Use --client-id for user-assigned managed identity authentication in Azure CLI v2.69.0 or later. (#514)

* Bump braces from 3.0.2 to 3.0.3

Bumps [braces](https://github.com/micromatch/braces) from 3.0.2 to 3.0.3.
- [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md)
- [Commits](https://github.com/micromatch/braces/compare/3.0.2...3.0.3)

---
updated-dependencies:
- dependency-name: braces
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

* remove libicu and update powershell version

* apt install libicu72

* change installation url

* fix typo

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: MoChilia <chenshiyingcn@163.com>
Co-authored-by: Shiying Chen <shiyingchen@microsoft.com>

.github/workflows/auto-triage-issues

@@ -1,21 +0,0 @@
-name: "Auto-Labelling Issues"
-on:
-  issues:
-    types: [opened, edited]
-
-jobs:
-  auto_label:
-    runs-on: ubuntu-latest
-    name: Auto-Labelling Issues
-    steps:
-    - name: Label Step
-      uses: larrylawl/Auto-Github-Issue-Labeller@v1.0
-      with:
-        GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
-        REPOSITORY: ${{github.repository}}
-        DELTA: "7"
-        CONFIDENCE: "2"
-        FEATURE: "enhancement"
-        BUG: "bug"
-        DOCS: "documentation"
-        

.github/workflows/azure-login-canary.yml

@@ -0,0 +1,92 @@
+#This workflow is used to test azure login action for CLI edge build. Visit, https://github.com/Azure/azure-cli#edge-builds for more details.
+
+name: Run Azure Login Canary Test
+on: 
+  workflow_dispatch:
+  schedule:
+    - cron:  ' 0 8 * * *'  
+permissions:
+      id-token: write
+      contents: read
+jobs: 
+  az-login-test:
+    runs-on: ubuntu-latest
+    steps:
+      - name : Check Az version before installing
+        run: az --version
+        
+      - name: Installing Az CLI Edge build 
+        run: |
+           cd ../..
+           CWD="$(pwd)"
+           python3 -m venv canary-venv
+           . canary-venv/bin/activate
+           echo "***********activated virual environment**********" 
+           python3 -m pip install --upgrade pip
+           echo "***************started installing cli edge build******************"
+           pip3 install -q --upgrade --pre azure-cli --extra-index-url https://azurecliprod.blob.core.windows.net/edge --no-cache-dir --upgrade-strategy=eager
+           echo "***************installed cli Edge build*******************"    
+           echo "$CWD/canary-venv/bin" >> $GITHUB_PATH
+           az --version
+           
+      - name: Check out repository
+        uses: actions/checkout@v4
+        
+      - name: 'Az CLI login with subscription'
+        uses: azure/login@v1
+        with:
+          creds: ${{ secrets.AZURE_CREDENTIALS }}
+          
+      - run: |
+          az account show --output none
+          
+      - name: 'Az CLI login without subscription'
+        uses: azure/login@v1
+        with:
+          creds: ${{ secrets.AZURE_CREDENTIALS }}
+          allow-no-subscriptions: true
+          
+      - run: |
+          az account show --output none
+          
+      - name: 'Az CLI login with subscription OIDC'
+        uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.AZURE_CLIENTID }}
+          tenant-id: ${{ secrets.AZURE_TENANTID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTIONID }} 
+        
+      - run: |
+          az account show --output none
+          
+      - name: 'Az CLI login without subscription OIDC'
+        uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.AZURE_CLIENTID }}
+          tenant-id: ${{ secrets.AZURE_TENANTID }}
+          allow-no-subscriptions: true
+          
+      - run: |
+          az account show --output none
+          
+  slack-post-result:
+        runs-on: ubuntu-latest
+#         continue-on-error: true
+        if: ${{ always() }}
+        needs: [az-login-test]
+        steps:
+          - name: Create slack post
+            id: slack_report
+            run: |
+              TITLE="Login action canary tests update - "
+              DATEVAR=`date "+%d/%m/%YT%H:%M:%S"`
+              TITLE="${TITLE}${DATEVAR}"
+              REPORT="${TITLE}\r\nLink to run - https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID\r\n" 
+              RUN_URL="https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID"
+              REPORT="${REPORT}\r\n"
+              if [ ${{needs.az-login-test.result}} == 'success' ]; then REPORT="${REPORT}\r\n|✅|<${RUN_URL}|az-login-test>"; else REPORT="${REPORT}\r\n|❌|<${RUN_URL}|az-login-test>"; fi
+              echo "report=$REPORT" >> $GITHUB_OUTPUT
+          - name: Post to slack
+            shell: bash
+            run: curl -X POST -H 'Content-type:application/json' --data '{"blocks":[{"type":"section","text":{"type":"mrkdwn","text":"${{steps.slack_report.outputs.report}}"}}]}' https://hooks.slack.com/services/${{SECRETS.SLACK_CHANNEL_SECRET}}
+

.github/workflows/azure-login-integration-tests.yml

@@ -0,0 +1,129 @@
+name: Run Azure Login Integration Tests
+on: 
+  workflow_dispatch:
+  schedule:
+    - cron:  '0 */3 * * *'
+permissions:
+      id-token: write
+      contents: write
+
+jobs: 
+
+  az-login-test-non-oidc:
+    runs-on: ubuntu-latest
+#     continue-on-error: true
+    steps:
+      - name: 'Az CLI login with subscription'
+        uses: azure/login@v1
+        with:
+          creds: ${{ secrets.AZURE_CREDENTIALS }}
+          
+      - run: |
+          az account show --output none
+          az vm list --output none
+          
+      - name: 'Az CLI login without subscription'
+        uses: azure/login@v1
+        with:
+          creds: ${{ secrets.AZURE_CREDENTIALS }}
+          allow-no-subscriptions: true
+          
+      - run: |
+          az account show --output none
+          
+      - name: 'Azure PowerShell login with subscription'
+        uses: azure/login@v1
+        with:
+          creds: ${{ secrets.AZURE_CREDENTIALS }}
+          enable-AzPSSession: true
+          
+      - uses: azure/powershell@v1
+        with:
+          inlineScript: "(Get-AzContext).Environment.Name"
+          azPSVersion: "latest"
+          
+      - name: 'Azure PowerShell login without subscription'
+        uses: azure/login@v1
+        with:
+          creds: ${{secrets.AZURE_CREDENTIALS}}
+          enable-AzPSSession: true
+          allow-no-subscriptions: true
+        
+      - uses: azure/powershell@v1
+        with:
+          inlineScript: "(Get-AzContext).Environment.Name"
+          azPSVersion: "latest"
+
+  az-login-test-oidc:
+    runs-on: ubuntu-latest
+#     continue-on-error: true
+    steps:
+      - name: 'Az CLI login with subscription'
+        uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.AZURE_CLIENTID }}
+          tenant-id: ${{ secrets.AZURE_TENANTID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTIONID }} 
+        
+      - run: |
+          az account show --output none
+          az vm list --output none
+          
+      - name: 'Az CLI login without subscription'
+        uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.AZURE_CLIENTID }}
+          tenant-id: ${{ secrets.AZURE_TENANTID }}
+          allow-no-subscriptions: true
+          
+      - run: |
+          az account show --output none
+          
+      - name: 'Azure PowerShell login with subscription'
+        uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.AZURE_CLIENTID }}
+          tenant-id: ${{ secrets.AZURE_TENANTID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTIONID }} 
+          enable-AzPSSession: true
+          
+      - uses: azure/powershell@v1
+        with:
+          inlineScript: "(Get-AzContext).Environment.Name"
+          azPSVersion: "latest"
+          
+      - name: 'Azure PowerShell login without subscription'
+        uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.AZURE_CLIENTID }}
+          tenant-id: ${{ secrets.AZURE_TENANTID }}
+          enable-AzPSSession: true
+          allow-no-subscriptions: true
+        
+      - uses: azure/powershell@v1
+        with:
+          inlineScript: "(Get-AzContext).Environment.Name"
+          azPSVersion: "latest"
+          
+  slack-post-result:
+        runs-on: ubuntu-latest
+#         continue-on-error: true
+        if: ${{ always() }}
+        needs: [az-login-test-non-oidc, az-login-test-oidc]
+        steps:
+          - name: Create slack post
+            id: slack_report
+            run: |
+              TITLE="Login action OIDC flow tests update - "
+              DATEVAR=`date "+%d/%m/%YT%H:%M:%S"`
+              TITLE="${TITLE}${DATEVAR}"
+              REPORT="${TITLE}\r\nLink to run - https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID\r\n" 
+              RUN_URL="https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID"
+              REPORT="${REPORT}\r\n"
+              if [ ${{needs.az-login-test-non-oidc.result}} == 'success' ]; then REPORT="${REPORT}\r\n|✅|<${RUN_URL}|az-login-test-non-oidc>"; else REPORT="${REPORT}\r\n|❌|<${RUN_URL}|az-login-test-non-oidc>"; fi
+              if [ ${{needs.az-login-test-oidc.result}} == 'success' ]; then REPORT="${REPORT}\r\n|✅|<${RUN_URL}|az-login-test-oidc>"; else REPORT="${REPORT}\r\n|❌|<${RUN_URL}|az-login-test-oidc>"; fi
+              echo "report=$REPORT" >> $GITHUB_OUTPUT
+
+          - name: Post to slack
+            shell: bash
+            run: curl -X POST -H 'Content-type:application/json' --data '{"blocks":[{"type":"section","text":{"type":"mrkdwn","text":"${{steps.slack_report.outputs.report}}"}}]}' https://hooks.slack.com/services/${{SECRETS.SLACK_CHANNEL_SECRET}}

.github/workflows/azure-login-negative.yml

@@ -0,0 +1,335 @@
+name: Azure Login Action Negative Test
+on:
+  workflow_dispatch:
+  push:
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+
+  PermissionTest:
+    strategy:
+      matrix:
+        os: [ubuntu-latest, windows-latest]
+    runs-on: ${{ matrix.os }}
+    environment: Automation test
+
+    steps:
+
+    - name: 'Checking out repo code'
+      uses: actions/checkout@v4
+
+    - name: Set Node.js 20.x for GitHub Action
+      uses: actions/setup-node@v4
+      with:
+        node-version: 20.x
+
+    - name: 'Validate build'
+      run: |
+        npm install
+        npm run build
+
+    - name: Login with individual parameters
+      uses: ./
+      with:
+        client-id: ${{ secrets.OIDC_SP2_CLIENT_ID }}
+        tenant-id: ${{ secrets.OIDC_SP2_TENANT_ID }}
+        # subscription-id: ${{ secrets.OIDC_SP2_SUBSCRIPTION_ID }}
+        allow-no-subscriptions: true
+        enable-AzPSSession: true
+
+    - name: Run Azure Cli
+      id: cli_3
+      continue-on-error: true
+      run: |
+        az account show --output none
+        az group show --name GitHubAction_CI_RG --output none
+        az vm list --output none
+
+    - name: Check Last step failed
+      if: steps.cli_3.outcome == 'success'
+      uses: actions/github-script@v7
+      with:
+          script: |
+            core.setFailed('Last action should fail but not. Please check it.')
+
+    - name: Run Azure PowerShell
+      id: ps_3
+      continue-on-error: true
+      uses: azure/powershell@v1
+      with:
+        azPSVersion: "latest"
+        inlineScript: |
+          (Get-AzContext).Environment.Name -eq 'AzureCloud'
+          (Get-AzResourceGroup -Name GitHubAction_CI_RG).ResourceGroupName -eq 'GitHubAction_CI_RG'
+          (Get-AzVM).Count -gt 0
+
+    - name: Check Last step failed
+      if: steps.ps_3.outcome == 'success'
+      uses: actions/github-script@v7
+      with:
+          script: |
+            core.setFailed('Last action should fail but not. Please check it.')
+
+  ParameterTest:
+    strategy:
+      matrix:
+        os: [ubuntu-latest, windows-latest]
+    runs-on: ${{ matrix.os }}
+    environment: Automation test
+
+    steps:
+    - name: 'Checking out repo code'
+      uses: actions/checkout@v4
+
+    - name: Set Node.js 20.x for GitHub Action
+      uses: actions/setup-node@v4
+      with:
+        node-version: 20.x
+
+    - name: 'Validate build'
+      run: |
+        npm install
+        npm run build
+
+    - name: Login with creds, missing parameters in creds
+      id: login_4
+      continue-on-error: true
+      uses: ./
+      with:
+        creds: ${{secrets.SP3_NO_Secret}}
+        enable-AzPSSession: true
+
+    - name: Check Last step failed
+      if: steps.login_4.outcome == 'success'
+      uses: actions/github-script@v7
+      with:
+          script: |
+            core.setFailed('Last action should fail but not. Please check it.')
+
+    - name: Login with creds, wrong keys
+      id: login_5
+      continue-on-error: true
+      uses: ./
+      with:
+        creds: ${{secrets.SP4_Wrong_Key}}
+        enable-AzPSSession: true
+
+    - name: Check Last step failed
+      if: steps.login_5.outcome == 'success'
+      uses: actions/github-script@v7
+      with:
+          script: |
+            core.setFailed('Last action should fail but not. Please check it.')
+
+    - name: Login with creds, no creds or individual parameters
+      id: login_6
+      continue-on-error: true
+      uses: ./
+      with:
+        enable-AzPSSession: true
+
+    - name: Check Last step failed
+      if: steps.login_6.outcome == 'success'
+      uses: actions/github-script@v7
+      with:
+          script: |
+            core.setFailed('Last action should fail but not. Please check it.')
+
+    - name: Login with individual parameters, only client-id, no tenant-id, subscription-id
+      id: login_7
+      continue-on-error: true
+      uses: ./
+      with:
+        client-id: ${{ secrets.OIDC_SP2_CLIENT_ID }}
+        allow-no-subscriptions: true
+        enable-AzPSSession: true
+
+    - name: Check Last step failed
+      if: steps.login_7.outcome == 'success'
+      uses: actions/github-script@v7
+      with:
+          script: |
+            core.setFailed('Last action should fail but not. Please check it.')
+
+    - name: Login with individual parameters, only tenant-id, subscription-id, no client-id
+      id: login_8
+      continue-on-error: true
+      uses: ./
+      with:
+        tenant-id: ${{ secrets.OIDC_SP2_TENANT_ID }}
+        subscription-id: ${{ secrets.OIDC_SP2_SUBSCRIPTION_ID }}
+        allow-no-subscriptions: true
+        enable-AzPSSession: true
+
+    - name: Check Last step failed
+      if: steps.login_8.outcome == 'success'
+      uses: actions/github-script@v7
+      with:
+          script: |
+            core.setFailed('Last action should fail but not. Please check it.')
+
+    - name: Login with creds, disable ps session
+      uses: ./
+      with:
+        creds: ${{secrets.SP1}}
+        enable-AzPSSession: false
+
+    - name: Run Azure Cli 
+      run: |
+        az account show --output none
+        az group show --name GitHubAction_CI_RG --output none
+        az vm list --output none
+
+    - name: Run Azure PowerShell
+      id: ps_8
+      continue-on-error: true
+      uses: azure/powershell@v1
+      with:
+        azPSVersion: "latest"
+        inlineScript: |
+          (Get-AzContext).Environment.Name -eq 'AzureCloud'
+          (Get-AzResourceGroup -Name GitHubAction_CI_RG).ResourceGroupName -eq 'GitHubAction_CI_RG'
+          (Get-AzVM).Count -gt 0
+
+    - name: Check Last step failed
+      if: steps.ps_8.outcome == 'success'
+      uses: actions/github-script@v7
+      with:
+          script: |
+            core.setFailed('Last action should fail but not. Please check it.')
+
+    - name: Login with creds, wrong boolean value
+      uses: ./
+      with:
+        creds: ${{secrets.SP1}}
+        enable-AzPSSession: notboolean
+
+    - name: Run Azure Cli 
+      run: |
+        az account show --output none
+        az group show --name GitHubAction_CI_RG --output none
+        az vm list --output none
+
+    - name: Run Azure PowerShell
+      id: ps_9
+      continue-on-error: true
+      uses: azure/powershell@v1
+      with:
+        azPSVersion: "latest"
+        inlineScript: |
+          (Get-AzContext).Environment.Name -eq 'AzureCloud'
+          (Get-AzResourceGroup -Name GitHubAction_CI_RG).ResourceGroupName -eq 'GitHubAction_CI_RG'
+          (Get-AzVM).Count -gt 0
+
+    - name: Check Last step failed
+      if: steps.ps_9.outcome == 'success'
+      uses: actions/github-script@v7
+      with:
+          script: |
+            core.setFailed('Last action should fail but not. Please check it.')
+
+    - name: Login with individual parameters, with a wrong audience
+      id: login_10
+      continue-on-error: true
+      uses: ./
+      with:
+        client-id: ${{ secrets.OIDC_SP2_CLIENT_ID }}
+        tenant-id: ${{ secrets.OIDC_SP2_TENANT_ID }}
+        subscription-id: ${{ secrets.OIDC_SP2_SUBSCRIPTION_ID }}
+        audience: "https://github.com/actions"
+        allow-no-subscriptions: true
+        enable-AzPSSession: true
+
+    - name: Check Last step failed
+      if: steps.login_10.outcome == 'success'
+      uses: actions/github-script@v7
+      with:
+          script: |
+            core.setFailed('Last action should fail but not. Please check it.')
+
+    - name: Login with tenant-level account, without allow-no-subscriptions
+      id: login_11
+      continue-on-error: true
+      uses: ./
+      with:
+        client-id: ${{ secrets.OIDC_SP2_CLIENT_ID }}
+        tenant-id: ${{ secrets.OIDC_SP2_TENANT_ID }}
+        subscription-id: ${{ secrets.OIDC_SP2_SUBSCRIPTION_ID }}
+        enable-AzPSSession: true
+
+    - name: Check Last step failed
+      if: steps.login_11.outcome == 'success'
+      uses: actions/github-script@v7
+      with:
+          script: |
+            core.setFailed('Last action should fail but not. Please check it.')
+
+    # SP1 is ignored and SP2 will be used for login, but it will fail since SP2 has no access to the given subscription
+    - name: Login with both creds and individual parameters
+      id: login_12
+      continue-on-error: true
+      uses: ./
+      with:
+        creds: ${{secrets.SP1}}
+        client-id: ${{ secrets.OIDC_SP2_CLIENT_ID }}
+        tenant-id: ${{ secrets.OIDC_SP2_TENANT_ID }}
+        subscription-id: ${{ secrets.OIDC_SP2_SUBSCRIPTION_ID }}
+        allow-no-subscriptions: true
+        enable-AzPSSession: true
+    
+    - name: Check Last step failed
+      if: steps.login_12.outcome == 'success'
+      uses: actions/github-script@v7
+      with:
+          script: |
+            core.setFailed('Last action should fail but not. Please check it.')
+
+    - name: Login by OIDC with all info in creds 
+      id: login_13
+      continue-on-error: true
+      uses: ./
+      with:
+        creds: ${{secrets.SP2}}
+        allow-no-subscriptions: true
+        enable-AzPSSession: true
+      
+    - name: Check Last step failed
+      if: steps.login_13.outcome == 'success'
+      uses: actions/github-script@v7
+      with:
+          script: |
+            core.setFailed('Last action should fail but not. Please check it.')
+    
+    - name: Login with individual parameters, no subscription-id, no allow-no-subscriptions
+      id: login_14
+      continue-on-error: true
+      uses: ./
+      with:
+        client-id: ${{ secrets.OIDC_SP2_CLIENT_ID }}
+        tenant-id: ${{ secrets.OIDC_SP2_TENANT_ID }}
+        enable-AzPSSession: true
+
+    - name: Check Last step failed
+      if: steps.login_14.outcome == 'success'
+      uses: actions/github-script@v7
+      with:
+          script: |
+            core.setFailed('Last action should fail but not. Please check it.')
+    
+    - name: Login with creds, no subscription-id, no allow-no-subscriptions
+      id: login_15
+      continue-on-error: true
+      uses: ./
+      with:
+        creds: '{"clientId":"${{ secrets.OIDC_SP2_CLIENT_ID }}","clientSecret":"${{ secrets.SP2_CLIENT_SECRET }}","tenantId":"${{ secrets.OIDC_SP2_TENANT_ID }}"}'
+        enable-AzPSSession: true
+
+    - name: Check Last step failed
+      if: steps.login_15.outcome == 'success'
+      uses: actions/github-script@v7
+      with:
+          script: |
+            core.setFailed('Last action should fail but not. Please check it.')

