[Issue] Azure CLI auth delegation not working

[scottaddie]

Output from azd version
azd version 1.23.2 (commit 83096ae)

What I hoped to accomplish
To set context, I'm hoping to delegate auth responsibilities to Azure CLI to gain access to the broker on Windows (WAM). Azure CLI supports this type of auth by default. See below for steps and thoughts as I attempted to accomplish this task.

To Reproduce

1. Ensure the latest version of Azure CLI is installed. I'm using v2.82.0.

2. Log out of Azure CLI via az logout. Then run az account show to ensure this message appears:

   Please run 'az login' to setup account.
   

3. Log out of azd via azd auth logout.

4. Configure auth delegation to Azure CLI by running the following command:

   azd config set auth.useAzCliAuth true
   

5. Run azd config show to ensure the setting was saved. Notice the following snippet in the JSON:

   {
     "auth": {
       "useAzCliAuth": "true"
     },

6. Run azd auth login and answer "N" to the question "Do you want to switch back to azd built-in authentication?" Notice the following error appears:

   ERROR: log in is not supported on current mode: az cli
   

   At this point, I'm confused for 2 reasons:

   1. The error message leads me to believe auth delegation isn't supported. If true, why does the auth.useAzCliAuth setting exist?
   2. When auth.useAzCliAuth has been set to true, I wouldn't expect to be prompted to switch back to azd built-in authN. My expectation was that azd would run az login on my behalf. That obviously didn't happen.

7. Run azd auth status for kicks. The following output appears:

   fetching az cli account: exit code: 1, stdout: , stderr: ERROR: Please run 'az login' to setup account.
   
   Not logged in, run `azd auth login` to login to Azure
   

   Now I'm confused again because the error asks me to run az login. Why can't azd run that command for me if I've set auth.useAzCliAuth to true? It's clearly aware of the command that needs to be run.

Additional notes

With Azure CLI auth delegation enabled, my expectation is that running azd auth login or azd auth logout would call az login or az logout on my behalf, respectively. Things don't appear to work that way today. If that's not the vision, some docs should be added to better explain the feature.

/cc: @kristenwomack @puicchan

[vhvb1989]

Hi @scottaddie,
The mechanics behind az auth-delegation mode is that the user is managing az directly and they have (or will) run az login in any way the need. It could be using a principal, or something specific that is not only az login. That's why azd would not run az login, bc we don't know if that's what the user wants or if az is already logged in.

[scottaddie]

@vhvb1989 I appreciate that explanation. I ran az login, followed by azd auth status --debug and now see that I'm authenticated via Azure CLI.

I think some docs will be extremely helpful for demystifying this feature. I won't be the last person to struggle. Thoughts on where such docs can be added? By the way, I noticed the auth.useAzCliAuth option doesn't appear in the list returned by azd config options. Any idea why?

[JeffreyCA]

By the way, I noticed the auth.useAzCliAuth option doesn't appear in the list returned by azd config options. Any idea why?

We just fixed this in #6619 and should be in the next release