
[Core] Allow disabling subscription finding

Open jiasli opened this issue 5 years ago • 5 comments

This was previously raised in IcM 154830377: Azure CLI fails if the NSG doesn't allow the ARM endpoint

It should be possible to force az login to only do a tenant-level login and disable subscription finding. This is also called ARM-detached mode.

The current param --allow-no-subscriptions always queries ARM and the result depends on whether the tenant has subscriptions. The result is unpredictable for the client:

Does the tenant have subscriptions?

  • ✔ -> build subscription-level accounts
  • ❌ -> build a tenant-level account

Allowing subscription finding to be disabled is helpful in these scenarios:

  1. As in the IcM, if the ARM endpoint (https://management.azure.com/ in public AzureCloud) is blocked by an NSG, az login fails. However, it shouldn't, as customers should still be able to use az to manage data-plane services like Storage, Microsoft Graph...
  2. A custom cloud may not have an ARM endpoint, thus causing az login to fail.

jiasli avatar May 01 '20 03:05 jiasli

Introduced by https://github.com/Azure/azure-cli/pull/13053, Profile.login now has a flag find_subscriptions to disable subscription finding.

jiasli avatar May 01 '20 03:05 jiasli

How az login interacts with ARM

By default (with no --tenant or --allow-no-subscriptions specified):

  1. Call Tenants - List API to list all accessible tenants.
  2. For each tenant, call Subscriptions - List API to list all accessible subscriptions. If a tenant doesn't have any accessible subscription, the tenant is skipped.
  3. Save subscriptions to ~/.azure/azureProfile.json, using subscriptionId as the primary key id.

If --tenant is specified, step 1 is skipped and only the specified tenant is used in step 2.

If --allow-no-subscriptions is specified, in step 2 the CLI doesn't skip tenants that have no accessible subscriptions, but builds placeholder (dummy/pseudo) subscriptions for those tenants, using tenantId as the primary key id and the string N/A(tenant level account) as the name.

jiasli avatar Nov 21 '23 06:11 jiasli

Copied from https://github.com/Azure/azure-cli/issues/15585#issuecomment-1819313037

Explanation on --allow-no-subscriptions

--allow-no-subscriptions behaves differently in the two scenarios below:

Scenario 1: The identity has no accessible subscriptions

In this case, az login --allow-no-subscriptions creates a placeholder subscription representing the tenant:

> az login --service-principal --username 92375e31-0eae-4019-8207-0698ce16d144 --password xxx --tenant 54826b22-38d6-4fb2-bad9-b7b93a3e9c5a --allow-no-subscriptions
[
  {
    "cloudName": "AzureCloud",
    "id": "54826b22-38d6-4fb2-bad9-b7b93a3e9c5a",
    "isDefault": true,
    "name": "N/A(tenant level account)",
    "state": "Enabled",
    "tenantId": "54826b22-38d6-4fb2-bad9-b7b93a3e9c5a",
    "user": {
      "name": "92375e31-0eae-4019-8207-0698ce16d144",
      "type": "servicePrincipal"
    }
  }
]

Notice name is N/A(tenant level account) and id is the same as tenantId.

Scenario 2: The identity has accessible subscriptions

In this case, --allow-no-subscriptions degenerates into a no-op. az login --allow-no-subscriptions is equivalent to az login and returns real subscriptions.

> az login --service-principal --username 92375e31-0eae-4019-8207-0698ce16d144 --password xxx --tenant 54826b22-38d6-4fb2-bad9-b7b93a3e9c5a --allow-no-subscriptions
[
  {
    "cloudName": "AzureCloud",
    "homeTenantId": "54826b22-38d6-4fb2-bad9-b7b93a3e9c5a",
    "id": "0b1f6471-1bf0-4dda-aec3-cb9272f09590",
    "isDefault": true,
    "managedByTenants": [],
    "name": "AzureSDKTest",
    "state": "Enabled",
    "tenantId": "54826b22-38d6-4fb2-bad9-b7b93a3e9c5a",
    "user": {
      "name": "92375e31-0eae-4019-8207-0698ce16d144",
      "type": "servicePrincipal"
    }
  }
]

Now name is the real subscription name AzureSDKTest and id is the subscription ID. tenantId is the tenant of the token used to access this subscription (for Azure Lighthouse). homeTenantId is the tenant the subscription belongs to.

jiasli avatar Feb 05 '24 10:02 jiasli
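The two comments above (the three-step description of how az login talks to ARM, and the two --allow-no-subscriptions scenarios) describe one account-building algorithm. The following Python models it so the skip / placeholder / real-subscription outcomes, and the ARM-blocked failure from the issue, can be exercised offline. This is an added example, not azure-cli's own code: FakeArm, build_accounts and is_tenant_level_account are constructed for this illustration, the find_subscriptions=False branch is an assumption about what an ARM-detached login would produce (the thread only says the Profile.login flag disables subscription finding), and the real-subscription entry omits homeTenantId and managedByTenants. The tenant, service principal and subscription IDs are the ones shown in the thread.

```python
"""Model of how `az login` turns tenants and subscriptions into the accounts
written to ~/.azure/azureProfile.json, following the steps described above.
Added illustration only: FakeArm, build_accounts and the sample data are
constructed for this example and are not azure-cli's own code."""

N_A_NAME = "N/A(tenant level account)"


class ArmUnreachable(Exception):
    """The (fake) ARM endpoint could not be reached, e.g. blocked by an NSG."""


class FakeArm:
    """Stand-in for the Tenants - List and Subscriptions - List calls.

    subs_by_tenant maps tenantId -> [(subscriptionId, name), ...] that the
    identity can access.  reachable=False models an NSG that blocks
    https://management.azure.com/.
    """

    def __init__(self, subs_by_tenant, reachable=True):
        self.subs_by_tenant = subs_by_tenant
        self.reachable = reachable
        self.calls = 0  # number of ARM requests made

    def _request(self):
        self.calls += 1
        if not self.reachable:
            raise ArmUnreachable("ARM endpoint blocked")

    def list_tenants(self):
        self._request()
        return list(self.subs_by_tenant)

    def list_subscriptions(self, tenant_id):
        self._request()
        return self.subs_by_tenant.get(tenant_id, [])


def _account(acct_id, name, tenant_id, user):
    # Simplified shape of one azureProfile.json entry (homeTenantId and
    # managedByTenants of real subscriptions are omitted in this model).
    return {"cloudName": "AzureCloud", "id": acct_id, "isDefault": False,
            "name": name, "state": "Enabled", "tenantId": tenant_id, "user": user}


def build_accounts(arm, user, tenant=None, allow_no_subscriptions=False,
                   find_subscriptions=True):
    """Return the account list az login would save, given the flags."""
    if not find_subscriptions:
        # ARM-detached mode requested in the issue: no ARM call at all, so the
        # tenant must be given explicitly (assumption of this model).
        if tenant is None:
            raise ValueError("find_subscriptions=False requires a tenant")
        accounts = [_account(tenant, N_A_NAME, tenant, user)]
    else:
        # Step 1: Tenants - List, skipped when --tenant is specified.
        tenants = [tenant] if tenant else arm.list_tenants()
        accounts = []
        for tid in tenants:
            # Step 2: Subscriptions - List for each tenant.
            subs = arm.list_subscriptions(tid)
            if subs:
                accounts += [_account(sid, name, tid, user) for sid, name in subs]
            elif allow_no_subscriptions:
                # Placeholder account: id == tenantId, name == N/A(tenant level account)
                accounts.append(_account(tid, N_A_NAME, tid, user))
            # otherwise a tenant with no accessible subscription is skipped
    if accounts:
        accounts[0]["isDefault"] = True  # first entry becomes the default, as in the JSON above
    return accounts


def is_tenant_level_account(acct):
    """True for the placeholder built by --allow-no-subscriptions.

    Automation that feeds `az account show --query id` into ARM resource IDs
    should check this: for a placeholder, id is a tenantId, not a subscriptionId.
    """
    return acct["id"] == acct["tenantId"] and acct["name"] == N_A_NAME


# Sample data: the tenant, service principal and subscription shown in the thread.
TENANT = "54826b22-38d6-4fb2-bad9-b7b93a3e9c5a"
SUB = "0b1f6471-1bf0-4dda-aec3-cb9272f09590"
SP = {"name": "92375e31-0eae-4019-8207-0698ce16d144", "type": "servicePrincipal"}

if __name__ == "__main__":
    # Scenario 1: no subscriptions -> placeholder.  Scenario 2: real subscription, flag is a no-op.
    empty, real = FakeArm({TENANT: []}), FakeArm({TENANT: [(SUB, "AzureSDKTest")]})
    print(build_accounts(empty, SP, tenant=TENANT, allow_no_subscriptions=True))
    print(build_accounts(real, SP, tenant=TENANT, allow_no_subscriptions=True))
    # ARM blocked: normal login fails, ARM-detached login still yields a tenant-level account.
    blocked = FakeArm({}, reachable=False)
    try:
        build_accounts(blocked, SP, tenant=TENANT)
    except ArmUnreachable as e:
        print("az login failed:", e)
    print(build_accounts(blocked, SP, tenant=TENANT, find_subscriptions=False), blocked.calls)
```

The is_tenant_level_account check is the practical takeaway: because --allow-no-subscriptions returns either a real subscription or a placeholder depending on what ARM reports, any script that reads the default account's id and builds /subscriptions/{id}/... paths from it should verify that id differs from tenantId before using it.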

The new experience of interactive login makes it almost worse. Now I have to scan the list of subs and enter a number associated with it?


serbrech avatar Jun 25 '24 01:06 serbrech

> The new experience of interactive login makes it almost worse. Now I have to scan the list of subs and enter a number associated with it?

The solution for this "awesome" login experience is:

# disable the subscription selector (v. 2.61.0 and up)
az config set core.login_experience_v2=off

c0deb3nder avatar Jun 27 '24 10:06 c0deb3nder

Is it too much to ask to have:

az login --tenant example.com --subscription 00000001-0000-0000-0000-000000000001

Which is the same as:

az config set core.login_experience_v2=off
az login --tenant example.com
az account set --subscription 00000001-0000-0000-0000-000000000001

If --subscription is present on az login, just select the matching subscription and suppress the table list and interactive prompt.

csijake avatar Nov 13 '25 18:11 csijake