.github/workflows/azure-login-positive.yml

@@ -0,0 +1,315 @@
+name: Azure Login Action Positive Test
+on:
+  workflow_dispatch:
+  push:
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+
+  BasicTest:
+    strategy:
+      matrix:
+        os: [ubuntu-latest, windows-latest, macos-latest]
+    runs-on: ${{ matrix.os }}
+    environment: Automation test
+
+    steps:
+    - name: 'Checking out repo code'
+      uses: actions/checkout@v4
+
+    - name: Set Node.js 20.x for GitHub Action
+      uses: actions/setup-node@v4
+      with:
+        node-version: 20.x
+
+    - name: 'Validate build'
+      run: |
+        npm install
+        npm run build
+        
+    - name: 'Run L0 tests'
+      run: |
+        npm run test
+
+    - name: Login with creds
+      uses: ./
+      with:
+        creds: ${{secrets.SP1}}
+        enable-AzPSSession: true
+
+    - name: Run Azure Cli
+      run: |
+        az account show --output none
+        az group show --name GitHubAction_CI_RG --output none
+        az vm list --output none
+
+    - name: Run Azure PowerShell
+      uses: azure/powershell@v2
+      with:
+        azPSVersion: "latest"
+        inlineScript: |
+            $checkResult = (Get-AzContext).Environment.Name -eq 'AzureCloud'
+            if(-not $checkResult){
+                throw "Not all checks passed!"
+            }
+
+    - name: Login with individual parameters
+      uses: ./
+      with:
+        client-id: ${{ secrets.SP1_CLIENT_ID }}
+        tenant-id: ${{ secrets.SP1_TENANT_ID }}
+        subscription-id: ${{ secrets.SP1_SUBSCRIPTION_ID }}
+        enable-AzPSSession: true
+
+    - name: Run Azure Cli again
+      run: |
+        az account show --output none
+
+    - name: Run Azure PowerShell again
+      uses: azure/powershell@v2
+      with:
+        azPSVersion: "latest"
+        inlineScript: |
+            $checkResult = (Get-AzContext).Environment.Name -eq 'AzureCloud'
+            if(-not $checkResult){
+                throw "Not all checks passed!"
+            }
+
+    - name: Login with explicit auth-type
+      uses: ./
+      with:
+        creds: ${{secrets.SP1}}
+        auth-type: SERVICE_PRINCIPAL
+        enable-AzPSSession: true
+
+    - name: Run Azure Cli
+      run: |
+        az account show --output none
+        az group show --name GitHubAction_CI_RG --output none
+        az vm list --output none
+
+    - name: Run Azure PowerShell
+      uses: azure/powershell@v2
+      with:
+        azPSVersion: "latest"
+        inlineScript: |
+            $checkResult = (Get-AzContext).Environment.Name -eq 'AzureCloud'
+            if(-not $checkResult){
+                throw "Not all checks passed!"
+            }
+
+  ParameterTest:
+    strategy:
+      matrix:
+        os: [ubuntu-latest, windows-latest, macos-latest]
+    runs-on: ${{ matrix.os }}
+    environment: Automation test
+
+    steps:
+    - name: 'Checking out repo code'
+      uses: actions/checkout@v4
+
+    - name: Set Node.js 20.x for GitHub Action
+      uses: actions/setup-node@v4
+      with:
+        node-version: 20.x
+
+    - name: 'Validate build'
+      run: |
+        npm install
+        npm run build
+
+    - name: Login with creds, disable ps session
+      uses: ./
+      with:
+        creds: ${{secrets.SP1}}
+        enable-AzPSSession: false
+
+    - name: Run Azure Cli 
+      run: |
+        az account show --output none
+        az group show --name GitHubAction_CI_RG --output none
+        az vm list --output none
+
+    - name: Login with creds, wrong boolean value
+      uses: ./
+      with:
+        creds: ${{secrets.SP1}}
+        enable-AzPSSession: notboolean
+
+    - name: Run Azure Cli 
+      run: |
+        az account show --output none
+        az group show --name GitHubAction_CI_RG --output none
+        az vm list --output none
+
+    - name: Login with creds, allow no subscription
+      uses: ./
+      with:
+        creds: ${{secrets.SP1}}
+        allow-no-subscriptions: true
+        enable-AzPSSession: true
+
+    - name: Run Azure Cli
+      run: |
+        az account show --output none
+        az group show --name GitHubAction_CI_RG --output none
+        az vm list --output none
+ 
+    - name: Run Azure PowerShell
+      uses: azure/powershell@v2
+      with:
+        azPSVersion: "latest"
+        inlineScript: |
+            $checkResult = (Get-AzContext).Environment.Name -eq 'AzureCloud'
+            if(-not $checkResult){
+                throw "Not all checks passed!"
+            }
+
+    - name: Login with individual parameters, allow no subscription
+      uses: ./
+      with:
+        client-id: ${{ secrets.SP1_CLIENT_ID }}
+        tenant-id: ${{ secrets.SP1_TENANT_ID}}
+        subscription-id: ${{ secrets.SP1_SUBSCRIPTION_ID }}
+        allow-no-subscriptions: true
+        enable-AzPSSession: true
+
+    - name: Run Azure Cli again
+      run: |
+        az account show --output none
+
+    - name: Run Azure PowerShell again
+      uses: azure/powershell@v2
+      with:
+        azPSVersion: "latest"
+        inlineScript: |
+            $checkResult = (Get-AzContext).Environment.Name -eq 'AzureCloud'
+            if(-not $checkResult){
+                throw "Not all checks passed!"
+            }
+
+    - name: Login with individual parameters, no subscription, allow no subscription
+      uses: ./
+      with:
+        client-id: ${{ secrets.OIDC_SP2_CLIENT_ID }}
+        tenant-id: ${{ secrets.OIDC_SP2_TENANT_ID }}
+        allow-no-subscriptions: true
+        enable-AzPSSession: true
+
+    - name: Run Azure Cli
+      shell: pwsh
+      run: |
+        $checkResult = (az account list --output json | ConvertFrom-Json).Count -eq 3
+        if(-not $checkResult){
+            throw "Not all checks passed!"
+        }
+
+    - name: Run Azure PowerShell
+      uses: azure/powershell@v2
+      with:
+        azPSVersion: "latest"
+        inlineScript: |
+            $checkResult = (Get-AzContext).Environment.Name -eq 'AzureCloud'
+            if(-not $checkResult){
+              throw "Not all checks passed!"
+            }
+
+    - name: Login with creds, no subscription, allow no subscription
+      uses: ./
+      with:
+        creds: '{"clientId":"${{ secrets.OIDC_SP2_CLIENT_ID }}","clientSecret":"${{ secrets.SP2_CLIENT_SECRET }}","tenantId":"${{ secrets.OIDC_SP2_TENANT_ID }}"}'
+        allow-no-subscriptions: true
+        enable-AzPSSession: true
+
+    - name: Run Azure Cli
+      run: |
+        az account show --output none
+
+    - name: Run Azure PowerShell
+      uses: azure/powershell@v2
+      with:
+        azPSVersion: "latest"
+        inlineScript: |
+            $checkResult = (Get-AzContext).Environment.Name -eq 'AzureCloud'
+            if(-not $checkResult){
+                throw "Not all checks passed!"
+            }
+
+  InDockerTest:
+    runs-on: ubuntu-latest
+    container: ubuntu:24.04
+    environment: Automation test
+    steps:
+    - name: 'Checking out repo code'
+      uses: actions/checkout@v4
+
+    - name: Set Node.js 20.x for GitHub Action
+      uses: actions/setup-node@v4
+      with:
+        node-version: 20.x
+      
+    - name: Install Azure CLI
+      run: |
+        apt-get update
+        apt-get install -y curl
+        curl -sL https://aka.ms/InstallAzureCLIDeb | bash
+        
+    - name: Check Azure CLI Version
+      run: |
+        az --version
+
+    - name: Install Powershell
+      run: |
+        apt-get update
+        apt-get install -y wget
+        wget https://ftp.debian.org/debian/pool/main/i/icu/libicu72_72.1-3_amd64.deb
+        dpkg -i libicu72_72.1-3_amd64.deb
+        wget https://github.com/PowerShell/PowerShell/releases/download/v7.5.0/powershell_7.5.0-1.deb_amd64.deb
+        dpkg -i powershell_7.5.0-1.deb_amd64.deb
+
+    - name: Check Powershell Version
+      shell: pwsh
+      run: |
+        $PSVersionTable
+
+    - name: Install Azure Powershell
+      shell: pwsh
+      run: |
+        Install-Module -Name Az -Repository PSGallery -Force
+
+    - name: Check Azure Powershell Version
+      shell: pwsh
+      run: |
+        Get-Module -ListAvailable Az
+
+    - name: 'Validate build'
+      run: |
+        npm install
+        npm run build
+        
+    - name: 'Run L0 tests'
+      run: |
+        npm run test
+
+    - name: Login with individual parameters
+      uses: ./
+      with:
+        client-id: ${{ secrets.SP1_CLIENT_ID }}
+        tenant-id: ${{ secrets.SP1_TENANT_ID }}
+        subscription-id: ${{ secrets.SP1_SUBSCRIPTION_ID }}
+        enable-AzPSSession: true
+
+    - name: Run Azure Cli again
+      run: |
+        az group list --output none
+
+    - name: Run Azure PowerShell again
+      uses: azure/powershell@v2
+      with:
+        azPSVersion: "latest"
+        inlineScript: |
+          $checkResult = Get-AzResourceGroup

.github/workflows/azure-login-pr-check.yml

@@ -1,26 +1,25 @@
 name: pr-check
 
 on:
-  pull_request_target:
+  pull_request:
     branches:
       - master
       - 'releases/*'
 jobs:
    az-login-test:
-     environment: Automation test
      runs-on: windows-latest
      steps:
        - name: Checkout from PR branch  
-         uses: actions/checkout@v2
+         uses: actions/checkout@v4
          with: 
           repository: ${{ github.event.pull_request.head.repo.full_name }}
           ref: ${{ github.event.pull_request.head.ref }}
 
-         # Using 12.x version as an example
-       - name: Set Node.js 12.x for GitHub Action
-         uses: actions/setup-node@v1
+         # Using 20.x version as an example
+       - name: Set Node.js 20.x for GitHub Action
+         uses: actions/setup-node@v4
          with:
-           node-version: 12.x
+           node-version: 20.x
 
        - name: installing node_modules
          run: npm install 
@@ -28,45 +27,5 @@ jobs:
        - name: Build GitHub Action
          run: npm run build
          
-       - name: 'Az CLI login with subscription'
-         uses: ./
-         with:
-            creds: ${{ secrets.AZURE_CREDENTIALS }}
-          
-       - run: |
-             az account show
-  #          az webapp list
-
-       - name: 'Az CLI login without subscription'
-         uses: ./
-         with:
-           creds: ${{ secrets.AZURE_CREDENTIALS_NO_SUB }}
-           allow-no-subscriptions: true
-
-       - run: |
-           az account show
-
-       - name: 'Azure PowerShell login with subscription'
-         uses: ./
-         with:
-           creds: ${{ secrets.AZURE_CREDENTIALS }}
-           enable-AzPSSession: true
-
-       - uses: azure/powershell@v1
-         with:
-           inlineScript: "Get-AzContext"
-           azPSVersion: "latest"
-
-       - name: 'Azure PowerShell login without subscription'
-         uses: ./
-         with:
-           creds: ${{secrets.AZURE_CREDENTIALS_NO_SUB}}
-           enable-AzPSSession: true
-           allow-no-subscriptions: true
-
-       - uses: azure/powershell@v1
-         with:
-           inlineScript: "Get-AzContext"
-           azPSVersion: "latest"
-          
-      
+       - name: Run mock test
+         run: npm run test

.github/workflows/ci.yml

@@ -1,3 +1,5 @@
+name: Build and Test
+
 on:
   pull_request:
     branches:
@@ -16,13 +18,18 @@ jobs:
     steps:
 
     - name: 'Checking out repo code'
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
+
+    - name: Set Node.js 20.x for GitHub Action
+      uses: actions/setup-node@v4
+      with:
+        node-version: 20.x
 
     - name: 'Validate build'
       run: |
         npm install
         npm run build
-        
+
     - name: 'Run L0 tests'
       run: |
         npm run test

.github/workflows/codeql.yml

@@ -6,6 +6,11 @@ on:
   schedule:
     - cron: '0 19 * * 0'
 
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
 jobs:
   CodeQL-Build:
 
@@ -14,28 +19,18 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
-      with:
-        # We must fetch at least the immediate parents so that if this is
-        # a pull request then we can checkout the head.
-        fetch-depth: 2
+      uses: actions/checkout@v4
 
-    # If this run was triggered by a pull request event, then checkout
-    # the head of the pull request instead of the merge commit.
-    - run: git checkout HEAD^2
-      if: ${{ github.event_name == 'pull_request' }}
-      
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
-      # Override language selection by uncommenting this and choosing your languages
-      # with:
-      #   languages: go, javascript, csharp, python, cpp, java
+      uses: github/codeql-action/init@v3
+      with:
+        languages: javascript
 
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      uses: github/codeql-action/autobuild@v3
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -49,4 +44,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@v3

.github/workflows/defaultLabels.yml

@@ -14,7 +14,7 @@ jobs:
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
           
-      - uses: actions/stale@v3
+      - uses: actions/stale@v8
         name: Setting issue as idle
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
@@ -25,7 +25,7 @@ jobs:
           operations-per-run: 100
           exempt-issue-labels: 'backlog'
           
-      - uses: actions/stale@v3
+      - uses: actions/stale@v8
         name: Setting PR as idle
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
@@ -34,3 +34,15 @@ jobs:
           days-before-stale: 14
           days-before-close: -1
           operations-per-run: 100
+
+      - uses: actions/stale@v8
+        name: Close issue with no feedback for 20 days
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          close-issue-message: 'This issue has been labeled as `needs-author-feedback` for 20 days with no activity. We will close it for now. If you require additional assistance, please feel free to reopen it with the required information.'
+          days-before-stale: -1
+          days-before-close: 20
+          stale-issue-label: 'needs-author-feedback'
+          only-issue-labels: 'needs-author-feedback'
+          close-issue-reason: 'completed'
+          operations-per-run: 100

.github/workflows/markdownlint.yml

@@ -0,0 +1,18 @@
+name: Markdownlint
+
+on: [push, pull_request]
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Use Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20.x
+      - name: Run Markdownlint
+        run: |
+          npm i -g markdownlint-cli2
+          markdownlint-cli2 "**/*.md"

.gitignore

@@ -1,330 +1,99 @@
-## Ignore Visual Studio temporary files, build results, and
-## files generated by popular Visual Studio add-ons.
-##
-## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
+# Dependency directory
+node_modules
 
-# User-specific files
-*.suo
-*.user
-*.userosscache
-*.sln.docstates
-
-# User-specific files (MonoDevelop/Xamarin Studio)
-*.userprefs
-
-# Build results
-[Dd]ebug/
-[Dd]ebugPublic/
-[Rr]elease/
-[Rr]eleases/
-x64/
-x86/
-bld/
-[Bb]in/
-[Oo]bj/
-[Ll]og/
-
-# Visual Studio 2015/2017 cache/options directory
-.vs/
-# Uncomment if you have tasks that create the project's static files in wwwroot
-#wwwroot/
-
-# Visual Studio 2017 auto generated files
-Generated\ Files/
-
-# MSTest test Results
-[Tt]est[Rr]esult*/
-[Bb]uild[Ll]og.*
-
-# NUNIT
-*.VisualState.xml
-TestResult.xml
-
-# Build Results of an ATL Project
-[Dd]ebugPS/
-[Rr]eleasePS/
-dlldata.c
-
-# Benchmark Results
-BenchmarkDotNet.Artifacts/
-
-# .NET Core
-project.lock.json
-project.fragment.lock.json
-artifacts/
-**/Properties/launchSettings.json
-
-# StyleCop
-StyleCopReport.xml
-
-# Files built by Visual Studio
-*_i.c
-*_p.c
-*_i.h
-*.ilk
-*.meta
-*.obj
-*.iobj
-*.pch
-*.pdb
-*.ipdb
-*.pgc
-*.pgd
-*.rsp
-*.sbr
-*.tlb
-*.tli
-*.tlh
-*.tmp
-*.tmp_proj
+# Rest pulled from https://github.com/github/gitignore/blob/master/Node.gitignore
+# Logs
+logs
 *.log
-*.vspscc
-*.vssscc
-.builds
-*.pidb
-*.svclog
-*.scc
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+lerna-debug.log*
 
-# Chutzpah Test files
-_Chutzpah*
+# Diagnostic reports (https://nodejs.org/api/report.html)
+report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
 
-# Visual C++ cache files
-ipch/
-*.aps
-*.ncb
-*.opendb
-*.opensdf
-*.sdf
-*.cachefile
-*.VC.db
-*.VC.VC.opendb
+# Runtime data
+pids
+*.pid
+*.seed
+*.pid.lock
 
-# Visual Studio profiler
-*.psess
-*.vsp
-*.vspx
-*.sap
+# Directory for instrumented libs generated by jscoverage/JSCover
+lib-cov
 
-# Visual Studio Trace Files
-*.e2e
+# Coverage directory used by tools like istanbul
+coverage
+*.lcov
 
-# TFS 2012 Local Workspace
-$tf/
+# nyc test coverage
+.nyc_output
 
-# Guidance Automation Toolkit
-*.gpState
+# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
+.grunt
 
-# ReSharper is a .NET coding add-in
-_ReSharper*/
-*.[Rr]e[Ss]harper
-*.DotSettings.user
+# Bower dependency directory (https://bower.io/)
+bower_components
 
-# JustCode is a .NET coding add-in
-.JustCode
+# node-waf configuration
+.lock-wscript
 
-# TeamCity is a build add-in
-_TeamCity*
+# Compiled binary addons (https://nodejs.org/api/addons.html)
+build/Release
 
-# DotCover is a Code Coverage Tool
-*.dotCover
+# Dependency directories
+jspm_packages/
 
-# AxoCover is a Code Coverage Tool
-.axoCover/*
-!.axoCover/settings.json
+# TypeScript v1 declaration files
+typings/
 
-# Visual Studio code coverage results
-*.coverage
-*.coveragexml
+# TypeScript cache
+*.tsbuildinfo
 
-# NCrunch
-_NCrunch_*
-.*crunch*.local.xml
-nCrunchTemp_*
+# Optional npm cache directory
+.npm
 
-# MightyMoose
-*.mm.*
-AutoTest.Net/
+# Optional eslint cache
+.eslintcache
 
-# Web workbench (sass)
-.sass-cache/
+# Optional REPL history
+.node_repl_history
 
-# Installshield output folder
-[Ee]xpress/
+# Output of 'npm pack'
+*.tgz
 
-# DocProject is a documentation generator add-in
-DocProject/buildhelp/
-DocProject/Help/*.HxT
-DocProject/Help/*.HxC
-DocProject/Help/*.hhc
-DocProject/Help/*.hhk
-DocProject/Help/*.hhp
-DocProject/Help/Html2
-DocProject/Help/html
+# Yarn Integrity file
+.yarn-integrity
 
-# Click-Once directory
-publish/
+# dotenv environment variables file
+.env
+.env.test
 
-# Publish Web Output
-*.[Pp]ublish.xml
-*.azurePubxml
-# Note: Comment the next line if you want to checkin your web deploy settings,
-# but database connection strings (with potential passwords) will be unencrypted
-*.pubxml
-*.publishproj
+# parcel-bundler cache (https://parceljs.org/)
+.cache
 
-# Microsoft Azure Web App publish settings. Comment the next line if you want to
-# checkin your Azure Web App publish settings, but sensitive information contained
-# in these scripts will be unencrypted
-PublishScripts/
+# next.js build output
+.next
 
-# NuGet Packages
-*.nupkg
-# The packages folder can be ignored because of Package Restore
-**/[Pp]ackages/*
-# except build/, which is used as an MSBuild target.
-!**/[Pp]ackages/build/
-# Uncomment if necessary however generally it will be regenerated when needed
-#!**/[Pp]ackages/repositories.config
-# NuGet v3's project.json files produces more ignorable files
-*.nuget.props
-*.nuget.targets
+# nuxt.js build output
+.nuxt
 
-# Microsoft Azure Build Output
-csx/
-*.build.csdef
+# vuepress build output
+.vuepress/dist
 
-# Microsoft Azure Emulator
-ecf/
-rcf/
+# Serverless directories
+.serverless/
 
-# Windows Store app package directories and files
-AppPackages/
-BundleArtifacts/
-Package.StoreAssociation.xml
-_pkginfo.txt
-*.appx
+# FuseBox cache
+.fusebox/
 
-# Visual Studio cache files
-# files ending in .cache can be ignored
-*.[Cc]ache
-# but keep track of directories ending in .cache
-!*.[Cc]ache/
+# DynamoDB Local files
+.dynamodb/
 
-# Others
-ClientBin/
-~$*
-*~
-*.dbmdl
-*.dbproj.schemaview
-*.jfm
-*.pfx
-*.publishsettings
-orleans.codegen.cs
+# OS metadata
+.DS_Store
+Thumbs.db
 
-# Including strong name files can present a security risk 
-# (https://github.com/github/gitignore/pull/2483#issue-259490424)
-#*.snk
-
-# Since there are multiple workflows, uncomment next line to ignore bower_components
-# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
-#bower_components/
-
-# RIA/Silverlight projects
-Generated_Code/
-
-# Backup & report files from converting an old project file
-# to a newer Visual Studio version. Backup files are not needed,
-# because we have git ;-)
-_UpgradeReport_Files/
-Backup*/
-UpgradeLog*.XML
-UpgradeLog*.htm
-ServiceFabricBackup/
-*.rptproj.bak
-
-# SQL Server files
-*.mdf
-*.ldf
-*.ndf
-
-# Business Intelligence projects
-*.rdl.data
-*.bim.layout
-*.bim_*.settings
-*.rptproj.rsuser
-
-# Microsoft Fakes
-FakesAssemblies/
-
-# GhostDoc plugin setting file
-*.GhostDoc.xml
-
-# Node.js Tools for Visual Studio
-.ntvs_analysis.dat
-node_modules/
-
-# Visual Studio 6 build log
-*.plg
-
-# Visual Studio 6 workspace options file
-*.opt
-
-# Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
-*.vbw
-
-# Visual Studio LightSwitch build output
-**/*.HTMLClient/GeneratedArtifacts
-**/*.DesktopClient/GeneratedArtifacts
-**/*.DesktopClient/ModelManifest.xml
-**/*.Server/GeneratedArtifacts
-**/*.Server/ModelManifest.xml
-_Pvt_Extensions
-
-# Paket dependency manager
-.paket/paket.exe
-paket-files/
-
-# FAKE - F# Make
-.fake/
-
-# JetBrains Rider
-.idea/
-*.sln.iml
-
-# CodeRush
-.cr/
-
-# Python Tools for Visual Studio (PTVS)
-__pycache__/
-*.pyc
-
-# Cake - Uncomment if you are using it
-# tools/**
-# !tools/packages.config
-
-# Tabs Studio
-*.tss
-
-# Telerik's JustMock configuration file
-*.jmconfig
-
-# BizTalk build output
-*.btp.cs
-*.btm.cs
-*.odx.cs
-*.xsd.cs
-
-# OpenCover UI analysis results
-OpenCover/
-
-# Azure Stream Analytics local run output 
-ASALocalRun/
-
-# MSBuild Binary and Structured Log
-*.binlog
-
-# NVidia Nsight GPU debugger configuration file
-*.nvuser
-
-# MFractors (Xamarin productivity tool) working folder 
-.mfractor/
+# Ignore built ts files
+__tests__/runner/*
+lib/**/*

.markdownlint-cli2.jsonc

@@ -0,0 +1,9 @@
+{
+  "config": {
+    "default": true,
+    "MD013": false
+  },
+  "ignores": [
+    "SECURITY.md"
+  ]
+}

CODE_OF_CONDUCT.md

@@ -7,3 +7,4 @@ Resources:
 - [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/)
 - [Microsoft Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/)
 - Contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with questions or concerns
+- Employees can reach out at [aka.ms/opensource/moderation-support](https://aka.ms/opensource/moderation-support)

README.md

@@ -1,33 +1,283 @@
-# GitHub Actions for deploying to Azure
+# Azure Login Action
 
-## Automate your GitHub workflows using Azure Actions
+- [Azure Login Action](#azure-login-action)
+  - [Input Parameters](#input-parameters)
+    - [`client-id`](#client-id)
+    - [`subscription-id`](#subscription-id)
+    - [`tenant-id`](#tenant-id)
+    - [`creds`](#creds)
+    - [`enable-AzPSSession`](#enable-azpssession)
+    - [`environment`](#environment)
+    - [`allow-no-subscriptions`](#allow-no-subscriptions)
+    - [`audience`](#audience)
+    - [`auth-type`](#auth-type)
+  - [Workflow Examples](#workflow-examples)
+    - [Login With OpenID Connect (OIDC) \[Recommended\]](#login-with-openid-connect-oidc-recommended)
+    - [Login With a Service Principal Secret](#login-with-a-service-principal-secret)
+    - [Login With System-assigned Managed Identity](#login-with-system-assigned-managed-identity)
+    - [Login With User-assigned Managed Identity](#login-with-user-assigned-managed-identity)
+    - [Login to Azure US Government cloud](#login-to-azure-us-government-cloud)
+    - [Login to Azure Stack Hub](#login-to-azure-stack-hub)
+    - [Login without subscription](#login-without-subscription)
+    - [Enable/Disable the cleanup steps](#enabledisable-the-cleanup-steps)
+  - [Security hardening](#security-hardening)
+  - [Azure CLI dependency](#azure-cli-dependency)
+  - [Reference](#reference)
+    - [GitHub Action](#github-action)
+    - [GitHub Actions for deploying to Azure](#github-actions-for-deploying-to-azure)
+    - [Azure CLI Action](#azure-cli-action)
+    - [Azure PowerShell Action](#azure-powershell-action)
+  - [Contributing](#contributing)
 
-[GitHub Actions](https://help.github.com/en/articles/about-github-actions) gives you the flexibility to build an automated software development lifecycle workflow.
+With the [Azure Login Action](https://github.com/Azure/login), you can login to Azure and run [Azure CLI](https://learn.microsoft.com/cli/azure/) and [Azure PowerShell](https://learn.microsoft.com/powershell/azure) scripts.
 
