Add KustoManagedIdentityPolicyLoader and fix combined script generation

- Add KustoManagedIdentityPolicyLoader to read managed identity policies
  from a live Kusto cluster during import mode
- Change ManagedIdentityPolicy to use CreateCombinedScript static method
  that generates a single script for all policies, avoiding duplicate Kind
  keys in ScriptCompareChange.ToDictionary()
- Sort policies by ObjectId and usages alphabetically for canonical diffs
- Add demo managedIdentityPolicies to DemoDatabase database.yml
- Update tests for new combined script API and add multi-policy test
- Add YAML round-trip test for managed identity policies

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: alex-slynko

KustoSchemaTools.Tests/DemoData/DemoDeployment/DemoDatabase/database.yml

@@ -13,6 +13,12 @@ admins:
 - name: SPN-ADMIN
   id: aadapp=f678ce29-8f92-4d6e-b95d-f2ed8fa7713f;7396cfeb-2920-488f-b0bb-81a584d34a24
 
+managedIdentityPolicies:
+- objectId: 12345678-1234-1234-1234-123456789abc
+  allowedUsages:
+  - NativeIngestion
+  - ExternalTable
+
 tables:
   sourceTable:
     restrictedViewAccess: true

KustoSchemaTools.Tests/Model/ManagedIdentityPolicyTests.cs

@@ -8,17 +8,20 @@ namespace KustoSchemaTools.Tests.ManagedIdentity
     public class ManagedIdentityPolicyTests
     {
         [Fact]
-        public void CreateScript_SingleUsage_GeneratesCorrectKql()
+        public void CreateCombinedScript_SinglePolicy_GeneratesCorrectKql()
         {
             // Arrange
-            var policy = new ManagedIdentityPolicy
+            var policies = new List<ManagedIdentityPolicy>
             {
-                ObjectId = "12345678-1234-1234-1234-123456789abc",
-                AllowedUsages = new List<string> { "NativeIngestion" }
+                new ManagedIdentityPolicy
+                {
+                    ObjectId = "12345678-1234-1234-1234-123456789abc",
+                    AllowedUsages = new List<string> { "NativeIngestion" }
+                }
             };
 
             // Act
-            var script = policy.CreateScript("MyDatabase");
+            var script = ManagedIdentityPolicy.CreateCombinedScript("MyDatabase", policies);
 
             // Assert
             Assert.Equal("ManagedIdentityPolicy", script.Kind);
@@ -29,51 +32,88 @@ public void CreateScript_SingleUsage_GeneratesCorrectKql()
         }
 
         [Fact]
-        public void CreateScript_MultipleUsages_JoinsWithComma()
+        public void CreateCombinedScript_MultipleUsages_JoinsWithCommaAlphabetically()
         {
             // Arrange
-            var policy = new ManagedIdentityPolicy
+            var policies = new List<ManagedIdentityPolicy>
             {
-                ObjectId = "12345678-1234-1234-1234-123456789abc",
-                AllowedUsages = new List<string> { "AutomatedFlows", "ExternalTable", "NativeIngestion" }
+                new ManagedIdentityPolicy
+                {
+                    ObjectId = "12345678-1234-1234-1234-123456789abc",
+                    AllowedUsages = new List<string> { "NativeIngestion", "AutomatedFlows", "ExternalTable" }
+                }
             };
 
             // Act
-            var script = policy.CreateScript("MyDatabase");
+            var script = ManagedIdentityPolicy.CreateCombinedScript("MyDatabase", policies);
 
             // Assert
             Assert.Contains("\"AllowedUsages\": \"AutomatedFlows, ExternalTable, NativeIngestion\"", script.Script.Text);
         }
 
         [Fact]
-        public void CreateScript_DatabaseNameUsedInKql()
+        public void CreateCombinedScript_MultiplePolicies_SortsByObjectId()
         {
             // Arrange
-            var policy = new ManagedIdentityPolicy
+            var policies = new List<ManagedIdentityPolicy>
             {
-                ObjectId = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
-                AllowedUsages = new List<string> { "ExternalTable" }
+                new ManagedIdentityPolicy
+                {
+                    ObjectId = "zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz",
+                    AllowedUsages = new List<string> { "ExternalTable" }
+                },
+                new ManagedIdentityPolicy
+                {
+                    ObjectId = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
+                    AllowedUsages = new List<string> { "NativeIngestion" }
+                }
             };
 
