Refresh from upstream dev

Author: mentat9

.github/policies/resourceManagement.yml

@@ -585,6 +585,19 @@ configuration:
             - kushagraThapar
             replyTemplate: Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc ${mentionees}.
             assignMentionees: False
+      - if:
+        - hasLabel:
+            label: Service Attention
+        - hasLabel:
+            label: AzureDataTransfer
+        then:
+        - mentionUsers:
+            mentionees:
+            - lasuredd-msft
+            - fzkhan
+            - pkuma-msft
+            replyTemplate: Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc ${mentionees}.
+            assignMentionees: False
       - if:
         - hasLabel:
             label: Service Attention
@@ -2245,6 +2258,19 @@ configuration:
             - AzMonEssential
             replyTemplate: Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc ${mentionees}.
             assignMentionees: False
+      - if:
+        - hasLabel:
+            label: Service Attention
+        - hasLabel:
+            label: Monitor - ScheduledQueryRule
+        then:
+        - mentionUsers:
+            mentionees:
+            - azmonapplicationinsights
+            - asafst
+            - efratbp
+            replyTemplate: Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc ${mentionees}.
+            assignMentionees: False
       - if:
         - hasLabel:
             label: Service Attention
@@ -2676,6 +2702,7 @@ configuration:
         - mentionUsers:
             mentionees:
             - jfggdl
+            - damodaravadhani
             replyTemplate: Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc ${mentionees}.
             assignMentionees: False
       - if:
@@ -2723,6 +2750,17 @@ configuration:
             - stephbaron
             replyTemplate: Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc ${mentionees}.
             assignMentionees: False
+      - if:
+        - hasLabel:
+            label: Service Attention
+        - hasLabel:
+            label: ResourceMover
+        then:
+        - mentionUsers:
+            mentionees:
+            - yashjain4
+            replyTemplate: Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc ${mentionees}.
+            assignMentionees: False
       - if:
         - hasLabel:
             label: Service Attention

scripts/regression_test/extension_regression_test.yml

@@ -21,7 +21,13 @@ jobs:
       inputs:
         versionSpec: '3.12'
         displayName: "Use Python 3.12"
-    - bash: |
+    - task: AzureCLI@2
+      displayName: 'checkout branch'
+      inputs:
+        connectedServiceNameARM: $(azure-cli-live-test-msft-connected-service)
+        scriptType: bash
+        scriptLocation: inlineScript
+        inlineScript: |
           set -ev
           pwd
           git clone https://github.com/Azure/azure-cli-extensions.git
@@ -34,7 +40,6 @@ jobs:
           git remote add azclibot https://azclibot:${GITHUB_TOKEN}@github.com/azclibot/azure-cli-extensions.git
           git checkout -b regression_test_$(Build.BuildId)
           git push --set-upstream azclibot regression_test_$(Build.BuildId)
-      displayName: 'checkout branch'
 
 - job: CLIExtensionRegressionTest
   displayName: CLI Extension Regression Test
@@ -74,7 +79,13 @@ jobs:
     inputs:
       versionSpec: '3.12'
       displayName: "Use Python 3.12"
-  - bash: |
+  - task: AzureCLI@2
+    displayName: 'checkout cli and extension repo'
+    inputs:
+      connectedServiceNameARM: $(azure-cli-live-test-msft-connected-service)
+      scriptType: bash
+      scriptLocation: inlineScript
+      inlineScript: |
         set -ev
         pwd
         if [[ -n "$(CUSTOM_CLI_REPO)" && -n "$(CUSTOM_CLI_BRANCH)" ]]; then
@@ -94,7 +105,6 @@ jobs:
 
         git fetch azclibot
         git checkout -b regression_test_$(Build.BuildId) azclibot/regression_test_$(Build.BuildId)
-    displayName: 'checkout cli and extension repo'
   - template: ../../.azure-pipelines/templates/azdev_setup.yml
     parameters:
       CLIExtensionRepoPath: ./azure-cli-extensions
@@ -153,7 +163,13 @@ jobs:
   pool:
     name: ${{ variables.ubuntu_pool }}
   steps:
-    - bash: |
+    - task: AzureCLI@2
+      displayName: 'Result Summary'
+      inputs:
+        connectedServiceNameARM: $(azure-cli-live-test-msft-connected-service)
+        scriptType: bash
+        scriptLocation: inlineScript
+        inlineScript: |
           set -ev
 