-With [GitHub Actions for Azure](https://github.com/Azure/actions/) you can create workflows that you can set up in your repository to build, test, package, release and **deploy** to Azure.
+Azure Login Action supports different ways of authentication with Azure.
 
-NOTE: you must have write permissions to the repository in question. If you're using a sample repository from Microsoft, be sure to first fork the repository to your own GitHub account.
+- Login with OpenID Connect (OIDC)
+- Login with a Service Principal Secret
+- Login with System-assigned Managed Identity
+- Login with User-assigned Managed Identity
 
-Get started today with a [free Azure account](https://azure.com/free/open-source).
+**We recommend using OIDC based authentication for increased security.**
 
-# GitHub Action for Azure Login
+> [!WARNING]
+> By default, the output of Azure CLI commands is printed to the stdout stream. Without redirecting the stdout stream, contents in it will be stored in the build log of the action. Configure Azure CLI to _not_ show output in the console screen or print in the log by setting the environment variable `AZURE_CORE_OUTPUT` to `none`. If you need the output of a specific command, override the default setting using the argument `--output` with your format of choice. For more information on output options with the Azure CLI, see [Format output](https://learn.microsoft.com/cli/azure/format-output-azure-cli).
 
-With the Azure login Action, you can automate your workflow to do an Azure login using [Azure service principal](https://docs.microsoft.com/azure/active-directory/develop/app-objects-and-service-principals) and run Azure CLI and Azure PowerShell scripts. You can leverage this action for the public or soverign clouds including Azure Government and Azure Stack Hub (using the `environment` parameter).
+** **
 
-By default, the action only logs in with the Azure CLI (using the `az login` command). To log in with the Az PowerShell module, set `enable-AzPSSession` to true. To login to Azure tenants without any subscriptions, set the optional parameter `allow-no-subscriptions` to true.
+> [!WARNING]
+> Avoid using managed identity login on self-hosted runners in public repositories. Managed identities enable secure authentication with Azure resources and obtain Microsoft Entra ID tokens without the need for explicit credential management. Any user can open pull requests against your repository and access your self-hosted runners without credentials. See more details in [self-hosted runner security](https://docs.github.com/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#self-hosted-runner-security).
 
-To login into one of the Azure Government clouds, set the optional parameter environment with supported cloud names AzureUSGovernment or AzureChinaCloud. If this parameter is not specified, it takes the default value AzureCloud and connect to the Azure Public Cloud. Additionally the parameter creds takes the Azure service principal created in the particular cloud to connect (Refer to Configure deployment credentials section below for details).
+## Input Parameters
 
-This repository contains GitHub Action for [Azure Login](https://github.com/Azure/login/blob/master/action.yml).
+|Parameter Name|Required?|Type|Default Value|Description|
+|---|---|---|---|---|
+|client-id|false|UUID||the client id of a service principal or a user-assigned managed identity|
+|subscription-id|false|UUID||the login subscription id|
+|tenant-id|false|UUID||the login tenant id|
+|creds|false|string||a json string for login with an Azure service principal|
+|enable-AzPSSession|false|boolean|false|if Azure PowerShell login is enabled|
+|environment|false|string|azurecloud|the Azure Cloud environment. For cloud environments other than the public cloud, the `audience` will also need to be updated.|
+|allow-no-subscriptions|false|boolean|false|if login without subscription is allowed|
+|audience|false|string|api://AzureADTokenExchange|the audience to get the JWT ID token from GitHub OIDC provider|
+|auth-type|false|string|SERVICE_PRINCIPAL|the auth type|
 
-## Sample workflow that uses Azure login action to run az cli
+### `client-id`
+
+The input parameter `client-id` specifies the login client id. It could be the client id of a service principal or a user-assigned managed identity.
+
+It's used in login with OpenID Connect (OIDC) and user-assigned managed identity.
+
+It's better to create a GitHub Action secret for this parameter when using it. Refer to [Using secrets in GitHub Actions](https://docs.github.com/actions/security-guides/using-secrets-in-github-actions).
+
+Refer to [Login With OpenID Connect (OIDC)](#login-with-openid-connect-oidc-recommended) and [Login With User-assigned Managed Identity](#login-with-user-assigned-managed-identity) for its usage.
+
+### `subscription-id`
+
+The input parameter `subscription-id` specifies the login subscription id.
+
+It's used in login with OpenID Connect (OIDC) and managed identity.
+
+It's better to create a GitHub Action secret for this parameter when using it. Refer to [Using secrets in GitHub Actions](https://docs.github.com/actions/security-guides/using-secrets-in-github-actions).
+
+Refer to [Login With OpenID Connect (OIDC)](#login-with-openid-connect-oidc-recommended), [Login With System-assigned Managed Identity](#login-with-system-assigned-managed-identity) and [Login With User-assigned Managed Identity](#login-with-user-assigned-managed-identity) for its usage.
+
+### `tenant-id`
+
+The input parameter `tenant-id` specifies the login tenant id.
+
+It's used in login with OpenID Connect (OIDC) and managed identity.
+
+It's better to create a GitHub Action secret for this parameter when using it. Refer to [Using secrets in GitHub Actions](https://docs.github.com/actions/security-guides/using-secrets-in-github-actions).
+
+Refer to [Login With OpenID Connect (OIDC)](#login-with-openid-connect-oidc-recommended), [Login With System-assigned Managed Identity](#login-with-system-assigned-managed-identity) and [Login With User-assigned Managed Identity](#login-with-user-assigned-managed-identity) for its usage.
+
+### `creds`
+
+> [!NOTE]
+>
+> If one of `client-id` and `subscription-id` and `tenant-id` is set, `creds` will be ignored.
+
+The value of input parameter `creds` is a string in json format, including the following values:
+
+```json
+{
+    "clientSecret":  "******",
+    "subscriptionId":  "******",
+    "tenantId":  "******",
+    "clientId":  "******"
+}
+```
+
+It's used in login with an Azure service principal.
+
+It's better to create a GitHub Action secret for this parameter when using it. Refer to [Using secrets in GitHub Actions](https://docs.github.com/actions/security-guides/using-secrets-in-github-actions).
+
+Refer to [Login With a Service Principal Secret](#login-with-a-service-principal-secret) for its usage.
+
+### `enable-AzPSSession`
+
+By default, Azure Login Action only logs in with the Azure CLI. To log in with the Azure PowerShell module, set `enable-AzPSSession` to true.
+
+Refer to [Login With OpenID Connect (OIDC)](#login-with-openid-connect-oidc-recommended) for its usage.
+
+### `environment`
+
+By default, Azure Login Action connects to the Azure Public Cloud (`AzureCloud`).
+
+To login to one of the Azure Government clouds or Azure Stack, set `environment` to one of the supported values `AzureUSGovernment` or `AzureChinaCloud` or `AzureGermanCloud` or `AzureStack`.
+
+The default [`audience`](#audience) for each of these clouds is different and will also need to be set if using anything other than the public environment.
+
+Refer to [Login to Azure US Government cloud](#login-to-azure-us-government-cloud) for its usage.
+
+### `allow-no-subscriptions`
+
+By default, Azure Login Action requires a `subscription-id`. To login to Azure tenants without any subscriptions, set `allow-no-subscriptions` to true.
+
+Refer to [Login without subscription](#login-without-subscription) for its usage.
+
+### `audience`
+
+Azure Login Action gets the JWT ID token from GitHub OIDC provider when login with OIDC. The default `audience` is `api://AzureADTokenExchange`. Users can specify a custom `audience`.
+
+### `auth-type`
+
+The input parameter `auth-type` specifies the type of authentication. The default value is `SERVICE_PRINCIPAL`. Users can specify it as `IDENTITY` for login with Managed Identity.
+
+Refer to [Login With System-assigned Managed Identity](#login-with-system-assigned-managed-identity) and [Login With User-assigned Managed Identity](#login-with-user-assigned-managed-identity) for its usage.
+
+## Workflow Examples
+
+### Login With OpenID Connect (OIDC) [Recommended]
+
+> [!NOTE]
+>
+> - Ensure the CLI version is 2.30 or above to support login with OIDC.
+> - By default, Azure access tokens issued during OIDC based login could have limited validity. Azure access token issued by Service Principal is expected to have an expiration of 1 hour by default. And with Managed Identities, it would be 24 hours. This expiration time is further configurable in Azure. Refer to [access-token lifetime](https://learn.microsoft.com/azure/active-directory/develop/access-tokens#access-token-lifetime) for more details.
+
+Before you use Azure Login Action with OIDC, you need to configure a federated identity credential on a service principal or a managed identity.
+
+- Prepare a service principal for Login with OIDC
+  - [Create a service principal and assign a role to it](https://learn.microsoft.com/entra/identity-platform/howto-create-service-principal-portal)
+  - [Configure a federated identity credential on an service principal](https://learn.microsoft.com/entra/workload-id/workload-identity-federation-create-trust?pivots=identity-wif-apps-methods-azp#github-actions)
+- Prepare a user-assigned managed identity for Login with OIDC
+  - [Create a user-assigned managed identity and assign a role to it](https://learn.microsoft.com/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-azp#create-a-user-assigned-managed-identity)
+  - [Configure a federated identity credential on a user-assigned managed identity](https://learn.microsoft.com/entra/workload-id/workload-identity-federation-create-trust-user-assigned-managed-identity?pivots=identity-wif-mi-methods-azp#github-actions-deploying-azure-resources)
+
+After it, create GitHub Action secrets for following values: (Refer to [Using secrets in GitHub Actions](https://docs.github.com/actions/security-guides/using-secrets-in-github-actions).)
+
+- AZURE_CLIENT_ID: the service principal client ID or user-assigned managed identity client ID
+- AZURE_SUBSCRIPTION_ID: the subscription ID
+- AZURE_TENANT_ID: the tenant ID
+
+Now you can try the workflow to login with OIDC.
+
+> [!NOTE]
+>
+> In GitHub workflow, you should set `permissions:` with `id-token: write` at workflow level or job level based on whether the OIDC token is allowed be generated for all Jobs or a specific Job.
+
+- **The workflow sample to only run Azure CLI**
+
+```yaml
+# File: .github/workflows/workflow.yml
+
+name: Run Azure Login with OIDC
+on: [push]
+
+permissions:
+  id-token: write
+  contents: read
+jobs:
+  build-and-deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Azure login
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+      - name: Azure CLI script
+        uses: azure/cli@v2
+        with:
+          azcliversion: latest
+          inlineScript: |
+            az account show
+```
+
+- **The workflow sample to run both Azure CLI and Azure PowerShell**
+
+```yaml
+# File: .github/workflows/workflow.yml
+
+name: Run Azure Login with OIDC
+on: [push]
+
+permissions:
+  id-token: write
+  contents: read
+jobs:
+  build-and-deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Azure login
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          enable-AzPSSession: true
+
+      - name: Azure CLI script
+        uses: azure/cli@v2
+        with:
+          azcliversion: latest
+          inlineScript: |
+            az account show
+
+      - name: Azure PowerShell script
+        uses: azure/powershell@v2
+        with:
+          azPSVersion: "latest"
+          inlineScript: |
+            Get-AzContext
+```
+
+### Login With a Service Principal Secret
+
+Before you login a service principal secret, you need to prepare a service principal with a secret.
+
+- [Create a service principal and assign a role to it](https://learn.microsoft.com/entra/identity-platform/howto-create-service-principal-portal)
+- [Create a new service principal client secret](https://learn.microsoft.com/entra/identity-platform/howto-create-service-principal-portal#option-3-create-a-new-client-secret)
+
+After it, create a GitHub Action secret `AZURE_CREDENTIALS` with the value like below: (Refer to [Using secrets in GitHub Actions](https://docs.github.com/actions/security-guides/using-secrets-in-github-actions).)
+
+```json
+{
+    "clientSecret":  "******",
+    "subscriptionId":  "******",
+    "tenantId":  "******",
+    "clientId":  "******"
+}
+```
+
+- clientSecret: the service principal client secret
+- subscriptionId: the subscription ID
+- tenantId: the tenant ID
+- clientId: the service principal client ID
+
+Now you can try the workflow to login with a service principal secret.
+
+- **The workflow sample to only run Azure CLI**
 
 ```yaml
 # File: .github/workflows/workflow.yml
 
 on: [push]
 
-name: AzureLoginSample
+name: Run Azure Login With a Service Principal Secret
 
 jobs:
 
@@ -35,205 +285,247 @@ jobs:
     runs-on: ubuntu-latest
     steps:
 
-    - uses: azure/login@v1
+    - uses: azure/login@v2
       with:
         creds: ${{ secrets.AZURE_CREDENTIALS }}
 
-    - run: |
-        az webapp list --query "[?state=='Running']"
-```
-
-## Sample workflow that uses Azure login action to run Azure PowerShell
-
-```yaml
-# File: .github/workflows/workflow.yml
-
-on: [push]
-
-name: AzurePowerShellSample
-
-jobs:
-
-  build-and-deploy:
-    runs-on: ubuntu-latest
-    steps:
-
-    - name: Login via Az module
-      uses: azure/login@v1
+    - name: Azure CLI script
+      uses: azure/cli@v2
       with:
-        creds: ${{secrets.AZURE_CREDENTIALS}}
-        enable-AzPSSession: true
-
-    - name: Run Az CLI script
-      run: |
-        az webapp list --query "[?state=='Running']"
-
-    - name: Run Azure PowerShell script
-      uses: azure/powershell@v1
-      with:
-        azPSVersion: '3.1.0'
+        azcliversion: latest
         inlineScript: |
-          Get-AzVM -ResourceGroupName "ActionsDemo"
+          az account show
 ```
 
-## Sample to connect to Azure US Government cloud
+- **The workflow sample to run both Azure CLI and Azure PowerShell**
 
 ```yaml
-    - name: Login to Azure US Gov Cloud with CLI
-      uses: azure/login@v1
-      with:
-        creds: ${{ secrets.AZURE_US_GOV_CREDENTIALS }}
-        environment: 'AzureUSGovernment'
-        enable-AzPSSession: false
-    - name: Login to Azure US Gov Cloud with Az Powershell
-      uses: azure/login@v1
-      with:
-        creds: ${{ secrets.AZURE_US_GOV_CREDENTIALS }}
-        environment: 'AzureUSGovernment'
-        enable-AzPSSession: true
-```
-
-Refer to the [Azure PowerShell](https://github.com/azure/powershell) Github action to run your Azure PowerShell scripts.
-
-## Sample Azure Login workflow that to run az cli on Azure Stack Hub
-
-```yaml
-
 # File: .github/workflows/workflow.yml
 
 on: [push]
 
-name: AzureLoginSample
+name: Run Azure Login With a Service Principal Secret
 
 jobs:
 
   build-and-deploy:
     runs-on: ubuntu-latest
     steps:
-    - uses: azure/login@v1
+
+    - uses: azure/login@v2
+      with:
+        creds: ${{ secrets.AZURE_CREDENTIALS }}
+        enable-AzPSSession: true
+
+    - name: Azure CLI script
+      uses: azure/cli@v2
+      with:
+        azcliversion: latest
+        inlineScript: |
+          az account show
+
+    - name: Azure PowerShell script
+      uses: azure/powershell@v2
+      with:
+        azPSVersion: "latest"
+        inlineScript: |
+          Get-AzWebApp
+```
+
+If you want to pass subscription ID, tenant ID, client ID, and client secret as individual parameters instead of bundling them in a single JSON object to address the [security concerns](https://docs.github.com/actions/security-guides/encrypted-secrets), below snippet can help with the same.
+
+```yaml
+  - uses: azure/login@v2
+    with:
+      creds: '{"clientId":"${{ secrets.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZURE_TENANT_ID }}"}'
+```
+
+### Login With System-assigned Managed Identity
+
+> [!NOTE]
+>
+> "Login With System-assigned Managed Identity" is only supported on GitHub self-hosted runners and the self-hosted runners need to be hosted by Azure virtual machines.
+
+Before you login with system-assigned managed identity, you need to create an Azure virtual machine to host the GitHub self-hosted runner.
+
+- Create an Azure virtual machine
+  - [Create a Windows virtual machine](https://learn.microsoft.com/azure/virtual-machines/windows/quick-create-portal)
+  - [Create a Linux virtual machine](https://learn.microsoft.com/azure/virtual-machines/linux/quick-create-portal?tabs=ubuntu)
+- [Configure system-assigned managed identity on the Azure virtual machine](https://learn.microsoft.com/entra/identity/managed-identities-azure-resources/qs-configure-portal-windows-vm#system-assigned-managed-identity)
+- Install required softwares on the Azure virtual machine
+  - [Install PowerShell](https://learn.microsoft.com/powershell/scripting/install/installing-powershell)
+  - [Install Azure CLI](https://learn.microsoft.com/cli/azure/install-azure-cli)
+    - If you want to run Azure CLI Action, [Install Docker](https://docs.docker.com/engine/install/).
+  - [Install Azure PowerShell](https://learn.microsoft.com/powershell/azure/install-azure-powershell)
+- [Configure the Azure virtual machine as a GitHub self-hosted runner](https://docs.github.com/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners)
+
+After it, create GitHub Action secrets for following values: (Refer to [Using secrets in GitHub Actions](https://docs.github.com/actions/security-guides/using-secrets-in-github-actions).)
+
+- AZURE_SUBSCRIPTION_ID: the Subscription ID
+- AZURE_TENANT_ID: the Tenant ID
+
+Now you can try the workflow to login with system-assigned managed identity.
+
+- **The workflow sample to run both Azure CLI and Azure PowerShell**
+
+```yaml
+# File: .github/workflows/workflow.yml
+
+name: Run Azure Login with System-assigned Managed Identity
+on: [push]
+
+jobs:
+  build-and-deploy:
+    runs-on: self-hosted
+    steps:
+      - name: Azure login
+        uses: azure/login@v2
+        with:
+          auth-type: IDENTITY
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          enable-AzPSSession: true
+
+      # Azure CLI Action only supports linux self-hosted runners for now.
+      # If you want to execute the Azure CLI script on a windows self-hosted runner, you can execute it directly in `run`.
+      - name: Azure CLI script
+        uses: azure/cli@v2
+        with:
+          azcliversion: latest
+          inlineScript: |
+            az account show
+
+      - name: Azure PowerShell script
+        uses: azure/powershell@v2
+        with:
+          azPSVersion: "latest"
+          inlineScript: |
+            Get-AzContext
+            Get-AzResourceGroup
+```
+
+### Login With User-assigned Managed Identity
+
+> [!NOTE]
+>
+> "Login With User-assigned Managed Identity" is only supported on GitHub self-hosted runners and the self-hosted runners need to be hosted by Azure virtual machines.
+
+Before you login with User-assigned managed identity, you need to create an Azure virtual machine to host the GitHub self-hosted runner.
+
+- Create an Azure virtual machine
+  - [Create a Windows virtual machine](https://learn.microsoft.com/azure/virtual-machines/windows/quick-create-portal)
+  - [Create a Linux virtual machine](https://learn.microsoft.com/azure/virtual-machines/linux/quick-create-portal?tabs=ubuntu)
+- [Create a user-assigned managed identity and assign a role to it](https://learn.microsoft.com/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-azp#create-a-user-assigned-managed-identity)
+- [Configure user-assigned managed identity on the Azure virtual machine](https://learn.microsoft.com/entra/identity/managed-identities-azure-resources/qs-configure-portal-windows-vm#user-assigned-managed-identity)
+- Install required softwares on the Azure virtual machine
+  - [Install PowerShell](https://learn.microsoft.com/powershell/scripting/install/installing-powershell)
+  - [Install Azure CLI](https://learn.microsoft.com/cli/azure/install-azure-cli)
+    - If you want to run Azure CLI Action, [Install Docker](https://docs.docker.com/engine/install/).
+  - [Install Azure PowerShell](https://learn.microsoft.com/powershell/azure/install-azure-powershell)
+- [Configure the Azure virtual machine as a GitHub self-hosted runner](https://docs.github.com/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners)
+
+After it, create GitHub Action secrets for following values: (Refer to [Using secrets in GitHub Actions](https://docs.github.com/actions/security-guides/using-secrets-in-github-actions).)
+
+- AZURE_CLIENT_ID: the user-assigned managed identity client ID
+- AZURE_SUBSCRIPTION_ID: the subscription ID
+- AZURE_TENANT_ID: the tenant ID
+
+Now you can try the workflow to login with user-assigned managed identity.
+
+- **The workflow sample to run both Azure CLI and Azure PowerShell**
+
+```yaml
+# File: .github/workflows/workflow.yml
+
+name: Run Azure Login with User-assigned Managed Identity
+on: [push]
+
+jobs:
+  build-and-deploy:
+    runs-on: self-hosted
+    steps:
+      - name: Azure login
+        uses: azure/login@v2
+        with:
+          auth-type: IDENTITY
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          enable-AzPSSession: true
+
+      # Azure CLI Action only supports linux self-hosted runners for now.
+      # If you want to execute the Azure CLI script on a windows self-hosted runner, you can execute it directly in `run`.
+      - name: Azure CLI script
+        uses: azure/cli@v2
+        with:
+          azcliversion: latest
+          inlineScript: |
+            az account show
+
+      - name: Azure PowerShell script
+        uses: azure/powershell@v2
+        with:
+          azPSVersion: "latest"
+          inlineScript: |
+            Get-AzContext
+```
+
+### Login to Azure US Government cloud
+
+```yaml
+# File: .github/workflows/workflow.yml
+
+on: [push]
+
+name: Login to Azure US Government cloud
+
+jobs:
+
+  build-and-deploy:
+    runs-on: ubuntu-latest
+    steps:
+
+    - uses: azure/login@v2
+      with:
+        creds: ${{ secrets.AZURE_CREDENTIALS }}
+        environment: 'AzureUSGovernment'
+        enable-AzPSSession: true
+```
+
+### Login to Azure Stack Hub
+
+```yaml
+# File: .github/workflows/workflow.yml
+
+on: [push]
+
+name: Login to Azure Stack Hub cloud
+
+jobs:
+
+  build-and-deploy:
+    runs-on: ubuntu-latest
+    steps:
+
+    - uses: azure/login@v2
       with:
         creds: ${{ secrets.AZURE_CREDENTIALS }}
         environment: 'AzureStack'
-
-    - run: |
-        az webapp list --query "[?state=='Running']"
-
+        enable-AzPSSession: true
 ```
-Refer to the [Azure Stack Hub Login Action Tutorial](https://docs.microsoft.com/en-us/azure-stack/user/ci-cd-github-action-login-cli?view=azs-2008) for more detailed instructions.
 
