Announcing Azure PowerShell 5.0
Published Oct 27 2020 07:49 AM 10.7K Views

A major version is an opportunity to introduce several improvements that may not be compatible with the scripts that you have developed with a previous version. As always, we recommend that you read the migration guide to measure the impact of this new version on your environment.

Az 5.0 introduces the following fundamental changes:

  • Updated authentication
  • A security update for Az.KeyVault
  • Improved support for ACR (Azure Container Registry) and AKS (Azure Kubernetes Service)
  • New default behaviors for Az.KeyVault and Az.Functions

Azure PowerShell is open source. Community contributions are always welcome, but we have not done a good job of recognizing our contributors. Starting with this release, we will add entries to the release notes for PRs merged that were submitted by non-Microsoft employees!


Community contributions

  • @atul-ram, Update (#13176)
  • @dineshreddy007, Get the App Roles assigned correctly in case of Stack HCI registration using WAC token. (#13249)
  • @kongou-ae, Update (#13217)
  • Lohith Chowdary Chilukuri (@Lochiluk), Update (#13150)
  • Matthew Burleigh (@mburleigh), 6 PRs - Add links to PowerShell cmdlet referenced in the document (#13203, #13190, #13189, #13137, #13204, #13205)

Thank you for your contributions. We’re making Azure PowerShell better together!



With Az 5.0, Az.Accounts, the module performing the authentication to Azure, is now using the Microsoft Authentication Library (MSAL).

The only change visible to you is that the default login mechanism changes to interactive from device code for PowerShell 7. The device login mechanism remains available if you want to use it.

MSAL maintains a token cache and refreshes tokens when needed. The cache can be used by other applications also using MSAL, reducing the number of authentications required. You can now share the same authentication among Az PowerShell, Visual Studio 2019, and Azure CLI. (Note: at the time of writing this article, this is only supported with the Azure CLI beta).
When moving from ADAL to MSAL, we will also migrate the existing token making the migration to Az.Accounts 2.0 transparent.
We recommend considering performing the upgrade to Az.Accounts 2.x as soon as possible since some new Azure capabilities like continuous access evaluation will not be compatible with older versions.


Security update 

Under certain circumstances, the secret value of a KeyVault secret could be unintentionally displayed in the logs causing a security issue.
We removed the plain text property SecretValueText from the cmdlets that operate on KeyVault secrets. Your scripts will now need to use SecretValue (a SecureString) instead.
Since all Azure PowerShell cmdlets use SecureString or PSCredentials to manage confidential information, this change standardizes KeyVault secrets with other Azure PowerShell cmdlets. This comment indicates different method to convert a secure string to plain text depending on the version of PowerShell:


Improved support for ACR and AKS 

To better support customers with container workloads in Azure, we are working to improve the overall experience with the associated services in PowerShell.
With this release, we are introducing several breaking changes in Az.AKS and Az.ContainerRegistry:

  • The “Classic” SKU is no longer supported by Azure Container Registry. It has been removed from the list of supported values for ‘New-AzContainerRegistry’ along with the ‘StorageAccountName’ parameter.
  • We are changing the following default value to allow the creation of Windows Server containers by default and provide consistent behavior with Azure CLI:
    • NodeVmSetType’ from ‘AvailabilitySet to ‘VirtualMachineScaleSets’
    • NetworkPlugin’ from ‘None’ to ‘azure’
  • We removed the parameter ‘NodeOsType’ for ‘New-AzAksCluster’ since only one value was accepted.

You can help us prioritize the additional improvements we are planning for the coming weeks by logging feature requests in the azure-powershell GitHub repo:


New defaults for Key Vault and Functions 

Based on customer feedback, Azure services may need to change the default settings over time. This new version of Az introduces the following changes to default values:

  • Az.KeyVault: We removed parameters related to soft delete settings in the cmdlets to reflect the service deprecating the ability to opt-out of soft-delete.
  • Az.Functions: Following the end of support of PowerShell 6.2, the default runtime version in Functions version 3 is now PowerShell 7; PowerShell 6.2 is no longer a possible choice.


New modules

Our current priority is to add modules for the Azure services that do not have PowerShell support. Since the last major release, we have added the following 17 new modules:

Those modules are still in preview, hence not part of Az. Depending on the feedback we receive, our plan is to GA as many of them as possible in the coming weeks.
Try them out and provide feedback by logging issues in the azure-powershell GitHub repo:


Next steps 

We are continuing our effort to provide a PowerShell module for all Azure services. This will allow you to manage any Azure resource with PowerShell.

Soon, we will be announcing the preview of a new user interface for Azure PowerShell. The goal of this new interface is to make you more efficient with the Azure related cmdlets and parameters.
Follow our @azureposh Twitter account for continuous updates and interactions with the team.


Version history
Last update:
‎Oct 27 2020 08:51 AM
Updated by: