Azure
diff --git a/‎.github/CODEOWNERS‎
Lines changed: 1 addition & 1 deletion b/‎.github/CODEOWNERS‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.gitignore‎
Lines changed: 1 addition & 1 deletion b/‎.gitignore‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.vscode/cspell.json‎
Lines changed: 8 additions & 0 deletions b/‎.vscode/cspell.json‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎doc/dev/tests.md‎
Lines changed: 28 additions & 12 deletions b/‎doc/dev/tests.md‎
Lines changed: 28 additions & 12 deletions
diff --git a/‎eng/.docsettings.yml‎
Lines changed: 1 addition & 0 deletions b/‎eng/.docsettings.yml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎eng/common/TestResources/New-TestResources.ps1‎
Lines changed: 37 additions & 14 deletions b/‎eng/common/TestResources/New-TestResources.ps1‎
Lines changed: 37 additions & 14 deletions
@@ -277,7 +277,7 @@
 /sdk/mixedreality/azure-mixedreality-authentication/                 @RamonArguelles
 /sdk/remoterendering/                                                @FlorianBorn71
 
-# PRLabel: %Open AI
+# PRLabel: %OpenAI
 /sdk/openai/                                                         @kristapratico @glecaros
 
 # PRLabel: %Purview
 
@@ -3,7 +3,7 @@
 
 # Python cache
 __pycache__/
-*.pyc
+*.py[cod]
 .pytest_cache
 .mypy_cache
 .cache
 
@@ -90,6 +90,7 @@
     "sdk/translation/azure-ai-translation-document/samples/assets/**",
     "sdk/translation/azure-ai-translation-document/tests/glossaries-valid.csv",
     "sdk/storage/azure-storage-blob/**",
+    "sdk/storage/azure-storage-extensions/**",
     "sdk/ml/azure-ai-ml/azure/ai/ml/_restclient/**",
     "sdk/ml/azure-ai-ml/azure/ai/ml/_utils/_virtual_cluster_utils/_restclient/**",
     "sdk/ml/azure-ai-ml/azure/ai/ml/entities/_job/job_name_generator.py",
@@ -549,6 +550,13 @@
         "Jwcmlud"
       ]
     },
+    {
+      "filename": "sdk/identity/test-resources*",
+      "words": [
+        "kubelet",
+        "otsv"
+      ]
+    },
     {
       "filename": "sdk/identity/azure-identity/TROUBLESHOOTING.md",
       "words": [
 
@@ -181,6 +181,13 @@ Live Azure resources will be necessary in order to run live tests and produce re
 resource management commands, documented in [/eng/common/TestResources][test_resources], that streamline this process.
 Both pure ARM templates (`test-resources.json`) and BICEP files (`test-resources.bicep`) are supported.
 
+User-based authentication is preferred when using test resources. To enable this:
+- Use the [`-UserAuth` command flag][user_auth_flag] when running the `New-TestResources` script.
+- Set the environment variable `AZURE_TEST_USE_PWSH_AUTH` to "true" to authenticate with Azure PowerShell, or
+`AZURE_TEST_USE_CLI_AUTH` to "true" to authenticate with Azure CLI.
+  - Ensure you're logged into the tool you choose -- if
+you used `New-TestResources.ps1` to deploy resources, you'll already have logged in with Azure PowerShell.
+
 If you haven't yet set up a `test-resources` file for test resource deployment and/or want to use test resources of
 your own, you can just configure credentials to target these resources instead.
 
@@ -209,14 +216,20 @@ environment variables necessary to run live tests for the service. After storing
 -- formatted as `VARIABLE=value` on separate lines -- your credentials and test configuration variables will be set in
 our environment when running tests.
 
+If you used the [`-UserAuth` command flag][user_auth_flag] to deploy test resources, set either
+`AZURE_TEST_USE_PWSH_AUTH` or `AZURE_TEST_USE_CLI_AUTH` to "true" to authenticate with Azure PowerShell or Azure CLI,
+respectively. If both are set to true, Azure PowerShell will be used.
+
 If your service doesn't have a `test-resources` file for test deployment, you'll need to set environment variables
-for `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, and `AZURE_CLIENT_SECRET` at minimum.
+for authentication at minimum. For user-based authentication, use `AZURE_TEST_USE_PWSH_AUTH` or
+`AZURE_TEST_USE_CLI_AUTH` as described above.
 
