Log when az login uses WAM as authentication method

[medhir]

As we roll out broker-based auth to more customers on Windows, we would like to monitor the health of authentication through WAM with visibility into:

• when allow_broker is enabled and used by any az command that would acquire a token
• associated command execution, errors

[yonzhan]

@evelyn-ys for awareness

[rayluo]

when it is enabled and used by az login

We can go one step further by monitoring "when allow_broker is enabled and used by any az command that would acquire a token". Because when a command "az foo bar" silently gets a new access token (AT), it is still using the WAM mechanism. Even if the AT was served from MSAL Python's token cache thus bypassing WAM, that AT was still originally served by WAM. From client-side perspective (on the contrary to the service-side perspective), such a cache hit can and probably should still be counted it as "MSAL Python (and its cache system) successfully served a token request while operating in allow_broker=True mode".

[isra-fel]

Hi @medhir as you may already know Azure PowerShell is going to integrate WAM as well (preview), so I assume you have the same ask for us too?

[medhir]

@isra-fel, yes! Thanks for bringing this to my attention. I will double check with the team, but I do believe we'd be interested in telemetry from Powershell as well. Do you track new asks through Github issues as well?

[medhir]

@rayluo, thanks for that suggestion. I've updated the issue description, feel free to edit if you want to add any other details.