
Unable to run 'az ad user show --id [email protected]' on AzureML Ubuntu VM

Open dunalduck0 opened this issue 1 year ago • 4 comments

Describe the bug

I want to get my Entra ID programmatically via az ad user show --id [email protected]. When I run it on an AzureML Ubuntu VM (I ssh to this VM from my Windows workstation), I am getting the error below. The same command runs successfully on my Windows workstation.

cli.azure.cli.core.azclierror: AADSTS530003: Your device is required to be managed to access this resource. Trace ID: 9e5ee058-55f2-43d4-8fdd-7ae130103000 Correlation ID: 12055c6b-cc04-4bce-a4d4-cab52a130fff Timestamp: 2024-06-29 06:24:36Z
az_command_data_logger: AADSTS530003: Your device is required to be managed to access this resource. Trace ID: 9e5ee058-55f2-43d4-8fdd-7ae130103000 Correlation ID: 12055c6b-cc04-4bce-a4d4-cab52a130fff Timestamp: 2024-06-29 06:24:36Z

Another related symptom: I can run az login --use-device-code successfully on the Ubuntu VM. But if I add the option --scope https://graph.microsoft.com//.default, I am getting the error below. The option works fine on my Windows workstation: az login --scope https://graph.microsoft.com//.default.

[screenshot of the az login --scope error]

Related command

az ad user show --id [email protected]
az login --use-device-code --scope https://graph.microsoft.com//.default

Errors

See description above.

Issue script & Debug output

Here is the debug output for az ad user show --id [email protected] --debug

DEBUG: cli.knack.cli: Command arguments: ['ad', 'user', 'show', '--id', '[email protected]', '--debug']
DEBUG: cli.knack.cli: __init__ debug log:
Cannot enable color.
DEBUG: cli.knack.cli: Event: Cli.PreExecute []
DEBUG: cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x746a8570c040>, <function OutputProducer.on_global_arguments at 0x746a856b6200>, <function CLIQuery.on_global_arguments at 0x746a856f3ce0>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
DEBUG: cli.azure.cli.core: Modules found from index for 'ad': ['azure.cli.command_modules.role']
DEBUG: cli.azure.cli.core: Loading command modules:
DEBUG: cli.azure.cli.core: Name                  Load Time    Groups  Commands
DEBUG: cli.azure.cli.core: role                      0.004        17        61
DEBUG: cli.azure.cli.core: Total (1)                 0.004        17        61
DEBUG: cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
DEBUG: cli.azure.cli.core: Loading extensions:
DEBUG: cli.azure.cli.core: Name                  Load Time    Groups  Commands  Directory
DEBUG: cli.azure.cli.core: Total (0)                 0.000         0         0
DEBUG: cli.azure.cli.core: Loaded 17 groups, 61 commands.
DEBUG: cli.azure.cli.core: Found a match in the command table.
DEBUG: cli.azure.cli.core: Raw command  : ad user show
DEBUG: cli.azure.cli.core: Command table: ad user show
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x746a84674e00>]
DEBUG: cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/home/REDACT/.azure/commands/2024-06-29.06-51-17.ad_user_show.1062634.log'.
INFO: az_command_data_logger: command args: ad user show --id {} --debug
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x746a846cf060>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x746a8472d1c0>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x746a8472d300>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x746a856b62a0>, <function CLIQuery.handle_query_parameter at 0x746a856f3d80>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x746a8472d260>]
DEBUG: cli.azure.cli.core.util: Retrieving token for resource https://graph.microsoft.com/
DEBUG: cli.azure.cli.core.auth.persistence: build_persistence: location='/home/REDACT/.azure/msal_token_cache.json', encrypt=False
DEBUG: cli.azure.cli.core.auth.binary_cache: load: /home/REDACT/.azure/msal_http_cache.bin
DEBUG: urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
INFO: msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47
DEBUG: msal.authority: openid_config("https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/kerberos', 'tenant_region_scope': 'WW', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
DEBUG: msal.application: Broker enabled? None
DEBUG: cli.azure.cli.core.auth.msal_authentication: UserCredential.get_token: scopes=('https://graph.microsoft.com//.default',), claims=None, kwargs={}
DEBUG: msal.application: Found 1 RTs matching {'environment': 'login.microsoftonline.com', 'home_account_id': '.72f988bf-86f1-41af-91ab-2d7cd011db47', 'family_id': '1'}
DEBUG: msal.telemetry: Generate or reuse correlation_id: b70b6628-f204-44de-aab3-c0e51e80cf10
DEBUG: msal.application: Cache attempts an RT
DEBUG: msal.application: Refresh failed. invalid_grant: AADSTS530003: Your device is required to be managed to access this resource. Trace ID: a3c52841-d43e-4d86-88e7-d0f2c3862b00 Correlation ID: 53263086-9034-477f-b299-66436a86d9d2 Timestamp: 2024-06-29 06:51:14Z
DEBUG: msal.application: Found 1 RTs matching {'environment': 'login.microsoftonline.com', 'home_account_id': '.72f988bf-86f1-41af-91ab-2d7cd011db47', 'client_id': '04b07795-8ddb-461a-bbee-02f9e1bf7b46'}
DEBUG: msal.telemetry: Generate or reuse correlation_id: b70b6628-f204-44de-aab3-c0e51e80cf10
DEBUG: msal.application: Cache attempts an RT
DEBUG: msal.application: Refresh failed. invalid_grant: AADSTS530003: Your device is required to be managed to access this resource. Trace ID: a3c52841-d43e-4d86-88e7-d0f2c3862b00 Correlation ID: 53263086-9034-477f-b299-66436a86d9d2 Timestamp: 2024-06-29 06:51:14Z
DEBUG: cli.azure.cli.core.azclierror: Traceback (most recent call last):
  File "/opt/az/lib/python3.11/site-packages/knack/cli.py", line 233, in invoke
    cmd_result = self.invocation.execute(args)
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 664, in execute
    raise ex
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 731, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 723, in _run_job
    return cmd_copy.exception_handler(ex)
  File "/opt/az/lib/python3.11/site-packages/azure/cli/command_modules/role/commands.py", line 51, in graph_err_handler
    raise ex
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 701, in _run_job
    result = cmd_copy(params)
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 334, in __call__
    return self.handler(*args, **kwargs)
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/command_operation.py", line 363, in handler
    show_exception_handler(ex)
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/arm.py", line 432, in show_exception_handler
    raise ex
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/command_operation.py", line 361, in handler
    return op(**command_args)
  File "/opt/az/lib/python3.11/site-packages/azure/cli/command_modules/role/custom.py", line 1859, in show_user
    return client.user_get(upn_or_object_id)
  File "/opt/az/lib/python3.11/site-packages/azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 304, in user_get
    result = self._send("GET", "{}".format(_get_user_url(id_or_upn)))
  File "/opt/az/lib/python3.11/site-packages/azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 52, in _send
    r = send_raw_request(self._cli_ctx, method, url, resource=self._resource, uri_parameters=param,
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/util.py", line 983, in send_raw_request
    token_info, _, _ = profile.get_raw_token(resource)
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/_profile.py", line 406, in get_raw_token
    sdk_token = credential.get_token(*scopes)
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/auth/msal_authentication.py", line 74, in get_token
    check_result(result, scopes=scopes, claims=claims)
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/auth/util.py", line 139, in check_result
    aad_error_handler(result, **kwargs)
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/auth/util.py", line 43, in aad_error_handler
    raise AuthenticationError(error_description, msal_error=error, recommendation=login_message)
azure.cli.core.azclierror.AuthenticationError: AADSTS530003: Your device is required to be managed to access this resource. Trace ID: a3c52841-d43e-4d86-88e7-d0f2c3862b00 Correlation ID: 53263086-9034-477f-b299-66436a86d9d2 Timestamp: 2024-06-29 06:51:14Z

ERROR: cli.azure.cli.core.azclierror: AADSTS530003: Your device is required to be managed to access this resource. Trace ID: a3c52841-d43e-4d86-88e7-d0f2c3862b00 Correlation ID: 53263086-9034-477f-b299-66436a86d9d2 Timestamp: 2024-06-29 06:51:14Z
ERROR: az_command_data_logger: AADSTS530003: Your device is required to be managed to access this resource. Trace ID: a3c52841-d43e-4d86-88e7-d0f2c3862b00 Correlation ID: 53263086-9034-477f-b299-66436a86d9d2 Timestamp: 2024-06-29 06:51:14Z
Interactive authentication is needed. Please run:
az login --scope https://graph.microsoft.com//.default
DEBUG: cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x746a84675080>]
INFO: az_command_data_logger: exit code: 1
INFO: cli.__main__: Command ran in 0.291 seconds (init: 0.148, invoke: 0.142)
INFO: telemetry.main: Begin splitting cli events and extra events, total events: 1
INFO: telemetry.client: Accumulated 0 events. Flush the clients.
INFO: telemetry.main: Finish splitting cli events and extra events, cli events: 1
INFO: telemetry.save: Save telemetry record of length 3995 in cache
INFO: telemetry.main: Begin creating telemetry upload process.
INFO: telemetry.process: Creating upload process: "/opt/az/bin/python3 /opt/az/lib/python3.11/site-packages/azure/cli/telemetry/__init__.py /home/REDACT/.azure"
INFO: telemetry.process: Return from creating process
INFO: telemetry.main: Finish creating telemetry upload process.

Expected behavior

az ad user show --id [email protected] should run successfully on AzureML Ubuntu VM

Environment Summary

azure-cli                         2.61.0
core                              2.61.0
telemetry                          1.1.0

Extensions:
ml                                2.26.1

Dependencies:
msal                              1.28.0
azure-mgmt-resource               23.1.1

Python location '/opt/az/bin/python3'
Extensions directory '/home/REDACT/.azure/cliextensions'

Python (Linux) 3.11.8 (main, May 16 2024, 03:47:28) [GCC 11.4.0]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

Additional context

No response

dunalduck0 avatar Jun 29 '24 06:06 dunalduck0

Thank you for opening this issue, we will look into it.

yonzhan avatar Jun 29 '24 06:06 yonzhan

https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes doesn't document AADSTS530003, but I guess it is the same issue as https://learn.microsoft.com/en-us/cli/azure/microsoft-graph-migration#graph-command-fails-with-aadsts50005-or-aadsts53000, that is, Microsoft tenant (72f988bf-86f1-41af-91ab-2d7cd011db47) doesn't allow using device code flow to access Microsoft Graph.

There is a feature request https://github.com/Azure/azure-cli/issues/22776 to show the signed in account's object ID, but that feature request was suspended due to several unsettled security discussions. You may follow https://github.com/Azure/azure-cli/issues/22776#issue-1264203875 to retrieve the object ID from the access token.

jiasli avatar Jul 01 '24 09:07 jiasli

> https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes doesn't document AADSTS530003, but I guess it is the same issue as https://learn.microsoft.com/en-us/cli/azure/microsoft-graph-migration#graph-command-fails-with-aadsts50005-or-aadsts53000, that is, Microsoft tenant (72f988bf-86f1-41af-91ab-2d7cd011db47) doesn't allow using device code flow to access Microsoft Graph.
>
> There is a feature request #22776 to show the signed in account's object ID, but that feature request was suspended due to several unsettled security discussions. You may follow #22776 (comment) to retrieve the object ID from the access token.

Thank you @jiasli for the workaround. Do you have a similar one for az ad sp list?

dunalduck0 avatar Jul 02 '24 01:07 dunalduck0

You may use the same approach to get the object ID for a service principal. If this is not what you want, what information do you want to extract from az ad sp list?

jiasli avatar Jul 02 '24 07:07 jiasli

@jiasli The approach works for my own object ID because I can az login as myself. But I cannot az login as other objects, such as a service principal for a workspace named 'gcrllama2ws'. I cannot get an access token tied to gcrllama2ws and thus cannot apply the same approach to extract the object ID of gcrllama2ws from an access token. Am I correct?

dunalduck0 avatar Jul 05 '24 23:07 dunalduck0

> I cannot get access token tied to gcrllama2ws

Why can't? Is there any error when running az account get-access-token?

jiasli avatar Jul 08 '24 08:07 jiasli

@jiasli az account get-access-token only returns the ID for the current user who logged in with az login. It does not return the ID for other entities. So there is no error when running az account get-access-token. But you can only get the ID for yourself, not for any service principal entity such as 'gcrllama2ws'.

dunalduck0 avatar Jul 09 '24 19:07 dunalduck0

> I cannot az login as other objects, such as a service principal for a workspace named 'gcrllama2ws'.

What is the relationship between the login service principal and gcrllama2ws?

If gcrllama2ws is different from the login service principal, you need to assign Application.Read.All permission to the login service principal in order to run az ad sp list. This is the designed behavior of Microsoft Graph.

jiasli avatar Jul 10 '24 02:07 jiasli
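The two workarounds in this thread (reading the signed-in principal's object ID out of the access token instead of calling Microsoft Graph, and checking whether the signed-in principal holds Application.Read.All before trying az ad sp list) both come down to inspecting the claims of a token the CLI already has. The script below is an added example, not azure-cli code and not something either participant posted. It assumes only that az login has succeeded and that az account get-access-token --resource-type ms-graph (or --resource-type arm) is available; the SAMPLE_* claim sets and make_sample_token are constructed for offline demonstration and carry no real signature.

```python
"""Added example (not azure-cli's code and not from this thread): read the
signed-in identity's object ID, tenant and Microsoft Graph permissions out
of an Entra access token locally, instead of asking Graph for them."""
import base64
import json
import subprocess

# Audience values Entra puts in tokens issued for Microsoft Graph.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}

# Any one of these delegated scopes / app roles lets GET /servicePrincipals succeed.
SP_LIST_PERMISSIONS = {
    "Application.Read.All", "Application.ReadWrite.All",
    "Directory.Read.All", "Directory.ReadWrite.All",
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Payload claims of a compact JWT (header.payload.signature).

    The signature is deliberately NOT verified: this inspects a token Entra
    just issued to *us*. Never use it to trust a token received from someone else."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def identity_from_token(token: str) -> dict:
    """Who the token was issued to: object ID, tenant, user vs. service principal."""
    c = jwt_claims(token)
    # 'idtyp' is an optional claim; delegated (user) tokens carry 'scp', app-only ones 'roles'.
    kind = c.get("idtyp") or ("user" if "scp" in c else "app")
    return {
        "oid": c.get("oid"),
        "tid": c.get("tid"),
        "kind": kind,
        "principal": c.get("preferred_username") or c.get("upn") or c.get("appid"),
    }


def graph_permissions(token: str) -> set:
    """Delegated scopes ('scp') plus app roles ('roles') carried by a Graph token."""
    c = jwt_claims(token)
    if c.get("aud") not in GRAPH_AUDIENCES:
        raise ValueError(f"token audience {c.get('aud')!r} is not Microsoft Graph")
    return set(c.get("scp", "").split()) | set(c.get("roles", []))


def can_list_service_principals(token: str) -> bool:
    """Pre-flight for 'az ad sp list': does the token carry a permission Graph accepts?"""
    return bool(graph_permissions(token) & SP_LIST_PERMISSIONS)


def cli_token(resource_type: str = "ms-graph") -> str:
    """Fetch the CLI's cached token after 'az login' (needs the az binary on PATH)."""
    out = subprocess.run(
        ["az", "account", "get-access-token", "--resource-type", resource_type,
         "--query", "accessToken", "-o", "tsv"],
        check=True, capture_output=True, text=True)
    return out.stdout.strip()


def make_sample_token(claims: dict) -> str:
    """Build an UNSIGNED token from constructed claims, for offline demonstration only."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "not-a-signature"])


# Constructed claim sets mimicking a delegated user token and an app-only token.
SAMPLE_USER_CLAIMS = {
    "aud": "https://graph.microsoft.com", "tid": "11111111-2222-3333-4444-555555555555",
    "oid": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "upn": "alice@example.com",
    "scp": "User.Read openid profile",
}
SAMPLE_APP_CLAIMS = {
    "aud": "00000003-0000-0000-c000-000000000000", "tid": "11111111-2222-3333-4444-555555555555",
    "oid": "99999999-8888-7777-6666-555555555555", "appid": "12345678-0000-0000-0000-000000000000",
    "roles": ["Application.Read.All"],
}

if __name__ == "__main__":
    # Swap make_sample_token(SAMPLE_USER_CLAIMS) for cli_token() to inspect your real session.
    tok = make_sample_token(SAMPLE_USER_CLAIMS)
    print(identity_from_token(tok))
    print("can run 'az ad sp list':", can_list_service_principals(tok))
```

Two caveats. First, this does not get around the error in the report: the AADSTS530003 text says the tenant's policy is about the device's management state, so no flow from the unmanaged VM will yield a Graph token. A user token for the default ARM resource (cli_token("arm")) still carries oid and tid, which is enough for the "find my own object ID" case, but graph_permissions() will refuse it by audience, as it should. Second, the oid in an app-only token is the service principal's object ID, so logging in with the gcrllama2ws credential and decoding its token is the only way to learn that SP's ID without the Application.Read.All (or Directory.Read.All) permission the Graph listing call requires.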

I am not sure if I understand the question "What is the relationship between the login service principal and gcrllama2ws?". What I am trying to do is:

  • az login with my SC-Alt account, e.g. [email protected]
  • az ad sp list --display-name gcrllama2ws which is blocked by AADSTS70043

So I guess the "login service principal" is my Entra ID, not really a service principal, and not an app either. I am not sure if I could assign my Entra ID the role of "Application.Read.All". But that's an interesting idea.

dunalduck0 avatar Jul 11 '24 21:07 dunalduck0