Add doc for MSAL-based Azure CLI (#2807)

docs-ref-conceptual/TOC.yml

@@ -9,15 +9,15 @@
     href: azure-services-the-azure-cli-can-manage.md
     displayName: >-
       into, introduction, matrix, azure products, products supported, services
-      App Configuration, App Service, Active Directory (AD), Backup, Cognitive Search, 
-      Cosmos DB, Data Lake Storage, Database, MariaDB, MySQL, PostgreSQL, PostgreSQL, 
-      DevOps, DevTest Labs, DNS, Functions, IoT, IoT Central, IoT Edge, IoT Hub, 
-      Kubernetes Service (AKS), Lab Services, Machine Learning, Managed Applications, 
-      Private Link, Resource Manager, Spring Cloud, SQL Database, Batch, Cognitive Services, 
-      Container Instances, Container Registry, Data Lake Analytics, Event Grid, Event Hubs, 
-      HDInsight, Key Vault, Load Balancer, Managed Disks, Media Services, 
-      Notification Hubs, Service Bus, Service Fabric, Storage Accounts, Traffic Manager, 
-      Virtual Machine Scale Sets, Virtual Network, Compute, Networking, Internet of Things, 
+      App Configuration, App Service, Active Directory (AD), Backup, Cognitive Search,
+      Cosmos DB, Data Lake Storage, Database, MariaDB, MySQL, PostgreSQL, PostgreSQL,
+      DevOps, DevTest Labs, DNS, Functions, IoT, IoT Central, IoT Edge, IoT Hub,
+      Kubernetes Service (AKS), Lab Services, Machine Learning, Managed Applications,
+      Private Link, Resource Manager, Spring Cloud, SQL Database, Batch, Cognitive Services,
+      Container Instances, Container Registry, Data Lake Analytics, Event Grid, Event Hubs,
+      HDInsight, Key Vault, Load Balancer, Managed Disks, Media Services,
+      Notification Hubs, Service Bus, Service Fabric, Storage Accounts, Traffic Manager,
+      Virtual Machine Scale Sets, Virtual Network, Compute, Networking, Internet of Things,
       Developer Tools, Databases, Analytics, Management and Governance, Hybrid, Storage, Security, AI + Machine Learning
   - name: Get started
     href: get-started-with-azure-cli.md
@@ -27,6 +27,9 @@
     displayName: core, extension, status, GA, public preview, experimental
   - name: Release notes
     href: release-notes-azure-cli.md?toc=%2fcli%2fazure%2ftoc.json&bc=%2fcli%2fazure%2fbreadcrumb%2ftoc.json
+  - name: MSAL-based Azure CLI
+    href: msal-based-azure-cli.md
+    displayName: MSAL, ADAL, authentication, encryption, accessTokens, az account get-access-token
   - name: CLI Versioning
     href: cli-versioning-identifiers.md
     displayName: version, classic, 2.0, 1.0, xplat
@@ -44,9 +47,6 @@
     - name: Install - Linux
       href: install-azure-cli-linux.md
       displayName: install, script, unix, bsd, linux, lfs, wsl, slackware, ubuntu, debian, mint, opensuse, suse, sles, leap, tumbleweed, rhel, redhat, red hat, fedora
-    - name: Install - beta
-      href: install-azure-cli-beta.md
-      displayName: install, beta
   - name: Update
     href: update-azure-cli.md
