Upgrade Azure.Identity and MSAL versions and WAM (#24792)

* Upgrade Azure.Identity and MSAL versions

* Enbale WAM by default

* Fix static analysis issue

* Fix the issues

* Fix the AzConfig issue and Address review comments

* Fix Microsoft.IdentityModel.Abstractions version issue

* upgrade Microsoft.Identity.Client.NativeInterop to 0.16.0.0

* Disable WAM in the Sovereign Clouds

* Skip BinSkim for msalruntime*.dll

* Apply the existing MFA error messages to acquire token silently with broker error

* revise error message

---------

Co-authored-by: Beisi Zhou <[email protected]>
Co-authored-by: Yeming Liu <[email protected]>

Author: 3 people

.azure-pipelines/security-tools.yml

@@ -60,14 +60,21 @@ jobs:
       targetType: inline
       script: ./src/lib/pdb/CopyPdbToArtifacts.ps1
       pwsh: true
+  
+  - task: PowerShell@2
+    displayName: Generate a response text file for BinSkim
+    inputs:
+      targetType: 'inline'
+      script: |
+        New-Item $(Build.SourcesDirectory)/artifacts/MyFileList.rsp -ItemType File -Force
+        (Get-ChildItem -Path .\artifacts\Debug -Include *.dll,*.exe -Exclude msalruntime.dll,msalruntime_arm64.dll,msalruntime_x86.dll -Recurse).FullName > $(Build.SourcesDirectory)/artifacts/MyFileList.rsp
+      pwsh: true
 
   - task: securedevelopmentteam.vss-secure-development-tools.build-task-binskim.BinSkim@3
     displayName: Run BinSkim
     inputs:
-      InputType: 'Basic'
-      Function: 'analyze'
-      AnalyzeTarget: '$(Build.SourcesDirectory)/artifacts/Debug/*.dll;$(Build.SourcesDirectory)/artifacts/*.exe'
-      AnalyzeStatistics: true
+      InputType: 'CommandLine'
+      arguments: 'analyze @$(Build.SourcesDirectory)/artifacts/MyFileList.rsp --recurse'
 
   - task: PowerShell@2
     displayName: Cleanup Build
@@ -88,4 +95,4 @@ jobs:
     inputs:
       artifactName: artifacts
       targetPath: artifacts
-...
+...

src/Accounts/Accounts/ChangeLog.md

@@ -19,6 +19,7 @@
 -->
 
 ## Upcoming Release
+* Web Account Manager (WAM) was set the default experience of interactive login. For more details please refer to https://go.microsoft.com/fwlink/?linkid=2272007
 * Enabled secrets detection option by default.
 * Fixed a null reference issue during the process of `Get-AzContext -ListAvailable` [#24854].
 * Supported interactive subscription selection for user login flow. See more details at [Announcing a new login experience with Azure PowerShell and Azure CLI

