@microsoft/vscode-azext-azureauth 2.4.1 → 3.0.0

package/AzureFederatedCredentialsGuide.md

@@ -0,0 +1,174 @@
+# Setting up workflow identity federation with Azure DevOps
+
+This guide describes how to set up your Azure DevOps (ADO) and Azure environment to leverage [workflow identity federation](https://learn.microsoft.com/entra/workload-id/workload-identity-federation), enabling you to use
+`AzureDevOpsSubscriptionProvider` provided in this section. See the [README](README.md#azure-devops-subscription-provider) for more details.
+
+## 1. Create a new service principal
+
+Create a new service principal on which you will assign the necessary permissions. In this example, we use an app registration:
+
+1. Navigate to the [App Registrations](https://ms.portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade) page on the Azure portal
+2. Click on `New Registration`
+
+    ![New Registration](guide-imgs/app_registration.jpg)
+
+3. Assign any name
+4. Make sure to select the first option for the account type (`Accounts in this organization directory only (Microsoft only - Single tenant)`)
+5. Leave the Redirect URI and Service Tree ID fields empty
+6. Click on `Register`
+
+    ![Register an application](guide-imgs/app_registration_2.jpg)
+
+## 2. Create a new Azure DevOps (ADO) Service Connection:
+
+Create a new ADO service connection under your organization's project. In this example, we create it under the DevDiv project:
+
+ 1. Navigate to the [organization's (DevDiv) ADO page](https://devdiv.visualstudio.com/DevDiv)
+ 2. Navigate to the settings page by clicking on the gear icon on the bottom left
+ 3. Select the ["service connections"](https://devdiv.visualstudio.com/DevDiv/_settings/adminservices) blade from the panel on the left
+
+    ![Select service connection](guide-imgs/service_connection_1.jpg)
+
+ 4. Create a new service connection by clicking on the `New service connection` button
+
+   ![Click on new service connection](guide-imgs/service_connection_2.jpg)
+
+ 5. Select `Azure Resource Manager` as the type
+ 6. Select `Workload Identity federation (manual)` for the authentication type
+ 7. Provide a new name for your new service connection
+ 8. Click on `Next`
+ 9.  This will create a new draft service connection, with the `issuer` and `subject identifier` fields already filled in.
+ 10. Leave this window open while you finish the next step, which will require those `issuer` and `subject identifier` fields, then you will return to this window to finish creating the service principal
+
+   ![Draft service connectoin screen](guide-imgs/service_connection_3.jpg)
+
+## 3. Create a federated credential:
+
+Create a new "federated credential" on your service principal to connect it to your new service connection:
+
+ 1. Navigate back to the Azure Portal page for your service connection (app registration) from step 1
+ 2. Navigate to the `Certificates & secrets` blade
+ 3. Navigate to the `Federated credentials` tab
+ 4. Click on the `Add credential` button
+
+   ![Add federated credential](guide-imgs/credential_1.jpg)
+
+ 5. For the scenario, select `Other issuer`
+ 6. For the `issuer` and `subject identifier` fields, fill in with the details of your draft service connection from the previous step
+ 7. Select a new name for your new federated credential
+
+    ![Fill in issuer, subject identifier, and name fields](guide-imgs/credential_2.jpg)
+
+ 8. Click on `Add`
+
+## 4. (Temporary but required) Grant your service principal reader role on the desired subscription:
+
+This step is not required for running your tests, but _is_ required to finish creating the service connection. This should be revoked after successful creation of the service connection and only necessary roles applied to the service principal.
+
+ 1. On the Azure Portal, navigate to the page for the subscription you want the service principal to have access to.
+ 2. Navigate to the `Access control (IAM)` blade
+
+    ![access control tab](guide-imgs/subscription_1.jpg)
+
+ 3. Navigate to the `Roles` tab
+ 4. Click on the `+ Add` button, and choose `Add role assignment`
+
+   ![add role](guide-imgs/subscription_2.jpg)
+
+ 5. Choose `Reader` and click `Next`
+ 6. Choose `User, group, or service principal`, then click on `+ Select members`
+
+   ![select members](guide-imgs/subscription_3.jpg)
+
+ 7. Select your service principal from step 1
+ 8. Click on `Review and assign`
+
+## 5. Finish creating your service connection:
+
+Finish creating the draft service connection you created in step 2.
