Force Get-AzAccessToken to always return SecureString as long as AsSecureString is set

[msJinLei]

Description

Mandatory Checklist

• Please choose the target release of Azure PowerShell. (⚠️Target release is a different concept from API readiness. Please click below links for details.)

  • General release
  • Public preview
  • Private preview
  • Engineering build
  • No need for a release

• Check this box to confirm: I have read the Submitting Changes section of CONTRIBUTING.md and reviewed the following information:

• SHOULD update ChangeLog.md file(s) appropriately
  • Update src/{{SERVICE}}/{{SERVICE}}/ChangeLog.md.
    • A snippet outlining the change(s) made in the PR should be written under the ## Upcoming Release header in the past tense.
  • Should not change ChangeLog.md if no new release is required, such as fixing test case only.
• SHOULD regenerate markdown help files if there is cmdlet API change. Instruction
• SHOULD have proper test coverage for changes in pull request.
• SHOULD NOT adjust version of module manually in pull request

[azure-client-tools-bot-prd]

Thanks for your contribution! The pull request validation has started. Please revisit this comment for updated status.

[Copilot]

Pull Request Overview

This PR ensures that Get-AzAccessToken will always output a SecureString when the AsSecureString flag is set, regardless of the plaintext environment variable, and updates both the changelog and tests to reflect this behavior.

• Respect the AsSecureString parameter before writing plaintext output
• Add a changelog entry for the upcoming release
• Refactor and extend tests to cover secure-string scenarios

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File	Description
src/Accounts/Accounts/Token/GetAzureRmAccessToken.cs	Modify condition to only write plaintext when AsSecureString is false
src/Accounts/Accounts/ChangeLog.md	Add an upcoming release note about forcing secure-string output
src/Accounts/Accounts.Test/AccessTokenCmdletTest.cs	Introduce CreateCommand() helper, remove unused fields, and add secure-string tests

Comments suppressed due to low confidence (1)

src/Accounts/Accounts.Test/AccessTokenCmdletTest.cs:87

• This test invokes the cmdlet without mocking the authentication factory, which may call real authentication logic. You should override AzureSession.Instance.AuthenticationFactory with factoryMock.Object in this test to ensure it returns the expected fake token.

public void TestGetAccessTokenAsPlainText()

[Copilot]

The first test sets the plaintext env var but never clears it, causing leakage into subsequent tests. Consider resetting or scoping the environment variable (e.g., clear it at the start or end of each test).

[Copilot]

Pull Request Overview

This PR modifies the Get-AzAccessToken cmdlet to ensure that when the AsSecureString parameter is set, the returned token is a SecureString even if the environment variable for plain text output is present.

• Updated logic in GetAzureRmAccessToken.cs to conditionally bypass plain text output when AsSecureString is specified.
• Refactored test code by introducing a helper method to create a consistent cmdlet instance and removed unused fields.
• Updated ChangeLog.md to reflect the behavioral change.

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File	Description
src/Accounts/Accounts/Token/GetAzureRmAccessToken.cs	Changed condition in token output logic to check for AsSecureString before outputting.
src/Accounts/Accounts/ChangeLog.md	Added a changelog entry reflecting the update to SecureString token output behavior.
src/Accounts/Accounts.Test/AccessTokenCmdletTest.cs	Refactored test setup by introducing a CreateCommand helper and removed an unused field.

[Copilot]

[nitpick] Consider adding an inline comment explaining that the plain text output is intentionally bypassed when AsSecureString is set.

[Copilot]

Consider wrapping the assignment and restoration of AzureSession.Instance.AuthenticationFactory in a try–finally block to ensure test isolation even if exceptions occur.

Suggested change

	AzureSession.Instance.AuthenticationFactory = factoryMock.Object;
	// Act
	cmdlet.InvokeBeginProcessing();
	cmdlet.ExecuteCmdlet();
	cmdlet.InvokeEndProcessing();
	//Verify
	Assert.Single(mockedCommandRuntime.OutputPipeline);
	var outputPipeline = mockedCommandRuntime.OutputPipeline;
	Assert.Equal(expected.TenantId, ((PSSecureAccessToken)outputPipeline.First()).TenantId);
	Assert.Equal(expected.UserId, ((PSSecureAccessToken)outputPipeline.First()).UserId);
	try
	{
	AzureSession.Instance.AuthenticationFactory = factoryMock.Object;
	// Act
	cmdlet.InvokeBeginProcessing();
	cmdlet.ExecuteCmdlet();
	cmdlet.InvokeEndProcessing();
	//Verify
	Assert.Single(mockedCommandRuntime.OutputPipeline);
	var outputPipeline = mockedCommandRuntime.OutputPipeline;
	Assert.Equal(expected.TenantId, ((PSSecureAccessToken)outputPipeline.First()).TenantId);
	Assert.Equal(expected.UserId, ((PSSecureAccessToken)outputPipeline.First()).UserId);
	}
	finally
	{
	AzureSession.Instance.AuthenticationFactory = previousFactory;
	}