
[Identity] az identity federated-credential create/update: Add support for claims matching expressions#31436

Merged
zhoxing-ms merged 9 commits into
Azure:devfrom
Sruuujaaan:sban/feature_flexibleFIC_5_9
May 15, 2025

Conversation

@Sruuujaaan
Member

@Sruuujaaan Sruuujaaan commented May 8, 2025

PREVIEW API version

Related command
az identity federated-credential *

Description
This PR adds support for claims matching expressions (CME) in the federated credentials command group using the 2025-01-31-PREVIEW API version. Linked work item -> https://msazure.visualstudio.com/One/_workitems/edit/26876104

I've changed the federated credential commands to use the AAZ implementation by:

  1. Removing custom SDK implementation (commands, params, and functions)
  2. Retaining AAZ command loading logic in __init__.py
  3. This enables claims matching expression support through the AAZ implementation using API version 2025-01-31-preview

Testing Guide

TODO add detailed testing SS and commands

The az identity federated-credential create command using a Claims Matching Expression is only enabled in the tenants below; if you don't have access to these tenants, please reach out to me and I can get you added to them.

We need to test all the commands under the federated-credential subgroup to make sure the az identity federated-credential (create, update) commands now support creation using a claims matching expression, and that no regression is observed in the az identity federated-credential (delete, list, show) commands.

Test Commands
1] az identity federated-credential create
a] Create using Claims Matching Expression

az identity federated-credential create `
--identity-name sbanCentralUSEUAP_UAMI `
--name sbanCLI_FIC `
--resource-group sban_rg `
--issuer https://onebox-test.azurewebsites.net/ `
--claims-matching-expression-version 1 `
--claims-matching-expression-value "claims['sub'] eq 'project_path:CSERV/terraform'" `
--audiences api://AzureADTokenExchange

b] Create using Subject

az identity federated-credential create `
--identity-name sbanCentralUSEUAP_UAMI `
--name sbanCLI_subject `
--resource-group sban_rg `
--issuer https://onebox-test.azurewebsites.net/ `
--subject contosoSubject `
--audiences api://AzureADTokenExchange

2] az identity federated-credential update
a] Update using Claims Matching Expression

az identity federated-credential update `
--identity-name sbanCentralUSEUAP_UAMI `
--name sbanCLI_FIC `
--resource-group sban_rg `
--issuer https://onebox-test.azurewebsites.net/ `
--claims-matching-expression-version 1 `
--claims-matching-expression-value "claims['sub'] eq 'project_path:CSERV/terraformUpdated'" `
--audiences api://AzureADTokenExchange

b] Update using Subject

az identity federated-credential update `
--identity-name sbanCentralUSEUAP_UAMI `
--name sbanCLI_subject `
--resource-group sban_rg `
--issuer https://onebox-test.azurewebsites.net/ `
--subject contosoSubjectUpdated `
--audiences api://AzureADTokenExchange

3] az identity federated-credential show

az identity federated-credential show `
--identity-name sbanCentralUSEUAP_UAMI `
--name sbanCLI_subject `
--resource-group sban_rg

4] az identity federated-credential list

az identity federated-credential list `
--identity-name sbanCentralUSEUAP_UAMI `
--resource-group sban_rg

5] az identity federated-credential delete

az identity federated-credential delete `
--identity-name sbanCentralUSEUAP_UAMI `
--name sbanCLI_subject `
--resource-group sban_rg

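An added audit script, not code from this PR or from azure-cli (Python because azure-cli is Python), that checks `az identity federated-credential list -o json` output for the invariants the test commands above rely on: exactly one of subject or claims matching expression is set, the audience is `api://AzureADTokenExchange`, and the issuer is an https URL. The flattened JSON property names (`issuer`, `subject`, `audiences`, `claimsMatchingExpression` with `value`/`languageVersion`) and the sample records are assumptions modelled on the commands in the testing guide.

```python
"""Audit federated identity credential records (added example, not from this PR).

Assumed input: the flattened JSON `az identity federated-credential list -o json`
prints; sample records below are constructed from the testing-guide commands.
"""
import json
from typing import Dict, List

# The default the removed custom implementation applied when --audiences was omitted.
DEFAULT_AUDIENCES = ["api://AzureADTokenExchange"]

# Constructed sample list output: the two credentials created above plus one bad record.
SAMPLE_LIST_OUTPUT = json.dumps([
    {
        "name": "sbanCLI_FIC",
        "issuer": "https://onebox-test.azurewebsites.net/",
        "audiences": ["api://AzureADTokenExchange"],
        "claimsMatchingExpression": {
            "value": "claims['sub'] eq 'project_path:CSERV/terraform'",
            "languageVersion": 1,
        },
    },
    {
        "name": "sbanCLI_subject",
        "issuer": "https://onebox-test.azurewebsites.net/",
        "subject": "contosoSubject",
        "audiences": ["api://AzureADTokenExchange"],
    },
    {   # constructed bad record: both matching modes set, no audience, non-https issuer
        "name": "bad_fic",
        "issuer": "http://example.invalid/",
        "subject": "contosoSubject",
        "claimsMatchingExpression": {"value": "claims['sub'] eq 'x'", "languageVersion": 1},
        "audiences": [],
    },
])


def audit_credential(fic: Dict) -> List[str]:
    """Return the findings for one credential; an empty list means it is clean."""
    findings: List[str] = []
    has_subject = bool(fic.get("subject"))
    cme = fic.get("claimsMatchingExpression") or {}
    has_cme = bool(cme.get("value"))
    # Tokens are matched by a subject or by an expression, never both and never neither.
    if has_subject == has_cme:
        findings.append("exactly one of subject / claimsMatchingExpression must be set")
    # The audience is what the create command used to default to; anything else is suspect.
    if fic.get("audiences") != DEFAULT_AUDIENCES:
        findings.append(f"audiences is {fic.get('audiences')!r}, expected {DEFAULT_AUDIENCES!r}")
    if not str(fic.get("issuer", "")).startswith("https://"):
        findings.append("issuer is not an https URL")
    return findings


def audit_list_output(raw_json: str) -> Dict[str, List[str]]:
    """Audit every credential in list output, keyed by credential name."""
    return {fic["name"]: audit_credential(fic) for fic in json.loads(raw_json)}


if __name__ == "__main__":
    for name, findings in audit_list_output(SAMPLE_LIST_OUTPUT).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Pipe real output in with `az identity federated-credential list --identity-name <uami> --resource-group <rg> -o json` and pass the text to `audit_list_output`.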

@azure-client-tools-bot-prd

azure-client-tools-bot-prd Bot commented May 8, 2025

️✔️AzureCLI-FullTest

@azure-client-tools-bot-prd

Hi @Sruuujaaan,
Since the current milestone time is less than 7 days, this PR will be reviewed in the next milestone.

@azure-client-tools-bot-prd

azure-client-tools-bot-prd Bot commented May 8, 2025

⚠️AzureCLI-BreakingChangeTest
⚠️identity
rule cmd_name rule_message suggest_message
⚠️ 1006 - ParaAdd identity federated-credential create cmd identity federated-credential create added parameter claims_matching_expression_value
⚠️ 1006 - ParaAdd identity federated-credential create cmd identity federated-credential create added parameter claims_matching_expression_version
⚠️ 1008 - ParaPropAdd identity federated-credential create cmd identity federated-credential create update parameter audiences: added property aaz_type=AAZListArg
⚠️ 1008 - ParaPropAdd identity federated-credential create cmd identity federated-credential create update parameter audiences: added property type=List<String>
⚠️ 1008 - ParaPropAdd identity federated-credential create cmd identity federated-credential create update parameter federated_credential_name: added property aaz_type=string
⚠️ 1008 - ParaPropAdd identity federated-credential create cmd identity federated-credential create update parameter federated_credential_name: added property type=string
⚠️ 1010 - ParaPropUpdate identity federated-credential create cmd identity federated-credential create update parameter federated_credential_name: updated property name from federated_credential_name to name
⚠️ 1008 - ParaPropAdd identity federated-credential create cmd identity federated-credential create update parameter identity_name: added property aaz_type=string
⚠️ 1008 - ParaPropAdd identity federated-credential create cmd identity federated-credential create update parameter identity_name: added property type=string
⚠️ 1008 - ParaPropAdd identity federated-credential create cmd identity federated-credential create update parameter issuer: added property aaz_type=string
⚠️ 1008 - ParaPropAdd identity federated-credential create cmd identity federated-credential create update parameter issuer: added property type=string
⚠️ 1008 - ParaPropAdd identity federated-credential create cmd identity federated-credential create update parameter resource_group_name: added property aaz_type=string
⚠️ 1008 - ParaPropAdd identity federated-credential create cmd identity federated-credential create update parameter resource_group_name: added property type=string
⚠️ 1010 - ParaPropUpdate identity federated-credential create cmd identity federated-credential create update parameter resource_group_name: updated property name from resource_group_name to resource_group
⚠️ 1008 - ParaPropAdd identity federated-credential create cmd identity federated-credential create update parameter subject: added property aaz_type=string
⚠️ 1008 - ParaPropAdd identity federated-credential create cmd identity federated-credential create update parameter subject: added property type=string
⚠️ 1004 - CmdPropRemove identity federated-credential delete cmd identity federated-credential delete removed property confirmation
⚠️ 1008 - ParaPropAdd identity federated-credential delete cmd identity federated-credential delete update parameter federated_credential_name: added property aaz_type=string
⚠️ 1008 - ParaPropAdd identity federated-credential delete cmd identity federated-credential delete update parameter federated_credential_name: added property type=string
⚠️ 1010 - ParaPropUpdate identity federated-credential delete cmd identity federated-credential delete update parameter federated_credential_name: updated property name from federated_credential_name to name
⚠️ 1008 - ParaPropAdd identity federated-credential delete cmd identity federated-credential delete update parameter identity_name: added property aaz_type=string
⚠️ 1008 - ParaPropAdd identity federated-credential delete cmd identity federated-credential delete update parameter identity_name: added property type=string
⚠️ 1008 - ParaPropAdd identity federated-credential delete cmd identity federated-credential delete update parameter resource_group_name: added property aaz_type=string
⚠️ 1008 - ParaPropAdd identity federated-credential delete cmd identity federated-credential delete update parameter resource_group_name: added property type=string
⚠️ 1010 - ParaPropUpdate identity federated-credential delete cmd identity federated-credential delete update parameter resource_group_name: updated property name from resource_group_name to resource_group
⚠️ 1006 - ParaAdd identity federated-credential list cmd identity federated-credential list added parameter pagination_limit
⚠️ 1006 - ParaAdd identity federated-credential list cmd identity federated-credential list added parameter pagination_token
⚠️ 1006 - ParaAdd identity federated-credential list cmd identity federated-credential list added parameter skiptoken
⚠️ 1006 - ParaAdd identity federated-credential list cmd identity federated-credential list added parameter top
⚠️ 1008 - ParaPropAdd identity federated-credential list cmd identity federated-credential list update parameter identity_name: added property aaz_type=string
⚠️ 1008 - ParaPropAdd identity federated-credential list cmd identity federated-credential list update parameter identity_name: added property type=string
⚠️ 1008 - ParaPropAdd identity federated-credential list cmd identity federated-credential list update parameter resource_group_name: added property aaz_type=string
⚠️ 1008 - ParaPropAdd identity federated-credential list cmd identity federated-credential list update parameter resource_group_name: added property type=string
⚠️ 1010 - ParaPropUpdate identity federated-credential list cmd identity federated-credential list update parameter resource_group_name: updated property name from resource_group_name to resource_group
⚠️ 1008 - ParaPropAdd identity federated-credential show cmd identity federated-credential show update parameter federated_credential_name: added property aaz_type=string
⚠️ 1008 - ParaPropAdd identity federated-credential show cmd identity federated-credential show update parameter federated_credential_name: added property type=string
⚠️ 1010 - ParaPropUpdate identity federated-credential show cmd identity federated-credential show update parameter federated_credential_name: updated property name from federated_credential_name to name
⚠️ 1008 - ParaPropAdd identity federated-credential show cmd identity federated-credential show update parameter identity_name: added property aaz_type=string
⚠️ 1008 - ParaPropAdd identity federated-credential show cmd identity federated-credential show update parameter identity_name: added property type=string
⚠️ 1008 - ParaPropAdd identity federated-credential show cmd identity federated-credential show update parameter resource_group_name: added property aaz_type=string
⚠️ 1008 - ParaPropAdd identity federated-credential show cmd identity federated-credential show update parameter resource_group_name: added property type=string
⚠️ 1010 - ParaPropUpdate identity federated-credential show cmd identity federated-credential show update parameter resource_group_name: updated property name from resource_group_name to resource_group
⚠️ 1006 - ParaAdd identity federated-credential update cmd identity federated-credential update added parameter claims_matching_expression_value
⚠️ 1006 - ParaAdd identity federated-credential update cmd identity federated-credential update added parameter claims_matching_expression_version
⚠️ 1006 - ParaAdd identity federated-credential update cmd identity federated-credential update added parameter generic_update_add
⚠️ 1006 - ParaAdd identity federated-credential update cmd identity federated-credential update added parameter generic_update_force_string
⚠️ 1006 - ParaAdd identity federated-credential update cmd identity federated-credential update added parameter generic_update_remove
⚠️ 1006 - ParaAdd identity federated-credential update cmd identity federated-credential update added parameter generic_update_set
⚠️ 1008 - ParaPropAdd identity federated-credential update cmd identity federated-credential update update parameter audiences: added property aaz_type=AAZListArg
⚠️ 1008 - ParaPropAdd identity federated-credential update cmd identity federated-credential update update parameter audiences: added property type=List<String>
⚠️ 1008 - ParaPropAdd identity federated-credential update cmd identity federated-credential update update parameter federated_credential_name: added property aaz_type=string
⚠️ 1008 - ParaPropAdd identity federated-credential update cmd identity federated-credential update update parameter federated_credential_name: added property type=string
⚠️ 1010 - ParaPropUpdate identity federated-credential update cmd identity federated-credential update update parameter federated_credential_name: updated property name from federated_credential_name to name
⚠️ 1008 - ParaPropAdd identity federated-credential update cmd identity federated-credential update update parameter identity_name: added property aaz_type=string
⚠️ 1008 - ParaPropAdd identity federated-credential update cmd identity federated-credential update update parameter identity_name: added property type=string
⚠️ 1008 - ParaPropAdd identity federated-credential update cmd identity federated-credential update update parameter issuer: added property aaz_type=string
⚠️ 1008 - ParaPropAdd identity federated-credential update cmd identity federated-credential update update parameter issuer: added property type=string
⚠️ 1008 - ParaPropAdd identity federated-credential update cmd identity federated-credential update update parameter resource_group_name: added property aaz_type=string
⚠️ 1008 - ParaPropAdd identity federated-credential update cmd identity federated-credential update update parameter resource_group_name: added property type=string
⚠️ 1010 - ParaPropUpdate identity federated-credential update cmd identity federated-credential update update parameter resource_group_name: updated property name from resource_group_name to resource_group
⚠️ 1008 - ParaPropAdd identity federated-credential update cmd identity federated-credential update update parameter subject: added property aaz_type=string
⚠️ 1008 - ParaPropAdd identity federated-credential update cmd identity federated-credential update update parameter subject: added property type=string

@yonzhan
Collaborator

yonzhan commented May 8, 2025

Thank you for your contribution! We will review the pull request and get back to you soon.

@github-actions

github-actions Bot commented May 8, 2025

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR.

Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
After that please run the following commands to enable git hooks:

pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>

@Sruuujaaan Sruuujaaan changed the title [Identity] Add support for claims matching expressions with 2025-01-31-PREVIEW API version [Identity] az identity federated-credential create: Add support for claims matching expressions with 2025-01-31-PREVIEW API version May 9, 2025
@Sruuujaaan Sruuujaaan changed the title [Identity] az identity federated-credential create: Add support for claims matching expressions with 2025-01-31-PREVIEW API version [Identity] az identity federated-credential create: Add support for claims matching expressions with 2025-01-31-PREVIEW API version May 9, 2025
@Sruuujaaan Sruuujaaan changed the title [Identity] az identity federated-credential create: Add support for claims matching expressions with 2025-01-31-PREVIEW API version [Identity] az identity federated-credential create: & az identity federated-credential update: Add support for claims matching expressions with 2025-01-31-PREVIEW API version May 9, 2025
@zhoxing-ms zhoxing-ms changed the title [Identity] az identity federated-credential create: & az identity federated-credential update: Add support for claims matching expressions with 2025-01-31-PREVIEW API version [Identity] az identity federated-credential create/update: Add support for claims matching expressions with 2025-01-31-PREVIEW API version May 12, 2025
@zhoxing-ms zhoxing-ms changed the title [Identity] az identity federated-credential create/update: Add support for claims matching expressions with 2025-01-31-PREVIEW API version [Identity] az identity federated-credential create/update: Add support for claims matching expressions May 12, 2025
zhoxing-ms previously approved these changes May 12, 2025
@zhoxing-ms
Contributor

/azp run

@azure-pipelines

Azure Pipelines successfully started running 3 pipeline(s).

@zhoxing-ms
Contributor

@Sruuujaaan Please take a look at these CI issues

@Sruuujaaan Sruuujaaan changed the title [Identity] az identity federated-credential create/update: Add support for claims matching expressions [Identity] az identity federated-credential create/update: Add support for claims matching expressions May 13, 2025
@Sruuujaaan
Member Author

/azp run

@azure-pipelines

Commenter does not have sufficient privileges for PR 31436 in repo Azure/azure-cli

@yonzhan
Collaborator

yonzhan commented May 13, 2025

/azp run

@azure-pipelines

Azure Pipelines successfully started running 3 pipeline(s).

@zhoxing-ms
Contributor

May I ask what changes have been introduced in this PR? If so, please add the corresponding tests

@Sruuujaaan
Member Author

/azp run

@azure-pipelines

Commenter does not have sufficient privileges for PR 31436 in repo Azure/azure-cli

@yonzhan
Collaborator

yonzhan commented May 13, 2025

/azp run

@azure-pipelines

Azure Pipelines successfully started running 3 pipeline(s).

@zhoxing-ms
Contributor

/azp run

@azure-pipelines

Azure Pipelines successfully started running 3 pipeline(s).

@Sruuujaaan
Member Author

@microsoft-github-policy-service agree

@zhoxing-ms zhoxing-ms merged commit c8a6ad1 into Azure:dev May 15, 2025
49 checks passed
Comment on lines -39 to -40
_default_audiences = ['api://AzureADTokenExchange']
audiences = _default_audiences if not audiences else audiences
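Review bot: Dropping these two lines removes the fallback that set `audiences` to `['api://AzureADTokenExchange']` when the caller omitted `--audiences`, and nothing visible in this region shows the AAZ-generated command re-applying that default. Every create and update command in the testing guide passes `--audiences api://AzureADTokenExchange` explicitly, so the omitted-audience path is never exercised. Suggest declaring the same default on the AAZ `audiences` argument and adding a scenario test that runs `az identity federated-credential create` without `--audiences` and asserts the stored audience.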

This issue #31598 is due to ignoring the default audience logic when migrating Code Gen. Could you submit a PR to resolve this issue? @Sruuujaaan



Labels

Auto-Assign Auto assign by bot Managed Identity For `az identity` only
