azureauth ado token command returns PAT's which seems unexpected #422

dggsax opened this issue Feb 12, 2025 · 1 comment

dggsax commented Feb 12, 2025

There's logic in the azureauth ado token command that checks for environment variables AZUREAUTH_ADO_PAT and SYSTEM_ACCESSTOKEN.

```csharp
// First attempt using a PAT.
var pat = PatFromEnv.Get(env);
if (pat.Exists)
{
    logger.LogDebug($"Using PAT from env var {pat.EnvVarSource}");
    logger.LogInformation(FormatToken(pat.Value, this.Output, Authorization.Basic));
    return 0;
}
```

While returning SYSTEM_ACCESSTOKEN makes sense, I was surprised to see it returning the PAT variable if it's set, which was a little unexpected given the token subcommand. I did see a case for one of our customers where SYSTEM_ACCESSTOKEN was set to a PAT which also is unexpected.

Perhaps there could be a flag for the command to ignore environment variables?

kyle-rader-msft (Contributor) commented Feb 12, 2025

SYSTEM_ACCESSTOKEN is always set to a PAT in Azure DevOps Pipelines. PATs themselves are still authentication tokens, so that is by design.

The context of the ado token command is specifically around making it easy for developer tools to run locally on developer machines and in Azure DevOps pipelines, hence the choice for those 2 env vars. When authenticating to ADO, you can use a PAT or a JWT - both are auth tokens, they happen to use different HTTP header formats.

A flag to ignore them would be a fine addon.
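
Until such a flag exists, a caller can see which of the two variables would short-circuit the command, launch it with them removed, and pick the header format from the token it gets back. This is an added example, not code from the azureauth project; the helper names are hypothetical, the JWT check is a heuristic, and the Basic encoding with an empty user name is the usual Azure DevOps PAT convention, assumed here rather than taken from azureauth's `FormatToken`.

```python
import base64
import json

# Variable names taken from the issue text above.
PAT_ENV_VARS = ("AZUREAUTH_ADO_PAT", "SYSTEM_ACCESSTOKEN")


def pat_env_sources(env):
    """Names of the PAT variables that are set and non-empty in env."""
    return [name for name in PAT_ENV_VARS if env.get(name)]


def scrubbed_env(env):
    """Copy of env without the PAT variables, for launching a child process,
    e.g. subprocess.run(["azureauth", "ado", "token"], env=scrubbed_env(os.environ))."""
    return {k: v for k, v in env.items() if k not in PAT_ENV_VARS}


def looks_like_jwt(token):
    """Heuristic: three non-empty dot-separated parts, the first of which
    decodes (base64url) to a JSON object carrying an "alg" field."""
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        return False
    try:
        padded = parts[0] + "=" * (-len(parts[0]) % 4)
        header = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False
    return isinstance(header, dict) and "alg" in header


def authorization_header(token):
    """Bearer for a JWT; Basic with an empty user name for anything else (PAT)."""
    if looks_like_jwt(token):
        return "Bearer " + token
    return "Basic " + base64.b64encode((":" + token).encode()).decode()
```

Logging the result of `pat_env_sources(os.environ)` before invoking the tool makes it visible in pipeline output when a PAT from the environment, rather than an interactive or cached sign-in, is about to be used.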
