
Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown.

clumsyhands opened this issue 1 year ago • 8 comments

Describe the bug

What does this error mean? There is nothing online about it. I receive this error when running `az ad app` commands from a local Az CLI.

Related command

```
az login
az ad app list
```

Errors

```
cli.azure.cli.core.azclierror: Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown.
az_command_data_logger: Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown.
```

Issue script & Debug output

```
cli.azure.cli.core.util: Response status: 401
cli.azure.cli.core.util: Response headers:
cli.azure.cli.core.util:     'Transfer-Encoding': 'chunked'
cli.azure.cli.core.util:     'Content-Type': 'application/json'
cli.azure.cli.core.util:     'Content-Encoding': 'gzip'
cli.azure.cli.core.util:     'Vary': 'Accept-Encoding'
cli.azure.cli.core.util:     'Strict-Transport-Security': 'max-age=31536000'
cli.azure.cli.core.util:     'request-id': 'ce3b4e87-736c-49ef-ad15-e1a49e05cb35'
cli.azure.cli.core.util:     'client-request-id': 'ce3b4e87-736c-49ef-ad15-e1a49e05cb35'
cli.azure.cli.core.util:     'x-ms-ags-diagnostic': '{"ServerInfo":{"DataCenter":"UK South","Slice":"E","Ring":"5","ScaleUnit":"004","RoleInstance":"LO1PEPF00001D5B"}}'
cli.azure.cli.core.util:     'WWW-Authenticate': 'Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="00000003-0000-0000-c000-000000000000", error_description="Continuous access evaluation resulted in challenge with result: InteractionRequired and code: TokenCreatedWithOutdatedPolicies", error="insufficient_claims", claims="eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwidmFsdWUiOiIxNzE4MTkwMTQyIn0sInhtc19ycF9pcGFkZHIiOnsidmFsdWUiOiIyMC42OC4yNDEuMzAifX19", PoP realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="00000003-0000-0000-c000-000000000000", nonce="eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjA1NjEyNTAxRDRFN0NGM0Q3RjYxOUUxNjMxQTQ4MDg1OTQyMTMyQjMifQ.eyJ0cyI6MTcxODE5MDEyMH0.M98MqWkUpDJpYBdGbUsbUKm_B28m-sYDP-BWgwWQY7qYvBrmsJmqDdZdDndeafHxfqlXoEhrIH-d8A2ahr1R--VIWBYEw53-l2uubWCFQOq6VrjbXCSB-hsOOu4uB86uhTD39yG_m5GuyVcVVtYZye2Ex6MHJzAzTwzcBmVrNxG3U9iXUR32dzP9l8dZhOaM7HaUHze9A_W1Efhv4BG2O82_a84U-GhPueo3jqn_H90VdBLup736XWcT6Gy2K6Fqp1sazW1qTJNwRFZaayMllYeBzSfjmBDBpMRjbe843IPEyH0blTfmDqWLgEbIgqgsl0mJUD4IBzW6ZFkdfKHWuA"'
cli.azure.cli.core.util:     'Date': 'Wed, 12 Jun 2024 11:02:22 GMT'
cli.azure.cli.core.util: Response content:
cli.azure.cli.core.util: {"error":{"code":"InvalidAuthenticationToken","message":"Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown.","innerError":{"date":"2024-06-12T11:02:22","request-id":"ce3b4e87-736c-49ef-ad15-e1a49e05cb35","client-request-id":"ce3b4e87-736c-49ef-ad15-e1a49e05cb35"}}}
```

Expected behavior

`az ad app list` should run without errors.

Environment Summary

```
azure-cli 2.61.0

core 2.61.0
telemetry 1.1.0

Extensions:
azure-devops 1.0.1

Dependencies:
msal 1.28.0
azure-mgmt-resource 23.1.1
```

Additional context

No response

clumsyhands, Jun 12 '24 11:06
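The `WWW-Authenticate` header in the debug output above is a Continuous Access Evaluation claims challenge, and the interesting part is the base64url `claims` parameter. As an added example (not code from the issue or from Azure CLI), a small Python helper that parses that header and decodes the challenge so you can see what Graph is demanding; the sample header is reconstructed from the debug output with the PoP `nonce` replaced by a placeholder.

```python
import base64
import json
import re
from datetime import datetime, timezone

# Constructed from the 401 WWW-Authenticate header in the issue's debug output;
# the Bearer claims value is verbatim, the PoP nonce is a placeholder.
SAMPLE_WWW_AUTHENTICATE = (
    'Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", '
    'client_id="00000003-0000-0000-c000-000000000000", '
    'error_description="Continuous access evaluation resulted in challenge with result: '
    'InteractionRequired and code: TokenCreatedWithOutdatedPolicies", error="insufficient_claims", '
    'claims="eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwidmFsdWUiOiIxNzE4MTkwMTQyIn0sInhtc19ycF9pcGFkZHIiOnsidmFsdWUiOiIyMC42OC4yNDEuMzAifX19", '
    'PoP realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", '
    'client_id="00000003-0000-0000-c000-000000000000", nonce="PLACEHOLDER_NONCE"'
)

# A scheme name either starts the header or follows ", ", and is followed by a param.
_SCHEME_RE = re.compile(r'(?:^|,\s*)([A-Za-z][\w-]*)\s+(?=[\w-]+=)')
_PARAM_RE = re.compile(r'([\w-]+)="([^"]*)"')


def parse_challenges(header: str) -> dict:
    """Split a WWW-Authenticate value into {scheme: {param: value}}."""
    starts = list(_SCHEME_RE.finditer(header))
    out = {}
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(header)
        out[m.group(1)] = dict(_PARAM_RE.findall(header[m.end():end]))
    return out


def decode_claims(claims_b64url: str) -> dict:
    """Decode the base64url claims challenge; Entra sends it without '=' padding."""
    padded = claims_b64url + "=" * (-len(claims_b64url) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def explain_cae_challenge(header: str) -> dict:
    """Summarise an insufficient_claims challenge: which access-token claims the
    resource now requires, with the nbf rendered as a readable UTC timestamp."""
    bearer = parse_challenges(header).get("Bearer", {})
    if bearer.get("error") != "insufficient_claims":
        return {"cae_challenge": False, "error": bearer.get("error")}
    required = {}
    for name, spec in decode_claims(bearer["claims"]).get("access_token", {}).items():
        entry = {"value": spec.get("value"), "essential": bool(spec.get("essential", False))}
        if name == "nbf" and entry["value"]:
            # Only a token issued at or after this instant will be accepted.
            nbf = datetime.fromtimestamp(int(entry["value"]), tz=timezone.utc)
            entry["not_before_utc"] = nbf.isoformat()
        required[name] = entry
    return {"cae_challenge": True, "reason": bearer.get("error_description", ""), "required": required}
```

For this header the decoded challenge is an essential `nbf` of 1718190142 (2024-06-12T11:02:22Z, the instant of the challenge), so Graph will only accept a token issued after that moment, which is why a cached token keeps failing until the client re-acquires one.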

Thank you for opening this issue, we will look into it.

yonzhan, Jun 12 '24 11:06

In case it's helpful to triangulate, I am now getting this error as of this morning using the azuread terraform provider with nothing having changed in my Terraform code. I'm filing something over there but I'll link it here.

SeanKilleen, Jun 13 '24 13:06

Hi,

I am seeing this same issue over the last few days.

I have found that if I bypass a conditional access policy we have that blocks based on geo network locations, it then works fine. I could not make this work without bypassing this policy. To my knowledge we have not modified this CA in quite some time, and it is only blocking limited countries.

I am also seeing this with the Az PowerShell module. Anything that tries to look up Entra-based objects or references seems to fail.

```
Get-AzRoleassignment: SharedTokenCacheCredential authentication unavailable. Token acquisition failed for user <USER>. Ensure that you have authenticated with a developer tool that supports Azure single sign on. realm: authorization_uri: https://login.microsoftonline.com/common/oauth2/authorize client_id: 00000003-0000-0000-c000-000000000000 error_description: Continuous access evaluation resulted in challenge with result: InteractionRequired and code: LocationConditionEvaluationSatisfied error: insufficient_claims
```

TimHodkin, Jun 19 '24 12:06

Just been hit with the same. 2 days ago it was fine. Now, with no change to the code, I get this with Terraform:

```
╷
│ Error: Retrieving Application with object ID "88b184d2-1b2c-45a2-86f9-cdae5f79c005"
│
│   with module.apim_instance.azuread_application.aad_application,
│   on ..\..\..\..\modules\azure\azure-apim\main.tf line 36, in resource "azuread_application" "aad_application":
│   36: resource "azuread_application" "aad_application" {
│
│ ApplicationsClient.BaseClient.Get(): unexpected status 401 with OData error: InvalidAuthenticationToken: Exception of
│ type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown.
╵
```

Same if I use `az ad app list`:

```
Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown.
```

Tried to exclude myself from all Conditional Access policies, but that didn't help.

durankeeley, Jun 26 '24 22:06

> In case it's helpful to triangulate, I am now getting this error as of this morning using the azuread terraform provider with nothing having changed in my Terraform code. I'm filing something over there but I'll link it here.

I've been getting the same error everyone else has, occasionally. As per Sean's linked issue, there is nothing I do that fixes the error other than time. It's hard to tell if logging out and logging back in is actually fixing anything.

Natasha-Kohli, Jul 02 '24 17:07

For those who are reaching this issue like me, I was able to work around it by setting the env variable AZURE_IDENTITY_DISABLE_CP1=1 prior to calling az ad sp... (export AZURE_IDENTITY_DISABLE_CP1=1 in a Linux env).

seblatre, Jul 04 '24 12:07

Same issue with all 'az ad' commands. No conditional policy or MFA on the account.

Resolution for me: Remove your .azure folder from the root (linux) and do the az login again to resolve it.

psinghca, Jul 31 '24 18:07

I'm intermittently seeing this exception while logged into az cli as a service principal (clientId + clientSecret) in a tenant with no Azure subscriptions while running commands to add/remove Entra ID users.

I first started seeing the exception after disabling and then re-enabling the service principal in the tenant.

az logout and/or az account clear followed by a fresh az login does not resolve the issue. Only waiting an indeterminate amount of time seems to fix the issue. My experience aligns with others in the thread in that the issue seems intermittent. I can't consistently repro it.

None of the workarounds proposed in the thread worked on my end.

I suspect this is likely an issue with Graph / the Entra ID service and not the az cli tool. Is there a good place for logging and tracking issues for Graph?

ashtmMSFT, Oct 16 '24 18:10

`$env:AZURE_IDENTITY_DISABLE_CP1=1` worked for me... not sure what it did... :(

drdamour, Oct 22 '24 16:10

> Same issue with all 'az ad' commands. No conditional policy or MFA on the account.
>
> Resolution for me: Remove your .azure folder from the root (linux) and do the az login again to resolve it.

I had the same issue on Windows and closing all terminals as well as all VS Code instances, then deleting the ".azure" folder in my user directory resolved it for me.

Exe0, Dec 18 '24 12:12

> Same issue with all 'az ad' commands. No conditional policy or MFA on the account. Resolution for me: Remove your .azure folder from the root (linux) and do the az login again to resolve it.

> I had the same issue on Windows and closing all terminals as well as all VS Code instances, then deleting the ".azure" folder in my user directory resolved it for me.

I hit this yesterday. Removing the .azure folder did not resolve the issue for me. A new .azure folder was created, and still the same issue.

inaun, Dec 20 '24 16:12

> AZURE_IDENTITY_DISABLE_CP1

This did not work for me.

inaun, Dec 20 '24 17:12

I had to set the environment variable AZURE_IDENTITY_DISABLE_CP1=1, then delete the .azure folder in the user's directory. After that it worked (just doing one or the other did not fix the problem for me).

inaun, Dec 20 '24 17:12

Hi, we're sending this friendly reminder because we haven't heard back from you in a while. We need more information about this issue to help address it. Please be sure to give us your input within the next 7 days. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!