src/Accounts/AssemblyLoading/ConditionalAssemblyProvider.cs

@@ -42,15 +42,16 @@ public static void Initialize(string rootPath, IConditionalAssemblyContext conte
                 // todo: add a tool to update assembly versions after replacing the assemblies. (Can it support newly introduced assemblies?)
                 // todo: consider moving the list to a standalone config file
                 #region AssemblyList
-                CreateAssembly("netstandard2.0", "Azure.Core", "1.37.0.0"),
-                CreateAssembly("netstandard2.0", "Azure.Identity", "1.10.3.0"),
-                CreateAssembly("netstandard2.0", "Azure.Identity.Broker", "1.0.0.0"),
+                CreateAssembly("netstandard2.0", "Azure.Core", "1.38.0.0"),
+                CreateAssembly("netstandard2.0", "Azure.Identity", "1.11.2.0"),
+                CreateAssembly("netstandard2.0", "Azure.Identity.Broker", "1.1.0.0"),
                 CreateAssembly("netstandard2.0", "Microsoft.Bcl.AsyncInterfaces", "1.0.0.0"),
-                CreateAssembly("netstandard2.0", "Microsoft.Identity.Client", "4.56.0.0"),
-                CreateAssembly("netstandard2.0", "Microsoft.Identity.Client.Extensions.Msal", "4.56.0.0"),
-                CreateAssembly("netstandard2.0", "Microsoft.Identity.Client.Broker", "4.56.0.0"),
-                CreateAssembly("netstandard2.0", "Microsoft.Identity.Client.NativeInterop", "0.13.8.0"),
-                CreateAssembly("netstandard2.0", "Microsoft.IdentityModel.Abstractions", "6.22.1.0"),
+                CreateAssembly("netstandard2.0", "Microsoft.Identity.Client", "4.60.3.0"),
+                CreateAssembly("netstandard2.0", "Microsoft.Identity.Client.Extensions.Msal", "4.60.3.0"),
+                CreateAssembly("netstandard2.0", "Microsoft.Identity.Client.Broker", "4.60.3.0"),
+                CreateAssembly("netstandard2.0", "Microsoft.Identity.Client.NativeInterop", "0.16.0.0"),
+                CreateAssembly("netstandard2.0", "Microsoft.IdentityModel.Abstractions", "6.35.0.0"),
+                CreateAssembly("netstandard2.0", "System.ClientModel", "1.0.0.0"),
                 CreateAssembly("netstandard2.0", "System.Memory.Data", "1.0.2.0"),
                 CreateAssembly("netstandard2.0", "System.Text.Json", "4.0.1.2"),
                 CreateAssembly("netstandard2.0", "System.Buffers", "4.0.3.0").WithWindowsPowerShell(),

src/Accounts/Authentication/Authentication.csproj

@@ -12,10 +12,11 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Azure.Identity" Version="1.10.3" />
-    <PackageReference Include="Azure.Identity.Broker" Version="1.0.0-beta.5" />
-    <PackageReference Include="Microsoft.Identity.Client" Version="4.56.0" />
-    <PackageReference Include="Microsoft.Identity.Client.Extensions.Msal" Version="4.56.0" />
+    <PackageReference Include="Azure.Identity" Version="1.11.2" />
+    <PackageReference Include="Azure.Identity.Broker" Version="1.1.0" />
+    <PackageReference Include="Microsoft.Identity.Client" Version="4.60.3" />
+    <PackageReference Include="Microsoft.Identity.Client.Extensions.Msal" Version="4.60.3" />
+    <PackageReference Include="Microsoft.Identity.Client.Broker" Version="4.60.3"/>
   </ItemGroup>
 
   <ItemGroup>

src/Accounts/Authentication/Authentication/TokenCache/AdalTokenMigrator.cs

@@ -100,7 +100,11 @@ public void MigrateFromAdalToMsal(string tokenCacheFile)
                         var tenantId = GetTenantId(account.Username);
                         if(!string.IsNullOrEmpty(tenantId))
                         {
-                            clientApplication.AcquireTokenSilent(scopes, account).WithAuthority(environment.ActiveDirectoryAuthority, tenantId).ExecuteAsync().ConfigureAwait(false).GetAwaiter().GetResult();
+                            var uriBuilder = new UriBuilder(environment.ActiveDirectoryAuthority)
+                            {
+                                Path = tenantId
+                            };
+                            clientApplication.AcquireTokenSilent(scopes, account).WithTenantIdFromAuthority(uriBuilder.Uri).ExecuteAsync().ConfigureAwait(false).GetAwaiter().GetResult();
                         }
                     }
                     //TODO: Set HomeAccountId for migration

src/Accounts/Authentication/Authentication/TokenCache/PowerShellTokenCacheProvider.cs

