[BUG]: Initialize Containers with WorkloadIdentityFederation bypasses agent proxy for Entra token acquisition #5589

@manuelgorman

What happened?

Initialize Containers fails when using a container job with an ACR service connection configured for WorkloadIdentityFederation.

The agent is configured with a proxy using the standard .proxy and .proxybypass configuration.

Observed behaviour:

  • Azure DevOps/VSS traffic is correctly routed via proxy
  • OIDC token is retrieved from ADO
  • Subsequent Entra calls to login.microsoft.com time out
  • Packet capture confirms the agent attempts to connect directly, bypassing the proxy
  • Step fails with MSAL.NetCore.MsalServiceException: request_timeout

A workaround has been confirmed by setting system environment variables HTTP_PROXY, HTTPS_PROXY and NO_PROXY. The MSAL client then routes correctly via the proxy.

It is expected that the MSAL client should honour the Agent's proxy settings, rather than use its own (or the system's).

Versions

Agent: 4.237.0
OS: Windows Server 2025 Core

Environment type (Please select at least one environment where you face this issue)

  • Self-Hosted
  • Microsoft Hosted
  • VMSS Pool
  • Container

Azure DevOps Server type

dev.azure.com (formerly visualstudio.com)

Azure DevOps Server Version (if applicable)

No response

Operation system

Windows Server 2025 Core

Version control system

Git

Relevant log output

Unable to share due to corporate policy.
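
The workaround described in the report, as an added example that is not part of the original issue or the agent's own code: a PowerShell script that copies the agent's proxy URL into the machine-level HTTP_PROXY, HTTPS_PROXY and NO_PROXY variables. The agent directory `C:\agent`, the NO_PROXY entries and the one-URL-per-file layout of `.proxy` are assumptions.

```powershell
# Added example (not from the issue). $AgentRoot and $NoProxy are assumed values.
param(
    [string]$AgentRoot = 'C:\agent',
    [string[]]$NoProxy = @('localhost', '127.0.0.1')
)

$proxyFile = Join-Path $AgentRoot '.proxy'
if (-not (Test-Path -LiteralPath $proxyFile)) {
    throw "No .proxy file under $AgentRoot"
}

# Assumption: the first non-empty line of .proxy is the proxy URL.
$proxyUrl = [string](Get-Content -LiteralPath $proxyFile |
    Where-Object { $_.Trim() } | Select-Object -First 1)
$proxyUrl = $proxyUrl.Trim()

# Accept only an absolute http(s) URL.
$uri = $null
$ok = [System.Uri]::TryCreate($proxyUrl, [System.UriKind]::Absolute, [ref]$uri)
if (-not $ok -or $uri.Scheme -notin @('http', 'https')) {
    throw "The .proxy file does not contain an absolute http(s) URL"
}

# Machine-scope variables are readable by every process on the host,
# so refuse a URL that embeds credentials.
if ($uri.UserInfo) {
    throw 'Proxy URL contains credentials; do not copy it into machine-wide variables'
}

foreach ($name in 'HTTP_PROXY', 'HTTPS_PROXY') {
    [Environment]::SetEnvironmentVariable($name, $proxyUrl, 'Machine')
}
[Environment]::SetEnvironmentVariable('NO_PROXY', ($NoProxy -join ','), 'Machine')

# Print the agent's bypass entries so $NoProxy can be compared against them by hand.
$bypassFile = Join-Path $AgentRoot '.proxybypass'
if (Test-Path -LiteralPath $bypassFile) {
    Get-Content -LiteralPath $bypassFile | Where-Object { $_.Trim() }
}
```

Run it from an elevated session; processes that are already running keep their old environment until they are restarted.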
