[Identity] Update AzurePowerShellCredential script (#41675)

- Only add the `-AsSecureString` argument when available and needed.
  This argument is no longer needed for `Az.Accounts` versions 5.0.0 and
  above.
- Update secure string parsing logic to allow it to work if a user is
  using Windows PowerShell instead of PowerShell 7+.

Signed-off-by: Paul Van Eck <[email protected]>
Co-authored-by: Minh-Anh Phan <[email protected]>

Author: pvaneck

sdk/identity/azure-identity/CHANGELOG.md

@@ -8,6 +8,8 @@
 
 ### Bugs Fixed
 
+- Fixed an issue with `AzurePowerShellCredential` not working correctly for users still using older versions of PowerShell (e.g., Windows PowerShell 5.1) where `-AsPlainText` is not supported in the `ConvertFrom-SecureString` cmdlet.  ([#41675](https://github.com/Azure/azure-sdk-for-python/pull/41675))
+
 ### Other Changes
 
 ## 1.23.0 (2025-05-13)

sdk/identity/azure-identity/azure/identity/_credentials/azure_powershell.py

@@ -41,15 +41,25 @@
     $params['TenantId'] = $tenantId
 }}
 
-$useSecureString = $m.Version -ge [version]'2.17.0'
-if ($useSecureString) {{
+if ($m.Version -ge [version]'2.17.0' -and $m.Version -lt [version]'5.0.0') {{
     $params['AsSecureString'] = $true
 }}
 
 $token = Get-AzAccessToken @params
 $tokenValue = $token.Token
-if ($useSecureString) {{
-    $tokenValue = $tokenValue | ConvertFrom-SecureString -AsPlainText
+if ($tokenValue -is [System.Security.SecureString]) {{
+    if ($PSVersionTable.PSVersion.Major -lt 7) {{
+        $ssPtr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($tokenValue)
+        try {{
+            $tokenValue = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($ssPtr)
+        }}
+        finally {{
+            [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ssPtr)
+        }}
+    }}
+    else {{
+        $tokenValue = $tokenValue | ConvertFrom-SecureString -AsPlainText
+    }}
 }}
 Write-Output "`nazsdk%$($tokenValue)%$($token.ExpiresOn.ToUnixTimeSeconds())`n"
 """

sdk/identity/azure-identity/tests/test_powershell_credential.py

@@ -5,7 +5,6 @@
 import base64
 from itertools import product
 import logging
-from platform import python_version
 import re
 import subprocess
 import sys
@@ -121,11 +120,10 @@ def test_get_token(stderr, get_token_method):
     decoded_script = base64.b64decode(encoded_script).decode("utf-16-le")
     assert "tenantId = ''" in decoded_script
     assert f"'ResourceUrl' = '{scope}'" in decoded_script
+    assert "-is [System.Security.SecureString]" in decoded_script
 
     assert Popen().communicate.call_count == 1
     args, kwargs = Popen().communicate.call_args
-    if python_version() >= "3.3":
-        assert "timeout" in kwargs
 
 
 @pytest.mark.parametrize("stderr,get_token_method", product(("", PREPARING_MODULES), GET_TOKEN_METHODS))

sdk/identity/azure-identity/tests/test_powershell_credential_async.py

@@ -115,6 +115,7 @@ async def test_get_token(stderr, get_token_method):
     decoded_script = base64.b64decode(encoded_script).decode("utf-16-le")
     assert "tenantId = ''" in decoded_script
     assert f"'ResourceUrl' = '{scope}'" in decoded_script
+    assert "-is [System.Security.SecureString]" in decoded_script
 
     assert mock_exec().result().communicate.call_count == 1