Detect system-assigned managed identities in AzureCredentialHelper

src/Shared/AzureCredentialHelper.cs

@@ -18,13 +18,20 @@ internal static TokenCredential CreateDefaultAzureCredential()
             return new DefaultAzureCredential(DefaultAzureCredential.DefaultEnvironmentVariableName);
         }
 
-        if (Environment.GetEnvironmentVariable("AZURE_CLIENT_ID") is not null)
+        if (Environment.GetEnvironmentVariable("AZURE_CLIENT_ID") is string azureClientId)
         {
             // When we don't see DefaultEnvironmentVariableName, but we do see AZURE_CLIENT_ID,
             // we just use ManagedIdentityCredential because that's the only credential type that
             // Aspire Hosting enables by default.
+            // This is also used to support user assigned managed identities in Azure App Service and Azure Functions.
             // If this doesn't work for applications, they can override the TokenCredential in their settings.
-            return new ManagedIdentityCredential(new ManagedIdentityCredentialOptions());
+            return new ManagedIdentityCredential(new ManagedIdentityCredentialOptions(ManagedIdentityId.FromUserAssignedClientId(azureClientId)));
+        }
+        else if (Environment.GetEnvironmentVariable("IDENTITY_ENDPOINT") is not null)
+        {
+            // When we see IDENTITY_ENDPOINT, but not AZURE_CLIENT_ID, we assume we're in an Azure
+            // environment with a system assigned managed identity such as Azure App Service or Azure Functions.
+            return new ManagedIdentityCredential(new ManagedIdentityCredentialOptions(ManagedIdentityId.SystemAssigned));
         }
 
         // when we can't detect a known Azure environment, fall back to the development credential