azure-cli
az account get-access-token doesn't seem to work in multi-tenant scenarios correctly
az feedback auto-generates most of the information requested below, as of CLI version 2.0.62
Describe the bug
If you log in to az cli with multiple tenants, and then run az account get-access-token with --tenant-id, it fails to retrieve the tenant. However, if you use --subscription with a subscription in that tenant, it works.
To Reproduce
az login (into tenant A)
az login --device-code (into tenant B)
az account get-access-token --scope "https://vault.azure.net/.default" --tenant <id of tenant B>
az account get-access-token --scope "https://vault.azure.net/.default" --tenant <id of tenant A>
az account get-access-token --scope "https://vault.azure.net/.default" --subscription <subscription in tenant A>
Here, the first get-access-token call succeeds, the second fails, and the third succeeds.
Expected behavior
All three get-access-token calls succeed
Environment summary
az cli 2.33.0 running on WSL2
Additional context
@jiasli for awareness
Could you give more information on how the second command fails? Any error, output?
az account get-access-token --scope "https://vault.azure.net/.default" --tenant "<redacted tenant A>"
AADSTS50020: User account '{EmailHidden}' from identity provider 'https://sts.windows.net/<redacted tenant B>/' does not exist in tenant 'Microsoft' and cannot access the application '04b07795-8ddb-461a-bbee-02f9e1bf7b46'(Microsoft Azure CLI) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Trace ID: 4a296d31-eab2-4719-a474-4c4f852b0100
Correlation ID: 8a2d8304-11b7-42df-ba85-4491756a9780
Timestamp: 2022-02-08 22:03:22Z
To re-authenticate, please run:
az login --scope https://vault.azure.net/.default
Also, I just noticed that my original post didn't escape the angle brackets correctly. Updated in place for clarity.
@yonzhan @jiasli Do you have any update here? This issue is still requiring us to use a custom AzureCliCredential wrapper that handles this behavior correctly as the one shipped with the Azure.Identity package does not handle this correctly.
I think I figured out the problem. You log into 2 tenants with 2 different users. After that, you can get expected token with --subscription, but not with --tenant.
There will be no error when the current user belongs to both tenants:
> az account get-access-token --scope "https://vault.azure.net/.default" --tenant 72f988bf-86f1-41af-91ab-2d7cd011db47
{
"accessToken": <Decoded: "tid": "72f988bf-86f1-41af-91ab-2d7cd011db47">,
"expiresOn": "2022-12-07 11:36:29.000000",
"tenant": "72f988bf-86f1-41af-91ab-2d7cd011db47",
"tokenType": "Bearer"
}
> az account get-access-token --scope "https://vault.azure.net/.default" --tenant 54826b22-38d6-4fb2-bad9-b7b93a3e9c5a
{
"accessToken": <Decoded: "tid": "54826b22-38d6-4fb2-bad9-b7b93a3e9c5a">,
"expiresOn": "2022-12-07 11:17:30.000000",
"tenant": "54826b22-38d6-4fb2-bad9-b7b93a3e9c5a",
"tokenType": "Bearer"
}
The tenant ID provided with --tenant matches the tenant ID of the access token.
I got the same error if the current user doesn't exist in the provided --tenant:
> az account get-access-token --scope "https://vault.azure.net/.default" --tenant 72f988bf-86f1-41af-91ab-2d7cd011db47
AADSTS50020: User account '{EmailHidden}' from identity provider 'https://sts.windows.net/54826b22-38d6-4fb2-bad9-b7b93a3e9c5a/' does not exist in tenant 'Microsoft' and cannot access the application '04b07795-8ddb-461a-bbee-02f9e1bf7b46'(Microsoft Azure CLI) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Trace ID: 988ded24-207a-4a5d-9d98-680f78610100
Correlation ID: e33352c9-d0e4-4b0b-876b-9bcedbb9da27
Timestamp: 2022-12-07 02:27:18Z
Interactive authentication is needed. Please run:
az login --scope https://vault.azure.net/.default
This is because we disabled tenanted passthrough due to security:
- https://github.com/Azure/azure-cli/issues/23255
The reason why subscription ID can be used to select user identity is because subscription ID is the primary key of the list from az account list, but tenant ID is not. Tenant ID can lead to ambiguity. Imagine 2 entries for different users containing the same tenant ID: which user identity should we use?
- [subA], tenantA, userA
- [subB], tenantA, userB
So the behavior can be summarized as
- If --subscription is provided, the user identity matching that --subscription is used
- If --tenant is provided, the current user identity is used
This is how the user identity is selected (by --subscription or the current account):
https://github.com/Azure/azure-cli/blob/060b414d8ac5e4d8f4fc17cc2e23c2154c762226/src/azure-cli-core/azure/cli/core/_profile.py#L362
--tenant is then applied to the selected user identity:
https://github.com/Azure/azure-cli/blob/060b414d8ac5e4d8f4fc17cc2e23c2154c762226/src/azure-cli-core/azure/cli/core/_profile.py#L382
The help message also tells the same:
> az account get-access-token -h
Command
az account get-access-token : Get a token for utilities to access Azure.
The token will be valid for at least 5 minutes with the maximum at 60 minutes. If the
subscription argument isn't specified, the current account is used.
Also see
- https://github.com/Azure/azure-cli/issues/15005
- https://github.com/Azure/azure-cli/issues/13285
This topic was also previously discussed in https://github.com/Azure/azure-devops-cli-extension/pull/1226
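The identity-selection rule described in the last reply (pick the user by --subscription or fall back to the current account, then apply --tenant to that user), modelled as an added Python example. This is not azure-cli's own _profile.py code: the account list, the tenant-membership map, the error classes and the user and tenant names are all constructed here to reproduce the three calls from the report and to show why --tenant alone cannot pick an identity.

```python
"""Model of how `az account get-access-token` selects a user identity.

Added illustration, not azure-cli's own implementation. Every account entry,
tenant membership and error message below is constructed for the example.
"""
from dataclasses import dataclass


@dataclass
class Account:
    """One entry of `az account list` (constructed)."""
    subscription: str
    tenant: str
    user: str
    is_default: bool = False


# Constructed state after the two logins in the report: userA logged in to
# tenant A first, userB logged in to tenant B afterwards and is therefore the
# current (default) account.
ACCOUNTS = [
    Account("sub-a-1111", "tenant-a", "userA@contoso.example", is_default=False),
    Account("sub-b-2222", "tenant-b", "userB@fabrikam.example", is_default=True),
]

# Constructed: tenants in which each user actually exists (home tenant plus any
# tenant that added them as a guest). userB has not been added to tenant A.
TENANT_MEMBERSHIP = {
    "userA@contoso.example": {"tenant-a"},
    "userB@fabrikam.example": {"tenant-b"},
}


class AccountNotFound(Exception):
    """No `az account list` entry has the requested subscription."""


class UserNotInTenant(Exception):
    """Stands in for the AADSTS50020 failure quoted in the thread."""


def select_account(accounts, subscription=None):
    """Step 1: choose the user identity.

    --subscription is the primary key of the account list, so it names exactly
    one user. Without it the current account is used, regardless of --tenant.
    """
    if subscription is None:
        return next(a for a in accounts if a.is_default)
    for acct in accounts:
        if acct.subscription == subscription:
            return acct
    raise AccountNotFound(subscription)


def get_access_token(accounts, membership, subscription=None, tenant=None):
    """Step 2: apply --tenant to the identity chosen in step 1.

    Returns the (user, tenant) pair the token would be issued for, or raises
    UserNotInTenant when that user does not exist in the requested tenant.
    """
    acct = select_account(accounts, subscription)
    tenant = tenant or acct.tenant
    if tenant not in membership.get(acct.user, set()):
        raise UserNotInTenant(f"{acct.user} does not exist in tenant {tenant}")
    return acct.user, tenant


def candidates_for_tenant(accounts, tenant):
    """Why --tenant cannot select an identity: several entries may share a
    tenant while belonging to different users, so the choice is ambiguous."""
    return sorted({a.user for a in accounts if a.tenant == tenant})


def reproduce():
    """The three calls from the report, in order: succeed, fail, succeed."""
    calls = (
        {"tenant": "tenant-b"},            # current user (userB) is in tenant B
        {"tenant": "tenant-a"},            # current user (userB) is NOT in tenant A
        {"subscription": "sub-a-1111"},    # selects userA, then tenant A
    )
    results = []
    for kwargs in calls:
        try:
            results.append(get_access_token(ACCOUNTS, TENANT_MEMBERSHIP, **kwargs))
        except UserNotInTenant as exc:
            results.append(str(exc))
    return results


if __name__ == "__main__":
    for outcome in reproduce():
        print(outcome)
    print(candidates_for_tenant(
        [Account("subA", "tenantA", "userA"), Account("subB", "tenantA", "userB")],
        "tenantA"))
```

The second call fails for the same reason as in the thread: --tenant never changes which user is selected, it only changes which tenant the already-selected user asks a token for, and the current user is not present there. Passing --subscription for a subscription in tenant A is the supported way to switch both the user and the tenant at once.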