Include ManagedIdentitySource in managed identity error messages and request-failure logs #6101

Open: Robbie-Microsoft wants to merge 3 commits into main from dev/juliovi/mi-exception-source-in-message
@Robbie-Microsoft

Managed identity auth failures surface a host-issued correlation ID, but neither the error message nor the request-failure log identified which managed identity source (AppService, Imds, ServiceFabric, etc.) produced it — making live-site triage ambiguous across host telemetry systems.

Changes proposed in this request

  • AbstractManagedIdentity.cs
    • Request-failure log line now includes _sourceType:
      [Managed Identity] request failed, Source: AppService, HttpStatusCode: 500 Error message: ...
      
    • Correlation ID message now attributes the ID to the specific host:
      Managed Identity Correlation ID: <id> (issued by the 'AppService' managed identity source; search that source's telemetry with this correlation ID). Use this Correlation ID for further investigation.
      
    • Source is taken from the existing _sourceType field — no hardcoding, reflects the host detected at runtime.
  • CHANGELOG.md — added a ### Changes entry under the in-progress version.

Testing

  • Updated two [DataRow] entries in ManagedIdentityTestErrorResponseParsing to assert the new source-attribution phrase appears in the error message for correlation-ID-bearing responses.
  • Added ManagedIdentityErrorMessageAttributesCorrelationIdToSourceAsync — parametrized over AppService and Imds — to guard the correlation-ID attribution branch against regression across non-AppService sources. Asserts the full composed phrase (not just the source name) to prevent false passes from echoed error bodies.

No behavioral or auth changes — message/log content only. No public API surface changes.

Attribution / provenance

This PR carries @juliovi-1's original commits, cherry-picked unchanged onto main so he remains the git author of every commit (committer is the maintainer who moved them across). It replaces:

Since the repo squash-merges and squash preserves the branch commit author, the commit that lands on main will be authored by Julio.

Co-authored-by: Julio Villarreal Cantu juliovi@microsoft.com
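A consumer-side view of the two message shapes quoted in the description above, as an added example that is not code from this PR or from the library: it routes correlation IDs to the issuing source only when the full attribution phrase is present, the same reasoning the tests use to avoid false passes from echoed error bodies. The function names, regular expressions and sample messages are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Patterns follow the two message shapes quoted in the PR description.
FAILURE_RE = re.compile(
    r"\[Managed Identity\] request failed, Source: (?P<source>\w+), "
    r"HttpStatusCode: (?P<status>\w+)")
ATTRIBUTION_RE = re.compile(
    r"Managed Identity Correlation ID: (?P<cid>\S+) "
    r"\(issued by the '(?P<source>\w+)' managed identity source;")

def parse_failure(line):
    """Return (source, status) from a request-failure log line, else None."""
    m = FAILURE_RE.search(line)
    return (m["source"], m["status"]) if m else None

def attribute_correlation_id(message):
    """Return (correlation_id, source) only when the full attribution phrase
    is present; a source name merely echoed in the error body is ignored."""
    m = ATTRIBUTION_RE.search(message)
    return (m["cid"], m["source"]) if m else None

def group_by_source(messages):
    """Map each source to the correlation IDs it issued. Messages without the
    attribution phrase are collected under None for manual review."""
    routed = defaultdict(list)
    for msg in messages:
        hit = attribute_correlation_id(msg)
        if hit:
            routed[hit[1]].append(hit[0])
        else:
            routed[None].append(msg)
    return dict(routed)

# Constructed sample messages: IDs and error bodies are made up.
TAIL = ("managed identity source; search that source's telemetry with this "
        "correlation ID). Use this Correlation ID for further investigation.")
SAMPLES = [
    # Error body echoes "AppService", but the ID was issued by Imds.
    'Body: {"error":"AppService proxy unreachable"} Managed Identity '
    "Correlation ID: 00000000-0000-0000-0000-000000000001 "
    "(issued by the 'Imds' " + TAIL,
    "Managed Identity Correlation ID: 00000000-0000-0000-0000-000000000002 "
    "(issued by the 'AppService' " + TAIL,
    # Message without attribution: the body mentions Imds, nothing is inferred.
    "Imds returned an error. Managed Identity Correlation ID: "
    "00000000-0000-0000-0000-000000000003 Use this Correlation ID for "
    "further investigation.",
]
FAILURE_SAMPLE = ("[Managed Identity] request failed, Source: AppService, "
                  "HttpStatusCode: 500 Error message: upstream timeout")
```
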

…e logs

Managed identity authentication failures surface a host-issued
'Managed Identity Correlation ID', but the message did not indicate which
managed identity source (AppService, Imds, ServiceFabric, etc.) produced it,
making it ambiguous which host's telemetry to search during investigations.

This change appends the detected ManagedIdentitySource to both the
request-failure log line and the customer-facing correlation ID message,
so the correlation ID can be traced to the correct host's telemetry.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 1, 2026 20:41
@Robbie-Microsoft Robbie-Microsoft requested a review from a team as a code owner July 1, 2026 20:41
juliovi-1 and others added 2 commits July 1, 2026 16:42
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…ions

- Assert the full composed phrase ("issued by the '<source>' managed
  identity source") instead of the bare source name, so the check is
  position-independent and cannot pass if the source name merely appears
  in the echoed error body.
- Add ManagedIdentityErrorMessageAttributesCorrelationIdToSourceAsync
  covering a non-AppService source (Imds) to guard the source-agnostic
  correlation-ID branch against regression.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Copilot AI left a comment

Pull request overview

This PR improves managed identity diagnostics by including the detected ManagedIdentitySource in both managed identity request-failure logs and correlation-ID-bearing error messages, making live-site triage unambiguous when correlating with host telemetry.

Changes:

  • Include _sourceType in the managed identity request-failure log line.
  • Attribute host-issued Managed Identity Correlation ID messages to the specific managed identity source.
  • Extend unit tests to assert the new source-attribution text and add a cross-source regression test (AppService + IMDS).

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

Files and descriptions:

  • src/client/Microsoft.Identity.Client/ManagedIdentity/AbstractManagedIdentity.cs: Adds managed identity source attribution to request-failure logs and correlation-ID error message text.
  • tests/Microsoft.Identity.Test.Unit/ManagedIdentityTests/ManagedIdentityTests.cs: Updates existing parsing assertions and adds a parameterized test to guard the correlation-ID attribution behavior across sources.
  • CHANGELOG.md: Adds a release note describing the new source attribution in MI diagnostics.

Comment thread CHANGELOG.md
Copilot AI review requested due to automatic review settings July 1, 2026 20:43

Copilot AI left a comment

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated no new comments.

@Robbie-Microsoft Robbie-Microsoft enabled auto-merge (squash) July 1, 2026 20:46