+
+ 1. Navigate back to your draft service connection from step 2
+ 2. For Environment, select `Azure Cloud`
+ 3. For Scope Level, choose `Subscription`
+ 4. Under `Subscription Id`, and `Subscription Name`, write the subscription ID and name (must provide both) for the desired subscription
+ 5. For `Service Principal Id`, provide the `Application (client) ID` of your app registration from step 1 (can be found in the `Overview` blade)
+ 6. For the `Tenant ID`, provide the `Directory (tenant) ID` of your app registration from step 1 (can be found in `Overview` blade)
+ 7. Click on `Verify and save`
+
+## 6. Revoke unnecessary read access and assign only necessary roles
+
+Revoke the `Reader` role on the subscription for the service connection after it is created. This is no longer necessary.
+
+ 1. Navigate to `Access control (IAM)` blade.
+ 2. Under the `Role assignments` tab, find the role assignment corresponding to the App registered on step 1
+ 3. Click on `Remove` then `Yes`
+ 4. You can then assign the required roles to specific resources only if required, instead of assigning `Reader` role to the entire subscription.
+
+## 7. Create a dummy Key Vault
+
+A dummy Key vault step is required to propagate the necessary environment variables in the context of the pipeline.
+
+ 1. Create a new Key Vault resource in the subscription you want to test on
+ 2. Give it a new name as appropriate. You can keep the default settings
+
+    ![Create key vault](guide-imgs/dummy_kv.jpg)
+
+## 8. Assign your service principal "key vault reader" role on the dummy Key Vault:
+
+ 1. Navigate to `Access control (IAM)` blade on your newly created dummy key vault
+
+   ![access control tab](guide-imgs/subscription_1.jpg)
+
+ 2. Navigate to the `Roles` tab
+ 3. Click on the `+ Add` button, and choose `Add role assignment`
+
+   ![add role](guide-imgs/subscription_2.jpg)
+
+ 4. Choose `Key Vault Reader` (**NOT** `Reader`) and click `Next`
+ 5. Choose `User, group, or service principal`, then click on `+ Select members`
+
+   ![select members](guide-imgs/subscription_3.jpg)
+
+ 6. Select your app registration from step 1
+ 7. Click on `Review and assign`
+
+## 9. Add the dummy Key Vault step in the pipeline
+
+To ensure that the appropriate env variables are propagated in the context of running the pipeline, a dummy Key Vault step is required in that pipeline:
+
+ 1. In the desired pipeline's `.yml` file, add a step as below. The `azureSubscription` field should correspond to the name of your service connection from step 2, while the `keyVaultName` field should correspond to the dummy key vault created in step 7:
+
+     ```yml
+      # This gives the TestServiceConnection service connection access to this pipeline.
+     - task: AzureKeyVault@1
+       displayName: 'Authorize TestServiceConnection service connection'
+       inputs:
+         azureSubscription: 'TestServiceConnection'
+         KeyVaultName: 'TestDummyKeyVault'
+     ```
+
+ 2. In the step which runs your code (e.g., the npm test step), make sure that the `$(System.AccessToken)` variable is manually propagated as a `SYSTEM_ACCESSTOKEN` environment variable. All other required environment variables should be propagated automatically:
+
+     ```yml
+     - task: Npm@1
+       displayName: "Test"
+       inputs:
+         command: custom
+         customCommand: test
+      env:
+         SYSTEM_ACCESSTOKEN: $(System.AccessToken)
+        ```
+
+## 10. Pass the appropriate values to identify your service connection:
+
+The constructor for `AzureDevOpsSubscriptionProvider` expects three arguments in an initializer object in order to identify your service connection you setup in step 5.
+
+These are:
+
+- `serviceConnectionId`: The resource ID of the service connection created in step 2, which can be found on the `resourceId` field of the URL at the address bar, when viewing the service connection in the Azure DevOps portal
+- `domain`: The `Tenant ID` field of the service connection properties, which can be accessed by clicking "Edit" on the service connection page
+- `clientId`: The `Service Principal Id` field of the service connection properties, which can be accessed by clicking "Edit" on the service connection page
+
+  ![identifier values for service connection](guide-imgs/identifier_values.jpg)
+
+Make sure you pass an object containing these variables for the `new AzureDevOpsServiceProvider()` constructor. These values are _not_ secrets, so they can be set as environment variables, assigned as pipeline variables in ADO, accessed and assigned using an Azure Key Vault step, or even manually hardcoded in code (not recommended).