-## Configure deployment credentials:
+Refer to the [Azure Stack Hub Login Action Tutorial](https://learn.microsoft.com/azure-stack/user/ci-cd-github-action-login-cli) for more detailed instructions.
 
-The previous sample workflows depend on a [secrets](https://docs.github.com/en/free-pro-team@latest/actions/reference/encrypted-secrets) named `AZURE_CREDENTIALS` in your repository. The value of this secret is expected to be a JSON object that represents a service principal (an identifer for an application or process) that authenticates the workflow with Azure.
+### Login without subscription
 
-To function correctly, this service principal must be assigned the [Contributor]((https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#contributor)) role for the web app or the resource group that contains the web app.
-
-The following steps describe how to create the service principal, assign the role, and create a secret in your repository with the resulting credentials.
-
-1. Open the Azure Cloud Shell at [https://shell.azure.com](https://shell.azure.com). You can alternately use the [Azure CLI](https://docs.microsoft.com/cli/azure/install-azure-cli?view=azure-cli-latest) if you've installed it locally. (For more information on Cloud Shell, see the [Cloud Shell Overview](https://docs.microsoft.com/azure/cloud-shell/overview).)
-
-    1.1 **(Required ONLY when environment is Azure Stack Hub)** Run the following command to set the SQL Management endpoint to 'not supported'
-      ```bash
-
-      az cloud update -n {environmentName} --endpoint-sql-management https://notsupported
-
-      ```
-
-2. Use the [az ad sp create-for-rbac](https://docs.microsoft.com/cli/azure/ad/sp?view=azure-cli-latest#az_ad_sp_create_for_rbac) command to create a service principal and assign a Contributor role:
-
-    For web apps (also more secure)
-
-    ```azurecli
-    az ad sp create-for-rbac --name "{sp-name}" --sdk-auth --role contributor \
-        --scopes /subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.Web/sites/{app-name}
-    ```
-
-    For usage with other Azure services (Storage Accounts, Active Directory, etc.)
-
-    ```azurecli
-    az ad sp create-for-rbac --name "{sp-name}" --sdk-auth --role contributor \
-        --scopes /subscriptions/{subscription-id}/resourceGroups/{resource-group}
-    ```
-
-    Replace the following:
-      * `{sp-name}` with a suitable name for your service principal, such as the name of the app itself. The name must be unique within your organization.
-      * `{subscription-id}` with the subscription ID you want to use (found in Subscriptions in portal)
-      * `{resource-group}` the resource group containing the web app.
-      * [optional] `{app-name}` if you wish to have a tighter & more secure scope, use the first option and replace this with the name of the web app.
-
-    More info can be found [here](https://docs.microsoft.com/en-us/cli/azure/ad/sp?view=azure-cli-latest#az_ad_sp_create_for_rbac).
-
-    This command invokes Azure Active Directory (via the `ad` part of the command) to create a service principal (via `sp`) specifically for [Role-Based Access Control (RBAC)](https://docs.microsoft.com/azure/role-based-access-control/overview) (via `create-for-rbac`).
-
-    The `--role` argument specifies the permissions to grant to the service principal at the specified `--scope`. In this case, you grant the built-in [Contributor](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#contributor) role at the scope of the web app in the specified resource group in the specified subscription. If desired, you can omit the part of the scope starting with `/providers/...` to grant the service principal the Contributor role for the entire resource group. For security purposes, however, it's always preferable to grant permissions at the most restrictive scope possible.
-
-3. When complete, the `az ad sp create-for-rbac` command displays JSON output in the following form (which is specified by the `--sdk-auth` argument):
-
-    ```json
-    {
-      "clientId": "<GUID>",
-      "clientSecret": "<CLIENT_SECRET_VALUE>",
-      "subscriptionId": "<GUID>",
-      "tenantId": "<GUID>",
-      (...)
-    }
-    ```
-
-4. In your repository, use **Add secret** to create a new secret named `AZURE_CREDENTIALS` (as shown in the example workflow), or using whatever name is in your workflow file.
-
-NOTE: While adding secret `AZURE_CREDENTIALS` make sure to add like this 
-
-         {"clientId": "<GUID>",
-          "clientSecret": "<CLIENT_SECRET_VALUE>",
-          "subscriptionId": "<GUID>",
-          "tenantId": "<GUID>",
-          (...)}
-
-   instead of  
-
-        {
-            "clientId": "<GUID>",
-            "clientSecret": "<CLIENT_SECRET_VALUE>",
-            "subscriptionId": "<GUID>",
-            "tenantId": "<GUID>",
-            (...)
-        }
-
-   to prevent unnecessary masking of `{ } ` in your logs which are in dictionary form.
-     
-5. Paste the entire JSON object produced by the `az ad sp create-for-rbac` command as the secret value and save the secret.
-
-NOTE: to manage service principals created with `az ad sp create-for-rbac`, visit the [Azure portal](https://portal.azure.com), navigate to your Azure Active Directory, then select **Manage** > **App registrations** on the left-hand menu. Your service principal should appear in the list. Select a principal to navigate to its properties. You can also manage role assignments using the [az role assignment](https://docs.microsoft.com/cli/azure/role/assignment?view=azure-cli-latest) command.
-
-NOTE: Currently there is no support for passing in the Subscription ID, Tenant ID, Client ID, and Client Secret as individual parameters instead of bundled in a single JSON object (creds).
-However, a simple workaround for users who need this option can be:
-```yaml
-  - uses: Azure/login@v1.1
-    with:
-      creds: '{"clientId":"${{ secrets.CLIENT_ID }}","clientSecret":"${{ secrets.CLIENT_SECRET }}","subscriptionId":"${{ secrets.SUBSCRIPTION_ID }}","tenantId":"${{ secrets.TENANT_ID }}"}'
-```
-In a similar way, any additional parameter can be addded to creds such as resourceManagerEndpointUrl for Azure Stack, for example.
-
-NOTE: If you want to hand craft your JSON object instead of using the output from the CLI command (for example, after using the UI to create the App Registration and Role assignment) the following fields are required:
-```json
-{
-  "clientId": "<GUID>",
-"tenantId": "<GUID>",
-"clientSecret": "<CLIENT_SECRET_VALUE>",
-"subscriptionId": "<GUID>",
-"resourceManagerEndpointUrl": "<URL>}
-```
-The resourceManagerEndpointUrl will be `https://management.azure.com/` if you are using the public azure cloud.
-
-## Support for using `allow-no-subscriptions` flag with az login
-
-Capability has been added to support access to tenants without subscriptions. This can be useful to run tenant level commands, such as `az ad`. The action accepts an optional parameter `allow-no-subscriptions` which is `false` by default.
+Capability has been added to support access to tenants without subscriptions for both OIDC and non-OIDC. This can be useful to run tenant level commands, such as `az ad`. The action accepts an optional parameter `allow-no-subscriptions` which is `false` by default.
 
 ```yaml
 # File: .github/workflows/workflow.yml
 
 on: [push]
 
-name: AzureLoginWithNoSubscriptions
+name: Run Azure Login without subscription
 
 jobs:
 
@@ -241,30 +533,176 @@ jobs:
     runs-on: ubuntu-latest
     steps:
 
-    - uses: azure/login@v1
+    - name: Azure Login
+      uses: azure/login@v2
       with:
-        creds: ${{ secrets.AZURE_CREDENTIALS }}
+        client-id: ${{ secrets.AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
         allow-no-subscriptions: true
+        enable-AzPSSession: true
+
+    - name: Azure CLI script
+      uses: azure/cli@v2
+      with:
+        azcliversion: latest
+        inlineScript: |
+          az account show
+
+    - name: Run Azure PowerShell
+      uses: azure/powershell@v2
+      with:
+        azPSVersion: "latest"
+        inlineScript: |
+          Get-AzContext
 ```
-## Az logout and security hardening
 
-This action doesn't implement ```az logout``` by default at the end of execution. However there is no way of tampering the credentials or account information because the github hosted runner is on a VM that will get reimaged for every customer run which gets everything deleted. But if the runner is self-hosted which is not github provided it is recommended to manually logout at the end of the workflow as shown below. More details on security of the runners can be found [here](https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#hardening-for-self-hosted-runners).
+### Enable/Disable the cleanup steps
+
+In Azure Login Action, "cleanup" means cleaning up the login context. For security reasons, we recommend users run cleanup every time. But in some scenarios, users need flexible control over cleanup.
+
+Referring to [`runs` for JavaScript actions](https://docs.github.com/actions/sharing-automations/creating-actions/metadata-syntax-for-github-actions#runs-for-javascript-actions), there are 3 steps in an action: `pre:`, `main:` and `post:`. Azure Login Action only implement 2 steps: `main:` and `post:`.
+
+There are 2 "cleanup" steps in Azure Login Action:
+
+- cleanup in `main:`
+  - It's **disabled** by default.
+  - Users can enable it by setting an env variable `AZURE_LOGIN_PRE_CLEANUP` to `true`.
+- cleanup in `post:`
+  - It's **enabled** by default.
+  - Users can disable it by setting an env variable `AZURE_LOGIN_POST_CLEANUP` to `false`.
+
+Azure Login Action use env variables to enable or disable cleanup steps. In GitHub Actions, there are three valid scopes for env variables.
+
+- [env](https://docs.github.com/actions/writing-workflows/workflow-syntax-for-github-actions#env)
+  - valid for all jobs in this workflow.
+- [jobs.<job_id>.env](https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idenv)
+  - valid for all the steps in the job.
+- [jobs.<job_id>.steps[*].env](https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsenv)
+  - only valid for the step in a job.
+
+We set `jobs.<job_id>.steps[*].env` for example. Users can set `env` or `jobs.<job_id>.env` for a wider scope.
+
+```yaml
+# File: .github/workflows/workflow.yml
+
+on: [push]
+
+name: Cleanup examples for Multiple Azure Login
+
+jobs:
+
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+
+    # enable cleanup for the 1st Azure Login
+    - name: Azure Login
+      uses: azure/login@v2
+      env:
+        AZURE_LOGIN_PRE_CLEANUP: true
+        AZURE_LOGIN_POST_CLEANUP: true
+      with:
+        client-id: ${{ secrets.AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+        enable-AzPSSession: true    
+
+    # run some actions
+
+    # disable cleanup for all other Azure Login
+    - name: Azure Login 2
+      uses: azure/login@v2
+      env:
+        AZURE_LOGIN_PRE_CLEANUP: false
+        AZURE_LOGIN_POST_CLEANUP: false
+      with:
+        client-id: ${{ secrets.AZURE_CLIENT_ID_2 }}
+        tenant-id: ${{ secrets.AZURE_TENANT_ID_2 }}
+        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID_2 }}
+        enable-AzPSSession: true   
+
+    # run other actions
+
+    # disable cleanup for all other Azure Login
+    - name: Azure Login 3
+      uses: azure/login@v2
+      env:
+        AZURE_LOGIN_PRE_CLEANUP: false
+        AZURE_LOGIN_POST_CLEANUP: false
+      with:
+        client-id: ${{ secrets.AZURE_CLIENT_ID_3 }}
+        tenant-id: ${{ secrets.AZURE_TENANT_ID_3 }}
+        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID_3 }}
+        enable-AzPSSession: true   
+
+    # run other actions
 ```
-- name: Azure CLI script
-  uses: azure/CLI@v1
-  with:
-    azcliversion: 2.0.72
-    inlineScript: |
-      az logout
-      az cache purge
-      az account clear
+
+```yaml
+# File: .github/workflows/workflow.yml
+
+on: [push]
+
+name: Disable cleanup for GitHub Hosted Runners
+
+jobs:
+
+  deploy:
+    runs-on: [ubuntu-latest, self-hosted]
+    steps:
+
+    - name: Azure Login
+      uses: azure/login@v2
+      env:
+        AZURE_LOGIN_PRE_CLEANUP: ${{ startsWith(runner.name, 'GitHub Actions') }}
+        AZURE_LOGIN_POST_CLEANUP: ${{ startsWith(runner.name, 'GitHub Actions') }}
+      with:
+        client-id: ${{ secrets.AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+        enable-AzPSSession: true    
+
+    # run some actions
+
 ```
-# Contributing
 
-This project welcomes contributions and suggestions.  Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com. 
+## Security hardening
 
-For detailed developer guidelines, visit [developer guidelines for azure actions](https://github.com/Azure/actions/blob/main/docs/developer-guildelines.md).
+> [!WARNING]
+> When using self hosted runners it is possible to have multiple runners on a single VM. Currently if your runners share a single user on the VM each runner will share the same credentials. That means in detail that each runner is able to change the permissions of another run. As a workaround we propose to use one single VM user per runner. If you start the runner as a service, do not forget to add the [optional user argument](https://docs.github.com/actions/hosting-your-own-runners/managing-self-hosted-runners/configuring-the-self-hosted-runner-application-as-a-service#installing-the-service)
 
-When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.
+## Azure CLI dependency
 
-This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.
+Internally in this action, we use azure CLI and execute `az login` with the credentials provided through secrets. In order to validate the new azure CLI releases for this action, [canary test workflow](.github/workflows/azure-login-canary.yml) is written which will execute the action on [azure CLI's edge build](https://github.com/Azure/azure-cli#edge-builds) which will fail incase of any breaking change is being introduced in the new upcoming release. The test results can be posted on a slack or teams channel using the corresponding integrations. Incase of a failure, the concern will be raised to [azure-cli](https://github.com/Azure/azure-cli) for taking a necessary action and also the latest CLI installation will be postponed in [Runner VMs](https://github.com/actions/virtual-environments) as well for hosted runner to prevent the workflows failing due to the new CLI changes.
+
+## Reference
+
+### GitHub Action
+
+[GitHub Actions](https://docs.github.com/actions) gives you the flexibility to build an automated software development lifecycle workflow.
+
+### GitHub Actions for deploying to Azure
+
+With [GitHub Actions for Azure](https://github.com/Azure/actions/), you can create workflows that you can set up in your repository to build, test, package, release and **deploy** to Azure.
+
+### Azure CLI Action
+
+Refer to the [Azure CLI](https://github.com/azure/cli) GitHub Action to run your Azure CLI scripts.
+
+### Azure PowerShell Action
+
+Refer to the [Azure PowerShell](https://github.com/azure/powershell) GitHub Action to run your Azure PowerShell scripts.
+
+## Contributing
+
+This project welcomes contributions and suggestions.  Most contributions require you to agree to a
+Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us
+the rights to use your contribution. For details, visit <https://cla.opensource.microsoft.com>.
+
+When you submit a pull request, a CLA bot will automatically determine whether you need to provide
+a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions
+provided by the bot. You will only need to do this once across all repos using our CLA.
+
+This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
+For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or
+contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.