+For service principal authentication:
 1. Set the `AZURE_SUBSCRIPTION_ID` variable to your organization's subscription ID. You can find it in the "Overview"
    section of the "Subscriptions" blade in the [Azure Portal][azure_portal].
 2. Define the `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, and `AZURE_CLIENT_SECRET` of a test service principal. If you do not
-   have a service principal, use the Azure CLI's [az ad sp create-for-rbac][azure_cli_service_principal] command (ideally,
-   using your alias as the service principal's name prefix):
+   have a service principal, use the Azure CLI's [az ad sp create-for-rbac][azure_cli_service_principal] command
+   (ideally, using your alias as the service principal's name prefix):
 
 ```
 az login
@@ -326,7 +339,9 @@ well. To run tests in playback, either set `AZURE_TEST_RUN_LIVE` to "false" or l
 
 ### Run and record tests
 
-With the `AZURE_TEST_RUN_LIVE` environment variable set to "true", use `pytest` to run your test(s) in live mode.
+First, refer to the [Configure test variables](#configure-test-variables) section to ensure environment variables are
+set for test resources and authentication. With the `AZURE_TEST_RUN_LIVE` environment variable set to "true", use
+`pytest` to run your test(s) in live mode.
 
 ```
 (env) azure-sdk-for-python\sdk\my-service\my-package> pytest tests
@@ -339,18 +354,18 @@ Playback test errors most frequently indicate a need for additional sanitizers a
 [Sanitize secrets](#sanitize-secrets)). If you encounter any unexpected errors, refer to the
 [test proxy troubleshooting guide][troubleshooting_guide].
 
-At this point there should folder called `recordings` inside your package's `tests` directory. Each recording in this
-folder will be a `.json` file that captures the HTTP traffic that was generated while running the test matching the
-file's name.
+If tests were recorded for a new library, there should now be a folder called `recordings` inside your package's
+`tests` directory. Each recording in this folder will be a `.json` file that captures the HTTP traffic that was
+generated while running the test matching the file's name.
 
 The final step in setting up recordings is to move these files out of the `azure-sdk-for-python` and into the
 `azure-sdk-assets` repository. The [recording migration guide][recording_move] describes how to do so. This step only
-needs to be completed once. Your library will have an `assets.json` file at its root, which stores the `azure-sdk-assets`
-tag that contains the current set of recordings.
+needs to be completed once. Your library will have an `assets.json` file at its root, which stores the
+`azure-sdk-assets` tag that contains the current set of recordings.
 
-From this point on, recordings will automatically be fetched when tests are run in playback mode -- either from
-a local cache (described in [Update test recordings](#update-test-recordings)), or from `azure-sdk-assets` if they're
-not locally available.
+From this point on, recordings will automatically be fetched when tests are run in playback mode -- either from a local
+cache (described in [Update test recordings](#update-test-recordings)), or from `azure-sdk-assets` if they're not
+locally available.
 
 #### Update test recordings
 
@@ -725,3 +740,4 @@ Tests that use the Shared Access Signature (SAS) to authenticate a client should
 [test_proxy_startup]: https://github.com/Azure/azure-sdk-for-python/blob/main/doc/dev/test_proxy_migration_guide.md#start-the-proxy-server
 [test_resources]: https://github.com/Azure/azure-sdk-for-python/tree/main/eng/common/TestResources#readme
 [troubleshooting_guide]: https://github.com/Azure/azure-sdk-for-python/blob/main/doc/dev/test_proxy_troubleshooting.md
+[user_auth_flag]: https://github.com/Azure/azure-sdk-for-python/blob/main/eng/common/TestResources/New-TestResources.ps1.md#-userauth
@@ -14,6 +14,7 @@ omitted_paths:
   - sdk/**/swagger/*
   - sdk/ml/azure-ai-ml/tests/*
   - sdk/vision/azure-ai-vision-imageanalysis/tests/*
+  - sdk/storage/azure-storage-extensions/*
 
 language: python
 root_check_enabled: True
 
@@ -92,6 +92,9 @@ param (
     [Parameter()]
     [switch] $SuppressVsoCommands = ($null -eq $env:SYSTEM_TEAMPROJECTID),
 
+    [Parameter()]
+    [switch] $UserAuth,
+
     # Captures any arguments not declared here (no parameter errors)
     # This enables backwards compatibility with old script versions in
     # hotfix branches if and when the dynamic subscription configuration
@@ -611,8 +614,19 @@ try {
         }
     }
 
