Add Entra credential fallback to CreateAzdoClient (Phase 1, WI 10141)#16806
Merged
mmitche merged 1 commit intoMay 12, 2026
Merged
Conversation
Phase 1 of migrating dn-bot-all-orgs-build-rw-code-rw from PAT to Entra auth. This PR adds backward-compatible C# changes only: - CreateAzdoClient(): When no PAT is provided, falls back to DefaultIdentityTokenCredential with bearer token for AzDO resource (499b84ac-1321-427f-aa17-267ca6975798/.default). Supports AzurePipelinesCredential (from AzureCLI@2 with addSpnToEnvironment:true), ManagedIdentityCredential, WorkloadIdentityCredential, and AzureCliCredential. - HasEntraCredentialsAvailable(): New method to detect available Entra credentials, used in validation to avoid false errors. - AnyMissingRequiredBaseProperties(): Relaxed validation - only errors on missing AzdoApiToken when Entra credentials are also unavailable. The YAML and secret manifest changes are intentionally NOT included here. They will be made in a Phase 2 PR after this SDK version flows to consumers, to avoid the version mismatch that caused the revert of dotnet#16785. Work Item: https://dev.azure.com/dnceng/internal/_workitems/edit/10141
mmitche
approved these changes
May 12, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Phase 1 of migrating the
dn-bot-all-orgs-build-rw-code-rwPAT from Basic auth to Entra-based authentication in the V3 publishing pipeline.This PR contains only backward-compatible C# changes. YAML and secret manifest changes will follow in Phase 2 after this SDK version flows to consumers.
Why Phase 1/Phase 2?
The original PR #16785 was reverted (#16792) because it combined C# code changes (shipped in the Arcade SDK NuGet package) with YAML changes (take effect immediately on merge). After merge, the Maestro Build Promotion pipeline was still running the old SDK version (which required
AzdoApiToken), but the YAML had already stopped passing it, causing:Build: https://dev.azure.com/dnceng/internal/_build/results?buildId=2972977
Changes (C# only, PublishArtifactsInManifestBase.cs)
CreateAzdoClient(): When no PAT is provided, falls back toDefaultIdentityTokenCredentialwith bearer token for AzDO resource (499b84ac-1321-427f-aa17-267ca6975798/.default). SupportsAzurePipelinesCredential(from AzureCLI@2 withaddSpnToEnvironment:true),ManagedIdentityCredential,WorkloadIdentityCredential, andAzureCliCredential.HasEntraCredentialsAvailable(): New method to check for available Entra credentials, used in validation to avoid false errors when streaming publishing is configured without a PAT.AnyMissingRequiredBaseProperties(): Relaxed validation -- only errors on missingAzdoApiTokenwhen Entra credentials are also unavailable.What is NOT in this PR (Phase 2)
After this SDK version builds and flows to consumers:
/p:AzdoApiToken='$(dn-bot-all-orgs-build-rw-code-rw)'frompublish.ymlpublish-logs.ymlproduct-builds-engkeyvault.yaml)Identity details
maestro-build-promotion-mi(AppId:6e870007-e236-4eb1-8734-8bf8cd54c748)maestro-build-promotion(ID:df3b9892-c5c9-4d64-8b72-edd72e049305, type:azurerm, auth:WorkloadIdentityFederation)dnceng/internalReaders groupWork Item: https://dev.azure.com/dnceng/internal/_workitems/edit/10141