     displayName: update, upgrade
@@ -131,9 +131,6 @@
   - name: Work with multiple clouds
     href: manage-clouds-azure-cli.md?toc=%2fcli%2fazure%2ftoc.json&bc=%2fcli%2fazure%2fbreadcrumb%2ftoc.json
     displayName: region, china, germany, government, governance, stack
-  - name: Migrate to Azure Identity
-    href: migrate-to-azure-identity.md
-    displayName: accessTokens, ADAL, MSAL, az account get-access-token
   - name: Request support
     href: azure-cli-support-request.md
   - name: Deploy with templates
@@ -156,7 +153,7 @@
   items:
   - name: Azure Cosmos DB
     href: azure-cli-reference-for-cosmos-db.md
-    display: Azure Cosmos DB, SQL, MongoDB, Cassandra, Gremlin, Table, colleciton, database, identity, keys, network-rule, private-endpoint-connection, private-link-resource, restorable-database-account, managed-cassandra, cluster, datacenter  
+    display: Azure Cosmos DB, SQL, MongoDB, Cassandra, Gremlin, Table, colleciton, database, identity, keys, network-rule, private-endpoint-connection, private-link-resource, restorable-database-account, managed-cassandra, cluster, datacenter
   - name: Azure Data Share
     href: azure-cli-reference-for-data-share.md
     displayName: Azure Data Share, az datashare, Data Share
@@ -171,16 +168,16 @@
     displayName: IoT, az iot, az dt, az maps, az timeseriesinsights
   - name: Azure Monitor
     href: azure-cli-reference-for-monitor.md
-    display: Azure Monitor, az monitor, insights, application insights, log analytics, az app-insights, az log-analytics  
+    display: Azure Monitor, az monitor, insights, application insights, log analytics, az app-insights, az log-analytics
   - name: Azure Network
     href: azure-cli-reference-for-network.md
-    display: peering, asg, appliance, dns, endpoint, nat, nic, route, vmware, vnet, cross connection, express-route, vhub, vpn, vrouter, vwan, ib, ip, front-door, gateway, traffic, bastion, ddos, firewall    
+    display: peering, asg, appliance, dns, endpoint, nat, nic, route, vmware, vnet, cross connection, express-route, vhub, vpn, vrouter, vwan, ib, ip, front-door, gateway, traffic, bastion, ddos, firewall
   - name: Azure SQL
     href: azure-cli-reference-for-sql.md
     display: Azure SQL, Azure SQL Database, Azure SQL Managed Instance, SQL Server on Azure VM, SQL pool, database
   - name: Azure Storage
     href: azure-cli-reference-for-storage.md
-    display: Azure Storage, Azure Blob Storage, Azure Import/Export service, Azure Data Lake Storage Gen2   
+    display: Azure Storage, Azure Blob Storage, Azure Import/Export service, Azure Data Lake Storage Gen2
   - name: Azure Virtual Machines
     href: azure-cli-reference-for-virtual-machines.md
-    display: Azure Virtual Machines, Azure virtual machine scale set, shared image galleries, desktop virtualization 
+    display: Azure Virtual Machines, Azure virtual machine scale set, shared image galleries, desktop virtualization

