Enable e2e tests in CI pipeline + fix interactive-test skip logic for ADO

- tests/test_e2e.py:
  - Add TF_BUILD to _SKIP_UNATTENDED_E2E_TESTS so acquire_token_interactive()
    and acquire_token_by_device_flow() tests skip on ADO (no browser/display),
    preventing hangs in SshCertTestCase.test_user_account, AtPopWithExternalKey,
    and any other interactive test method that runs on a headless agent.
  - Remove the class-level @unittest.skipIf(TF_BUILD) from PublicCloudScenariosTestCase
    now that the class uses lab config instead of the old config.json. The tests
    can now run on ADO when LAB_APP_CLIENT_ID is set.
  - Add a LAB_APP_CLIENT_ID guard in PublicCloudScenariosTestCase.setUpClass()
    so the class raises unittest.SkipTest (not EnvironmentError) when the env var
    is absent, giving the same clean-skip behaviour as LabBasedTestCase.

- .Pipelines/template-pipeline-stages.yml:
  - Uncomment LAB_APP_CLIENT_ID: \ in the 'Run tests' env block.
    Service-principal / ROPC e2e tests now run when the pipeline variable is set;
    interactive tests remain skipped on ADO via the _SKIP_UNATTENDED_E2E_TESTS fix.

- .Pipelines/ADO-PUBLISH-SETUP.md:
  - Add Step 5b documenting how to set the LAB_APP_CLIENT_ID pipeline variable
    and link to docs.msidlab.com for the client ID value.

Author: RyAuld

.Pipelines/ADO-PUBLISH-SETUP.md

@@ -250,6 +250,38 @@ Environments let you add approval gates before the deployment jobs run.
 
 ---
 
+## Step 5b — Configure Pipeline Variables for E2E Tests (Optional)
+
+The CI stage can run the full MSID Lab-backed integration test suite if two pipeline
+variables are configured. Without them the `LabBasedTestCase` tests gracefully skip
+(the build still passes).
+
+| Variable | Where to get the value |
+|----------|----------------------|
+| `LAB_APP_CLIENT_ID` | The client ID of the lab confidential client app. See [https://docs.msidlab.com/accounts/confidentialclient.html](https://docs.msidlab.com/accounts/confidentialclient.html). |
+
+The matching PFX certificate (`LabAuth`) is already in the `msidlabs` Key Vault and
+is retrieved at run time by the `AzureKeyVault@2` step (which uses the
+`AuthSdkResourceManager` service connection). The cert path is automatically exported
+to `LAB_APP_CLIENT_CERT_PFX_PATH` — you do **not** set that variable manually.
+
+**To add `LAB_APP_CLIENT_ID`:**
+
+1. Open the pipeline → **Edit → Variables** (top-right `⋮` menu → **Variables**).
+2. Click **+** → Name: `LAB_APP_CLIENT_ID`, Value: *(lab app client ID from docs.msidlab.com)*.
+3. Leave **Secret** unchecked (it is a client ID, not a secret).
+4. Click **Save**.
+
+Also make sure the `AuthSdkResourceManager` service connection is authorized for
+this pipeline (prerequisite in Step 1) — it is used to retrieve the lab certificate
+from the `msidlabs` Key Vault from which the cert path variable is populated.
+
+> **Without this variable:** All `LabBasedTestCase` integration tests are automatically
+> skipped (`SkipTest`). The build passes with the same 228 unit-test passing, ~50 skipped
+> result as the PR gate.
+
+---
+
 ## Step 6 — Authorize Pipelines to use Service Connections
 
 When the pipeline first uses a service connection you may be prompted to

.Pipelines/template-pipeline-stages.yml

@@ -183,13 +183,12 @@ stages:
         pytest -vv --junitxml=test-results/junit.xml 2>&1 | tee test-results/pytest.log
       displayName: 'Run tests'
       env:
-        # LAB_APP_CLIENT_ID is intentionally omitted to match the PR gate build
-        # behaviour (azure-pipelines.yml). Without it, _get_credential() in
-        # lab_config.py raises EnvironmentError and all e2e tests skip or error
-        # gracefully — identical to the PR build result.
-        # Uncomment and set this variable to enable full e2e runs on a
-        # lab-capable agent pool (requires CA-exempt network / internal agent).
-        # LAB_APP_CLIENT_ID: $(LAB_APP_CLIENT_ID)
+        # LAB_APP_CLIENT_ID enables e2e tests against the MSID Lab infrastructure.
+        # Must be set as a pipeline variable to the lab app's client ID
+        # (see https://docs.msidlab.com/accounts/confidentialclient.html).
+        # The matching certificate is retrieved from Key Vault by the steps above.
+        # When unset, all LabBasedTestCase tests skip gracefully.
+        LAB_APP_CLIENT_ID: $(LAB_APP_CLIENT_ID)
         LAB_APP_CLIENT_CERT_PFX_PATH: $(LAB_APP_CLIENT_CERT_PFX_PATH)
 
     - task: PublishTestResults@2

tests/test_e2e.py

@@ -44,7 +44,15 @@
 
 _PYMSALRUNTIME_INSTALLED = is_pymsalruntime_installed()
 _AZURE_CLI = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"
-_SKIP_UNATTENDED_E2E_TESTS = os.getenv("TRAVIS") or not os.getenv("CI")
+# Skip interactive / browser-dependent tests when:
+#   - on Travis CI (TRAVIS), or
+#   - on Azure DevOps (TF_BUILD) where there is no display/browser on the agent, or
+#   - not running in any CI environment at all (not CI).
+# Service-principal and ROPC tests are NOT gated on this flag; only tests that
+# call acquire_token_interactive() or acquire_token_by_device_flow() are.
+_SKIP_UNATTENDED_E2E_TESTS = (
+    os.getenv("TRAVIS") or os.getenv("TF_BUILD") or not os.getenv("CI")
+)
 
 def _get_app_and_auth_code(
         client_id,
@@ -329,13 +337,17 @@ def test_access_token_should_be_obtained_for_a_supported_scope(self):
         self.assertIsNotNone(result.get("access_token"))
 
 
-@unittest.skipIf(os.getenv("TF_BUILD"), "Skip PublicCloud scenarios on Azure DevOps")
 class PublicCloudScenariosTestCase(E2eTestCase):
     # Historically this class was driven by tests/config.json for semi-automated runs.
-    # It now uses lab config + env vars so it can run automatically without local files.
+    # It now uses lab config + env vars so it can run automatically on any CI
+    # (including Azure DevOps) as long as LAB_APP_CLIENT_ID and
+    # LAB_APP_CLIENT_CERT_PFX_PATH are set.
 
     @classmethod
     def setUpClass(cls):
+        if not os.getenv("LAB_APP_CLIENT_ID"):
+            raise unittest.SkipTest(
+                "LAB_APP_CLIENT_ID not set; skipping PublicCloud e2e tests")
         pca_app = get_app_config(AppSecrets.PCA_CLIENT)
         user = get_user_config(UserSecrets.PUBLIC_CLOUD)
         cls.config = {