Replace hardcoded cloud-to-scope mappings with static SSH auth scope and deprecate SshAuthScope parameter (#29228)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: isra-fel <11371776+isra-fel@users.noreply.github.com>

Author: 2 people

src/Accounts/Accounts/ChangeLog.md

@@ -19,6 +19,9 @@
 -->
 
 ## Upcoming Release
+* Improved SSH certificate authentication for Az SSH cmdlets across all Azure clouds.
+    - SSH certificate authentication now works across all Azure clouds without configuring the `-SshAuthScope` parameter.
+    - The `-SshAuthScope` parameter in `Set-AzEnvironment` and `Add-AzEnvironment` does not take any effect.
 * Updated MSAL to 4.83.1 for bug fixes in IMDS endpoint cache.
 
 ## Version 5.3.3

src/Accounts/Accounts/Environment/AddAzureRMEnvironment.cs

@@ -226,7 +226,7 @@ public string DataLakeAudience
         public string MicrosoftGraphUrl { get; set; }
 
         [Parameter(ParameterSetName = EnvironmentPropertiesParameterSet, Mandatory = false, ValueFromPipelineByPropertyName = true,
-            HelpMessage = "The scope for authentication when SSH to an Azure VM.")]
+            HelpMessage = "This parameter is deprecated and will be removed in a future release. The SSH authentication scope is now determined automatically and does not need to be configured.")]
         public string SshAuthScope { get; set; }
 
         protected override bool RequireDefaultContext()

src/Accounts/Accounts/Environment/SetAzureRMEnvironment.cs

@@ -197,7 +197,7 @@ public string DataLakeAudience
         public string MicrosoftGraphUrl { get; set; }
 
         [Parameter(ParameterSetName = EnvironmentPropertiesParameterSet, Mandatory = false, ValueFromPipelineByPropertyName = true,
-            HelpMessage = "The scope for authentication when SSH to an Azure VM.")]
+            HelpMessage = "This parameter is deprecated and will be removed in a future release. The SSH authentication scope is now determined automatically and does not need to be configured.")]
         public string SshAuthScope { get; set; }
 
         protected override bool RequireDefaultContext()

src/Accounts/Accounts/help/Add-AzEnvironment.md

@@ -679,7 +679,7 @@ Accept wildcard characters: False
 ```
 
 ### -SshAuthScope
-The scope for authentication when SSH to an Azure VM.
+This parameter is deprecated and will be removed in a future release. The SSH authentication scope is now determined automatically and does not need to be configured.
 
 ```yaml
 Type: System.String

src/Accounts/Accounts/help/Set-AzEnvironment.md

@@ -601,7 +601,7 @@ Accept wildcard characters: False
 ```
 
 ### -SshAuthScope
-The scope for authentication when SSH to an Azure VM.
+This parameter is deprecated and will be removed in a future release. The SSH authentication scope is now determined automatically and does not need to be configured.
 
 ```yaml
 Type: System.String

src/Accounts/Authentication/Factories/SshCredentialFactory.cs

@@ -15,7 +15,6 @@
 using Microsoft.Azure.Commands.Common.Authentication.Abstractions;
 using Microsoft.Azure.Commands.Common.Authentication.Abstractions.Models;
 using Microsoft.Azure.Commands.Common.Authentication.Properties;
-using Microsoft.Azure.Commands.Common.Exceptions;
 using Microsoft.Identity.Client.SSHCertificates;
 using Microsoft.WindowsAzure.Commands.Utilities.Common;
 
@@ -30,13 +29,7 @@ namespace Microsoft.Azure.Commands.Common.Authentication.Factories
 {
     public class SshCredentialFactory : ISshCredentialFactory
     {
-        // kept for backward-compatibility
-        private readonly Dictionary<string, string> CloudToScope = new Dictionary<string, string>(StringComparer.InvariantCultureIgnoreCase)
-        {
-            { EnvironmentName.AzureCloud, AzureEnvironmentConstants.AzureSshAuthScope },
-            { EnvironmentName.AzureChinaCloud, AzureEnvironmentConstants.ChinaSshAuthScope },
-            { EnvironmentName.AzureUSGovernment, AzureEnvironmentConstants.USGovernmentSshAuthScope },
-        };
+        private const string AadSshLoginForLinuxServerAppId = "ce6ff14a-7fdc-4685-bbe0-f6afdfcfa8e0";
 
         private string CreateJwk(RSAParameters rsaKeyInfo, out string keyId)
         {
@@ -70,8 +63,7 @@ public SshCredential GetSshCredential(IAzureContext context, RSAParameters rsaKe
             }
 
             var publicClient = tokenCacheProvider.CreatePublicClient(context.Environment.ActiveDirectoryAuthority, context.Tenant.Id);
-            string scope = GetAuthScope(context.Environment)
-                ?? throw new AzPSKeyNotFoundException(string.Format(Resources.ErrorSshAuthScopeNotSet, context.Environment.Name));
+            string scope = GetAuthScope();
             List<string> scopes = new List<string>() { scope };
             var jwk = CreateJwk(rsaKeyInfo, out string keyId);
 
@@ -90,10 +82,9 @@ public SshCredential GetSshCredential(IAzureContext context, RSAParameters rsaKe
             return resultToken;
         }
 
-        private string GetAuthScope(IAzureEnvironment environment)
+        private string GetAuthScope()
         {
-            return environment.GetProperty(AzureEnvironment.ExtendedEndpoint.AzureSshAuthScope)
-                ?? CloudToScope.GetValueOrDefault(environment.Name.ToLower(), null);
+            return $"{AadSshLoginForLinuxServerAppId}/.default";
         }
     }
 }