Mark UsernamePasswordCredential as obsolete (Azure#48355)

christothes · web-flow · commit 941d3631569a · 2025-02-25T11:59:43.000-06:00
diff --git a/sdk/identity/Azure.Identity/CHANGELOG.md b/sdk/identity/Azure.Identity/CHANGELOG.md
@@ -9,6 +9,7 @@
 ### Bugs Fixed
 
 ### Other Changes
+- Marked `UsernamePasswordCredential` as obsolete because Resource Owner Password Credentials (ROPC) token grant flow is incompatible with multifactor authentication (MFA), which Microsoft Entra ID requires for all tenants. See https://aka.ms/azsdk/identity/mfa for details about MFA enforcement and migration guidance.
 
 ## 1.14.0-beta.1 (2025-02-11)
 
diff --git a/sdk/identity/Azure.Identity/api/Azure.Identity.net8.0.cs b/sdk/identity/Azure.Identity/api/Azure.Identity.net8.0.cs
@@ -422,6 +422,8 @@ protected UnsafeTokenCacheOptions() { }
         protected internal virtual System.Threading.Tasks.Task<Azure.Identity.TokenCacheData> RefreshCacheAsync(Azure.Identity.TokenCacheRefreshArgs args, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
         protected internal abstract System.Threading.Tasks.Task TokenCacheUpdatedAsync(Azure.Identity.TokenCacheUpdatedArgs tokenCacheUpdatedArgs);
     }
+    [System.ComponentModel.EditorBrowsableAttribute(System.ComponentModel.EditorBrowsableState.Never)]
+    [System.ObsoleteAttribute("This credential is deprecated because it doesn't support multifactor authentication (MFA). See https://aka.ms/azsdk/identity/mfa for details about MFA enforcement for Microsoft Entra ID and migration guidance.")]
     public partial class UsernamePasswordCredential : Azure.Core.TokenCredential
     {
         protected UsernamePasswordCredential() { }
diff --git a/sdk/identity/Azure.Identity/api/Azure.Identity.netstandard2.0.cs b/sdk/identity/Azure.Identity/api/Azure.Identity.netstandard2.0.cs
@@ -419,6 +419,8 @@ protected UnsafeTokenCacheOptions() { }
         protected internal virtual System.Threading.Tasks.Task<Azure.Identity.TokenCacheData> RefreshCacheAsync(Azure.Identity.TokenCacheRefreshArgs args, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
         protected internal abstract System.Threading.Tasks.Task TokenCacheUpdatedAsync(Azure.Identity.TokenCacheUpdatedArgs tokenCacheUpdatedArgs);
     }
+    [System.ComponentModel.EditorBrowsableAttribute(System.ComponentModel.EditorBrowsableState.Never)]
+    [System.ObsoleteAttribute("This credential is deprecated because it doesn't support multifactor authentication (MFA). See https://aka.ms/azsdk/identity/mfa for details about MFA enforcement for Microsoft Entra ID and migration guidance.")]
     public partial class UsernamePasswordCredential : Azure.Core.TokenCredential
     {
         protected UsernamePasswordCredential() { }
diff --git a/sdk/identity/Azure.Identity/src/Credentials/EnvironmentCredential.cs b/sdk/identity/Azure.Identity/src/Credentials/EnvironmentCredential.cs
@@ -114,7 +114,9 @@ internal EnvironmentCredential(CredentialPipeline pipeline, TokenCredentialOptio
                 }
                 else if (!string.IsNullOrEmpty(username) && !string.IsNullOrEmpty(password))
                 {
+#pragma warning disable CS0618 // Type or member is obsolete
                     Credential = new UsernamePasswordCredential(username, password, tenantId, clientId, envCredOptions, _pipeline, envCredOptions.MsalPublicClient);
+#pragma warning restore CS0618 // Type or member is obsolete
                 }
             }
         }
diff --git a/sdk/identity/Azure.Identity/src/Credentials/UsernamePasswordCredential.cs b/sdk/identity/Azure.Identity/src/Credentials/UsernamePasswordCredential.cs
@@ -8,6 +8,7 @@
 using System.Threading;
 using System.Threading.Tasks;
 using Azure.Core.Pipeline;
+using System.ComponentModel;
 
