Az.Accounts 2.0.0-preview
Installation
This preview version of the Az.Accounts works with the current stable versions of the Az module, and will need to be installed side-by-side with these modules.
To install a prerelease modules in PowerShell, you will need to have at least version 1.6.0 of the PowerShellGet module on your machine. To see what version of PowerShellGet you currently have installed, you can run the following command:
Get-Module -Name PowerShellGet -ListAvailableTo install the latest version of PowerShellGet from the PowerShell Gallery, run the following command:
Install-Module -Name PowerShellGet -Repository PSGallery -ForceWith a compatible version of PowerShellGet installed, you can then install the preview version of Az.Accounts by running the following command:
Install-Module -Name Az.Accounts -Repository PSGallery -RequiredVersion 2.0.0-preview -AllowPrereleaseOnce installed, you will be able to freely use the existing Az commands with the commands found in the Az.Accounts module. When running commands, you can verify that the correct version of Az.Accounts was loaded by running the following command and verifying that the version loaded was "2.0.0":
Get-Module -Name Az.AccountsWhat's New?
In this preview of Az.Accounts, the underlying authentication library was changed to use the new Microsoft Authentication Library (MSAL), which allows for some new features in Azure PowerShell.
Single Sign-On Support
There is now a single token cache that is shared among multiple products, such as Visual Studio 2019 Preview 1 and Azure CLI. This new functionality allows accounts to be shared across these different tools, and removes the needs for users to continuously login across their different Azure tools.
In Azure PowerShell, you'll notice a few new things:
- When running a cmdlet in Azure PowerShell, there is always a check for an update in the shared token cache:
- If an account was added to the token cache, contexts will be created for each subscription for that account
- If an account was removed from the token cache, and it was associated with your default context, all contexts associated with that account will be removed and an error will be thrown asking to select a new default context or re-authenticate
- If an account was removed from the token cache, but it was your default context, all contexts associated with that account will be removed
- When running
Connect-AzAccount, the authenticated account will be added to the shared token cache (if not already found there), and other tool will pick up the new account immediately - When running
Disconnect-AzAccount, the corresponding account will be removed from the shared token cache and all contexts in Azure PowerShell associated with that account will be removed - When running
Clear-AzAccount, all contexts in Azure PowerShell will be removed and all accounts will be cleared from the shared token cache
PowerShell Core - Interactive Login
Previously, the default behavior when running the Connect-AzAccount cmdlet in PowerShell Core was to notify the user of a URL to go to and a code to enter at that site in order to authenticate with device code flow.
Now, the default behavior is similar to that of the Azure CLI: notify the user that their default browser has been launched for them and they will need to select an account that they want to authenticate with. There's no URL that needs to be followed or a code that needs to be entered anymore.
PowerShell Core - Username/Password Support
Previously, there was no support for username/password authentication for CSP accounts in PowerShell Core; this functionality can now be found in PowerShell Core versions of the Az.Account module.
Note: Username/password authentication was previously removed but added back for CSP accounts. If you are looking for authentication to do for automation, please use service principal authentication. A full discussion of this issue can be foud here.