[Identity] Consistency review (Azure#49889)

* Reference docs

* Marking obsolete Username and Password option in EnvironmentCredentials and EnvVars

* Update samples and troubleshooting

* Update changelog

* ExportAPI

* Remove obsolete attribute for internal members

* Export API

* Remove unused imports and pragma warning disables

* Remove false statement in changelog

Author: JonathanCrd

sdk/identity/Azure.Identity/CHANGELOG.md

@@ -10,6 +10,9 @@
 
 ### Other Changes
 
+- Removed references to `Username`, `Password`, `AZURE_USERNAME`, and `AZURE_PASSWORD` in XML comments from `EnvironmentCredentialOptions` and `EnvironmentCredential` due to lack of MFA support. See [MFA enforcement details](https://aka.ms/azsdk/identity/mfa).
+- Marked `AZURE_USERNAME` and `AZURE_PASSWORD` as obsolete due to lack of MFA support. See [MFA enforcement details](https://aka.ms/azsdk/identity/mfa).
+
 ## 1.14.0-beta.4 (2025-05-01)
 
 ### Bugs Fixed

sdk/identity/Azure.Identity/TROUBLESHOOTING.md

@@ -15,7 +15,6 @@ This troubleshooting guide covers failure investigation techniques, common error
 - [Troubleshoot ClientSecretCredential authentication issues](#troubleshoot-clientsecretcredential-authentication-issues)
 - [Troubleshoot ClientCertificateCredential authentication issues](#troubleshoot-clientcertificatecredential-authentication-issues)
 - [Troubleshoot ClientAssertionCredential authentication issues](#troubleshoot-clientassertioncredential-authentication-issues)
-- [Troubleshoot UsernamePasswordCredential authentication issues](#troubleshoot-usernamepasswordcredential-authentication-issues)
 - [Troubleshoot WorkloadIdentityCredential authentication issues](#troubleshoot-workloadidentitycredential-authentication-issues)
 - [Troubleshoot ManagedIdentityCredential authentication issues](#troubleshoot-managedidentitycredential-authentication-issues)
   - [Azure Virtual Machine managed identity](#azure-virtual-machine-managed-identity)
@@ -165,15 +164,6 @@ DefaultAzureCredentialOptions options = new
 |AADSTS700023| Client assertion audience claim doesn't match Realm issuer. Review the documentation at [Microsoft Identity platform application authentication certificate credentials](https://learn.microsoft.com/entra/identity-platform/certificate-credentials). | Ensure the audience `aud` field in the JWT assertion created has the correct value for the audience specified in the payload. This should be set to `https://login.microsoftonline.com/{tenantId}/v2`.|
 |AADSTS50027| JWT token is invalid or malformed. | Ensure the JWT assertion token is in the valid format. Refer to the documentation for [client assertion format](https://learn.microsoft.com/entra/identity-platform/certificate-credentials).|
 
-## Troubleshoot `UsernamePasswordCredential` authentication issues
-
-`AuthenticationFailedException`
-
-| Error Code | Issue | Mitigation |
-|---|---|---|
-|AADSTS50076|Multifactor authentication (MFA) is enabled on your Entra tenant, and the username + password flow is incompatible with MFA.|Use a different credential, per the guidance at [Planning for mandatory MFA: Client libraries](https://aka.ms/azsdk/identity/mfa).|
-|AADSTS50126|The provided username or password is invalid|Ensure the `username` and `password` provided when constructing the credential are valid.|
-
 ## Troubleshoot `WorkloadIdentityCredential` authentication issues
 
 `CredentialUnavailableException`

sdk/identity/Azure.Identity/samples/TokenCache.md

@@ -87,7 +87,7 @@ If `UnsafeAllowUnencryptedStorage` is `false` (the default), a `CredentialUnavai
 
 ### Silently authenticate a user with AuthenticationRecord and TokenCachePersistenceOptions
 
-When authenticating a user via `InteractiveBrowserCredential`, `DeviceCodeCredential`, or `UsernamePasswordCredential`, an [AuthenticationRecord](https://learn.microsoft.com/dotnet/api/azure.identity.authenticationrecord?view=azure-dotnet) can be persisted as well. The authentication record is:
+When authenticating a user via `InteractiveBrowserCredential`, or `DeviceCodeCredential`, an [AuthenticationRecord](https://learn.microsoft.com/dotnet/api/azure.identity.authenticationrecord?view=azure-dotnet) can be persisted as well. The authentication record is:
 
