ImdsV2 is detected, even on a UAMI configuration error

[Robbie-Microsoft]

Fixes #5565

[gladjohn]

IMDS throttles very aggressively on 200s, but is much more forgiving of 400s.
For that reason we want the IMDSv2 probe to have a single responsibility:

“Does the endpoint exist and respond?”

and nothing else.

---

Right now GetPlatformMetadata ends up hitting IMDSv2 twice, and the probe path behaves too much like a “real” call:

• It can return 200.
• It runs identity-specific logic (UAMI / IdentityNotFound) that we only need on the second call.

---

We’d like to align the probe with the way Azure.Identity does it in ImdsManagedIdentityProbeSource:

• The probe sends a GET to the IMDS endpoint without the Metadata: true header.
• IMDS responds with 400 very quickly.
• A 400 of that specific shape is treated as “probe succeeded, endpoint exists”
  (they throw an internal ProbeRequestResponseException and then do the real call through MsalManagedIdentityClient).
• Only the second call is a full, valid IMDS request that can return 200 and surface identity errors.

---

Concretely, for MSAL

Probe call

• Build the request so IMDS returns a predictable 400 (e.g., omit the Metadata header).
• Treat that 400 as “IMDSv2 endpoint is available.”
• Do not rely on 200 responses or run UAMI / IdentityNotFound logic here — the probe is not an identity call.

Second (real) call

• Send the fully valid IMDSv2 request (with Metadata: true + identity hints).
• This is the only call that should be able to return 200.
• This is also the only place where we classify UAMI vs system-assigned and map
  IdentityNotFound vs ManagedIdentityRequestFailed.

---

That keeps the probe cheap and stable (one responsibility: endpoint exists)
and ensures we’re not burning extra 200s against IMDS just to detect IMDSv2.

IMDS V2 probe spec - https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/main/docs/msi_v2/vm_vmss_credential_probe.md

[Robbie-Microsoft]

I think this should be tracked on a separate GitHub issue. This PR fixes the linked bug, that you were pushing me to fix, so that people using public preview are no longer blocked.

Do you remember our discussions where we decided to combine the probe and the metadata endpoint? We had that discussion very early on.

[bgavrilMS]

If there are partners blocked by this, agreed to take this fix, but I am not sure there are?

Otherwise, it does seem like the 400 error is the correct fix and this can be done alongisde MSIv1 probing

[gladjohn]

While onboarding the partner we found they are using UAMI, and UAMI itself is not working in the environment. So no new partner onboarding till end of month.

[gladjohn]

IMDS already returns the IdentityNotFound error message, and MSAL simply bubbles up the IMDS payload without rewriting or overriding it. Adding our own string introduces duplication and may cause divergence from IMDS' authoritative error.

[Robbie-Microsoft]

This is the exact error message from Imds - It's used multiple times in this PR, including test mocks, so I made it a constant.

I could return the error message from Imds, but I would still keep this constant for the test mocks.

[bgavrilMS]

Agreed with @gladjohn - we can depend on the error code, but the error messages should from the server.

[bgavrilMS]

Are we abandoning this @Robbie-Microsoft ?

[Robbie-Microsoft]

Are we abandoning this @Robbie-Microsoft ?

Yes, that's what you and Gladwin told me.