[Identity] Prepare patch 1.14.1 release (#50847)

* [Identity] Update AzurePowerShellCredential to handle Get-AzAccessToken breaking change (#50654)

* handle new format

* Update changelog

* Add new test

* Applied copilot suggestion

* Use different logic for WindowsPowershell

* Simplify logic and follow the migration guide pattern

* Update test after logic change in PowerShell script

* Prepare release script

* Patch instead of minor version increase

* Fix API compat version after mistakenly using version 1.15.0 when running the PrepareRelease script

* fix changelog

Author: JonathanCrd

sdk/identity/Azure.Identity/CHANGELOG.md

@@ -1,5 +1,11 @@
 # Release History
 
+## 1.14.1 (2025-07-08)
+
+###  Bugs Fixed
+
+- Added support in AzurePowerShellCredential for the Az.Accounts 5.0.0+ (Az 14.0.0+) breaking change where Get-AzAccessToken returns PSSecureAccessToken with a SecureString Token property instead of plaintext.
+
 ## 1.14.0 (2025-05-13)
 
 ### Other Changes

sdk/identity/Azure.Identity/src/Azure.Identity.csproj

@@ -2,9 +2,9 @@
   <PropertyGroup>
     <Description>Provides APIs for authenticating to Microsoft Entra ID</Description>
     <AssemblyTitle>Microsoft Azure.Identity Component</AssemblyTitle>
-    <Version>1.14.0</Version>
+    <Version>1.14.1</Version>
     <!--The ApiCompatVersion is managed automatically and should not generally be modified manually.-->
-    <ApiCompatVersion>1.13.2</ApiCompatVersion>
+    <ApiCompatVersion>1.14.0</ApiCompatVersion>
     <PackageTags>Microsoft Azure Identity;$(PackageCommonTags)</PackageTags>
     <TargetFrameworks>$(RequiredTargetFrameworks)</TargetFrameworks>
     <NoWarn>$(NoWarn);3021;AZC0011</NoWarn>

sdk/identity/Azure.Identity/src/Credentials/AzurePowerShellCredential.cs

@@ -210,7 +210,8 @@ private static void CheckForErrors(string output, int exitCode)
 
         private static void ValidateResult(string output)
         {
-            if (output.IndexOf(@"<Property Name=""Token"" Type=""System.String"">", StringComparison.OrdinalIgnoreCase) < 0)
+            // Check for Token property in the XML output, regardless of the property type, to handle both legacy and new secure string format.
+            if (output.IndexOf(@"<Property Name=""Token""", StringComparison.OrdinalIgnoreCase) < 0)
             {
                 throw new CredentialUnavailableException("PowerShell did not return a valid response.");
             }
@@ -261,16 +262,24 @@ private void GetFileNameAndArguments(string resource, string tenantId, out strin
     $params['TenantId'] = '{tenantId}'
 }}
 
-$useSecureString = $m.Version -ge [version]'2.17.0'
-if ($useSecureString) {{
+# For Az.Accounts 2.17.0+ but below 5.0.0, explicitly request secure string
+if ($m.Version -ge [version]'2.17.0' -and $m.Version -lt [version]'5.0.0') {{
     $params['AsSecureString'] = $true
 }}
 
 $token = Get-AzAccessToken @params
 
 $customToken = New-Object -TypeName psobject
-if ($useSecureString) {{
-    $customToken | Add-Member -MemberType NoteProperty -Name Token -Value (ConvertFrom-SecureString -AsPlainText $token.Token)
+
+# If the token is a SecureString, convert to plain text using recommended pattern
+if ($token.Token -is [System.Security.SecureString]) {{
+    $ssPtr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($token.Token)
+    try {{
+        $plainToken = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($ssPtr)
+    }} finally {{
+        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ssPtr)
+    }}
+    $customToken | Add-Member -MemberType NoteProperty -Name Token -Value $plainToken
 }} else {{
     $customToken | Add-Member -MemberType NoteProperty -Name Token -Value $token.Token
 }}

sdk/identity/Azure.Identity/tests/AzurePowerShellCredentialsTests.cs

@@ -331,5 +331,35 @@ public void VerifyGetTokenScopeValidation(char testChar)
                 Assert.ThrowsAsync<AuthenticationFailedException>(async () => await credential.GetTokenAsync(tokenRequestContext), ScopeUtilities.InvalidScopeMessage);
             }
         }
+
+        [Test]
+        public async Task AuthenticateWithAzurePowerShellCredential_HandlesSecureStringToken()
+        {
+            var (expectedToken, expectedExpiresOn, processOutput) = CredentialTestHelpers.CreateTokenForAzurePowerShellSecureString(TimeSpan.FromSeconds(30));
+            var testProcess = new TestProcess { Output = processOutput };
+            AzurePowerShellCredential credential = InstrumentClient(
+                new AzurePowerShellCredential(
+                    new AzurePowerShellCredentialOptions(),
+                    CredentialPipeline.GetInstance(null),
+                    new TestProcessService(testProcess, true)));
+
+            AccessToken actualToken = await credential.GetTokenAsync(new TokenRequestContext(MockScopes.Default));
+
+            Assert.AreEqual(expectedToken, actualToken.Token);
+            Assert.AreEqual(expectedExpiresOn, actualToken.ExpiresOn);
+
+            // Verify PowerShell script checks for and handles Az.Accounts module version 5.0.0+
+            var match = System.Text.RegularExpressions.Regex.Match(testProcess.StartInfo.Arguments, "EncodedCommand\\s*\"([^\"]+)\"");
+            if (!match.Success)
+            {
+                throw new InvalidOperationException("Failed to extract the encoded command from the arguments.");
+            }
+            var commandString = match.Groups[1].Value;
+            var b = Convert.FromBase64String(commandString);
+            commandString = Encoding.Unicode.GetString(b);
+
+            Assert.That(commandString, Does.Contain("if ($token.Token -is [System.Security.SecureString])"));
+            Assert.That(commandString, Does.Contain("[System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($token.Token)"));
+        }
     }
 }

sdk/identity/Azure.Identity/tests/CredentialTestHelpers.cs

@@ -79,6 +79,15 @@ public static (string Token, DateTimeOffset ExpiresOn, string Json) CreateTokenF
             return (token, expiresOn, xml);
         }
 
+        public static (string Token, DateTimeOffset ExpiresOn, string Json) CreateTokenForAzurePowerShellSecureString(TimeSpan expiresOffset)
+        {
+            var expiresOn = DateTimeOffset.FromUnixTimeSeconds(DateTimeOffset.UtcNow.Add(expiresOffset).ToUnixTimeSeconds());
+            var token = TokenGenerator.GenerateToken(Guid.NewGuid().ToString(), Guid.NewGuid().ToString(), Guid.NewGuid().ToString(), Guid.NewGuid().ToString(), expiresOn.UtcDateTime);
+            // Simulate Az 14.0+ output with secure string token as returned by our PowerShell script after conversion
+            var xml = @$"<Object Type=""System.Management.Automation.PSCustomObject""><Property Name=""Token"" Type=""System.String"">{token}</Property><Property Name=""ExpiresOn"" Type=""System.Int64"">{expiresOn.UtcDateTime.Ticks}</Property></Object>";
+            return (token, expiresOn, xml);
+        }
+
         public static (string Token, DateTimeOffset ExpiresOn, string Json) CreateTokenForVisualStudio() => CreateTokenForVisualStudio(TimeSpan.FromSeconds(30));
 
         public static (string Token, DateTimeOffset ExpiresOn, string Json) CreateTokenForVisualStudio(TimeSpan expiresOffset)