package/CHANGELOG.md

@@ -1,5 +1,29 @@
 # Change Log
 
+## 3.0.0 - 2024-09-19
+* [#1789](https://github.com/microsoft/vscode-azuretools/pull/1789) Change `getTenants` to be compatible with the new Azure Resources tenants view. This also includes a possible breaking change where an optional parameter `account` which when passed in `getTenants` will return the tenants associated with that single account. Otherwise `getTenants` will return the tenants for all authenticated accounts.
+
+## 2.5.0 - 2024-08-06
+
+* Add `getSessionWithScopes` to get a session that has the proper scoping instead of always the default management plane
+
+## 2.4.1 - 2024-05-15
+
+* [#1729](https://github.com/microsoft/vscode-azuretools/pull/1729) Change AzureDevOpsSubscriptionProvider so that it accepts values as arguments
+
+## 2.4.0 - 2024-05-07
+
+* [#1723](https://github.com/microsoft/vscode-azuretools/pull/1723) Implementation fo AzureSub provider that leverages federated credentials
+
+## 2.1.0 - 2023-12-13
+
+* Use management endpoint for scope by default to fix deploying app service projects with sovereign clouds
+
+## 2.0.0 - 2023-11-20
+
+* Switches to use `@azure/arm-resources-subscriptions` instead of `@azure/arm-subscriptions`. Potentially a breaking change so I revved the major version.
+* Fixes an issue where the `endpoint` wasn't set for the subscription client, breaking sovereign clouds
+
 ## 1.4.0 - 2023-11-03
 * [#1619](https://github.com/microsoft/vscode-azuretools/pull/1619) Make `getSession` synchronous to fix an issue that broke app service deployments
 

package/README.md

@@ -100,6 +100,47 @@ export declare function getConfiguredAzureEnv(): azureEnv.Environment & {
 export declare function setConfiguredAzureEnv(cloud: string | azureEnv.EnvironmentParameters, target?: vscode.ConfigurationTarget): Promise<void>;
 ```
 
+## Azure DevOps Subscription Provider
+
+The auth package also exports `AzureDevOpsSubscriptionProvider`, a class which implements the `AzureSubscriptionProvider` interface, which authenticates via
+a federated Azure DevOps service connection, using [workflow identity federation](https://learn.microsoft.com/entra/workload-id/workload-identity-federation).
+
+This provider only works when running in the context of an Azure DevOps pipeline. It can be used to run end-to-end tests that require authentication to Azure,
+without having to manage any secrets, passwords or connection strings.
+
+The constructor expects an initializer object with three values set to identify your ADO service connection to be used for authentication.
+These are:
+
+- `serviceConnectionId`: The resource ID of your service connection, which can be found on the `resourceId` field of the URL at the address bar, when viewing the service connection in the Azure DevOps portal
+- `domain`: The `Tenant ID` field of the service connection properties, which can be accessed by clicking "Edit" on the service connection page
+- `clientId`: The `Service Principal Id` field of the service connection properties, which can be accessed by clicking "Edit" on the service connection page
+
+Here is an example code of how you might use `AzureDevOpsSubscriptionProvider`:
+
+```typescript
+import { AzureDevOpsSubscriptionProviderInitializer, AzureDevOpsSubscriptionProvider } from "@microsoft/vscode-azext-azureauth";
+
+const initializer: AzureDevOpsSubscriptionProviderInitializer = {
+    serviceConnectionId: "<REPLACE_WITH_SERVICE_CONNECTION_ID>",
+    domain: "<REPLACE_WITH_DOMAIN>",
+    clientId: "<REPLACE_WITH_CLIENT_ID>",
+}
+
+const subscriptionProvider = new AzureDevOpsSubscriptionProvider(initializer);
+
+const signedIn = await subscriptionProvider.signIn();
+if (!signedIn) {
+    throw new Error("Couldn't sign in");
+}
+
+const subscriptions = await subscriptionProvider.getSubscriptions();
+
+// logic on the subscriptions object
+```
+
+For more detailed steps on how to setup your Azure environment to use workflow identity federation and use this `AzureDevOpsSubscriptionProvider` object effectively,
+as well as the values needed to pass to `new AzureDevOpsSubscriptionProvider()`, please navigate to the workflow identity federation [guide](AzureFederatedCredentialsGuide.md).