           # git config
@@ -195,4 +211,3 @@ jobs:
 
             sleep 5
           done
-      displayName: 'Result Summary'

scripts/regression_test/regression_test.yml

@@ -22,7 +22,13 @@ jobs:
       inputs:
         versionSpec: '3.12'
         displayName: "Use Python 3.12"
-    - bash: |
+    - task: AzureCLI@2
+      displayName: 'update version'
+      inputs:
+        connectedServiceNameARM: $(azure-cli-live-test-msft-connected-service)
+        scriptType: bash
+        scriptLocation: inlineScript
+        inlineScript: |
           set -ev
 
           # git config
@@ -53,7 +59,6 @@ jobs:
           git add .
           git commit -m "update version"
           git push --set-upstream azclibot regression_test_$(Build.BuildId)
-      displayName: 'update version'
 
 - job: RerunTests
   displayName: CLI Regression tests
@@ -86,7 +91,13 @@ jobs:
       inputs:
         versionSpec: '3.12'
         displayName: "Use Python 3.12"
-    - bash: |
+    - task: AzureCLI@2
+      displayName: 'Checkout Target Branch'
+      inputs:
+        connectedServiceNameARM: $(azure-cli-live-test-msft-connected-service)
+        scriptType: bash
+        scriptLocation: inlineScript
+        inlineScript: |
           set -ev
           # git config
           if [[ -n "$(CUSTOM_REPO)" && -n "$(CUSTOM_BRANCH)" && -n "$(CUSTOM_GITHUB_TOKEN)" ]]; then
@@ -104,7 +115,6 @@ jobs:
           git fetch ${GITHUB_REPO} ${GITHUB_BRANCH}
 
           git checkout -b ${GITHUB_BRANCH} ${GITHUB_REPO}/${GITHUB_BRANCH}
-      displayName: 'Checkout Target Branch'
     - template: ../../.azure-pipelines/templates/azdev_setup.yml
     - task: AzureCLI@2
       displayName: 'Rerun tests'
@@ -137,7 +147,13 @@ jobs:
   pool:
     name: ${{ variables.ubuntu_pool }}
   steps:
-    - bash: |
+    - task: AzureCLI@2
+      displayName: 'Create PR'
+      inputs:
+        connectedServiceNameARM: $(azure-cli-live-test-msft-connected-service)
+        scriptType: bash
+        scriptLocation: inlineScript
+        inlineScript: |
           set -ev
           # git config
           if [[ -n "$(CUSTOM_REPO)" && -n "$(CUSTOM_BRANCH)" && -n "$(CUSTOM_GITHUB_TOKEN)" ]]; then

src/azure-cli-core/HISTORY.rst

@@ -6,6 +6,7 @@ Release History
 2.76.0
 ++++++
 * Resolve CVE-2024-47081 (#31708)
+* Provide actionable error recommendation when a command fails because of Multi-Factor Authentication (MFA) policy violation (#31699)
 
 2.75.0
 ++++++

src/azure-cli-core/azure/cli/core/_profile.py

@@ -172,7 +172,7 @@ def login(self,
                 use_device_code = True
 
             if use_device_code:
-                user_identity = identity.login_with_device_code(scopes=scopes)
+                user_identity = identity.login_with_device_code(scopes=scopes, claims_challenge=claims_challenge)
             else:
                 user_identity = identity.login_with_auth_code(scopes=scopes, claims_challenge=claims_challenge)
         else:
@@ -360,17 +360,20 @@ def get_raw_token(self, resource=None, scopes=None, subscription=None, tenant=No
 
         managed_identity_type, managed_identity_id = Profile._parse_managed_identity_account(account)
 
