Support managed identity + application authentication #31628

@jiasli

Description

Related command
az login

Is your feature request related to a problem? Please describe.
MSAL previously had a draft PR AzureAD/microsoft-authentication-library-for-python#560 on supporting managed identity + application FIC authentication, but that PR has not been completed yet.

There is an internal work item for migrating to managed identity + multitenant application (MI+CCA). Below is some sample code:

Currently Azure CLI doesn't support MI+CCA, but there is a workaround:

# First log in with managed identity
az login --identity

# Acquire an access token for token exchange
token=$(az account get-access-token --scope api://AzureADTokenExchange/.default --query accessToken --output tsv)

# Use the above token as an OIDC token to log into the multitenant application
az login --service-principal --username <App ID> --federated-token $token

As $token is passed via --federated-token, #28708 will be hit. It would be better for MSAL to support MI+CCA authentication and refresh the managed identity's token on demand.

Then Azure CLI can expose this feature via something like

az login --service-principal --username <App ID> --fic-mi

After that, the AzureCLI@2 (Azure CLI v2) task and the Azure Login action also need to be updated to support this command.
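One way to implement the on-demand refresh the issue asks for, as an added example that is neither the issue's nor MSAL's code: the provider caches the managed identity token acquired for the token-exchange scope and re-fetches it shortly before expiry, so the assertion presented to the multitenant application is never stale. The `fetch_mi_token_via_cli` helper, the `expires_on` field in the CLI's JSON output, and the callable `client_assertion` wiring into msal are assumptions, not part of the issue.

```python
import json
import subprocess
import time
from typing import Callable, Optional, Tuple

# Scope whose tokens Entra ID accepts as a federated identity credential
# (FIC) assertion for the multitenant application (from the issue above).
TOKEN_EXCHANGE_SCOPE = "api://AzureADTokenExchange/.default"

# Re-acquire the managed identity token this many seconds before expiry so the
# assertion is never already expired when presented (the #28708 failure mode).
REFRESH_SKEW_SECONDS = 300


def fetch_mi_token_via_cli() -> Tuple[str, int]:
    """Hypothetical fetcher: runs the same `az account get-access-token` as the
    workaround (after `az login --identity`) and returns (token, expires_on).
    Assumes the JSON output carries an `expires_on` epoch field; not run offline."""
    out = subprocess.check_output(
        ["az", "account", "get-access-token", "--scope", TOKEN_EXCHANGE_SCOPE,
         "--output", "json"],
        text=True,
    )
    data = json.loads(out)
    return data["accessToken"], int(data["expires_on"])


class ManagedIdentityAssertionProvider:
    """Caches the managed identity token and re-fetches it on demand once it is
    within REFRESH_SKEW_SECONDS of expiry; calling the instance returns the
    current assertion. Assumed wiring: pass the instance as
    client_credential={"client_assertion": provider} to an msal
    ConfidentialClientApplication release that accepts a callable assertion."""

    def __init__(self, fetch: Callable[[], Tuple[str, int]] = fetch_mi_token_via_cli,
                 now: Callable[[], float] = time.time) -> None:
        self._fetch = fetch
        self._now = now
        self._token: Optional[str] = None
        self._expires_on = 0
        self.fetch_count = 0  # managed identity token acquisitions so far

    def __call__(self) -> str:
        needs_refresh = (self._token is None
                         or self._now() >= self._expires_on - REFRESH_SKEW_SECONDS)
        if needs_refresh:
            self._token, self._expires_on = self._fetch()
            self.fetch_count += 1
        return self._token
```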