             // Act
-            var script = policy.CreateScript("TargetDatabase");
+            var script = ManagedIdentityPolicy.CreateCombinedScript("MyDatabase", policies);
+
+            // Assert - both identities in a single script, sorted by ObjectId
+            Assert.Equal("ManagedIdentityPolicy", script.Kind);
+            var aIdx = script.Script.Text.IndexOf("aaaaaaaa");
+            var zIdx = script.Script.Text.IndexOf("zzzzzzzz");
+            Assert.True(aIdx < zIdx, "Policies should be sorted by ObjectId");
+        }
+
+        [Fact]
+        public void CreateCombinedScript_DatabaseNameUsedInKql()
+        {
+            // Arrange
+            var policies = new List<ManagedIdentityPolicy>
+            {
+                new ManagedIdentityPolicy
+                {
+                    ObjectId = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
+                    AllowedUsages = new List<string> { "ExternalTable" }
+                }
+            };
+
+            // Act
+            var script = ManagedIdentityPolicy.CreateCombinedScript("TargetDatabase", policies);
 
             // Assert
             Assert.StartsWith(".alter-merge database TargetDatabase policy managed_identity", script.Script.Text);
         }
 
         [Fact]
-        public void CreateScript_WrapsJsonInBackticks()
+        public void CreateCombinedScript_WrapsJsonInBackticks()
         {
             // Arrange
-            var policy = new ManagedIdentityPolicy
+            var policies = new List<ManagedIdentityPolicy>
             {
-                ObjectId = "12345678-1234-1234-1234-123456789abc",
-                AllowedUsages = new List<string> { "NativeIngestion" }
+                new ManagedIdentityPolicy
+                {
+                    ObjectId = "12345678-1234-1234-1234-123456789abc",
+                    AllowedUsages = new List<string> { "NativeIngestion" }
+                }
             };
 
             // Act
-            var script = policy.CreateScript("MyDatabase");
+            var script = ManagedIdentityPolicy.CreateCombinedScript("MyDatabase", policies);
 
             // Assert
             Assert.Contains("```", script.Script.Text);
@@ -112,6 +152,43 @@ public void DatabaseChanges_WithManagedIdentityPolicies_GeneratesScript()
             Assert.Contains("12345678-1234-1234-1234-123456789abc", managedIdentityScript.Script.Text);
         }
 
+        [Fact]
+        public void DatabaseChanges_WithMultipleManagedIdentityPolicies_GeneratesSingleScript()
+        {
+            // Arrange
+            var loggerMock = new Mock<ILogger>();
+            var oldState = new Database { Name = "TestDb" };
+            var newState = new Database
+            {
+                Name = "TestDb",
+                ManagedIdentityPolicies = new List<ManagedIdentityPolicy>
+                {
+                    new ManagedIdentityPolicy
+                    {
+                        ObjectId = "aaaaaaaa-1111-2222-3333-444444444444",
+                        AllowedUsages = new List<string> { "NativeIngestion" }
+                    },
+                    new ManagedIdentityPolicy
+                    {
+                        ObjectId = "bbbbbbbb-1111-2222-3333-444444444444",
+                        AllowedUsages = new List<string> { "ExternalTable" }
+                    }
+                }
+            };
+
+            // Act
+            var changes = DatabaseChanges.GenerateChanges(oldState, newState, "TestDb", loggerMock.Object);
+
+            // Assert - should generate exactly one ManagedIdentityPolicy script (combined)
+            var managedIdentityScripts = changes
+                .SelectMany(c => c.Scripts)
+                .Where(s => s.Kind == "ManagedIdentityPolicy")
+                .ToList();
+            Assert.Single(managedIdentityScripts);
+            Assert.Contains("aaaaaaaa-1111-2222-3333-444444444444", managedIdentityScripts[0].Script.Text);
+            Assert.Contains("bbbbbbbb-1111-2222-3333-444444444444", managedIdentityScripts[0].Script.Text);
+        }
+
         [Fact]
         public void DatabaseChanges_WithUnchangedManagedIdentityPolicies_GeneratesNoChanges()
         {

KustoSchemaTools.Tests/Parser/YamlDatabaseHandlerTests.cs

@@ -41,6 +41,15 @@ public async Task GetDatabase()
             Assert.NotNull(tt.Policies);
             Assert.False(tt.Policies!.RestrictedViewAccess);
             Assert.Equal("120d", tt.Policies?.Retention);
+
+            // Verify managed identity policies are loaded from database.yml
+            Assert.NotNull(db.ManagedIdentityPolicies);
+            Assert.Single(db.ManagedIdentityPolicies);
+            var miPolicy = db.ManagedIdentityPolicies[0];
+            Assert.Equal("12345678-1234-1234-1234-123456789abc", miPolicy.ObjectId);
+            Assert.Equal(2, miPolicy.AllowedUsages.Count);
+            Assert.Contains("NativeIngestion", miPolicy.AllowedUsages);
+            Assert.Contains("ExternalTable", miPolicy.AllowedUsages);
         }
 
         [Fact]

