Description
Is your feature request related to a problem? Please describe.
The current Azure CLI unconditionally uses the ARM resource ID (e.g. `active_directory_resource_id='https://management.core.windows.net/'`) to call the /authorize API of the authorization code flow.
There are increasing asks for Conditional Access support from multiple service teams (#15220):
- Storage
- App Configuration
- VM SSH
Describe the solution you'd like
We should reconsider supporting Conditional Access on the dev branch.
In order to do so, `az login` must take `--scope` and use it in /authorize.
ℹ ADAL only takes resource, so scope must be converted back to resource using `scopes_to_resource` in azure-cli/src/azure-cli-core/azure/cli/core/util.py (lines 1214 to 1228 in ad30d55):

```python
def scopes_to_resource(scopes):
    """Convert MSAL scopes to ADAL resource by stripping the /.default suffix and return a str.
    For example:
        ['https://management.core.windows.net//.default'] -> 'https://management.core.windows.net/'
        ['https://managedhsm.azure.com/.default'] -> 'https://managedhsm.azure.com'
    :param scopes: The MSAL scopes. It can be a list or tuple of string
    :return: The ADAL resource
    :rtype: str
    """
    scope = scopes[0]
    if scope.endswith("/.default"):
        scope = scope[:-len("/.default")]
    return scope
```
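To make the scope/resource relationship concrete, here is an added example (not code from the Azure CLI repository) that carries the conversion in both directions and shows how the scope passed to `az login --scope` would end up in the /authorize query, so that Conditional Access is evaluated for the requested resource rather than always for ARM. The client ID, redirect URI and state values are constructed placeholders; `build_authorize_url` and `requested_scope` are hypothetical helper names.

```python
from urllib.parse import urlencode, urlparse, parse_qs

ARM_RESOURCE = "https://management.core.windows.net/"   # resource the CLI uses today
DEFAULT_SUFFIX = "/.default"


def resource_to_scopes(resource):
    """Inverse of scopes_to_resource: an ADAL resource becomes one MSAL scope
    by appending '/.default'. The ARM resource already ends in '/', which is
    why its scope carries the double slash seen in the CLI docstring."""
    return [resource + DEFAULT_SUFFIX]


def scopes_to_resource(scopes):
    """Same contract as the CLI helper: strip '/.default' from the first scope."""
    scope = scopes[0]
    if scope.endswith(DEFAULT_SUFFIX):
        scope = scope[:-len(DEFAULT_SUFFIX)]
    return scope


def build_authorize_url(authority, client_id, redirect_uri, state, scopes=None):
    """Build the v2 /authorize URL for the authorization code flow.

    With no scopes (today's behaviour) the ARM scope is requested, so only
    Conditional Access policies bound to ARM are evaluated. With --scope the
    requested scope is carried in the query, so the policy for that resource
    (Storage, App Configuration, ...) applies at sign-in instead."""
    if not scopes:
        scopes = resource_to_scopes(ARM_RESOURCE)
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,   # opaque CSRF token the client must verify on return
    }
    return f"{authority}/oauth2/v2.0/authorize?{urlencode(params)}"


def requested_scope(url):
    """Read the scope parameter back out of an /authorize URL (for checks)."""
    return parse_qs(urlparse(url).query)["scope"][0]
```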