Azure · isra-fel · Mar 30, 2026 · Mar 3, 2026 · Mar 3, 2026 · Mar 3, 2026
diff --git a/src/Accounts/Accounts/ChangeLog.md b/src/Accounts/Accounts/ChangeLog.md
@@ -19,6 +19,9 @@
 -->
 
 ## Upcoming Release
+* Improved SSH certificate authentication for Az SSH cmdlets across all Azure clouds.
+    - SSH certificate authentication now works across all Azure clouds without configuring the `-SshAuthScope` parameter.
+    - The `-SshAuthScope` parameter in `Set-AzEnvironment` and `Add-AzEnvironment` does not take any effect.
 * Updated MSAL to 4.83.1 for bug fixes in IMDS endpoint cache.
 
 ## Version 5.3.3

diff --git a/src/Accounts/Accounts/Environment/AddAzureRMEnvironment.cs b/src/Accounts/Accounts/Environment/AddAzureRMEnvironment.cs
@@ -226,7 +226,7 @@ public string DataLakeAudience
         public string MicrosoftGraphUrl { get; set; }
 
         [Parameter(ParameterSetName = EnvironmentPropertiesParameterSet, Mandatory = false, ValueFromPipelineByPropertyName = true,
-            HelpMessage = "The scope for authentication when SSH to an Azure VM.")]
+            HelpMessage = "This parameter is deprecated and will be removed in a future release. The SSH authentication scope is now determined automatically and does not need to be configured.")]
         public string SshAuthScope { get; set; }
 
         protected override bool RequireDefaultContext()

diff --git a/src/Accounts/Accounts/Environment/SetAzureRMEnvironment.cs b/src/Accounts/Accounts/Environment/SetAzureRMEnvironment.cs
@@ -197,7 +197,7 @@ public string DataLakeAudience
         public string MicrosoftGraphUrl { get; set; }
 
         [Parameter(ParameterSetName = EnvironmentPropertiesParameterSet, Mandatory = false, ValueFromPipelineByPropertyName = true,
-            HelpMessage = "The scope for authentication when SSH to an Azure VM.")]
+            HelpMessage = "This parameter is deprecated and will be removed in a future release. The SSH authentication scope is now determined automatically and does not need to be configured.")]
         public string SshAuthScope { get; set; }
-        public string SshAuthScope { get; set; }
+        [Obsolete("This parameter is deprecated and is ignored. SSH authentication scope is determined automatically.")]
+        public string SshAuthScope
+        {
+            get
+            {
+                // This parameter is deprecated and intentionally ignored.
+                // Returning null ensures that any existing code paths that read this
+                // property will not use a user supplied value.
+                return null;
+            }
+            set
+            {
+                if (!string.IsNullOrEmpty(value))
+                {
+                    // Emit a warning so users know this parameter no longer affects SSH authentication.
+                    WriteWarning("The SshAuthScope parameter is deprecated and is ignored. SSH authentication scope is now determined automatically and does not need to be configured.");
+                }
+            }
+        }
-        public string SshAuthScope { get; set; }
+        [Obsolete("This parameter is deprecated and is ignored. SSH authentication scope is determined automatically.")]
+        public string SshAuthScope
+        {
+            get
+            {
+                // This parameter is deprecated and intentionally ignored.
+                // Returning null ensures that any existing code paths that read this
+                // property will not use a user supplied value.
+                return null;
+            }
+            set
+            {
+                if (!string.IsNullOrEmpty(value))
+                {
+                    // Emit a warning so users know this parameter no longer affects SSH authentication.
+                    WriteWarning("The SshAuthScope parameter is deprecated and is ignored. SSH authentication scope is now determined automatically and does not need to be configured.");
+                }
+            }
+        }
 
         protected override bool RequireDefaultContext()

diff --git a/src/Accounts/Accounts/help/Add-AzEnvironment.md b/src/Accounts/Accounts/help/Add-AzEnvironment.md
@@ -679,7 +679,7 @@ Accept wildcard characters: False
 ```
 
 ### -SshAuthScope
-The scope for authentication when SSH to an Azure VM.
+This parameter is deprecated and will be removed in a future release. The SSH authentication scope is now determined automatically and does not need to be configured.
 
 ```yaml
 Type: System.String

diff --git a/src/Accounts/Accounts/help/Set-AzEnvironment.md b/src/Accounts/Accounts/help/Set-AzEnvironment.md
@@ -601,7 +601,7 @@ Accept wildcard characters: False
 ```
 
 ### -SshAuthScope
-The scope for authentication when SSH to an Azure VM.
+This parameter is deprecated and will be removed in a future release. The SSH authentication scope is now determined automatically and does not need to be configured.
 
 ```yaml
 Type: System.String

diff --git a/src/Accounts/Authentication/Factories/SshCredentialFactory.cs b/src/Accounts/Authentication/Factories/SshCredentialFactory.cs
@@ -15,7 +15,6 @@
 using Microsoft.Azure.Commands.Common.Authentication.Abstractions;
 using Microsoft.Azure.Commands.Common.Authentication.Abstractions.Models;
 using Microsoft.Azure.Commands.Common.Authentication.Properties;
-using Microsoft.Azure.Commands.Common.Exceptions;
 using Microsoft.Identity.Client.SSHCertificates;
 using Microsoft.WindowsAzure.Commands.Utilities.Common;
 
@@ -30,13 +29,7 @@ namespace Microsoft.Azure.Commands.Common.Authentication.Factories
 {
     public class SshCredentialFactory : ISshCredentialFactory
     {
-        // kept for backward-compatibility
-        private readonly Dictionary<string, string> CloudToScope = new Dictionary<string, string>(StringComparer.InvariantCultureIgnoreCase)
-        {
-            { EnvironmentName.AzureCloud, AzureEnvironmentConstants.AzureSshAuthScope },
-            { EnvironmentName.AzureChinaCloud, AzureEnvironmentConstants.ChinaSshAuthScope },
-            { EnvironmentName.AzureUSGovernment, AzureEnvironmentConstants.USGovernmentSshAuthScope },
-        };
+        private const string AadSshLoginForLinuxServerAppId = "ce6ff14a-7fdc-4685-bbe0-f6afdfcfa8e0";
 
         private string CreateJwk(RSAParameters rsaKeyInfo, out string keyId)
         {
@@ -70,8 +63,7 @@ public SshCredential GetSshCredential(IAzureContext context, RSAParameters rsaKe
             }
 
             var publicClient = tokenCacheProvider.CreatePublicClient(context.Environment.ActiveDirectoryAuthority, context.Tenant.Id);
-            string scope = GetAuthScope(context.Environment)
-                ?? throw new AzPSKeyNotFoundException(string.Format(Resources.ErrorSshAuthScopeNotSet, context.Environment.Name));
+            string scope = GetAuthScope();
             List<string> scopes = new List<string>() { scope };
             var jwk = CreateJwk(rsaKeyInfo, out string keyId);
 
@@ -90,10 +82,9 @@ public SshCredential GetSshCredential(IAzureContext context, RSAParameters rsaKe
             return resultToken;
         }
 
-        private string GetAuthScope(IAzureEnvironment environment)
+        private string GetAuthScope()
         {
-            return environment.GetProperty(AzureEnvironment.ExtendedEndpoint.AzureSshAuthScope)
-                ?? CloudToScope.GetValueOrDefault(environment.Name.ToLower(), null);
+            return $"{AadSshLoginForLinuxServerAppId}/.default";
         }
     }
 }