Azure / azure-cli

Azure Command-Line Interface
MIT License

`az login`: Deprecate and remove Resource Owner Password Credentials flow support #28252

Open jiasli opened 5 months ago

jiasli commented 5 months ago

Related command az login

Is your feature request related to a problem? Please describe. az login supports Resource Owner Password Credentials (ROPC) flow, which is also known as username password flow:

az login --username xxx --password xxx

ROPC flow is not a recommended flow (https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth-ropc):

[!WARNING] Microsoft recommends you do not use the ROPC flow. In most scenarios, more secure alternatives are available and recommended. This flow requires a very high degree of trust in the application, and carries risks that are not present in other flows. You should only use this flow when other more secure flows aren't viable.

There are also some recent changes:

  1. We are enforcing MFA on our test tenant.
  2. We are investigating enforcing MFA on client tools' first party applications, including Azure CLI and Azure PowerShell.
  3. MSAL doesn't use broker for ROPC flow anymore: https://github.com/AzureAD/microsoft-authentication-library-for-python/pull/569

Describe the solution you'd like

ROPC flow inherently doesn't work with MFA (https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth-ropc):

[!IMPORTANT]

  • If users need to use multi-factor authentication (MFA) to log in to the application, they will be blocked instead.

As we are broadening the scope of MFA enforcement, we should consider deprecating and removing ROPC flow support.
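Added example, not part of this issue thread and not code from the azure-cli project: a small shell audit that finds ROPC-style `az login` calls in CI or deployment scripts so they can be migrated before the flow stops working under MFA enforcement. The classification rule is an assumption based on the documented `az login` options: `-u`/`-p` together with `--service-principal` is a client-credentials login (app ID and secret), not ROPC, while `-u`/`-p` without it is the username/password flow discussed above; `--identity` and `--use-device-code` select other non-ROPC flows. The sample script lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the azure-cli project or from this thread.
# Purpose: audit shell/CI scripts for ROPC-style `az login` calls (the flow
# this issue proposes to remove) so they can be migrated before they break
# under tenant-wide MFA enforcement.
#
# Classification rule (assumption, based on the documented az login options):
#   az login -u USER -p PASS [--tenant T]                        -> ROPC (user password)
#   az login --service-principal -u APP -p SECRET --tenant T     -> client credentials, not ROPC
#   az login --identity / --use-device-code / plain `az login`   -> not ROPC
# -u/-p alone are ambiguous because the same options carry a service
# principal's app ID and secret; the presence of --service-principal is what
# separates the two cases.

# is_ropc_login LINE: exit 0 if LINE is an `az login` that supplies a user's
# username and password directly (ROPC), exit 1 otherwise.
is_ropc_login() {
    line=$1
    case "$line" in
        *"az login"*) ;;
        *) return 1 ;;
    esac
    # Service principal, managed identity and device-code logins are not ROPC.
    case "$line" in
        *--service-principal*|*--identity*|*--use-device-code*) return 1 ;;
    esac
    # ROPC needs both a username and a password on the command line.
    case "$line" in
        *" -u "*|*" --username "*|*" --username="*) ;;
        *) return 1 ;;
    esac
    case "$line" in
        *" -p "*|*" --password "*|*" --password="*) return 0 ;;
        *) return 1 ;;
    esac
}

# find_ropc_logins: read a script on stdin, print "LINENO: LINE" for each hit.
find_ropc_logins() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        if is_ropc_login "$line"; then
            printf '%d: %s\n' "$n" "$line"
        fi
    done
}

# count_ropc_logins: same input on stdin, prints only the number of hits.
count_ropc_logins() {
    c=0
    while IFS= read -r line || [ -n "$line" ]; do
        if is_ropc_login "$line"; then
            c=$((c + 1))
        fi
    done
    echo "$c"
}

# Constructed sample pipeline script (not from any real repository). Lines 3
# and 7 are ROPC logins; the others use flows that survive MFA enforcement.
SAMPLE_SCRIPT='#!/bin/bash
# deploy.sh (constructed sample)
az login -u deploy@contoso.example -p "$DEPLOY_PASSWORD"
az login --service-principal -u "$APP_ID" -p "$APP_SECRET" --tenant "$TENANT_ID"
az login --identity
az login --use-device-code
az login --username ops@contoso.example --password "$OPS_PASSWORD" --tenant "$TENANT_ID"
az account show'

# Stand-alone demo: prints the two ROPC lines with their line numbers.
printf '%s\n' "$SAMPLE_SCRIPT" | find_ropc_logins
```

To audit a real script, feed it on stdin (`sh audit.sh < deploy.sh`, or loop over a repository's `*.sh` and pipeline YAML files). The check is text-based and treats comment lines like commands, so a match inside a comment is a false positive to discard by hand. Each hit is a place where the login has to move to a flow that is compatible with MFA, such as a service principal (preferably certificate-based or using federated credentials rather than a secret), a managed identity via `--identity`, or an interactive device-code login for humans.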

yonzhan commented 5 months ago

Thank you for opening this issue, we will look into it.

rayluo commented 1 month ago

3. MSAL doesn't use broker for ROPC flow anymore

FYI: MSAL Python is going to bring ROPC via WAM back.

  1. We are enforcing MFA on our test tenant.
  2. We are investigating enforcing MFA on client tools' first party applications, including Azure CLI and Azure PowerShell.

What about 3rd party customers whose admin may not enforce MFA? ROPC may still work for them. Withdrawing it from Azure CLI may break their usage.

jiasli commented 1 month ago

What about 3rd party customers whose admin may not enforce MFA?

We won't allow that. MFA will be enforced on all tenants.

Also see https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/microsoft-will-require-mfa-for-all-azure-users/ba-p/4140391