
Refactor SetupRunner to Correctly Handle Managed Identity in Azure vs External Hosting Scenarios#42

Merged
mengyimicro merged 2 commits into main from users/mengyixu/handleManagedIdentity
Nov 24, 2025

Conversation


@mengyimicro mengyimicro commented Nov 22, 2025

This PR refactors A365SetupRunner to correctly separate the behavior of Azure-hosted deployments, blueprint-only mode, and external (non-Azure) hosting.

Previously, both blueprint-only and external hosting paths flowed through the same logic, causing the managed identity (MSI) logic to be reused incorrectly.

This change introduces clear separation and ensures that Managed Identity, Federated Identity Credential (FIC), and Azure infra provisioning occur only when appropriate.

  1. NeedDeployment = true (Azure hosting)
     • Create/ensure web app.
     • Assign system-assigned MSI.
     • Use its principalId to:
       • Store managedIdentityPrincipalId in a365.generated.config.json.
       • Create Federated Identity Credential (FIC) in CreateAgentBlueprintAsync.
  2. Blueprint-only (--blueprint = true)
     • No new web app or MSI.
     • If an existing managedIdentityPrincipalId is present from a previous run, re-use it for FIC (optional but nice).
     • Otherwise, just create blueprint without FIC.
  3. External hosting (needDeployment = false, no --blueprint)
     • No web app, no MSI, no FIC.
     • Blueprint uses client secret only (no managed identity).
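The three modes above form a small decision table, and the security-relevant rule is that a Federated Identity Credential is only ever bound to a managed identity principal that this run actually provisioned or that a previous Azure run recorded, never to a stale id when the agent is hosted outside Azure. The following is an added example, not the project's own A365SetupRunner code: it models that decision logic in Python with hypothetical function names, keeps the file name a365.generated.config.json and the field managedIdentityPrincipalId from the description, stubs out web-app/MSI provisioning with a constructed id, and assumes (as the description states for external hosting) that a client secret is the credential used whenever no FIC is created.

```python
"""Decide when a managed identity (MSI) and a Federated Identity Credential (FIC)
apply, modelled on the three hosting scenarios in the PR description.
Added example; not the project's A365SetupRunner code. All function names are
hypothetical and the provisioning step is a stub returning a constructed id."""
import json
import tempfile
from dataclasses import dataclass, replace
from pathlib import Path
from typing import Callable, Optional

GENERATED_CONFIG = "a365.generated.config.json"  # file name from the PR description
PRINCIPAL_KEY = "managedIdentityPrincipalId"     # field name from the PR description


@dataclass(frozen=True)
class SetupPlan:
    external_hosting: bool
    create_web_app: bool
    assign_msi: bool
    use_managed_identity: bool    # gates FIC creation in the blueprint step
    principal_id: Optional[str]   # MSI principalId the FIC is bound to, if any


def resolve_plan(need_deployment: bool, blueprint_only: bool,
                 existing_principal_id: Optional[str]) -> SetupPlan:
    """Pick exactly one mode. Azure hosting wins, then blueprint-only, otherwise
    external hosting; no mode falls through another mode's MSI logic."""
    if need_deployment:
        # 1. Azure hosting: web app + system-assigned MSI. principal_id is filled
        #    in by run_setup only after provisioning has really returned it.
        return SetupPlan(False, True, True, True, None)
    if blueprint_only:
        # 2. Blueprint-only: no new resources. A principalId stored by an earlier
        #    Azure run may be reused for the FIC; without one there is no FIC.
        return SetupPlan(False, False, False, existing_principal_id is not None,
                         existing_principal_id)
    # 3. External hosting: no web app, no MSI, no FIC. A stored principalId is
    #    deliberately ignored so a stale id never becomes a FIC subject; the
    #    blueprint authenticates with its client secret only.
    return SetupPlan(True, False, False, False, None)


def load_existing_principal_id(config_dir: Path) -> Optional[str]:
    """Read the principalId a previous Azure run stored, if any."""
    path = config_dir / GENERATED_CONFIG
    if not path.exists():
        return None
    value = json.loads(path.read_text(encoding="utf-8")).get(PRINCIPAL_KEY)
    return value if isinstance(value, str) and value else None


def store_principal_id(config_dir: Path, principal_id: str) -> None:
    """Persist the MSI principalId for later blueprint-only runs."""
    path = config_dir / GENERATED_CONFIG
    data = json.loads(path.read_text(encoding="utf-8")) if path.exists() else {}
    data[PRINCIPAL_KEY] = principal_id
    path.write_text(json.dumps(data, indent=2), encoding="utf-8")


def create_agent_blueprint(use_managed_identity: bool,
                           principal_id: Optional[str]) -> dict:
    """Stand-in for the blueprint step: returns what it would register."""
    if use_managed_identity and not principal_id:
        raise ValueError("FIC requested without an MSI principalId")
    fic = {"subject_principal_id": principal_id} if use_managed_identity else None
    return {"credential": "federated" if fic else "client_secret", "fic": fic}


def run_setup(need_deployment: bool, blueprint_only: bool, config_dir: Path,
              provision_web_app_with_msi: Callable[[], str]) -> dict:
    """Resolve the mode, provision only when the plan says so, then build the blueprint."""
    plan = resolve_plan(need_deployment, blueprint_only,
                        load_existing_principal_id(config_dir))
    if plan.assign_msi:
        principal_id = provision_web_app_with_msi()
        if not principal_id:
            raise RuntimeError("MSI assignment returned no principalId")
        store_principal_id(config_dir, principal_id)
        plan = replace(plan, principal_id=principal_id)
    blueprint = create_agent_blueprint(plan.use_managed_identity, plan.principal_id)
    return {"plan": plan, "blueprint": blueprint}


def run_all_scenarios() -> dict:
    """Run the modes back to back in one config directory, so the blueprint-only
    run sees the principalId the Azure run stored, plus a blueprint-only run
    against an empty directory. Returns the outcome of each run."""
    def fake_provision() -> str:
        return "00000000-0000-0000-0000-00000000abcd"  # constructed principalId

    with tempfile.TemporaryDirectory() as shared, tempfile.TemporaryDirectory() as fresh:
        cfg = Path(shared)
        return {
            "azure": run_setup(True, False, cfg, fake_provision),
            "blueprint_only": run_setup(False, True, cfg, fake_provision),
            "external": run_setup(False, False, cfg, fake_provision),
            "blueprint_only_fresh": run_setup(False, True, Path(fresh), fake_provision),
        }
```

The point of keeping `resolve_plan` pure is that the mode choice can be unit-tested without touching Azure, and the one place a FIC can be created (`create_agent_blueprint`) refuses to run with `use_managed_identity` set but no principalId, which is the failure the old shared code path could have produced.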

Copilot AI review requested due to automatic review settings November 22, 2025 01:42
@mengyimicro mengyimicro requested review from a team as code owners November 22, 2025 01:42

Copilot AI left a comment


Pull request overview

This PR refactors the A365SetupRunner to correctly handle three distinct hosting scenarios: Azure-hosted deployments (with managed identity), blueprint-only mode (reusing existing managed identity), and external hosting (no managed identity). The changes introduce explicit separation of these modes through the externalHosting and useManagedIdentity variables, ensuring that Managed Identity and Federated Identity Credential creation only occur when appropriate.

Key Changes:

  • Introduced externalHosting variable to distinguish external hosting from blueprint-only mode
  • Added useManagedIdentity parameter to CreateAgentBlueprintAsync to control FIC creation
  • Updated configuration loading logic to handle external hosting differently from blueprint-only mode


@skg-marimuthu skg-marimuthu left a comment


:shipit:

@mengyimicro mengyimicro merged commit 6795ed3 into main Nov 24, 2025
2 checks passed
@pontemonti pontemonti deleted the users/mengyixu/handleManagedIdentity branch December 5, 2025 17:27