Azure / azure-powershell

Microsoft Azure PowerShell

Az Accounts does not respect $env:AZURE_IDENTITY_DISABLE_CP1 #24433

Open vrdse opened 6 months ago

vrdse commented 6 months ago

Description

AZURE_IDENTITY_DISABLE_CP1 should disable the client-side CAE-capability as per Azure.Identity/CHANGELOG.md and #16766. However, CAE continues to be enabled even if the environment variable is set to true.

Issue script & Debug output

[Environment]::SetEnvironmentVariable("AZURE_IDENTITY_DISABLE_CP1", "true", "User")
Disconnect-AzAccount
Connect-AzAccount -Tenant $TenantId
(Get-JwtPayload (Get-AzAccessToken -ResourceTypeName MSGraph).Token | ConvertFrom-Json).xms_cc

CP1

Environment data

$PSVersionTable

Name                           Value
----                           -----
PSVersion                      7.4.1
PSEdition                      Core
GitCommitId                    7.4.1
OS                             Microsoft Windows 10.0.22631
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

Get-Module Az*

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     2.16.0                Az.Accounts                         {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Clear-AzDefault…}
Script     0.13.0                Az.ResourceGraph                    {Search-AzGraph, Get-AzResourceGraphQuery, New-AzResourceGraphQuery, Remove-AzResourceGraphQuery…}
Script     6.16.0                Az.Resources                        {Export-AzResourceGroup, Export-AzTemplateSpec, Get-AzDenyAssignment, Get-AzDeployment…}

Error output

No response
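
The repro above relies on a Get-JwtPayload helper that the post does not define. As an added example (not code from the issue or from the Az project), the following decodes the token payload with built-in .NET calls and reports whether the CP1 client capability is present; the function names and the sample tokens are hypothetical and constructed for illustration.

```powershell
# Added example: inspect a token's xms_cc claim without any helper module.
# It decodes only; it does not validate the signature.
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    # base64url -> base64: swap the URL-safe alphabet, then restore padding
    $b64 = $Value.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        1 { throw 'Invalid base64url length' }
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

function Get-TokenClientCapability {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Expected three dot-separated JWT segments' }
    $payload = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    # xms_cc is absent when no client capability was declared
    $caps = @($payload.xms_cc | Where-Object { $_ })
    [pscustomobject]@{
        Audience            = $payload.aud
        ClientCapabilities  = $caps -join ','
        CaeCapable          = $caps -contains 'CP1'
        # Value the current process sees; a variable written with the "User"
        # target is only picked up by processes started afterwards
        DisableCp1InProcess = $env:AZURE_IDENTITY_DISABLE_CP1
    }
}

# Constructed sample tokens (hypothetical claims, placeholder signature)
function New-SampleToken {
    param([Parameter(Mandatory)][hashtable]$Claims)
    $encode = {
        param($Object)
        $bytes = [Text.Encoding]::UTF8.GetBytes(($Object | ConvertTo-Json -Compress))
        [Convert]::ToBase64String($bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
    }
    '{0}.{1}.{2}' -f (& $encode @{ alg = 'none' }), (& $encode $Claims), 'sig'
}

$withCp1    = New-SampleToken @{ aud = 'https://graph.microsoft.com'; xms_cc = @('CP1') }
$withoutCp1 = New-SampleToken @{ aud = 'https://graph.microsoft.com' }
$withCp1, $withoutCp1 | ForEach-Object { Get-TokenClientCapability $_ }

# With a live session, pass the string from the repro instead:
# Get-TokenClientCapability (Get-AzAccessToken -ResourceTypeName MSGraph).Token
```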

isra-fel commented 6 months ago

@msJinLei could you look into this? Do we support this env var or should the customer disable CAE in another way?

isra-fel commented 6 months ago

@vrdse any particular reason you want to disable it?

vrdse commented 6 months ago

Disabling it is a workaround if the applicable Conditional Access didn't plan for CAE-enabled clients, resulting in undesired access denied.