From cfc0e59101105862a7c7a4d3ea3d629dd383ec8a Mon Sep 17 00:00:00 2001 From: Lei Jin Date: Thu, 21 Dec 2023 10:07:21 +0800 Subject: [PATCH 01/18] Issue Doc Review --- Call_For_Testing_Az.Accounts-Preview.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 Call_For_Testing_Az.Accounts-Preview.md diff --git a/Call_For_Testing_Az.Accounts-Preview.md b/Call_For_Testing_Az.Accounts-Preview.md new file mode 100644 index 000000000000..e69de29bb2d1 From baa206932446b256cdd7b261c93d440f19f74fb0 Mon Sep 17 00:00:00 2001 From: Jin Lei <54836179+msJinLei@users.noreply.github.com> Date: Thu, 21 Dec 2023 10:33:11 +0800 Subject: [PATCH 02/18] Update Call_For_Testing_Az.Accounts-Preview.md --- Call_For_Testing_Az.Accounts-Preview.md | 42 +++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/Call_For_Testing_Az.Accounts-Preview.md b/Call_For_Testing_Az.Accounts-Preview.md index e69de29bb2d1..ce1c2524078b 100644 --- a/Call_For_Testing_Az.Accounts-Preview.md +++ b/Call_For_Testing_Az.Accounts-Preview.md 
@@ -0,0 +1,42 @@ +We have just released **Az.Accounts-2.14.0-preivew**, which contains the following important features. Most of the customers will be affected and so we invite you to test the new version. +# How to Test +Run the following cmdlet on PowerShell to install Az.Accounts-2.14.0-preivew +```pwsh +Install-Module -Name Az.Accounts -Repository PSGallery -AllowPrerelease –Force +``` +Run your script or `Connect-AzAccounts` +# Send Feedback +Report your findings on [GitHub](https://github.com/Azure/azure-powershell/issue) + +# What are in the Preview Version + +## Update Az.Identity 1.6.1 to 1.10.3 to fix high vulnerability issue. +Azure.Identity 1.6.1 is reported with [high vulnerability](https://dev.azure.com/azclitools/release/_componentGovernance/202327/alert/8736219?branchMoniker=main). However, the updated version renames the token cache file from `msal.cache` to `msal.cache.cae` (or `msal.cache.cae`). In the Az.Accounts preview, we do the migration to eliminate the influence of renaming. Our customers are not expected to depend on the token cache file directly. We emphasize here again that it is highly not recommended to do so. Currently, we use token cache only in the following login method. +- Interactive +- Device code +- User name + Password +- Service Principal + federated token +If you are using any of them, please try the new version to see whether everything goes well. +## Enable Continuous Access Evaluation (CAE) for Service Principal login methods. +In **Azure PowerShell client side**, we already enabled CAE for the following login method +- Interactive +- Device code +- User name + Password + +In this preview version, we enable CAE when you login using Service Principal related methods, which are +- Service Principal+ credential +- Service Principal + certificate +- Service Principal + federated token. + +We highly recommend you try the new feature as it improves account security. You need to do some configuration on your tenant. 
Please refer to https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-continuous-access-evaluation for more information. +## Optimize output UX of cmdlets in Az.Accounts +We decided to adjust cmdlet output format to make it more user-friendly based on the feedback of UX study of Az.Accounts. Adjustments include ordering and grouping output items to make items easy to find, re-prioritizing positions for output properties to highlight valuable properties and so on. Affected cmdlets are `Get-AzContext/Tenant/Subscription` and `Invoke-AzRestMethod`. Take cmdlet `Get-AzContext` for example, we group outputs by TenantId and alphabetically order them then. + +**Please note** +- 1. We only adjust the visual display of output in the preview version, which means no breaking changes are introduced in output object and script will not be broken due to the lack of property even if the property is moved or hidden in display. +- 2. Script may be broken logically if the script assumes the certain order of outputs since we adjusted the order of output items. + +## Fixed the authentication issue when using “FederatedToken” in Sovereign Clouds. +In Soverign Clouds, `Connect-AzAccounts` is found failed when using `Service Principal + federated token`. We also include the fix into this preivew. Please refer to https://github.com/Azure/azure-powershell/issues/23742 for more details. + +**We are going to release this preview feature into next regular release in January.** Please leave your comments here if you have ideas or concerns. From fe091372363f9c5111ede50d534bd9cd4f3eb222 Mon Sep 17 00:00:00 2001 From: Jin Lei <54836179+msJinLei@users.noreply.github.com> Date: Thu, 21 Dec 2023 10:38:07 +0800 Subject: [PATCH 03/18] Update Call_For_Testing_Az.Accounts-Preview.md --- Call_For_Testing_Az.Accounts-Preview.md | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) 
diff --git a/Call_For_Testing_Az.Accounts-Preview.md b/Call_For_Testing_Az.Accounts-Preview.md index ce1c2524078b..9e94b70e4044 100644 --- a/Call_For_Testing_Az.Accounts-Preview.md +++ b/Call_For_Testing_Az.Accounts-Preview.md @@ -4,7 +4,7 @@ Run the following cmdlet on PowerShell to install Az.Accounts-2.14.0-preivew ```pwsh Install-Module -Name Az.Accounts -Repository PSGallery -AllowPrerelease –Force ``` -Run your script or `Connect-AzAccounts` +Run your script or `Connect-AzAccount` # Send Feedback Report your findings on [GitHub](https://github.com/Azure/azure-powershell/issue) 
@@ -13,30 +13,30 @@ Report your findings on [GitHub](https://github.com/Azure/azure-powershell/issue ## Update Az.Identity 1.6.1 to 1.10.3 to fix high vulnerability issue. Azure.Identity 1.6.1 is reported with [high vulnerability](https://dev.azure.com/azclitools/release/_componentGovernance/202327/alert/8736219?branchMoniker=main). However, the updated version renames the token cache file from `msal.cache` to `msal.cache.cae` (or `msal.cache.cae`). In the Az.Accounts preview, we do the migration to eliminate the influence of renaming. Our customers are not expected to depend on the token cache file directly. We emphasize here again that it is highly not recommended to do so. Currently, we use token cache only in the following login method. - Interactive -- Device code +- Device Code - User name + Password -- Service Principal + federated token +- Service Principal + Federated Token. If you are using any of them, please try the new version to see whether everything goes well. ## Enable Continuous Access Evaluation (CAE) for Service Principal login methods. In **Azure PowerShell client side**, we already enabled CAE for the following login method - Interactive -- Device code +- Device Code - User name + Password In this preview version, we enable CAE when you login using Service Principal related methods, which are -- Service Principal+ credential -- Service Principal + certificate -- Service Principal + federated token. +- Service Principal + Credential +- Service Principal + Certificate +- Service Principal + Federated Token. -We highly recommend you try the new feature as it improves account security. You need to do some configuration on your tenant. Please refer to https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-continuous-access-evaluation for more information. +We highly recommend you try the new feature as it improves security. You need to do some configuration on your tenant. 
Please refer to https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-continuous-access-evaluation for more information. ## Optimize output UX of cmdlets in Az.Accounts We decided to adjust cmdlet output format to make it more user-friendly based on the feedback of UX study of Az.Accounts. Adjustments include ordering and grouping output items to make items easy to find, re-prioritizing positions for output properties to highlight valuable properties and so on. Affected cmdlets are `Get-AzContext/Tenant/Subscription` and `Invoke-AzRestMethod`. Take cmdlet `Get-AzContext` for example, we group outputs by TenantId and alphabetically order them then. **Please note** -- 1. We only adjust the visual display of output in the preview version, which means no breaking changes are introduced in output object and script will not be broken due to the lack of property even if the property is moved or hidden in display. -- 2. Script may be broken logically if the script assumes the certain order of outputs since we adjusted the order of output items. +- We only adjust the visual display of output in the preview version, which means no breaking changes are introduced in output object and script will not be broken due to the lack of property even if the property is moved or hidden in display. +- Script may be broken logically if the script assumes the certain order of outputs since we adjusted the order of output items. ## Fixed the authentication issue when using “FederatedToken” in Sovereign Clouds. -In Soverign Clouds, `Connect-AzAccounts` is found failed when using `Service Principal + federated token`. We also include the fix into this preivew. Please refer to https://github.com/Azure/azure-powershell/issues/23742 for more details. +In Soverign Clouds, `Connect-AzAccounts` is found to fail when using `Service Principal + federated token`. We also include the fix into this preivew. 
Please refer to https://github.com/Azure/azure-powershell/issues/23742 for more details. -**We are going to release this preview feature into next regular release in January.** Please leave your comments here if you have ideas or concerns. +**We are going to release these preview feature in next regular release in January.** Please feel free leave your comments here if you have ideas or concerns. From 91b610446b5fac1b0d6b233cc1be2f6627829365 Mon Sep 17 00:00:00 2001 From: Jin Lei <54836179+msJinLei@users.noreply.github.com> Date: Thu, 21 Dec 2023 12:04:06 +0800 Subject: [PATCH 04/18] Update Call_For_Testing_Az.Accounts-Preview.md Co-authored-by: Beisi Zhou --- Call_For_Testing_Az.Accounts-Preview.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Call_For_Testing_Az.Accounts-Preview.md b/Call_For_Testing_Az.Accounts-Preview.md index 9e94b70e4044..a8d732564f95 100644 --- a/Call_For_Testing_Az.Accounts-Preview.md +++ b/Call_For_Testing_Az.Accounts-Preview.md 
@@ -28,7 +28,8 @@ In this preview version, we enable CAE when you login using Service Principal re - Service Principal + Certificate - Service Principal + Federated Token. -We highly recommend you try the new feature as it improves security. You need to do some configuration on your tenant. Please refer to https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-continuous-access-evaluation for more information. +We highly recommend you try the new feature as it improves security. You need to do some configuration on your tenant. Please refer to https://learn.microsoft.com/entra/identity/conditional-access/concept-continuous-access-evaluation for more information. + ## Optimize output UX of cmdlets in Az.Accounts We decided to adjust cmdlet output format to make it more user-friendly based on the feedback of UX study of Az.Accounts. Adjustments include ordering and grouping output items to make items easy to find, re-prioritizing positions for output properties to highlight valuable properties and so on. Affected cmdlets are `Get-AzContext/Tenant/Subscription` and `Invoke-AzRestMethod`. Take cmdlet `Get-AzContext` for example, we group outputs by TenantId and alphabetically order them then. From fbc11293d7fe7a855c51067cc43adfbf5ceade76 Mon Sep 17 00:00:00 2001 From: Jin Lei <54836179+msJinLei@users.noreply.github.com> Date: Thu, 21 Dec 2023 15:20:49 +0800 Subject: [PATCH 05/18] Update Call_For_Testing_Az.Accounts-Preview.md Co-authored-by: Beisi Zhou --- Call_For_Testing_Az.Accounts-Preview.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/Call_For_Testing_Az.Accounts-Preview.md b/Call_For_Testing_Az.Accounts-Preview.md index a8d732564f95..28b85834f78b 100644 --- a/Call_For_Testing_Az.Accounts-Preview.md +++ b/Call_For_Testing_Az.Accounts-Preview.md 
@@ -31,7 +31,12 @@ In this preview version, we enable CAE when you login using Service Principal re We highly recommend you try the new feature as it improves security. You need to do some configuration on your tenant. Please refer to https://learn.microsoft.com/entra/identity/conditional-access/concept-continuous-access-evaluation for more information. ## Optimize output UX of cmdlets in Az.Accounts -We decided to adjust cmdlet output format to make it more user-friendly based on the feedback of UX study of Az.Accounts. Adjustments include ordering and grouping output items to make items easy to find, re-prioritizing positions for output properties to highlight valuable properties and so on. Affected cmdlets are `Get-AzContext/Tenant/Subscription` and `Invoke-AzRestMethod`. Take cmdlet `Get-AzContext` for example, we group outputs by TenantId and alphabetically order them then. +We adjusted cmdlet output format to make it more user-friendly based on the feedback of UX study of Az.Accounts. Adjustments include: +- ordering and grouping output items to make items easy to find +- re-prioritizing positions for output properties to highlight valuable properties + +Affected cmdlets include `Get-AzContext`, `Get-AzTenant`, `Get-AzSubscription` and `Invoke-AzRestMethod`. Take cmdlet `Get-AzContext` for example, we group outputs by TenantId and alphabetically order them then. + **Please note** - We only adjust the visual display of output in the preview version, which means no breaking changes are introduced in output object and script will not be broken due to the lack of property even if the property is moved or hidden in display. From db862a847969728f989855bb2953e4c9b8802e9a Mon Sep 17 00:00:00 2001 
From: Jin Lei <54836179+msJinLei@users.noreply.github.com> Date: Thu, 21 Dec 2023 15:22:56 +0800 Subject: [PATCH 06/18] Update Call_For_Testing_Az.Accounts-Preview.md Co-authored-by: Beisi Zhou --- Call_For_Testing_Az.Accounts-Preview.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Call_For_Testing_Az.Accounts-Preview.md b/Call_For_Testing_Az.Accounts-Preview.md index 28b85834f78b..332bb2b059e5 100644 --- a/Call_For_Testing_Az.Accounts-Preview.md +++ b/Call_For_Testing_Az.Accounts-Preview.md @@ -40,7 +40,8 @@ Affected cmdlets include `Get-AzContext`, `Get-AzTenant`, `Get-AzSubscription` a **Please note** - We only adjust the visual display of output in the preview version, which means no breaking changes are introduced in output object and script will not be broken due to the lack of property even if the property is moved or hidden in display. -- Script may be broken logically if the script assumes the certain order of outputs since we adjusted the order of output items. +- **Script may be broken logically** if the script assumes the certain order of outputs since we adjusted the order of output items. + ## Fixed the authentication issue when using “FederatedToken” in Sovereign Clouds. In Soverign Clouds, `Connect-AzAccounts` is found to fail when using `Service Principal + federated token`. We also include the fix into this preivew. Please refer to https://github.com/Azure/azure-powershell/issues/23742 for more details. From 2d305147ea9039703006f409951df4d5ae272433 Mon Sep 17 00:00:00 2001 From: Jin Lei <54836179+msJinLei@users.noreply.github.com> Date: Thu, 21 Dec 2023 15:46:25 +0800 Subject: [PATCH 07/18] Update Call_For_Testing_Az.Accounts-Preview.md --- Call_For_Testing_Az.Accounts-Preview.md | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/Call_For_Testing_Az.Accounts-Preview.md b/Call_For_Testing_Az.Accounts-Preview.md index 332bb2b059e5..b9582aea6e35 100644 
--- a/Call_For_Testing_Az.Accounts-Preview.md +++ b/Call_For_Testing_Az.Accounts-Preview.md @@ -1,4 +1,7 @@ -We have just released **Az.Accounts-2.14.0-preivew**, which contains the following important features. Most of the customers will be affected and so we invite you to test the new version. +We have just released **Az.Accounts-2.14.0-preivew**, which contains the following important features. + + +Most of the customers will be affected and so we invite you to test the new version. # How to Test Run the following cmdlet on PowerShell to install Az.Accounts-2.14.0-preivew ```pwsh 
@@ -6,16 +9,17 @@ Install-Module -Name Az.Accounts -Repository PSGallery -AllowPrerelease –Force ``` Run your script or `Connect-AzAccount` # Send Feedback -Report your findings on [GitHub](https://github.com/Azure/azure-powershell/issue) +Report your findings on [GitHub](https://github.com/Azure/azure-powershell/issues) # What are in the Preview Version ## Update Az.Identity 1.6.1 to 1.10.3 to fix high vulnerability issue. -Azure.Identity 1.6.1 is reported with [high vulnerability](https://dev.azure.com/azclitools/release/_componentGovernance/202327/alert/8736219?branchMoniker=main). However, the updated version renames the token cache file from `msal.cache` to `msal.cache.cae` (or `msal.cache.cae`). In the Az.Accounts preview, we do the migration to eliminate the influence of renaming. Our customers are not expected to depend on the token cache file directly. We emphasize here again that it is highly not recommended to do so. Currently, we use token cache only in the following login method. +Azure.Identity 1.6.1 is reported with [high vulnerability](https://github.com/advisories/GHSA-5mfx-4wcx-rv27). However, the updated version renames the token cache file from `msal.cache` to `msal.cache.cae` (or `msal.cache.cae`). In the Az.Accounts preview, we do the migration to eliminate the influence of renaming. Our customers are not expected to depend on the token cache file directly. We emphasize here again that it is highly not recommended to do so. Currently, we use token cache only in the following login method. - Interactive - Device Code - User name + Password -- Service Principal + Federated Token. +- Service Principal + Federated Token + If you are using any of them, please try the new version to see whether everything goes well. ## Enable Continuous Access Evaluation (CAE) for Service Principal login methods. In **Azure PowerShell client side**, we already enabled CAE for the following login method 
@@ -37,11 +41,17 @@ We adjusted cmdlet output format to make it more user-friendly based on the feed Affected cmdlets include `Get-AzContext`, `Get-AzTenant`, `Get-AzSubscription` and `Invoke-AzRestMethod`. Take cmdlet `Get-AzContext` for example, we group outputs by TenantId and alphabetically order them then. - **Please note** - We only adjust the visual display of output in the preview version, which means no breaking changes are introduced in output object and script will not be broken due to the lack of property even if the property is moved or hidden in display. - **Script may be broken logically** if the script assumes the certain order of outputs since we adjusted the order of output items. +## Fixed the authentication issue when using `FederatedToken` in Sovereign Clouds +In Soverign Clouds, `Connect-AzAccounts` fails when using `Service Principal + Federated Token`. The issue is currently reported on [GitHub Actions](https://github.com/Azure/login/issues/355). +If you login Soverign Clouds using federated token, Please run the following cmdlet on powershell +```pwsh +Connect-AzAccount -ServicePrincipal -Application $appId -FederatedToken $token -Environment $SoverignCloudName +``` +Please you are using GitHub action, please refer to [how to test Az.Accounts-2.14.0-preivew in GitHub Actions](https://github.com/Azure/login/issues/355#issuecomment-1865516832) for more details. ## Fixed the authentication issue when using “FederatedToken” in Sovereign Clouds. In Soverign Clouds, `Connect-AzAccounts` is found to fail when using `Service Principal + federated token`. We also include the fix into this preivew. Please refer to https://github.com/Azure/azure-powershell/issues/23742 for more details. From 87fbd990c5c9f86204528f4c821b90c32e193fd3 Mon Sep 17 00:00:00 2001 
From: Jin Lei <54836179+msJinLei@users.noreply.github.com> Date: Thu, 21 Dec 2023 15:46:44 +0800 Subject: [PATCH 08/18] Update Call_For_Testing_Az.Accounts-Preview.md Co-authored-by: Beisi Zhou --- Call_For_Testing_Az.Accounts-Preview.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Call_For_Testing_Az.Accounts-Preview.md b/Call_For_Testing_Az.Accounts-Preview.md index b9582aea6e35..ba922d7d51af 100644 --- a/Call_For_Testing_Az.Accounts-Preview.md +++ b/Call_For_Testing_Az.Accounts-Preview.md @@ -21,7 +21,8 @@ Azure.Identity 1.6.1 is reported with [high vulnerability](https://github.com/ad - Service Principal + Federated Token If you are using any of them, please try the new version to see whether everything goes well. -## Enable Continuous Access Evaluation (CAE) for Service Principal login methods. +## Enabled Continuous Access Evaluation (CAE) for Service Principal login methods. + In **Azure PowerShell client side**, we already enabled CAE for the following login method - Interactive - Device Code From e214763fd757dbdaebfbe5efc02562183421c187 Mon Sep 17 00:00:00 2001 From: Jin Lei <54836179+msJinLei@users.noreply.github.com> Date: Thu, 21 Dec 2023 15:46:50 +0800 Subject: [PATCH 09/18] Update Call_For_Testing_Az.Accounts-Preview.md Co-authored-by: Beisi Zhou --- Call_For_Testing_Az.Accounts-Preview.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Call_For_Testing_Az.Accounts-Preview.md b/Call_For_Testing_Az.Accounts-Preview.md index ba922d7d51af..277d11fb92b2 100644 --- a/Call_For_Testing_Az.Accounts-Preview.md +++ b/Call_For_Testing_Az.Accounts-Preview.md 
@@ -35,7 +35,8 @@ In this preview version, we enable CAE when you login using Service Principal re We highly recommend you try the new feature as it improves security. You need to do some configuration on your tenant. Please refer to https://learn.microsoft.com/entra/identity/conditional-access/concept-continuous-access-evaluation for more information. -## Optimize output UX of cmdlets in Az.Accounts +## Optimized output UX of cmdlets in Az.Accounts + We adjusted cmdlet output format to make it more user-friendly based on the feedback of UX study of Az.Accounts. Adjustments include: - ordering and grouping output items to make items easy to find - re-prioritizing positions for output properties to highlight valuable properties From 8563744778b96a65f181632dfbeca3a7b39a5ed6 Mon Sep 17 00:00:00 2001 From: Jin Lei <54836179+msJinLei@users.noreply.github.com> Date: Thu, 21 Dec 2023 16:27:25 +0800 Subject: [PATCH 10/18] Update Call_For_Testing_Az.Accounts-Preview.md --- Call_For_Testing_Az.Accounts-Preview.md | 37 ++++++++++++------------- 1 file changed, 18 insertions(+), 19 deletions(-) diff --git a/Call_For_Testing_Az.Accounts-Preview.md b/Call_For_Testing_Az.Accounts-Preview.md index 277d11fb92b2..6fa485f17a5e 100644 --- a/Call_For_Testing_Az.Accounts-Preview.md +++ b/Call_For_Testing_Az.Accounts-Preview.md 
@@ -1,29 +1,19 @@ We have just released **Az.Accounts-2.14.0-preivew**, which contains the following important features. +## Updated Az.Identity 1.6.1 to 1.10.3 to fix high vulnerability issue. +Azure.Identity 1.6.1, which we currently depend on, is reported with [high vulnerability](https://github.com/advisories/GHSA-5mfx-4wcx-rv27). +>Please Note: Azure-PoweShell doesn't depend on the data types of Azure.Identity that cause the vulnerabiltity. Therefore it is safe to use Azure-PowerShell even it depends on Azure.Identity 1.6.1. -Most of the customers will be affected and so we invite you to test the new version. -# How to Test -Run the following cmdlet on PowerShell to install Az.Accounts-2.14.0-preivew -```pwsh -Install-Module -Name Az.Accounts -Repository PSGallery -AllowPrerelease –Force -``` -Run your script or `Connect-AzAccount` -# Send Feedback -Report your findings on [GitHub](https://github.com/Azure/azure-powershell/issues) - -# What are in the Preview Version - -## Update Az.Identity 1.6.1 to 1.10.3 to fix high vulnerability issue. -Azure.Identity 1.6.1 is reported with [high vulnerability](https://github.com/advisories/GHSA-5mfx-4wcx-rv27). However, the updated version renames the token cache file from `msal.cache` to `msal.cache.cae` (or `msal.cache.cae`). In the Az.Accounts preview, we do the migration to eliminate the influence of renaming. Our customers are not expected to depend on the token cache file directly. We emphasize here again that it is highly not recommended to do so. Currently, we use token cache only in the following login method. +To fix the issue, we update Azure.Identity to 1.10.3. However tht new version renames the token cache file from `msal.cache` to `msal.cache.cae` (or `msal.cache.cae`). In the Az.Accounts preview, we do the migration to eliminate the influence of renaming. Our customers are not expected to depend on the token cache file directly. We emphasize here again that it is highly not recommended to do so. 
Currently, we use token cache only in the following login methods. - Interactive - Device Code - User name + Password - Service Principal + Federated Token If you are using any of them, please try the new version to see whether everything goes well. -## Enabled Continuous Access Evaluation (CAE) for Service Principal login methods. -In **Azure PowerShell client side**, we already enabled CAE for the following login method +## Enabled Continuous Access Evaluation (CAE) for Service Principal login methods. +In **Azure PowerShell client side**, we already enabled CAE for the following login methods - Interactive - Device Code - User name + Password @@ -55,7 +45,16 @@ Connect-AzAccount -ServicePrincipal -Application $appId -FederatedToken $token - ``` Please you are using GitHub action, please refer to [how to test Az.Accounts-2.14.0-preivew in GitHub Actions](https://github.com/Azure/login/issues/355#issuecomment-1865516832) for more details. -## Fixed the authentication issue when using “FederatedToken” in Sovereign Clouds. -In Soverign Clouds, `Connect-AzAccounts` is found to fail when using `Service Principal + federated token`. We also include the fix into this preivew. Please refer to https://github.com/Azure/azure-powershell/issues/23742 for more details. +**Most of the customers will be affected and so we invite you to test the new version.** +# How to Test +Run the following cmdlet on PowerShell to install Az.Accounts-2.14.0-preivew +```pwsh +Install-Module -Name Az.Accounts -Repository PSGallery -AllowPrerelease –Force +``` +Run your script or `Connect-AzAccount` + +# When to Release the Preview features +We are going to release these preview feature in next regular release in January. -**We are going to release these preview feature in next regular release in January.** Please feel free leave your comments here if you have ideas or concerns. +# Send Feedback +Report your findings on [GitHub](https://github.com/Azure/azure-powershell/issues) 
From 9fa39a8290071b5561003d7a9376c2be67668420 Mon Sep 17 00:00:00 2001 From: Jin Lei <54836179+msJinLei@users.noreply.github.com> Date: Thu, 21 Dec 2023 17:39:43 +0800 Subject: [PATCH 11/18] Update Call_For_Testing_Az.Accounts-Preview.md Co-authored-by: Yan Xu --- Call_For_Testing_Az.Accounts-Preview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Call_For_Testing_Az.Accounts-Preview.md b/Call_For_Testing_Az.Accounts-Preview.md index 6fa485f17a5e..b22aff0cf910 100644 --- a/Call_For_Testing_Az.Accounts-Preview.md +++ b/Call_For_Testing_Az.Accounts-Preview.md @@ -57,4 +57,4 @@ Run your script or `Connect-AzAccount` We are going to release these preview feature in next regular release in January. # Send Feedback -Report your findings on [GitHub](https://github.com/Azure/azure-powershell/issues) +Report your findings on [GitHub](https://github.com/Azure/azure-powershell/issues). From e740417768edafa006472a01f3e188e4077d2434 Mon Sep 17 00:00:00 2001 From: Jin Lei <54836179+msJinLei@users.noreply.github.com> Date: Thu, 21 Dec 2023 17:39:53 +0800 Subject: [PATCH 12/18] Update Call_For_Testing_Az.Accounts-Preview.md Co-authored-by: Yan Xu --- Call_For_Testing_Az.Accounts-Preview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Call_For_Testing_Az.Accounts-Preview.md b/Call_For_Testing_Az.Accounts-Preview.md index b22aff0cf910..9b68d57e79b2 100644 --- a/Call_For_Testing_Az.Accounts-Preview.md +++ b/Call_For_Testing_Az.Accounts-Preview.md @@ -54,7 +54,7 @@ Install-Module -Name Az.Accounts -Repository PSGallery -AllowPrerelease –Force Run your script or `Connect-AzAccount` # When to Release the Preview features -We are going to release these preview feature in next regular release in January. +We are going to release these preview features in next regular release in January. # Send Feedback Report your findings on [GitHub](https://github.com/Azure/azure-powershell/issues). 
From 567abcfb47265778517ef87dc9fffd702362902d Mon Sep 17 00:00:00 2001 From: Jin Lei <54836179+msJinLei@users.noreply.github.com> Date: Thu, 21 Dec 2023 17:40:01 +0800 Subject: [PATCH 13/18] Update Call_For_Testing_Az.Accounts-Preview.md Co-authored-by: Beisi Zhou --- Call_For_Testing_Az.Accounts-Preview.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Call_For_Testing_Az.Accounts-Preview.md b/Call_For_Testing_Az.Accounts-Preview.md index 9b68d57e79b2..01589eb1a638 100644 --- a/Call_For_Testing_Az.Accounts-Preview.md +++ b/Call_For_Testing_Az.Accounts-Preview.md @@ -2,7 +2,9 @@ We have just released **Az.Accounts-2.14.0-preivew**, which contains the followi ## Updated Az.Identity 1.6.1 to 1.10.3 to fix high vulnerability issue. Azure.Identity 1.6.1, which we currently depend on, is reported with [high vulnerability](https://github.com/advisories/GHSA-5mfx-4wcx-rv27). ->Please Note: Azure-PoweShell doesn't depend on the data types of Azure.Identity that cause the vulnerabiltity. Therefore it is safe to use Azure-PowerShell even it depends on Azure.Identity 1.6.1. +> [!NOTE] +> Azure-PoweShell doesn't depend on the data types of Azure.Identity that cause the vulnerabiltity. Therefore it is safe to use Azure-PowerShell even it depends on Azure.Identity 1.6.1. + To fix the issue, we update Azure.Identity to 1.10.3. However tht new version renames the token cache file from `msal.cache` to `msal.cache.cae` (or `msal.cache.cae`). In the Az.Accounts preview, we do the migration to eliminate the influence of renaming. Our customers are not expected to depend on the token cache file directly. We emphasize here again that it is highly not recommended to do so. Currently, we use token cache only in the following login methods. - Interactive From ec12265ff28655c4da37a52e6a1837bc51800381 Mon Sep 17 00:00:00 2001 
From: Jin Lei <54836179+msJinLei@users.noreply.github.com> Date: Thu, 21 Dec 2023 17:40:10 +0800 Subject: [PATCH 14/18] Update Call_For_Testing_Az.Accounts-Preview.md Co-authored-by: Beisi Zhou --- Call_For_Testing_Az.Accounts-Preview.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/Call_For_Testing_Az.Accounts-Preview.md b/Call_For_Testing_Az.Accounts-Preview.md index 01589eb1a638..2df32346edf8 100644 --- a/Call_For_Testing_Az.Accounts-Preview.md +++ b/Call_For_Testing_Az.Accounts-Preview.md @@ -35,9 +35,10 @@ We adjusted cmdlet output format to make it more user-friendly based on the feed Affected cmdlets include `Get-AzContext`, `Get-AzTenant`, `Get-AzSubscription` and `Invoke-AzRestMethod`. Take cmdlet `Get-AzContext` for example, we group outputs by TenantId and alphabetically order them then. -**Please note** -- We only adjust the visual display of output in the preview version, which means no breaking changes are introduced in output object and script will not be broken due to the lack of property even if the property is moved or hidden in display. -- **Script may be broken logically** if the script assumes the certain order of outputs since we adjusted the order of output items. +> [!NOTE] +> - We only adjust the visual display of output in the preview version, which means no breaking changes are introduced in output object and script will not be broken due to the lack of property even if the property is moved or hidden in display. +> - **Script may be broken logically** if the script assumes the certain order of outputs since we adjusted the order of output items. + ## Fixed the authentication issue when using `FederatedToken` in Sovereign Clouds In Soverign Clouds, `Connect-AzAccounts` fails when using `Service Principal + Federated Token`. The issue is currently reported on [GitHub Actions](https://github.com/Azure/login/issues/355). From e7a1be9a6beb73eb4e227881f55f456458180e80 Mon Sep 17 00:00:00 2001 
From: Jin Lei <54836179+msJinLei@users.noreply.github.com> Date: Thu, 21 Dec 2023 17:40:16 +0800 Subject: [PATCH 15/18] Update Call_For_Testing_Az.Accounts-Preview.md Co-authored-by: Yan Xu --- Call_For_Testing_Az.Accounts-Preview.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Call_For_Testing_Az.Accounts-Preview.md b/Call_For_Testing_Az.Accounts-Preview.md index 2df32346edf8..697f07866e47 100644 --- a/Call_For_Testing_Az.Accounts-Preview.md +++ b/Call_For_Testing_Az.Accounts-Preview.md @@ -41,7 +41,8 @@ Affected cmdlets include `Get-AzContext`, `Get-AzTenant`, `Get-AzSubscription` a ## Fixed the authentication issue when using `FederatedToken` in Sovereign Clouds -In Soverign Clouds, `Connect-AzAccounts` fails when using `Service Principal + Federated Token`. The issue is currently reported on [GitHub Actions](https://github.com/Azure/login/issues/355). +In Soverign Clouds, `Connect-AzAccounts` fails when using `Service Principal + Federated Token`. The issue is currently reported on [Azure Login Action](https://github.com/Azure/login/issues/355). + If you login Soverign Clouds using federated token, Please run the following cmdlet on powershell ```pwsh Connect-AzAccount -ServicePrincipal -Application $appId -FederatedToken $token -Environment $SoverignCloudName From 03f5609e27b3f98aa686b05d9da71f34190f55fd Mon Sep 17 00:00:00 2001 From: Jin Lei <54836179+msJinLei@users.noreply.github.com> Date: Thu, 21 Dec 2023 17:40:24 +0800 Subject: [PATCH 16/18] Update Call_For_Testing_Az.Accounts-Preview.md Co-authored-by: Yan Xu --- Call_For_Testing_Az.Accounts-Preview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Call_For_Testing_Az.Accounts-Preview.md b/Call_For_Testing_Az.Accounts-Preview.md index 697f07866e47..8a6a2a6fa1da 100644 --- a/Call_For_Testing_Az.Accounts-Preview.md +++ b/Call_For_Testing_Az.Accounts-Preview.md 
@@ -47,7 +47,7 @@ If you login Soverign Clouds using federated token, Please run the following cmd ```pwsh Connect-AzAccount -ServicePrincipal -Application $appId -FederatedToken $token -Environment $SoverignCloudName ``` -Please you are using GitHub action, please refer to [how to test Az.Accounts-2.14.0-preivew in GitHub Actions](https://github.com/Azure/login/issues/355#issuecomment-1865516832) for more details. +Please you are using GitHub Actions, please refer to [how to test Az.Accounts-2.14.0-preivew in GitHub Actions](https://github.com/Azure/login/issues/355#issuecomment-1865516832) for more details. **Most of the customers will be affected and so we invite you to test the new version.** # How to Test From 8dc62220bfa641b7688f4ba836b4fdfc850c7982 Mon Sep 17 00:00:00 2001 From: Jin Lei <54836179+msJinLei@users.noreply.github.com> Date: Thu, 21 Dec 2023 17:40:32 +0800 Subject: [PATCH 17/18] Update Call_For_Testing_Az.Accounts-Preview.md Co-authored-by: Yan Xu --- Call_For_Testing_Az.Accounts-Preview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Call_For_Testing_Az.Accounts-Preview.md b/Call_For_Testing_Az.Accounts-Preview.md index 8a6a2a6fa1da..c512d3fc6d52 100644 --- a/Call_For_Testing_Az.Accounts-Preview.md +++ b/Call_For_Testing_Az.Accounts-Preview.md @@ -55,7 +55,7 @@ Run the following cmdlet on PowerShell to install Az.Accounts-2.14.0-preivew ```pwsh Install-Module -Name Az.Accounts -Repository PSGallery -AllowPrerelease –Force ``` -Run your script or `Connect-AzAccount` +Run your script or `Connect-AzAccount`. # When to Release the Preview features We are going to release these preview features in next regular release in January. From a87b57ad0ebcb6041e08e0b72827d8b57a71bdbd Mon Sep 17 00:00:00 2001 
From: Jin Lei <54836179+msJinLei@users.noreply.github.com> Date: Thu, 21 Dec 2023 17:41:40 +0800 Subject: [PATCH 18/18] Update Call_For_Testing_Az.Accounts-Preview.md --- Call_For_Testing_Az.Accounts-Preview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Call_For_Testing_Az.Accounts-Preview.md b/Call_For_Testing_Az.Accounts-Preview.md index c512d3fc6d52..1457ee8c5c09 100644 --- a/Call_For_Testing_Az.Accounts-Preview.md +++ b/Call_For_Testing_Az.Accounts-Preview.md @@ -3,7 +3,7 @@ We have just released **Az.Accounts-2.14.0-preivew**, which contains the followi Azure.Identity 1.6.1, which we currently depend on, is reported with [high vulnerability](https://github.com/advisories/GHSA-5mfx-4wcx-rv27). > [!NOTE] -> Azure-PoweShell doesn't depend on the data types of Azure.Identity that cause the vulnerabiltity. Therefore it is safe to use Azure-PowerShell even it depends on Azure.Identity 1.6.1. +> Azure PoweShell modules doesn't depend on the data types of Azure.Identity that cause the vulnerabiltity. Therefore it is safe to use Azure PoweShell modules even it depends on Azure.Identity 1.6.1. To fix the issue, we update Azure.Identity to 1.10.3. However tht new version renames the token cache file from `msal.cache` to `msal.cache.cae` (or `msal.cache.cae`). In the Az.Accounts preview, we do the migration to eliminate the influence of renaming. Our customers are not expected to depend on the token cache file directly. We emphasize here again that it is highly not recommended to do so. Currently, we use token cache only in the following login methods.
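Review bot: in PATCH 13/18, the new `[!NOTE]` block says it is safe to stay on Azure.Identity 1.6.1 but does not name the data types the advisory concerns, so a reader cannot check the claim against their own usage. Name the affected types, or say where in GHSA-5mfx-4wcx-rv27 they are listed. In the context line after the note, the parenthetical in "from `msal.cache` to `msal.cache.cae` (or `msal.cache.cae`)" repeats the same file name, so the alternative name is lost; restore the intended second name, and fix "tht" to "the" on the same line.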
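Review bot: in PATCH 14/18, the second bullet of the new `[!NOTE]` warns that scripts assuming an output order may break logically, but it gives no remedy. Add a sentence telling readers to order results explicitly (for example by piping to `Sort-Object` on a named property) instead of relying on the display order of `Get-AzContext`, `Get-AzTenant` or `Get-AzSubscription`. In the same bullet, "the certain order" should read "a certain order".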
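Review bot: in PATCH 15/18, the rewritten sentence still names the cmdlet as `Connect-AzAccounts`, while the code sample in the context lines below it calls `Connect-AzAccount`; the two should agree with the sample. "Soverign" is also misspelled in the changed line, in the following sentence and in `$SoverignCloudName`, although the heading above spells it "Sovereign". The blank line added after the sentence is fine.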
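Review bot: in PATCH 16/18, the changed line still opens with "Please you are using GitHub Actions, please refer to", which does not parse; "If you are using GitHub Actions, please refer to" reads as intended. The link text on the same line carries the "preivew" spelling that also appears in the install instructions, so correct both together if it is a typo for "preview".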
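Review bot: in PATCH 17/18, the `Install-Module` command in the context lines above the change writes `–Force` with an en dash, while `-Name`, `-Repository` and `-AllowPrerelease` on the same line use an ASCII hyphen. Since readers will copy this command verbatim, change it to `-Force` in the same commit that touches this section. The sentence "in next regular release in January" also needs an article: "in the next regular release".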
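Review bot: in PATCH 18/18, the replacement line introduces a subject-verb mismatch ("Azure PoweShell modules doesn't depend") and keeps the misspellings it was touching: "PoweShell" now appears twice, and "vulnerabiltity" and "even it depends" are unchanged. Suggested wording: "Azure PowerShell modules don't depend on the data types of Azure.Identity that cause the vulnerability. Therefore it is safe to use Azure PowerShell modules even though they depend on Azure.Identity 1.6.1."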