docs-ref-conceptual/install-azure-cli-windows.md

@@ -29,23 +29,17 @@ The MSI distributable is used for installing or updating the Azure CLI on Window
 
 # [Microsoft Installer (MSI)](#tab/azure-cli)
 
-When the installer asks if it can make changes to your computer, click the "Yes" box.
+### Latest version
 
-### Current version
-
-Download and install the current release of the Azure CLI.  After the installation is complete, you will need to close and reopen any active Windows Command Prompt or PowerShell windows to use the Azure CLI.
+Download and install the latest release of the Azure CLI. When the installer asks if it can make changes to your computer, click the "Yes" box. After the installation is complete, you will need to close and reopen any active Windows Command Prompt or PowerShell windows to use the Azure CLI.
 
 > [!div class="nextstepaction"]
-> [Current release of the Azure CLI](https://aka.ms/installazurecliwindows)
+> [Latest release of the Azure CLI](https://aka.ms/installazurecliwindows)
 
 ### Specific version
 
 To download the MSI installer for specific version, change the version segment in URL `https://azcliprod.blob.core.windows.net/msi/azure-cli-<version>.msi` and download it. Available versions can be found at [Azure CLI release notes](/cli/azure/release-notes-azure-cli).
 
-### Azure CLI beta version
-
-The beta version of the Azure CLI supports all commands and will stay in sync with the current released version.  For installation instructions, see [Install Azure CLI beta version](install-azure-cli-beta.md).
-
 # [Microsoft Installer (MSI) with Command](#tab/azure-powershell)
 
 ### Powershell Command

docs-ref-conceptual/install-azure-cli.md

@@ -27,7 +27,6 @@ The Azure CLI is available to install in Windows, macOS and Linux environments.
   * [Install with dnf on RHEL, Fedora, or CentOS](/cli/azure/install-azure-cli-linux?pivots=yum)
   * [Install with zypper on openSUSE or SLE](/cli/azure/install-azure-cli-linux?pivots=zypper)
   * [Install from script](install-azure-cli-linux.md)
-* [Install beta version (all environments)](install-azure-cli-beta.md)
 * [Run in Docker container](run-azure-cli-docker.md)
 * [Run in Azure Cloud Shell](/azure/cloud-shell/quickstart)
 

docs-ref-conceptual/msal-based-azure-cli.md

@@ -0,0 +1,61 @@
+---
+title: MSAL-based Azure CLI | Microsoft Docs
+description: Learn about the MSAL-based Azure CLI.
+author: jiasli
+ms.author: jiasli
+manager: yonzhan
+ms.date: 10/28/2021
+ms.topic: conceptual
+ms.service: azure-cli
+ms.devlang: azurecli
+ms.custom: devx-track-azurecli, seo-azure-cli
+keywords: msal, msal-based azure cli
+---
+
+# MSAL-based Azure CLI
+
+Starting in version 2.30.0, Azure CLI uses [MSAL](https://github.com/AzureAD/microsoft-authentication-library-for-python) as the underlying authentication library. MSAL uses AAD v2.0 authentication flow to provide more functionality and increases security for token cache.
+
+> [!WARNING]
+> BREAKING CHANGES are introduced in Azure CLI 2.30.0. Carefully read document prior to installation.
+
+## `accessTokens.json` deprecation
+
+Previous versions of Azure CLI save ADAL tokens and service principal entries to `~/.azure/accessToken.json`. Latest versions of Azure CLI use MSAL and no longer generate `accessTokens.json`. Any existing workflow depending on `accessTokens.json` no longer works.
+
+The MSAL token cache and service principal entries are saved as encrypted files on Windows, and plaintext files on Linux and MacOS.
+
+## Alternatives to consider
+
+Below are several alternatives you may consider:
+
+### Calling `az account get-access-token`
+
+You can manually call [`az account get-access-token`](/cli/azure/account#az_account_get_access_token) in a terminal or use subprocess to call it from another programming language. By default, the returned access token is for Azure Resource Manager (ARM) and the default subscription/tenant shown in [`az account show`](/cli/azure/account#az_account_show).
+
+```azurecli
+# get the active subscription
+az account show --output table
+
+# get access token for the active subscription
+az account get-access-token
+
+# get access token for a specific subscription
+az account get-access-token --subscription "<subscription ID or name>"
+```
+
+### Using `AzureCliCredential`
+
+`AzureCliCredential` is a credential type in all existing language SDKs. It uses subprocess to call `az account get-access-token` to get an access token for the current logged-in account.
+
+## See also
+
+* MSAL
+  * [Overview of the Microsoft Authentication Library (MSAL)](/azure/active-directory/develop/msal-overview)
+  * [Migrate applications to the Microsoft Authentication Library (MSAL)](/azure/active-directory/develop/msal-migration)
+* Python
+  * [AzureCliCredential Class](/python/api/azure-identity/azure.identity.azureclicredential) in Python
+* .NET
+  * [AzureCliCredential Class](/dotnet/api/azure.identity.azureclicredential) in .NET
+* Java
+  * [AzureCliCredential Class](/java/api/com.azure.identity.azureclicredential) in Java