__tests__/LoginConfig.test.ts

@@ -0,0 +1,272 @@
+import { LoginConfig } from "../src/common/LoginConfig";
+
+describe("LoginConfig Test", () => {
+
+    function setEnv(name: string, value: string) {
+        process.env[`INPUT_${name.replace(/ /g, '_').toUpperCase()}`] = value;
+    }
+
+    function cleanEnv() {
+        for (const envKey in process.env) {
+            if (envKey.startsWith('INPUT_')) {
+                delete process.env[envKey]
+            }
+        }
+    }
+
+    async function testCreds(creds:any){
+        setEnv('environment', 'azurecloud');
+        setEnv('enable-AzPSSession', 'true');
+        setEnv('allow-no-subscriptions', 'false');
+        setEnv('auth-type', 'SERVICE_PRINCIPAL');
+        setEnv('creds', JSON.stringify(creds));
+        let loginConfig = new LoginConfig();
+        try{
+            await loginConfig.initialize();
+            throw new Error("The last step should fail.");
+        }catch(error){
+            expect(error.message.includes("Not all parameters are provided in 'creds'.")).toBeTruthy();
+        }
+    }
+
+    function testValidateWithErrorMessage(loginConfig:LoginConfig, errorMessage:string){
+        try{
+            loginConfig.validate();
+            throw new Error("The last step should fail.");
+        }catch(error){
+            expect(error.message.includes(errorMessage)).toBeTruthy();
+        }
+    }
+
+    beforeEach(() => {
+        cleanEnv();
+    });
+
+    test('initialize with creds, lack of clientId', async () => {
+        let creds1 = {
+            // 'clientId': 'client-id',
+            'clientSecret': 'client-secret',
+            'tenantId': 'tenant-id',
+            'subscriptionId': 'subscription-id'
+        }
+        await testCreds(creds1);
+
+    });
+
+    test('initialize with creds, lack of clientSecret', async () => {
+        let creds1 = {
+            'clientId': 'client-id',
+            // 'clientSecret': 'client-secret',
+            'tenantId': 'tenant-id',
+            'subscriptionId': 'subscription-id'
+        }
+        await testCreds(creds1);
+
+    });
+
+    test('initialize with creds, lack of tenantId', async () => {
+        let creds1 = {
+            'clientId': 'client-id',
+            'clientSecret': 'client-secret',
+            // 'tenantId': 'tenant-id',
+            'subscriptionId': 'subscription-id'
+        }
+        await testCreds(creds1);
+
+    });
+   
+    test('initialize with creds, lack of subscriptionId, but allowNoSubscriptionsLogin=true', async () => {
+        let creds1 = {
+            'clientId': 'client-id',
+            'clientSecret': 'client-secret',
+            'tenantId': 'tenant-id',
+            // 'subscriptionId': 'subscription-id'
+        }
+        setEnv('environment', 'azurecloud');
+        setEnv('enable-AzPSSession', 'true');
+        setEnv('allow-no-subscriptions', 'true');
+        setEnv('auth-type', 'SERVICE_PRINCIPAL');
+        setEnv('creds', JSON.stringify(creds1));
+        let loginConfig = new LoginConfig();
+        await loginConfig.initialize();
+        expect(loginConfig.environment).toBe("azurecloud");
+        expect(loginConfig.enableAzPSSession).toBeTruthy();
+        expect(loginConfig.allowNoSubscriptionsLogin).toBeTruthy();
+        expect(loginConfig.authType).toBe("SERVICE_PRINCIPAL");
+        expect(loginConfig.servicePrincipalId).toBe("client-id");
+        expect(loginConfig.servicePrincipalSecret).toBe("client-secret");
+        expect(loginConfig.tenantId).toBe("tenant-id");
+        expect(loginConfig.subscriptionId).toBe(undefined);
+    });
+
+    test('initialize with creds', async () => {
+        let creds = {
+            'clientId': 'client-id',
+            'clientSecret': 'client-secret',
+            'tenantId': 'tenant-id',
+            'subscriptionId': 'subscription-id'
+        }
+
+        setEnv('environment', 'azurecloud');
+        setEnv('enable-AzPSSession', 'true');
+        setEnv('allow-no-subscriptions', 'false');
+        setEnv('auth-type', 'SERVICE_PRINCIPAL');
+        setEnv('creds', JSON.stringify(creds));
+
+        let loginConfig = new LoginConfig();
+        await loginConfig.initialize();
+        expect(loginConfig.environment).toBe("azurecloud");
+        expect(loginConfig.enableAzPSSession).toBeTruthy();
+        expect(loginConfig.allowNoSubscriptionsLogin).toBeFalsy();
+        expect(loginConfig.authType).toBe("SERVICE_PRINCIPAL");
+        expect(loginConfig.servicePrincipalId).toBe("client-id");
+        expect(loginConfig.servicePrincipalSecret).toBe("client-secret");
+        expect(loginConfig.tenantId).toBe("tenant-id");
+        expect(loginConfig.subscriptionId).toBe("subscription-id");
+    });
+
+    test('initialize with individual parameters', async () => {
+        setEnv('environment', 'azureusgovernment');
+        setEnv('enable-AzPSSession', 'false');
+        setEnv('allow-no-subscriptions', 'true');
+        setEnv('auth-type', 'SERVICE_PRINCIPAL');
+        setEnv('tenant-id', 'tenant-id');
+        setEnv('subscription-id', 'subscription-id');
+        setEnv('client-id', 'client-id');
+
+        let loginConfig = new LoginConfig();
+        await loginConfig.initialize();
+        expect(loginConfig.environment).toBe("azureusgovernment");
+        expect(loginConfig.enableAzPSSession).toBeFalsy();
+        expect(loginConfig.allowNoSubscriptionsLogin).toBeTruthy();
+        expect(loginConfig.authType).toBe("SERVICE_PRINCIPAL");
+        expect(loginConfig.servicePrincipalId).toBe("client-id");
+        expect(loginConfig.tenantId).toBe("tenant-id");
+        expect(loginConfig.subscriptionId).toBe("subscription-id");
+    });
+
+    test('initialize with both creds and individual parameters', async () => {
+        setEnv('environment', 'azureusgovernment');
+        setEnv('enable-AzPSSession', 'false');
+        setEnv('allow-no-subscriptions', 'true');
+        setEnv('auth-type', 'SERVICE_PRINCIPAL');
+
+        setEnv('tenant-id', 'tenant-id-aa');
+        setEnv('subscription-id', 'subscription-id-aa');
+        setEnv('client-id', 'client-id-aa');
+
+        let creds = {
+            'clientId': 'client-id-bb',
+            'clientSecret': 'client-secret-bb',
+            'tenantId': 'tenant-id-bb',
+            'subscriptionId': 'subscription-id-bb'
+        }
+        setEnv('creds', JSON.stringify(creds));
+
+        let loginConfig = new LoginConfig();
+        await loginConfig.initialize();
+        expect(loginConfig.environment).toBe("azureusgovernment");
+        expect(loginConfig.enableAzPSSession).toBeFalsy();
+        expect(loginConfig.allowNoSubscriptionsLogin).toBeTruthy();
+        expect(loginConfig.authType).toBe("SERVICE_PRINCIPAL");
+        expect(loginConfig.servicePrincipalId).toBe("client-id-aa");
+        expect(loginConfig.servicePrincipalSecret).toBeNull();
+        expect(loginConfig.tenantId).toBe("tenant-id-aa");
+        expect(loginConfig.subscriptionId).toBe("subscription-id-aa");
+    });
+
+    test('validate with wrong environment', async () => {
+        setEnv('environment', 'aWrongCloud');
+        setEnv('enable-AzPSSession', 'false');
+        setEnv('allow-no-subscriptions', 'true');
+        setEnv('auth-type', 'SERVICE_PRINCIPAL');
+
+        setEnv('tenant-id', 'tenant-id');
+        setEnv('subscription-id', 'subscription-id');
+        setEnv('client-id', 'client-id');
+
+        let loginConfig = new LoginConfig();
+        await loginConfig.initialize();
+        testValidateWithErrorMessage(loginConfig, "Unsupported value 'awrongcloud' for environment is passed.");
+    });
+
+    test('validate with wrong authType', async () => {
+        setEnv('environment', 'azurestack');
+        setEnv('enable-AzPSSession', 'false');
+        setEnv('allow-no-subscriptions', 'true');
+        setEnv('auth-type', 'SERVICE-PRINCIPAL');
+
+        setEnv('tenant-id', 'tenant-id');
+        setEnv('subscription-id', 'subscription-id');
+        setEnv('client-id', 'client-id');
+
+        let loginConfig = new LoginConfig();
+        await loginConfig.initialize();
+        testValidateWithErrorMessage(loginConfig, "Unsupported value 'SERVICE-PRINCIPAL' for authentication type is passed.");
+    });
+
+    test('validate with SERVICE_PRINCIPAL, lack of tenant id', async () => {
+        setEnv('environment', 'azurestack');
+        setEnv('enable-AzPSSession', 'false');
+        setEnv('allow-no-subscriptions', 'true');
+        setEnv('auth-type', 'SERVICE_PRINCIPAL');
+
+        // setEnv('tenant-id', 'tenant-id');
+        setEnv('subscription-id', 'subscription-id');
+        setEnv('client-id', 'client-id');
+
+        let loginConfig = new LoginConfig();
+        await loginConfig.initialize();
+        testValidateWithErrorMessage(loginConfig, "Using auth-type: SERVICE_PRINCIPAL. Not all values are present. Ensure 'client-id' and 'tenant-id' are supplied.");
+    });
+
+    test('validate with SERVICE_PRINCIPAL, lack of client id', async () => {
+        setEnv('environment', 'azurestack');
+        setEnv('enable-AzPSSession', 'false');
+        setEnv('allow-no-subscriptions', 'true');
+        setEnv('auth-type', 'SERVICE_PRINCIPAL');
+
+        setEnv('tenant-id', 'tenant-id');
+        setEnv('subscription-id', 'subscription-id');
+        // setEnv('client-id', 'client-id');
+
+        let loginConfig = new LoginConfig();
+        await loginConfig.initialize();
+        testValidateWithErrorMessage(loginConfig, "Using auth-type: SERVICE_PRINCIPAL. Not all values are present. Ensure 'client-id' and 'tenant-id' are supplied.");
+    });
+
+    test('validate without subscriptionId and allowNoSubscriptionsLogin=false', async () => {
+        setEnv('environment', 'azurestack');
+        setEnv('enable-AzPSSession', 'false');
+        setEnv('allow-no-subscriptions', 'false');
+        setEnv('auth-type', 'IDENTITY');
+
+        // setEnv('subscription-id', 'subscription-id');
+
+        let loginConfig = new LoginConfig();
+        await loginConfig.initialize();
+        testValidateWithErrorMessage(loginConfig, "Ensure 'subscription-id' is supplied or 'allow-no-subscriptions' is 'true'.");
+    });
+
+    test('validate without subscriptionId and allowNoSubscriptionsLogin=true', async () => {
+        setEnv('environment', 'azurestack');
+        setEnv('enable-AzPSSession', 'true');
+        setEnv('allow-no-subscriptions', 'true');
+        setEnv('auth-type', 'IDENTITY');
+
+        // setEnv('subscription-id', 'subscription-id');
+
+        let loginConfig = new LoginConfig();
+        await loginConfig.initialize();
+        loginConfig.validate();
+        expect(loginConfig.environment).toBe("azurestack");
+        expect(loginConfig.enableAzPSSession).toBeTruthy();
+        expect(loginConfig.allowNoSubscriptionsLogin).toBeTruthy();
+        expect(loginConfig.authType).toBe("IDENTITY");
+        expect(loginConfig.servicePrincipalId).toBe("");
+        expect(loginConfig.servicePrincipalSecret).toBeNull();
+        expect(loginConfig.tenantId).toBe("");
+        expect(loginConfig.subscriptionId).toBe("");
+    });
+
+});

__tests__/PowerShell/AzPSLogin.test.ts

@@ -0,0 +1,92 @@
+import * as os from 'os';
+
+import { AzPSLogin } from '../../src/PowerShell/AzPSLogin';
+import { LoginConfig } from '../../src/common/LoginConfig';
+import { AzPSConstants, AzPSUtils } from '../../src/PowerShell/AzPSUtils';
+
+let azpsLogin: AzPSLogin;
+jest.setTimeout(30000);
+
+beforeAll(() => {
+    var loginConfig = new LoginConfig();
+    loginConfig.servicePrincipalId = "servicePrincipalID";
+    loginConfig.servicePrincipalSecret = "servicePrincipalSecret";
+    loginConfig.tenantId = "tenantId";
+    loginConfig.subscriptionId = "subscriptionId";
+    azpsLogin = new AzPSLogin(loginConfig);
+});
+
+afterEach(() => {
+    jest.restoreAllMocks();
+});
+
+describe('Testing login', () => {
+    let loginSpy;
+    
+    beforeEach(() => {
+        loginSpy = jest.spyOn(azpsLogin, 'login');
+    });
+
+    test('ServicePrincipal login should pass', async () => {
+        loginSpy.mockImplementationOnce(() => Promise.resolve());
+        await azpsLogin.login();
+        expect(loginSpy).toHaveBeenCalled();
+    });
+});
+
+describe('Testing set module path', () => {
+    test('setDefaultPSModulePath should work', () => {
+        AzPSUtils.setPSModulePathForGitHubRunner();
+        const runner: string = process.env.RUNNER_OS || os.type();
+        if(runner.toLowerCase() === "linux"){
+            expect(process.env.PSModulePath).toContain(AzPSConstants.DEFAULT_AZ_PATH_ON_LINUX);
+        }
+        if(runner.toLowerCase().startsWith("windows")){
+            expect(process.env.PSModulePath).toContain(AzPSConstants.DEFAULT_AZ_PATH_ON_WINDOWS);
+        }
+    });
+
+});
+
+describe('Testing runPSScript', () => {
+    test('Get PowerShell Version', async () => {
+        let script = `try {
+            $ErrorActionPreference = "Stop"
+            $WarningPreference = "SilentlyContinue"
+            $output = @{}
+            $output['Success'] = $true
+            $output['Result'] = $PSVersionTable.PSVersion.ToString()
+        }
+        catch {
+            $output['Success'] = $false
+            $output['Error'] = $_.exception.Message
+        }
+        return ConvertTo-Json $output`;
+
+        let psVersion: string = await AzPSUtils.runPSScript(script);
+        expect(psVersion === null).toBeFalsy();
+    });
+
+    test('Get PowerShell Version with Wrong Name', async () => {
+        let script = `try {
+            $ErrorActionPreference = "Stop"
+            $WarningPreference = "SilentlyContinue"
+            $output = @{}
+            $output['Success'] = $true
+            $output['Result'] = $PSVersionTableWrongName.PSVersion.ToString()
+        }
+        catch {
+            $output['Success'] = $false
+            $output['Error'] = $_.exception.Message
+        }
+        return ConvertTo-Json $output`;
+
+        try{
+            await AzPSUtils.runPSScript(script);
+            throw new Error("The last step should fail.");
+        }catch(error){
+            expect(error.message.includes("Azure PowerShell login failed with error: You cannot call a method on a null-valued expression.")).toBeTruthy();
+        }
+    });
+
+});

__tests__/PowerShell/AzPSScriptBuilder.test.ts

@@ -0,0 +1,153 @@
+import AzPSSCriptBuilder from "../../src/PowerShell/AzPSScriptBuilder";
+import { LoginConfig } from "../../src/common/LoginConfig";
+
+describe("Getting AzLogin PS script", () => {
+
+    function setEnv(name: string, value: string) {
+        process.env[`INPUT_${name.replace(/ /g, '_').toUpperCase()}`] = value;
+    }
+
+    function cleanEnv() {
+        for (const envKey in process.env) {
+            if (envKey.startsWith('INPUT_')) {
+                delete process.env[envKey]
+            }
+        }
+    }
+
+    beforeEach(() => {
+        cleanEnv();
+    });
+
+    test('getImportLatestModuleScript', () => {
+        expect(AzPSSCriptBuilder.getImportLatestModuleScript("TestModule")).toContain("(Get-Module -Name 'TestModule' -ListAvailable | Sort-Object Version -Descending | Select-Object -First 1).Path");
+        expect(AzPSSCriptBuilder.getImportLatestModuleScript("TestModule")).toContain("Import-Module -Name $latestModulePath");
+    });
+
+    test('getAzPSLoginScript for SP+secret with allowNoSubscriptionsLogin=true', () => {
+        setEnv('environment', 'azurecloud');
+        setEnv('enable-AzPSSession', 'true');
+        setEnv('allow-no-subscriptions', 'true');
+        setEnv('auth-type', 'SERVICE_PRINCIPAL');
+        let creds = {
+            'clientId': 'client-id',
+            'clientSecret': "client-secret",
+            'tenantId': 'tenant-id',
+            'subscriptionId': 'subscription-id'
+        }
+        setEnv('creds', JSON.stringify(creds));
+
+        let loginConfig = new LoginConfig();
+        loginConfig.initialize();
+        return AzPSSCriptBuilder.getAzPSLoginScript(loginConfig).then(([loginMethod, loginScript]) => {
+            expect(loginScript.includes("$psLoginSecrets = ConvertTo-SecureString 'client-secret' -AsPlainText -Force; $psLoginCredential = New-Object System.Management.Automation.PSCredential('client-id', $psLoginSecrets); Connect-AzAccount -ServicePrincipal -Environment 'azurecloud' -Tenant 'tenant-id' -Subscription 'subscription-id' -Credential $psLoginCredential -InformationAction Ignore | out-null;")).toBeTruthy();
+            expect(loginMethod).toBe('service principal with secret');
+        });
+    });
+
+    test('getAzPSLoginScript for SP+secret with allowNoSubscriptionsLogin=true, secret with single-quote', () => {
+        setEnv('environment', 'azurecloud');
+        setEnv('enable-AzPSSession', 'true');
+        setEnv('allow-no-subscriptions', 'true');
+        setEnv('auth-type', 'SERVICE_PRINCIPAL');
+        let creds = {
+            'clientId': 'client-id',
+            'clientSecret': "client-se'cret",
+            'tenantId': 'tenant-id',
+            'subscriptionId': 'subscription-id'
+        }
+        setEnv('creds', JSON.stringify(creds));
+
+        let loginConfig = new LoginConfig();
+        loginConfig.initialize();
+        return AzPSSCriptBuilder.getAzPSLoginScript(loginConfig).then(([loginMethod, loginScript]) => {
+            expect(loginScript.includes("$psLoginSecrets = ConvertTo-SecureString 'client-se''cret' -AsPlainText -Force; $psLoginCredential = New-Object System.Management.Automation.PSCredential('client-id', $psLoginSecrets); Connect-AzAccount -ServicePrincipal -Environment 'azurecloud' -Tenant 'tenant-id' -Subscription 'subscription-id' -Credential $psLoginCredential -InformationAction Ignore | out-null;")).toBeTruthy();
+            expect(loginMethod).toBe('service principal with secret');
+        });
+    });
+
+    test('getAzPSLoginScript for SP+secret with allowNoSubscriptionsLogin=false', () => {
+        setEnv('environment', 'azurecloud');
+        setEnv('enable-AzPSSession', 'true');
+        setEnv('allow-no-subscriptions', 'false'); // same as true
+        setEnv('auth-type', 'SERVICE_PRINCIPAL');
+        let creds = {
+            'clientId': 'client-id',
+            'clientSecret': 'client-secret',
+            'tenantId': 'tenant-id',
+            'subscriptionId': 'subscription-id'
+        }
+        setEnv('creds', JSON.stringify(creds));
+
+        let loginConfig = new LoginConfig();
+        loginConfig.initialize();
+        return AzPSSCriptBuilder.getAzPSLoginScript(loginConfig).then(([loginMethod, loginScript]) => {
+            expect(loginScript.includes("$psLoginSecrets = ConvertTo-SecureString 'client-secret' -AsPlainText -Force; $psLoginCredential = New-Object System.Management.Automation.PSCredential('client-id', $psLoginSecrets); Connect-AzAccount -ServicePrincipal -Environment 'azurecloud' -Tenant 'tenant-id' -Subscription 'subscription-id' -Credential $psLoginCredential -InformationAction Ignore | out-null;")).toBeTruthy();
+            expect(loginMethod).toBe('service principal with secret');
+        });
+    });
+
+    test('getAzPSLoginScript for OIDC', () => {
+        setEnv('environment', 'azurecloud');
+        setEnv('enable-AzPSSession', 'true');
+        setEnv('allow-no-subscriptions', 'false');
+        setEnv('tenant-id', 'tenant-id');
+        setEnv('subscription-id', 'subscription-id');
+        setEnv('client-id', 'client-id');
+        setEnv('auth-type', 'SERVICE_PRINCIPAL');
+
+        let loginConfig = new LoginConfig();
+        loginConfig.initialize();
+        jest.spyOn(loginConfig, 'getFederatedToken').mockImplementation(async () => {loginConfig.federatedToken = "fake-token";});
+        return AzPSSCriptBuilder.getAzPSLoginScript(loginConfig).then(([loginMethod, loginScript]) => {
+            expect(loginScript.includes("Connect-AzAccount -ServicePrincipal -Environment 'azurecloud' -Tenant 'tenant-id' -Subscription 'subscription-id' -ApplicationId 'client-id' -FederatedToken 'fake-token' -InformationAction Ignore | out-null;")).toBeTruthy();
+            expect(loginMethod).toBe('OIDC');
+        });
+    });
+
+    test('getAzPSLoginScript for System MI', () => {
+        setEnv('environment', 'azurecloud');
+        setEnv('enable-AzPSSession', 'true');
+        setEnv('allow-no-subscriptions', 'false');
+        setEnv('subscription-id', 'subscription-id');
+        setEnv('auth-type', 'IDENTITY');
+
+        let loginConfig = new LoginConfig();
+        loginConfig.initialize();
+        return AzPSSCriptBuilder.getAzPSLoginScript(loginConfig).then(([loginMethod, loginScript]) => {
+            expect(loginScript.includes("Connect-AzAccount -Identity -Environment 'azurecloud' -Subscription 'subscription-id'  -InformationAction Ignore | out-null;")).toBeTruthy();
+            expect(loginMethod).toBe('system-assigned managed identity');
+        });
+    });
+
+    test('getAzPSLoginScript for System MI without subscription id', () => {
+        setEnv('environment', 'azurecloud');
+        setEnv('enable-AzPSSession', 'true');
+        setEnv('allow-no-subscriptions', 'false');
+        // setEnv('subscription-id', 'subscription-id');
+        setEnv('auth-type', 'IDENTITY');
+
+        let loginConfig = new LoginConfig();
+        loginConfig.initialize();
+        return AzPSSCriptBuilder.getAzPSLoginScript(loginConfig).then(([loginMethod, loginScript]) => {
+            expect(loginScript.includes("Connect-AzAccount -Identity -Environment 'azurecloud'  -InformationAction Ignore | out-null;")).toBeTruthy();
+            expect(loginMethod).toBe('system-assigned managed identity');
+        });
+    });
+
+    test('getAzPSLoginScript for user-assigned MI', () => {
+        setEnv('environment', 'azurecloud');
+        setEnv('enable-AzPSSession', 'true');
+        setEnv('allow-no-subscriptions', 'true');
+        setEnv('auth-type', 'IDENTITY');
+        setEnv('client-id', 'client-id');
+
+        let loginConfig = new LoginConfig();
+        loginConfig.initialize();
+        return AzPSSCriptBuilder.getAzPSLoginScript(loginConfig).then(([loginMethod, loginScript]) => {
+            expect(loginScript.includes("Connect-AzAccount -Identity -Environment 'azurecloud' -AccountId 'client-id' -InformationAction Ignore | out-null;")).toBeTruthy();
+            expect(loginMethod).toBe('user-assigned managed identity');
+        });
+    });
+
+});

__tests__/PowerShell/ServicePrinicipalLogin.test.ts

@@ -1,38 +0,0 @@
-import { ServicePrincipalLogin } from '../../src/PowerShell/ServicePrincipalLogin';
-
-jest.mock('../../src/PowerShell/Utilities/Utils');
-jest.mock('../../src/PowerShell/Utilities/PowerShellToolRunner');
-let spnlogin: ServicePrincipalLogin;
-
-beforeAll(() => {
-    spnlogin = new ServicePrincipalLogin("servicePrincipalID", "servicePrinicipalkey", "tenantId", "subscriptionId", false, null, null);
-});
-
-afterEach(() => {
-    jest.restoreAllMocks();
-});
-
-describe('Testing initialize', () => {
-    let initializeSpy;
-    
-    beforeEach(() => {
-        initializeSpy = jest.spyOn(spnlogin, 'initialize');
-    });
-    test('ServicePrincipalLogin initialize should pass', async () => {
-        await spnlogin.initialize();
-        expect(initializeSpy).toHaveBeenCalled();
-    });
-});
-
-describe('Testing login', () => {
-    let loginSpy;
-    
-    beforeEach(() => {
-        loginSpy = jest.spyOn(spnlogin, 'login');
-    });
-    test('ServicePrincipal login should pass', async () => {
-        loginSpy.mockImplementationOnce(() => Promise.resolve());
-        await spnlogin.login();
-        expect(loginSpy).toHaveBeenCalled();
-    });
-});

__tests__/PowerShell/Utilities/ScriptBuilder.test.ts

@@ -1,25 +0,0 @@
-import ScriptBuilder from "../../../src/PowerShell/Utilities/ScriptBuilder";
-import Constants from "../../../src/PowerShell/Constants";
-
-describe("Getting AzLogin PS script" , () => {
-    const scheme = Constants.ServicePrincipal;
-    let args: any = {
-        servicePrincipalId: "service-principal-id",
-        servicePrincipalKey: "service-principal-key",
-        environment: "environment",
-        scopeLevel: Constants.Subscription,
-        subscriptionId: "subId",
-        allowNoSubscriptionsLogin: true
-    }
-
-    test("PS script should not set context while passing allowNoSubscriptionsLogin as true", () => {
-        const loginScript = new ScriptBuilder().getAzPSLoginScript(scheme, "tenant-id", args);
-        expect(loginScript.includes("Set-AzContext -SubscriptionId")).toBeFalsy();
-    });
-
-    test("PS script should set context while passing allowNoSubscriptionsLogin as false", () => {
-        args["allowNoSubscriptionsLogin"] = false;
-        const loginScript = new ScriptBuilder().getAzPSLoginScript(scheme, "tenant-id", args);
-        expect(loginScript.includes("Set-AzContext -SubscriptionId")).toBeTruthy();
-    });
-});

