Remove use of SystemManagedIdentity

heyitsaamir · heyitsaamir · commit 718bc09670ed · 2025-11-04T18:08:36.000-08:00
diff --git a/packages/api/src/microsoft/teams/api/auth/credentials.py b/packages/api/src/microsoft/teams/api/auth/credentials.py
@@ -3,7 +3,7 @@
 Licensed under the MIT License.
 """
 
-from typing import Awaitable, Callable, Literal, Optional, Union
+from typing import Awaitable, Callable, Optional, Union
 
 from ..models import CustomBaseModel
 
@@ -44,15 +44,11 @@ class TokenCredentials(CustomBaseModel):
 
 
 class ManagedIdentityCredentials(CustomBaseModel):
-    """Credentials for authentication using Azure Managed Identity."""
+    """Credentials for authentication using Azure User-Assigned Managed Identity."""
 
     client_id: str
     """
-    The client ID of the app registration.
-    """
-    managed_identity_type: Literal["system", "user"]
-    """
-    The type of managed identity: 'system' for system-assigned or 'user' for user-assigned.
+    The client ID of the user-assigned managed identity.
     """
     tenant_id: Optional[str] = None
     """
diff --git a/packages/apps/src/microsoft/teams/apps/app.py b/packages/apps/src/microsoft/teams/apps/app.py
@@ -292,7 +292,6 @@ def _init_credentials(self) -> Optional[Credentials]:
         tenant_id = self.options.tenant_id or os.getenv("TENANT_ID")
         token = self.options.token
         managed_identity_client_id = self.options.managed_identity_client_id or os.getenv("MANAGED_IDENTITY_CLIENT_ID")
-        managed_identity_type = self.options.managed_identity_type or os.getenv("MANAGED_IDENTITY_TYPE") or "user"
 
         self.log.debug(f"Using CLIENT_ID: {client_id}")
         if not tenant_id:
@@ -311,15 +310,18 @@ def _init_credentials(self) -> Optional[Credentials]:
 
         # - If client_id but no client_secret : use ManagedIdentityCredentials (inferred)
         if client_id:
-            assert managed_identity_type in ("system", "user"), (
-                f"managed_identity_type must be 'system' or 'user', got: {managed_identity_type}"
-            )
-            self.log.debug(f"Using managed identity: {managed_identity_type} for auth")
+            # Validate that if managed_identity_client_id is provided, it must equal client_id
+            if managed_identity_client_id and managed_identity_client_id != client_id:
+                raise ValueError(
+                    "Federated Identity Credentials is not yet supported. "
+                    "managed_identity_client_id must equal client_id."
+                )
+
+            self.log.debug("Using user-assigned managed identity for auth")
             # Use managed_identity_client_id if provided, otherwise fall back to client_id
             mi_client_id = managed_identity_client_id or client_id
             return ManagedIdentityCredentials(
                 client_id=mi_client_id,
-                managed_identity_type=managed_identity_type,
                 tenant_id=tenant_id,
             )
 
diff --git a/packages/apps/src/microsoft/teams/apps/options.py b/packages/apps/src/microsoft/teams/apps/options.py
@@ -5,7 +5,7 @@
 
 from dataclasses import dataclass, field
 from logging import Logger
-from typing import Any, Awaitable, Callable, List, Literal, Optional, TypedDict, Union, cast
+from typing import Any, Awaitable, Callable, List, Optional, TypedDict, Union, cast
 
 from microsoft.teams.common import Storage
 from typing_extensions import Unpack
@@ -33,12 +33,6 @@ class AppOptions(TypedDict, total=False):
     Defaults to client_id if not provided.
     """
 
-    managed_identity_type: Optional[Literal["system", "user"]]
-    """
-    The type of managed identity: 'system' for system-assigned or 'user'
-    for user-assigned. Defaults to 'user' (if managed identity is used at all)
-    """
-
     # Infrastructure
     logger: Optional[Logger]
     storage: Optional[Storage[str, Any]]
@@ -69,8 +63,6 @@ class InternalAppOptions:
     """Custom token provider function. If provided with client_id (no client_secret), uses TokenCredentials."""
     managed_identity_client_id: Optional[str] = None
     """The managed identity client ID for user-assigned managed identity. Defaults to client_id if not provided."""
-    managed_identity_type: Optional[Literal["system", "user"]] = None
-    """The type of managed identity: 'system' for system-assigned or 'user' for user-assigned. Defaults to 'user'."""
     logger: Optional[Logger] = None
     storage: Optional[Storage[str, Any]] = None
 
diff --git a/packages/apps/src/microsoft/teams/apps/token_manager.py b/packages/apps/src/microsoft/teams/apps/token_manager.py
@@ -20,7 +20,6 @@
 from msal import (  # pyright: ignore[reportMissingTypeStubs]
     ConfidentialClientApplication,
     ManagedIdentityClient,
-    SystemAssignedManagedIdentity,
     UserAssignedManagedIdentity,
 )
 
@@ -124,11 +123,8 @@ def _get_msal_client(self, tenant_id: str) -> ConfidentialClientApplication | Ma
                 authority=f"https://login.microsoftonline.com/{tenant_id}",
             )
         elif isinstance(credentials, ManagedIdentityCredentials):
-            # Create the appropriate managed identity based on type
-            if credentials.managed_identity_type == "system":
-                managed_identity = SystemAssignedManagedIdentity()
-            else:  # "user"
-                managed_identity = UserAssignedManagedIdentity(client_id=credentials.client_id)
+            # Create user-assigned managed identity
+            managed_identity = UserAssignedManagedIdentity(client_id=credentials.client_id)
 
             client = ManagedIdentityClient(
                 managed_identity,
