[Feature Request] Support CAE

## Context

As explained in https://github.com/Azure/azure-cli/pull/19853#issuecomment-1011763038, Azure Identity SDK was dropped during MSAL migration. With that, the experimental CAE (Continuous Access Evaluation) support was dropped.

We need to support CAE in the new MSAL-based Azure CLI.

## Problems

### MSAL

MSAL.PY returns revoked access tokens even after re-login and updating the refresh token (https://github.com/AzureAD/microsoft-authentication-library-for-python/issues/335). This imposes some complexity in supporting CAE.

### Track 1 SDKs

Python SDK Track 2 has now supported challenge through `azure.mgmt.core.policies._authentication.ARMChallengeAuthenticationPolicy`, but there are still many Azure CLI modules or extensions based on Track 1 SDKs and there is and will be no CAE support for Track 1 SDKs (https://github.com/Azure/azure-cli/issues/20460).

### Microsoft Graph

According to my observation, Microsoft Graph has already enforced CAE. However, there is no Python SDK for Microsoft Graph and we use our own light-weight client to call Microsoft Graph API (https://github.com/Azure/azure-cli/issues/12946). We need to make that light-weight client support CAE as well.

## Reference

- https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation




Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[Feature Request] Support CAE #21296

Context

Problems

MSAL

Track 1 SDKs

Microsoft Graph

Reference

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[Feature Request] Support CAE #21296

Description

Context

Problems

MSAL

Track 1 SDKs

Microsoft Graph

Reference

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions