drop `build/` from `fail at build/request time`; no analyzer is planned (Copilot)
- Rename `EphemeralSoftware` -> `Software`: software path uses persisted CNG keys on Windows (CreateWindowsPersistedRsa), not in-memory (Copilot)
- Collapse ImdsV1FailureReason + ImdsV2FailureReason into single `ErrorReason` to avoid coupling the public surface to v1/v2 (Bogdan)
- Remove the [Obsolete] shim section; no external callers, just delete the old API (Bogdan)
- Replace `IReadOnlyList<MtlsBindingStrength> SupportedBindingStrengths` with scalar `MaxSupportedBindingStrength`: MSAL always picks the host max, list adds no value to consumers (Bogdan)
- Add `Alternatives considered` section for WithMinStrength shape (chained vs overload vs PoPOptions) (Bogdan)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Resolve open question #1: keep the boolean alongside MaxSupportedBindingStrength. The bool is the single, callable check the Azure SDK chain already wants (can this host do PoP at all?); MaxSupportedBindingStrength is the finer-grained signal for callers that care about the strength tier. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Shared by managed identity and confidential client, so the enum belongs in AppConfig rather than the MI sub-namespace. Resolves open question #3. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Replace WithMinStrength chained builder with an overload of the existing
WithMtlsProofOfPossession that takes a PoPOptions { MinStrength } bag.
Keeps the builder surface stable and lets future PoP knobs (custom binding
key, attestation level, etc.) land on PoPOptions rather than growing
the builder.
- PoPOptions class added in Microsoft.Identity.Client.AppConfig (alongside MtlsBindingStrength)
- MinStrength defaults to Bearer (no floor); same behavior as the parameterless overload
- Semantics table updated to key off PoPOptions.MinStrength
- Sample usage shows the single-call form
- Acceptance criteria updated (PoPOptions class + test for default behavior)
- Alternatives section marked with the chosen shape
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Phase 1 (discovery) vs Phase 2 (PoPOptions floor) split; Phase 1 unblocks AKV.
- Build on PR #6026 (compute-metadata host check, already VM-validated).
- IsMtlsPopSupportedByHost is derived (> Bearer) and is NOT attestation.
- Fold ManagedIdentitySource.ImdsV2 into Imds; note AKS + bearer-over-v2.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Robbie-Microsoft approved these changes Jun 2, 2026
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Robbie-Microsoft added a commit that referenced this pull request Jun 3, 2026
…gelog link
- Serialize GetManagedIdentityCapabilitiesAsync with a static SemaphoreSlim so concurrent first calls don't issue redundant IMDS probes or provision the binding key more than once (non-blocking fast-path acquire preserves the existing HTTP-probe cancellation point).
- Remove 'MSAL' from the IMDS-unavailable error message.
- Enrich the mtls_pop_requires_keyguard message with actionable VBS/KeyGuard guidance (error code unchanged).
- Fix CHANGELOG entry to link this PR (#6049) instead of the proposal (#6040).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
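The two mechanisms the commit messages above describe, first-call capability discovery serialized behind a static SemaphoreSlim (with a non-blocking fast-path acquire so the only cancellable await is the probe itself) and the PoPOptions.MinStrength floor assertion, as an added C# illustration that is not MSAL's code. `CapabilityProbe`, `probeHost`, `AssertFloor` and the `KeyGuard` enum member are assumed names, and the ordering of the strength values is an assumption.

```csharp
// Added illustration, not MSAL.NET code. Names marked below are assumptions.
using System;
using System.Threading;
using System.Threading.Tasks;

// Bearer and Software come from the proposal; KeyGuard and the ordering are assumed.
public enum MtlsBindingStrength { Bearer = 0, Software = 1, KeyGuard = 2 }

public sealed class ManagedIdentityCapabilities
{
    public MtlsBindingStrength MaxSupportedBindingStrength { get; init; }

    // Derived signal only: anything above Bearer means the host can do mTLS PoP.
    // This is a capability check, not attestation.
    public bool IsMtlsPopSupportedByHost => MaxSupportedBindingStrength > MtlsBindingStrength.Bearer;
}

public static class CapabilityProbe // hypothetical name
{
    private static readonly SemaphoreSlim s_gate = new(1, 1);
    private static ManagedIdentityCapabilities? s_cached;

    // probeHost stands in for the IMDS / compute-metadata probe (hypothetical delegate).
    public static async Task<ManagedIdentityCapabilities> GetAsync(
        Func<CancellationToken, Task<MtlsBindingStrength>> probeHost, CancellationToken ct)
    {
        if (s_cached is { } hit) return hit;              // warm path: no lock, no probe

        // Fast path: try a non-blocking acquire; only fall back to the cancellable
        // async wait when another first call already holds the gate.
        if (!s_gate.Wait(0))
            await s_gate.WaitAsync(ct).ConfigureAwait(false);
        try
        {
            if (s_cached is { } raced) return raced;      // a concurrent first call finished
            var max = await probeHost(ct).ConfigureAwait(false); // the HTTP-probe cancellation point
            s_cached = new ManagedIdentityCapabilities { MaxSupportedBindingStrength = max };
            return s_cached;
        }
        finally { s_gate.Release(); }
    }

    // Floor assertion: PoPOptions.MinStrength defaults to Bearer (no floor); a higher
    // floor fails at request time when the host cannot reach it.
    public static void AssertFloor(ManagedIdentityCapabilities caps, MtlsBindingStrength minStrength)
    {
        if (caps.MaxSupportedBindingStrength < minStrength)
            throw new InvalidOperationException(
                $"Host supports at most {caps.MaxSupportedBindingStrength}; MinStrength {minStrength} cannot be met.");
    }
}
```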
bgavrilMS reviewed Jun 3, 2026
bgavrilMS requested changes Jun 3, 2026
bgavrilMS (Member) left a comment
Agreed with the API proposals, but not with this document. The document should only capture the API proposals, the devex, the "why". Not the nitty-gritty implementation detail, history of who built what, what was there before etc. The code + version history has all that.
…endix Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
bgavrilMS approved these changes Jun 3, 2026