Microsoft.Identity.Web.Certificate (and consequently Microsoft.Identity.Web, Microsoft.Identity.Web.TokenAcquisition,
Microsoft.Identity.Web.GraphServiceClient) takes a direct PackageReference on Azure.Identity. Starting with Azure.Core 1.53.0, the identity
credential types (DefaultAzureCredential, ClientSecretCredential, etc.) are type-forwarded into Azure.Core itself. Consumers that end up with both
assemblies on their compilation input now hit CS0433 duplicate-type errors.
This makes Microsoft.Identity.Web 4.8.0 effectively incompatible with Microsoft.Extensions.Azure 1.14.0 (and any other package that depends on
Azure.Core ≥ 1.53.0) unless consumers apply a workaround in every affected project.
Minimal repro:
<Project Sdk="Microsoft.NET.Sdk.Web">
<PropertyGroup><TargetFramework>net10.0</TargetFramework></PropertyGroup>
<ItemGroup>
<PackageReference Include="Microsoft.Extensions.Azure" Version="1.14.0" />
<PackageReference Include="Microsoft.Identity.Web" Version="4.8.0" />
</ItemGroup>
</Project>
Any source file referencing DefaultAzureCredential (or similar) fails with:
error CS0433: The type 'DefaultAzureCredential' exists in both
'Azure.Core, Version=1.53.0.0, ...' and
'Azure.Identity, Version=1.21.0.0, ...'
Describe the solution you'd like
Replace the Azure.Identity PackageReference in Microsoft.Identity.Web.Certificate with Azure.Core ≥ 1.53.0. The identity credential types that
Microsoft.Identity.Web.Certificate consumes are type-forwarded by Azure.Core 1.53.0, so no source changes should be required beyond the .csproj
update.
Existing consumers that directly reference Azure.Identity remain unaffected — they just stop getting it transitively from the Microsoft.Identity.Web.*
chain, which eliminates one transitive source of the CS0433 clash.
Describe alternatives you've considered
-
Per-project ExcludeAssets workaround (current): downstream consumers add the following to every project that compiles code using the identity
credential types, to suppress the transitive Azure.Identity assembly:
<PackageReference Include="Azure.Identity" Version="1.21.0"
ExcludeAssets="all" PrivateAssets="all" />
This is fragile and verbose — it has to be repeated in every leaf project because NuGet only honors ExcludeAssets on a direct PackageReference.
-
Pinning Azure.Core to 1.52.0: prevents the clash by avoiding the type-forwarding version entirely, but also blocks adoption of any Azure SDK
package that requires Azure.Core ≥ 1.53.0 (e.g., Microsoft.Extensions.Azure 1.14.0, the upcoming Microsoft.Data.SqlClient.Extensions.Azure
7.1.0-preview1).
-
Waiting for Azure.Identity itself to re-align with Azure.Core 1.53.0: doesn't solve the duplication at compile time — both assemblies still
ship the same types.
None of these alternatives are as clean as simply dropping the Azure.Identity dependency upstream.
Additional context
- PR #3787 updates
Azure.Identity versions but does not drop the dependency.
Microsoft.Data.SqlClient.Extensions.Azure addressed the exact same root cause by dropping its Azure.Identity dependency in favor of Azure.Core
1.53.0 — dotnet/SqlClient#4200, merged, shipping in 7.1.0-preview1. That PR can serve as a direct
reference for the minimal change needed here.
- Azure SDK tracking: Azure/azure-sdk-for-net#58129,
Azure/azure-sdk-for-net#58510.
- Impact: any project combining
Microsoft.Identity.Web.* 4.8.0 with Microsoft.Extensions.Azure 1.14.0 or Azure.Core 1.53.0+. Given how commonly
Microsoft.Identity.Web appears alongside Microsoft.Extensions.Azure (Key Vault, Service Bus, Storage, etc. in ASP.NET Core apps), this affects a broad
set of consumers.
Microsoft.Identity.Web.Certificate(and consequentlyMicrosoft.Identity.Web,Microsoft.Identity.Web.TokenAcquisition,Microsoft.Identity.Web.GraphServiceClient) takes a directPackageReferenceonAzure.Identity. Starting withAzure.Core1.53.0, the identitycredential types (
DefaultAzureCredential,ClientSecretCredential, etc.) are type-forwarded intoAzure.Coreitself. Consumers that end up with bothassemblies on their compilation input now hit
CS0433duplicate-type errors.This makes
Microsoft.Identity.Web4.8.0 effectively incompatible withMicrosoft.Extensions.Azure1.14.0 (and any other package that depends onAzure.Core≥ 1.53.0) unless consumers apply a workaround in every affected project.Minimal repro:
Any source file referencing
DefaultAzureCredential(or similar) fails with:Describe the solution you'd like
Replace the
Azure.IdentityPackageReferenceinMicrosoft.Identity.Web.CertificatewithAzure.Core≥ 1.53.0. The identity credential types thatMicrosoft.Identity.Web.Certificateconsumes are type-forwarded byAzure.Core1.53.0, so no source changes should be required beyond the.csprojupdate.
Existing consumers that directly reference
Azure.Identityremain unaffected — they just stop getting it transitively from theMicrosoft.Identity.Web.*chain, which eliminates one transitive source of the CS0433 clash.
Describe alternatives you've considered
Per-project
ExcludeAssetsworkaround (current): downstream consumers add the following to every project that compiles code using the identitycredential types, to suppress the transitive
Azure.Identityassembly:This is fragile and verbose — it has to be repeated in every leaf project because NuGet only honors
ExcludeAssetson a directPackageReference.Pinning
Azure.Coreto 1.52.0: prevents the clash by avoiding the type-forwarding version entirely, but also blocks adoption of any Azure SDKpackage that requires
Azure.Core≥ 1.53.0 (e.g.,Microsoft.Extensions.Azure1.14.0, the upcomingMicrosoft.Data.SqlClient.Extensions.Azure7.1.0-preview1).
Waiting for
Azure.Identityitself to re-align withAzure.Core1.53.0: doesn't solve the duplication at compile time — both assemblies stillship the same types.
None of these alternatives are as clean as simply dropping the
Azure.Identitydependency upstream.Additional context
Azure.Identityversions but does not drop the dependency.Microsoft.Data.SqlClient.Extensions.Azureaddressed the exact same root cause by dropping itsAzure.Identitydependency in favor ofAzure.Core1.53.0 — dotnet/SqlClient#4200, merged, shipping in
7.1.0-preview1. That PR can serve as a directreference for the minimal change needed here.
Azure/azure-sdk-for-net#58510.
Microsoft.Identity.Web.*4.8.0 withMicrosoft.Extensions.Azure1.14.0 orAzure.Core1.53.0+. Given how commonlyMicrosoft.Identity.Webappears alongsideMicrosoft.Extensions.Azure(Key Vault, Service Bus, Storage, etc. in ASP.NET Core apps), this affects a broadset of consumers.