Integrate managed identity handling in Plugin sync #14
Merged
Managed identity was previously handled only as a separate command. This integrates it into plugin sync and reworks the reconcile semantics:

- Plugin sync can now ensure a managed identity via ManagedIdentityClientId/TenantId on PluginSyncItem or --client-id/--tenant-id on the plugins command. The reconcile runs after the assembly upsert, regardless of whether the assembly binary changed.
- Ensure is now a true upsert: it updates the linked identity in place when its application id, tenant id, or name has drifted, instead of no-opping. It never deletes during ensure.
- Remove no longer fails when the assembly is missing; it logs a warning and exits successfully so teardown pipelines are safe.
- Extracted the shared reconcile logic into IManagedIdentityReconciler, used by both PluginSyncService and the standalone IdentitySyncService.

Adds ManagedIdentityInfo + reader/writer support for drift detection, updates tests, and documents the behavior in README/CLAUDE.

Co-Authored-By: Claude <[email protected]> via Conducktor <[email protected]>
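
The ensure/remove semantics described above, modelled as an added example (not code from this PR or from XrmSync): an in-memory dictionary stands in for Dataverse, and `Desired`, `Linked`, `Outcome` and `Reconcile` are hypothetical names. It assumes ensure treats a missing assembly as an error and that removing when nothing is linked is a no-op; the description specifies neither.

```csharp
#nullable enable
using System;
using System.Collections.Generic;

// Hypothetical stand-ins for illustration; these are not XrmSync types.
public record Desired(Guid ApplicationId, Guid TenantId, string Name);
public record Linked(Guid RecordId, Guid ApplicationId, Guid TenantId, string Name);
public enum Outcome { Created, Updated, Unchanged, Removed, NothingLinked, AssemblyMissing }

public static class Reconcile
{
    // Ensure: create when nothing is linked, update in place on drift, never delete.
    // Assumption: a missing assembly is an error here; the page only covers Remove.
    public static Outcome Ensure(Dictionary<string, Linked?> state, string assembly, Desired want)
    {
        if (!state.TryGetValue(assembly, out var have))
            throw new InvalidOperationException($"assembly '{assembly}' not found");
        if (have is null)
        {
            state[assembly] = new Linked(Guid.NewGuid(), want.ApplicationId, want.TenantId, want.Name);
            return Outcome.Created;
        }
        // Drift is any difference in application id, tenant id or name.
        bool drifted = (have.ApplicationId, have.TenantId, have.Name) != (want.ApplicationId, want.TenantId, want.Name);
        if (!drifted) return Outcome.Unchanged;
        // Same RecordId, new field values: an update, not a delete and recreate.
        state[assembly] = have with { ApplicationId = want.ApplicationId, TenantId = want.TenantId, Name = want.Name };
        return Outcome.Updated;
    }

    // Remove: a missing assembly is a warning and a success, so teardown can rerun.
    public static Outcome Remove(Dictionary<string, Linked?> state, string assembly)
    {
        if (!state.TryGetValue(assembly, out var have))
        {
            Console.Error.WriteLine($"warning: assembly '{assembly}' not found, nothing to remove");
            return Outcome.AssemblyMissing;
        }
        if (have is null) return Outcome.NothingLinked;   // assumption: also a no-op
        state[assembly] = null;
        return Outcome.Removed;
    }

    public static void Main()
    {
        var want = new Desired(Guid.NewGuid(), Guid.NewGuid(), "sample-identity"); // constructed ids
        var state = new Dictionary<string, Linked?> { ["Sample.Plugins"] = null };
        foreach (var w in new[] { want, want, want with { TenantId = Guid.NewGuid() } })
            Console.WriteLine(Ensure(state, "Sample.Plugins", w));
        Console.WriteLine(Remove(state, "Sample.Plugins"));
        Console.WriteLine(Remove(state, "Not.Deployed"));
    }
}
```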
Pull request overview
This PR integrates managed identity reconciliation into the plugin sync workflow, so managed identities can be ensured/updated inline during plugins sync (in addition to the standalone identity command), and refactors the shared reconcile behavior into a dedicated service.
Changes:
- Add `--client-id`/`--tenant-id` support to `plugins` sync (and profile `PluginSyncItem`) and ensure the managed identity after assembly upsert even when the binary is unchanged.
- Refactor managed identity logic into a shared `IManagedIdentityReconciler` with “true upsert” semantics (update-in-place on drift; ensure never deletes).
- Adjust identity removal to be teardown-safe (missing assembly logs a warning and exits successfully), and add/update unit tests + docs.
Reviewed changes
Copilot reviewed 21 out of 23 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| XrmSync/Commands/XrmSyncRootCommand.cs | Propagates CLI client/tenant overrides into plugin sync items. |
| XrmSync/Commands/PluginSyncCommand.cs | Adds --client-id/--tenant-id options, merges CLI+profile, and validates managed identity GUIDs for plugin sync. |
| SyncService/PluginSyncService.cs | Ensures managed identity (when configured) immediately after assembly upsert. |
| SyncService/ManagedIdentityReconciler.cs | Introduces shared reconcile service for ensure/remove with drift detection and update-in-place behavior. |
| SyncService/IdentitySyncService.cs | Delegates ensure/remove to the shared reconciler and makes remove tolerant to missing assemblies. |
| SyncService/Extensions/ServiceCollectionExtensions.cs | Registers IManagedIdentityReconciler for both plugin sync and identity service DI graphs. |
| Model/XrmSyncOptions.cs | Extends PluginSyncItem to include managed identity client/tenant IDs. |
| Model/Plugin/PluginSyncCommandOptions.cs | Adds managed identity options and HasManagedIdentity helper for plugin sync execution. |
| Model/Identity/ManagedIdentityInfo.cs | Adds a record to represent current managed identity state for drift detection. |
| Dataverse/ManagedIdentityWriter.cs | Adds writer support for updating an existing managed identity record. |
| Dataverse/ManagedIdentityReader.cs | Adds reader support to fetch managed identity state for drift detection. |
| Dataverse/Interfaces/IManagedIdentityWriter.cs | Adds Update(...) to the writer contract. |
| Dataverse/Interfaces/IManagedIdentityReader.cs | Adds GetManagedIdentity(...) to the reader contract. |
| Dataverse/Interfaces/IDataverseReader.cs | Exposes ManagedIdentities queryable for managed identity reads. |
| Dataverse/DataverseReader.cs | Implements ManagedIdentities via DataverseContext.ManagedIdentitySet. |
| Tests/Plugins/PluginServiceTests.cs | Adds coverage for plugin sync managed identity integration behavior. |
| Tests/ManagedIdentity/ManagedIdentityReconcilerTests.cs | New unit tests for reconciler ensure/remove and drift/update semantics. |
| Tests/ManagedIdentity/IdentitySyncServiceTests.cs | Updates tests to reflect delegation to reconciler and remove-on-missing-assembly behavior. |
| Tests.Integration/Metadata/TypeDeclarations.cs | Formatting-only adjustment in integration test metadata declarations. |
| README.md | Documents inline managed identity behavior for plugin sync and updated ensure/remove semantics. |
| CLAUDE.md | Updates developer documentation/examples to include inline managed identity plugin sync. |
EntityReference.Name can be blank if the related record has no primary name, producing an unhelpful "Deleting managed identity ''" message. Fall back to the id so the log stays actionable. Co-Authored-By: Claude <[email protected]> via Conducktor <[email protected]>
Integrate managed identity into plugin sync and make ensure an upsert