
az login: Deprecate and remove Resource Owner Password Credentials flow support #28252

Open
jiasli opened this issue Jan 26, 2024 · 3 comments
Assignees
Labels: Account (az login/account), Auto-Assign (Auto assign by bot), Azure CLI Team (The command of the issue is owned by Azure CLI team), feature-request
Milestone

Comments

@jiasli
Member

jiasli commented Jan 26, 2024

Related command
az login

Is your feature request related to a problem? Please describe.
az login supports Resource Owner Password Credentials (ROPC) flow, which is also known as username password flow:

az login --username xxx --password xxx

ROPC flow is not a recommended flow (https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth-ropc):

Warning

Microsoft recommends you do not use the ROPC flow. In most scenarios, more secure alternatives are available and recommended. This flow requires a very high degree of trust in the application, and carries risks that are not present in other flows. You should only use this flow when other more secure flows aren't viable.

There are also some recent changes:

  1. We are enforcing MFA on our test tenant.
  2. We are investigating enforcing MFA on client tools' first party applications, including Azure CLI and Azure PowerShell.
  3. MSAL doesn't use broker for ROPC flow anymore: acquire_token_silent() shall not invoke broker if the account was not established by broker AzureAD/microsoft-authentication-library-for-python#569

Describe the solution you'd like

ROPC flow inherently doesn't work with MFA (https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth-ropc):

Important

  • If users need to use multi-factor authentication (MFA) to log in to the application, they will be blocked instead.

As we are broadening the scope of MFA enforcement, we should consider deprecating and removing ROPC flow support.
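As an added example (not part of this issue or of the Azure CLI code base), the following Python check scans automation scripts for az login invocations that would select the ROPC flow and therefore stop working once MFA is enforced. The script names and contents are constructed, and the set of non-ROPC flags covers only the login modes assumed here (service principal, managed identity, device code).

```python
import shlex
from typing import Dict, List

# Constructed sample of automation scripts; "xxx" placeholders mirror the issue text.
SAMPLE_SCRIPTS: Dict[str, str] = {
    "deploy.sh": "az login --username user@contoso.example --password xxx\naz account set -s xxx\n",
    "ci.sh": "az login --service-principal -u $APP_ID -p $SECRET --tenant $TENANT\n",
    "vm.sh": "az login --identity\n",
    "dev.sh": "az login -u bob@contoso.example -p hunter2 --tenant xxx && az login --use-device-code\n",
}

# Flags that select a non-ROPC login mode (assumed set for this check).
# "--service-principal -u APP -p SECRET" is the client-credentials flow, not ROPC.
NON_ROPC_FLAGS = {"--service-principal", "--identity", "--use-device-code"}

# Shell separators between commands on one line.
SEPARATORS = {";", "&&", "||", "|"}


def is_ropc_login(argv: List[str]) -> bool:
    """True if argv is an 'az login' that would use the username/password (ROPC) flow.

    A username (-u/--username) without any non-ROPC flag selects ROPC; the password
    may be given with -p/--password or prompted interactively, so it is not required.
    """
    if len(argv) < 2 or argv[0] != "az" or argv[1] != "login":
        return False
    flags = {a.split("=", 1)[0] for a in argv[2:] if a.startswith("-")}
    if flags & NON_ROPC_FLAGS:
        return False
    return bool(flags & {"-u", "--username"})


def find_ropc_logins(scripts: Dict[str, str]) -> List[str]:
    """Return 'file:line' references for every ROPC-style az login found."""
    hits: List[str] = []
    for name, text in scripts.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            try:
                tokens = shlex.split(line, comments=True)
            except ValueError:  # unbalanced quotes; a real linter would report this
                continue
            cmd: List[str] = []
            for tok in tokens + ["\n"]:  # trailing sentinel flushes the last command
                if tok in SEPARATORS or tok == "\n":
                    if is_ropc_login(cmd):
                        hits.append(f"{name}:{lineno}")
                    cmd = []
                else:
                    cmd.append(tok)
    return hits
```

Running `find_ropc_logins(SAMPLE_SCRIPTS)` reports deploy.sh:1 and dev.sh:1; the service-principal, managed-identity and device-code logins are left alone.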

@microsoft-github-policy-service microsoft-github-policy-service bot added Auto-Assign Auto assign by bot Account az login/account labels Jan 26, 2024
@microsoft-github-policy-service microsoft-github-policy-service bot added Azure CLI Team The command of the issue is owned by Azure CLI team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Jan 26, 2024
@yonzhan
Collaborator

yonzhan commented Jan 26, 2024

Thank you for opening this issue, we will look into it.

@yonzhan yonzhan added this to the Backlog milestone Jan 26, 2024
@yonzhan yonzhan added feature-request and removed question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Jan 26, 2024
@rayluo
Member

rayluo commented May 15, 2024

3. MSAL doesn't use broker for ROPC flow anymore

FYI: MSAL Python is going to bring ROPC via WAM back.

  1. We are enforcing MFA on our test tenant.
  2. We are investigating enforcing MFA on client tools' first party applications, including Azure CLI and Azure PowerShell.

What about 3rd party customers whose admin may not enforce MFA? ROPC may still work for them. Withdrawing it from Azure CLI may break their usage.

@jiasli
Member Author

jiasli commented May 15, 2024

What about 3rd party customers whose admin may not enforce MFA?

We won't allow that. MFA will be enforced on all tenants.

Also see https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/microsoft-will-require-mfa-for-all-azure-users/ba-p/4140391
