chore(deps): update azure azure-sdk-for-net monorepo

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
Azure.Identity (source)	1.11.4 → 1.21.0
Azure.Monitor.Query (source)	1.3.1 → 1.7.1
Azure.Monitor.Query (source)	1.4.0 → 1.7.1

---

Release Notes

Azure/azure-sdk-for-net (Azure.Identity)

v1.21.0

Compare Source

1.21.0 (2026-04-10)

Other Changes

• All Azure.Identity types have been moved to Azure.Core and are now available through TypeForwardedTo attributes. This is a non-breaking change — existing code continues to work transparently. The library's version number now aligns with that of Azure.Core. See the Migration Guide for details.

v1.20.0

Compare Source

1.20.0 (2026-03-30)

Features Added

• Added a JSON schema segment to the NuGet package that provides IntelliSense and validation for Azure.Identity credential configuration in appsettings.json.

Breaking Changes

• AddAzureClient, AddKeyedAzureClient, and WithAzureCredential return type changed from IHostApplicationBuilder to IClientBuilder to align with the IClientBuilder composition change in System.ClientModel.

v1.19.0

Compare Source

1.19.0 (2026-03-11)

Features Added

• Added support in ClientCertificateCredential to specify a path in the form of cert:/StoreLocation/StoreName/Thumbprint to refer to a certificate in the platform certificate store - such as the Windows Certificate Store on Windows, and the KeyChain on MacOS - instead of a file on disk. For example to load a certificate from the "My" store in the "CurrentUser" location use the path cert:/CurrentUser/My/E661583E8FABEF4C0BEF694CBC41C28FB81CD870 (A community contribution, courtesy of fowl2).

Other Changes

• Updated Microsoft.Identity.Client and Microsoft.Identity.Client.Extensions.Msal dependencies to version 4.83.1.

v1.18.0

Compare Source

1.18.0 (2026-02-25)

Features Added

• Added experimental Microsoft.Extensions.Configuration and Microsoft.Extensions.DependencyInjection integration for Azure SDK clients. For details, see the Configuration and Dependency Injection documentation.

• The WorkloadIdentityCredentialOptions.IsAzureProxyEnabled property, which enables Azure Kubernetes token proxy mode, is only available in beta releases of this package.

• AzureDeveloperCliCredential now parses JSON error output from azd auth token to extract clean error messages instead of including raw JSON in exceptions. Error messages like {"type":"consoleMessage","data":{"message":"ERROR: fetching token: ..."}} are now displayed as ERROR: fetching token: ....

v1.17.2

Compare Source

1.17.2 (2026-04-15)

Other Changes

• Updated Microsoft.Identity.Client and Microsoft.Identity.Client.Extensions.Msal dependencies to version 4.83.1.

v1.17.1

Compare Source

1.17.1 (2025-11-18)

Other Changes

• Updated Microsoft.Identity.Client and Microsoft.Identity.Client.Extensions.Msal dependencies to version 4.78.0.

v1.17.0

Compare Source

1.17.0 (2025-10-07)

Bugs Fixed

• TenantId is now configured via MSAL's WithTenantId instead of WithTenantIdFromAuthority to prevent malformed Uris to the authority.

Other Changes

• Deprecated BrowserCustomizationOptions.UseEmbeddedWebView property. This option requires additional dependencies on Microsoft.Identity.Client.Desktop and is no longer supported. Consider using brokered authentication instead.

v1.16.0

Compare Source

1.16.0 (2025-09-09)

Features Added

• Added a new DefaultAzureCredential constructor that accepts a custom environment variable name for credential configuration. This provides flexibility beyond the default AZURE_TOKEN_CREDENTIALS environment variable. The constructor accepts any environment variable name and uses the same credential selection logic as the existing AZURE_TOKEN_CREDENTIALS processing.
• Added DefaultAzureCredential.DefaultEnvironmentVariableName constant property that returns "AZURE_TOKEN_CREDENTIALS" for convenience when referencing the default environment variable name.
• AzureCliCredential, AzurePowerShellCredential, and AzureDeveloperCliCredential now throw an AuthenticationFailedException when the TokenRequestContext includes claims, as these credentials do not support claims challenges. The exception message includes guidance for handling such scenarios.
• When AZURE_TOKEN_CREDENTIALS or the equivalent custom environment variable is configured to ManagedIdentityCredential, the DefaultAzureCredential does not issue a probe request and performs retries with exponential backoff.

Bugs Fixed

• Fixed AzureDeveloperCliCredential hanging when the AZD_DEBUG environment variable is set by adding the --no-prompt flag to prevent interactive prompts (#​52005).
• BrokerCredential is now included in the chain when AZURE_TOKEN_CREDENTIALS is set to dev.
• Fixed an issue that prevented ManagedIdentityCredential from utilizing the token cache in Workload Identity Federation environments.
• Fixed a bug in DefaultAzureCredential that caused the credential chain to be constructed incorrectly when using AZURE_TOKEN_CREDENTIALS in combination with DefaultAzureCredentialOptions.

