Refine error message about MFA

[isra-fel]

Description

This pull request introduces several improvements to the handling of claims challenges in the authentication flow. Key changes include refining error messages for better guidance, enhancing the processing of claims challenges, and improving code readability and maintainability. These updates aim to provide clearer feedback to users and streamline the handling of authentication challenges.

Error Message Improvements:

• Updated the error message for cmdlet failures due to Multi-Factor Authentication (MFA) policy violations to provide more actionable guidance. (src/Accounts/Accounts/ChangeLog.md)
• Added a method FormatClaimsChallengeErrorMessage to generate detailed error messages for claims challenges, including policy violation details and recommended actions. (src/Accounts/Authentication/Utilities/ClaimsChallengeUtilities.cs)

Claims Challenge Handling Enhancements:

• Modified MatchClaimsChallengePattern to return the claims challenge string via an out parameter, simplifying its usage. (src/Accounts/Authentication/Utilities/ClaimsChallengeUtilities.cs)
• Refactored OnChallengeAsync and related methods to accept the claims challenge string directly, removing redundant calls to extract the challenge. (src/Accounts/Authentication/ClaimsChallengeHandler.cs) [1] [2]
• Enhanced the OnClaimsChallenageAsync method in MsalAccessToken to process claims challenges and renew access tokens more effectively. (src/Accounts/Authenticators/MsalAccessToken.cs)

Codebase Simplification:

• Changed GetClaimsChallenge method to private scope to limit its usage and improve encapsulation. (src/Accounts/Authentication/Utilities/ClaimsChallengeUtilities.cs)
• Updated comments and method signatures to improve clarity, including refining return descriptions and parameter explanations. (src/Accounts/Authentication/Authentication/IClaimsChallengeProcessor.cs)

These updates collectively enhance the user experience and maintainability of the authentication module.

Mandatory Checklist

• Please choose the target release of Azure PowerShell. (⚠️Target release is a different concept from API readiness. Please click below links for details.)

  • General release
  • Public preview
  • Private preview
  • Engineering build
  • No need for a release

• Check this box to confirm: I have read the Submitting Changes section of CONTRIBUTING.md and reviewed the following information:

• SHOULD update ChangeLog.md file(s) appropriately
  • Update src/{{SERVICE}}/{{SERVICE}}/ChangeLog.md.
    • A snippet outlining the change(s) made in the PR should be written under the ## Upcoming Release header in the past tense.
  • Should not change ChangeLog.md if no new release is required, such as fixing test case only.
• SHOULD regenerate markdown help files if there is cmdlet API change. Instruction
• SHOULD have proper test coverage for changes in pull request.
• SHOULD NOT adjust version of module manually in pull request

[azure-client-tools-bot-prd]

Thanks for your contribution! The pull request validation has started. Please revisit this comment for updated status.

[Copilot]

Pull Request Overview

This PR refines the error message shown when a request fails due to an MFA (claims) challenge, providing clearer guidance and embedding the claims challenge for easier replay.

• Changed MatchClaimsChallengePattern to return the extracted claims challenge.
• Introduced FormatClaimsChallengeErrorMessage to build a more actionable, base64-encoded CLI command.
• Updated handlers to use the new formatter and updated XML docs and changelog.

Reviewed Changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
src/Accounts/Authenticators/MsalAccessToken.cs	Added XML docs for claims-challenge handler and corrected signature.
src/Accounts/Authentication/Utilities/ClaimsChallengeUtilities.cs	Made GetClaimsChallenge private, enhanced pattern matcher, and added FormatClaimsChallengeErrorMessage.
src/Accounts/Authentication/ClaimsChallengeHandler.cs	Switched to the new formatter in exception handling.
src/Accounts/Accounts/CommonModule/ContextAdapter.cs	Updated catch to throw formatted error message.
src/Accounts/Authentication/Authentication/IClaimsChallengeProcessor.cs	Improved <returns> documentation wording.
src/Accounts/Accounts/ChangeLog.md	Noted the refined MFA error message under Upcoming Release.

