Enhance Azure credential management in AppConfig

- Updated get_azure_credential and get_azure_credential_async methods to use exclude_environment_credential=True for dev environment.
- Refactored MCPEnabledBase to acquire credentials using centralized config method.
- Added unit tests for async credential retrieval in both dev and production environments.

Author: Abdul-Microsoft

src/backend/common/config/app_config.py

@@ -6,6 +6,10 @@
 from azure.ai.projects.aio import AIProjectClient
 from azure.cosmos import CosmosClient
 from azure.identity import DefaultAzureCredential, ManagedIdentityCredential
+from azure.identity.aio import (
+    DefaultAzureCredential as DefaultAzureCredentialAsync,
+    ManagedIdentityCredential as ManagedIdentityCredentialAsync,
+)
 from dotenv import load_dotenv
 
 
@@ -113,7 +117,8 @@ def get_azure_credential(self, client_id=None):
         """
         Returns an Azure credential based on the application environment.
 
-        If the environment is 'dev', it uses DefaultAzureCredential.
+        If the environment is 'dev', it uses DefaultAzureCredential with exclude_environment_credential=True
+        to avoid EnvironmentCredential exceptions in Application Insights traces.
         Otherwise, it uses ManagedIdentityCredential.
 
         Args:
@@ -123,10 +128,29 @@ def get_azure_credential(self, client_id=None):
             Credential object: Either DefaultAzureCredential or ManagedIdentityCredential.
         """
         if self.APP_ENV == "dev":
-            return DefaultAzureCredential()  # CodeQL [SM05139]: DefaultAzureCredential is safe here
+            return DefaultAzureCredential(exclude_environment_credential=True)  # CodeQL [SM05139]: DefaultAzureCredential is safe here
         else:
             return ManagedIdentityCredential(client_id=client_id)
 
+    def get_azure_credential_async(self, client_id=None):
+        """
+        Returns an async Azure credential based on the application environment.
+
+        If the environment is 'dev', it uses DefaultAzureCredential (async) with exclude_environment_credential=True
+        to avoid EnvironmentCredential exceptions in Application Insights traces.
+        Otherwise, it uses ManagedIdentityCredential (async).
+
+        Args:
+            client_id (str, optional): The client ID for the Managed Identity Credential.
+
+        Returns:
+            Async Credential object: Either DefaultAzureCredentialAsync or ManagedIdentityCredentialAsync.
+        """
+        if self.APP_ENV == "dev":
+            return DefaultAzureCredentialAsync(exclude_environment_credential=True)
+        else:
+            return ManagedIdentityCredentialAsync(client_id=client_id)
+
     def get_azure_credentials(self):
         """Retrieve Azure credentials, either from environment variables or managed identity."""
         if self._azure_credentials is None:

src/backend/v4/magentic_agents/common/lifecycle.py

@@ -13,7 +13,7 @@
 # from agent_framework.azure import AzureAIClient
 from agent_framework_azure_ai import AzureAIClient
 from azure.ai.agents.aio import AgentsClient
-from azure.identity.aio import DefaultAzureCredential
+from common.config.app_config import config
 from common.database.database_base import DatabaseBase
 from common.models.messages_af import TeamConfiguration
 from common.utils.utils_agents import (
@@ -52,7 +52,7 @@ def __init__(
         self.team_config: TeamConfiguration | None = team_config
         self.client: Optional[AgentsClient] = None
         self.project_endpoint = project_endpoint
-        self.creds: Optional[DefaultAzureCredential] = None
+        self.creds = None
         self.memory_store: Optional[DatabaseBase] = memory_store
         self.agent_name: str | None = agent_name
         self.agent_description: str | None = agent_description
@@ -66,8 +66,8 @@ async def open(self) -> "MCPEnabledBase":
             return self
         self._stack = AsyncExitStack()
 
-        # Acquire credential
-        self.creds = DefaultAzureCredential()
+        # Acquire credential using centralized config method
+        self.creds = config.get_azure_credential_async(config.AZURE_CLIENT_ID)
         if self._stack:
             await self._stack.enter_async_context(self.creds)
         # Create AgentsClient

src/tests/backend/common/config/test_app_config.py

@@ -251,15 +251,16 @@ def _get_minimal_env(self):
 
     @patch('backend.common.config.app_config.DefaultAzureCredential')
     def test_get_azure_credential_dev_environment(self, mock_default_credential):
-        """Test get_azure_credential method in dev environment."""
+        """Test get_azure_credential method in dev environment with exclude_environment_credential."""
         mock_credential = MagicMock()
         mock_default_credential.return_value = mock_credential
 
         with patch.dict(os.environ, self._get_minimal_env()):
             config = AppConfig()
             result = config.get_azure_credential()
 
-            mock_default_credential.assert_called_once()
+            # Verify it's called with exclude_environment_credential=True in dev
+            mock_default_credential.assert_called_once_with(exclude_environment_credential=True)
             assert result == mock_credential
 
     @patch('backend.common.config.app_config.ManagedIdentityCredential')
@@ -333,6 +334,55 @@ def test_get_access_token_failure(self, mock_default_credential):
             with pytest.raises(Exception, match="Token retrieval failed"):
                 credential.get_token(config.AZURE_COGNITIVE_SERVICES)
 