+
 ## Logs
 
 View the Microsoft Authentication extension logs by running the `Developer: Show Logs...` command from the VS Code command palette.

package/out/src/AzureAuthentication.d.ts

@@ -3,6 +3,13 @@ import type * as vscode from 'vscode';
  * Represents a means of obtaining authentication data for an Azure subscription.
  */
 export interface AzureAuthentication {
+    /**
+     * Gets a VS Code authentication session for an Azure subscription.
+     * Always uses the default scope, `https://management.azure.com/.default/` and respects `microsoft-sovereign-cloud.environment` setting.
+     *
+     * @returns A VS Code authentication session or undefined, if none could be obtained.
+     */
+    getSession(): vscode.ProviderResult<vscode.AuthenticationSession>;
     /**
      * Gets a VS Code authentication session for an Azure subscription.
      *
@@ -10,5 +17,5 @@ export interface AzureAuthentication {
      *
      * @returns A VS Code authentication session or undefined, if none could be obtained.
      */
-    getSession(scopes?: string[]): vscode.ProviderResult<vscode.AuthenticationSession>;
+    getSessionWithScopes(scopes: string[]): vscode.ProviderResult<vscode.AuthenticationSession>;
 }

package/out/src/AzureDevOpsSubscriptionProvider.js

@@ -119,6 +119,10 @@ class AzureDevOpsSubscriptionProvider {
                             subscriptionId: subscription.subscriptionId,
                             /* eslint-enable @typescript-eslint/no-non-null-assertion */
                             tenantId,
+                            account: {
+                                id: "test-account-id",
+                                label: "test-account",
+                            },
                         });
                     }
                     finally {
@@ -151,23 +155,25 @@ class AzureDevOpsSubscriptionProvider {
                 throw new Error('Not signed in');
             }
             const accessToken = ((_b = (yield ((_a = this._tokenCredential) === null || _a === void 0 ? void 0 : _a.getToken("https://management.azure.com/.default")))) === null || _b === void 0 ? void 0 : _b.token) || '';
+            const getSession = () => {
+                var _a, _b, _c, _d;
+                return {
+                    accessToken,
+                    id: ((_a = this._tokenCredential) === null || _a === void 0 ? void 0 : _a.tenantId) || '',
+                    account: {
+                        id: ((_b = this._tokenCredential) === null || _b === void 0 ? void 0 : _b.tenantId) || '',
+                        label: ((_c = this._tokenCredential) === null || _c === void 0 ? void 0 : _c.tenantId) || '',
+                    },
+                    tenantId: ((_d = this._tokenCredential) === null || _d === void 0 ? void 0 : _d.tenantId) || '',
+                    scopes: scopes || [],
+                };
+            };
             return {
                 client: new armSubs.SubscriptionClient(this._tokenCredential),
                 credential: this._tokenCredential,
                 authentication: {
-                    getSession: (_scopes) => {
-                        var _a, _b, _c, _d;
-                        return {
-                            accessToken,
-                            id: ((_a = this._tokenCredential) === null || _a === void 0 ? void 0 : _a.tenantId) || '',
-                            account: {
-                                id: ((_b = this._tokenCredential) === null || _b === void 0 ? void 0 : _b.tenantId) || '',
-                                label: ((_c = this._tokenCredential) === null || _c === void 0 ? void 0 : _c.tenantId) || '',
-                            },
-                            tenantId: ((_d = this._tokenCredential) === null || _d === void 0 ? void 0 : _d.tenantId) || '',
-                            scopes: scopes || [],
-                        };
-                    }
+                    getSession,
+                    getSessionWithScopes: getSession,
                 }
             };
         });

package/out/src/AzureSubscription.d.ts

@@ -1,6 +1,7 @@
 import type { TokenCredential } from '@azure/core-auth';
 import type { Environment } from '@azure/ms-rest-azure-env';
-import type { AzureAuthentication } from './AzureAuthentication';
+import * as vscode from "vscode";
+import { AzureAuthentication } from './AzureAuthentication';
 /**
  * A type representing an Azure subscription ID, not including the tenant ID.
