Skip to content

{Auth} Enable PII log for WAM#28954

Merged
jiasli merged 1 commit intoAzure:devfrom
jiasli:enable_pii_log
Apr 8, 2025
Merged

{Auth} Enable PII log for WAM#28954
jiasli merged 1 commit intoAzure:devfrom
jiasli:enable_pii_log

Conversation

@jiasli
Copy link
Member

@jiasli jiasli commented May 13, 2024
edited
Loading

Related command
az login

Description
MSAL hides the original AADSTS error when WAM is used (AzureAD/microsoft-authentication-library-for-python#698).

This PR uses enable_pii_log from AzureAD/microsoft-authentication-library-for-python#590 to print the original AADSTS error.

We should carefully inspect that no PII is sent to the telemetry before merging this PR.

As confirmed by MSAL (AzureAD/microsoft-authentication-library-for-python#590 (comment)), enable_pii_log only affects logs, not telemetry. In other words, the telemetry will not contain PII even when enable_pii_log is set to True.

Testing Guide
Before:

> az login --scope https://graph.microsoft.com/User.ReadWrite
...
(pii). Status: Response_Status.Status_IncorrectConfiguration, Error code: 3399614466, Tag: 557973643

After:

> az login --scope https://graph.microsoft.com/User.ReadWrite
...
V2Error: invalid_request AADSTS65002: Consent between first party application '04b07795-8ddb-461a-bbee-02f9e1bf7b46' 
and first party resource '00000003-0000-0000-c000-000000000000' must be configured via preauthorization - 
applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that 
API. Trace ID: 75dc241c-0678-496c-ab6a-101595e34000 Correlation ID: 33a31850-1124-47d8-ab9c-085c4a0b9db8 Timestamp: 
2024-05-13 12:31:04Z. Status: Response_Status.Status_IncorrectConfiguration, Error code: 3399614466, Tag: 557973643

@azure-client-tools-bot-prd
Copy link

azure-client-tools-bot-prd bot commented May 13, 2024
edited
Loading

️✔️AzureCLI-FullTest
️✔️acr
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️acs
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️advisor
️✔️latest
️✔️3.12
️✔️3.9
️✔️ams
️✔️latest
️✔️3.12
️✔️3.9
️✔️apim
️✔️latest
️✔️3.12
️✔️3.9
️✔️appconfig
️✔️latest
️✔️3.12
️✔️3.9
️✔️appservice
️✔️latest
️✔️3.12
️✔️3.9
️✔️aro
️✔️latest
️✔️3.12
️✔️3.9
️✔️backup
️✔️latest
️✔️3.12
️✔️3.9
️✔️batch
️✔️latest
️✔️3.12
️✔️3.9
️✔️batchai
️✔️latest
️✔️3.12
️✔️3.9
️✔️billing
️✔️latest
️✔️3.12
️✔️3.9
️✔️botservice
️✔️latest
️✔️3.12
️✔️3.9
️✔️cdn
️✔️latest
️✔️3.12
️✔️3.9
️✔️cloud
️✔️latest
️✔️3.12
️✔️3.9
️✔️cognitiveservices
️✔️latest
️✔️3.12
️✔️3.9
️✔️compute_recommender
️✔️latest
️✔️3.12
️✔️3.9
️✔️computefleet
️✔️latest
️✔️3.12
️✔️3.9
️✔️config
️✔️latest
️✔️3.12
️✔️3.9
️✔️configure
️✔️latest
️✔️3.12
️✔️3.9
️✔️consumption
️✔️latest
️✔️3.12
️✔️3.9
️✔️container
️✔️latest
️✔️3.12
️✔️3.9
️✔️containerapp
️✔️latest
️✔️3.12
️✔️3.9
️✔️core
️✔️2018-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2019-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️cosmosdb
️✔️latest
️✔️3.12
️✔️3.9
️✔️databoxedge
️✔️2019-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️dls
️✔️latest
️✔️3.12
️✔️3.9
️✔️dms
️✔️latest
️✔️3.12
️✔️3.9
️✔️eventgrid
️✔️latest
️✔️3.12
️✔️3.9
️✔️eventhubs
️✔️latest
️✔️3.12
️✔️3.9
️✔️feedback
️✔️latest
️✔️3.12
️✔️3.9
️✔️find
️✔️latest
️✔️3.12
️✔️3.9
️✔️hdinsight
️✔️latest
️✔️3.12
️✔️3.9
️✔️identity
️✔️latest
️✔️3.12
️✔️3.9
️✔️iot
️✔️2019-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️keyvault
️✔️2018-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️lab
️✔️latest
️✔️3.12
️✔️3.9
️✔️managedservices
️✔️latest
️✔️3.12
️✔️3.9
️✔️maps
️✔️latest
️✔️3.12
️✔️3.9
️✔️marketplaceordering
️✔️latest
️✔️3.12
️✔️3.9
️✔️monitor
️✔️latest
️✔️3.12
️✔️3.9
️✔️mysql
️✔️latest
️✔️3.12
️✔️3.9
️✔️netappfiles
️✔️latest
️✔️3.12
️✔️3.9
️✔️network
️✔️2018-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️policyinsights
️✔️latest
️✔️3.12
️✔️3.9
️✔️privatedns
️✔️latest
️✔️3.12
️✔️3.9
️✔️profile
️✔️latest
️✔️3.12
️✔️3.9
️✔️rdbms
️✔️latest
️✔️3.12
️✔️3.9
️✔️redis
️✔️latest
️✔️3.12
️✔️3.9
️✔️relay
️✔️latest
️✔️3.12
️✔️3.9
️✔️resource
️✔️2018-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2019-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️role
️✔️latest
️✔️3.12
️✔️3.9
️✔️search
️✔️latest
️✔️3.12
️✔️3.9
️✔️security
️✔️latest
️✔️3.12
️✔️3.9
️✔️servicebus
️✔️latest
️✔️3.12
️✔️3.9
️✔️serviceconnector
️✔️latest
️✔️3.12
️✔️3.9
️✔️servicefabric
️✔️latest
️✔️3.12
️✔️3.9
️✔️signalr
️✔️latest
️✔️3.12
️✔️3.9
️✔️sql
️✔️latest
️✔️3.12
️✔️3.9
️✔️sqlvm
️✔️latest
️✔️3.12
️✔️3.9
️✔️storage
️✔️2018-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2019-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️synapse
️✔️latest
️✔️3.12
️✔️3.9
️✔️telemetry
️✔️2018-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2019-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️util
️✔️latest
️✔️3.12
️✔️3.9
️✔️vm
️✔️2018-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2019-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9