+    if ($UserAuth) {
+        if ($TestApplicationId) {
+            Write-Warning "The specified TestApplicationId '$TestApplicationId' will be ignored when UserAuth is set."
+        }
+
+        $userAccount = (Get-AzADUser -UserPrincipalName (Get-AzContext).Account)
+        $TestApplicationOid = $userAccount.Id
+        $TestApplicationId = $testApplicationOid
+        $userAccountName = $userAccount.UserPrincipalName
+        Log "User authentication with user '$userAccountName' ('$TestApplicationId') will be used."
+    }
     # If no test application ID was specified during an interactive session, create a new service principal.
-    if (!$CI -and !$TestApplicationId) {
+    elseif (!$CI -and !$TestApplicationId) {
         # Cache the created service principal in this session for frequent reuse.
         $servicePrincipal = if ($AzureTestPrincipal -and (Get-AzADServicePrincipal -ApplicationId $AzureTestPrincipal.AppId) -and $AzureTestSubscription -eq $SubscriptionId) {
             Log "TestApplicationId was not specified; loading cached service principal '$($AzureTestPrincipal.AppId)'"
@@ -674,11 +688,11 @@ try {
     $PSBoundParameters['TestApplicationOid'] = $TestApplicationOid
     $PSBoundParameters['TestApplicationSecret'] = $TestApplicationSecret
 
-    # If the role hasn't been explicitly assigned to the resource group and a cached service principal is in use,
+    # If the role hasn't been explicitly assigned to the resource group and a cached service principal or user authentication is in use,
     # query to see if the grant is needed.
-    if (!$resourceGroupRoleAssigned -and $AzureTestPrincipal) {
+    if (!$resourceGroupRoleAssigned -and $TestApplicationOid) {
         $roleAssignment = Get-AzRoleAssignment `
-                            -ObjectId $AzureTestPrincipal.Id `
+                            -ObjectId $TestApplicationOid `
                             -RoleDefinitionName 'Owner' `
                             -ResourceGroupName "$ResourceGroupName" `
                             -ErrorAction SilentlyContinue
@@ -690,19 +704,20 @@ try {
    # considered a critical failure, as the test application may have subscription-level permissions and not require
    # the explicit grant.
    if (!$resourceGroupRoleAssigned) {
-        Log "Attempting to assigning the 'Owner' role for '$ResourceGroupName' to the Test Application '$TestApplicationId'"
-        $principalOwnerAssignment = New-AzRoleAssignment `
-                                        -RoleDefinitionName "Owner" `
-                                        -ApplicationId "$TestApplicationId" `
-                                        -ResourceGroupName "$ResourceGroupName" `
-                                        -ErrorAction SilentlyContinue
-
-        if ($principalOwnerAssignment.RoleDefinitionName -eq 'Owner') {
-            Write-Verbose "Successfully assigned ownership of '$ResourceGroupName' to the Test Application '$TestApplicationId'"
+        $idSlug = if ($userAuth) { "User '$userAccountName' ('$TestApplicationId')"} else { "Test Application '$TestApplicationId'"};
+        Log "Attempting to assign the 'Owner' role for '$ResourceGroupName' to the $idSlug"
+        $ownerAssignment = New-AzRoleAssignment `
+                            -RoleDefinitionName "Owner" `
+                            -ObjectId "$TestApplicationOId" `
+                            -ResourceGroupName "$ResourceGroupName" `
+                            -ErrorAction SilentlyContinue
+
+        if ($ownerAssignment.RoleDefinitionName -eq 'Owner') {
+            Write-Verbose "Successfully assigned ownership of '$ResourceGroupName' to the $idSlug"
         } else {
             Write-Warning ("The 'Owner' role for '$ResourceGroupName' could not be assigned. " +
                           "You may need to manually grant 'Owner' for the resource group to the " +
-                          "Test Application '$TestApplicationId' if it does not have subscription-level permissions.")
+                          "$idSlug if it does not have subscription-level permissions.")
         }
     }
 
@@ -1001,6 +1016,14 @@ The environment file will be named for the test resources template that it was
 generated for. For ARM templates, it will be test-resources.json.env. For
 Bicep templates, test-resources.bicep.env.
 
+.PARAMETER UserAuth
+Create the resource group and deploy the template using the signed in user's credentials.
+No service principal will be created or used.
+
+The environment file will be named for the test resources template that it was
+generated for. For ARM templates, it will be test-resources.json.env. For
+Bicep templates, test-resources.bicep.env.
+
 .PARAMETER SuppressVsoCommands
 By default, the -CI parameter will print out secrets to logs with Azure Pipelines log
 commands that cause them to be redacted. For CI environments that don't support this (like