+        non_current_tenant_template = ("For {} account, getting access token for non-current tenants is not "
+                                       "supported. The specified tenant must be the current tenant "
+                                       f"{account[_TENANT_ID]}")
         if in_cloud_console() and account[_USER_ENTITY].get(_CLOUD_SHELL_ID):
             # Cloud Shell
-            if tenant:
-                raise CLIError("Tenant shouldn't be specified for Cloud Shell account")
+            if tenant and tenant != account[_TENANT_ID]:
+                raise CLIError(non_current_tenant_template.format('Cloud Shell'))
             from .auth.msal_credentials import CloudShellCredential
             cred = CloudShellCredential()
 
         elif managed_identity_type:
             # managed identity
-            if tenant:
-                raise CLIError("Tenant shouldn't be specified for managed identity account")
+            if tenant and tenant != account[_TENANT_ID]:
+                raise CLIError(non_current_tenant_template.format('managed identity'))
             cred = ManagedIdentityAuth.credential_factory(managed_identity_type, managed_identity_id)
             if credential_out:
                 credential_out['credential'] = cred

src/azure-cli-core/azure/cli/core/auth/identity.py

@@ -171,14 +171,14 @@ def _prompt_launching_ui(ui=None, **_):
             claims_challenge=claims_challenge)
         return check_result(result)
 
-    def login_with_device_code(self, scopes):
-        flow = self._msal_app.initiate_device_flow(scopes)
+    def login_with_device_code(self, scopes, claims_challenge=None):
+        flow = self._msal_app.initiate_device_flow(scopes, claims_challenge=claims_challenge)
         if "user_code" not in flow:
             raise ValueError(
                 "Fail to create device flow. Err: %s" % json.dumps(flow, indent=4))
         from azure.cli.core.style import print_styled_text, Style
         print_styled_text((Style.WARNING, flow["message"]), file=sys.stderr)
-        result = self._msal_app.acquire_token_by_device_flow(flow)  # By default it will block
+        result = self._msal_app.acquire_token_by_device_flow(flow, claims_challenge=claims_challenge)
         return check_result(result)
 
     def login_with_username_password(self, username, password, scopes):

src/azure-cli-core/azure/cli/core/profiles/_shared.py

@@ -187,10 +187,7 @@ def default_api_version(self):
         ResourceType.MGMT_RESOURCE_MANAGEDAPPLICATIONS: '2019-07-01',
         ResourceType.MGMT_NETWORK_PRIVATEDNS: None,
         ResourceType.MGMT_KEYVAULT: None,
-        ResourceType.MGMT_AUTHORIZATION: SDKProfile('2022-04-01', {
-            'role_definitions': '2022-05-01-preview',
-            'provider_operations_metadata': '2018-01-01-preview'
-        }),
+        ResourceType.MGMT_AUTHORIZATION: None,
         ResourceType.MGMT_CONTAINERREGISTRY: SDKProfile('2025-03-01-preview', {
             'agent_pools': '2025-03-01-preview',
             'tasks': '2025-03-01-preview',
@@ -227,7 +224,7 @@ def default_api_version(self):
         ResourceType.MGMT_ARO: '2023-11-22',
         ResourceType.MGMT_DATABOXEDGE: '2021-02-01-preview',
         ResourceType.MGMT_CUSTOMLOCATION: '2021-03-15-preview',
-        ResourceType.MGMT_CONTAINERSERVICE: SDKProfile('2025-05-01'),
+        ResourceType.MGMT_CONTAINERSERVICE: None,
         ResourceType.MGMT_APPCONTAINERS: '2022-10-01',
     }
 }
@@ -236,10 +233,6 @@ def default_api_version(self):
 # We should avoid using ad hoc API versions,
 # use the version in a profile as much as possible.
 AD_HOC_API_VERSIONS = {
-    ResourceType.MGMT_IOTHUB: {
-        # src/azure-cli/azure/cli/command_modules/iot/custom.py#iot_hub_devicestream_show
-        'iot_hub_resource': '2019-07-01-preview',
-    },
     ResourceType.MGMT_APPSERVICE: {
         # src/azure-cli/azure/cli/command_modules/appservice/_constants.py:68
         'app_service_certificate_orders': '2022-09-01'

src/azure-cli-core/azure/cli/core/tests/test_profile.py

@@ -1134,9 +1134,15 @@ def test_get_raw_token_mi_system_assigned(self):
         self.assertEqual(subscription_id, self.test_mi_subscription_id)
         self.assertEqual(tenant_id, self.test_mi_tenant)
 