__tests__/PowerShell/Utilities/Utils.test.ts

@@ -1,45 +0,0 @@
-import Utils from '../../../src/PowerShell/Utilities/Utils';
-
-const version: string = '9.0.0';
-const moduleName: string = 'az';
-
-afterEach(() => {
-    jest.restoreAllMocks();
-});
-
-describe('Testing isValidVersion', () => {
-    const validVersion: string = '1.2.4';
-    const invalidVersion: string = 'a.bcd';
-
-    test('isValidVersion should be true', () => {
-        expect(Utils.isValidVersion(validVersion)).toBeTruthy();
-    });
-    test('isValidVersion should be false', () => {
-        expect(Utils.isValidVersion(invalidVersion)).toBeFalsy();
-    });
-});
-
-describe('Testing setPSModulePath', () => {
-    test('PSModulePath with azPSVersion non-empty', () => {
-        Utils.setPSModulePath(version);
-        expect(process.env.PSModulePath).toContain(version);
-    });
-    test('PSModulePath with azPSVersion empty', () => {
-        const prevPSModulePath = process.env.PSModulePath;
-        Utils.setPSModulePath();
-        expect(process.env.PSModulePath).not.toEqual(prevPSModulePath);
-    });
-});
-
-describe('Testing getLatestModule', () => {
-    let getLatestModuleSpy;
-
-    beforeEach(() => {
-        getLatestModuleSpy = jest.spyOn(Utils, 'getLatestModule');
-    });
-    test('getLatestModule should pass', async () => {
-        getLatestModuleSpy.mockImplementationOnce((_moduleName: string) => Promise.resolve(version));
-        await Utils.getLatestModule(moduleName);
-        expect(getLatestModuleSpy).toHaveBeenCalled();
-    });
-});

action.yml

@@ -1,25 +1,44 @@
 # Login to Azure subscription
 name: 'Azure Login'
-description: 'Authenticate to Azure and run your Az CLI or Az PowerShell based Actions or scripts. github.com/Azure/Actions'
-inputs: 
+description: 'Authenticate to Azure and run your Azure CLI or Azure PowerShell based actions or scripts.'
+inputs:
   creds:
     description: 'Paste output of `az ad sp create-for-rbac` as value of secret variable: AZURE_CREDENTIALS'
-    required: true
-  enable-AzPSSession: 
-    description: 'Set this value to true to enable Azure PowerShell Login in addition to Az CLI login'
+    required: false
+  client-id:
+    description: 'ClientId of the Azure Service principal created.'
+    required: false
+  tenant-id:
+    description: 'TenantId of the Azure Service principal created.'
+    required: false
+  subscription-id:
+    description: 'Azure subscriptionId'
+    required: false
+  enable-AzPSSession:
+    description: 'Set this value to true to enable Azure PowerShell Login in addition to Azure CLI login'
     required: false
     default: false
   environment:
     description: 'Name of the environment. Supported values are azurecloud, azurestack, azureusgovernment, azurechinacloud, azuregermancloud. Default being azurecloud'
     required: false
-    default: AzureCloud
+    default: azurecloud
   allow-no-subscriptions:
-    description: 'Set this value to true to enable support for accessing tenants without subscriptions'
+    description: 'Set this value to true to enable support for accessing tenants without subscriptions'
     required: false
     default: false
+  audience:
+    description: 'Provide audience field for access-token. Default value is api://AzureADTokenExchange'
+    required: false
+    default: 'api://AzureADTokenExchange'
+  auth-type:
+    description: 'The type of authentication. Supported values are SERVICE_PRINCIPAL, IDENTITY. Default value is SERVICE_PRINCIPAL'
+    required: false
+    default: 'SERVICE_PRINCIPAL'
 branding:
   icon: 'login.svg'
   color: 'blue'
 runs:
-  using: 'node12'
-  main: 'lib/main.js'
+  using: 'node20'
+  main: 'lib/main/index.js'
+  post-if: (!env.AZURE_LOGIN_POST_CLEANUP || env.AZURE_LOGIN_POST_CLEANUP != 'false')
+  post: 'lib/cleanup/index.js'

lib/PowerShell/Constants.js

@@ -1,14 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-class Constants {
-}
-exports.default = Constants;
-Constants.prefix = "az_";
-Constants.moduleName = "Az.Accounts";
-Constants.versionPattern = /[0-9]\.[0-9]\.[0-9]/;
-Constants.AzureCloud = "AzureCloud";
-Constants.Subscription = "Subscription";
-Constants.ServicePrincipal = "ServicePrincipal";
-Constants.Success = "Success";
-Constants.Error = "Error";
-Constants.AzVersion = "AzVersion";

lib/PowerShell/ServicePrincipalLogin.js

@@ -1,77 +0,0 @@
-"use strict";
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
-var __importStar = (this && this.__importStar) || function (mod) {
-    if (mod && mod.__esModule) return mod;
-    var result = {};
-    if (mod != null) for (var k in mod) if (Object.hasOwnProperty.call(mod, k)) result[k] = mod[k];
-    result["default"] = mod;
-    return result;
-};
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-const core = __importStar(require("@actions/core"));
-const Utils_1 = __importDefault(require("./Utilities/Utils"));
-const PowerShellToolRunner_1 = __importDefault(require("./Utilities/PowerShellToolRunner"));
-const ScriptBuilder_1 = __importDefault(require("./Utilities/ScriptBuilder"));
-const Constants_1 = __importDefault(require("./Constants"));
-class ServicePrincipalLogin {
-    constructor(servicePrincipalId, servicePrincipalKey, tenantId, subscriptionId, allowNoSubscriptionsLogin, environment, resourceManagerEndpointUrl) {
-        this.servicePrincipalId = servicePrincipalId;
-        this.servicePrincipalKey = servicePrincipalKey;
-        this.tenantId = tenantId;
-        this.subscriptionId = subscriptionId;
-        this.environment = environment;
-        this.resourceManagerEndpointUrl = resourceManagerEndpointUrl;
-        this.allowNoSubscriptionsLogin = allowNoSubscriptionsLogin;
-    }
-    initialize() {
-        return __awaiter(this, void 0, void 0, function* () {
-            Utils_1.default.setPSModulePath();
-            const azLatestVersion = yield Utils_1.default.getLatestModule(Constants_1.default.moduleName);
-            core.debug(`Az Module version used: ${azLatestVersion}`);
-            Utils_1.default.setPSModulePath(`${Constants_1.default.prefix}${azLatestVersion}`);
-        });
-    }
-    login() {
-        return __awaiter(this, void 0, void 0, function* () {
-            let output = "";
-            const options = {
-                listeners: {
-                    stdout: (data) => {
-                        output += data.toString();
-                    }
-                }
-            };
-            const args = {
-                servicePrincipalId: this.servicePrincipalId,
-                servicePrincipalKey: this.servicePrincipalKey,
-                subscriptionId: this.subscriptionId,
-                environment: this.environment,
-                scopeLevel: ServicePrincipalLogin.scopeLevel,
-                allowNoSubscriptionsLogin: this.allowNoSubscriptionsLogin,
-                resourceManagerEndpointUrl: this.resourceManagerEndpointUrl
-            };
-            const script = new ScriptBuilder_1.default().getAzPSLoginScript(ServicePrincipalLogin.scheme, this.tenantId, args);
-            yield PowerShellToolRunner_1.default.init();
-            yield PowerShellToolRunner_1.default.executePowerShellScriptBlock(script, options);
-            const result = JSON.parse(output.trim());
-            if (!(Constants_1.default.Success in result)) {
-                throw new Error(`Azure PowerShell login failed with error: ${result[Constants_1.default.Error]}`);
-            }
-            console.log(`Azure PowerShell session successfully initialized`);
-        });
-    }
-}
-exports.ServicePrincipalLogin = ServicePrincipalLogin;
-ServicePrincipalLogin.scopeLevel = Constants_1.default.Subscription;
-ServicePrincipalLogin.scheme = Constants_1.default.ServicePrincipal;

lib/PowerShell/Utilities/PowerShellToolRunner.js

@@ -1,35 +0,0 @@
-"use strict";
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
-var __importStar = (this && this.__importStar) || function (mod) {
-    if (mod && mod.__esModule) return mod;
-    var result = {};
-    if (mod != null) for (var k in mod) if (Object.hasOwnProperty.call(mod, k)) result[k] = mod[k];
-    result["default"] = mod;
-    return result;
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-const io = __importStar(require("@actions/io"));
-const exec = __importStar(require("@actions/exec"));
-class PowerShellToolRunner {
-    static init() {
-        return __awaiter(this, void 0, void 0, function* () {
-            if (!PowerShellToolRunner.psPath) {
-                PowerShellToolRunner.psPath = yield io.which("pwsh", true);
-            }
-        });
-    }
-    static executePowerShellScriptBlock(scriptBlock, options = {}) {
-        return __awaiter(this, void 0, void 0, function* () {
-            yield exec.exec(`"${PowerShellToolRunner.psPath}" -Command`, [scriptBlock], options);
-        });
-    }
-}
-exports.default = PowerShellToolRunner;

lib/PowerShell/Utilities/ScriptBuilder.js

@@ -1,65 +0,0 @@
-"use strict";
-var __importStar = (this && this.__importStar) || function (mod) {
-    if (mod && mod.__esModule) return mod;
-    var result = {};
-    if (mod != null) for (var k in mod) if (Object.hasOwnProperty.call(mod, k)) result[k] = mod[k];
-    result["default"] = mod;
-    return result;
-};
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-const core = __importStar(require("@actions/core"));
-const Constants_1 = __importDefault(require("../Constants"));
-class ScriptBuilder {
-    constructor() {
-        this.script = "";
-    }
-    getAzPSLoginScript(scheme, tenantId, args) {
-        let command = `Clear-AzContext -Scope Process;
-             Clear-AzContext -Scope CurrentUser -Force -ErrorAction SilentlyContinue;`;
-        if (scheme === Constants_1.default.ServicePrincipal) {
-            if (args.environment.toLowerCase() == "azurestack") {
-                command += `Add-AzEnvironment -Name ${args.environment} -ARMEndpoint ${args.resourceManagerEndpointUrl} | out-null;`;
-            }
-            command += `Connect-AzAccount -ServicePrincipal -Tenant '${tenantId}' -Credential \
-            (New-Object System.Management.Automation.PSCredential('${args.servicePrincipalId}',(ConvertTo-SecureString '${args.servicePrincipalKey.replace("'", "''")}' -AsPlainText -Force))) \
-                -Environment '${args.environment}' | out-null;`;
-            if (args.scopeLevel === Constants_1.default.Subscription && !args.allowNoSubscriptionsLogin) {
-                command += `Set-AzContext -SubscriptionId '${args.subscriptionId}' -TenantId '${tenantId}' | out-null;`;
-            }
-        }
-        this.script += `try {
-            $ErrorActionPreference = "Stop"
-            $WarningPreference = "SilentlyContinue"
-            $output = @{}
-            ${command}
-            $output['${Constants_1.default.Success}'] = "true"
-        }
-        catch {
-            $output['${Constants_1.default.Error}'] = $_.exception.Message
-        }
-        return ConvertTo-Json $output`;
-        core.debug(`Azure PowerShell Login Script: ${this.script}`);
-        return this.script;
-    }
-    getLatestModuleScript(moduleName) {
-        const command = `Get-Module -Name ${moduleName} -ListAvailable | Sort-Object Version -Descending | Select-Object -First 1`;
-        this.script += `try {
-            $ErrorActionPreference = "Stop"
-            $WarningPreference = "SilentlyContinue"
-            $output = @{}
-            $data = ${command}
-            $output['${Constants_1.default.AzVersion}'] = $data.Version.ToString()
-            $output['${Constants_1.default.Success}'] = "true"
-        }
-        catch {
-            $output['${Constants_1.default.Error}'] = $_.exception.Message
-        }
-        return ConvertTo-Json $output`;
-        core.debug(`GetLatestModuleScript: ${this.script}`);
-        return this.script;
-    }
-}
-exports.default = ScriptBuilder;

lib/PowerShell/Utilities/Utils.js

@@ -1,80 +0,0 @@
-"use strict";
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
-var __importStar = (this && this.__importStar) || function (mod) {
-    if (mod && mod.__esModule) return mod;
-    var result = {};
-    if (mod != null) for (var k in mod) if (Object.hasOwnProperty.call(mod, k)) result[k] = mod[k];
-    result["default"] = mod;
-    return result;
-};
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-const os = __importStar(require("os"));
-const Constants_1 = __importDefault(require("../Constants"));
-const ScriptBuilder_1 = __importDefault(require("./ScriptBuilder"));
-const PowerShellToolRunner_1 = __importDefault(require("./PowerShellToolRunner"));
-class Utils {
-    /**
-     * Add the folder path where Az modules are present to PSModulePath based on runner
-     * @param azPSVersion
-     * If azPSVersion is empty, folder path in which all Az modules are present are set
-     * If azPSVersion is not empty, folder path of exact Az module version is set
-     */
-    static setPSModulePath(azPSVersion = "") {
-        let modulePath = "";
-        const runner = process.env.RUNNER_OS || os.type();
-        switch (runner.toLowerCase()) {
-            case "linux":
-                modulePath = `/usr/share/${azPSVersion}:`;
-                break;
-            case "windows":
-            case "windows_nt":
-                modulePath = `C:\\Modules\\${azPSVersion};`;
-                break;
-            case "macos":
-            case "darwin":
-                throw new Error(`OS not supported`);
-            default:
-                throw new Error(`Unknown os: ${runner.toLowerCase()}`);
-        }
-        process.env.PSModulePath = `${modulePath}${process.env.PSModulePath}`;
-    }
-    static getLatestModule(moduleName) {
-        return __awaiter(this, void 0, void 0, function* () {
-            let output = "";
-            const options = {
-                listeners: {
-                    stdout: (data) => {
-                        output += data.toString();
-                    }
-                }
-            };
-            yield PowerShellToolRunner_1.default.init();
-            yield PowerShellToolRunner_1.default.executePowerShellScriptBlock(new ScriptBuilder_1.default()
-                .getLatestModuleScript(moduleName), options);
-            const result = JSON.parse(output.trim());
-            if (!(Constants_1.default.Success in result)) {
-                throw new Error(result[Constants_1.default.Error]);
-            }
-            const azLatestVersion = result[Constants_1.default.AzVersion];
-            if (!Utils.isValidVersion(azLatestVersion)) {
-                throw new Error(`Invalid AzPSVersion: ${azLatestVersion}`);
-            }
-            return azLatestVersion;
-        });
-    }
-    static isValidVersion(version) {
-        return !!version.match(Constants_1.default.versionPattern);
-    }
-}
-exports.default = Utils;

lib/main.js

@@ -1,168 +0,0 @@
-"use strict";
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
-var __importStar = (this && this.__importStar) || function (mod) {
-    if (mod && mod.__esModule) return mod;
-    var result = {};
-    if (mod != null) for (var k in mod) if (Object.hasOwnProperty.call(mod, k)) result[k] = mod[k];
-    result["default"] = mod;
-    return result;
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-const core = __importStar(require("@actions/core"));
-const exec = __importStar(require("@actions/exec"));
-const io = __importStar(require("@actions/io"));
-const actions_secret_parser_1 = require("actions-secret-parser");
-const ServicePrincipalLogin_1 = require("./PowerShell/ServicePrincipalLogin");
-var azPath;
-var prefix = !!process.env.AZURE_HTTP_USER_AGENT ? `${process.env.AZURE_HTTP_USER_AGENT}` : "";
-var azPSHostEnv = !!process.env.AZUREPS_HOST_ENVIRONMENT ? `${process.env.AZUREPS_HOST_ENVIRONMENT}` : "";
-function main() {
-    return __awaiter(this, void 0, void 0, function* () {
-        try {
-            // Set user agent variable
-            var isAzCLISuccess = false;
-            let usrAgentRepo = `${process.env.GITHUB_REPOSITORY}`;
-            let actionName = 'AzureLogin';
-            let userAgentString = (!!prefix ? `${prefix}+` : '') + `GITHUBACTIONS/${actionName}@v1_${usrAgentRepo}`;
-            let azurePSHostEnv = (!!azPSHostEnv ? `${azPSHostEnv}+` : '') + `GITHUBACTIONS/${actionName}@v1_${usrAgentRepo}`;
-            core.exportVariable('AZURE_HTTP_USER_AGENT', userAgentString);
-            core.exportVariable('AZUREPS_HOST_ENVIRONMENT', azurePSHostEnv);
-            azPath = yield io.which("az", true);
-            let azureSupportedCloudName = new Set([
-                "azureusgovernment",
-                "azurechinacloud",
-                "azuregermancloud",
-                "azurecloud",
-                "azurestack"
-            ]);
-            let output = "";
-            const execOptions = {
-                listeners: {
-                    stdout: (data) => {
-                        output += data.toString();
-                    }
-                }
-            };
-            yield executeAzCliCommand("--version", true, execOptions);
-            core.debug(`az cli version used:\n${output}`);
-            let creds = core.getInput('creds', { required: true });
-            let secrets = new actions_secret_parser_1.SecretParser(creds, actions_secret_parser_1.FormatType.JSON);
-            let servicePrincipalId = secrets.getSecret("$.clientId", false);
-            let servicePrincipalKey = secrets.getSecret("$.clientSecret", true);
-            let tenantId = secrets.getSecret("$.tenantId", false);
-            let subscriptionId = secrets.getSecret("$.subscriptionId", false);
-            let resourceManagerEndpointUrl = secrets.getSecret("$.resourceManagerEndpointUrl", false);
-            let environment = core.getInput("environment").toLowerCase();
-            const enableAzPSSession = core.getInput('enable-AzPSSession').toLowerCase() === "true";
-            const allowNoSubscriptionsLogin = core.getInput('allow-no-subscriptions').toLowerCase() === "true";
-            if (!servicePrincipalId || !servicePrincipalKey || !tenantId) {
-                throw new Error("Not all values are present in the creds object. Ensure clientId, clientSecret and tenantId are supplied.");
-            }
-            if (!subscriptionId && !allowNoSubscriptionsLogin) {
-                throw new Error("Not all values are present in the creds object. Ensure subscriptionId is supplied.");
-            }
-            if (!azureSupportedCloudName.has(environment)) {
-                throw new Error("Unsupported value for environment is passed.The list of supported values for environment are ‘azureusgovernment', ‘azurechinacloud’, ‘azuregermancloud’, ‘azurecloud’ or ’azurestack’");
-            }
-            // Attempting Az cli login
-            if (environment == "azurestack") {
-                if (!resourceManagerEndpointUrl) {
-                    throw new Error("resourceManagerEndpointUrl is a required parameter when environment is defined.");
-                }
-                console.log(`Unregistering cloud: "${environment}" first if it exists`);
-                try {
-                    yield executeAzCliCommand(`cloud set -n AzureCloud`, true);
-                    yield executeAzCliCommand(`cloud unregister -n "${environment}"`, false);
-                }
-                catch (error) {
-                    console.log(`Ignore cloud not registered error: "${error}"`);
-                }
-                console.log(`Registering cloud: "${environment}" with ARM endpoint: "${resourceManagerEndpointUrl}"`);
-                try {
-                    let baseUri = resourceManagerEndpointUrl;
-                    if (baseUri.endsWith('/')) {
-                        baseUri = baseUri.substring(0, baseUri.length - 1); // need to remove trailing / from resourceManagerEndpointUrl to correctly derive suffixes below
-                    }
-                    let suffixKeyvault = ".vault" + baseUri.substring(baseUri.indexOf('.')); // keyvault suffix starts with .
-                    let suffixStorage = baseUri.substring(baseUri.indexOf('.') + 1); // storage suffix starts without .
-                    let profileVersion = "2019-03-01-hybrid";
-                    yield executeAzCliCommand(`cloud register -n "${environment}" --endpoint-resource-manager "${resourceManagerEndpointUrl}" --suffix-keyvault-dns "${suffixKeyvault}" --suffix-storage-endpoint "${suffixStorage}" --profile "${profileVersion}"`, false);
-                }
-                catch (error) {
-                    core.error(`Error while trying to register cloud "${environment}": "${error}"`);
-                }
-                console.log(`Done registering cloud: "${environment}"`);
-            }
-            yield executeAzCliCommand(`cloud set -n "${environment}"`, false);
-            console.log(`Done setting cloud: "${environment}"`);
-            // Attempting Az cli login
-            if (allowNoSubscriptionsLogin) {
-                let args = [
-                    "--allow-no-subscriptions",
-                    "--service-principal",
-                    "-u", servicePrincipalId,
-                    "-p", servicePrincipalKey,
-                    "--tenant", tenantId
-                ];
-                yield executeAzCliCommand(`login`, true, {}, args);
-            }
-            else {
-                let args = [
-                    "--service-principal",
-                    "-u", servicePrincipalId,
-                    "-p", servicePrincipalKey,
-                    "--tenant", tenantId
-                ];
-                yield executeAzCliCommand(`login`, true, {}, args);
-                args = [
-                    "--subscription",
-                    subscriptionId
-                ];
-                yield executeAzCliCommand(`account set`, true, {}, args);
-            }
-            isAzCLISuccess = true;
-            if (enableAzPSSession) {
-                // Attempting Az PS login
-                console.log(`Running Azure PS Login`);
-                const spnlogin = new ServicePrincipalLogin_1.ServicePrincipalLogin(servicePrincipalId, servicePrincipalKey, tenantId, subscriptionId, allowNoSubscriptionsLogin, environment, resourceManagerEndpointUrl);
-                yield spnlogin.initialize();
-                yield spnlogin.login();
-            }
-            console.log("Login successful.");
-        }
-        catch (error) {
-            if (!isAzCLISuccess) {
-                core.error("Az CLI Login failed. Please check the credentials. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows");
-            }
-            else {
-                core.error(`Azure PowerShell Login failed. Please check the credentials. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows"`);
-            }
-            core.setFailed(error);
-        }
-        finally {
-            // Reset AZURE_HTTP_USER_AGENT
-            core.exportVariable('AZURE_HTTP_USER_AGENT', prefix);
-            core.exportVariable('AZUREPS_HOST_ENVIRONMENT', azPSHostEnv);
-        }
-    });
-}
-function executeAzCliCommand(command, silent, execOptions = {}, args = []) {
-    return __awaiter(this, void 0, void 0, function* () {
-        execOptions.silent = !!silent;
-        try {
-            yield exec.exec(`"${azPath}" ${command}`, args, execOptions);
-        }
-        catch (error) {
-            throw new Error(error);
-        }
-    });
-}
-main();

package.json

@@ -1,26 +1,29 @@
 {
   "name": "login",
-  "version": "1.1.0",
+  "version": "2.2.0",
   "description": "Login Azure wraps the az login, allowing for Azure actions to log into Azure",
-  "main": "lib/main.js",
+  "main": "lib/main/index.js",
   "scripts": {
-    "build": "tsc",
+    "build:main": "ncc build src/main.ts -o lib/main",
+    "build:cleanup": "ncc build src/cleanup.ts -o lib/cleanup",
+    "build": "npm run build:main && npm run build:cleanup",
     "test": "jest"
   },
-  "author": "Sumiran Aggarwal",
+  "author": "Microsoft",
   "license": "MIT",
   "devDependencies": {
-    "@types/jest": "^25.1.4",
-    "@types/node": "^12.7.11",
-    "jest": "^25.2.4",
-    "jest-circus": "^25.2.7",
-    "ts-jest": "^25.3.0",
-    "typescript": "^3.6.3"
+    "@types/jest": "^29.2.4",
+    "@types/node": "^20.11.1",
+    "@vercel/ncc": "^0.38.1",
+    "jest": "^29.3.1",
+    "jest-circus": "^29.3.1",
+    "ts-jest": "^29.0.3",
+    "typescript": "^4.9.4"
   },
   "dependencies": {
-    "@actions/core": "^1.2.6",
+    "@actions/core": "1.9.1",
     "@actions/exec": "^1.0.1",
     "@actions/io": "^1.0.1",
-    "actions-secret-parser": "^1.0.2"
+    "package-lock": "^1.0.3"
   }
 }

