azure-cli icon indicating copy to clipboard operation
azure-cli copied to clipboard
verified publisher icon Azure

`az login` fails with "Please select the account you want to log in with" when using WAM

Open austindonnelly opened this issue 1 year ago • 7 comments

Describe the bug

az login fails with: WARNING: Please select the account you want to log in with.

If I disable WAM, then the browser popup happens, and there I can chose between my normal corp account, or my SC-Alt account.

Related command

az login

Errors

$ az login WARNING: Please select the account you want to log in with.

Issue script & Debug output

$ az login --debug DEBUG: cli.knack.cli: Command arguments: ['login', '--debug'] DEBUG: cli.knack.cli: init debug log: Cannot enable color. DEBUG: cli.knack.cli: Event: Cli.PreExecute [] DEBUG: cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x0000017FB00AF880>, <function OutputProducer.on_global_arguments at 0x0000017FB02360C0>, <function CLIQuery.on_global_arguments at 0x0000017FB0263C40>] DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate [] DEBUG: cli.azure.cli.core: Modules found from index for 'login': ['azure.cli.command_modules.profile'] DEBUG: cli.azure.cli.core: Loading command modules: DEBUG: cli.azure.cli.core: Name Load Time Groups Commands DEBUG: cli.azure.cli.core: profile 0.021 2 8 DEBUG: cli.azure.cli.core: Total (1) 0.021 2 8 DEBUG: cli.azure.cli.core: Loaded 2 groups, 8 commands. DEBUG: cli.azure.cli.core: Found a match in the command table. DEBUG: cli.azure.cli.core: Raw command : login DEBUG: cli.azure.cli.core: Command table: login DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x0000017FB318E340>] DEBUG: cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\austind.azure\commands\2024-06-17.15-42-36.login.15428.log'. INFO: az_command_data_logger: command args: login --debug DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0x0000017FB31C67A0>] DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad [] DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x0000017FB31F87C0>, <function register_cache_arguments..add_cache_arguments at 0x0000017FB31F8900>] DEBUG: cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded [] DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreParseArgs [] DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x0000017FB0236160>, <function CLIQuery.handle_query_parameter at 0x0000017FB0263CE0>, <function register_ids_argument..parse_ids_arguments at 0x0000017FB31F8860>] DEBUG: cli.azure.cli.core.auth.persistence: build_persistence: location='C:\Users\austind\.azure\msal_token_cache.bin', encrypt=True DEBUG: cli.azure.cli.core.auth.binary_cache: load: C:\Users\austind.azure\msal_http_cache.bin DEBUG: urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None) INFO: msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/organizations DEBUG: msal.authority: openid_config("https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/organizations/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/{tenantid}/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/organizations/kerberos', 'tenant_region_scope': None, 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'} DEBUG: msal.application: Broker enabled? True DEBUG: msal.application: Falls back to broker._signin_interactively() WARNING: cli.azure.cli.core.auth.identity: Please select the account you want to log in with. DEBUG: msal.broker: [MSAL:0001] WARNING SetAuthorityString:98 Initializing authority from string 'https://login.microsoftonline.com/organizations' without authority type, defaulting to MsSts DEBUG: msal.broker: [MSAL:0002] INFO SetCorrelationId:273 Set correlation ID: 9a60c761-2d22-45a7-a419-d616e6bf9dfe DEBUG: msal.broker: [MSAL:0002] INFO ExecuteInteractiveRequest:1103 The original authority is 'https://login.microsoftonline.com/organizations' DEBUG: msal.broker: [MSAL:0002] WARNING TryNormalizeRealm:2295 No HomeAccountId provided to normalize the realm DEBUG: msal.broker: [MSAL:0002] INFO ExecuteInteractiveRequest:1114 The normalized realm is '' DEBUG: msal.broker: [MSAL:0002] INFO ModifyAndValidateAuthParameters:191 Additional query parameter added successfully. Key: '(pii)' Value: '(pii)' DEBUG: msal.broker: [MSAL:0002] INFO ModifyAndValidateAuthParameters:191 Additional query parameter added successfully. Key: '(pii)' Value: '(pii)' DEBUG: msal.broker: [MSAL:0002] INFO ModifyAndValidateAuthParameters:215 Authority Realm: organizations DEBUG: msal.broker: [MSAL:0003] WARNING ReturnResponseDueToMissingParameter:643 Attempted to read cache with a non-normalized realm, access token and ID token reads will fail DEBUG: msal.broker: [MSAL:0003] WARNING ReadAccountById:227 Account id is empty - account not found

Expected behavior

az login should popup WAM, to let me chose which of my 2 accounts I'd like to use.

