Replace hardcoded cloud-to-scope mappings with static SSH auth scope and deprecate SshAuthScope parameter #29228

Open
Copilot wants to merge 9 commits into main from copilot/refactor-cloud-scope-mappings

Contributor

Copilot AI commented Mar 3, 2026

Port of Azure CLI extensions PR #9465. Replaces per-cloud scope URL mappings with a single app ID-based scope that works across all clouds, and deprecates the SshAuthScope environment property.

Changes

  • SshCredentialFactory.cs: Remove CloudToScope dictionary (which only covered AzureCloud, AzureChinaCloud, AzureUSGovernment) and the AzureSshAuthScope environment property lookup. The SSH auth scope is now solely determined by the static value ce6ff14a-7fdc-4685-bbe0-f6afdfcfa8e0/.default, which works across all clouds.
  • SetAzureRMEnvironment.cs and AddAzureRMEnvironment.cs: Updated the SshAuthScope parameter's HelpMessage metadata to indicate it is deprecated and will be removed in a future release.
  • Set-AzEnvironment.md and Add-AzEnvironment.md: Updated the -SshAuthScope parameter description to indicate it is deprecated and will be removed in a future release.
  • ChangeLog.md: Added entries for the static scope change and the deprecation of -SshAuthScope.

```csharp
// Before: cloud-specific dictionary lookup, fails for unlisted clouds
return environment.GetProperty(AzureEnvironment.ExtendedEndpoint.AzureSshAuthScope)
    ?? CloudToScope.GetValueOrDefault(environment.Name.ToLower(), null);

// After: static scope works for all clouds, no environment property reference
return $"{AadSshLoginForLinuxServerAppId}/.default";
```
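An added model of the scope-resolution change described above (illustrative code, not taken from the PR or the Azure PowerShell source). `OldScope`, `NewScope`, the `MyPrivateCloud` cases and the placeholder scope strings are assumptions; only the app ID and the three cloud names come from the page.

```csharp
using System;
using System.Collections.Generic;

static class SshScopeDemo
{
    // App ID quoted in the PR description.
    const string AadSshLoginForLinuxServerAppId = "ce6ff14a-7fdc-4685-bbe0-f6afdfcfa8e0";

    // Stand-in for the removed CloudToScope dictionary. The real per-cloud
    // scope URLs are not shown on the page, so these values are placeholders.
    static readonly Dictionary<string, string> CloudToScope = new Dictionary<string, string>
    {
        ["azurecloud"] = "<AzureCloud scope placeholder>",
        ["azurechinacloud"] = "<AzureChinaCloud scope placeholder>",
        ["azureusgovernment"] = "<AzureUSGovernment scope placeholder>",
    };

    // Old behaviour: the environment property wins, then the per-cloud table.
    // Returns null when neither source knows the cloud.
    static string OldScope(string cloudName, string envSshAuthScope)
    {
        if (envSshAuthScope != null) return envSshAuthScope;
        return CloudToScope.TryGetValue(cloudName.ToLowerInvariant(), out var scope) ? scope : null;
    }

    // New behaviour: one scope for every cloud; the environment value is never read.
    static string NewScope() => $"{AadSshLoginForLinuxServerAppId}/.default";

    static void Main()
    {
        // Constructed cases: cloud name plus the value stored via -SshAuthScope (or null).
        var cases = new (string Cloud, string EnvScope)[]
        {
            ("AzureCloud", null),
            ("AzureUSGovernment", null),
            ("MyPrivateCloud", null),                         // unlisted cloud
            ("MyPrivateCloud", "<custom scope placeholder>"), // override that used to win
        };
        foreach (var (cloud, env) in cases)
        {
            var before = OldScope(cloud, env) ?? "(null)";
            var note = env != null ? "  <- stored -SshAuthScope value is now ignored" : "";
            Console.WriteLine($"{cloud,-18} old={before} | new={NewScope()}{note}");
        }
    }
}
```

The last constructed case is the one to check during an upgrade: an environment that relied on a stored scope value silently switches to the static scope.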


@azure-client-tools-bot-prd

Thanks for your contribution! The pull request validation has started. Please revisit this comment for updated status.

Copilot AI and others added 2 commits March 3, 2026 01:17
Replace the CloudToScope dictionary mapping specific cloud names to
cloud-specific scope URLs with a single static scope using the AAD
SSH Login for Linux server app ID (ce6ff14a-7fdc-4685-bbe0-f6afdfcfa8e0).
This enables SSH authentication across all clouds instead of only
supporting AzureCloud, AzureChinaCloud, and AzureUSGovernment.

The environment property AzureSshAuthScope still takes precedence
when set, preserving backward compatibility.

Similar to Azure CLI extensions PR #9465.

Co-authored-by: isra-fel <11371776+isra-fel@users.noreply.github.com>
Co-authored-by: isra-fel <11371776+isra-fel@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Refactor cloud-to-scope mappings to use static value" to "Replace hardcoded cloud-to-scope mappings with static SSH auth scope" Mar 3, 2026
@isra-fel
Member

isra-fel commented Mar 3, 2026

@copilot here are my comments:
Let's deprecate the AzureSshAuthScope property by (a) not referencing it at all in SshCredentialFactory.cs and relying solely on the static scope value, and (b) updating the reference documents of Set-AzEnvironment or Add-AzEnvironment (potentially more docs) to state that the AzureSshAuthScope parameter should not be used.

Copilot AI and others added 2 commits March 3, 2026 01:59
- Remove AzureSshAuthScope environment property lookup from
  SshCredentialFactory.cs, relying solely on static scope value
- Remove unused using directives (AzPSKeyNotFoundException, etc.)
- Update Set-AzEnvironment and Add-AzEnvironment help docs to
  mark -SshAuthScope parameter as deprecated
- Update ChangeLog.md with deprecation notice

Co-authored-by: isra-fel <11371776+isra-fel@users.noreply.github.com>
…64UrlHelper)

Co-authored-by: isra-fel <11371776+isra-fel@users.noreply.github.com>
Contributor Author

Copilot AI commented Mar 3, 2026

> @copilot here are my comments:
> Let's deprecate the AzureSshAuthScope property by (a) not referencing it at all in SshCredentialFactory.cs and relying solely on the static scope value...

Done in a165a45. Changes made:

  • SshCredentialFactory.cs: Removed AzureSshAuthScope environment property lookup entirely — GetAuthScope() now returns only the static scope value (ce6ff14a-7fdc-4685-bbe0-f6afdfcfa8e0/.default). Also removed the now-unnecessary null check and AzPSKeyNotFoundException throw.
  • Set-AzEnvironment.md and Add-AzEnvironment.md: Updated the -SshAuthScope parameter description to state it is deprecated and has no effect.
  • ChangeLog.md: Added deprecation notice for the -SshAuthScope parameter.

Copilot AI changed the title from "Replace hardcoded cloud-to-scope mappings with static SSH auth scope" to "Replace hardcoded cloud-to-scope mappings with static SSH auth scope and deprecate SshAuthScope parameter" Mar 3, 2026
@isra-fel
Member

isra-fel commented Mar 3, 2026

One last thing @copilot: find the source code of the *-AzEnvironment cmdlets and update the parameter metadata in it, because they are the source of truth of documents.

…zEnvironment cmdlet source

Co-authored-by: isra-fel <11371776+isra-fel@users.noreply.github.com>
Contributor Author

Copilot AI commented Mar 3, 2026

> One last thing @copilot: find the source code of the *-AzEnvironment cmdlets and update the parameter metadata in it, because they are the source of truth of documents.

Updated the HelpMessage in both SetAzureRMEnvironment.cs and AddAzureRMEnvironment.cs to indicate the -SshAuthScope parameter is deprecated and has no effect. See commit 0aee3e8.

Co-authored-by: isra-fel <11371776+isra-fel@users.noreply.github.com>
@isra-fel isra-fel marked this pull request as ready for review March 3, 2026 09:43
Copilot AI review requested due to automatic review settings March 3, 2026 09:43
@isra-fel
Member

isra-fel commented Mar 3, 2026

/azp run azure-powershell - security-tools

@azure-pipelines
Contributor

Azure Pipelines successfully started running 1 pipeline(s).

Member

@isra-fel isra-fel left a comment

LGTM

@isra-fel isra-fel requested a review from vthiebaut10 March 3, 2026 09:47
@isra-fel isra-fel enabled auto-merge (squash) March 3, 2026 09:48
Contributor

Copilot AI left a comment

Pull request overview

This PR updates Azure PowerShell’s SSH certificate authentication to use a single, cross-cloud AAD app scope instead of per-cloud scope mappings, and deprecates the -SshAuthScope environment parameter accordingly.

Changes:

  • Simplified SshCredentialFactory to always use a static SSH auth scope (ce6ff14a-7fdc-4685-bbe0-f6afdfcfa8e0/.default) and removed the cloud-to-scope mapping + environment property lookup.
  • Marked -SshAuthScope as deprecated in cmdlet parameter help metadata (Add-AzEnvironment, Set-AzEnvironment) and updated reference help markdown.
  • Added release notes entries describing the static scope change and the parameter deprecation.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 4 comments.

| File | Description |
| --- | --- |
| src/Accounts/Authentication/Factories/SshCredentialFactory.cs | Removes cloud/env-property scope resolution in favor of a single static .default scope. |
| src/Accounts/Accounts/Environment/SetAzureRMEnvironment.cs | Updates -SshAuthScope parameter help text to indicate deprecation. |
| src/Accounts/Accounts/Environment/AddAzureRMEnvironment.cs | Updates -SshAuthScope parameter help text to indicate deprecation. |
| src/Accounts/Accounts/help/Set-AzEnvironment.md | Updates -SshAuthScope reference help to indicate deprecation. |
| src/Accounts/Accounts/help/Add-AzEnvironment.md | Updates -SshAuthScope reference help to indicate deprecation. |
| src/Accounts/Accounts/ChangeLog.md | Adds Upcoming Release notes for the static scope behavior and deprecation. |

Comment on lines +22 to +23
* Replaced hardcoded cloud-to-scope mappings in SSH credential factory with a static scope, enabling SSH authentication across all clouds.
* Deprecated the `-SshAuthScope` parameter in `Set-AzEnvironment` and `Add-AzEnvironment`. The SSH authentication scope is now determined automatically.
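Review bot: The second entry (line +23) says the scope is "determined automatically" but does not say that a value already stored through -SshAuthScope stops being used. Per the PR description, the factory previously preferred the environment's AzureSshAuthScope over the cloud table, so environments that set it will change scope on upgrade. State that explicitly in the entry, for example "a previously configured value is ignored".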

Copilot AI Mar 3, 2026

These ChangeLog entries are fairly implementation-focused (e.g., “cloud-to-scope mappings in SSH credential factory”). Since the ChangeLog is user-facing, consider rephrasing in terms of user impact (e.g., SSH certificate auth now works across Azure clouds without configuring -SshAuthScope, and -SshAuthScope is deprecated).

Suggested change
* Replaced hardcoded cloud-to-scope mappings in SSH credential factory with a static scope, enabling SSH authentication across all clouds.
* Deprecated the `-SshAuthScope` parameter in `Set-AzEnvironment` and `Add-AzEnvironment`. The SSH authentication scope is now determined automatically.
* Improved SSH (Secure Shell) certificate authentication for Az SSH cmdlets across all Azure clouds.
- SSH certificate authentication now works across all Azure clouds without configuring the `-SshAuthScope` parameter.
- The `-SshAuthScope` parameter in `Set-AzEnvironment` and `Add-AzEnvironment` is deprecated, and the SSH authentication scope is now determined automatically.

[Parameter(ParameterSetName = EnvironmentPropertiesParameterSet, Mandatory = false, ValueFromPipelineByPropertyName = true,
HelpMessage = "The scope for authentication when SSH to an Azure VM.")]
HelpMessage = "This parameter is deprecated and will be removed in a future release. The SSH authentication scope is now determined automatically and does not need to be configured.")]
public string SshAuthScope { get; set; }
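Review bot: The new HelpMessage says the parameter "will be removed in a future release", which reads as though a supplied value still takes effect until then. Elsewhere in this PR the parameter is described as deprecated and having no effect, so say that here too (for example "deprecated and ignored"), and keep the wording identical in SetAzureRMEnvironment.cs and AddAzureRMEnvironment.cs, since the cmdlet source is the source of truth for the help docs.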

Copilot AI Mar 3, 2026

-SshAuthScope is now documented as deprecated, but the cmdlet still persists the value into the environment (AzureSshAuthScope). Since the SSH credential flow no longer reads this endpoint, consider emitting a warning when the parameter is supplied (and/or ignoring it) to avoid users thinking it will affect SSH auth.

Suggested change
public string SshAuthScope { get; set; }
[Obsolete("This parameter is deprecated and is ignored. SSH authentication scope is determined automatically.")]
public string SshAuthScope
{
get
{
// This parameter is deprecated and intentionally ignored.
// Returning null ensures that any existing code paths that read this
// property will not use a user supplied value.
return null;
}
set
{
if (!string.IsNullOrEmpty(value))
{
// Emit a warning so users know this parameter no longer affects SSH authentication.
WriteWarning("The SshAuthScope parameter is deprecated and is ignored. SSH authentication scope is now determined automatically and does not need to be configured.");
}
}
}
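Review bot: In the suggested replacement, the warning is raised from the property setter, which runs during parameter binding rather than in ProcessRecord, and the getter returns null unconditionally while the setter discards the value. The [Obsolete] attribute on the parameter is already a deprecation signal; if a custom warning is still wanted, emit it once from ProcessRecord when the parameter was bound. Before making the getter return null, confirm that nothing else in the cmdlet reads SshAuthScope, because the existing code that persists it into the environment would then store null.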

Comment on lines 228 to 230
[Parameter(ParameterSetName = EnvironmentPropertiesParameterSet, Mandatory = false, ValueFromPipelineByPropertyName = true,
HelpMessage = "The scope for authentication when SSH to an Azure VM.")]
HelpMessage = "This parameter is deprecated and will be removed in a future release. The SSH authentication scope is now determined automatically and does not need to be configured.")]
public string SshAuthScope { get; set; }

Copilot AI Mar 3, 2026

-SshAuthScope is now documented as deprecated, but the cmdlet still persists the value into the environment (AzureSshAuthScope). Since the SSH credential flow no longer reads this endpoint, consider emitting a warning when the parameter is supplied (and/or ignoring it) to avoid users thinking it will affect SSH auth.