  */
@@ -41,4 +42,8 @@ export interface AzureSubscription {
      * The credential for authentication to this subscription. Compatible with Azure track 2 SDKs.
      */
     readonly credential: TokenCredential;
+    /**
+     * The account associated with this subscription.
+     */
+    readonly account: vscode.AuthenticationSessionAccountInformation;
 }

package/out/src/AzureSubscriptionProvider.d.ts

@@ -1,6 +1,6 @@
+import type { TenantIdDescription } from '@azure/arm-resources-subscriptions';
 import type * as vscode from 'vscode';
 import type { AzureSubscription } from './AzureSubscription';
-import type { TenantIdDescription } from '@azure/arm-resources-subscriptions';
 /**
  * An interface for obtaining Azure subscription information
  */
@@ -9,9 +9,11 @@ export interface AzureSubscriptionProvider {
      * Gets a list of tenants available to the user.
      * Use {@link isSignedIn} to check if the user is signed in to a particular tenant.
      *
+     * @param account - Optionally pass in a specific account to get tenants for.
+     *
      * @returns A list of tenants.
      */
-    getTenants(): Promise<TenantIdDescription[]>;
+    getTenants(account?: vscode.AuthenticationSessionAccountInformation): Promise<TenantIdDescription[]>;
     /**
      * Gets a list of Azure subscriptions available to the user.
      *

package/out/src/VSCodeAzureSubscriptionProvider.d.ts

@@ -1,7 +1,7 @@
 import type { TenantIdDescription } from '@azure/arm-resources-subscriptions';
 import * as vscode from 'vscode';
-import type { AzureSubscription, SubscriptionId, TenantId } from './AzureSubscription';
-import type { AzureSubscriptionProvider } from './AzureSubscriptionProvider';
+import { AzureSubscription, SubscriptionId, TenantId } from './AzureSubscription';
+import { AzureSubscriptionProvider } from './AzureSubscriptionProvider';
 /**
  * A class for obtaining Azure subscription information using VSCode's built-in authentication
  * provider.
@@ -17,9 +17,11 @@ export declare class VSCodeAzureSubscriptionProvider extends vscode.Disposable i
      * Gets a list of tenants available to the user.
      * Use {@link isSignedIn} to check if the user is signed in to a particular tenant.
      *
+     * @param account (Optional) A specific account to get tenants for. If not provided, all accounts will be used.
+     *
      * @returns A list of tenants.
      */
-    getTenants(): Promise<TenantIdDescription[]>;
+    getTenants(account?: vscode.AuthenticationSessionAccountInformation): Promise<TenantIdDescription[]>;
     /**
      * Gets a list of Azure subscriptions available to the user.
      *
@@ -87,6 +89,7 @@ export declare class VSCodeAzureSubscriptionProvider extends vscode.Disposable i
      * Gets the subscriptions for a given tenant.
      *
      * @param tenantId The tenant ID to get subscriptions for.
+     * @param account The account to get the subscriptions for.
      *
      * @returns The list of subscriptions for the tenant.
      */
@@ -95,6 +98,7 @@ export declare class VSCodeAzureSubscriptionProvider extends vscode.Disposable i
      * Gets a fully-configured subscription client for a given tenant ID
      *
      * @param tenantId (Optional) The tenant ID to get a client for
+     * @param account The account that you would like to get the session for
      *
      * @returns A client, the credential used by the client, and the authentication function
      */

package/out/src/VSCodeAzureSubscriptionProvider.js

@@ -22,8 +22,8 @@ var __asyncValues = (this && this.__asyncValues) || function (o) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.VSCodeAzureSubscriptionProvider = void 0;
 const vscode = require("vscode");
-const NotSignedInError_1 = require("./NotSignedInError");
 const getSessionFromVSCode_1 = require("./getSessionFromVSCode");
+const NotSignedInError_1 = require("./NotSignedInError");
 const configuredAzureEnv_1 = require("./utils/configuredAzureEnv");
 const EventDebounce = 5 * 1000; // 5 seconds
 /**
@@ -71,30 +71,51 @@ class VSCodeAzureSubscriptionProvider extends vscode.Disposable {
      * Gets a list of tenants available to the user.
