@vhvb1989
Member

This PR makes it possible to set the AZ_USE_AZD_AUTH env var to make az use azd to generate the access tokens.

By having this feature, AZD will be able to call AZ and set the ENV VAR as part of the process invocation, effectively re-using AZD's current authentication for AZ.
For example, using az inside azd's hooks would no longer require folks to log in to both az and azd, enhancing the user experience.

This change should have no effect if the ENV VAR is not set.

Copilot AI review requested due to automatic review settings June 26, 2025 22:58
@azure-client-tools-bot-prd

Validation for Azure CLI Full Test Starting...

Thanks for your contribution!

@azure-client-tools-bot-prd

Validation for Breaking Change Starting...

Thanks for your contribution!

@yonzhan
Collaborator

yonzhan commented Jun 26, 2025

Thank you for your contribution! We will review the pull request and get back to you soon.

Contributor

Copilot AI left a comment

Pull Request Overview

This PR adds support to use AZD as the token credential provider by enabling the AZ_USE_AZD_AUTH environment variable. It updates dependency versions in requirement files and setup.py and adds a new authentication path in _profile.py that leverages AzureDeveloperCliCredential.

  • Added azure-identity dependency in Windows, Linux, and Darwin requirement files.
  • Updated dependency version constraints in setup.py.
  • Introduced AZD authentication flow in get_raw_token with a fallback to standard authentication.

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| src/azure-cli/requirements.py3.*.txt | Add azure-identity version 1.15.0 dependency |
| src/azure-cli-core/setup.py | Update dependency version for azure-identity and msal[broker] |
| src/azure-cli-core/azure/cli/core/_profile.py | Add support for AZD authentication via the AZ_USE_AZD_AUTH env var |

Comments suppressed due to low confidence (2)

src/azure-cli-core/azure/cli/core/_profile.py:350

  • Please ensure that the new AZD authentication flow (lines 350-387) is covered by tests, especially for handling token generation and fallback behavior when an exception occurs.
        # Check if AZ_USE_AZD_AUTH environment variable is set

src/azure-cli-core/setup.py:48

  • There is a potential inconsistency: the requirements files enforce azure-identity==1.15.0 while setup.py requires >=1.12.0. Consider aligning these versions to ensure consistent dependency resolution.
    'azure-identity>=1.12.0',

@github-actions

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR.

Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
After that please run the following commands to enable git hooks:

pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>

@vhvb1989 vhvb1989 self-assigned this Jun 26, 2025
@kristenwomack

This will be a HUGE improvement in the dev experience flow! Azure customers will appreciate this.

@rajeshkamal5050

Thanks @jiasli and @yonzhan for looking into this. This enhancement will significantly improve the experience for AZD users allowing them to seamlessly leverage AZD's authn in AZ. Also, the change appears to be well scoped and should not affect AZ's call flow unless the AZ_USE_AZD_AUTH environment variable is specifically set.

Nice change @vhvb1989


def get_raw_token(self, resource=None, scopes=None, subscription=None, tenant=None):
# Check if AZ_USE_AZD_AUTH environment variable is set
if os.environ.get('AZ_USE_AZD_AUTH'):
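
Review bot: `os.environ.get('AZ_USE_AZD_AUTH')` on the `if` line is true for any non-empty value, so `AZ_USE_AZD_AUTH=0` or `AZ_USE_AZD_AUTH=false` still switches the credential source. Compare against an explicit set of accepted values (for example `1` or `true`) and document which values enable the path, since this variable decides whose identity az runs as.
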
Member

Only changing get_raw_token is far from enough.

  1. get_raw_token is only designed for getting the raw token. It cannot be used with Python SDK. To invoke Python SDK, it is required to call get_login_credentials to get the credential.
  2. The account (returned by az account show) containing the current subscription and tenant must also be set. This makes get_subscription work, which is required by get_login_credentials:
    account = self.get_subscription(subscription_id)

# Check if AZ_USE_AZD_AUTH environment variable is set
if os.environ.get('AZ_USE_AZD_AUTH'):
try:
from azure.identity import AzureDeveloperCliCredential
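
Review bot: The `from azure.identity import AzureDeveloperCliCredential` line sits inside the `try`, so an ImportError from a missing or conflicting azure-identity install is handled together with token-acquisition failures. Move the import ahead of the `try`, or catch ImportError on its own and fail with a clear message; if the handler falls back to the standard flow, a caller who set AZ_USE_AZD_AUTH would otherwise get a different credential without being told.
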
Member

Azure CLI dropped the dependency on azure-identity in #22124 and has no plan to add it back, as azure-identity frequently causes dependency conflicts.

@jiasli
Member

jiasli commented Jun 30, 2025

We currently don't want to introduce dependency on AZD or azure-identity library.

An alternative approach is for Azure CLI to support bring-your-own access token (#31575) and feed the access token into Azure CLI via environment variables. This will allow Azure CLI to use external credentials. I understand this may not be the best approach as the user will need to use AZD to get the access token and set the environment variable for Azure CLI. The user also needs to take scopes and token expiration into consideration while feeding the access token into Azure CLI.

Or, we may reuse environment variables from #31575, and invoke Azure CLI with

export AZURE_CLI_ACCESS_TOKEN=AZD      # Use a special value for calling AzureDeveloperCliCredential
export AZURE_CLI_SUBSCRIPTION_ID=<subscription_id>
export AZURE_CLI_TENANT_ID=<tenant_id>
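
The scope and expiration concerns raised in the comment above can be checked before a token is handed to a child `az` process. The following is an added example, not code from this PR or from Azure CLI: it assumes the token is a JWT carrying `aud`, `tid` and `exp` claims, uses the environment variable names quoted above from #31575 (a proposal, not a shipped feature), and the helper names and sample token are constructed for illustration.

```python
import base64
import json
import time

def decode_claims(token):
    """Read the JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    body = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(body))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims

def preflight(token, audience, tenant_id, now=None, min_lifetime=300):
    """Return the reasons this token should not be passed on (empty list = ok)."""
    now = time.time() if now is None else now
    try:
        claims = decode_claims(token)
    except ValueError as exc:  # also covers bad base64 and bad JSON
        return [f"unparseable token: {exc}"]
    problems = []
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        problems.append("missing exp claim")
    elif exp - now < min_lifetime:
        problems.append(f"expires in {int(exp - now)}s, need {min_lifetime}s")
    if str(claims.get("aud", "")).rstrip("/") != audience.rstrip("/"):
        problems.append(f"audience is {claims.get('aud')!r}, expected {audience!r}")
    if claims.get("tid") != tenant_id:
        problems.append("tenant does not match AZURE_CLI_TENANT_ID")
    return problems

def child_env(token, subscription_id, tenant_id, audience, base_env, now=None):
    """Build the environment for one az invocation, or raise if a check fails."""
    problems = preflight(token, audience, tenant_id, now=now)
    if problems:
        raise ValueError("; ".join(problems))
    extra = {"AZURE_CLI_ACCESS_TOKEN": token, "AZURE_CLI_TENANT_ID": tenant_id,
             "AZURE_CLI_SUBSCRIPTION_ID": subscription_id}
    return {**base_env, **extra}

def make_token(claims):
    """Constructed, unsigned sample token (illustration only)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])
```

Passing the result of `child_env` as the `env` of a single subprocess call keeps the token out of the parent shell's exported environment, where every later child process would inherit it.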