+    @patch('backend.common.config.app_config.DefaultAzureCredentialAsync')
+    def test_get_azure_credential_async_dev_environment(self, mock_default_credential_async):
+        """Test get_azure_credential_async method in dev environment with exclude_environment_credential."""
+        mock_credential = MagicMock()
+        mock_default_credential_async.return_value = mock_credential
+        
+        with patch.dict(os.environ, self._get_minimal_env()):
+            config = AppConfig()
+            result = config.get_azure_credential_async()
+            
+            # Verify it's called with exclude_environment_credential=True in dev
+            mock_default_credential_async.assert_called_once_with(exclude_environment_credential=True)
+            assert result == mock_credential
+
+    @patch('backend.common.config.app_config.ManagedIdentityCredentialAsync')
+    def test_get_azure_credential_async_prod_environment(self, mock_managed_credential_async):
+        """Test get_azure_credential_async method in production environment."""
+        mock_credential = MagicMock()
+        mock_managed_credential_async.return_value = mock_credential
+        
+        env = self._get_minimal_env()
+        env["APP_ENV"] = "prod"
+        env["AZURE_CLIENT_ID"] = "test-client-id"
+        
+        with patch.dict(os.environ, env):
+            config = AppConfig()
+            result = config.get_azure_credential_async("test-client-id")
+            
+            mock_managed_credential_async.assert_called_once_with(client_id="test-client-id")
+            assert result == mock_credential
+
+    @patch('backend.common.config.app_config.ManagedIdentityCredentialAsync')
+    def test_get_azure_credential_async_prod_uppercase(self, mock_managed_credential_async):
+        """Test get_azure_credential_async handles uppercase Prod environment value."""
+        mock_credential = MagicMock()
+        mock_managed_credential_async.return_value = mock_credential
+        
+        env = self._get_minimal_env()
+        env["APP_ENV"] = "Prod"  # Bicep sets it as "Prod" with capital P
+        env["AZURE_CLIENT_ID"] = "test-client-id"
+        
+        with patch.dict(os.environ, env):
+            config = AppConfig()
+            result = config.get_azure_credential_async("test-client-id")
+            
+            # Should use ManagedIdentityCredential even with capital "Prod"
+            mock_managed_credential_async.assert_called_once_with(client_id="test-client-id")
+            assert result == mock_credential
+
 
 class TestAppConfigClientMethods:
     """Test cases for client creation methods in AppConfig class."""

src/tests/backend/v4/magentic_agents/common/test_lifecycle.py

@@ -171,7 +171,9 @@ async def test_open_method_success(self):
         mock_mcp_tool = AsyncMock()
 
         with patch('backend.v4.magentic_agents.common.lifecycle.AsyncExitStack', return_value=mock_stack):
-            with patch('backend.v4.magentic_agents.common.lifecycle.DefaultAzureCredential', return_value=mock_creds):
+            with patch('backend.v4.magentic_agents.common.lifecycle.config') as mock_config:
+                mock_config.get_azure_credential_async.return_value = mock_creds
+                mock_config.AZURE_CLIENT_ID = "test-client-id"
                 with patch('backend.v4.magentic_agents.common.lifecycle.AgentsClient', return_value=mock_client):
                     with patch('backend.v4.magentic_agents.common.lifecycle.MCPStreamableHTTPTool', return_value=mock_mcp_tool):
                         with patch.object(base, '_after_open', new_callable=AsyncMock) as mock_after_open:
@@ -182,6 +184,7 @@ async def test_open_method_success(self):
                             assert base._stack is mock_stack
                             assert base.creds is mock_creds
                             assert base.client is mock_client
+                            mock_config.get_azure_credential_async.assert_called_once_with("test-client-id")
                             mock_after_open.assert_called_once()
                             mock_agent_registry.register_agent.assert_called_once_with(base)
 
@@ -207,7 +210,9 @@ async def test_open_method_registration_failure(self):
         mock_client = AsyncMock()
 
         with patch('backend.v4.magentic_agents.common.lifecycle.AsyncExitStack', return_value=mock_stack):
-            with patch('backend.v4.magentic_agents.common.lifecycle.DefaultAzureCredential', return_value=mock_creds):
+            with patch('backend.v4.magentic_agents.common.lifecycle.config') as mock_config:
+                mock_config.get_azure_credential_async.return_value = mock_creds
+                mock_config.AZURE_CLIENT_ID = "test-client-id"
                 with patch('backend.v4.magentic_agents.common.lifecycle.AgentsClient', return_value=mock_client):
                     with patch.object(base, '_after_open', new_callable=AsyncMock):
                         mock_agent_registry.register_agent.side_effect = Exception("Registration failed")
@@ -216,6 +221,7 @@ async def test_open_method_registration_failure(self):
                         result = await base.open()
 
                         assert result is base
+                        mock_config.get_azure_credential_async.assert_called_once_with("test-client-id")
                         mock_agent_registry.register_agent.assert_called_once_with(base)
 
     @pytest.mark.asyncio