[Profile] BREAKING CHANGE: az account show: Drop --sdk-auth

[jiasli]

Description

#19414 announced the deprecation of --sdk-auth but --sdk-auth was kept during MSAL migration (#19872).

az account show --sdk-auth compromises the security of MSAL's encrypted service principal credential store, as it can "spit out" / echo the original service principal secrets. This is not a secure behavior - consider you can see your password after you login to Windows or https://outlook.live.com/.

However, az ad sp create-for-rbac --sdk-auth is still used by many other services, like GitHub Action (as shown in #19872), it will be kept for now.

[yonzhan]

Profile

[jiasli]

Workaround

WARNING: Saving credentials to a JSON file is considered insecure. Azure Python SDK has also deprecated the usage of JSON file credential. Please see Guide for migrating to azure-identity from azure-common for more details.

If you currently have workflows that utilizes the JSON output of az account show --sdk-auth that can't be migrated immediately, you may manually fill in the below JSON with required information to get the original output of az account show --sdk-auth:

{
  "clientId": "...",
  "clientSecret": "...",
  "subscriptionId": "...",
  "tenantId": "...",
  "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
  "resourceManagerEndpointUrl": "https://management.azure.com/",
  "activeDirectoryGraphResourceId": "https://graph.windows.net/",
  "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/",
  "galleryEndpointUrl": "https://gallery.azure.com/",
  "managementEndpointUrl": "https://management.core.windows.net/"
}

If you forget the client secret/password, you may use az ad app/sp credential reset to reset the credential of the application/service principal.