[Managed_Service_Identity] Added support for FlexibleFIC

Author: sbandarkar

src/azure-cli/azure/cli/command_modules/identity/_help.py

@@ -48,6 +48,9 @@
   - name: Create a federated identity credential under a specific user assigned identity.
     text: |
         az identity federated-credential create --name myFicName --identity-name myIdentityName --resource-group myResourceGroup --issuer myIssuer --subject mySubject --audiences myAudiences
+  - name: Create a federated identity credential with claims matching expression
+    text: |
+        az identity federated-credential create --name myFicName --identity-name myIdentityName --resource-group myResourceGroup --issuer https://tokens.githubusercontent.com --audiences api://AzureADTokenExchange --claims-matching-expression-value "claims['sub'] startswith 'repo:contoso-org/contoso-repo:ref:refs/heads'" --claims-matching-expression-version 1
 """
 
 helps['identity federated-credential update'] = """
@@ -57,6 +60,9 @@
   - name: Update a federated identity credential under a specific user assigned identity.
     text: |
         az identity federated-credential update --name myFicName --identity-name myIdentityName --resource-group myResourceGroup --issuer myIssuer --subject mySubject --audiences myAudiences
+  - name: Update a federated identity credential with claims matching expression
+    text: |
+        az identity federated-credential update --name myFicName --identity-name myIdentityName --resource-group myResourceGroup --issuer https://tokens.githubusercontent.com --audiences api://AzureADTokenExchange --claims-matching-expression-value "claims['sub'] startswith 'repo:contoso-org/contoso-repo:ref:refs/heads'" --claims-matching-expression-version 1
 """
 
 helps['identity federated-credential delete'] = """

src/azure-cli/azure/cli/command_modules/identity/_params.py

@@ -22,7 +22,7 @@ def load_arguments(self, _):
         c.argument('location', get_location_type(self.cli_ctx), required=False)
         c.argument('tags', tags_type)
 
-    with self.argument_context('identity federated-credential', min_api='2022-01-31-preview') as c:
+    with self.argument_context('identity federated-credential', min_api='2025-01-31-PREVIEW') as c:
         c.argument('federated_credential_name', options_list=('--name', '-n'), help='The name of the federated identity credential resource.')
         c.argument('identity_name', help='The name of the identity resource.')
 
@@ -31,3 +31,5 @@ def load_arguments(self, _):
             c.argument('issuer', help='The openId connect metadata URL of the issuer of the identity provider that Azure AD would use in the token exchange protocol for validating tokens before issuing a token as the user-assigned managed identity.')
             c.argument('subject', help='The sub value in the token sent to Azure AD for getting the user-assigned managed identity token. The value configured in the federated credential and the one in the incoming token must exactly match for Azure AD to issue the access token.')
             c.argument('audiences', nargs='+', help='The aud value in the token sent to Azure for getting the user-assigned managed identity token. The value configured in the federated credential and the one in the incoming token must exactly match for Azure to issue the access token.')
+            c.argument('claims_matching_expression_value', options_list=['--claims-matching-expression-value'], help='The claims expression value that will be evaluated by Azure AD to issue a token. For example, claims[\'sub\'] startswith \'repo:contoso-org/contoso-repo:ref:refs/heads\'.')
+            c.argument('claims_matching_expression_version', options_list=['--claims-matching-expression-version'], help='The version of claims expression language. For example, 1.')

src/azure-cli/azure/cli/command_modules/identity/commands.py

@@ -39,7 +39,7 @@ def load_command_table(self, _):
 
     with self.command_group('identity federated-credential', federated_identity_credentials_sdk,
                             client_factory=_msi_federated_identity_credentials_operations,
-                            min_api='2022-01-31-preview') as g:
+                            min_api='2025-01-31-PREVIEW') as g:
         g.custom_command('create', 'create_or_update_federated_credential')
         g.custom_command('update', 'create_or_update_federated_credential')
         g.custom_show_command('show', 'show_federated_credential')

src/azure-cli/azure/cli/command_modules/identity/custom.py

@@ -35,15 +35,22 @@ def list_identity_resources(cmd, resource_group_name, resource_name):
 
 
 def create_or_update_federated_credential(cmd, client, resource_group_name, identity_name, federated_credential_name,
-                                          issuer=None, subject=None, audiences=None):
+                                          issuer=None, subject=None, audiences=None, claims_matching_expression_value=None,
+                                          claims_matching_expression_version=None):
     _default_audiences = ['api://AzureADTokenExchange']
     audiences = _default_audiences if not audiences else audiences
     if not issuer or not subject:
         raise RequiredArgumentMissingError('usage error: please provide both --issuer and --subject parameters')
 
     FederatedIdentityCredential = cmd.get_models('FederatedIdentityCredential', resource_type=ResourceType.MGMT_MSI,
                                                  operation_group='federated_identity_credentials')
-    parameters = FederatedIdentityCredential(issuer=issuer, subject=subject, audiences=audiences)
+    parameters = FederatedIdentityCredential(
+        issuer=issuer,
+        subject=subject,
+        audiences=audiences,
+        claims_matching_expression_value=claims_matching_expression_value,
+        claims_matching_expression_version=claims_matching_expression_version
+    )
 
     return client.create_or_update(resource_group_name=resource_group_name, resource_name=identity_name,
                                    federated_identity_credential_resource_name=federated_credential_name,