src/Cli/AzureCliLogin.ts

@@ -0,0 +1,186 @@
+import * as exec from '@actions/exec';
+import { LoginConfig } from "../common/LoginConfig";
+import { ExecOptions } from '@actions/exec/lib/interfaces';
+import * as core from '@actions/core';
+import * as io from '@actions/io';
+
+export class AzureCliLogin {
+    loginConfig: LoginConfig;
+    azPath: string;
+    loginOptions: ExecOptions;
+    azVersion: string;
+
+    constructor(loginConfig: LoginConfig) {
+        this.loginConfig = loginConfig;
+        this.loginOptions = defaultExecOptions();
+    }
+
+    async login() {
+        core.info(`Running Azure CLI Login.`);
+        this.azPath = await io.which("az", true);
+        core.debug(`Azure CLI path: ${this.azPath}`);
+
+        let output: string = "";
+        const execOptions: any = {
+            listeners: {
+                stdout: (data: Buffer) => {
+                    output += data.toString();
+                }
+            }
+        };
+
+        await this.executeAzCliCommand(["version"], true, execOptions);
+        core.debug(`Azure CLI version used:\n${output}`);
+        try {
+            this.azVersion = JSON.parse(output)["azure-cli"];
+        }
+        catch (error) {
+            core.warning("Failed to parse Azure CLI version.");
+        }
+        await this.registerAzurestackEnvIfNecessary();
+
+        await this.executeAzCliCommand(["cloud", "set", "-n", this.loginConfig.environment], false);
+        core.info(`Done setting cloud: "${this.loginConfig.environment}"`);
+
+        if (this.loginConfig.authType === LoginConfig.AUTH_TYPE_SERVICE_PRINCIPAL) {
+            let args = ["--service-principal",
+                "--username", this.loginConfig.servicePrincipalId,
+                "--tenant", this.loginConfig.tenantId
+            ];
+            if (this.loginConfig.servicePrincipalSecret) {
+                await this.loginWithSecret(args);
+            }
+            else {
+                await this.loginWithOIDC(args);
+            }
+        }
+        else {
+            let args = ["--identity"];
+            if (this.loginConfig.servicePrincipalId) {
+                await this.loginWithUserAssignedIdentity(args);
+            }
+            else {
+                await this.loginWithSystemAssignedIdentity(args);
+            }
+        }
+    }
+
+    async registerAzurestackEnvIfNecessary() {
+        if (this.loginConfig.environment != "azurestack") {
+            return;
+        }
+        if (!this.loginConfig.resourceManagerEndpointUrl) {
+            throw new Error("resourceManagerEndpointUrl is a required parameter when environment is defined.");
+        }
+
+        core.info(`Unregistering cloud: "${this.loginConfig.environment}" first if it exists`);
+        try {
+            await this.executeAzCliCommand(["cloud", "set", "-n", "AzureCloud"], true);
+            await this.executeAzCliCommand(["cloud", "unregister", "-n", this.loginConfig.environment], false);
+        }
+        catch (error) {
+            core.info(`Ignore cloud not registered error: "${error}"`);
+        }
+
+        core.info(`Registering cloud: "${this.loginConfig.environment}" with ARM endpoint: "${this.loginConfig.resourceManagerEndpointUrl}"`);
+        try {
+            let baseUri = this.loginConfig.resourceManagerEndpointUrl;
+            if (baseUri.endsWith('/')) {
+                baseUri = baseUri.substring(0, baseUri.length - 1); // need to remove trailing / from resourceManagerEndpointUrl to correctly derive suffixes below
+            }
+            let suffixKeyvault = ".vault" + baseUri.substring(baseUri.indexOf('.')); // keyvault suffix starts with .
+            let suffixStorage = baseUri.substring(baseUri.indexOf('.') + 1); // storage suffix starts without .
+            let profileVersion = "2019-03-01-hybrid";
+            await this.executeAzCliCommand(["cloud", "register", "-n", this.loginConfig.environment, "--endpoint-resource-manager", this.loginConfig.resourceManagerEndpointUrl, "--suffix-keyvault-dns", suffixKeyvault, "--suffix-storage-endpoint", suffixStorage, "--profile", profileVersion], false);
+        }
+        catch (error) {
+            core.error(`Error while trying to register cloud "${this.loginConfig.environment}"`);
+            throw error;
+        }
+
+        core.info(`Done registering cloud: "${this.loginConfig.environment}"`)
+    }
+
+    async loginWithSecret(args: string[]) {
+        core.info("Note: Azure/login action also supports OIDC login mechanism. Refer https://github.com/azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication for more details.")
+        args.push(`--password=${this.loginConfig.servicePrincipalSecret}`);
+        await this.callCliLogin(args, 'service principal with secret');
+    }
+
+    async loginWithOIDC(args: string[]) {
+        await this.loginConfig.getFederatedToken();
+        args.push("--federated-token", this.loginConfig.federatedToken);
+        await this.callCliLogin(args, 'OIDC');
+    }
+
+    async loginWithUserAssignedIdentity(args: string[]) {
+        let azcliMinorVersion = 0;
+        try {
+            azcliMinorVersion = parseInt(this.azVersion.split('.')[1], 10);
+        }
+        catch (error) {
+            core.warning("Failed to parse the minor version of Azure CLI. Assuming the version is less than 2.69.0");
+        }
+        //From Azure-cli v2.69.0, `--username` is replaced with `--client-id`, `--object-id` or `--resource-id`: https://github.com/Azure/azure-cli/pull/30525
+        if (azcliMinorVersion < 69) {
+            args.push("--username", this.loginConfig.servicePrincipalId);
+        }
+        else {
+            args.push("--client-id", this.loginConfig.servicePrincipalId);
+        }
+        await this.callCliLogin(args, 'user-assigned managed identity');
+    }
+
+    async loginWithSystemAssignedIdentity(args: string[]) {
+        await this.callCliLogin(args, 'system-assigned managed identity');
+    }
+
+    async callCliLogin(args: string[], methodName: string) {
+        core.info(`Attempting Azure CLI login by using ${methodName}...`);
+        args.unshift("login");
+        if (this.loginConfig.allowNoSubscriptionsLogin) {
+            args.push("--allow-no-subscriptions");
+        }
+        await this.executeAzCliCommand(args, true, this.loginOptions);
+        if (this.loginConfig.subscriptionId) {
+            await this.setSubscription();
+        }
+        core.info(`Azure CLI login succeeds by using ${methodName}.`);
+    }
+
+    async setSubscription() {
+        let args = ["account", "set", "--subscription", this.loginConfig.subscriptionId];
+        await this.executeAzCliCommand(args, true, this.loginOptions);
+        core.info("Subscription is set successfully.");
+    }
+
+    async executeAzCliCommand(
+        args: string[],
+        silent?: boolean,
+        execOptions: any = {}) {
+        execOptions.silent = !!silent;
+        await exec.exec(`"${this.azPath}"`, args, execOptions);
+    }
+}
+
+function defaultExecOptions(): exec.ExecOptions {
+    return {
+        silent: true,
+        listeners: {
+            stderr: (data: Buffer) => {
+                let error = data.toString();
+                let startsWithWarning = error.toLowerCase().startsWith('warning');
+                let startsWithError = error.toLowerCase().startsWith('error');
+                // printing ERROR
+                if (error && error.trim().length !== 0 && !startsWithWarning) {
+                    if (startsWithError) {
+                        //removing the keyword 'ERROR' to avoid duplicates while throwing error
+                        error = error.slice(7);
+                    }
+                    core.error(error);
+                }
+            }
+        }
+    };
+}
+

src/PowerShell/AzPSLogin.ts

@@ -0,0 +1,24 @@
+import * as core from '@actions/core';
+
+import AzPSScriptBuilder from './AzPSScriptBuilder';
+import { AzPSUtils } from './AzPSUtils';
+import { LoginConfig } from '../common/LoginConfig';
+
+export class AzPSLogin {
+    loginConfig: LoginConfig;
+
+    constructor(loginConfig: LoginConfig) {
+        this.loginConfig = loginConfig;
+    }
+
+    async login() {
+        core.info(`Running Azure PowerShell Login.`);
+        AzPSUtils.setPSModulePathForGitHubRunner();
+        await AzPSUtils.importLatestAzAccounts();
+        const [loginMethod, loginScript] = await AzPSScriptBuilder.getAzPSLoginScript(this.loginConfig);
+        core.info(`Attempting Azure PowerShell login by using ${loginMethod}...`);
+        core.debug(`Azure PowerShell Login Script: ${loginScript}`);
+        await AzPSUtils.runPSScript(loginScript);
+        console.log(`Running Azure PowerShell Login successfully.`);
+    }
+}

src/PowerShell/AzPSScriptBuilder.ts

@@ -0,0 +1,111 @@
+import { LoginConfig } from '../common/LoginConfig';
+
+export default class AzPSScriptBuilder {
+
+    static getImportLatestModuleScript(moduleName: string): string {
+        let script = `try {
+            $ErrorActionPreference = "Stop"
+            $WarningPreference = "SilentlyContinue"
+            $output = @{}
+            $latestModulePath = (Get-Module -Name '${moduleName}' -ListAvailable | Sort-Object Version -Descending | Select-Object -First 1).Path
+            Import-Module -Name $latestModulePath
+            $output['Success'] = $true
+            $output['Result'] = $latestModulePath
+        }
+        catch {
+            $output['Success'] = $false
+            $output['Error'] = $_.exception.Message
+        }
+        return ConvertTo-Json $output`;
+
+        return script;
+    }
+
+    static async getAzPSLoginScript(loginConfig: LoginConfig) {
+        let loginMethodName = "";
+        let commands = "";
+
+        if (loginConfig.environment.toLowerCase() == "azurestack") {
+            commands += `Add-AzEnvironment -Name '${loginConfig.environment}' -ARMEndpoint '${loginConfig.resourceManagerEndpointUrl}' | out-null;`;
+        }
+        if (loginConfig.authType === LoginConfig.AUTH_TYPE_SERVICE_PRINCIPAL) {
+            if (loginConfig.servicePrincipalSecret) {
+                commands += AzPSScriptBuilder.loginWithSecret(loginConfig);
+                loginMethodName = 'service principal with secret';
+            } else {
+                commands += await AzPSScriptBuilder.loginWithOIDC(loginConfig);
+                loginMethodName = "OIDC";
+            }
+        } else {
+            if (loginConfig.servicePrincipalId) {
+                commands += AzPSScriptBuilder.loginWithUserAssignedIdentity(loginConfig);
+                loginMethodName = 'user-assigned managed identity';
+            } else {
+                commands += AzPSScriptBuilder.loginWithSystemAssignedIdentity(loginConfig);
+                loginMethodName = 'system-assigned managed identity';
+            }
+        }
+
+        let script = `try {
+            $ErrorActionPreference = "Stop"
+            $WarningPreference = "SilentlyContinue"
+            $output = @{}
+            ${commands}
+            $output['Success'] = $true
+            $output['Result'] = ""
+        }
+        catch {
+            $output['Success'] = $false
+            $output['Error'] = $_.exception.Message
+        }
+        return ConvertTo-Json $output`;
+
+        return [loginMethodName, script];
+    }
+
+    private static loginWithSecret(loginConfig: LoginConfig): string {
+        let servicePrincipalSecret: string = loginConfig.servicePrincipalSecret.split("'").join("''");
+        let loginCmdlet = `$psLoginSecrets = ConvertTo-SecureString '${servicePrincipalSecret}' -AsPlainText -Force; `;
+        loginCmdlet += `$psLoginCredential = New-Object System.Management.Automation.PSCredential('${loginConfig.servicePrincipalId}', $psLoginSecrets); `;
+        
+        let cmdletSuffix = "-Credential $psLoginCredential";
+        loginCmdlet += AzPSScriptBuilder.psLoginCmdlet(loginConfig.authType, loginConfig.environment, loginConfig.tenantId, loginConfig.subscriptionId, cmdletSuffix);
+
+        return loginCmdlet;
+    }
+
+    private static async loginWithOIDC(loginConfig: LoginConfig) {
+        await loginConfig.getFederatedToken();
+        let cmdletSuffix = `-ApplicationId '${loginConfig.servicePrincipalId}' -FederatedToken '${loginConfig.federatedToken}'`;
+        return AzPSScriptBuilder.psLoginCmdlet(loginConfig.authType, loginConfig.environment, loginConfig.tenantId, loginConfig.subscriptionId, cmdletSuffix);
+    }
+
+    private static loginWithSystemAssignedIdentity(loginConfig: LoginConfig): string {
+        let cmdletSuffix = "";
+        return AzPSScriptBuilder.psLoginCmdlet(loginConfig.authType, loginConfig.environment, loginConfig.tenantId, loginConfig.subscriptionId, cmdletSuffix);
+    }
+
+    static loginWithUserAssignedIdentity(loginConfig: LoginConfig): string {
+        let cmdletSuffix = `-AccountId '${loginConfig.servicePrincipalId}'`;
+        return AzPSScriptBuilder.psLoginCmdlet(loginConfig.authType, loginConfig.environment, loginConfig.tenantId, loginConfig.subscriptionId, cmdletSuffix);
+    }
+
+    private static psLoginCmdlet(authType:string, environment:string, tenantId:string, subscriptionId:string, cmdletSuffix:string){
+        let loginCmdlet = `Connect-AzAccount `;
+        if(authType === LoginConfig.AUTH_TYPE_SERVICE_PRINCIPAL){
+            loginCmdlet += "-ServicePrincipal ";
+        }else{
+            loginCmdlet += "-Identity ";
+        }
+        loginCmdlet += `-Environment '${environment}' `;
+        if(tenantId){
+            loginCmdlet += `-Tenant '${tenantId}' `;
+        }
+        if(subscriptionId){
+            loginCmdlet += `-Subscription '${subscriptionId}' `;
+        }
+        loginCmdlet += `${cmdletSuffix} -InformationAction Ignore | out-null;`;
+        return loginCmdlet;
+    }
+}
+

src/PowerShell/AzPSUtils.ts

@@ -0,0 +1,85 @@
+import * as core from '@actions/core';
+import * as os from 'os';
+import * as path from 'path';
+import * as exec from '@actions/exec';
+import * as io from '@actions/io';
+import AzPSScriptBuilder from './AzPSScriptBuilder';
+
+interface PSResultType {
+    Result: string;
+    Success: boolean;
+    Error: string;
+}
+
+export class AzPSConstants {
+    static readonly DEFAULT_AZ_PATH_ON_LINUX: string = '/usr/share';
+    static readonly DEFAULT_AZ_PATH_ON_WINDOWS: string = 'C:\\Modules';
+    static readonly AzAccounts: string = "Az.Accounts";
+    static readonly PowerShell_CmdName = "pwsh";
+}
+
+export class AzPSUtils {
+    static async setPSModulePathForGitHubRunner() {
+        const runner: string = process.env.RUNNER_OS || os.type();
+        switch (runner.toLowerCase()) {
+            case "linux":
+                AzPSUtils.pushPSModulePath(AzPSConstants.DEFAULT_AZ_PATH_ON_LINUX);
+                break;
+            case "windows":
+            case "windows_nt":
+                AzPSUtils.pushPSModulePath(AzPSConstants.DEFAULT_AZ_PATH_ON_WINDOWS);
+                break;
+            case "macos":
+            case "darwin":
+                core.warning(`Skip setting the default PowerShell module path for OS ${runner.toLowerCase()}.`);
+                break;
+            default:
+                core.warning(`Skip setting the default PowerShell module path for unknown OS ${runner.toLowerCase()}.`);
+                break;
+        }
+    }
+    
+    private static pushPSModulePath(psModulePath: string) {
+        process.env.PSModulePath = `${psModulePath}${path.delimiter}${process.env.PSModulePath}`;
+        core.debug(`Set PSModulePath as ${process.env.PSModulePath}`);
+    }
+    
+    static async importLatestAzAccounts() {
+        let importLatestAccountsScript: string = AzPSScriptBuilder.getImportLatestModuleScript(AzPSConstants.AzAccounts);
+        core.debug(`The script to import the latest Az.Accounts: ${importLatestAccountsScript}`);
+        let azAccountsPath: string = await AzPSUtils.runPSScript(importLatestAccountsScript);
+        core.debug(`The latest Az.Accounts used: ${azAccountsPath}`);
+    }
+
+    static async runPSScript(psScript: string): Promise<string> {
+        let outputString: string = "";
+        let commandStdErr = false;
+        const options: any = {
+            silent: true,
+            listeners: {
+                stdout: (data: Buffer) => {
+                    outputString += data.toString();
+                },
+                stderr: (data: Buffer) => {
+                    let error = data.toString();
+                    if (error && error.trim().length !== 0) {
+                        commandStdErr = true;
+                        core.error(error);
+                    }
+                }
+            }
+        };
+
+        let psPath: string = await io.which(AzPSConstants.PowerShell_CmdName, true);
+        await exec.exec(`"${psPath}"`, ["-Command", psScript], options)
+        if (commandStdErr) {
+            throw new Error('Azure PowerShell login failed with errors.');
+        }
+        const result: PSResultType = JSON.parse(outputString.trim());
+        console.log(result);
+        if (!(result.Success)) {
+            throw new Error(`Azure PowerShell login failed with error: ${result.Error}`);
+        }
+        return result.Result;
+    }
+}

src/PowerShell/Constants.ts

@@ -1,13 +0,0 @@
-export default class Constants {
-    static readonly prefix: string = "az_";
-    static readonly moduleName: string = "Az.Accounts";
-    static readonly versionPattern = /[0-9]\.[0-9]\.[0-9]/;
-
-    static readonly AzureCloud: string = "AzureCloud";
-    static readonly Subscription: string = "Subscription";
-    static readonly ServicePrincipal: string = "ServicePrincipal";
-
-    static readonly Success: string = "Success";
-    static readonly Error: string = "Error";
-    static readonly AzVersion: string = "AzVersion";
-}

src/PowerShell/IAzurePowerShellSession.ts

@@ -1,4 +0,0 @@
-interface IAzurePowerShellSession {
-    initialize();
-    login();
-}

src/PowerShell/ServicePrincipalLogin.ts

@@ -1,71 +0,0 @@
-import * as core from '@actions/core';
-
-import Utils from './Utilities/Utils';
-import PowerShellToolRunner from './Utilities/PowerShellToolRunner';
-import ScriptBuilder from './Utilities/ScriptBuilder';
-import Constants from './Constants';
-
-export class ServicePrincipalLogin implements IAzurePowerShellSession {
-    static readonly scopeLevel: string = Constants.Subscription;
-    static readonly scheme: string = Constants.ServicePrincipal;
-    environment: string;
-    servicePrincipalId: string;
-    servicePrincipalKey: string;
-    tenantId: string;
-    subscriptionId: string;
-    resourceManagerEndpointUrl: string;
-    allowNoSubscriptionsLogin: boolean;
-
-    constructor(servicePrincipalId: string, 
-        servicePrincipalKey: string, 
-        tenantId: string, 
-        subscriptionId: string,
-        allowNoSubscriptionsLogin: boolean,
-        environment: string,
-        resourceManagerEndpointUrl: string) {
-        
-        this.servicePrincipalId = servicePrincipalId;
-        this.servicePrincipalKey = servicePrincipalKey;
-        this.tenantId = tenantId;
-        this.subscriptionId = subscriptionId;
-        this.environment = environment;
-        this.resourceManagerEndpointUrl = resourceManagerEndpointUrl;
-        this.allowNoSubscriptionsLogin = allowNoSubscriptionsLogin;
-    }
-
-    async initialize() {
-        Utils.setPSModulePath();
-        const azLatestVersion: string = await Utils.getLatestModule(Constants.moduleName);
-        core.debug(`Az Module version used: ${azLatestVersion}`);
-        Utils.setPSModulePath(`${Constants.prefix}${azLatestVersion}`);
-    }
-
-    async login() {
-        let output: string = "";
-        const options: any = {
-            listeners: {
-                stdout: (data: Buffer) => {
-                    output += data.toString();
-                }
-            }
-        };
-        const args: any = {
-            servicePrincipalId: this.servicePrincipalId,
-            servicePrincipalKey: this.servicePrincipalKey,
-            subscriptionId: this.subscriptionId,
-            environment: this.environment,
-            scopeLevel: ServicePrincipalLogin.scopeLevel,
-            allowNoSubscriptionsLogin: this.allowNoSubscriptionsLogin,
-            resourceManagerEndpointUrl: this.resourceManagerEndpointUrl
-        }
-        const script: string = new ScriptBuilder().getAzPSLoginScript(ServicePrincipalLogin.scheme, this.tenantId, args);
-        await PowerShellToolRunner.init();
-        await PowerShellToolRunner.executePowerShellScriptBlock(script, options);
-        const result: any = JSON.parse(output.trim());
-        if (!(Constants.Success in result)) {
-            throw new Error(`Azure PowerShell login failed with error: ${result[Constants.Error]}`);
-        }
-        console.log(`Azure PowerShell session successfully initialized`);
-    }
-
-}

src/PowerShell/Utilities/PowerShellToolRunner.ts

@@ -1,16 +0,0 @@
-import * as io from '@actions/io';
-import * as exec from '@actions/exec';
-
-export default class PowerShellToolRunner {
-    static psPath: string;
-
-    static async init() {
-        if(!PowerShellToolRunner.psPath) {
-            PowerShellToolRunner.psPath = await io.which("pwsh", true);
-        }
-    }
-
-    static async executePowerShellScriptBlock(scriptBlock: string, options: any = {}) {
-        await exec.exec(`"${PowerShellToolRunner.psPath}" -Command`, [scriptBlock], options)
-    }
-}

