Device Login: Can we add 2FA code as a query param ?

[thammegowda]

Related command
az login is executed, often implicitly by services that rely on azure.

Is your feature request related to a problem? Please describe.
Related to improving the usability of azure!

Describe the solution you'd like
When device login is prompted in terminal, we usually get a prompt printed like this:

To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code XXXXXXXX to authenticate.

Instead, I propose,

To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code XXXXXXXX to authenticate, or open https://microsoft.com/devicelogin?code=XXXXXXXX

Additional context
https://microsoft.com/devicelogin?code=XXXXXXXX will enable us to just click the URL without having to copy the code to clipboard. And please make the service behind microsoft.com/devicelogin URL to parse query param code=XXXXXXXX to auto fill the form that currently looks like this:

I believe this small act will save a few seconds and mouse moving-and-clicking efforts. Most of us are already copying the code to clipboard anyway for the sake of pasting it inside browser. Will it make security weaker if we place the code as a URL's query param? I'm not sure but I'm interested in hearing the arguments.

[yonzhan]

Thank you for opening this issue, we will look into it.

[github-actions]

Here are some similar issues that might help you. Please check if they can solve your problem.

• Code should be part of url on device-login #21671
• Easier login experience #3987
• Simply the AZ login experience #2454
• Add --use-auth-code flag to force auth code without browser #21934

---

Possible solution (Extracted from existing issue, might be incorrect; please verify carefully)

Solution 1:

Unfortunately, this message:

To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code HCLRV78QY to authenticate.

is returned by AAD's and we Azure CLI and the underlying MSAL as a client have no control over it.

Reference:

• Code should be part of url on device-login #21671 (comment)

Solution 2:

Launching a browser is not hard. We are discussing with AAD team which owns the device web page for auto-filling the code.

Reference:

• Easier login experience #3987 (comment)

Powered by issue-sentinel

[jiasli]

It's by Microsoft Entra's design that the device code should be manually copy-and-pasted to the browser. It is out of Azure CLI's control. See #21671 for further information.