[Identity] Add support logging flag (#32135)

Signed-off-by: Paul Van Eck <[email protected]>

Author: pvaneck

sdk/identity/azure-identity/CHANGELOG.md

@@ -4,6 +4,8 @@
 
 ### Features Added
 
+- Added `enable_support_logging` as a keyword argument to credentials using MSAL's `PublicClientApplication`. This allows additional support logging which may contain PII. ([#32135](https://github.com/Azure/azure-sdk-for-python/pull/32135))
+
 ### Breaking Changes
 
 ### Bugs Fixed

sdk/identity/azure-identity/azure/identity/_credentials/browser.py

@@ -50,6 +50,9 @@ class InteractiveBrowserCredential(InteractiveCredential):
         https://login.microsoft.com/ to validate the authority. By setting this to **True**, the validation of the
         authority is disabled. As a result, it is crucial to ensure that the configured authority host is valid and
         trustworthy.
+    :keyword bool enable_support_logging: Enables additional support logging in the underlying MSAL library.
+        This logging potentially contains personally identifiable information and is intended to be used only for
+        troubleshooting purposes.
     :raises ValueError: invalid **redirect_uri**
 
     .. admonition:: Example:

sdk/identity/azure-identity/azure/identity/_credentials/device_code.py

@@ -54,6 +54,9 @@ class DeviceCodeCredential(InteractiveCredential):
         https://login.microsoft.com/ to validate the authority. By setting this to **True**, the validation of the
         authority is disabled. As a result, it is crucial to ensure that the configured authority host is valid and
         trustworthy.
+    :keyword bool enable_support_logging: Enables additional support logging in the underlying MSAL library.
+        This logging potentially contains personally identifiable information and is intended to be used only for
+        troubleshooting purposes.
 
     .. admonition:: Example:
 

sdk/identity/azure-identity/azure/identity/_credentials/user_password.py

@@ -44,6 +44,9 @@ class UsernamePasswordCredential(InteractiveCredential):
     :keyword List[str] additionally_allowed_tenants: Specifies tenants in addition to the specified "tenant_id"
         for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to
         acquire tokens for any tenant the application can access.
+    :keyword bool enable_support_logging: Enables additional support logging in the underlying MSAL library.
+        This logging potentially contains personally identifiable information and is intended to be used only for
+        troubleshooting purposes.
 
     .. admonition:: Example:
 

sdk/identity/azure-identity/azure/identity/_internal/msal_credentials.py

@@ -33,6 +33,7 @@ def __init__(
         authority: Optional[str] = None,
         disable_instance_discovery: Optional[bool] = None,
         tenant_id: Optional[str] = None,
+        enable_support_logging: Optional[bool] = None,
         **kwargs
     ) -> None:
         self._instance_discovery = None if disable_instance_discovery is None else not disable_instance_discovery
@@ -48,6 +49,7 @@ def __init__(
         self._allow_broker = allow_broker
         self._parent_window_handle = parent_window_handle
         self._enable_msa_passthrough = enable_msa_passthrough
+        self._enable_support_logging = enable_support_logging
         self._additionally_allowed_tenants = additionally_allowed_tenants or []
 
         self._client_applications: Dict[str, msal.ClientApplication] = {}
@@ -113,6 +115,7 @@ def _get_app(self, **kwargs: Any) -> msal.ClientApplication:
                 http_client=self._client,
                 instance_discovery=self._instance_discovery,
                 allow_broker=self._allow_broker,
+                enable_pii_log=self._enable_support_logging,
             )
 
         return client_applications_map[tenant_id]

sdk/identity/azure-identity/setup.py

@@ -61,7 +61,7 @@
     install_requires=[
         "azure-core<2.0.0,>=1.11.0",
         "cryptography>=2.5",
-        "msal<2.0.0,>=1.20.0",
+        "msal<2.0.0,>=1.24.0",
         "msal-extensions<2.0.0,>=0.3.0",
     ],
 )

sdk/identity/azure-identity/tests/test_interactive_credential.py

@@ -77,6 +77,31 @@ def validate_app_parameters(authority, client_id, **_):
     assert mock_client_application.call_count == 1, "credential didn't create an msal application"
 
 
+def test_enable_support_logging():
+    """The keyword argument for enabling PII in MSAL should be passed."""
+
+    record = AuthenticationRecord("tenant-id", "client-id", "localhost", "object.tenant", "username")
+
+    def validate_app_parameters(authority, client_id, **_):
+        # the 'authority' argument to msal.ClientApplication should be a URL of the form https://authority/tenant
+        assert authority == "https://{}/{}".format(record.authority, record.tenant_id)
+        assert client_id == record.client_id
+        return Mock(get_accounts=Mock(return_value=[]))
+
+    mock_client_application = Mock(wraps=validate_app_parameters)
+
+    credential = MockCredential(
+        authentication_record=record, disable_automatic_authentication=True, enable_support_logging=True
+    )
+    with pytest.raises(AuthenticationRequiredError):
+        with patch("msal.PublicClientApplication", mock_client_application):
+            credential.get_token("scope")
+
+    assert mock_client_application.call_count == 1, "credential didn't create an msal application"
+    _, kwargs = mock_client_application.call_args
+    assert kwargs["enable_pii_log"]
+
+
 def test_tenant_argument_overrides_record():
     """The 'tenant_ic' keyword argument should override a given record's value"""