Conversation

@jiasli (Member) commented Feb 25, 2021

Description

Fixes #16988, #16989
Requires #17072

When getting the certificate fails for VM SSH,

  1. the original AAD error is shown as a warning
  2. the browser is automatically launched to open /authorize with resource=https://pas.windows.net/CheckMyAccess/Linux

Conditional Access policy for MFA (#16989)

When ARM doesn't require MFA, but VM SSH does, az ssh vm calls /token and fails with

AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access 'ce6ff14a-7fdc-4685-bbe0-f6afdfcfa8e0'.
Trace ID: ab8e08ab-b0f3-4c1b-b2b8-85f905da5b00
Correlation ID: 73ad3fe7-524c-4a6f-9e14-b448fa4b8c06
Timestamp: 2021-02-25 11:21:49Z

CLI then launches the browser. The browser prompts the user to do MFA.

Conditional Access policy for compliance check (#16988)

When ARM doesn't require compliance check, but VM SSH does, az ssh vm calls /token and fails with

AADSTS53000: Device is not in required device state: compliant. Conditional Access policy requires a compliant device, and the device is not compliant. The user must enroll their device with an approved MDM provider like Intune.
Trace ID: fed27c52-e7f0-4d4b-a6df-51016ec54a00
Correlation ID: 582d7943-5bc3-4fd4-9bb9-f6c7721b131f
Timestamp: 2021-02-25 11:06:44Z

CLI then launches the browser. After logging in, the browser gives the user a better error message:

[screenshot: browser error message]

Limitation

  • Only user accounts with the authorization code flow are supported.
  • CLI should selectively launch the browser instead of launching the browser unconditionally for any AAD error.

Testing Guide

az login
az ssh vm -g <group> --vm-name <vm>
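As an added illustration (not Azure CLI's code and not the PR's diff), the fallback flow the description lays out, written as a stand-alone Python sketch: pull the AADSTS code and the support identifiers out of the /token error, log the original error as a warning, and build the /authorize URL for resource=https://pas.windows.net/CheckMyAccess/Linux. It goes one step beyond the PR by launching the browser only for the two Conditional Access codes quoted above, which is what the second limitation asks for; the tenant, client_id and redirect_uri values, the function names and the state parameter are assumptions, not CLI identifiers.

```python
# Added sketch of the PR's fallback flow; not Azure CLI code.
import logging
import re
import secrets
from urllib.parse import urlencode

# Resource the PR description says the browser is sent to /authorize for.
SSH_RESOURCE = "https://pas.windows.net/CheckMyAccess/Linux"

# AADSTS codes quoted in the PR, with the condition each one signals there.
CONDITIONAL_ACCESS_CODES = {
    "AADSTS50076": "multi-factor authentication required",
    "AADSTS53000": "compliant device required",
}

_CODE_RE = re.compile(r"\b(AADSTS\d+):")
_TRACE_RE = re.compile(r"Trace ID:\s*([0-9a-fA-F-]{36})")
_CORR_RE = re.compile(r"Correlation ID:\s*([0-9a-fA-F-]{36})")


def parse_aad_error(text):
    """Extract the AADSTS code, trace ID and correlation ID from an AAD error.

    Fields that are not present in the text come back as None.
    """
    def first(rx):
        m = rx.search(text)
        return m.group(1) if m else None

    return {"code": first(_CODE_RE),
            "trace_id": first(_TRACE_RE),
            "correlation_id": first(_CORR_RE)}


def should_launch_browser(code):
    """Selective launch (assumption): only the two Conditional Access codes
    from the PR warrant an interactive retry; the PR itself launches the
    browser for any AAD error and lists selective launching as future work."""
    return code in CONDITIONAL_ACCESS_CODES


def build_authorize_url(tenant, client_id, redirect_uri, resource=SSH_RESOURCE):
    """Build the AAD v1 /authorize URL for the authorization code flow.

    tenant, client_id and redirect_uri are caller-supplied placeholders; a
    random state value is included so the redirect can be tied to this request.
    """
    params = {"client_id": client_id,
              "response_type": "code",
              "redirect_uri": redirect_uri,
              "resource": resource,
              "state": secrets.token_urlsafe(16)}
    return f"https://login.microsoftonline.com/{tenant}/oauth2/authorize?{urlencode(params)}"


def handle_cert_failure(error_text, tenant, client_id, redirect_uri):
    """Steps 1 and 2 of the PR description: warn with the original AAD error,
    then return the /authorize URL the browser should open, or None when the
    error is not one the browser can remediate."""
    info = parse_aad_error(error_text)
    logging.warning("Getting SSH certificate failed: %s", error_text.strip())
    if not should_launch_browser(info["code"]):
        return None
    logging.warning("%s; launching browser (trace ID %s, correlation ID %s)",
                    CONDITIONAL_ACCESS_CODES[info["code"]],
                    info["trace_id"], info["correlation_id"])
    return build_authorize_url(tenant, client_id, redirect_uri)


# Constructed inputs: the two error messages quoted in the PR description.
MFA_ERROR = """AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access 'ce6ff14a-7fdc-4685-bbe0-f6afdfcfa8e0'.
Trace ID: ab8e08ab-b0f3-4c1b-b2b8-85f905da5b00
Correlation ID: 73ad3fe7-524c-4a6f-9e14-b448fa4b8c06
Timestamp: 2021-02-25 11:21:49Z"""

COMPLIANCE_ERROR = """AADSTS53000: Device is not in required device state: compliant. Conditional Access policy requires a compliant device, and the device is not compliant. The user must enroll their device with an approved MDM provider like Intune.
Trace ID: fed27c52-e7f0-4d4b-a6df-51016ec54a00
Correlation ID: 582d7943-5bc3-4fd4-9bb9-f6c7721b131f
Timestamp: 2021-02-25 11:06:44Z"""

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # The real CLI would hand this URL to webbrowser.open(); here we just show it.
    print(handle_cert_failure(MFA_ERROR, "common", "<client-id placeholder>",
                              "http://localhost:8400"))
```

The parsed trace and correlation IDs are what a support case needs, so logging them alongside the launch keeps the original failure traceable after the browser retry succeeds.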

@yonzhan (Collaborator) commented Feb 25, 2021

Automatically launch browser for ssh vm failure

@yonzhan yonzhan added this to the S184 milestone Feb 25, 2021
@jiasli jiasli changed the title [Computer] az ssh vm: Automatically launch browser when getting certificate fails [Compute] az ssh vm: Automatically launch browser when getting certificate fails Feb 25, 2021
@rayluo (Member) left a comment

LGTM

@jiasli jiasli linked an issue Feb 26, 2021 that may be closed by this pull request
@jiasli jiasli requested a review from SanDeo-MSFT March 5, 2021 09:31
jiasli added 2 commits March 5, 2021 18:23
# Conflicts:
#	src/azure-cli-core/azure/cli/core/_profile.py
#	src/azure-cli-core/azure/cli/core/adal_authentication.py
@jiasli jiasli marked this pull request as ready for review March 15, 2021 07:57
@SanDeo-MSFT left a comment

approved


Development

Successfully merging this pull request may close these issues:

  • MFA enforcement for SSH
  • Better remediation error message when SSH cert cannot be obtained for an unmanaged/non-compliant device

5 participants