src/PowerShell/Utilities/ScriptBuilder.ts

@@ -1,54 +0,0 @@
-import * as core from '@actions/core';
-
-import Constants from "../Constants";
-
-export default class ScriptBuilder {
-    script: string = "";
-
-    getAzPSLoginScript(scheme: string, tenantId: string, args: any): string {
-        let command = `Clear-AzContext -Scope Process;
-             Clear-AzContext -Scope CurrentUser -Force -ErrorAction SilentlyContinue;`;
-        if (scheme === Constants.ServicePrincipal) {
-            if (args.environment.toLowerCase() == "azurestack") {
-                command += `Add-AzEnvironment -Name ${args.environment} -ARMEndpoint ${args.resourceManagerEndpointUrl} | out-null;`;
-            }
-            command += `Connect-AzAccount -ServicePrincipal -Tenant '${tenantId}' -Credential \
-            (New-Object System.Management.Automation.PSCredential('${args.servicePrincipalId}',(ConvertTo-SecureString '${args.servicePrincipalKey.replace("'", "''")}' -AsPlainText -Force))) \
-                -Environment '${args.environment}' | out-null;`;
-            if (args.scopeLevel === Constants.Subscription && !args.allowNoSubscriptionsLogin) {
-                command += `Set-AzContext -SubscriptionId '${args.subscriptionId}' -TenantId '${tenantId}' | out-null;`;
-            }
-        }
-        this.script += `try {
-            $ErrorActionPreference = "Stop"
-            $WarningPreference = "SilentlyContinue"
-            $output = @{}
-            ${command}
-            $output['${Constants.Success}'] = "true"
-        }
-        catch {
-            $output['${Constants.Error}'] = $_.exception.Message
-        }
-        return ConvertTo-Json $output`;
-        core.debug(`Azure PowerShell Login Script: ${this.script}`);
-        return this.script;
-    }
-
-    getLatestModuleScript(moduleName: string): string {
-        const command: string = `Get-Module -Name ${moduleName} -ListAvailable | Sort-Object Version -Descending | Select-Object -First 1`;
-        this.script += `try {
-            $ErrorActionPreference = "Stop"
-            $WarningPreference = "SilentlyContinue"
-            $output = @{}
-            $data = ${command}
-            $output['${Constants.AzVersion}'] = $data.Version.ToString()
-            $output['${Constants.Success}'] = "true"
-        }
-        catch {
-            $output['${Constants.Error}'] = $_.exception.Message
-        }
-        return ConvertTo-Json $output`;
-        core.debug(`GetLatestModuleScript: ${this.script}`);
-        return this.script;
-    }
-}

src/PowerShell/Utilities/Utils.ts

@@ -1,61 +0,0 @@
-import * as os from 'os';
-
-import Constants from '../Constants';
-import ScriptBuilder from './ScriptBuilder';
-import PowerShellToolRunner from './PowerShellToolRunner';
-
-export default class Utils {
-    /**
-     * Add the folder path where Az modules are present to PSModulePath based on runner
-     * @param azPSVersion
-     * If azPSVersion is empty, folder path in which all Az modules are present are set
-     * If azPSVersion is not empty, folder path of exact Az module version is set
-     */
-    static setPSModulePath(azPSVersion: string = "") {
-        let modulePath: string = "";
-        const runner: string = process.env.RUNNER_OS || os.type();
-        switch (runner.toLowerCase()) {
-            case "linux":
-                modulePath = `/usr/share/${azPSVersion}:`;
-                break;
-            case "windows":
-            case "windows_nt":
-                modulePath = `C:\\Modules\\${azPSVersion};`;
-                break;
-            case "macos":
-            case "darwin":
-                throw new Error(`OS not supported`);
-            default:
-                throw new Error(`Unknown os: ${runner.toLowerCase()}`);
-        }
-        process.env.PSModulePath = `${modulePath}${process.env.PSModulePath}`;
-    }
-
-    static async getLatestModule(moduleName: string): Promise<string> {
-        let output: string = "";
-        const options: any = {
-            listeners: {
-                stdout: (data: Buffer) => {
-                    output += data.toString();
-                }
-            }
-        };
-        await PowerShellToolRunner.init();
-        await PowerShellToolRunner.executePowerShellScriptBlock(new ScriptBuilder()
-                                .getLatestModuleScript(moduleName), options);
-        const result = JSON.parse(output.trim());
-        if (!(Constants.Success in result)) {
-            throw new Error(result[Constants.Error]);
-        }
-        const azLatestVersion: string = result[Constants.AzVersion];
-        if (!Utils.isValidVersion(azLatestVersion)) {
-            throw new Error(`Invalid AzPSVersion: ${azLatestVersion}`);
-        }
-        return azLatestVersion;
-    }
-
-    static isValidVersion(version: string): boolean {
-        return !!version.match(Constants.versionPattern);
-    }
-}
-

src/cleanup.ts

@@ -0,0 +1,19 @@
+import * as core from '@actions/core';
+import { setUserAgent, cleanupAzCLIAccounts, cleanupAzPSAccounts } from './common/Utils'; 
+
+async function cleanup() {
+    try {
+        setUserAgent();
+        await cleanupAzCLIAccounts();
+        if(core.getInput('enable-AzPSSession').toLowerCase() === "true"){
+            await cleanupAzPSAccounts();
+        }
+    }
+    catch (error) {
+        core.warning(`Login cleanup failed with ${error}. Cleanup will be skipped.`);
+        core.debug(error.stack);
+    }
+}
+
+cleanup();
+

src/common/LoginConfig.ts

@@ -0,0 +1,138 @@
+import * as core from '@actions/core';
+
+export class LoginConfig {
+    static readonly AUTH_TYPE_SERVICE_PRINCIPAL = "SERVICE_PRINCIPAL";
+    static readonly AUTH_TYPE_IDENTITY = "IDENTITY";
+    static readonly azureSupportedCloudName = new Set([
+        "azureusgovernment",
+        "azurechinacloud",
+        "azuregermancloud",
+        "azurecloud",
+        "azurestack"]);
+
+    static readonly azureSupportedAuthType = new Set([
+        LoginConfig.AUTH_TYPE_SERVICE_PRINCIPAL,
+        LoginConfig.AUTH_TYPE_IDENTITY]);
+
+    authType: string;
+    servicePrincipalId: string;
+    servicePrincipalSecret: string;
+    tenantId: string;
+    subscriptionId: string;
+    resourceManagerEndpointUrl: string;
+    allowNoSubscriptionsLogin: boolean;
+    environment: string;
+    enableAzPSSession: boolean;
+    audience: string;
+    federatedToken: string;
+
+    async initialize() {
+        this.environment = core.getInput("environment").toLowerCase();
+        this.enableAzPSSession = core.getInput('enable-AzPSSession').toLowerCase() === "true";
+        this.allowNoSubscriptionsLogin = core.getInput('allow-no-subscriptions').toLowerCase() === "true";
+        this.authType = core.getInput('auth-type').toUpperCase();
+
+        this.servicePrincipalId = core.getInput('client-id', { required: false });
+        this.servicePrincipalSecret = null;
+        this.tenantId = core.getInput('tenant-id', { required: false });
+        this.subscriptionId = core.getInput('subscription-id', { required: false });
+
+        this.readParametersFromCreds();
+
+        this.audience = core.getInput('audience', { required: false });
+        this.federatedToken = null;
+
+        this.mask(this.servicePrincipalId);
+        this.mask(this.servicePrincipalSecret);
+    }
+
+    private readParametersFromCreds() {
+        let creds = core.getInput('creds', { required: false });
+        if (!creds) {
+            return;
+        }
+        let secrets = JSON.parse(creds);
+
+        if(this.authType != LoginConfig.AUTH_TYPE_SERVICE_PRINCIPAL){
+            return;
+        }
+
+        if (this.servicePrincipalId || this.tenantId || this.subscriptionId) {
+            core.warning("At least one of the parameters 'client-id', 'subscription-id' or 'tenant-id' is set. 'creds' will be ignored.");
+            return;
+        }
+
+        core.debug('Reading creds in JSON...');
+        this.servicePrincipalId = this.servicePrincipalId ? this.servicePrincipalId : secrets.clientId;
+        this.servicePrincipalSecret = secrets.clientSecret;
+        this.tenantId = this.tenantId ? this.tenantId : secrets.tenantId; 
+        this.subscriptionId = this.subscriptionId ? this.subscriptionId : secrets.subscriptionId;
+        this.resourceManagerEndpointUrl = secrets.resourceManagerEndpointUrl;
+        if (!this.servicePrincipalId || !this.servicePrincipalSecret || !this.tenantId) {
+            throw new Error("Not all parameters are provided in 'creds'. Double-check if all keys are defined in 'creds': 'clientId', 'clientSecret', 'tenantId'.");
+        }
+    }
+
+    async getFederatedToken() {
+        try {
+            this.federatedToken = await core.getIDToken(this.audience);
+            this.mask(this.federatedToken);
+        }
+        catch (error) {
+            core.error("Failed to fetch federated token from GitHub. Please make sure to give write permissions to id-token in the workflow.");
+            throw error;
+        }
+        try {
+            let [issuer, subjectClaim, audience, jobWorkflowRef] = await jwtParser(this.federatedToken);
+            core.info("Federated token details:\n issuer - " + issuer + "\n subject claim - " + subjectClaim + "\n audience - " + audience + "\n job_workflow_ref - " + jobWorkflowRef);
+        }
+        catch (error) {
+            core.warning(`Failed to parse the federated token. Error: ${error}`);
+        }
+    }
+
+    validate() {
+        if (!LoginConfig.azureSupportedCloudName.has(this.environment)) {
+            throw new Error(`Unsupported value '${this.environment}' for environment is passed. The list of supported values for environment are '${Array.from(LoginConfig.azureSupportedCloudName).join("', '")}'. `);
+        }
+        if (!LoginConfig.azureSupportedAuthType.has(this.authType)) {
+            throw new Error(`Unsupported value '${this.authType}' for authentication type is passed. The list of supported values for auth-type are '${Array.from(LoginConfig.azureSupportedAuthType).join("', '")}'.`);
+        }
+        if (this.authType === LoginConfig.AUTH_TYPE_SERVICE_PRINCIPAL) {
+            if (!this.servicePrincipalId || !this.tenantId) {
+                throw new Error(`Using auth-type: ${LoginConfig.AUTH_TYPE_SERVICE_PRINCIPAL}. Not all values are present. Ensure 'client-id' and 'tenant-id' are supplied.`);
+            }
+        }
+        if (!this.subscriptionId && !this.allowNoSubscriptionsLogin) {
+            throw new Error("Ensure 'subscription-id' is supplied or 'allow-no-subscriptions' is 'true'.");
+        }
+    }
+
+    mask(parameterValue: string) {
+        if (parameterValue) {
+            core.setSecret(parameterValue);
+        }
+    }
+}
+
+async function jwtParser(federatedToken: string) {
+    let tokenPayload = federatedToken.split('.')[1];
+    let bufferObj = Buffer.from(tokenPayload, "base64");
+    let decodedPayload = JSON.parse(bufferObj.toString("utf8"));
+    const JWT_CLAIM_ISSUER = 'iss';
+    const JWT_CLAIM_SUBJECT = 'sub';
+    const JWT_CLAIM_AUDIENCE = 'aud';
+    const JWT_CLAIM_JOB_WORKFLOW_REF = 'job_workflow_ref';
+    const requiredClaims = [
+        JWT_CLAIM_ISSUER,
+        JWT_CLAIM_SUBJECT,
+        JWT_CLAIM_AUDIENCE,
+        JWT_CLAIM_JOB_WORKFLOW_REF
+    ];
+    for (const claim of requiredClaims) {
+        if (!decodedPayload[claim]) {
+            throw new Error(`The claim '${claim}' is missing from the token payload`);
+        }
+    }
+    return [decodedPayload[JWT_CLAIM_ISSUER], decodedPayload[JWT_CLAIM_SUBJECT], decodedPayload[JWT_CLAIM_AUDIENCE], decodedPayload[JWT_CLAIM_JOB_WORKFLOW_REF]];   
+}   

src/common/Utils.ts

@@ -0,0 +1,30 @@
+import * as core from '@actions/core';
+import * as exec from '@actions/exec';
+import * as io from '@actions/io';
+import * as crypto from 'crypto';
+import { AzPSConstants, AzPSUtils } from '../PowerShell/AzPSUtils';
+
+export function setUserAgent(): void {
+    let usrAgentRepo = crypto.createHash('sha256').update(`${process.env.GITHUB_REPOSITORY}`).digest('hex');
+    let actionName = 'AzureLogin';
+    process.env.AZURE_HTTP_USER_AGENT = (!!process.env.AZURE_HTTP_USER_AGENT ? `${process.env.AZURE_HTTP_USER_AGENT} ` : '') + `GITHUBACTIONS/${actionName}@v2_${usrAgentRepo}_${process.env.RUNNER_ENVIRONMENT}_${process.env.GITHUB_RUN_ID}`;
+    process.env.AZUREPS_HOST_ENVIRONMENT = (!!process.env.AZUREPS_HOST_ENVIRONMENT ? `${process.env.AZUREPS_HOST_ENVIRONMENT} ` : '') + `GITHUBACTIONS/${actionName}@v2_${usrAgentRepo}_${process.env.RUNNER_ENVIRONMENT}_${process.env.GITHUB_RUN_ID}`;
+}
+
+export async function cleanupAzCLIAccounts(): Promise<void> {
+    let azPath = await io.which("az", true);
+    core.debug(`Azure CLI path: ${azPath}`);
+    core.info("Clearing azure cli accounts from the local cache.");
+    await exec.exec(`"${azPath}"`, ["account", "clear"]);  
+}
+
+export async function cleanupAzPSAccounts(): Promise<void> {
+    let psPath: string = await io.which(AzPSConstants.PowerShell_CmdName, true);
+    core.debug(`PowerShell path: ${psPath}`);
+    core.debug("Importing Azure PowerShell module.");
+    AzPSUtils.setPSModulePathForGitHubRunner();
+    await AzPSUtils.importLatestAzAccounts();
+    core.info("Clearing azure powershell accounts from the local cache.");
+    await exec.exec(`"${psPath}"`, ["-Command", "Clear-AzContext", "-Scope", "Process"]);
+    await exec.exec(`"${psPath}"`, ["-Command", "Clear-AzContext", "-Scope", "CurrentUser", "-Force", "-ErrorAction", "SilentlyContinue"]);
+}

src/main.ts

@@ -1,176 +1,40 @@
-import * as core from '@actions/core';
-import * as exec from '@actions/exec';
-import * as io from '@actions/io';
-import { FormatType, SecretParser } from 'actions-secret-parser';
-import { ServicePrincipalLogin } from './PowerShell/ServicePrincipalLogin';
-
-var azPath: string;
-var prefix = !!process.env.AZURE_HTTP_USER_AGENT ? `${process.env.AZURE_HTTP_USER_AGENT}` : "";
-var azPSHostEnv = !!process.env.AZUREPS_HOST_ENVIRONMENT ? `${process.env.AZUREPS_HOST_ENVIRONMENT}` : "";
-
-async function main() {
-    try {
-        // Set user agent variable
-        var isAzCLISuccess = false;
-        let usrAgentRepo = `${process.env.GITHUB_REPOSITORY}`;
-        let actionName = 'AzureLogin';
-        let userAgentString = (!!prefix ? `${prefix}+` : '') + `GITHUBACTIONS/${actionName}@v1_${usrAgentRepo}`;
-        let azurePSHostEnv = (!!azPSHostEnv ? `${azPSHostEnv}+` : '') + `GITHUBACTIONS/${actionName}@v1_${usrAgentRepo}`;
-        core.exportVariable('AZURE_HTTP_USER_AGENT', userAgentString);
-        core.exportVariable('AZUREPS_HOST_ENVIRONMENT', azurePSHostEnv);
-
-        azPath = await io.which("az", true);
-        
-        let azureSupportedCloudName = new Set([
-            "azureusgovernment", 
-            "azurechinacloud", 
-            "azuregermancloud",
-            "azurecloud",
-            "azurestack"]);
-
-        let output: string = "";
-        const execOptions: any = {
-            listeners: {
-                stdout: (data: Buffer) => {
-                    output += data.toString();
-                }
-            }
-        };
-        await executeAzCliCommand("--version", true, execOptions);
-        core.debug(`az cli version used:\n${output}`);
-    
-        let creds = core.getInput('creds', { required: true });
-        let secrets = new SecretParser(creds, FormatType.JSON);
-        let servicePrincipalId = secrets.getSecret("$.clientId", false);
-        let servicePrincipalKey = secrets.getSecret("$.clientSecret", true);
-        let tenantId = secrets.getSecret("$.tenantId", false);
-        let subscriptionId = secrets.getSecret("$.subscriptionId", false);
-        let resourceManagerEndpointUrl = secrets.getSecret("$.resourceManagerEndpointUrl", false);
-        let environment = core.getInput("environment").toLowerCase();
-        const enableAzPSSession = core.getInput('enable-AzPSSession').toLowerCase() === "true";
-        const allowNoSubscriptionsLogin = core.getInput('allow-no-subscriptions').toLowerCase() === "true";
-
-        if (!servicePrincipalId || !servicePrincipalKey || !tenantId) {
-            throw new Error("Not all values are present in the creds object. Ensure clientId, clientSecret and tenantId are supplied.");
-        }
-
-        if (!subscriptionId && !allowNoSubscriptionsLogin) {
-            throw new Error("Not all values are present in the creds object. Ensure subscriptionId is supplied.");
-        }
-        
-       if (!azureSupportedCloudName.has(environment)){
-            throw new Error("Unsupported value for environment is passed.The list of supported values for environment are ‘azureusgovernment', ‘azurechinacloud’, ‘azuregermancloud’, ‘azurecloud’ or ’azurestack’");
-       }
-    
-        // Attempting Az cli login
-        if (environment == "azurestack") {
-            if (!resourceManagerEndpointUrl) {
-                throw new Error("resourceManagerEndpointUrl is a required parameter when environment is defined.");
-            }
-
-            console.log(`Unregistering cloud: "${environment}" first if it exists`);
-            try {
-                await executeAzCliCommand(`cloud set -n AzureCloud`, true);
-                await executeAzCliCommand(`cloud unregister -n "${environment}"`, false);
-            }
-            catch (error) {
-                console.log(`Ignore cloud not registered error: "${error}"`);
-            }
-
-            console.log(`Registering cloud: "${environment}" with ARM endpoint: "${resourceManagerEndpointUrl}"`);
-            try {
-                let baseUri = resourceManagerEndpointUrl;
-                if (baseUri.endsWith('/')) {
-                    baseUri = baseUri.substring(0, baseUri.length-1); // need to remove trailing / from resourceManagerEndpointUrl to correctly derive suffixes below
-                }
-                let suffixKeyvault = ".vault" + baseUri.substring(baseUri.indexOf('.')); // keyvault suffix starts with .
-                let suffixStorage = baseUri.substring(baseUri.indexOf('.')+1); // storage suffix starts without .
-                let profileVersion = "2019-03-01-hybrid";
-                await executeAzCliCommand(`cloud register -n "${environment}" --endpoint-resource-manager "${resourceManagerEndpointUrl}" --suffix-keyvault-dns "${suffixKeyvault}" --suffix-storage-endpoint "${suffixStorage}" --profile "${profileVersion}"`, false);
-            } 
-            catch (error) {
-                core.error(`Error while trying to register cloud "${environment}": "${error}"`);
-            }
-
-            console.log(`Done registering cloud: "${environment}"`)
-        }
-    
-        await executeAzCliCommand(`cloud set -n "${environment}"`, false);
-        console.log(`Done setting cloud: "${environment}"`);
-
-        // Attempting Az cli login
-        if (allowNoSubscriptionsLogin) {
-            let args = [
-                "--allow-no-subscriptions",
-                "--service-principal",
-                "-u", servicePrincipalId,
-                "-p", servicePrincipalKey,
-                "--tenant", tenantId
-            ];
-            await executeAzCliCommand(`login`, true, {}, args);
-        }
-        else {
-            let args = [
-                "--service-principal",
-                "-u", servicePrincipalId,
-                "-p", servicePrincipalKey,
-                "--tenant", tenantId
-            ];
-            await executeAzCliCommand(`login`, true, {}, args);
-            args = [
-                "--subscription",
-                subscriptionId
-            ];
-            await executeAzCliCommand(`account set`, true, {}, args);
-        }
-
-        isAzCLISuccess = true;
-        if (enableAzPSSession) {
-            // Attempting Az PS login
-            console.log(`Running Azure PS Login`);
-            const spnlogin: ServicePrincipalLogin = new ServicePrincipalLogin(
-                servicePrincipalId, 
-                servicePrincipalKey, 
-                tenantId, 
-                subscriptionId, 
-                allowNoSubscriptionsLogin,
-                environment, 
-                resourceManagerEndpointUrl);
-            await spnlogin.initialize();
-            await spnlogin.login();
-        }
-
-        console.log("Login successful.");    
-    }
-    catch (error) {
-        if (!isAzCLISuccess) {
-            core.error("Az CLI Login failed. Please check the credentials. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows");
-        } 
-        else {
-            core.error(`Azure PowerShell Login failed. Please check the credentials. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows"`);
-        }
-        core.setFailed(error);
-    }
-    finally {
-        // Reset AZURE_HTTP_USER_AGENT
-        core.exportVariable('AZURE_HTTP_USER_AGENT', prefix);
-        core.exportVariable('AZUREPS_HOST_ENVIRONMENT', azPSHostEnv);
-    }
-}
-
-async function executeAzCliCommand(
-    command: string, 
-    silent?: boolean, 
-    execOptions: any = {}, 
-    args: any = []) {
-    
-    execOptions.silent = !!silent;
-    try {
-        await exec.exec(`"${azPath}" ${command}`, args,  execOptions); 
-    }
-    catch (error) {
-        throw new Error(error);
-    }
-}
-
-main();
+import * as core from '@actions/core';
+import { cleanupAzCLIAccounts, cleanupAzPSAccounts, setUserAgent } from './common/Utils';
+import { AzPSLogin } from './PowerShell/AzPSLogin';
+import { LoginConfig } from './common/LoginConfig';
+import { AzureCliLogin } from './Cli/AzureCliLogin';
+
+async function main() {
+    try {
+        setUserAgent();
+        const preCleanup: string = process.env.AZURE_LOGIN_PRE_CLEANUP;
+        if ('true' == preCleanup) {
+            await cleanupAzCLIAccounts();
+            if (core.getInput('enable-AzPSSession').toLowerCase() === "true") {
+                await cleanupAzPSAccounts();
+            }
+        }
+
+        // prepare the login configuration
+        var loginConfig = new LoginConfig();
+        await loginConfig.initialize();
+        await loginConfig.validate();
+
+        // login to Azure CLI
+        var cliLogin = new AzureCliLogin(loginConfig);
+        await cliLogin.login();
+
+        //login to Azure PowerShell
+        if (loginConfig.enableAzPSSession) {
+            var psLogin: AzPSLogin = new AzPSLogin(loginConfig);
+            await psLogin.login();
+        }
+    }
+    catch (error) {
+        core.setFailed(`Login failed with ${error}. Double check if the 'auth-type' is correct. Refer to https://github.com/Azure/login#readme for more information.`);
+        core.debug(error.stack);
+    }
+}
+
+main();
+