KustoSchemaTools/Changes/DatabaseChanges.cs

@@ -22,17 +22,17 @@ public static List<IChange> GenerateChanges(Database oldState, Database newState
                     otherFromScripts.AddRange(oldState.Scripts.Select(itm => new DatabaseScriptContainer(itm, "DatabaseScript")));
                 if (oldState.DefaultRetentionAndCache != null)
                     otherFromScripts.AddRange(oldState.DefaultRetentionAndCache.CreateScripts(name, "database"));
-                if (oldState.ManagedIdentityPolicies != null)
-                    otherFromScripts.AddRange(oldState.ManagedIdentityPolicies.Select(p => p.CreateScript(name)));
+                if (oldState.ManagedIdentityPolicies != null && oldState.ManagedIdentityPolicies.Any())
+                    otherFromScripts.Add(ManagedIdentityPolicy.CreateCombinedScript(name, oldState.ManagedIdentityPolicies));
             }
 
             var otherToScripts = new List<DatabaseScriptContainer>();
             if (newState.Scripts != null)
                 otherToScripts.AddRange(newState.Scripts.Select(itm => new DatabaseScriptContainer(itm, "DatabaseScript")));
             if (newState.DefaultRetentionAndCache != null)
                 otherToScripts.AddRange(newState.DefaultRetentionAndCache.CreateScripts(name, "database"));
-            if (newState.ManagedIdentityPolicies != null)
-                otherToScripts.AddRange(newState.ManagedIdentityPolicies.Select(p => p.CreateScript(name)));
+            if (newState.ManagedIdentityPolicies != null && newState.ManagedIdentityPolicies.Any())
+                otherToScripts.Add(ManagedIdentityPolicy.CreateCombinedScript(name, newState.ManagedIdentityPolicies));
 
             if (otherToScripts.Count > 0)
             {

KustoSchemaTools/Model/ManagedIdentityPolicy.cs

@@ -10,9 +10,16 @@ public class ManagedIdentityPolicy
         public string ObjectId { get; set; }
         public List<string> AllowedUsages { get; set; } = new List<string>();
 
-        public DatabaseScriptContainer CreateScript(string databaseName)
+        /// <summary>
+        /// Creates a single script that sets managed identity policy for all provided identities.
+        /// Uses one combined command to avoid duplicate Kind keys in the diff pipeline.
+        /// </summary>
+        public static DatabaseScriptContainer CreateCombinedScript(string databaseName, List<ManagedIdentityPolicy> policies)
         {
-            var policyObjects = new[] { new { ObjectId = ObjectId, AllowedUsages = string.Join(", ", AllowedUsages) } };
+            var policyObjects = policies
+                .OrderBy(p => p.ObjectId)
+                .Select(p => new { p.ObjectId, AllowedUsages = string.Join(", ", p.AllowedUsages.OrderBy(u => u)) })
+                .ToArray();
             var json = JsonConvert.SerializeObject(policyObjects, Serialization.JsonPascalCase);
             return new DatabaseScriptContainer("ManagedIdentityPolicy", 80, $".alter-merge database {databaseName.BracketIfIdentifier()} policy managed_identity ```{json}```");
         }

KustoSchemaTools/Parser/KustoLoader/KustoManagedIdentityPolicyLoader.cs

@@ -0,0 +1,39 @@
+using Kusto.Data.Common;
+using KustoSchemaTools.Model;
+using KustoSchemaTools.Plugins;
+using Newtonsoft.Json;
+
+namespace KustoSchemaTools.Parser.KustoLoader
+{
+    public class KustoManagedIdentityPolicyLoader : IKustoBulkEntitiesLoader
+    {
+        const string script = @"
+.show database policy managed_identity
+| project Policies = parse_json(Policies)
+| mv-expand Policy = Policies
+| project ObjectId = tostring(Policy.ObjectId), AllowedUsages = tostring(Policy.AllowedUsages)";
+
+        public async Task Load(Database database, string databaseName, KustoClient kusto)
+        {
+            var response = await kusto.Client.ExecuteQueryAsync(databaseName, script, new ClientRequestProperties());
+            var rows = response.As<ManagedIdentityRow>();
+            database.ManagedIdentityPolicies = rows
+                .Select(r => new ManagedIdentityPolicy
+                {
+                    ObjectId = r.ObjectId,
+                    AllowedUsages = r.AllowedUsages
+                        .Split(',', StringSplitOptions.TrimEntries | StringSplitOptions.RemoveEmptyEntries)
+                        .OrderBy(u => u)
+                        .ToList()
+                })
+                .OrderBy(p => p.ObjectId)
+                .ToList();
+        }
+
+        private class ManagedIdentityRow
+        {
+            public string ObjectId { get; set; }
+            public string AllowedUsages { get; set; }
+        }
+    }
+}