Support Managed Identity (formerly known as MSI)
Some resources below:
- MSAL does not currently support MSI (UPDATE in 2020: it still does not support Managed Identity, even though that FAQ was later removed from that doc page.)
- How to get a token from MSI
- Currently IMDS is still based on AADv1, which takes a `resource` parameter, and the output `expires_in` is a string (rather than an integer). There is a pending work item to support AADv2.
- Existing MSI client-side implementation in msrestazure Python and its example. And another implementation in Azure Python SDK.
Currently the MSI support is in scope of Azure SDKs. Closing this for now.
Moved from https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/2806#issuecomment-911455955
Getting a certificate for VM SSH
As an Azure CLI developer, another scenario I would like to bring out is VM SSH, which requires getting a certificate through the `data` argument.
Why Azure CLI dropped Azure Identity
Azure Identity has explicitly dropped `data` (by removing kwargs) for user identities (https://github.com/Azure/azure-sdk-for-python/pull/16397). In order to implement VM SSH, Azure CLI has to
- Get an access token from Azure Identity
- Get a certificate from MSAL
This of course introduces unnecessary duplication, as Azure CLI will have to work dual-stack-ly. If Azure CLI can get a certificate from MSAL, why can't it use the same flow to get an access token from MSAL?
After careful consideration, Azure CLI dropped Azure Identity and directly uses MSAL. Even for managed identity, Azure CLI will not use Azure Identity given there will be no `data` support in the future. (The Azure Identity migration for managed identity on beta has been reverted.)
The current libraries Azure CLI beta uses are
- MSAL: User / Service Principal
- msrestazure (deprecated): Managed Identity / Cloud Shell
Possible solutions for supporting managed identity
As msrestazure has been deprecated as well, Azure CLI must move away from msrestazure. Possible solutions:
- Azure CLI implements managed identity by itself. This will of course take a big amount of effort and the code can't be shared by other SDK tools.
- MSAL implements managed identity and Azure CLI directly uses MSAL for managed identity. The code can of course be utilized by other Azure libraries.
Additional information
Per How to use managed identities for Azure resources on an Azure VM to acquire an access token:

```http
GET 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' HTTP/1.1
Metadata: true
```

managed identity's endpoint has some limitations:
- It still only accepts `resource`, which is an ADAL concept. MSAL now uses `scopes`. If there will be no changes on managed identity and MSAL wants to support it, MSAL must bring back the old `resource` interface.
- There is no `data` support. We are not sure what the future design would be to support getting a certificate for VM SSH.
Reference email: VM SSH with managed identity
By the way, the name "MSI" has been deprecated:
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
Managed identities for Azure resources is the new name for the service formerly known as Managed Service Identity (MSI).
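The IMDS v1 request quoted above, carried through in Python as an added example (this is not code from MSAL, Azure CLI or msrestazure): it maps an MSAL-style scope to the v1 `resource` parameter, sends the mandatory `Metadata: true` header, and coerces the string `expires_in`/`expires_on` values to integers while checking the token really is a Bearer token for the requested audience. The `scope_to_resource` rule, the `offline_opener` stand-in and the sample response body are assumptions constructed for this example.

```python
"""Added example (not MSAL, Azure CLI or msrestazure code): talk to the IMDS v1
token endpoint quoted in the issue and adapt its output to MSAL conventions."""
import io
import json
import urllib.parse
import urllib.request
from typing import Optional

# Endpoint and API version exactly as in the request quoted above.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"

# Constructed sample of a v1 IMDS response; note expires_in/expires_on are strings.
SAMPLE_IMDS_BODY = json.dumps({
    "access_token": "constructed.sample.token",
    "expires_in": "3599",
    "expires_on": "1506484173",
    "not_before": "1506480273",
    "resource": "https://management.azure.com/",
    "token_type": "Bearer",
})


def scope_to_resource(scope: str) -> str:
    """Map an MSAL v2 scope to the v1 'resource' that IMDS still expects.

    Assumption: only the '<resource>/.default' form MSAL uses for app-only
    tokens is accepted, so 'https://management.azure.com/.default' becomes
    'https://management.azure.com/'. Anything else is rejected rather than
    silently requesting a token for the wrong audience.
    """
    if not scope.endswith("/.default"):
        raise ValueError(f"unsupported scope for managed identity: {scope!r}")
    return scope[: -len(".default")]


def build_imds_request(resource: str, client_id: Optional[str] = None) -> urllib.request.Request:
    """Build the GET that IMDS requires. The 'Metadata: true' header is mandatory
    and is what keeps a browser redirect or naive SSRF from reaching the endpoint.
    client_id is only needed to select a user-assigned identity."""
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)
    return urllib.request.Request(url, headers={"Metadata": "true"}, method="GET")


def normalize_token_response(body: str, expected_resource: str) -> dict:
    """Parse the v1 JSON body and coerce it toward MSAL's v2 conventions:
    integer lifetimes, plus a check that the token is a Bearer token for the
    resource that was actually requested."""
    raw = json.loads(body)
    required = ("access_token", "token_type", "expires_in", "expires_on", "resource")
    missing = [f for f in required if f not in raw]
    if missing:
        raise ValueError(f"IMDS response missing fields: {missing}")
    if raw["token_type"] != "Bearer":
        raise ValueError(f"unexpected token_type {raw['token_type']!r}")
    if raw["resource"].rstrip("/") != expected_resource.rstrip("/"):
        raise ValueError(f"token audience {raw['resource']!r} != requested {expected_resource!r}")
    return {
        "access_token": raw["access_token"],
        "token_type": raw["token_type"],
        "expires_in": int(raw["expires_in"]),  # "3599" -> 3599
        "expires_on": int(raw["expires_on"]),  # epoch seconds as int
        "resource": raw["resource"],
    }


def offline_opener(request, timeout=None):
    """Stand-in for urllib.request.urlopen (an assumption for this example) that
    serves the constructed sample body so the whole flow can run off a VM."""
    return io.BytesIO(SAMPLE_IMDS_BODY.encode("utf-8"))


def acquire_token_for_scope(scope, client_id=None, opener=urllib.request.urlopen):
    """scope -> resource -> IMDS request -> normalized token dict."""
    resource = scope_to_resource(scope)
    request = build_imds_request(resource, client_id)
    with opener(request, timeout=5) as response:
        body = response.read().decode("utf-8")
    return normalize_token_response(body, resource)


if __name__ == "__main__":
    token = acquire_token_for_scope("https://management.azure.com/.default", opener=offline_opener)
    print(json.dumps(token, indent=2))
```

On a real VM, calling `acquire_token_for_scope` with the default opener performs the actual IMDS request; the injectable `opener` exists only so the scope translation and the string-to-integer normalization can be exercised and tested without one.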
@jiasli From what you posted about Managed Identity:
> managed identity's endpoint has some limitations:
> It still only accepts resource which is an ADAL concept. MSAL now uses scopes. If there will be no changes on managed identity and MSAL wants to support it, MSAL must bring back the old resource interface. There is no data support. We are not sure what the future design would be to support getting a certificate for VM SSH.
Are you implying that managed identity is using ADAL? Are there any updates since ADAL is migrating into MSAL and ADAL will be deprecated on June 30, 2022?
> Are you implying that managed identity is using ADAL?

Actually, they are independent of each other. It was just that the Managed Identity protocol and the ADAL design happened to be created in around the same era and therefore share some concepts.

> Are there any updates since ADAL is migrating into MSAL and ADAL will be deprecated on June 30, 2022?
Neither ADAL Python nor MSAL Python supports Managed Identity. This issue remains open so that we can keep track of this feature requirement for MSAL Python.
@rayluo - is this not done?