Skip to content

[Feature Request] Drop Azure.Identity dependency in Microsoft.Identity.Web.Certificate in favor of Azure.Core 1.53.0+ #3791

Description

@cmenzi

Microsoft.Identity.Web.Certificate (and consequently Microsoft.Identity.Web, Microsoft.Identity.Web.TokenAcquisition,
Microsoft.Identity.Web.GraphServiceClient) takes a direct PackageReference on Azure.Identity. Starting with Azure.Core 1.53.0, the identity
credential types (DefaultAzureCredential, ClientSecretCredential, etc.) are type-forwarded into Azure.Core itself. Consumers that end up with both
assemblies on their compilation input now hit CS0433 duplicate-type errors.

This makes Microsoft.Identity.Web 4.8.0 effectively incompatible with Microsoft.Extensions.Azure 1.14.0 (and any other package that depends on
Azure.Core ≥ 1.53.0) unless consumers apply a workaround in every affected project.

Minimal repro:

<Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup><TargetFramework>net10.0</TargetFramework></PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Microsoft.Extensions.Azure" Version="1.14.0" />
    <PackageReference Include="Microsoft.Identity.Web" Version="4.8.0" />
  </ItemGroup>
</Project>

Any source file referencing DefaultAzureCredential (or similar) fails with:

error CS0433: The type 'DefaultAzureCredential' exists in both
  'Azure.Core, Version=1.53.0.0, ...' and
  'Azure.Identity, Version=1.21.0.0, ...'

Describe the solution you'd like

Replace the Azure.Identity PackageReference in Microsoft.Identity.Web.Certificate with Azure.Core ≥ 1.53.0. The identity credential types that
Microsoft.Identity.Web.Certificate consumes are type-forwarded by Azure.Core 1.53.0, so no source changes should be required beyond the .csproj
update.

Existing consumers that directly reference Azure.Identity remain unaffected — they just stop getting it transitively from the Microsoft.Identity.Web.*
chain, which eliminates one transitive source of the CS0433 clash.

Describe alternatives you've considered

  1. Per-project ExcludeAssets workaround (current): downstream consumers add the following to every project that compiles code using the identity
    credential types, to suppress the transitive Azure.Identity assembly:

    <PackageReference Include="Azure.Identity" Version="1.21.0"
                      ExcludeAssets="all" PrivateAssets="all" />

    This is fragile and verbose — it has to be repeated in every leaf project because NuGet only honors ExcludeAssets on a direct PackageReference.

  2. Pinning Azure.Core to 1.52.0: prevents the clash by avoiding the type-forwarding version entirely, but also blocks adoption of any Azure SDK
    package that requires Azure.Core ≥ 1.53.0 (e.g., Microsoft.Extensions.Azure 1.14.0, the upcoming Microsoft.Data.SqlClient.Extensions.Azure
    7.1.0-preview1).

  3. Waiting for Azure.Identity itself to re-align with Azure.Core 1.53.0: doesn't solve the duplication at compile time — both assemblies still
    ship the same types.

None of these alternatives are as clean as simply dropping the Azure.Identity dependency upstream.

Additional context

  • PR #3787 updates Azure.Identity versions but does not drop the dependency.
  • Microsoft.Data.SqlClient.Extensions.Azure addressed the exact same root cause by dropping its Azure.Identity dependency in favor of Azure.Core
    1.53.0 — dotnet/SqlClient#4200, merged, shipping in 7.1.0-preview1. That PR can serve as a direct
    reference for the minimal change needed here.
  • Azure SDK tracking: Azure/azure-sdk-for-net#58129,
    Azure/azure-sdk-for-net#58510.
  • Impact: any project combining Microsoft.Identity.Web.* 4.8.0 with Microsoft.Extensions.Azure 1.14.0 or Azure.Core 1.53.0+. Given how commonly
    Microsoft.Identity.Web appears alongside Microsoft.Extensions.Azure (Key Vault, Service Bus, Storage, etc. in ASP.NET Core apps), this affects a broad
    set of consumers.

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions