

### Terraform Version

```shell
1.13.0
```

### Terraform Configuration Files

_/project/terraform/main.tf_

```terraform
terraform {
  backend "azurerm" {
    # Configured via -backend-config=backend-config.tf
  }
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 4" }
  }
}

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}
```

__/project/backend-config.hcl__

```terraform
resource_group_name  = "rg-test"
storage_account_name = "sa-test"
container_name       = "tf-state"
key                  = "test"
subscription_id      = "00000000-0000-0000-0000-000000000000"
use_azuread_auth     = false
use_msi              = true
client_id            = "00000000-0000-0000-0000-000000000000" # client id of user-assigned identity
client_secret        = "" # explicitly set to empty to prevent CLIENT_SECRET environment variable to be set
```

### Debug Output

```
...debug output, or link to a gist...
```

### Expected Behavior

The terraform azurerm backend must use managed identity authentication (as it did with Terraform 1.12.2).

### Actual Behavior

The terraform azurerm backend is using client credential authentication instead of managed identity:

```
╷
│ Error: retrieving Storage Account (Subscription: "00000000-0000-0000-0000-000000000000"
│ Resource Group Name: "rg-test"
│ Storage Account Name: "sa-test"): authorizing request: clientCredentialsToken: received HTTP status 400 with response: {"error":"invalid_client","error_description":"AADSTS7000232: MSI identity (80240f99-b719-4cab-9d18-19abab3165f4) should not use ClientSecretCredential. Trace ID: 00000000-0000-0000-0000-000000000000 Correlation ID: 00000000-0000-0000-0000-000000000000 Timestamp: 2025-10-29 20:18:22Z","error_codes":[7000232],"timestamp":"2025-10-29 20:18:22Z","trace_id":"00000000-0000-0000-0000-000000000000","correlation_id":"00000000-0000-0000-0000-000000000000","error_uri":"https://login.microsoftonline.com/error?code=7000232"}
│
```

### Steps to Reproduce

1. Export azurerm provider configuration

   ```shell
   export ARM_CLIENT_ID="11111111-1111-1111-1111-111111111111"
   export ARM_CLIENT_SECRET="12345678-1111-1111-1111-111111111111"
   export ARM_TENANT_ID="11111111-1111-1111-1111-111111111111"
   export ARM_SUBSCRIPTION_ID="21111111-1111-1111-1111-111111111111"
   ```

2. `terraform init -backend-config=/project/backend-config.hcl`

### Additional Context

We use Client Secret for Azurerm provider and Managed Identity for Azurerm backend.

### References

_No response_

### Generative AI / LLM assisted development?

_No response_
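
A pre-flight check for the combination this report describes (provider credentials exported as `ARM_*` variables while the backend file sets `use_msi = true`), as an added example that is not part of the original issue. The function names are hypothetical and the sample file is constructed; the script only detects the combination and does not change how Terraform authenticates.

```shell
#!/bin/sh
# Added example: flag the credential mix from this report before
# `terraform init` runs. Function names are hypothetical.

# hcl_value FILE KEY: print the value of a top-level `KEY = value` line with
# the trailing # comment, trailing whitespace and surrounding quotes removed.
# Prints nothing if the key is absent. Assumes no '#' inside quoted values.
hcl_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
    sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
        -e 's/^"\(.*\)"$/\1/' | head -n 1
}

# backend_auth_conflict FILE: return 0 when the backend file requests managed
# identity (use_msi = true) while a non-empty ARM_CLIENT_SECRET is exported
# for the provider; return 1 otherwise.
backend_auth_conflict() {
  [ "$(hcl_value "$1" use_msi)" = "true" ] || return 1
  [ -n "${ARM_CLIENT_SECRET:-}" ] || return 1
  echo "warning: $1 sets use_msi = true but ARM_CLIENT_SECRET is exported" >&2
  echo "         backend client_id: $(hcl_value "$1" client_id)" >&2
  return 0
}

# Constructed sample input mirroring the backend file in the report.
sample=$(mktemp)
cat > "$sample" <<'EOF'
use_azuread_auth = false
use_msi          = true
client_id        = "00000000-0000-0000-0000-000000000000" # client id of user-assigned identity
client_secret    = "" # explicitly set to empty
EOF

# Constructed placeholder standing in for the provider's exported secret.
ARM_CLIENT_SECRET="constructed-placeholder"
export ARM_CLIENT_SECRET

if backend_auth_conflict "$sample"; then
  echo "conflict detected: backend and provider use different credential types"
fi
```
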