Open
Description
When trying to authenticate via Azure DevOps OIDC, if the ARM_CLIENT_ID is set, the token refresh fails.
Reproduction
Azure DevOps Pipeline task example:
```yaml
displayName: Deploy
name: Deploy
env:
  ARM_TENANT_ID: ${{ parameters.tenant_id }}
  ARM_CLIENT_ID: $(appid)
  ARM_CLIENT_SECRET: $(secret)
  SYSTEM_ACCESSTOKEN: $(System.AccessToken)
  DATABRICKS_HOST: $(databricks-host)
  DATABRICKS_CLIENT_ID: $(appid)
  DATABRICKS_AUTH_TYPE: ${{ parameters.databricks_auth_type }}
inputs:
  scriptPath: '$(Pipeline.Workspace)/templatesRepo/CI-CD/scripts/deploy_notebooks.py'
```
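Code example:
```python
import os

from databricks.sdk import WorkspaceClient

# Auth type passed in by the pipeline task (DATABRICKS_AUTH_TYPE)
auth_type = os.getenv("DATABRICKS_AUTH_TYPE")
print(f"authenticating with auth {auth_type}...")
# if auth_type == "azure-devops-oidc":
#     del os.environ["ARM_CLIENT_ID"]
w = WorkspaceClient()
w.workspace.list("/")
```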
Other Information
- SDK Version: 0.68.0
Additional context
I think the problem lies in the databricks/sdk/config.py file:
```python
@property
def oidc_endpoints(self) -> Optional[OidcEndpoints]:
    self._fix_host_if_needed()
    if not self.host:
        return None
    if self.is_azure and self.azure_client_id:
        return get_azure_entra_id_workspace_endpoints(self.host)
    if self.is_account_client and self.account_id:
        return get_account_endpoints(self.host, self.account_id)
    return get_workspace_endpoints(self.host)
```
Here the "azure-devops-oidc" auth type should prioritize the workspace endpoints over the Entra ID endpoints.
Thank you very much!
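
The precedence reported above, as an added example that is not part of the original report and is not the SDK's code: it models the branch order of the quoted `oidc_endpoints` excerpt, the ordering the issue proposes, and a copy-based form of the commented-out workaround. The helper names `endpoint_kind` and `scrub_for_devops_oidc`, the host-suffix and `https://accounts.` checks, and all sample values are assumptions made for illustration.

```python
from typing import Dict, Mapping, Optional

# Assumption: an Azure workspace is recognised by its host suffix.
AZURE_HOST_SUFFIX = ".azuredatabricks.net"
DEVOPS_OIDC = "azure-devops-oidc"


def endpoint_kind(env: Mapping[str, str], auth_aware: bool = False) -> Optional[str]:
    """Name the OIDC endpoint family chosen for env (hypothetical helper).

    Branch order follows the oidc_endpoints excerpt quoted in the issue.
    auth_aware=True applies the ordering the issue proposes instead.
    """
    host = env.get("DATABRICKS_HOST", "").rstrip("/")
    if not host:
        return None
    if auth_aware and env.get("DATABRICKS_AUTH_TYPE") == DEVOPS_OIDC:
        return "workspace"
    if host.endswith(AZURE_HOST_SUFFIX) and env.get("ARM_CLIENT_ID"):
        return "entra-id"
    # Simplified stand-in for is_account_client (assumption).
    if host.startswith("https://accounts.") and env.get("DATABRICKS_ACCOUNT_ID"):
        return "account"
    return "workspace"


def scrub_for_devops_oidc(env: Mapping[str, str]) -> Dict[str, str]:
    """Copy env without ARM_CLIENT_ID when Azure DevOps OIDC is selected.

    Same effect as the commented-out workaround in the report, but on a
    copy, so other steps that need ARM_CLIENT_ID are unaffected.
    """
    cleaned = dict(env)
    if cleaned.get("DATABRICKS_AUTH_TYPE") == DEVOPS_OIDC:
        cleaned.pop("ARM_CLIENT_ID", None)
    return cleaned


# Constructed sample values mirroring the variables in the pipeline task.
SAMPLE_ENV = {
    "DATABRICKS_HOST": "https://adb-1111111111111111.1.azuredatabricks.net",
    "DATABRICKS_AUTH_TYPE": DEVOPS_OIDC,
    "DATABRICKS_CLIENT_ID": "00000000-0000-0000-0000-000000000000",
    "ARM_CLIENT_ID": "00000000-0000-0000-0000-000000000000",
}

if __name__ == "__main__":
    print("as quoted:  ", endpoint_kind(SAMPLE_ENV))
    print("auth-aware: ", endpoint_kind(SAMPLE_ENV, auth_aware=True))
    print("scrubbed:   ", endpoint_kind(scrub_for_devops_oidc(SAMPLE_ENV)))
```

The scrubbed mapping can be handed to a child process through its `env` argument, so the variable is removed only for the step that talks to Databricks.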