 - Returned from the `Authenticate` API and contains data identifying an authenticated account.
 - Needed to identify the appropriate entry in the persisted token cache to silently authenticate on subsequent executions.
@@ -151,6 +151,5 @@ The following table indicates the state of in-memory and persistent caching in e
 | `InteractiveBrowserCredential` | Supported                                                              | Supported                     |
 | `ManagedIdentityCredential`    | Supported                                                              | Not Supported                 |
 | `OnBehalfOfCredential`         | Supported                                                              | Supported                     |
-| `UsernamePasswordCredential`   | Supported                                                              | Supported                     |
 | `VisualStudioCredential`       | Supported                                                              | Not Supported                 |
 | `WorkloadIdentityCredential`   | Supported                                                              | Supported                     |

sdk/identity/Azure.Identity/src/Credentials/DefaultAzureCredentialOptions.cs

@@ -5,7 +5,6 @@
 using System.Collections.Generic;
 using System.ComponentModel;
 using System.Diagnostics.CodeAnalysis;
-using System.Net;
 using Azure.Core;
 
 namespace Azure.Identity

sdk/identity/Azure.Identity/src/Credentials/EnvironmentCredential.cs

@@ -11,8 +11,7 @@
 namespace Azure.Identity
 {
     /// <summary>
-    /// Enables authentication to Microsoft Entra ID using a client secret or certificate, or as a user
-    /// with a username and password.
+    /// Enables authentication to Microsoft Entra ID using a client secret or certificate.
     /// <para>
     /// Configuration is attempted in this order, using these environment variables:
     /// </para>
@@ -40,13 +39,11 @@ namespace Azure.Identity
     /// <listheader><term>Variable</term><description>Description</description></listheader>
     /// <item><term>AZURE_TENANT_ID</term><description>The Microsoft Entra tenant (directory) ID.</description></item>
     /// <item><term>AZURE_CLIENT_ID</term><description>The client (application) ID of an App Registration in the tenant.</description></item>
-    /// <item><term>AZURE_USERNAME</term><description>The username, also known as upn, of a Microsoft Entra user account.</description></item>
-    /// <item><term>AZURE_PASSWORD</term><description>The password of the Microsoft Entra user account. Note this does not support accounts with MFA enabled.</description></item>
     /// </list>
     ///
-    /// This credential ultimately uses a <see cref="ClientSecretCredential"/>, <see cref="ClientCertificateCredential"/>, or <see cref="UsernamePasswordCredential"/> to
+    /// This credential ultimately uses a <see cref="ClientSecretCredential"/> or <see cref="ClientCertificateCredential"/> to
     /// perform the authentication using these details. Please consult the
-    /// documentation of that class for more details.
+    /// documentation of those classes for more details.
     /// </summary>
     public class EnvironmentCredential : TokenCredential
     {
@@ -129,7 +126,7 @@ internal EnvironmentCredential(CredentialPipeline pipeline, TokenCredential cred
 
         /// <summary>
         /// Obtains a token from Microsoft Entra ID, using the client details specified in the environment variables
-        /// AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET or AZURE_USERNAME and AZURE_PASSWORD to authenticate.
+        /// AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET to authenticate.
         /// Acquired tokens are <see href="https://aka.ms/azsdk/net/identity/token-cache">cached</see> by the credential
         /// instance. Token lifetime and refreshing is handled automatically. Where possible, <see href="https://aka.ms/azsdk/net/identity/credential-reuse">reuse credential instances</see>
         /// to optimize cache effectiveness.
@@ -149,7 +146,7 @@ public override AccessToken GetToken(TokenRequestContext requestContext, Cancell
 
         /// <summary>
         /// Obtains a token from Microsoft Entra ID, using the client details specified in the environment variables
-        /// AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET or AZURE_USERNAME and AZURE_PASSWORD to authenticate.
+        /// AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET to authenticate.
         /// Acquired tokens are <see href="https://aka.ms/azsdk/net/identity/token-cache">cached</see> by the credential
         /// instance. Token lifetime and refreshing is handled automatically. Where possible, <see href="https://aka.ms/azsdk/net/identity/credential-reuse">reuse credential instances</see>
         /// to optimize cache effectiveness.

sdk/identity/Azure.Identity/src/EnvironmentVariables.cs

@@ -4,7 +4,6 @@
 using System;
 using System.Collections.Generic;
 using System.Linq;
-using System.Net.Http.Headers;
 
 namespace Azure.Identity
 {