Azure Managed Identity to access Graph with User.Read.All

I am trying to connect to MS Graph using a User Managed Identity. I create the managed identity in the azure portal via create-> managed identity. It is not assigned to azure ressource. My goal is to use it from the client code directly (to not have to distinguish between dev and live environment). I got User.Read.All assigned using PowerShell and I can see it is granted when I view it via enterprise applications view.

Now, in my C# code I would like to create an instance of GraphServiceClient using:
var scopes = new[] { "https://graph.microsoft.com/.default" };
var clientCredential = new ManagedIdentityCredential(clientId);
GraphServiceClient graphClient = new GraphServiceClient(clientCredential, scopes);

I am receiving the following error when the code is executed:
Azure.Identity.CredentialUnavailableException: "ManagedIdentityCredential authentication unavailable. Multiple attempts failed to obtain a token from the managed identity endpoint."

I was only able to find examples where the managed identity is added to the function app it is run under. To my understanding the way I set it up should enable this to work? Or is it not possible to do it this way since the endpoints are protected in general?!

I hope somebody is able to help me out here,
Thanks!

Managed identities are essentially an identity for Azure resources. When you use a Managed Identity, it needs to be associated with an Azure resource such as an Azure VM, Azure Functions, Azure Logic Apps, etc. This is because Managed Identity allows Azure services to authenticate to cloud services without storing credentials in code. The code using the managed identity must be running in an azure compute resource which has that mangaed identity assigned to it. Then only it can request Azure AD to provide tokens for access.

In your case, you're trying to use a Managed Identity without associating it with an Azure resource, which is causing the error. The error essentially says that the Managed Identity endpoint isn't available. This endpoint is automatically available within Azure services that support Managed Identity.

To make this work you should:

• Assign the Managed Identity to an Azure Resource: The Managed Identity you've created should be associated with an Azure service. For example, if you're running your code on an Azure VM, you should assign the Managed Identity to the VM.

• Use Azure SDK Correctly: If running inside an Azure service with Managed Identity enabled, you don't necessarily need to specify the clientId when creating the ManagedIdentityCredential if you are using system managed identity. If you're using a user-assigned identity (which seems to be the case), then specifying the clientId (or ManagedIdentityClientId) is necessary. Make sure this clientId is correctly set.

• Ensure Necessary Permissions: Make sure the Managed Identity has the necessary permissions on Microsoft Graph.

• Network Restrictions: Ensure that there are no network restrictions preventing access to the Managed Identity endpoint. For example, if you're running in an Azure VM, ensure that you don't have NSGs or firewall rules blocking access.

• Using Outside Azure: If you're trying to use Managed Identity outside of Azure (e.g., on your local machine), it won't work. Managed Identity is specifically a feature of Azure resources

• If you're developing locally and want to use Managed Identity, a common pattern is to use your own developer credentials locally and use Managed Identity when deployed to Azure. You can use the DefaultAzureCredential class, which will attempt several methods of authentication in a specific order (Managed Identity, environment variables, etc.), making it seamless between local development and Azure deployment.