@azure-client-tools-bot-prd
Copy link

azure-client-tools-bot-prd bot commented May 13, 2024

Hi @jiasli,
Since the current milestone time is less than 7 days, this pr will be reviewed in the next milestone.

@azure-client-tools-bot-prd
Copy link

azure-client-tools-bot-prd bot commented May 13, 2024
edited
Loading

️✔️AzureCLI-BreakingChangeTest
️✔️Non Breaking Changes

@yonzhan
Copy link
Collaborator

yonzhan commented May 13, 2024
edited
Loading

Enable PII log for troubleshooting purpose

@microsoft-github-policy-service microsoft-github-policy-service bot added the Auto-Assign Auto assign by bot label May 13, 2024
@microsoft-github-policy-service microsoft-github-policy-service bot added the Account az login/account label May 13, 2024
@jiasli jiasli mentioned this pull request May 13, 2024
Closed
@jiasli jiasli marked this pull request as ready for review March 4, 2025 08:12
@jiasli jiasli changed the title {Auth} Enable PII log when WAM is used {Auth} Enable PII log for WAM Apr 7, 2025
evelyn-ys
evelyn-ys reviewed Apr 7, 2025
View reviewed changes
src/azure-cli-core/azure/cli/core/auth/identity.py
return {**self._msal_app_kwargs, "enable_broker_on_windows": self._enable_broker_on_windows}
return {**self._msal_app_kwargs,
"enable_broker_on_windows": self._enable_broker_on_windows,
"enable_pii_log": True}
Copy link
Member

@evelyn-ys evelyn-ys Apr 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

May I know why not adding this to _msal_app_kwargs?

Copy link
Member Author

@jiasli jiasli Apr 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

enable_pii_log only affects the WAM flow from PublicClientApplication:

If adding enable_pii_log to _msal_app_kwargs, it will be passed to ConfidentialClientApplication which doesn't support WAM at all.

https://github.com/AzureAD/microsoft-authentication-library-for-python/blob/30dce4ecc63d93ef34b89c052aab1a1231395ce6/msal/application.py#L660

        self._decide_broker(allow_broker, enable_pii_log)

https://github.com/AzureAD/microsoft-authentication-library-for-python/blob/30dce4ecc63d93ef34b89c052aab1a1231395ce6/msal/application.py#L675-L676

    def _decide_broker(self, allow_broker, enable_pii_log):
        is_confidential_app = self.client_credential or isinstance(
            self, ConfidentialClientApplication)
        if is_confidential_app and allow_broker:
            raise ValueError("allow_broker=True is only supported in PublicClientApplication")

@jiasli jiasli merged commit 6190c8d into Azure:dev Apr 8, 2025
53 checks passed
@jiasli jiasli deleted the enable_pii_log branch April 8, 2025 06:18
@jiasli jiasli mentioned this pull request Apr 15, 2025
Open
@jiasli jiasli mentioned this pull request Jun 4, 2025
Closed
@jiasli jiasli mentioned this pull request Jul 1, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bebound bebound bebound approved these changes

@evelyn-ys evelyn-ys evelyn-ys approved these changes

@yonzhan yonzhan Awaiting requested review from yonzhan

@calvinhzy calvinhzy Awaiting requested review from calvinhzy

Assignees

@jiasli jiasli

Labels

Account az login/account Auto-Assign Auto assign by bot

Projects

None yet

Milestone

May 2025 (2025-05-06)

Development

Successfully merging this pull request may close these issues.

4 participants

@jiasli @yonzhan @bebound @evelyn-ys