[FEATURE REQ] Provide ManagedIdentityCredentialOptions.ExcludeWorkloadIdentityCredential boolean option

[dgkanatsios]

Library name

Azure.Identity

Please describe the feature.

We are currently trying to use the feature described here which essentially allows you to use a Managed Identity (MI) to authenticate towards an Azure Active Directory app registration. However, in case this MI is also used as a Workload Identity in an AKS cluster, we cannot use the ManagedIdentityCredential class as described in the blog post.

Reason is that in the current Azure.Identity implementation, if you use ManagedIdentityCredential or WorkloadIdentityCredential, you'll get the workload identity token (https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/src/ManagedIdentityClient.cs#L127)). This token, however, is already a federated identity token so it cannot be used for token exchange again, since this is FIC chaining which is not allowed by AAD.

The workaround right now is to use DefaultAzureCredentials in this way

 var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions()
        {
            ExcludeWorkloadIdentityCredential = true,
            ExcludeEnvironmentCredential = true,
            ManagedIdentityClientId = miClientId
        });

However, DefaultAzureCredentials should not be used in production as per guidance so it would be great if we have this support in the ManagedIdentityCredential class.

Update: this is the error message one would get

ClientAssertionCredential authentication failed: A configuration issue is preventing authentication - check the error message from the server for 
details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details.  Original exception: AADSTS700231: Token obtained using a federated identity credential may    
not be used as a federated identity credential

[github-actions]

Hello @dgkanatsios. I'm an AI assistant for the azure-sdk-for-net repository. I have some suggestions that you can try out while the team gets back to you.

Feature Request Analysis

• You are requesting a boolean option (ExcludeWorkloadIdentityCredential) on ManagedIdentityCredentialOptions to prevent selecting a workload identity token when the MI is shared with an AKS workload identity.
• This would enable direct use of ManagedIdentityCredential without inadvertently acquiring a federated token that cannot be exchanged further.
• As a temporary workaround, you correctly use DefaultAzureCredential with exclusions:

  var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions()
  {
      ExcludeWorkloadIdentityCredential = true,
      ExcludeEnvironmentCredential = true,
      ManagedIdentityClientId = miClientId
  });

• For production scenarios, following the usage guidance for DefaultAzureCredential is generally not recommended; hence, native support in ManagedIdentityCredential would be beneficial.
• We will evaluate adding an option in ManagedIdentityCredentialOptions to exclude workload identity tokens, similar to the behavior used in DefaultAzureCredential.
• Additional context on the scenario can be found in the Access cloud resources across tenants without secrets blog post.

Thank you for this suggestion; it will help improve clarity and functionality for scenarios where managed identity is also a workload identity.

The team will get back to you shortly, hopefully this helps in the meantime.