Cli-microsoft365: Allow authentication using managed identity

Created on 12 Jan 2020 · 7 comments · Source: pnp/cli-microsoft365

In automation scenarios it would be beneficial if the CLI supported authentication using managed identity so that it's not necessary to manage credentials.

Labels: enhancement, work in progress

All 7 comments

To use Managed Identity in the Azure CLI on a VM, the login command has an option:

az login --identity

I would expect the O365 CLI to use a similar pattern on the login command. I would suggest a new AuthType option:

# System-assigned Managed Identity
o365 login --authType managed

# User-assigned Managed Identity
o365 login --authType managed --clientId <clientId>

It is the responsibility of the user to
a) configure managed identity for the host and
b) ensure the Managed Identity AuthType is specified only when executing on a host that supports Managed Identity.

Once login is successful, I would expect the CLI to acquire tokens from the Azure Instance Metadata service. I have an open question on Stack regarding the portability of code across VM/AppService.

References:

Thank you for the pointers @pschaeflein, they're very helpful 👍

Thank you for sharing @pschaeflein 👏🏻

I've been looking into using Managed Identities in Azure Functions recently as well. The implementation to obtain a token is actually very simple; the example below would be used for obtaining a token using a System-Assigned Identity. For a User-assigned Identity we would pass the Client Id as an additional query-string parameter.

import * as request from 'request-promise';

// Shape of the JSON the App Service / Functions MSI endpoint returns
interface IToken {
    access_token: string;
    expires_on: string;
    resource: string;
    token_type: string;
}

const getToken = async (resource: string): Promise<IToken> => {
    // MSI_ENDPOINT and MSI_SECRET are injected by the host when a managed identity is enabled
    const url: string = `${process.env["MSI_ENDPOINT"]}/?resource=${encodeURIComponent(resource)}&api-version=2017-09-01`;
    const options: request.RequestPromiseOptions = {
        headers: {
            "Accept": "application/json",
            "Secret": process.env["MSI_SECRET"]
        },
        json: true // parse the response body as JSON
    };
    // request-promise already returns a promise, so no manual Promise wrapper is needed
    return request.get(url, options);
}

It is the responsibility of the user to
a) configure managed identity for the host and
b) ensure the Managed Identity AuthType is specified only when executing on a host that supports Managed Identity.

Absolutely agree on this, but we should also help guide our users by providing some documentation, something in a similar format to how we produced the documentation for the GitHub Actions. We can include an explanation to help users understand the benefits of Managed Identity and simple tutorial e.g. "Hello World" that guides the user through the process of configuration and usage to aid adoption.

We should also consider whether there are commands missing from the CLI that would also be useful to aid the use of managed identities.

For example, to assign permissions to the Managed Identity Service Principal i.e. grant the SP the Sites.Read.All scope on SharePoint Online, you currently need to use a PowerShell command New-AzureADServiceAppRoleAssignment.

New-AzureADServiceAppRoleAssignment -ObjectId <MSI SP Object ID> -PrincipalId <MSI SP Object ID> -ResourceId <SPO Service App Object ID> -Id <SP Role ID>

I couldn't find an Azure CLI equivalent, so maybe there are a set of commands that we could add to the CLI to support the MSI login.

Reference

Edited by Velin:
https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=dotnet

So guys just FYI, the CLI is using the username (-u) option in the case of a user-assigned identity. Here are the help examples:

    Log in using a VM's system assigned identity
        az login --identity

    Log in using a VM's user assigned identity. Client or object ids of the service identity also work
        az login --identity -u /subscriptions/<subscriptionId>/resourcegroups/myRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myID

@waldekmastykarz, @pschaeflein and all, are we going to introduce a clientId option, or can we also keep it as username so in future we can handle clientId or objectId or mi_res_id from the username option, the same as the az cli?

Good input @VelinGeorgiev. I'd suggest we stay as close to az CLI as possible to avoid unnecessarily introducing new concepts.
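The thread proposes a login option that acquires tokens from the host's managed identity and asks how portable that is across a VM (Instance Metadata Service) and App Service / Functions (MSI_ENDPOINT), and whether the selector should accept a client id or a resource id the way `az login --identity -u` does. The example below is added here to show one way of putting those three points together; it is not cli-microsoft365 code and not the code of any commenter. The endpoint URLs, header names and api-versions are Microsoft's documented values for the three hosts; every function and type name (`buildTokenRequest`, `parseTokenResponse`, `acquireToken`, `HostEnv`, `SendRequest`), the constructed environment `sampleEnv` and the constructed token body `sampleBody` are this example's own assumptions.

```typescript
// Added example (not cli-microsoft365 code): building and validating managed-identity
// token requests for the hosts discussed in the thread. Function/type names and the
// constructed sample values are assumptions made for this example.

interface ManagedIdentityRequest {
  url: string;
  headers: Record<string, string>;
}

interface ManagedIdentityToken {
  access_token: string;
  expires_on: number; // Unix seconds; the services return it as a string
  resource: string;
  token_type: string;
}

// Minimal view of process.env so the example can run with a constructed environment.
type HostEnv = Partial<Record<'IDENTITY_ENDPOINT' | 'IDENTITY_HEADER' | 'MSI_ENDPOINT' | 'MSI_SECRET', string>>;

const IMDS_TOKEN_ENDPOINT = 'http://169.254.169.254/metadata/identity/oauth2/token';
const GUID_RE = /^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$/i;

function withQuery(base: string, params: Record<string, string>): string {
  const qs = Object.keys(params).map(k => `${k}=${encodeURIComponent(params[k])}`).join('&');
  return `${base}${base.indexOf('?') === -1 ? '?' : '&'}${qs}`;
}

// `identity` is what a --clientId / -u style option would carry: undefined for the
// system-assigned identity, a client id GUID or an ARM resource id for a user-assigned one.
function buildTokenRequest(resource: string, env: HostEnv, identity?: string): ManagedIdentityRequest {
  let selector: { kind: string; value: string } | undefined;
  if (identity !== undefined) {
    if (identity.indexOf('/subscriptions/') === 0) selector = { kind: 'mi_res_id', value: identity };
    else if (GUID_RE.test(identity)) selector = { kind: 'client_id', value: identity };
    else throw new Error(`Unrecognised managed identity selector: ${identity}`);
  }

  if (env.IDENTITY_ENDPOINT && env.IDENTITY_HEADER) {
    // App Service / Functions, current endpoint: api-version 2019-08-01, secret in X-IDENTITY-HEADER
    const params: Record<string, string> = { 'api-version': '2019-08-01', resource };
    if (selector) params[selector.kind] = selector.value;
    return { url: withQuery(env.IDENTITY_ENDPOINT, params), headers: { 'X-IDENTITY-HEADER': env.IDENTITY_HEADER } };
  }

  if (env.MSI_ENDPOINT && env.MSI_SECRET) {
    // App Service / Functions, legacy endpoint: api-version 2017-09-01 selects a
    // user-assigned identity by `clientid` only, so a resource id cannot be honoured here.
    if (selector && selector.kind !== 'client_id') {
      throw new Error('MSI_ENDPOINT (api-version 2017-09-01) accepts a client id only');
    }
    const params: Record<string, string> = { resource, 'api-version': '2017-09-01' };
    if (selector) params.clientid = selector.value;
    return { url: withQuery(env.MSI_ENDPOINT, params), headers: { Secret: env.MSI_SECRET } };
  }

  // No App Service variables: assume an Azure VM / VMSS and use the Instance Metadata
  // Service. The `Metadata: true` header is mandatory; IMDS rejects requests without it.
  const params: Record<string, string> = { 'api-version': '2018-02-01', resource };
  if (selector) params[selector.kind] = selector.value;
  return { url: withQuery(IMDS_TOKEN_ENDPOINT, params), headers: { Metadata: 'true' } };
}

// All three endpoints return the same JSON shape; refuse anything that is not a
// Bearer token for the resource that was requested.
function parseTokenResponse(body: string, expectedResource: string): ManagedIdentityToken {
  const raw = JSON.parse(body) as Record<string, unknown>;
  const accessToken = raw.access_token;
  const expiresOn = Number(raw.expires_on);
  if (typeof accessToken !== 'string' || accessToken.length === 0) throw new Error('response has no access_token');
  if (isNaN(expiresOn) || !isFinite(expiresOn)) throw new Error('response has no usable expires_on');
  if (raw.token_type !== 'Bearer') throw new Error(`unexpected token_type ${String(raw.token_type)}`);
  if (raw.resource !== expectedResource) throw new Error(`token issued for ${String(raw.resource)}, expected ${expectedResource}`);
  return { access_token: accessToken, expires_on: expiresOn, resource: expectedResource, token_type: 'Bearer' };
}

// Treat a token as expired a few minutes early so a long-running command never
// sends a token that lapses mid-request.
function isExpired(token: ManagedIdentityToken, nowSeconds: number, skewSeconds: number = 300): boolean {
  return token.expires_on - skewSeconds <= nowSeconds;
}

// HTTP is injected so the flow can be exercised offline; in a CLI this would wrap
// an https.request or request-promise call.
type SendRequest = (req: ManagedIdentityRequest) => Promise<string>;

async function acquireToken(resource: string, env: HostEnv, send: SendRequest, identity?: string): Promise<ManagedIdentityToken> {
  const req = buildTokenRequest(resource, env, identity);
  return parseTokenResponse(await send(req), resource);
}

// Constructed sample data: a fake legacy App Service environment and a fake token body.
const sampleEnv: HostEnv = { MSI_ENDPOINT: 'http://127.0.0.1:41203/MSI/token', MSI_SECRET: 'constructed-secret' };
const sampleBody = JSON.stringify({
  access_token: 'eyJ.constructed.token', expires_on: '1600000000',
  resource: 'https://graph.microsoft.com', token_type: 'Bearer'
});
const fakeSend: SendRequest = async () => sampleBody;
```

The host is detected from the environment variables the platform injects rather than from a user flag, which keeps point (b) of the proposal (only use managed identity where the host supports it) a runtime check instead of a documentation promise; when none of the variables is present the IMDS request is built and will simply fail on a host without IMDS. Validating `resource` in the response guards against a misconfigured endpoint handing back a token for a different audience.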
