Deprecate `--sdk-auth` of `az ad sp create-for-rbac`

[jiasli]

Related command

az ad sp create-for-rbac

Is your feature request related to a problem? Please describe.

The original designed consumers of the az ad sp create-for-rbac --sdk-auth JSON output - Azure SDKs (Java, Python, etc.) have deprecated the usage of get_client_from_json_dict (Azure/azure-sdk-for-python#15075). Azure CLI should deprecate --sdk-auth as well.

However, we can't immediately take --sdk-auth away because GitHub Action heavily relies on --sdk-auth, even though GitHub Action is not a designed consumer of --sdk-auth (Azure/github#152).

The output of az ad sp create-for-rbac without or with --sdk-auth varies a lot.

Without --sdk-auth:

> az ad sp create-for-rbac

{
  "appId": "21ec2946-231c-480f-86c7-824b215326a4",
  "displayName": "azure-cli-2022-02-07-07-07-00",
  "password": "{redacted_password}",
  "tenant": "54826b22-38d6-4fb2-bad9-b7b93a3e9c5a"
}

With --sdk-auth:

> az ad sp create-for-rbac --sdk-auth
{
  "clientId": "21ec2946-231c-480f-86c7-824b215326a4",
  "clientSecret": "{redacted_password}",
  "subscriptionId": "...",
  "tenantId": "54826b22-38d6-4fb2-bad9-b7b93a3e9c5a",
  "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
  "resourceManagerEndpointUrl": "https://management.azure.com/",
  "activeDirectoryGraphResourceId": "https://graph.windows.net/",
  "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/",
  "galleryEndpointUrl": "https://gallery.azure.com/",
  "managementEndpointUrl": "https://management.core.windows.net/"
}

The root cause leading to this confusion is due to the name inconsistency between Azure AD and Azure SDKs (#19872 (comment)):

Azure AD names	Azure SDK names
appId	clientId
password	clientSecret
tenant/directory	tenantId

Describe the solution you'd like

We should either

• Work with GitHub Action team to deprecate --sdk-auth
• Keep --sdk-auth indefinitely

Additional context

• [Profile] Deprecate --sdk-auth #19414
• {Role} Keep --sdk-auth, for now #19872
• [Core] ADAL to MSAL migration #19853

[yonzhan]

Deprecate --sdk-auth

[divyabhushan-okta]

@jiasli Following up with this thread.
Can you confirm if --sdk-auth was deprecated or not!
The official docs for az ad sp still lists the flag without any deprecation notice.

[mildronize]

I've seen the Azure CLI latest doc has been provide new option --json-auth will be different format than --sdk-auth

From my understanding, they will discontinue for --sdk-auth in the future

[dgolja]

Also crossplane upbound.io Azure provider configuration still relies on --sdk-auth - see

[BlaiseD]

I get an "Error: AADSTS7000229: The client application *** is missing service principal in the tenant ''" error message using --json-auth to create the principal in the Azure clou console and running azure/login@v2 in a GitHub action.

az ad sp create-for-rbac --name myPrincipal01 --role "Contributor" --scopes /subscriptions/{subscription-id}/resourceGroups/{resourceGroup}/providers/Microsoft.Web/sites/MyApp --json-auth

Using --sdk-auth instead of --json-auth got rid of the error.

Note: tenant:appOwnerOrganizationId was empty for the --json-auth principal e.g.

az ad sp list --all --query "[].{SPname:displayName, SPid:appId, tenant:appOwnerOrganizationId}" --filter "displayname eq 'myPrincipal01'" --output table