Warn on unsupported managed identity configuration (#27991)

Author: christothes

sdk/identity/Azure.Identity/src/CloudShellManagedIdentitySource.cs

@@ -41,7 +41,7 @@ public static ManagedIdentitySource TryCreate(ManagedIdentityClientOptions optio
         private CloudShellManagedIdentitySource(Uri endpoint, ManagedIdentityClientOptions options) : base(options.Pipeline)
         {
             _endpoint = endpoint;
-            if (!string.IsNullOrEmpty(options.ClientId) || null == options.ResourceIdentifier)
+            if (!string.IsNullOrEmpty(options.ClientId) || null != options.ResourceIdentifier)
             {
                 AzureIdentityEventSource.Singleton.UserAssignedManagedIdentityNotSupported("Cloud Shell");
             }

sdk/identity/Azure.Identity/tests/ManagedIdentityCredentialTests.cs

@@ -459,9 +459,8 @@ public async Task VerifyCloudShellMsiRequestMockAsync()
 
         [NonParallelizable]
         [Test]
-        [TestCase(null)]
-        [TestCase("mock-client-id")]
-        public async Task VerifyCloudShellMsiRequestWithClientIdMockAsync(string clientId)
+        [TestCaseSource(nameof(ResourceAndClientIds))]
+        public async Task VerifyCloudShellMsiRequestWithClientIdMockAsync(string clientId, bool includeResourceIdentifier)
         {
             using var environment = new TestEnvVar(new() { { "MSI_ENDPOINT", "https://mock.msi.endpoint/" }, { "MSI_SECRET", null }, { "IDENTITY_ENDPOINT", null }, { "IDENTITY_HEADER", null }, { "AZURE_POD_IDENTITY_AUTHORITY_HOST", null } });
 
@@ -474,7 +473,13 @@ public async Task VerifyCloudShellMsiRequestWithClientIdMockAsync(string clientI
             var mockTransport = new MockTransport(response);
             var options = new TokenCredentialOptions() { Transport = mockTransport };
 
-            ManagedIdentityCredential client = InstrumentClient(new ManagedIdentityCredential(clientId, options));
+            // ManagedIdentityCredential client = InstrumentClient(new ManagedIdentityCredential(clientId, options));
+            ManagedIdentityCredential client = (clientId, includeResourceIdentifier) switch
+            {
+                (Item1: null, Item2: true) => InstrumentClient(new ManagedIdentityCredential(new ResourceIdentifier(_expectedResourceId), options)),
+                (Item1: not null, Item2: false) => InstrumentClient(new ManagedIdentityCredential(clientId, options)),
+                _ => InstrumentClient(new ManagedIdentityCredential(clientId: null, options))
+            };
 
             AccessToken actualToken = await client.GetTokenAsync(new TokenRequestContext(MockScopes.Default));
 
@@ -491,7 +496,7 @@ public async Task VerifyCloudShellMsiRequestWithClientIdMockAsync(string clientI
             string body = Encoding.UTF8.GetString(content);
 
             Assert.IsTrue(body.Contains($"resource={Uri.EscapeDataString(ScopeUtilities.ScopesToResource(MockScopes.Default))}"));
-            if (clientId != null)
+            if (clientId != null || includeResourceIdentifier)
             {
                 Assert.That(messages, Does.Contain(string.Format(AzureIdentityEventSource.UserAssignedManagedIdentityNotSupportedMessage, "Cloud Shell")));
             }