From f8e405784253218b98d04270db7f0dfaf0630c55 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 3 Mar 2026 01:06:44 +0000 Subject: [PATCH 1/8] Initial plan From 5d7a413087f81bdc4c41ae6e3868f8431f422bfa Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 3 Mar 2026 01:17:07 +0000 Subject: [PATCH 2/8] Replace hardcoded cloud-to-scope mappings with static SSH auth scope Replace the CloudToScope dictionary mapping specific cloud names to cloud-specific scope URLs with a single static scope using the AAD SSH Login for Linux server app ID (ce6ff14a-7fdc-4685-bbe0-f6afdfcfa8e0). This enables SSH authentication across all clouds instead of only supporting AzureCloud, AzureChinaCloud, and AzureUSGovernment. The environment property AzureSshAuthScope still takes precedence when set, preserving backward compatibility. Similar to Azure CLI extensions PR #9465. Co-authored-by: isra-fel <11371776+isra-fel@users.noreply.github.com> --- src/Accounts/Accounts/ChangeLog.md | 1 + .../Authentication/Factories/SshCredentialFactory.cs | 10 ++-------- 2 files changed, 3 insertions(+), 8 deletions(-) diff --git a/src/Accounts/Accounts/ChangeLog.md b/src/Accounts/Accounts/ChangeLog.md index b47c535e5dbe..66889971269d 100644 --- a/src/Accounts/Accounts/ChangeLog.md +++ b/src/Accounts/Accounts/ChangeLog.md @@ -20,6 +20,7 @@ ## Upcoming Release * Updated MSAL to 4.82.1 to fix an issue with ARM endpoint discovery. +* Replaced hardcoded cloud-to-scope mappings in SSH credential factory with a static scope using the AAD SSH Login for Linux server app ID, enabling SSH authentication across all clouds. ## Version 5.3.2 * Updated Azure.Core from 1.47.3 to 1.50.0 diff --git a/src/Accounts/Authentication/Factories/SshCredentialFactory.cs b/src/Accounts/Authentication/Factories/SshCredentialFactory.cs index f4ab2a9d0a45..2efeafcc3256 100644 
--- a/src/Accounts/Authentication/Factories/SshCredentialFactory.cs +++ b/src/Accounts/Authentication/Factories/SshCredentialFactory.cs @@ -30,13 +30,7 @@ namespace Microsoft.Azure.Commands.Common.Authentication.Factories { public class SshCredentialFactory : ISshCredentialFactory { - // kept for backward-compatibility - private readonly Dictionary CloudToScope = new Dictionary(StringComparer.InvariantCultureIgnoreCase) - { - { EnvironmentName.AzureCloud, AzureEnvironmentConstants.AzureSshAuthScope }, - { EnvironmentName.AzureChinaCloud, AzureEnvironmentConstants.ChinaSshAuthScope }, - { EnvironmentName.AzureUSGovernment, AzureEnvironmentConstants.USGovernmentSshAuthScope }, - }; + private const string AadSshLoginForLinuxServerAppId = "ce6ff14a-7fdc-4685-bbe0-f6afdfcfa8e0"; private string CreateJwk(RSAParameters rsaKeyInfo, out string keyId) { @@ -93,7 +87,7 @@ public SshCredential GetSshCredential(IAzureContext context, RSAParameters rsaKe private string GetAuthScope(IAzureEnvironment environment) { return environment.GetProperty(AzureEnvironment.ExtendedEndpoint.AzureSshAuthScope) - ?? CloudToScope.GetValueOrDefault(environment.Name.ToLower(), null); + ?? $"{AadSshLoginForLinuxServerAppId}/.default"; } } } From 031e85096b35647d838ff22d5365f0541461126b Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 3 Mar 2026 01:17:47 +0000 Subject: [PATCH 3/8] Simplify changelog entry to remove unexpanded acronyms Co-authored-by: isra-fel <11371776+isra-fel@users.noreply.github.com> --- src/Accounts/Accounts/ChangeLog.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Accounts/Accounts/ChangeLog.md b/src/Accounts/Accounts/ChangeLog.md index 66889971269d..49353c620812 100644 --- a/src/Accounts/Accounts/ChangeLog.md +++ b/src/Accounts/Accounts/ChangeLog.md 
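Review bot: The new constant `AadSshLoginForLinuxServerAppId` in the first hunk is a bare GUID that decides which resource the SSH-certificate token is requested for, yet the code does not say what the value identifies or why one ID is valid in every cloud. I would put a comment above it, for example `// App ID of the "AAD SSH Login for Linux" server application; "<app id>/.default" is the scope requested in all clouds.`, plus a pointer to where the ID is published so a later reader can verify it. With `CloudToScope` gone, the three `AzureEnvironmentConstants.*SshAuthScope` constants may no longer be referenced anywhere; that cannot be seen from this hunk and is worth checking. The class body continues outside the hunk.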
@@ -20,7 +20,7 @@ ## Upcoming Release * Updated MSAL to 4.82.1 to fix an issue with ARM endpoint discovery. -* Replaced hardcoded cloud-to-scope mappings in SSH credential factory with a static scope using the AAD SSH Login for Linux server app ID, enabling SSH authentication across all clouds. +* Replaced hardcoded cloud-to-scope mappings in SSH credential factory with a static scope, enabling SSH authentication across all clouds. ## Version 5.3.2 * Updated Azure.Core from 1.47.3 to 1.50.0 From 38022502e46579a3427db873a03a5368cd24c646 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 3 Mar 2026 01:59:42 +0000 Subject: [PATCH 4/8] Deprecate AzureSshAuthScope: remove env property reference, update docs - Remove AzureSshAuthScope environment property lookup from SshCredentialFactory.cs, relying solely on static scope value - Remove unused using directives (AzPSKeyNotFoundException, etc.) - Update Set-AzEnvironment and Add-AzEnvironment help docs to mark -SshAuthScope parameter as deprecated - Update ChangeLog.md with deprecation notice Co-authored-by: isra-fel <11371776+isra-fel@users.noreply.github.com> --- src/Accounts/Accounts/ChangeLog.md | 1 + src/Accounts/Accounts/help/Add-AzEnvironment.md | 2 +- src/Accounts/Accounts/help/Set-AzEnvironment.md | 2 +- .../Authentication/Factories/SshCredentialFactory.cs | 10 +++------- 4 files changed, 6 insertions(+), 9 deletions(-) diff --git a/src/Accounts/Accounts/ChangeLog.md b/src/Accounts/Accounts/ChangeLog.md index 49353c620812..70a6cc87547c 100644 --- a/src/Accounts/Accounts/ChangeLog.md +++ b/src/Accounts/Accounts/ChangeLog.md 
@@ -21,6 +21,7 @@ ## Upcoming Release * Updated MSAL to 4.82.1 to fix an issue with ARM endpoint discovery. * Replaced hardcoded cloud-to-scope mappings in SSH credential factory with a static scope, enabling SSH authentication across all clouds. +* Deprecated the `-SshAuthScope` parameter in `Set-AzEnvironment` and `Add-AzEnvironment`. The SSH authentication scope is now determined automatically. ## Version 5.3.2 * Updated Azure.Core from 1.47.3 to 1.50.0 diff --git a/src/Accounts/Accounts/help/Add-AzEnvironment.md b/src/Accounts/Accounts/help/Add-AzEnvironment.md index 495054fa34d9..6c2f425d2ad4 100644 --- a/src/Accounts/Accounts/help/Add-AzEnvironment.md +++ b/src/Accounts/Accounts/help/Add-AzEnvironment.md @@ -679,7 +679,7 @@ Accept wildcard characters: False ``` ### -SshAuthScope -The scope for authentication when SSH to an Azure VM. +This parameter is deprecated and has no effect. The SSH authentication scope is now determined automatically. Do not use this parameter. ```yaml Type: System.String diff --git a/src/Accounts/Accounts/help/Set-AzEnvironment.md b/src/Accounts/Accounts/help/Set-AzEnvironment.md index 2d840d7aa5fd..02430574fbc4 100644 --- a/src/Accounts/Accounts/help/Set-AzEnvironment.md +++ b/src/Accounts/Accounts/help/Set-AzEnvironment.md @@ -601,7 +601,7 @@ Accept wildcard characters: False ``` ### -SshAuthScope -The scope for authentication when SSH to an Azure VM. +This parameter is deprecated and has no effect. The SSH authentication scope is now determined automatically. Do not use this parameter. ```yaml Type: System.String diff --git a/src/Accounts/Authentication/Factories/SshCredentialFactory.cs b/src/Accounts/Authentication/Factories/SshCredentialFactory.cs index 2efeafcc3256..f592f48d6255 100644 --- a/src/Accounts/Authentication/Factories/SshCredentialFactory.cs +++ b/src/Accounts/Authentication/Factories/SshCredentialFactory.cs 
@@ -15,9 +15,7 @@ using Microsoft.Azure.Commands.Common.Authentication.Abstractions; using Microsoft.Azure.Commands.Common.Authentication.Abstractions.Models; using Microsoft.Azure.Commands.Common.Authentication.Properties; -using Microsoft.Azure.Commands.Common.Exceptions; using Microsoft.Identity.Client.SSHCertificates; -using Microsoft.WindowsAzure.Commands.Utilities.Common; using Newtonsoft.Json; @@ -64,8 +62,7 @@ public SshCredential GetSshCredential(IAzureContext context, RSAParameters rsaKe } var publicClient = tokenCacheProvider.CreatePublicClient(context.Environment.ActiveDirectoryAuthority, context.Tenant.Id); - string scope = GetAuthScope(context.Environment) - ?? throw new AzPSKeyNotFoundException(string.Format(Resources.ErrorSshAuthScopeNotSet, context.Environment.Name)); + string scope = GetAuthScope(); List scopes = new List() { scope }; var jwk = CreateJwk(rsaKeyInfo, out string keyId); @@ -84,10 +81,9 @@ public SshCredential GetSshCredential(IAzureContext context, RSAParameters rsaKe return resultToken; } - private string GetAuthScope(IAzureEnvironment environment) + private string GetAuthScope() { - return environment.GetProperty(AzureEnvironment.ExtendedEndpoint.AzureSshAuthScope) - ?? $"{AadSshLoginForLinuxServerAppId}/.default"; + return $"{AadSshLoginForLinuxServerAppId}/.default"; } } } From a165a451bc2af058c94b7a077195d137d9356cd9 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 3 Mar 2026 02:01:05 +0000 Subject: [PATCH 5/8] Restore WindowsAzure.Commands.Utilities.Common using (needed for Base64UrlHelper) Co-authored-by: isra-fel <11371776+isra-fel@users.noreply.github.com> --- src/Accounts/Authentication/Factories/SshCredentialFactory.cs | 1 + 1 file changed, 1 insertion(+) diff --git a/src/Accounts/Authentication/Factories/SshCredentialFactory.cs b/src/Accounts/Authentication/Factories/SshCredentialFactory.cs index f592f48d6255..8905172e8f07 100644 
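Review bot: After the second and third hunks, a value stored under `AzureEnvironment.ExtendedEndpoint.AzureSshAuthScope` is dropped without any signal, so an environment registered with a custom scope now requests a token for the built-in app ID rather than the configured one. Because the scope selects the resource the SSH certificate is issued for, I would surface that: before `string scope = GetAuthScope();`, test `context.Environment.GetProperty(AzureEnvironment.ExtendedEndpoint.AzureSshAuthScope) != null` and write a warning or debug message saying the configured value is ignored. A failed or unexpected sign-in can then be traced back to it. `Resources.ErrorSshAuthScopeNotSet` also looks unreferenced after this change, though other uses may exist outside the hunk. `GetSshCredential` starts and ends outside the hunk.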
--- a/src/Accounts/Authentication/Factories/SshCredentialFactory.cs +++ b/src/Accounts/Authentication/Factories/SshCredentialFactory.cs @@ -16,6 +16,7 @@ using Microsoft.Azure.Commands.Common.Authentication.Abstractions.Models; using Microsoft.Azure.Commands.Common.Authentication.Properties; using Microsoft.Identity.Client.SSHCertificates; +using Microsoft.WindowsAzure.Commands.Utilities.Common; using Newtonsoft.Json; From 0aee3e84a1d5f734f33a38448f4dee1ae056df21 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 3 Mar 2026 02:17:52 +0000 Subject: [PATCH 6/8] Update SshAuthScope parameter metadata in Set-AzEnvironment and Add-AzEnvironment cmdlet source Co-authored-by: isra-fel <11371776+isra-fel@users.noreply.github.com> --- src/Accounts/Accounts/Environment/AddAzureRMEnvironment.cs | 2 +- src/Accounts/Accounts/Environment/SetAzureRMEnvironment.cs | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/Accounts/Accounts/Environment/AddAzureRMEnvironment.cs b/src/Accounts/Accounts/Environment/AddAzureRMEnvironment.cs index cf27e034dba3..c6d6dddf3687 100644 --- a/src/Accounts/Accounts/Environment/AddAzureRMEnvironment.cs +++ b/src/Accounts/Accounts/Environment/AddAzureRMEnvironment.cs @@ -226,7 +226,7 @@ public string DataLakeAudience public string MicrosoftGraphUrl { get; set; } [Parameter(ParameterSetName = EnvironmentPropertiesParameterSet, Mandatory = false, ValueFromPipelineByPropertyName = true, - HelpMessage = "The scope for authentication when SSH to an Azure VM.")] + HelpMessage = "This parameter is deprecated and has no effect. The SSH authentication scope is now determined automatically. Do not use this parameter.")] public string SshAuthScope { get; set; } protected override bool RequireDefaultContext() diff --git a/src/Accounts/Accounts/Environment/SetAzureRMEnvironment.cs b/src/Accounts/Accounts/Environment/SetAzureRMEnvironment.cs index b4222400e033..52f4a5368054 100644 
--- a/src/Accounts/Accounts/Environment/SetAzureRMEnvironment.cs +++ b/src/Accounts/Accounts/Environment/SetAzureRMEnvironment.cs @@ -197,7 +197,7 @@ public string DataLakeAudience public string MicrosoftGraphUrl { get; set; } [Parameter(ParameterSetName = EnvironmentPropertiesParameterSet, Mandatory = false, ValueFromPipelineByPropertyName = true, - HelpMessage = "The scope for authentication when SSH to an Azure VM.")] + HelpMessage = "This parameter is deprecated and has no effect. The SSH authentication scope is now determined automatically. Do not use this parameter.")] public string SshAuthScope { get; set; } protected override bool RequireDefaultContext() From 7f1d4bec4fb364c7f137e5a3a5067e7dec49bd37 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 3 Mar 2026 02:19:00 +0000 Subject: [PATCH 7/8] Improve deprecation message wording to follow PowerShell conventions Co-authored-by: isra-fel <11371776+isra-fel@users.noreply.github.com> --- src/Accounts/Accounts/Environment/AddAzureRMEnvironment.cs | 2 +- src/Accounts/Accounts/Environment/SetAzureRMEnvironment.cs | 2 +- src/Accounts/Accounts/help/Add-AzEnvironment.md | 2 +- src/Accounts/Accounts/help/Set-AzEnvironment.md | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/Accounts/Accounts/Environment/AddAzureRMEnvironment.cs b/src/Accounts/Accounts/Environment/AddAzureRMEnvironment.cs index c6d6dddf3687..c24359a22a55 100644 --- a/src/Accounts/Accounts/Environment/AddAzureRMEnvironment.cs +++ b/src/Accounts/Accounts/Environment/AddAzureRMEnvironment.cs 
@@ -226,7 +226,7 @@ public string DataLakeAudience public string MicrosoftGraphUrl { get; set; } [Parameter(ParameterSetName = EnvironmentPropertiesParameterSet, Mandatory = false, ValueFromPipelineByPropertyName = true, - HelpMessage = "This parameter is deprecated and has no effect. The SSH authentication scope is now determined automatically. Do not use this parameter.")] + HelpMessage = "This parameter is deprecated and will be removed in a future release. The SSH authentication scope is now determined automatically and does not need to be configured.")] public string SshAuthScope { get; set; } protected override bool RequireDefaultContext() diff --git a/src/Accounts/Accounts/Environment/SetAzureRMEnvironment.cs b/src/Accounts/Accounts/Environment/SetAzureRMEnvironment.cs index 52f4a5368054..1dfff7384f01 100644 --- a/src/Accounts/Accounts/Environment/SetAzureRMEnvironment.cs +++ b/src/Accounts/Accounts/Environment/SetAzureRMEnvironment.cs @@ -197,7 +197,7 @@ public string DataLakeAudience public string MicrosoftGraphUrl { get; set; } [Parameter(ParameterSetName = EnvironmentPropertiesParameterSet, Mandatory = false, ValueFromPipelineByPropertyName = true, - HelpMessage = "This parameter is deprecated and has no effect. The SSH authentication scope is now determined automatically. Do not use this parameter.")] + HelpMessage = "This parameter is deprecated and will be removed in a future release. The SSH authentication scope is now determined automatically and does not need to be configured.")] public string SshAuthScope { get; set; } protected override bool RequireDefaultContext() diff --git a/src/Accounts/Accounts/help/Add-AzEnvironment.md b/src/Accounts/Accounts/help/Add-AzEnvironment.md index 6c2f425d2ad4..9feaf9491a99 100644 --- a/src/Accounts/Accounts/help/Add-AzEnvironment.md +++ b/src/Accounts/Accounts/help/Add-AzEnvironment.md 
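Review bot: The reworded `HelpMessage` on `SshAuthScope` no longer tells the user that the value is already ignored; "will be removed in a future release" reads as if the parameter still works until then. Judging from the earlier patch in this series that stopped reading the property in `SshCredentialFactory`, the value has no effect on SSH sign-in today, so I would keep that fact in the text: `HelpMessage = "This parameter is deprecated, is ignored, and will be removed in a future release. The SSH authentication scope is now determined automatically."`. The same wording applies to the `SetAzureRMEnvironment.cs` hunk and to both help files. Whether the cmdlets still store the value on the environment is not visible here.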
@@ -679,7 +679,7 @@ Accept wildcard characters: False ``` ### -SshAuthScope -This parameter is deprecated and has no effect. The SSH authentication scope is now determined automatically. Do not use this parameter. +This parameter is deprecated and will be removed in a future release. The SSH authentication scope is now determined automatically and does not need to be configured. ```yaml Type: System.String diff --git a/src/Accounts/Accounts/help/Set-AzEnvironment.md b/src/Accounts/Accounts/help/Set-AzEnvironment.md index 02430574fbc4..b13b2d7db4d6 100644 --- a/src/Accounts/Accounts/help/Set-AzEnvironment.md +++ b/src/Accounts/Accounts/help/Set-AzEnvironment.md @@ -601,7 +601,7 @@ Accept wildcard characters: False ``` ### -SshAuthScope -This parameter is deprecated and has no effect. The SSH authentication scope is now determined automatically. Do not use this parameter. +This parameter is deprecated and will be removed in a future release. The SSH authentication scope is now determined automatically and does not need to be configured. ```yaml Type: System.String From 9e0c72421f76a63ac1dbfbfe8bdab9ca4b757827 Mon Sep 17 00:00:00 2001 From: isra-fel <11371776+isra-fel@users.noreply.github.com> Date: Tue, 3 Mar 2026 20:45:02 +1100 Subject: [PATCH 8/8] update changelog --- src/Accounts/Accounts/ChangeLog.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/Accounts/Accounts/ChangeLog.md b/src/Accounts/Accounts/ChangeLog.md index 53397e30b84a..56556e53a96a 100644 --- a/src/Accounts/Accounts/ChangeLog.md +++ b/src/Accounts/Accounts/ChangeLog.md 
@@ -19,11 +19,11 @@ --> ## Upcoming Release +* Replaced hardcoded cloud-to-scope mappings in SSH credential factory with a static scope, enabling SSH authentication across all clouds. +* Deprecated the `-SshAuthScope` parameter in `Set-AzEnvironment` and `Add-AzEnvironment`. The SSH authentication scope is now determined automatically. ## Version 5.3.3 * Updated MSAL to 4.82.1 to fix an issue with ARM endpoint discovery. -* Replaced hardcoded cloud-to-scope mappings in SSH credential factory with a static scope, enabling SSH authentication across all clouds. -* Deprecated the `-SshAuthScope` parameter in `Set-AzEnvironment` and `Add-AzEnvironment`. The SSH authentication scope is now determined automatically. ## Version 5.3.2 * Updated Azure.Core from 1.47.3 to 1.50.0