{Profile} az login: Add warning for username password flow (#28982)

Azure · Jun 24, 2024 · 41c2910 · 41c2910
1 parent ad23628
commit 41c2910
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 1 deletion.
diff --git a/src/azure-cli/azure/cli/command_modules/profile/_help.py b/src/azure-cli/azure/cli/command_modules/profile/_help.py
@@ -14,11 +14,17 @@
     By default, this command logs in with a user account. CLI will try to launch a web browser to log in interactively.
     If a web browser is not available, CLI will fall back to device code login.
 
+
+    [WARNING] Authentication with username and password in the command line is strongly discouraged.
+    Use one of the recommended authentication methods based on your requirements.
+    For more details, see https://go.microsoft.com/fwlink/?linkid=2276314
+
+
     To login with a service principal, specify --service-principal.
 examples:
     - name: Log in interactively.
       text: az login
-    - name: Log in with user name and password. This doesn't work with Microsoft accounts or accounts that have two-factor authentication enabled. Use -p=secret if the first character of the password is '-'.
+    - name: Log in with username and password. This doesn't work with Microsoft accounts or accounts that have two-factor authentication enabled. Use -p=secret if the first character of the password is '-'.
       text: az login -u johndoe@contoso.com -p VerySecret
     - name: Log in with a service principal using client secret. Use -p=secret if the first character of the password is '-'.
       text: az login --service-principal -u http://azure-cli-2016-08-05-14-31-15 -p VerySecret --tenant contoso.onmicrosoft.com

diff --git a/src/azure-cli/azure/cli/command_modules/profile/custom.py b/src/azure-cli/azure/cli/command_modules/profile/custom.py
@@ -41,6 +41,11 @@
     "[Warning] The login output has been updated. Please be aware that it no longer displays the full list of "
     "available subscriptions by default.\n")
 
+USERNAME_PASSWORD_DEPRECATION_WARNING = (
+    "Authentication with username and password in the command line is strongly discouraged. "
+    "Use one of the recommended authentication methods based on your requirements. "
+    "For more details, see https://go.microsoft.com/fwlink/?linkid=2276314")
+
 
 def list_subscriptions(cmd, all=False, refresh=False):  # pylint: disable=redefined-builtin
     """List the imported subscriptions."""
@@ -123,6 +128,8 @@ def login(cmd, username=None, password=None, service_principal=None, tenant=None
         raise CLIError("usage error: '--use-sn-issuer' is only applicable with a service principal")
     if service_principal and not username:
         raise CLIError('usage error: --service-principal --username NAME --password SECRET --tenant TENANT')
+    if username and not service_principal and not identity:
+        logger.warning(USERNAME_PASSWORD_DEPRECATION_WARNING)
 
     interactive = False