MSI check for App Service uses incorrect checks

[mattchenderson]

The following checks are not inline with the actual behavior of these services:

msrestazure-for-python/msrestazure/azure_active_directory.py

Lines 552 to 554 in 8849f39

	def _is_app_service():
	# Might be discussed if we think it's not robust enough
	return 'APPSETTING_WEBSITE_SITE_NAME' in os.environ

msrestazure-for-python/msrestazure/azure_active_directory.py

Line 585 in 8849f39

if not _is_app_service() and "MSI_ENDPOINT" not in os.environ:

This for example will fail in Container Apps, and it impacts Azure CLI commands like az login --identity

The correct implementation would be to check for the combination IDENTITY_ENDPOINT and IDENTITY_HEADER. You can also check for MSI_ENDPOINT and MSI_SECRET, but these are just aliases to support legacy app behavior. The IDENTITY_ENDPOINT and IDENTITY_HEADER is the proper way to determine if you should be using the App Service protocol or IMDS.

Reference for the token service API can be found here: https://docs.microsoft.com/azure/app-service/overview-managed-identity#rest-endpoint-reference

[lmazuel]

Hi @mattchenderson
This project is deprecated and no longer receives support. All recent (less than 2 years) SDKs now support azure-identity to provide MSI authentication with complete support from the team, to replace this library.
If you're stuck in a project that do requires msrestazure, please open an issue on azure-sdk-for-python to understand what we can do to help you move to azure-identity.
Thanks!