@@ -21,6 +21,7 @@
 using Hyak.Common;
 
 using Microsoft.Azure.Commands.Common.Authentication.Abstractions;
+using Microsoft.Azure.Commands.Common.Authentication.Utilities;
 using Microsoft.Azure.Commands.Shared.Config;
 using Microsoft.Azure.Internal.Subscriptions;
 using Microsoft.Azure.Internal.Subscriptions.Models;
@@ -170,8 +171,7 @@ private SubscriptionClient GetSubscriptionClient(IAccessToken token, IAzureEnvir
         public virtual IPublicClientApplication CreatePublicClient(string authority = null)
         {
             var builder = PublicClientApplicationBuilder.Create(Constants.PowerShellClientId);
-            if (AzureSession.Instance.TryGetComponent<IConfigManager>(nameof(IConfigManager), out var config)
-                && config.GetConfigValue<bool>(ConfigKeys.EnableLoginByWam))
+            if (AzConfigReader.IsWamEnabled(authority))
             {
                 builder = builder.WithBroker(new BrokerOptions(BrokerOptions.OperatingSystems.Windows));
             }

src/Accounts/Authentication/Config/Definitions/EnableLoginByWamConfig.cs

@@ -27,7 +27,7 @@ namespace Microsoft.Azure.Commands.Common.Authentication.Config.Definitions
     /// </summary>
     internal class EnableLoginByWamConfig : TypedConfig<bool>
     {
-        public override object DefaultValue => false; // Opt-in. Will change to opt-out.
+        public override object DefaultValue => true;
 
         public override string Key => ConfigKeys.EnableLoginByWam;
 

src/Accounts/Authentication/Factories/AuthenticationFactory.cs

@@ -16,6 +16,7 @@
 using Microsoft.Azure.Commands.Common.Authentication.Abstractions;
 using Microsoft.Azure.Commands.Common.Authentication.Authentication;
 using Microsoft.Azure.Commands.Common.Authentication.Properties;
+using Microsoft.Azure.Commands.Common.Authentication.Utilities;
 using Microsoft.Azure.Commands.Common.Exceptions;
 using Microsoft.Azure.Commands.ResourceManager.Common;
 using Microsoft.Azure.Commands.Shared.Config;
@@ -24,6 +25,7 @@
 using Microsoft.Rest;
 using Microsoft.WindowsAzure.Commands.Common;
 using System;
+using System.Diagnostics;
 using System.Linq;
 using System.Security;
 using System.Threading.Tasks;
@@ -184,28 +186,23 @@ private static AzPSAuthenticationFailedException AnalyzeMsalException(Exception
             {
                 if (exception is MsalUiRequiredException msalUiRequiredException)
                 {
-                    //There's no official error message for requiring MFA permission, so have to compare UGLY error message
-                    if (msalUiRequiredException.ErrorCode == "invalid_grant" &&
-                        msalUiRequiredException.Message.Contains("you must use multi-factor authentication to access"))
+                    string errorMessage;
+                    string desensitizedMessage;
+                    if (NeedTenantArmPermission(environment, tenantId, resourceId))
                     {
-                        string errorMessage;
-                        string desensitizedMessage;
-                        if (NeedTenantArmPermission(environment, tenantId, resourceId))
-                        {
-                            errorMessage = $"You must use multi-factor authentication to access tenant {tenantId}, please rerun 'Connect-AzAccount' with additional parameter '-TenantId {tenantId}'.";
-                            desensitizedMessage = "MFA is required to access tenant";
-                        }
-                        else
-                        {
-                            errorMessage = $"You must use multi-factor authentication to access resource {resourceId}, please rerun 'Connect-AzAccount' with additional parameter '-AuthScope {resourceId}'.";
-                            desensitizedMessage = "MFA is required to access resource";
-                        }
-                        return new AzPSAuthenticationFailedException(
-                            errorMessage,
-                            msalUiRequiredException.ErrorCode,
-                            originalException,
-                            desensitizedMessage: desensitizedMessage);
+                        errorMessage = string.Format(Resources.ErrorMessageMsalInteractionRequiredWithTid, tenantId);
+                        desensitizedMessage = "MFA is required to access tenant";
                     }
+                    else
+                    {
+                        errorMessage = string.Format(Resources.ErrorMsgMsalInteractionRequiredWithResourceID, resourceId);
+                        desensitizedMessage = "MFA is required to access resource";
+                    }
+                    return new AzPSAuthenticationFailedException(
+                        errorMessage,
+                        msalUiRequiredException.ErrorCode,
+                        originalException,
+                        desensitizedMessage: desensitizedMessage);
                 }
                 exception = exception.InnerException;
             }
@@ -615,7 +612,7 @@ private AuthenticationParameters GetAuthenticationParameters(
 