      * Use {@link isSignedIn} to check if the user is signed in to a particular tenant.
      *
+     * @param account (Optional) A specific account to get tenants for. If not provided, all accounts will be used.
+     *
      * @returns A list of tenants.
      */
-    getTenants() {
-        var _a, e_1, _b, _c;
+    getTenants(account) {
+        var _a, e_1, _b, _c, _d, e_2, _e, _f;
         return __awaiter(this, void 0, void 0, function* () {
-            const { client } = yield this.getSubscriptionClient();
             const results = [];
             try {
-                for (var _d = true, _e = __asyncValues(client.tenants.list()), _f; _f = yield _e.next(), _a = _f.done, !_a;) {
-                    _c = _f.value;
-                    _d = false;
+                for (var _g = true, _h = __asyncValues(account ? [account] : yield vscode.authentication.getAccounts((0, configuredAzureEnv_1.getConfiguredAuthProviderId)())), _j; _j = yield _h.next(), _a = _j.done, !_a;) {
+                    _c = _j.value;
+                    _g = false;
                     try {
-                        const tenant = _c;
-                        results.push(tenant);
+                        account = _c;
+                        const { client } = yield this.getSubscriptionClient(account, undefined, undefined);
+                        try {
+                            for (var _k = true, _l = (e_2 = void 0, __asyncValues(client.tenants.list())), _m; _m = yield _l.next(), _d = _m.done, !_d;) {
+                                _f = _m.value;
+                                _k = false;
+                                try {
+                                    const tenant = _f;
+                                    results.push(tenant);
+                                }
+                                finally {
+                                    _k = true;
+                                }
+                            }
+                        }
+                        catch (e_2_1) { e_2 = { error: e_2_1 }; }
+                        finally {
+                            try {
+                                if (!_k && !_d && (_e = _l.return)) yield _e.call(_l);
+                            }
+                            finally { if (e_2) throw e_2.error; }
+                        }
                     }
                     finally {
-                        _d = true;
+                        _g = true;
                     }
                 }
             }
             catch (e_1_1) { e_1 = { error: e_1_1 }; }
             finally {
                 try {
-                    if (!_d && !_a && (_b = _e.return)) yield _b.call(_e);
+                    if (!_g && !_a && (_b = _h.return)) yield _b.call(_h);
                 }
                 finally { if (e_1) throw e_1.error; }
             }
@@ -120,20 +141,23 @@ class VSCodeAzureSubscriptionProvider extends vscode.Disposable {
             const results = [];
             try {
                 this.suppressSignInEvents = true;
-                // Get the list of tenants
-                for (const tenant of yield this.getTenants()) {
-                    // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
-                    const tenantId = tenant.tenantId;
-                    // If filtering is enabled, and the current tenant is not in that list, then skip it
-                    if (shouldFilterTenants && !tenantIds.includes(tenantId)) {
-                        continue;
-                    }
-                    // If the user is not signed in to this tenant, then skip it
-                    if (!(yield this.isSignedIn(tenantId))) {
-                        continue;
+                // Get the list of tenants from each account
+                const accounts = yield vscode.authentication.getAccounts((0, configuredAzureEnv_1.getConfiguredAuthProviderId)());
+                for (const account of accounts) {
+                    for (const tenant of yield this.getTenants(account)) {
+                        // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+                        const tenantId = tenant.tenantId;
+                        // If filtering is enabled, and the current tenant is not in that list, then skip it
+                        if (shouldFilterTenants && !tenantIds.includes(tenantId)) {
+                            continue;
+                        }
+                        // If the user is not signed in to this tenant, then skip it
+                        if (!(yield this.isSignedIn(tenantId))) {
+                            continue;
+                        }
+                        // For each tenant, get the list of subscriptions
+                        results.push(...yield this.getSubscriptionsForTenant(tenantId, account));
                     }
-                    // For each tenant, get the list of subscriptions
-                    results.push(...yield this.getSubscriptionsForTenant(tenantId));
                 }
             }
             finally {
@@ -217,13 +241,14 @@ class VSCodeAzureSubscriptionProvider extends vscode.Disposable {
      * Gets the subscriptions for a given tenant.
      *
      * @param tenantId The tenant ID to get subscriptions for.
+     * @param account The account to get the subscriptions for.
