Expand Up @@ -135,8 +135,9 @@ public async Task<bool> RunAsync(string configPath, string generatedConfigPath,
var deploymentProjectPath = Get("deploymentProjectPath");

bool needDeployment = CheckNeedDeployment(cfg);

var skipInfra = blueprintOnly || !needDeployment;
var externalHosting = !needDeployment && !blueprintOnly;

if (!skipInfra)
{
// Azure hosting scenario – need full infra details
Expand Down Expand Up @@ -293,11 +294,19 @@ public async Task<bool> RunAsync(string configPath, string generatedConfigPath,
{
generatedConfig = JsonNode.Parse(await File.ReadAllTextAsync(generatedConfigPath, cancellationToken))?.AsObject() ?? new JsonObject();

if (generatedConfig.TryGetPropertyValue("managedIdentityPrincipalId", out var existingPrincipalId))
if (blueprintOnly && generatedConfig.TryGetPropertyValue("managedIdentityPrincipalId", out var existingPrincipalId))
{
// Only reuse MSI in blueprint-only mode
principalId = existingPrincipalId?.GetValue<string>();
_logger.LogInformation("Found existing Managed Identity Principal ID: {Id}", principalId ?? "(none)");
}
else if (externalHosting)
{
_logger.LogInformation("External hosting selected - Managed Identity will NOT be used.");

// Make sure we don't create FIC later
principalId = null;
}

_logger.LogInformation("Existing configuration loaded successfully");
}
Expand Down Expand Up @@ -478,12 +487,22 @@ public async Task<bool> RunAsync(string configPath, string generatedConfigPath,

try
{
// Validate that needDeployment and blueprintOnly are not both true
if (needDeployment && blueprintOnly)
{
_logger.LogError("Invalid configuration: both needDeployment and blueprintOnly are true. This is not supported, as it may result in attempting to use a managed identity that was not created.");
return false;
}

var useManagedIdentity = (needDeployment && !blueprintOnly) || blueprintOnly;

// Create the agent blueprint using Graph API directly (no PowerShell)
var blueprintResult = await CreateAgentBlueprintAsync(
tenantId,
agentBlueprintDisplayName,
agentIdentityDisplayName,
principalId,
useManagedIdentity,
generatedConfig,
cfg,
cancellationToken);
Expand Down Expand Up @@ -591,6 +610,7 @@ public async Task<bool> RunAsync(string configPath, string generatedConfigPath,
string displayName,
string? agentIdentityDisplayName,
string? managedIdentityPrincipalId,
bool useManagedIdentity,
JsonObject generatedConfig,
JsonObject setupConfig,
CancellationToken ct)
Expand Down Expand Up @@ -791,10 +811,10 @@ public async Task<bool> RunAsync(string configPath, string generatedConfigPath,
_logger.LogInformation("Waiting 10 seconds to ensure Service Principal is fully propagated...");
await Task.Delay(10000, ct);

// Create Federated Identity Credential (if managed identity provided)
if (!string.IsNullOrWhiteSpace(managedIdentityPrincipalId))
// Create Federated Identity Credential ONLY when MSI is relevant (if managed identity provided)
if (useManagedIdentity && !string.IsNullOrWhiteSpace(managedIdentityPrincipalId))
{
_logger.LogInformation("Creating Federated Identity Credential...");
_logger.LogInformation("Creating Federated Identity Credential for Managed Identity...");
var credentialName = $"{displayName.Replace(" ", "")}-MSI";

var ficSuccess = await CreateFederatedIdentityCredentialAsync(
Expand All @@ -814,6 +834,10 @@ public async Task<bool> RunAsync(string configPath, string generatedConfigPath,
_logger.LogWarning("Failed to create Federated Identity Credential");
}
}
else if (!useManagedIdentity)
{
_logger.LogInformation("Skipping Federated Identity Credential creation (external hosting / no MSI configured)");
}
else
{
_logger.LogInformation("Skipping Federated Identity Credential creation (no MSI Principal ID provided)");
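Review bot: The mutual-exclusion guard for `needDeployment && blueprintOnly` added at new line ~490 runs only after the earlier hunks have already acted on that combination: at line 135 `skipInfra` becomes true whenever `blueprintOnly` is set, so the infra step is skipped, and at line ~297 the stored `managedIdentityPrincipalId` is reused from the generated config under the same flag, so a possibly stale principal ID is picked up before the configuration is finally rejected. Moving the check to directly after `bool needDeployment = CheckNeedDeployment(cfg);` at line 135 fails fast before any of that state is built, and, if anything in the intervening lines has side effects, before those run. The derived flag can also be simplified: `(needDeployment && !blueprintOnly) || blueprintOnly` is equivalent to `needDeployment || blueprintOnly`, i.e. `var useManagedIdentity = !externalHosting;`, which ties it explicitly to the `externalHosting` flag introduced in the first hunk and to the `else if (externalHosting)` branch that nulls `principalId`. Both RunAsync and CreateAgentBlueprintAsync start and end outside these hunks.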