Skip to content

Include ManagedIdentitySource in managed identity error messages and request-failure logs#6095

Closed
juliovi-1 wants to merge 4 commits into
AzureAD:mainfrom
juliovi-1:dev/juliovi/mi-exception-source-in-message
Closed

Include ManagedIdentitySource in managed identity error messages and request-failure logs#6095
juliovi-1 wants to merge 4 commits into
AzureAD:mainfrom
juliovi-1:dev/juliovi/mi-exception-source-in-message

Conversation

@juliovi-1

Copy link
Copy Markdown

Summary

Managed identity authentication failures surface a host-issued Managed Identity Correlation ID, but neither the customer-facing error message nor the request-failure log indicated which managed identity source (AppService, Imds, ServiceFabric, AzureArc, CloudShell, MachineLearning, etc.) produced that correlation ID. During live-site investigations this is ambiguous: each host emits its correlation ID into its own telemetry, so without the source you don't know which host's telemetry to search.

This change appends the detected ManagedIdentitySource to:

  • the request-failure log line ([Managed Identity] request failed, Source: {source}, ...), and
  • the customer-facing correlation ID message, clarifying that the correlation ID should be searched in that source's telemetry.

The source is taken from the existing _sourceType value already known to AbstractManagedIdentity at runtime — it is not hardcoded; the value reflects the host detected at runtime.

Motivation

We recently root-caused a ManagedIdentityCredential authentication failed incident where the failure originated in the host (App Service) with an AADSTS500011 resource-principal-not-found error. The host-issued correlation ID was present, but the exception did not say it came from the App Service host, slowing down the investigation. Surfacing the source makes the correlation ID directly actionable.

Changes

  • AbstractManagedIdentity.cs: include _sourceType in the request-failure log line and in the correlation ID message (only when a host correlation ID is present).
  • ManagedIdentityTests.cs: updated ManagedIdentityTestErrorResponseParsing rows that carry a host correlationId to assert the source (AppService) and the new explanatory text appear in the message.
  • CHANGELOG.md: added a ### Changes entry under the in-progress version.

Testing

  • ManagedIdentityTestErrorResponseParsing — all rows pass.
  • ManagedIdentityTestWrongScopeAsync (cross-source regression coverage) — passes.
  • Local build of Microsoft.Identity.Client is clean; no public API surface changes.

Notes

  • No behavioral/auth changes — message/log content only.
  • The CHANGELOG link placeholder will be updated with this PR number.

Copilot AI review requested due to automatic review settings June 29, 2026 23:45
@juliovi-1
juliovi-1 requested a review from a team as a code owner June 29, 2026 23:45
juliovi-1 added a commit to juliovi-1/microsoft-authentication-library-for-dotnet that referenced this pull request Jun 29, 2026
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR improves managed identity diagnostics by including the detected ManagedIdentitySource in both request-failure logs and customer-facing error messages when a host-issued managed identity correlation ID is present, making correlation IDs actionable during live-site investigations.

Changes:

  • Added ManagedIdentitySource to the managed identity request-failure error log line.
  • Appended ManagedIdentitySource context to the “Managed Identity Correlation ID” portion of the error message (when correlation ID is present).
  • Updated unit tests and changelog entry to reflect the new message/log content.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File Description
src/client/Microsoft.Identity.Client/ManagedIdentity/AbstractManagedIdentity.cs Adds _sourceType to request-failure logging and correlation-ID error message text.
tests/Microsoft.Identity.Test.Unit/ManagedIdentityTests/ManagedIdentityTests.cs Updates expected substrings in parsing tests to assert the new source/context text.
CHANGELOG.md Documents the diagnostic message/log enhancement under the in-progress release section.

@bgavrilMS

Copy link
Copy Markdown
Member

LGTM. @gladjohn , @Robbie-Microsoft - pls review as well. @Robbie-Microsoft - pls help merge this in once all ok.

juliovi-1 and others added 2 commits July 1, 2026 12:44
…e logs

Managed identity authentication failures surface a host-issued
'Managed Identity Correlation ID', but the message did not indicate which
managed identity source (AppService, Imds, ServiceFabric, etc.) produced it,
making it ambiguous which host's telemetry to search during investigations.

This change appends the detected ManagedIdentitySource to both the
request-failure log line and the customer-facing correlation ID message,
so the correlation ID can be traced to the correct host's telemetry.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@bgavrilMS
bgavrilMS force-pushed the dev/juliovi/mi-exception-source-in-message branch from ecedc6a to 7577185 Compare July 1, 2026 11:45
Comment thread tests/Microsoft.Identity.Test.Unit/ManagedIdentityTests/ManagedIdentityTests.cs Outdated
Comment thread tests/Microsoft.Identity.Test.Unit/ManagedIdentityTests/ManagedIdentityTests.cs Outdated
Copilot AI review requested due to automatic review settings July 1, 2026 16:32

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated no new comments.

…ions

- Assert the full composed phrase ("issued by the '<source>' managed
  identity source") instead of the bare source name, so the check is
  position-independent and cannot pass if the source name merely appears
  in the echoed error body.
- Add ManagedIdentityErrorMessageAttributesCorrelationIdToSourceAsync
  covering a non-AppService source (Imds) to guard the source-agnostic
  correlation-ID branch against regression.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated no new comments.

@Robbie-Microsoft

Copy link
Copy Markdown
Contributor

Thanks @juliovi-1. Since this repo doesn't allow fork branches to be merged, I moved your work into a same-repo branch in #6101 by cherry-picking your commits unchanged — you remain the git author of every commit (I'm only the committer). This repo squash-merges, and squash preserves the branch commit author, so the commit that lands on main will be authored by you. Your Co-authored-by: Copilot trailers are preserved too.

Verified locally: the managed-identity error/log tests pass (13/13) on current main. Closing this in favor of #6101 — please review there.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants