Azure Connected Machine Agent update 1.56 creates issues for IIS App Pool Identities

A production server my company has installed the Azure Connected Machine Agent recently updated the agent to version 1.56.

We use the agent for IIS sites to have a Managed Identity when connecting to an Azure App Configuration resource for loading sensitive values for our sites.

A couple of hours after the Arc Agent was installed, some of these sites App Pools were recycled. When they were restarted some of them were not able to access the C:\ProgramData\AzureConnectedMachineAgent\Tokens folder and therefore could not start.

All the effected sites are running using App Pool Identities. I confirmed that all the App Pool Identities were still members of the "Hybrid agent extension applications" group, confirming all the security ids were still valid.

Some odd behaviour observed is that only 3 of the sites seemed to be effected, while others could start, and therefore access the tokens folder.

This was the exception being thrown

MSAL.NetCore.4.73.1.0.MsalServiceException:

ErrorCode: managed_identity_request_failed

Microsoft.Identity.Client.MsalServiceException: Access to the path 'C:\ProgramData\AzureConnectedMachineAgent\Tokens\443864d5-d293-4b3a-a7cc-440f32d8dc2d.key' is denied.

The effected sites had the same configuration as the others and the App Pool Identities they were running under were members of the "Hybrid agent extension applications" group.

What I'm looking for are instances of other users having similar issues, and hopefully remediation steps, or further troubleshooting steps I could try to find the root cause of the issue.

For now I've assigned the IIS_IUSRS group read access to the tokens folder. While this works, it's a sub-optimal solution.

I have managed to replicate the issue on a non production server and it does seem related to the 1.56 update.