Azure · rayluo · Jun 8, 2022 · Jun 8, 2022 · Jun 30, 2022 · Jul 8, 2022
@@ -755,7 +755,7 @@ def find_using_common_tenant(self, username, credential=None):
                     # The tenant requires MFA and can't be accessed with home tenant's refresh token
                     mfa_tenants.append(t)
                 else:
-                    logger.warning("Failed to authenticate '%s' due to error '%s'", t, ex)
+                    logger.warning("Failed to authenticate %s due to error '%s'", t.tenant_id_name, ex)
                 continue
 
             if not subscriptions:

@@ -94,7 +94,9 @@ def _msal_app_kwargs(self):
         return {
             "authority": self._msal_authority,
             "token_cache": Identity._msal_token_cache,
-            "http_cache": Identity._msal_http_cache
+            "http_cache": Identity._msal_http_cache,
+            # TODO: introduce a config option to allow turning broker off
+            "allow_broker": True
-            "allow_broker": True
+            "allow_broker": True,
-            "allow_broker": True
+            "allow_broker": True,
         }
 
     @property
@@ -129,9 +131,11 @@ def _service_principal_store(self):
     def login_with_auth_code(self, scopes, **kwargs):
         # Emit a warning to inform that a browser is opened.
         # Only show the path part of the URL and hide the query string.
-        logger.warning("A web browser has been opened at %s. Please continue the login in the web browser. "
-                       "If no web browser is available or if the web browser fails to open, use device code flow "
-                       "with `az login --use-device-code`.", self._msal_app.authority.authorization_endpoint)
+
+        # TODO: Figure out a way to detect if MSAL will use broker
+        # logger.warning("A web browser has been opened at %s. Please continue the login in the web browser. "
+        #                "If no web browser is available or if the web browser fails to open, use device code flow "
+        #                "with `az login --use-device-code`.", self._msal_app.authority.authorization_endpoint)
 
         from .util import read_response_templates
         success_template, error_template = read_response_templates()
@@ -140,7 +144,8 @@ def login_with_auth_code(self, scopes, **kwargs):
         # on port 8400 from the old design. However, ADFS only allows port 8400.
         result = self._msal_app.acquire_token_interactive(
             scopes, prompt='select_account', port=8400 if self._is_adfs else None,
-            success_template=success_template, error_template=error_template, **kwargs)
+            success_template=success_template, error_template=error_template,
+            parent_window_handle=self._msal_app.CONSOLE_WINDOW_HANDLE, **kwargs)
         return check_result(result)
 
     def login_with_device_code(self, scopes, **kwargs):
@@ -183,6 +188,12 @@ def logout_user(self, user):
             self._msal_app.remove_account(account)
 
     def logout_all_users(self):
+        # Remove users from MSAL
+        accounts = self._msal_app.get_accounts()
+        for account in accounts:
+            self._msal_app.remove_account(account)
+
+        # Also remove token cache file
         for e in file_extensions.values():
             _try_remove(self._token_cache_file + e)
 

@@ -40,7 +40,7 @@ def aad_error_handler(error, **kwargs):
         else "To re-authenticate, please run:\n{}").format(login_command)
 
     from azure.cli.core.azclierror import AuthenticationError
-    raise AuthenticationError(error_description, recommendation=login_message)
+    raise AuthenticationError(error_description, msal_error=error, recommendation=login_message)
 
 
 def _generate_login_command(scopes=None):

@@ -266,6 +266,9 @@ class RecommendationError(ClientError):
 
 class AuthenticationError(ServiceError):
     """ Raised when AAD authentication fails. """
+    def __init__(self, error_msg, msal_error=None, **kwargs):
+        super().__init__(error_msg, **kwargs)
+        self.msal_error = msal_error
 
 
 class HTTPError(CLIError):

@@ -51,7 +51,7 @@
     'jmespath',
     'knack~=0.9.0',
     'msal-extensions~=1.0.0',
-    'msal==1.18.0b1',
+    'msal[broker] @ git+https://github.com/AzureAD/microsoft-authentication-library-for-python.git@wam',  # Temporary source
     'msrestazure~=0.6.4',
     'packaging>=20.9,<22.0',
     'paramiko>=2.0.8,<3.0.0',