[Enhancement Proposal] User and tenant isolation

[jiasli]

Issue

Currently, Azure CLI uses subscriptionId as the primary key to distinguish between accounts (stored in ~/.azure/azureProfile.json).

azure-cli/src/azure-cli-core/azure/cli/core/_profile.py

Lines 399 to 405 in 58c9f78

	def _get_key_name(account, secondary_key_name):
	return (account[_SUBSCRIPTION_ID] if secondary_key_name is None
	else '{}-{}'.format(account[_SUBSCRIPTION_ID], account[secondary_key_name]))
	def _match_account(account, subscription_id, secondary_key_name, secondary_key_val):
	return (account[_SUBSCRIPTION_ID] == subscription_id and
	(secondary_key_val is None or account[secondary_key_name] == secondary_key_val))

This causes problem when

1. az login is run twice with different accounts that have access to the same subscriptions. The subscriptions listed during the second az login will overwrite subscriptions from the first az login.
2. A subscription can be accessed in multiple tenants. Only the first occurrence is preserved and all subsequent occurrences are discarded. ([Core][Profile] Support lighthouse multi-tenant subscription #11886)
   

   azure-cli/src/azure-cli-core/azure/cli/core/_profile.py

   Lines 924 to 935 in 58c9f78

   	# When a subscription can be listed by multiple tenants, only the first appearance is retained
   	for sub_to_add in subscriptions:
   	add_sub = True
   	for sub_to_compare in all_subscriptions:
   	if sub_to_add.subscription_id == sub_to_compare.subscription_id:
   	logger.warning("Subscription %s '%s' can be accessed from tenants %s(default) and %s. "
   	"To select a specific tenant when accessing this subscription, "
   	"use 'az login --tenant TENANT_ID'.",
   	sub_to_add.subscription_id, sub_to_add.display_name,
   	sub_to_compare.tenant_id, sub_to_add.tenant_id)
   	add_sub = False
   	break

Proposal

1. CLI should use a combined primary key or 3-layer structure which consists of username + tenant_id + subscription_id.
2. CLI should support switching users with az account set --username.
3. CLI should support switching tenants with az account set --tenant.
4. The selected subscription should be saved for each user and each tenant, so that after switching users/tenants, the selected subscription is restored.

[yonzhan]

login Enhancement

[miqm]

@yonzhan - any ETA when this will be implemented?

[jiasli]

Thank you @miqm for your interest in feature. 😊 We will consider this feature in future planning with our PM @chasewilson.

[jiasli]

Now I more and more prefer keeping the current flattened subscription list and introducing combined primary key which consists of username + tenant_id + subscription_id, like what Azure PowerShell does.

Thus, we can keep the current interface of az account set --subscription. If the subscription can't be uniquely identified, --tenant or --username can be introduced and used.

[cveld]

@jiasli any progress?