         private static AuthenticationParameters GetInteractiveParameters(PowerShellTokenCacheProvider tokenCacheProvider, IAzureAccount account, IAzureEnvironment environment, string tenant, Action<string> promptAction, IAzureTokenCache tokenCache, string resourceId, string homeAccountId)
         {
-            return IsWamEnabled()
+            return AzConfigReader.IsWamEnabled(environment.ActiveDirectoryAuthority)
                 ? new InteractiveWamParameters(tokenCacheProvider, environment, tokenCache, tenant, resourceId, account.GetProperty("LoginHint"), homeAccountId, promptAction) as AuthenticationParameters
                 : new InteractiveParameters(tokenCacheProvider, environment, tokenCache, tenant, resourceId, account.GetProperty("LoginHint"), homeAccountId, promptAction);
         }
@@ -624,11 +621,5 @@ private static AuthenticationParameters GetSilentParameters(PowerShellTokenCache
         {
             return new SilentParameters(tokenCacheProvider, environment, tokenCache, tenant, resourceId, account.Id, homeAccountId);
         }
-
-        private static bool IsWamEnabled()
-        {
-            return AzureSession.Instance.TryGetComponent<IConfigManager>(nameof(IConfigManager), out var config)
-                && config.GetConfigValue<bool>(ConfigKeys.EnableLoginByWam);
-        }
     }
 }

src/Accounts/Authentication/Identity/MsalConfidentialClient.cs

@@ -173,7 +173,11 @@ public virtual async ValueTask<AuthenticationResult> AcquireTokenForClientCoreAs
 
             if (!string.IsNullOrEmpty(tenantId))
             {
-                builder.WithAuthority(AuthorityHost.AbsoluteUri, tenantId);
+                var uriBuilder = new UriBuilder(AuthorityHost.AbsoluteUri)
+                {
+                    Path = tenantId
+                };
+                builder.WithTenantIdFromAuthority(uriBuilder.Uri);
             }
             return await builder
                 .ExecuteAsync(async, cancellationToken)
@@ -208,7 +212,11 @@ public virtual async ValueTask<AuthenticationResult> AcquireTokenSilentCoreAsync
             var builder = client.AcquireTokenSilent(scopes, account);
             if (!string.IsNullOrEmpty(tenantId))
             {
-                builder.WithAuthority(AuthorityHost.AbsoluteUri, tenantId);
+                var uriBuilder = new UriBuilder(AuthorityHost.AbsoluteUri)
+                {
+                    Path = tenantId
+                };
+                builder.WithTenantIdFromAuthority(uriBuilder.Uri);
             }
             return await builder
                 .ExecuteAsync(async, cancellationToken)
@@ -244,7 +252,11 @@ public virtual async ValueTask<AuthenticationResult> AcquireTokenByAuthorization
 
             if (!string.IsNullOrEmpty(tenantId))
             {
-                builder.WithAuthority(AuthorityHost.AbsoluteUri, tenantId);
+                var uriBuilder = new UriBuilder(AuthorityHost.AbsoluteUri)
+                {
+                    Path = tenantId
+                };
+                builder.WithTenantIdFromAuthority(uriBuilder.Uri);
             }
             return await builder
                 .ExecuteAsync(async, cancellationToken)
@@ -280,7 +292,11 @@ public virtual async ValueTask<AuthenticationResult> AcquireTokenOnBehalfOfCoreA
 
             if (!string.IsNullOrEmpty(tenantId))
             {
-                builder.WithAuthority(AuthorityHost.AbsoluteUri, tenantId);
+                var uriBuilder = new UriBuilder(AuthorityHost.AbsoluteUri)
+                {
+                    Path = tenantId
+                };
+                builder.WithTenantIdFromAuthority(uriBuilder.Uri);
             }
             return await builder
                 .ExecuteAsync(async, cancellationToken)