Comments suppressed due to low confidence (2)

src/Accounts/Authenticators/MsalAccessToken.cs:136

• The method name 'OnClaimsChallenageAsync' contains a typo; consider renaming it to 'OnClaimsChallengeAsync' for clarity and consistency.

        public async ValueTask<bool> OnClaimsChallenageAsync(HttpRequestMessage request, string claimsChallenge, CancellationToken cancellationToken)

src/Accounts/Authenticators/MsalAccessToken.cs:132

• Provide a description for the <param name="request"> tag to clarify the purpose of this parameter.

        /// <param name="request"></param>

[Copilot]

Correct the grammar in the <returns> tag: change 'indicated' to 'indicating'.

Suggested change

	/// <returns>A boolean indicated whether the request should be retried. Throws if the reauth fails.</returns>
	/// <returns>A boolean indicating whether the request should be retried. Throws if the reauth fails.</returns>

[Copilot]

Avoid hard-coding user-facing strings; consider moving this template message into a resource file to support localization and maintainability.

[isra-fel]

Sample error message:

PS > new-azkeyvault -ResourceGroupName *** -VaultName ***-Location eastus2
New-AzKeyVault: SharedTokenCacheCredential authentication unavailable. Token acquisition failed for user ***@***. Ensure that you have authenticated with a developer tool that supports Azure single sign on.
[This message needs review] Interactive authentication is required. Please run the following cmdlet and add additional parameters as needed:
Connect-AzAccount -ClaimsChallenge "eyJhY2Nlc3NfdG9rZW4iOnsiYWNycyI6eyJlc3NlbnRpYWwiOnRydWUsInZhbHVlcyI6WyJwMSJdfX19"

Error details:
Resource '***' was disallowed by policy. Policy identifiers: '[{"policyAssignment":{"name":"[Preview]: Users must authenticate with multi-factor authentication to create or update resources","id":"/subscriptions/***/resourceGroups/yemingtemp/providers/Microsoft.Authorization/policyAssignments/***"},"policyDefinition":{"name":"Users must authenticate with multi-factor authentication to create or update resources","id":"/providers/Microsoft.Authorization/policyDefinitions/***","version":"1.0.0-preview"}}]'.

The error message of autorest-based cmdlets are the same, but less readable => anything we can do to improve? Maybe show less message?

PS > new-azdatabricksworkspace -ResourceGroupName *** -Name *** -Location eastus2
New-AzDatabricksWorkspace_CreateExpanded: C:\Users\***\Documents\PowerShell\Modules\Az.Databricks\1.10.0\Databricks.Autorest\custom\New-AzDatabricksWorkspace.ps1:465
Line |
 465 |              Az.Databricks.internal\New-AzDatabricksWorkspace @PSBound …
     |              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | SharedTokenCacheCredential authentication unavailable. Token acquisition failed for user
     | ***@***. Ensure that you have authenticated with a developer tool that supports
     | Azure single sign on. [This message needs review] Interactive authentication is required. Please run the
     | following cmdlet and add additional parameters as needed: Connect-AzAccount -ClaimsChallenge
     | "eyJhY2Nlc3NfdG9rZW4iOnsiYWNycyI6eyJlc3NlbnRpYWwiOnRydWUsInZhbHVlcyI6WyJwMSJdfX19"  Error details: Resource
     | '***' was disallowed by policy. Policy identifiers: '[{"policyAssignment":{"name":"[Preview]: Users
     | must authenticate with multi-factor authentication to create or update
     | resources","id":"/subscriptions/***/resourceGroups/***/providers/Microsoft.Authorization/policyAssignments/***"},"policyDefinition":{"name":"Users must authenticate with multi-factor authentication to create or update resources","id":"/providers/Microsoft.Authorization/policyDefinitions/***","version":"1.0.0-preview"}}]'.

[vidai-msft]

LGTM