The priority for Azure CLI and Azure PowerShell remains to provide our customers with the most complete, secure, and easy-to-use tools to manage Azure resources.
At Microsoft Ignite 2024, we are announcing the following new capabilities delivering on our priorities:
- Extending our coverage and upgrading command API versions.
- Security improvements.
- Investments in Copilot in Azure.
Extending our coverage
In the past six months, we have added or refreshed coverage for new or existing Azure services within 30 days of their general availability.
You will see new and updated command lines for ArcGateway, AzTerraform, ConnectedMachine, Fabric, Astro, Synapse, AppComplianceAutomation, Storage, App, and other modules.
Note: To use the associated commands, you need to install the Azure CLI extension or the Azure PowerShell module.
For details about all the commands that have been updated, as well as a complete list of the new features in this release for the Azure client tools, see the release notes for each tool:
- Azure CLI: https://learn.microsoft.com/cli/azure/release-notes-azure-cli
- Azure PowerShell: https://learn.microsoft.com/powershell/azure/release-notes-azureps
Credential detection in Azure CLI and Azure PowerShell output
We have been actively working on hardening your defense in depth with secrets awareness in Azure command line tools.
For Azure CLI and Azure PowerShell, in the past 6 months we have collaborated with our internal team to replace the verification pattern with the Azure secret common library, expanding the coverage types of patches and the range of command lines. Detection now covers almost 100% of command lines. Azure CLI and Azure PowerShell use the same detection logic, which is continually being upgraded.
We still encourage users to enable the environment parameter:
AZURE_CLIENTS_SHOW_SECRETS_WARNING=True (Default)
For Azure PowerShell only
Our team is gradually transitioning to using SecureString for tokens, account keys, and secrets, replacing the traditional string types. Currently, we offer an opt-in method for the Get-AzAccessToken command line, which does not introduce breaking changes:
Get-AzAccessToken -AsSecureString
We encourage users to utilize the -AsSecureString parameter to output tokens securely. Over the next year, we plan to implement this security method across more command lines, converting all keys, tokens, and similar data from string types to SecureString. Please note that when the command line output defaults to -AsSecureString mode, it may result in breaking changes. Therefore, we advise users to stay updated with our breaking change documentation.
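The following is an added example, not code from the Azure PowerShell team: it requests the token with -AsSecureString and hands it to a REST call without first turning it into a plain string where the host allows it. The function name, the ARM subscriptions endpoint and its api-version are assumptions chosen for illustration.

```powershell
# Added example, not code from the Azure PowerShell team.
# Assumes an existing Connect-AzAccount session. The function name, the ARM
# subscriptions endpoint and its api-version are illustrative choices.
function Get-ArmSubscriptionName {
    # .Token is a SecureString because of -AsSecureString.
    $secure = (Get-AzAccessToken -ResourceUrl 'https://management.azure.com/' -AsSecureString).Token
    $uri = 'https://management.azure.com/subscriptions?api-version=2022-12-01'

    if ($PSVersionTable.PSVersion.Major -ge 6) {
        # PowerShell 6+ accepts the SecureString as the bearer token directly,
        # so the script never holds the token as a plain string.
        $resp = Invoke-RestMethod -Uri $uri -Authentication Bearer -Token $secure
    }
    else {
        # Windows PowerShell 5.1 has no -Authentication/-Token parameters:
        # decrypt only at the call site and keep the plain value out of
        # output, logs and transcripts.
        $plain = [System.Net.NetworkCredential]::new('', $secure).Password
        try {
            $resp = Invoke-RestMethod -Uri $uri -Headers @{ Authorization = "Bearer $plain" }
        }
        finally {
            # Drops the reference only; the string can stay in memory until
            # the garbage collector reclaims it.
            Remove-Variable -Name plain
        }
    }
    $resp.value | ForEach-Object { $_.displayName }
}

Get-ArmSubscriptionName
```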
Support Azure Linux 3.0 for Azure CLI
Azure CLI has supported Azure Linux 3.0 since version 2.65.0. Azure Linux 3 users can install the CLI with:
tdnf install azure-cli
Starting from version 2.64.0 of Azure CLI, the base Linux distribution of Azure CLI is now Azure Linux 3.0.
It’s available at Microsoft Artifact Registry (MAR) https://mcr.microsoft.com/en-us/artifact/mar/azure-cli/about. You can get it with the below command:
docker pull mcr.microsoft.com/azure-cli
or
docker pull mcr.microsoft.com/azure-cli:azurelinux3.0
For further migration guidance, especially where GitHub Actions is involved, please see the blog for more details.
Deprecate SP with certificate with az login --password for Azure CLI
For az login, `--password` will no longer accept a service principal certificate in Azure CLI 2.67.0. Use `--certificate` to pass a service principal certificate.
# Logging in with secret should work as before
az login --service-principal --username xxx --password mysecret --tenant xxx
# Old way to log in with a certificate, will show a deprecation warning
az login --service-principal --username xxx --password ~/mycert.pem --tenant xxx
# New way to log in with a certificate
az login --service-principal --username xxx --certificate ~/mycert.pem --tenant xxx
Note:
To sign in with a certificate, the certificate must be available locally as a PEM or DER file in ASCII format. PKCS#12 files (.p12/.pfx) don't work.
When you use a PEM file, the PRIVATE KEY and CERTIFICATE must be appended together within the file. You don't need to prefix the path with an `@` like you do with other az commands.
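A pre-flight check for the PEM requirements in the note above, as an added example that is not part of the Azure CLI or its documentation. The function name Test-SpCertificatePem is hypothetical; it only looks for the two PEM blocks and the file extension, and does not validate the key or certificate themselves.

```powershell
# Added example, not part of Azure CLI. Test-SpCertificatePem is a
# hypothetical helper that emits one string per problem found.
function Test-SpCertificatePem {
    param([Parameter(Mandatory)][string] $Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        "file not found: $Path"
        return
    }
    # The note states that PKCS#12 files do not work with az login.
    if ([IO.Path]::GetExtension($Path) -in '.p12', '.pfx') {
        'PKCS#12 (.p12/.pfx) files are not accepted; use a PEM file'
        return
    }
    $text = Get-Content -LiteralPath $Path -Raw
    # Both blocks must be appended together in the same file.
    if ($text -notmatch '-----BEGIN CERTIFICATE-----') {
        'no CERTIFICATE block in file'
    }
    # Presence check only: covers headers such as "PRIVATE KEY" and
    # "RSA PRIVATE KEY", without checking key type or validity.
    if ($text -notmatch '-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----') {
        'no PRIVATE KEY block in file'
    }
}

# Same file name and xxx placeholders as the commands above.
$pem = Join-Path $HOME 'mycert.pem'
$problems = @(Test-SpCertificatePem -Path $pem)
if ($problems.Count -eq 0) {
    az login --service-principal --username xxx --certificate $pem --tenant xxx
}
else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```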
Azure PowerShell WAM Authentication Issues and Fixes
Since version Az 12.0.0, Azure PowerShell has supported Web Authentication Manager (WAM) as the default authentication mechanism. During this period, several critical issues affected users logging in interactively. These issues have been addressed and fixed by version 13.0.0, including:
- The WAM login interface failing to pop up, resulting in login failures.
- Login failures for users using the device-code authentication method.
- The "Work and school account" option not appearing in the WAM pop-up window.
- Incompatibility of the Export-AzSshConfig and Enter-AzVM commands from the Az.Ssh module when WAM is enabled.
For detailed announcements on specific issues, please refer to our "WAM issues and Workarounds" issue in azure-powershell.
In response to these WAM issues, our team has been actively fixing bugs, making improvements, and establishing monitoring and alert mechanisms with relevant teams to detect issues early and assess their impact. Additionally, we have integrated a baseline of test cases into the release pipeline.
We encourage users to enable the WAM function for security by using the command:
Update-AzConfig -EnableLoginByWam $true
If you encounter problems, please report them in Issues · Azure/azure-powershell.
Note:
Sovereign Cloud does not currently support WAM; we plan to implement this in the coming months.
Change in Azure CLI extension management
Starting with Azure CLI version 2.56.0, a new `--allow-preview` parameter was introduced for the extension installations, with its default value set to True. This change, as outlined in our extension versioning guidelines, helps distinguish between stable and preview versions, ensuring consistency across stable releases while still enabling the publication of preview features.
Beginning with version 2.67.0, Azure CLI will now install only stable versions of extension modules by default. If a later preview version of an extension is available, users will receive a warning message that explains how to enable preview versions by using the `--allow-preview` parameter.
Important Note:
If no stable version of an extension is available, preview versions will be installed by default, along with a warning message, like below, notifying users of this behavior.
"No stable version of 'xxx' to install. Preview versions are allowed."
Azure PowerShell Long Term Support releases (LTS) support
Azure PowerShell already supports both Standard Term Support releases (STS) and Long-Term Support releases (LTS). Users can choose the appropriate version according to their project needs: stay with an LTS version until the next LTS version, or upgrade to the latest version to experience new features. The following document details the definitions of LTS and STS. Beginning with Az 12, even numbered releases are LTS versions.
Azure PowerShell support lifecycle: Azure PowerShell support lifecycle | Microsoft Learn
Azure CLI will provide an LTS version in early 2025. More details can be found at Azure CLI lifecycle and support | Microsoft Learn.
Enhancement to Invoke-AzRestMethod in Azure PowerShell
Azure PowerShell 13.0.0 introduces major enhancements to the Invoke-AzRestMethod cmdlet, empowering users with a new option to enable long-running operations (LRO) and flexible control over operation status polling in complex Azure workflows.
Key Features of Invoke-AzRestMethod Enhancement:
- LRO Support with Enhanced Status Tracking: With the new -WaitForCompletion parameter, users can wait for the operations to complete and directly receive the final status. In debug mode, users can also monitor long-running operations (such as deployments or resource provisioning) and receive real-time status updates directly in their PowerShell session.
- Flexible Polling Options for Customized Control: The addition of the -PollFrom and -FinalResultFrom parameters enables users to define custom polling URIs and specify final result header sources, ensuring compatibility across various Azure resources and scenarios.
Example Usage:
Using the new -WaitForCompletion parameter, here’s how to create a Managed HSM (Hardware Security Module) and track its provisioning status until it’s fully completed:
Invoke-AzRestMethod -Method PUT -WaitForCompletion -Path "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/managedHSMs/{hsmName}"
This example monitors the creation of a Managed HSM, providing real-time updates throughout the longer provisioning process (in debug mode), ensuring the resource reaches a fully operational state.
For more details and examples, refer to the updated release notes: Azure PowerShell release notes
Azure CLI/PS scenarios with Copilot in Azure
In the second half of 2024, we improved Copilot in Azure's knowledge of Azure CLI commands and end-to-end scenarios so that it can answer questions related to Azure CLI commands or scripts, following our best practices.
In the past 6 months, we have optimized the following scenarios:
- Enhanced Prompt Flow and RAG architecture tailored for CLI script generation, ensuring higher command and scenario accuracy.
- Improved user intent recognition with hybrid search, enabling more precise retrieval of relevant knowledge from user queries.
- Supported parameter value injection, simplifying the process for customers to input parameter values and generate directly usable scripts on Copilot in Azure.
- Optimized the knowledge base to reduce hallucination issues.
- More accurately identified out-of-scope questions.
At the 2024 Ignite event, we also released a public preview of AI Shell, which lets you access Copilot in Azure to help answer any questions you have about Azure CLI or Azure PowerShell. For more information about the AI Shell release, please check out AI Shell.
To learn more about Microsoft Copilot for Azure and how it can help you, visit: Microsoft Copilot for Azure
Breaking Changes
The latest breaking change guidance documents can be found at the links below. Read the breaking changes migration guides to ensure your environment is ready to install the newest version of Azure CLI and Azure PowerShell.
Azure CLI: Release notes & updates – Azure CLI | Microsoft Learn
Azure PowerShell: Migration guide for Az 13.0.0 | Microsoft Learn
Milestone timelines:
Thank you for using the Azure command-line tools. We look forward to continuing to improve your experience. We hope you enjoy Ignite and all the great work released this week. We'd love to hear your feedback, so feel free to reach out anytime.
- Let's be in touch on X (Twitter) : @azureposh @AzureCli
Azure CLI and Azure PowerShell team