I have been trying to configure a code repo connection + auth via Bicep but keep hitting an error. I discussed this at length with the agent itself, which suggested that I file a bug here and said:

A bug in StoreManagedIdentityCoreAsync specific to how it constructs the ClientAssertionCredential for your cross-tenant FIC configuration.

I can't onboard my team to use SRE Agent until I can get the configuration working in Bicep, so this is a major blocker for us.

I am able to configure this auth in the agent portal with all the same values and get this to work. But when deployed via Bicep or data-plane ARM REST calls, it fails.
Example Bicep Deployment:
- Correlation ID: f6429ffe-052f-43f5-8a37-90608dc4d2df
- Start Time: 6/19/2026, 3:15:25 PM
- Error Message:
The managed identity could not acquire a token for organization 'microsoft'. is invalid. (Code: InvalidRequestParameter)
Here is the Bicep that I've been running:

```bicep
@description('Name of the existing SRE Agent resource')
param agentName string

@description('ADO organization short name')
param adoOrg string

@description('Client ID of the UAMI that is configured as an FIC')
param managedIdentityClientId string

@description('Client ID of the Entra app registration')
param federatedClientId string

@description('Tenant ID where the Entra app registration resides')
param federatedTenantId string

resource agent 'Microsoft.App/agents@2025-05-01-preview' existing = {
  name: agentName
}

resource adoAuth 'Microsoft.App/agents/azureDevOpsAuths@2025-05-01-preview' = {
  parent: agent
  name: adoOrg
  properties: {
    value: base64(string({
      authType: 'ManagedIdentity'
      identity: managedIdentityClientId
      federatedClientId: federatedClientId
      federatedTenantId: federatedTenantId
    }))
  }
}
```