
Fix: Support Azure environment selection for Managed Identity#5239

Merged
gautamdsheth merged 4 commits into dev from fix/mi-env-issue
Feb 13, 2026

Conversation

@gautamdsheth
Collaborator

Added azureEnvironment parameter to CreateWithManagedIdentity, allowing connections to different Azure clouds. Updated ConnectManagedIdentity to pass this parameter, enabling support for Government, China, and other Azure environments.

Before creating a pull request, make sure that you have read the contribution file located at

https://github.com/pnp/powerShell/blob/dev/CONTRIBUTING.md

Type

  • Bug Fix
  • New Feature
  • Sample

Related Issues?

Fixes #5238

What is in this Pull Request?

Fixing MI issue with non-commercial clouds

Copilot AI review requested due to automatic review settings February 12, 2026 21:04
@gautamdsheth gautamdsheth marked this pull request as draft February 12, 2026 21:04
Contributor

Copilot AI left a comment


Pull request overview

This pull request aims to fix a bug where Managed Identity authentication does not respect the -AzureEnvironment parameter when connecting to non-commercial Azure clouds (Government, China, etc.). The PR adds an azureEnvironment parameter to the CreateWithManagedIdentity method and updates the ConnectManagedIdentity method to pass this parameter.

Changes:

  • Added azureEnvironment parameter with default value to CreateWithManagedIdentity method signature
  • Updated ConnectManagedIdentity to pass the AzureEnvironment parameter from the cmdlet to the connection method

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File: src/Commands/Base/PnPConnection.cs
Description: Added azureEnvironment parameter to CreateWithManagedIdentity method signature with default value of AzureEnvironment.Production

File: src/Commands/Base/ConnectOnline.cs
Description: Updated ConnectManagedIdentity to pass the AzureEnvironment parameter to the connection creation method
Comments suppressed due to low confidence (1)

src/Commands/Base/PnPConnection.cs:473

  • The azureEnvironment parameter is not being used in the method implementation. Based on similar authentication methods like CreateWithCertificate (line 375), the Azure environment needs to be:
  1. Passed to Framework.AuthenticationManager.CreateWithManagedIdentity() at line 445 (if that method signature supports it)
  2. Set on the connection.AzureEnvironment property at line 465-471 where the connection object is initialized

Without these changes, the fix won't work - the managed identity will still connect to the commercial Azure endpoints even when a different environment is specified. Please verify the PnP Framework's CreateWithManagedIdentity method signature supports an azureEnvironment parameter and pass it accordingly. Additionally, add AzureEnvironment = azureEnvironment to the connection object initialization to ensure the environment is properly tracked.

        internal static PnPConnection CreateWithManagedIdentity(string url, string tenantAdminUrl, string userAssignedManagedIdentityObjectId = null, string userAssignedManagedIdentityClientId = null, string userAssignedManagedIdentityAzureResourceId = null, AzureEnvironment azureEnvironment = AzureEnvironment.Production)
        {
            // Define the type of Managed Identity that will be used
            ManagedIdentityType managedIdentityType = ManagedIdentityType.SystemAssigned;
            string managedIdentityUserAssignedIdentifier = null;

            if (!string.IsNullOrEmpty(userAssignedManagedIdentityObjectId))
            {
                managedIdentityType = ManagedIdentityType.UserAssignedByObjectId;
                managedIdentityUserAssignedIdentifier = userAssignedManagedIdentityObjectId;
            }
            if (!string.IsNullOrEmpty(userAssignedManagedIdentityClientId))
            {
                managedIdentityType = ManagedIdentityType.UserAssignedByClientId;
                managedIdentityUserAssignedIdentifier = userAssignedManagedIdentityClientId;
            }
            if (!string.IsNullOrEmpty(userAssignedManagedIdentityAzureResourceId))
            {
                managedIdentityType = ManagedIdentityType.UserAssignedByResourceId;
                managedIdentityUserAssignedIdentifier = userAssignedManagedIdentityAzureResourceId;
            }

            // Ensure that, if it is not a System Assigned Managed Identity, we have an identifier pointing to the User Assigned Managed Identity
            if (managedIdentityType != ManagedIdentityType.SystemAssigned && string.IsNullOrEmpty(managedIdentityUserAssignedIdentifier))
            {
                throw new InvalidOperationException("Unable to use a User Assigned Managed Identity without passing in an identifier for the User Assigned Managed Identity.");
            }

            // Set up the AuthenticationManager in PnP Framework to use a Managed Identity context
            using (var authManager = Framework.AuthenticationManager.CreateWithManagedIdentity(null, null, managedIdentityType, managedIdentityUserAssignedIdentifier))
            {
                PnPClientContext context = null;
                ConnectionType connectionType = ConnectionType.O365;
                if (url != null)
                {
                    context = PnPClientContext.ConvertFrom(authManager.GetContext(url.ToString()));
                    context.ApplicationName = Resources.ApplicationName;
                    context.DisableReturnValueCache = true;
                    context.ExecutingWebRequest += (sender, e) =>
                    {
                        e.WebRequestExecutor.WebRequest.UserAgent = $"NONISV|SharePointPnP|PnPPS/{((AssemblyFileVersionAttribute)Assembly.GetExecutingAssembly().GetCustomAttribute(typeof(AssemblyFileVersionAttribute))).Version} ({System.Environment.OSVersion.VersionString})";
                    };
                    if (IsTenantAdminSite(context))
                    {
                        connectionType = ConnectionType.TenantAdmin;
                    }
                }

                // Set up PnP PowerShell to use a Managed Identity
                var connection = new PnPConnection(context, connectionType, null, url?.ToString(), tenantAdminUrl, PnPPSVersionTag, InitializationType.ManagedIdentity)
                {
                    UserAssignedManagedIdentityObjectId = userAssignedManagedIdentityObjectId,
                    UserAssignedManagedIdentityClientId = userAssignedManagedIdentityClientId,
                    UserAssignedManagedIdentityAzureResourceId = userAssignedManagedIdentityAzureResourceId,
                    ConnectionMethod = ConnectionMethod.ManagedIdentity,
                };
                return connection;
            }
        }

/// <param name="azureEnvironment">Type of Azure cloud to connect to</param>
/// <returns>Instantiated PnPConnection</returns>
internal static PnPConnection CreateWithManagedIdentity(string url, string tenantAdminUrl, string userAssignedManagedIdentityObjectId = null, string userAssignedManagedIdentityClientId = null, string userAssignedManagedIdentityAzureResourceId = null)
internal static PnPConnection CreateWithManagedIdentity(string url, string tenantAdminUrl, string userAssignedManagedIdentityObjectId = null, string userAssignedManagedIdentityClientId = null, string userAssignedManagedIdentityAzureResourceId = null, AzureEnvironment azureEnvironment = AzureEnvironment.Production)
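Review bot: the new azureEnvironment parameter is accepted by the signature but never consumed in the body shown above, so the change is a no-op for callers. The call Framework.AuthenticationManager.CreateWithManagedIdentity(null, null, managedIdentityType, managedIdentityUserAssignedIdentifier) does not receive it, and the PnPConnection object initializer sets UserAssignedManagedIdentity* and ConnectionMethod but not AzureEnvironment, so a caller asking for USGovernmentHigh still gets a connection that behaves as Production. Forward the value to the framework call and add AzureEnvironment = azureEnvironment, to the initializer. Because the parameter has a default, the omission is silent at compile time; a test that connects with a non-Production value and asserts on the resulting connection's AzureEnvironment would catch this regression, and the token authority used for a non-commercial cloud is a security-relevant detail worth covering explicitly.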

Copilot AI Feb 12, 2026

According to the repository's coding guidelines, when creating a PR, please add an entry to the CHANGELOG.md file under the [Current nightly] section. Since this is a bug fix for issue #5238, add an entry under the "### Fixed" section with a description of the fix and a link to this PR. For example:

- Fixed Managed Identity authentication not respecting AzureEnvironment parameter for non-commercial clouds [#XXXX](https://github.com/pnp/powershell/pull/XXXX)

This helps maintain a comprehensive changelog for the project and ensures users are aware of the fix when the next release is published.

Copilot generated this review using guidance from repository custom instructions.

Updated the AuthenticationManager instantiation to pass the azureEnvironment parameter when creating a connection with a Managed Identity. This enables support for specifying different Azure environments, such as Azure US Government or China clouds.
@gautamdsheth gautamdsheth marked this pull request as ready for review February 13, 2026 08:31
@gautamdsheth gautamdsheth merged commit 251c281 into dev Feb 13, 2026
2 checks passed

Development

Successfully merging this pull request may close these issues.

[BUG] managed identity auth using -AzureEnvironment USGovernmentHigh still connects to commercial graph endpoints
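The symptom in the linked issue (a non-commercial environment requested, a commercial endpoint used) is easy to miss because the connection succeeds either way. The script below is an added verification example, not code from the PR or from PnP PowerShell itself; it connects with a Managed Identity, checks that the connection object recorded the environment that was asked for, and then decodes the payload of the Graph access token to see which issuer and audience it was actually minted for. It assumes it runs on an Azure resource that has a Managed Identity, that PnP.PowerShell is imported, that Get-PnPAccessToken accepts -ResourceTypeName Graph, and that the placeholder URL is replaced with a real site.

```powershell
# Added verification script (not part of the PR or of PnP PowerShell).
# Assumptions: Managed Identity available on this host, PnP.PowerShell imported,
# $Url replaced with a real tenant site, Get-PnPAccessToken supports -ResourceTypeName.
param(
    [string]$Url = 'https://<tenant>.sharepoint.us',   # placeholder, replace before use
    [string]$Environment = 'USGovernmentHigh'           # environment named in the linked issue
)

Connect-PnPOnline -Url $Url -ManagedIdentity -AzureEnvironment $Environment

# 1. The connection object must record the environment that was requested.
#    Before the fix, AzureEnvironment was never set and silently stayed at Production.
$conn = Get-PnPConnection
if ("$($conn.AzureEnvironment)" -ne $Environment) {
    throw "Requested $Environment but the connection reports $($conn.AzureEnvironment); the environment was dropped and commercial endpoints would be used."
}

# 2. Inspect the token we were actually given. Only the payload is decoded here;
#    no signature check is needed because we are reading our own token, not trusting it.
$token   = Get-PnPAccessToken -ResourceTypeName Graph
$payload = ($token -split '\.')[1]
$payload = $payload.Replace('-', '+').Replace('_', '/')      # base64url -> base64
switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
$claims  = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json

"Token issuer  : $($claims.iss)"
"Token audience: $($claims.aud)"

# The audience may be a resource URI or the Graph application id; the URI form is the
# one that exposes the commercial endpoint directly, so treat that as a hard failure.
if ($Environment -ne 'Production' -and $claims.aud -like '*graph.microsoft.com*') {
    throw "Token audience is the commercial Graph endpoint although $Environment was requested."
}
"OK: connection and token both reflect $Environment (review the issuer above for the sovereign cloud authority)."
```

Run it once against the commercial cloud with -Environment Production to confirm the baseline, then against the sovereign environment the tenant lives in; the first check fails on the pre-fix build, the second shows whether the framework call was also updated, which is what the follow-up commit in this PR addresses.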