      *
      * @returns The list of subscriptions for the tenant.
      */
-    getSubscriptionsForTenant(tenantId) {
-        var _a, e_2, _b, _c;
+    getSubscriptionsForTenant(tenantId, account) {
+        var _a, e_3, _b, _c;
         return __awaiter(this, void 0, void 0, function* () {
-            const { client, credential, authentication } = yield this.getSubscriptionClient(tenantId);
+            const { client, credential, authentication } = yield this.getSubscriptionClient(account, tenantId, undefined);
             const environment = (0, configuredAzureEnv_1.getConfiguredAzureEnv)();
             const subscriptions = [];
             try {
@@ -242,6 +267,7 @@ class VSCodeAzureSubscriptionProvider extends vscode.Disposable {
                             subscriptionId: subscription.subscriptionId,
                             /* eslint-enable @typescript-eslint/no-non-null-assertion */
                             tenantId: tenantId,
+                            account: account
                         });
                     }
                     finally {
@@ -249,12 +275,12 @@ class VSCodeAzureSubscriptionProvider extends vscode.Disposable {
                     }
                 }
             }
-            catch (e_2_1) { e_2 = { error: e_2_1 }; }
+            catch (e_3_1) { e_3 = { error: e_3_1 }; }
             finally {
                 try {
                     if (!_d && !_a && (_b = _e.return)) yield _b.call(_e);
                 }
-                finally { if (e_2) throw e_2.error; }
+                finally { if (e_3) throw e_3.error; }
             }
             return subscriptions;
         });
@@ -263,13 +289,14 @@ class VSCodeAzureSubscriptionProvider extends vscode.Disposable {
      * Gets a fully-configured subscription client for a given tenant ID
      *
      * @param tenantId (Optional) The tenant ID to get a client for
+     * @param account The account that you would like to get the session for
      *
      * @returns A client, the credential used by the client, and the authentication function
      */
-    getSubscriptionClient(tenantId, scopes) {
+    getSubscriptionClient(account, tenantId, scopes) {
         return __awaiter(this, void 0, void 0, function* () {
             const armSubs = yield Promise.resolve().then(() => require('@azure/arm-resources-subscriptions'));
-            const session = yield (0, getSessionFromVSCode_1.getSessionFromVSCode)(scopes, tenantId, { createIfNone: false, silent: true });
+            const session = yield (0, getSessionFromVSCode_1.getSessionFromVSCode)(scopes, tenantId, { createIfNone: false, silent: true, account });
             if (!session) {
                 throw new NotSignedInError_1.NotSignedInError();
             }
@@ -287,7 +314,10 @@ class VSCodeAzureSubscriptionProvider extends vscode.Disposable {
                 client: new armSubs.SubscriptionClient(credential, { endpoint }),
                 credential: credential,
                 authentication: {
-                    getSession: () => session
+                    getSession: () => session,
+                    getSessionWithScopes: (scopes) => {
+                        return (0, getSessionFromVSCode_1.getSessionFromVSCode)(scopes, tenantId, { createIfNone: false, silent: true, account });
+                    },
                 }
             };
         });

package/out/src/getSessionFromVSCode.js

@@ -14,8 +14,8 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.getSessionFromVSCode = void 0;
-const configuredAzureEnv_1 = require("./utils/configuredAzureEnv");
 const vscode = require("vscode");
+const configuredAzureEnv_1 = require("./utils/configuredAzureEnv");
 function ensureEndingSlash(value) {
     return value.endsWith('/') ? value : `${value}/`;
 }

package/package.json

@@ -1,7 +1,7 @@
 {
     "name": "@microsoft/vscode-azext-azureauth",
     "author": "Microsoft Corporation",
-    "version": "2.4.1",
+    "version": "3.0.0",
     "description": "Azure authentication helpers for Visual Studio Code",
     "tags": [
         "azure",
@@ -41,7 +41,7 @@
         "@types/node-fetch": "2.6.7",
         "@types/semver": "^7.3.9",
         "@types/uuid": "^9.0.1",
-        "@types/vscode": "1.76.0",
+        "@types/vscode": "1.93.0",
         "@typescript-eslint/eslint-plugin": "^5.53.0",
         "@vscode/test-electron": "^2.3.8",
         "eslint": "^8.34.0",