az login: Deprecate and remove Resource Owner Password Credentials flow support #28252
Description
Related command
az login
Is your feature request related to a problem? Please describe.
az login supports Resource Owner Password Credentials (ROPC) flow, which is also known as username password flow:
az login --username xxx --password xxx
ROPC flow is not a recommended flow (https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth-ropc):
Warning
Microsoft recommends you do not use the ROPC flow. In most scenarios, more secure alternatives are available and recommended. This flow requires a very high degree of trust in the application, and carries risks that are not present in other flows. You should only use this flow when other more secure flows aren't viable.
There are also some recent changes:
- We are enforcing MFA on our test tenant.
- We are investigating enforcing MFA on client tools' first party applications, including Azure CLI and Azure PowerShell.
- MSAL doesn't use broker for ROPC flow anymore: acquire_token_silent() shall not invoke broker if the account was not established by broker AzureAD/microsoft-authentication-library-for-python#569
Describe the solution you'd like
ROPC flow inherently doesn't work with MFA (https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth-ropc):
Important
- If users need to use multi-factor authentication (MFA) to log in to the application, they will be blocked instead.
As we are broadening the scope of MFA enforcement, we should consider deprecating and removing ROPC flow support.