Include ManagedIdentitySource in managed identity error messages and request-failure logs#6095
Conversation
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
This PR improves managed identity diagnostics by including the detected ManagedIdentitySource in both request-failure logs and customer-facing error messages when a host-issued managed identity correlation ID is present, making correlation IDs actionable during live-site investigations.
Changes:
- Added
ManagedIdentitySourceto the managed identity request-failure error log line. - Appended
ManagedIdentitySourcecontext to the “Managed Identity Correlation ID” portion of the error message (when correlation ID is present). - Updated unit tests and changelog entry to reflect the new message/log content.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| src/client/Microsoft.Identity.Client/ManagedIdentity/AbstractManagedIdentity.cs | Adds _sourceType to request-failure logging and correlation-ID error message text. |
| tests/Microsoft.Identity.Test.Unit/ManagedIdentityTests/ManagedIdentityTests.cs | Updates expected substrings in parsing tests to assert the new source/context text. |
| CHANGELOG.md | Documents the diagnostic message/log enhancement under the in-progress release section. |
|
LGTM. @gladjohn , @Robbie-Microsoft - pls review as well. @Robbie-Microsoft - pls help merge this in once all ok. |
…e logs Managed identity authentication failures surface a host-issued 'Managed Identity Correlation ID', but the message did not indicate which managed identity source (AppService, Imds, ServiceFabric, etc.) produced it, making it ambiguous which host's telemetry to search during investigations. This change appends the detected ManagedIdentitySource to both the request-failure log line and the customer-facing correlation ID message, so the correlation ID can be traced to the correct host's telemetry. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
ecedc6a to
7577185
Compare
…ions
- Assert the full composed phrase ("issued by the '<source>' managed
identity source") instead of the bare source name, so the check is
position-independent and cannot pass if the source name merely appears
in the echoed error body.
- Add ManagedIdentityErrorMessageAttributesCorrelationIdToSourceAsync
covering a non-AppService source (Imds) to guard the source-agnostic
correlation-ID branch against regression.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
|
Thanks @juliovi-1. Since this repo doesn't allow fork branches to be merged, I moved your work into a same-repo branch in #6101 by cherry-picking your commits unchanged — you remain the git author of every commit (I'm only the committer). This repo squash-merges, and squash preserves the branch commit author, so the commit that lands on main will be authored by you. Your Co-authored-by: Copilot trailers are preserved too. Verified locally: the managed-identity error/log tests pass (13/13) on current main. Closing this in favor of #6101 — please review there. |
Summary
Managed identity authentication failures surface a host-issued Managed Identity Correlation ID, but neither the customer-facing error message nor the request-failure log indicated which managed identity source (
AppService,Imds,ServiceFabric,AzureArc,CloudShell,MachineLearning, etc.) produced that correlation ID. During live-site investigations this is ambiguous: each host emits its correlation ID into its own telemetry, so without the source you don't know which host's telemetry to search.This change appends the detected
ManagedIdentitySourceto:[Managed Identity] request failed, Source: {source}, ...), andThe source is taken from the existing
_sourceTypevalue already known toAbstractManagedIdentityat runtime — it is not hardcoded; the value reflects the host detected at runtime.Motivation
We recently root-caused a
ManagedIdentityCredential authentication failedincident where the failure originated in the host (App Service) with anAADSTS500011resource-principal-not-found error. The host-issued correlation ID was present, but the exception did not say it came from the App Service host, slowing down the investigation. Surfacing the source makes the correlation ID directly actionable.Changes
AbstractManagedIdentity.cs: include_sourceTypein the request-failure log line and in the correlation ID message (only when a host correlation ID is present).ManagedIdentityTests.cs: updatedManagedIdentityTestErrorResponseParsingrows that carry a hostcorrelationIdto assert the source (AppService) and the new explanatory text appear in the message.CHANGELOG.md: added a### Changesentry under the in-progress version.Testing
ManagedIdentityTestErrorResponseParsing— all rows pass.ManagedIdentityTestWrongScopeAsync(cross-source regression coverage) — passes.Microsoft.Identity.Clientis clean; no public API surface changes.Notes