-        # verify tenant shouldn't be specified for MSI account
-        with self.assertRaisesRegex(CLIError, "Tenant shouldn't be specified"):
-            cred, subscription_id, _ = profile.get_raw_token(resource='http://test_resource', tenant=self.tenant_id)
+        # Specifying the current tenant is allowed
+        cred, subscription_id, tenant_id = profile.get_raw_token(tenant=self.test_mi_tenant)
+        self.assertEqual(tenant_id, self.test_mi_tenant)
+
+        # Specifying a non-current tenant is disallowed
+        with self.assertRaisesRegex(CLIError,
+                                    "For managed identity account, getting access token for non-current tenants is "
+                                    "not supported"):
+            profile.get_raw_token(tenant='another-tenant')
 
     @mock.patch('azure.cli.core.auth.util.now_timestamp', new=now_timestamp_mock)
     @mock.patch('azure.cli.core.auth.msal_credentials.ManagedIdentityCredential', ManagedIdentityCredentialStub)
@@ -1285,9 +1291,15 @@ def cloud_shell_credential_factory():
         self.assertEqual(subscription_id, test_subscription_id)
         self.assertEqual(tenant_id, test_tenant_id)
 
-        # Verify tenant shouldn't be specified for Cloud Shell account
-        with self.assertRaisesRegex(CLIError, 'Cloud Shell'):
-            profile.get_raw_token(resource='http://test_resource', tenant=self.tenant_id)
+        # Specifying the current tenant is allowed
+        cred, subscription_id, tenant_id = profile.get_raw_token(tenant=test_tenant_id)
+        self.assertEqual(tenant_id, test_tenant_id)
+
+        # Specifying a non-current tenant is disallowed
+        with self.assertRaisesRegex(CLIError,
+                                    "For Cloud Shell account, getting access token for non-current tenants is "
+                                    "not supported"):
+            profile.get_raw_token(tenant='another-tenant')
 
     @mock.patch('azure.cli.core.auth.identity.Identity.get_user_credential')
     def test_get_msal_token(self, get_user_credential_mock):

src/azure-cli-core/azure/cli/core/util.py

@@ -1164,12 +1164,6 @@ def __exit__(self, exc_type, exc_val, exc_tb):
 
 
 def _ssl_context():
-    if sys.version_info < (3, 4) or (in_cloud_console() and platform.system() == 'Windows'):
-        try:
-            return ssl.SSLContext(ssl.PROTOCOL_TLS)  # added in python 2.7.13 and 3.6
-        except AttributeError:
-            return ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-
     return ssl.create_default_context()
 
 

src/azure-cli-core/setup.py

@@ -45,6 +45,7 @@
 DEPENDENCIES = [
     'argcomplete~=3.5.2',
     'azure-cli-telemetry==1.1.0.*',
+    'azure-core~=1.35.0',
     'azure-mgmt-core>=1.2.0,<2',
     'cryptography',
     # On Linux, the distribution (Ubuntu, Debian, etc) and version are logged in telemetry
@@ -54,8 +55,8 @@
     'knack~=0.11.0',
     'microsoft-security-utilities-secret-masker~=1.0.0b4',
     'msal-extensions==1.2.0',
-    'msal[broker]==1.33.0b1; sys_platform == "win32"',
-    'msal==1.33.0b1; sys_platform != "win32"',
+    'msal[broker]==1.34.0b1; sys_platform == "win32"',
+    'msal==1.34.0b1; sys_platform != "win32"',
     'packaging>=20.9',
     'pkginfo>=1.5.0.1',
     # psutil can't install on cygwin: https://github.com/Azure/azure-cli/issues/9399