`azd pipeline config` - device is required to be managed to access this resource

Open v-hongli1 opened this issue 3 years ago • 5 comments

Describe the issue: Failed when we try to run the commands `azd pipeline config` and `azd pipeline config --provider azdo`.

Besides, it is a similar error to https://github.com/Azure/azure-dev/issues/768.

Repro Steps:

  1. Run `azd login`
  2. Run `bash ./test-templates.sh -t Azure-Sample/todo-nodejs-mongo-swa-func -b pr/551 -c false`
  3. Run `azd pipeline config` or `azd pipeline config --provider azdo`

Error Message: image

Environment:

  • OS: DevContainer in VS Code
  • Template: https://github.com/Azure-Samples/todo-nodejs-mongo-swa-func, https://github.com/Azure-Samples/todo-python-mongo-swa-func

Expected behavior: Running the commands `azd pipeline config` and `azd pipeline config --provider azdo` can succeed.

@jongio for notification.

v-hongli1 avatar Oct 11 '22 10:10 v-hongli1

@vhvb1989 can you triage this? Seems like folks are running into this often? Any fixes or improvements on docs we could make?

rajeshkamal5050 avatar Oct 11 '22 16:10 rajeshkamal5050

This is not really an azd issue.

Explanation: Conditional Access policy can be set up for Azure subscriptions. When this policy is enabled for a tenant (Azure Subscription), there are specific rules which determine the min requirements for logging in to the Azure Subscription (or to specific operations/areas within the subscription).

In this case, @hongli750210, you are trying to log in to an Azure subscription and access the Active Directory operations (to create Service Principals), which requires that the device that is used to log in to Azure is managed by the Tenant. An example of this is the Microsoft tenant. If you want to log in with your Microsoft account to the Azure portal (requires Active Directory), you first need to enroll/register your device/computer/browser-session with your tenant, so it becomes managed by the Organization.

In order to fix this, make sure that you can log in to Azure with the device you are using. For example, if you are using DevContainer in VS Code, it means you might be running a Linux distribution with Docker and connecting VS Code to it. Run a browser from the container and try to access the Azure Portal with your account. That would validate the device and enroll/register it to the Azure Tenant.

I will try to see if we can make any changes to the container to support this. If not, we should document that `azd pipeline config` is not supported from the devContainer.

vhvb1989 avatar Oct 11 '22 16:10 vhvb1989

@vhvb1989

  1. After investigating, we found that azd detects it's in a devcontainer and logs in with `--use-device-code`. About this issue, we can run a browser from the container through the `az login` method. After testing, the issue is no longer reproduced. Do you think this way is feasible, or do you have another way?

  2. Back to the way of logging in with `--use-device-code`: there are currently two environments that use this way to log in.

  • Devcontainer: After failing to execute `azd pipeline config`, we can run `az login --scope https://graph.microsoft.com//.default` to re-authenticate, and tests can pass.
  • Codespace: When we run the command above, it cannot re-authenticate successfully.

  3. For the Linux Ubuntu 20.04 environment: At present, the two login methods `az login` and `az login --use-device-code` both give the error message `device is required to be managed to access this resource` when executing `azd pipeline config`.

Do you have any ideas to fix this issue in codespace and Linux environment?

zedy-wj avatar Oct 13 '22 09:10 zedy-wj

> Do you have any ideas to fix this issue in codespace and Linux environment?

Please skip these environments for now. We need to make azd return an error and mention that pipeline config is not supported for those configurations.

Until that is done, please skip those scenarios from pipeline config tests to unblock.

vhvb1989 avatar Oct 17 '22 21:10 vhvb1989

@puicchan or @savannahostrowski - We may want to publish a known issue on this one until fixed.

jongio avatar Oct 20 '22 17:10 jongio

@puicchan @vhvb1989 can we also add this to the known issues?

rajeshkamal5050 avatar Oct 28 '22 16:10 rajeshkamal5050

Removing blocker for this one. Since it is getting tracked under,

  • https://github.com/Azure/azure-dev/issues/957 which is a blocker for the release.

rajeshkamal5050 avatar Oct 31 '22 22:10 rajeshkamal5050

Hannah has added to Dev Hub.

puicchan avatar Nov 02 '22 22:11 puicchan

If we use the `az login` method, this issue no longer reproduces in devcontainer and Linux desktop. Besides, we will skip the `azd pipeline config` test in codespace. If you have no other questions, we will close this issue.

Notes: Using az login in codespace and Linux environments requires port forwarding. Please refer to https://github.com/Azure/azure-dev/issues/1006#issuecomment-1293088916 for details.

zedy-wj avatar Nov 03 '22 09:11 zedy-wj