Bump Azure.Identity from 1.17.1 to 1.20.0 (#19368)

Updated [Azure.Identity](https://github.com/Azure/azure-sdk-for-net)
from 1.17.1 to 1.20.0.

<details>
<summary>Release notes</summary>

_Sourced from [Azure.Identity's
releases](https://github.com/Azure/azure-sdk-for-net/releases)._

## 1.20.0

## 1.20.0 (2026-03-30)

### Features Added

- Added a JSON schema segment to the NuGet package that provides
IntelliSense and validation for Azure.Identity credential configuration
in `appsettings.json`.

### Breaking Changes

- `AddAzureClient`, `AddKeyedAzureClient`, and `WithAzureCredential`
return type changed from `IHostApplicationBuilder` to `IClientBuilder`
to align with the `IClientBuilder` composition change in
System.ClientModel.


## 1.19.0

## 1.19.0 (2026-03-11)

### Features Added

- Added support in `ClientCertificateCredential` to specify a path in
the form of `cert:/StoreLocation/StoreName/Thumbprint` to refer to a
certificate in the platform certificate store - such as the Windows
Certificate Store on Windows, and the KeyChain on MacOS - instead of a
file on disk. For example to load a certificate from the "My" store in
the "CurrentUser" location use the path
`cert:/CurrentUser/My/E661583E8FABEF4C0BEF694CBC41C28FB81CD870` (A
community contribution, courtesy of
_[fowl2](https://github.com/fowl2)_).

### Other Changes

- Updated `Microsoft.Identity.Client` and
`Microsoft.Identity.Client.Extensions.Msal` dependencies to version
4.83.1.


Commits viewable in [compare
view](https://github.com/Azure/azure-sdk-for-net/commits/Azure.Identity_1.20.0).
</details>

[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=Azure.Identity&package-manager=nuget&previous-version=1.17.1&new-version=1.20.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>
###### Microsoft Reviewers: [Open in
CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com/Azure/bicep/pull/19368)

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: brendandburns <5751682+brendandburns@users.noreply.github.com>

Author: 3 people

src/Bicep.Core/AzureApi/TokenCredentialFactory.cs

@@ -32,12 +32,18 @@ public TokenCredential CreateSingle(CredentialType credentialType, CredentialOpt
                 // Handle user-assigned identity.
                 if (credentialOptions?.ManagedIdentity?.ClientId is { } clientId)
                 {
-                    return new ManagedIdentityCredential(clientId, new() { AuthorityHost = authorityUri });
+                    return new ManagedIdentityCredential(new ManagedIdentityCredentialOptions(ManagedIdentityId.FromUserAssignedClientId(clientId))
+                    {
+                        AuthorityHost = authorityUri,
+                    });
                 }
 
                 if (credentialOptions?.ManagedIdentity?.ResourceId is { } resourceId)
                 {
-                    return new ManagedIdentityCredential(new ResourceIdentifier(resourceId), new() { AuthorityHost = authorityUri });
+                    return new ManagedIdentityCredential(new ManagedIdentityCredentialOptions(ManagedIdentityId.FromUserAssignedResourceId(new ResourceIdentifier(resourceId)))
+                    {
+                        AuthorityHost = authorityUri,
+                    });
                 }
 
                 // This is a defensive check. ClientId and ResourceId should already be validated when binding the cloud configuration.

src/Directory.Packages.props

@@ -19,7 +19,7 @@
     <PackageVersion Include="Azure.Deployments.Extensibility.Core" Version="0.1.67" />
     <PackageVersion Include="Azure.Deployments.Internal.GenerateNotice" Version="0.1.60" />
     <PackageVersion Include="Azure.Deployments.Templates" Version="1.641.0" />
-    <PackageVersion Include="Azure.Identity" Version="1.17.1" />
+    <PackageVersion Include="Azure.Identity" Version="1.20.0" />
     <PackageVersion Include="Azure.ResourceManager.ResourceGraph" Version="1.1.0" />
     <PackageVersion Include="Azure.ResourceManager.Resources" Version="1.11.2" />
     <PackageVersion Include="BenchmarkDotNet" Version="0.15.8" />