[BUG] ClientOptions.Retry.NetworkTimeout is ignored

[sergesh78]

Library name and version

Azure.Identity 1.12.0

Describe the bug

Recentrly our application started to fail with exception:

Exception caught: Azure.Identity.CredentialUnavailableException: DefaultAzureCredential failed to retrieve a token from the included credentials. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/defaultazurecredential/troubleshoot
information. https://aka.ms/azsdk/net/identity/workloadidentitycredential/troubleshoot
- ManagedIdentityCredential authentication unavailable. No response received from the managed identity endpoint.

We tried increasing timeout and configuring retry option, but that didn't help:

SecretClientOptions opt = new SecretClientOptions();
opt.Retry.NetworkTimeout = TimeSpan.FromSeconds(30);

When debugging through the code I noticed that timeout is ignored and hard-coded value of 1 second is used

I also noticed that no retries are performed by SecretClient itself (log attached).

We will be implementing our own retry mechanism on top but really what we need is ability to configure retries and timeouts properly.

Expected behavior

Retry.NetworkTimeout should be used as actual timeout value

Actual behavior

hard-coded value of 1 sec is used and error message recommends configuring it via ClientOptions.Retry.NetworkTimeout which is not honored.

Reproduction Steps

SecretClientOptions opt = new SecretClientOptions();
opt.Retry.NetworkTimeout = TimeSpan.FromSeconds(30);
var client = new SecretClient(keyVaultUri, credentials, opt);
client.GetSecret("secretname");

Environment

Windows Server 2025 DataCenter, .net framework 4.8

[github-actions]

@christothes @JonathanCrd

[christothes]

Hi @sergesh78 -
This timeout and retry behavior is intentional for DefaultAzureCredential when using managed identity. You can override the retry behavior by setting the RetryPolicy on the credential options. In addition, if you want to get the default timeout and retry behavior there are a couple options:

• Use ManagedIdentityCredential directly
• Use the parameterless ctor for DefaultAzureCredential with the AZURE_TOKEN_CREDENTIALS env var or use this ctor with a custom env var name (available with the latest Azure.Identity release). More info here

[github-actions]

Hi @sergesh78. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

[sergesh78]

We already configuring timeouts this way:

azureClientOptions.Retry.Delay = TimeSpan.FromSeconds(5);
azureClientOptions.Retry.MaxDelay = TimeSpan.FromMinutes(3);
azureClientOptions.Retry.MaxRetries = 10;
azureClientOptions.Retry.Mode = RetryMode.Exponential;
azureClientOptions.Retry.NetworkTimeout = TimeSpan.FromSeconds(30);

I looked into using ManagedIdentityCredential directly, but it's constructor doesn't allow specifying InitialImdsConnectionTimeout because ManagedIdentityClientOptions class is internal.

As a side note, the issue started to happen after we moved our VMs to another data center, leaving managed identity in original data center, so providing larger timeout for MSI endpoint discovery might be crucial to others in such cases.

Also, I forgot to attach log file which in my opinion shows that no retries are performed:

Azure_134025227569832928.log