Related command
az login
Is your feature request related to a problem? Please describe.
MSAL previously had a draft PR AzureAD/microsoft-authentication-library-for-python#560 on supporting managed identity + application FIC authentication, but this PR is not completed yet.
There is an internal work item of migrating to managed identity + multitenant application (MI+CCA). Below is some sample code:
Currently Azure CLI doesn't support MI+CCA, but there is a workaround:
```sh
# First log in with managed identity
az login --identity
# Acquire an access token for token exchange
token=$(az account get-access-token --scope api://AzureADTokenExchange/.default --query accessToken --output tsv)
# Use the above token as an OIDC token to log into the multitenant application
az login --service-principal --username <App ID> --federated-token $token
```
As $token is passed via --federated-token, #28708 will be hit. It is better for MSAL to support MI+CCA authentication and refresh the managed identity's token on demand.
Then Azure CLI can expose this feature via something like
```sh
az login --service-principal --username <App ID> --fic-mi
```
After that, AzureCLI@2 - Azure CLI v2 and Azure Login Action task also need to be updated to support this command.
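A pre-flight check for the workaround above, added here as an example (not code from the issue author or Azure CLI): since `$token` is captured once and passed as a fixed string, a script can decode the JWT payload and confirm its `aud` and `exp` claims before starting a long-running job. The helper names and the sample token are constructed for illustration, and `base64 -d` assumes GNU coreutils.

```shell
#!/bin/sh
# Decode the payload (second segment) of a JWT and print it as JSON.
jwt_payload() {
    seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
    # base64url omits padding; restore it so base64 -d accepts the input
    case $(( ${#seg} % 4 )) in
        2) seg="$seg==" ;;
        3) seg="$seg=" ;;
    esac
    printf '%s' "$seg" | base64 -d
}

# Print a numeric claim ($2) from token $1, e.g. exp.
jwt_num_claim() {
    jwt_payload "$1" | tr -d ' \n' | sed -n "s/.*\"$2\":\([0-9][0-9]*\).*/\1/p"
}

# Print a string claim ($2) from token $1, e.g. aud.
jwt_str_claim() {
    jwt_payload "$1" | sed -n "s/.*\"$2\" *: *\"\([^\"]*\)\".*/\1/p"
}

# Succeed if token $1 stays valid for at least $2 more seconds.
# $3 is the reference time in epoch seconds (defaults to now).
token_usable() {
    exp=$(jwt_num_claim "$1" exp)
    now=${3:-$(date +%s)}
    [ -n "$exp" ] && [ $(( $exp - $now )) -ge "$2" ]
}

# --- constructed sample input, not a token issued by any identity provider ---
b64url() { base64 | tr -d '=\n' | tr '/+' '_-'; }
sample_token() {
    h=$(printf '%s' '{"alg":"none","typ":"JWT"}' | b64url)
    p=$(printf '%s' '{"aud":"api://AzureADTokenExchange","exp":2000000000}' | b64url)
    printf '%s.%s.%s' "$h" "$p" "constructed-signature"
}

t=$(sample_token)   # in the workaround this would be "$token"
if token_usable "$t" 300; then
    echo "aud=$(jwt_str_claim "$t" aud), valid for at least 5 more minutes"
else
    echo "token missing exp or too close to expiry; acquire a new one" >&2
fi
```

The check only reads claims and does not verify the signature, so it is a lifetime and audience sanity check, not token validation.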