Environment Summary

$ az --version azure-cli 2.61.0

core 2.61.0 telemetry 1.1.0

Dependencies: msal 1.28.0 azure-mgmt-resource 23.1.1

Python location 'C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe' Extensions directory 'C:\Users\austind.azure\cliextensions'

Python (Windows) 3.11.8 (tags/v3.11.8:db85d51, Feb 6 2024, 22:03:32) [MSC v.1937 64 bit (AMD64)]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

Additional context

Work-around is to disable WAM:

az config set core.enable_broker_on_windows=false

austindonnelly avatar Jun 17 '24 14:06 austindonnelly

Thank you for opening this issue, we will look into it.

yonzhan avatar Jun 17 '24 14:06 yonzhan

+1

Mohamad-Hamamah-Shift avatar Jun 26 '24 09:06 Mohamad-Hamamah-Shift

+1

onionhammer avatar Jul 04 '24 14:07 onionhammer

+1

CharlesCara avatar Aug 23 '24 14:08 CharlesCara

I've updated to az version 2.63.0 and this no longer repros for me. I see WAM pop up and I get to chose which account to use.

$ az --version
azure-cli                         2.63.0

core                              2.63.0
telemetry                          1.1.0

Extensions:
azure-cli-ml                      1.41.0

Dependencies:
msal                              1.30.0
azure-mgmt-resource               23.1.1

Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\austind\.azure\cliextensions'

Python (Windows) 3.11.8 (tags/v3.11.8:db85d51, Feb  6 2024, 21:52:07) [MSC v.1937 32 bit (Intel)]

austindonnelly avatar Aug 28 '24 12:08 austindonnelly

Same here. I followed this steps without success:

Sign into Azure interactively using the Azure CLI

Also, I tried to use the "Sign in to an organization" and it seems there's another issue related:

az login --use-device-code fails with "Sign in to an organisation"

andresospina0000 avatar Oct 16 '24 02:10 andresospina0000

This worked for me.

1st run the below code to manually input login info. It errored due to MFA requirement. Then I re-ran Connect-AzAccount and it worked.

$credential = Get-Credential Connect-AzAccount -Credential $credential

stevenpce avatar Oct 17 '24 00:10 stevenpce

The issue description contains no error message. WARNING: Please select the account you want to log in with. is not an error. It is only a warning indicating the WAM window is popped up.

Do you mean you are not seeing the WAM window?

jiasli avatar Oct 23 '24 06:10 jiasli

That's correct - there's no WAM popup. The az login prints the WARNING message, but exits without showing WAM UI.

Also, I should point out that this might depend on the version of Windows OS that's running. I can no longer repro this bug, and I'm running Windows 11 24H2 (OS Build 26120.2130) That's the ge_release_upr.

austindonnelly avatar Oct 24 '24 08:10 austindonnelly

Seeing this error via Powershell ISE and VCode on Windows 10 22H2

VSCode version 1.94.2 system setup

Name Value

PSVersion 7.4.6 PSEdition Core

az login
Select the account you want to log in with. For more information on login with Azure CLI, see https://go.microsoft.com/fwlink/?linkid=2271136
Unexpected exception while waiting for accounts control to finish: '(pii)'. Status: Response_Status.Status_Unexpected, Error code: -2147023584, Tag: 528315211
Please explicitly log in with:
az login

ISE - PSVersion 5.1.19041.5129

 C:\windows\system32> az login
az : WARNING: Select the account you want to log in with. For more information on login with Azure CLI, see https://go.microsoft.com/fwlink/?linkid=2271136
At line:1 char:1
+ az login
+ ~~~~~~~~
    + CategoryInfo          : NotSpecified: (WARNING: Select...?linkid=2271136:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
 
ERROR: Unexpected exception while waiting for accounts control to finish: '(pii)'. Status: Response_Status.Status_Unexpected, Error code: -2147023584, Tag: 528315211
Please explicitly log in with:
az login

az cli 2.66.0 installed via MSI

md7648 avatar Nov 14 '24 09:11 md7648

Just got this myslef.

It turns out a graphical login prompt is raised in the background. After minimizing all my windows i found it in the background.

MattHarrisUltima avatar Aug 28 '25 07:08 MattHarrisUltima

Please let me know if you need any more information.

When I do an az login the login prompt appears at the back of other windows open with no notification.

I found this out just by luck

MattHarrisUltima avatar Nov 21 '25 08:11 MattHarrisUltima

I can no longer repro this bug

austindonnelly avatar Nov 28 '25 11:11 austindonnelly