[Bug] Error "[Managed Identity] The error response was either empty or could not be parsed.." when getting access token with User-Assigned managed identity on Azure VM

[jformacek]

Library version used

4.69.1

.NET version

.NET 9
Actually running Powershell 7.5, which is built upon .NET 9.0.301 release according to Release notes

Scenario

ManagedIdentityClient - managed identity

Is this a new or an existing app?

None

Issue description and reproduction steps

When trying to get access token for User-Assigned managed identity in Powershell runbook on Azure VM running as Hybrid worker server, getting the error [Managed Identity] The error response was either empty or could not be parsed..
Sample code:

$resource = 'https://management.azure.com'
$clientId = 'bd662bec-6404-494b-b749-5a23080cc6fc'
$managedIdentityId = [Microsoft.Identity.Client.AppConfig.ManagedIdentityId]::WithUserAssignedClientId($clientId)
$builder = [Microsoft.Identity.Client.ManagedIdentityApplicationBuilder]::Create($managedIdentityId)
$factory = $builder.Build()
try
{
	$result = $Factory.AcquireTokenForManagedIdentity($resource).ExecuteAsync().GetAwaiter().GetResult()
	$result
}
catch
{
	$_ | select * | Out-String
}

Running the same code locally in same powershell runtime works fine.

Getting the token directly from the endpoint with http call works fine in runbook and also when running locally:

"Using User MSI"
$resource = 'https://management.azure.com'
$clientId = 'bd662bec-6404-494b-b749-5a23080cc6fc'
$response = Invoke-WebRequest -Method GET -Uri "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=$resource&client_id=$clientId" -Headers @{ Metadata="true" }
"Having response"
$response
$content = $response.Content | ConvertFrom-Json
$accessToken = $content.access_token

I found similar issue here - #5178 - however I don't believe this is the case as it always works locally and never works from automation runbook, so it's unlikely it's caused by http 429

Relevant code snippets

Expected behavior

No response

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

No response

[github-actions]

Here are some similar issues that might help you. Please check if they can solve your problem.

• [Bug] Unable to Authenticate with a User Assigned Managed Identity In Azure Deployment Scripts (Azure Containers) #5272
• [Bug] [Migrating to workload identity from Pod identity] [AKS]'The error response was either empty or could not be parsed.. Error response received from the server: no azure identity found for request' #5287

---

Possible solution (Extracted from existing issue, might be incorrect; please verify carefully)

Solution 1:

This indicates a config error. The response simply means that an identity isn't there. I recommend you move this issue to Azure Redis service, who internally use MSAL.

Reference:

• [Bug] [Migrating to workload identity from Pod identity] [AKS]'The error response was either empty or could not be parsed.. Error response received from the server: no azure identity found for request' #5287 (comment)

Solution 2:

Hi - this has been fixed in MSAL 4.67.2 - please update to the latest version. If you are using Azure SDK, please wait for them to release a patch, it should happen soon.

Reference:

• [Bug] Unable to Authenticate with a User Assigned Managed Identity In Azure Deployment Scripts (Azure Containers) #5272 (comment)

Powered by issue-sentinel

[jformacek]

I do not think either proposed solution applies:
Solution 1: identity is there as direct retrieval from token endpoint works fine
Solution 2: we're using higher version of MSAL thank referenced by solution