 namespace Azure.Identity
 {
@@ -16,6 +17,8 @@ namespace Azure.Identity
     ///  credential will fail to get a token throwing an <see cref="AuthenticationFailedException"/>. Also, this credential requires a high degree of
     ///  trust and is not recommended outside of prototyping when more secure credentials can be used.
     /// </summary>
+    [EditorBrowsable(EditorBrowsableState.Never)]
+    [Obsolete("This credential is deprecated because it doesn't support multifactor authentication (MFA). See https://aka.ms/azsdk/identity/mfa for details about MFA enforcement for Microsoft Entra ID and migration guidance.")]
     public class UsernamePasswordCredential : TokenCredential
     {
         private const string NoDefaultScopeMessage = "Authenticating in this environment requires specifying a TokenRequestContext.";
diff --git a/sdk/identity/Azure.Identity/tests/Azure.Identity.Tests.csproj b/sdk/identity/Azure.Identity/tests/Azure.Identity.Tests.csproj
@@ -3,6 +3,7 @@
   <PropertyGroup>
     <TargetFrameworks>$(RequiredTargetFrameworks)</TargetFrameworks>
     <IsPackable>false</IsPackable>
+    <NoWarn>$(NoWarn);0618</NoWarn>
   </PropertyGroup>
 
   <ItemGroup>

Original file line number	Diff line number	Diff line change
`@@ -422,6 +422,8 @@ protected UnsafeTokenCacheOptions() { }`
`422`	`422`	`protected internal virtual System.Threading.Tasks.Task<Azure.Identity.TokenCacheData> RefreshCacheAsync(Azure.Identity.TokenCacheRefreshArgs args, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }`
`423`	`423`	`protected internal abstract System.Threading.Tasks.Task TokenCacheUpdatedAsync(Azure.Identity.TokenCacheUpdatedArgs tokenCacheUpdatedArgs);`
`424`	`424`	`}`
	`425`	`+ [System.ComponentModel.EditorBrowsableAttribute(System.ComponentModel.EditorBrowsableState.Never)]`
	`426`	`+ [System.ObsoleteAttribute("This credential is deprecated because it doesn't support multifactor authentication (MFA). See https://aka.ms/azsdk/identity/mfa for details about MFA enforcement for Microsoft Entra ID and migration guidance.")]`
`425`	`427`	`public partial class UsernamePasswordCredential : Azure.Core.TokenCredential`
`426`	`428`	`{`
`427`	`429`	`protected UsernamePasswordCredential() { }`
Original file line number	Diff line number	Diff line change
`@@ -419,6 +419,8 @@ protected UnsafeTokenCacheOptions() { }`
`419`	`419`	`protected internal virtual System.Threading.Tasks.Task<Azure.Identity.TokenCacheData> RefreshCacheAsync(Azure.Identity.TokenCacheRefreshArgs args, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }`
`420`	`420`	`protected internal abstract System.Threading.Tasks.Task TokenCacheUpdatedAsync(Azure.Identity.TokenCacheUpdatedArgs tokenCacheUpdatedArgs);`
`421`	`421`	`}`
	`422`	`+ [System.ComponentModel.EditorBrowsableAttribute(System.ComponentModel.EditorBrowsableState.Never)]`
	`423`	`+ [System.ObsoleteAttribute("This credential is deprecated because it doesn't support multifactor authentication (MFA). See https://aka.ms/azsdk/identity/mfa for details about MFA enforcement for Microsoft Entra ID and migration guidance.")]`
`422`	`424`	`public partial class UsernamePasswordCredential : Azure.Core.TokenCredential`
`423`	`425`	`{`
`424`	`426`	`protected UsernamePasswordCredential() { }`
Original file line number	Diff line number	Diff line change
`@@ -114,7 +114,9 @@ internal EnvironmentCredential(CredentialPipeline pipeline, TokenCredentialOptio`
`114`	`114`	`}`
`115`	`115`	`else if (!string.IsNullOrEmpty(username) && !string.IsNullOrEmpty(password))`
`116`	`116`	`{`
	`117`	`+#pragma warning disable CS0618 // Type or member is obsolete`
`117`	`118`	`Credential = new UsernamePasswordCredential(username, password, tenantId, clientId, envCredOptions, _pipeline, envCredOptions.MsalPublicClient);`
	`119`	`+#pragma warning restore CS0618 // Type or member is obsolete`
`118`	`120`	`}`
`119`	`121`	`}`
`120`	`122`	`}`