Other Changes

• The BrokerCredential is now always included in the DefaultAzureCredential chain. If the Azure.Identity.Broker package is not referenced, an exception will be thrown when GetToken is called, making its behavior consistent with the rest of the credentials in the chain.
• Updated Microsoft.Identity.Client dependency to version 4.76.0.
• Updated Microsoft.Identity.Client.Extensions.Msal dependency to version 4.76.0.

v1.15.0

Compare Source

1.15.0 (2025-08-07)

Breaking Changes

Behavioral Breaking Changes

• Deprecated SharedTokenCacheCredential. The supporting credential (SharedTokenCacheCredential) was a legacy mechanism for authenticating clients using credentials provided to Visual Studio. For brokered authentication, consider using InteractiveBrowserCredential instead. The following changes have been made:
  • SharedTokenCacheCredential class is marked as [Obsolete] and [EditorBrowsable(EditorBrowsableState.Never)]
  • SharedTokenCacheCredentialOptions class is marked as [Obsolete] and [EditorBrowsable(EditorBrowsableState.Never)]
  • DefaultAzureCredentialOptions.ExcludeSharedTokenCacheCredential property is marked as [Obsolete] and [EditorBrowsable(EditorBrowsableState.Never)]
  • SharedTokenCacheUsername property is marked as [Obsolete] and [EditorBrowsable(EditorBrowsableState.Never)]
  • SharedTokenCacheCredential is no longer included in the DefaultAzureCredential authentication flow

Bugs Fixed

• Tenant ID comparisons in credential options are now case-insensitive. This affects AdditionallyAllowedTenants values which will now be matched against tenant IDs without case sensitivity, making the authentication more resilient to case differences in tenant IDs returned from WWW-Authenticate challenges (#​51693).

Other Changes

• BrokerAuthenticationCredential has been renamed as BrokerCredential.

• Added the EditorBrowsable(Never) attribute to property VisualStudioCodeTenantId as TenantId is preferred. The VisualStudioCodeTenantId property exists only to provide backwards compatibility.

v1.14.2

Compare Source

1.14.2 (2025-07-10)

Other changes

• Updated Microsoft.Identity.Client dependency to version 4.73.1

v1.14.1

Compare Source

1.14.1 (2025-07-08)

Bugs Fixed

• Added support in AzurePowerShellCredential for the Az.Accounts 5.0.0+ (Az 14.0.0+) breaking change where Get-AzAccessToken returns PSSecureAccessToken with a SecureString Token property instead of plaintext.

v1.14.0

Compare Source

1.14.0 (2025-05-13)

Other Changes

• Removed references to Username, Password, AZURE_USERNAME, and AZURE_PASSWORD in XML comments from EnvironmentCredentialOptions and EnvironmentCredential due to lack of MFA support. See MFA enforcement details.
• Marked AZURE_USERNAME and AZURE_PASSWORD as obsolete due to lack of MFA support. See MFA enforcement details.
• Added support for the AZURE_TOKEN_CREDENTIALS environment variable to DefaultAzureCredential, which allows for choosing between 'deployed service' and 'developer tools' credentials. Valid values are 'dev' for developer tools and 'prod' for deployed service.

v1.13.2

Compare Source

1.13.2 (2025-01-14)

Bugs Fixed

• Fixed an issue where setting DefaultAzureCredentialOptions.TenantId twice throws an InvalidOperationException (#​47035)
• Fixed an issue where ManagedIdentityCredential does not honor the CancellationToken passed to GetToken and GetTokenAsync. (#​47156)
• Fixed an issue where some credentials in DefaultAzureCredential would not fall through to the next credential in the chain under certain exception conditions.
• Fixed a regression in ManagedIdentityCredential when used in a ChainedTokenCredential where the invalid json responses do not fall through to the next credential in the chain. (#​47470)

v1.13.1

Compare Source

1.13.1 (2025-11-19)

Other Changes

• Updated Azure.Identity dependency to version 1.17.1

v1.13.0

Compare Source

1.13.0 (2024-10-14)

Features Added

• ManagedIdentityCredential now supports specifying a user-assigned managed identity by object ID.

Bugs Fixed

• If DefaultAzureCredential attempts to authenticate with the MangagedIdentityCredential and it receives either a failed response that is not json, it will now fall through to the next credential in the chain. #​45184
• Fixed the request sent in AzurePipelinesCredential so it doesn't result in a redirect response when an invalid system access token is provided.
• Updated to version 4.65.0 of Microsoft.Identity.Client to address a bug preventing the use of alternate authority types such as dStS (4927) .

Other Changes

• The logging level passed to MSAL now correlates to the log level configured on your configured AzureEventSourceListener. Previously, the log level was always set to Microsoft.Identity.Client.LogLevel.Info.
• AzurePowerShellCredential now utilizes the AsSecureString parameter to Get-AzAccessToken for version 2.17.0 and greater of the Az.Accounts module.
• Improved error logging for AzurePipelinesCredential.

v1.12.1

Compare Source

1.12.1 (2024-09-26)

Bugs Fixed

• Updated to version 4.65.0 of Microsoft.Identity.Client to address a bug preventing the use of alternate authority types such as dStS (4927) .

v1.12.0

Compare Source

1.12.0 (2024-06-17)

Features Added

• Added AzurePipelinesCredential for authenticating with Azure Pipelines service connections.
• OnBehalfOfCredential now supports client assertion callbacks for acquiring tokens on behalf of a user.
• All credentials now support setting RefreshOn value if received from MSAL.
• ManagedIdentityCredential sets RefreshOn value of half the token lifetime for AccessTokens with an ExpiresOn value greater than 2 hours in the future.
• ClientAssertionCredentialOptions now supports TokenCachePersistenceOptions for configuring token cache persistence.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Thank you for your contribution! 🙏 We will review it as soon as possible.