Account selection window pops up after Connect-AzAccount fails with "user canceled authentication"

Open qishengc opened this issue 1 year ago • 23 comments

Description

I was on Az.Accounts V2.13.1, and my script was working fine, but today, after updating to the latest Az.Accounts V3.0.0, Connect-AzAccount always succeeds with the warning "WARNING: Unable to acquire token for tenant ...", and although it looks like it connected successfully, no Az operations such as Get-AzSubscription execute successfully; they report the same warning:

Here are details:

  1. Way 1: use PSCredential
$Username = '[email protected]' # example
$Password = 'example'
# Build a PSCredential from the plain-text example password
$psCred = New-Object System.Management.Automation.PSCredential -ArgumentList ($Username, (ConvertTo-SecureString -String $Password -AsPlainText -Force))
Connect-AzAccount -Credential $psCred

Result:

Retrieving subscriptions for the selection...

[Announcements]
With the new Azure PowerShell login experience, you can select the subscription you want to use more easily. Learn more about it and its configuration at https://go.microsoft.com/fwlink/?linkid=2271909.

If you encounter any problem, please open an issue at: https://aka.ms/azpsissue

Subscription name                            Tenant
-----------------                            ------
Non-Prod PAYG AS on a830edad9050849paygmsit3 TEST_TEST_E3_SelfServiceHb_202306290544_85XBofcIeP

Even though it appears to have connected successfully, running Get-AzSubscription to test returns no result, with the warning below (repeated in console):
WARNING: Unable to acquire token for tenant 'a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa' with error 'Authentication failed against tenant a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa. User interaction is required. This may be due to the conditional access policy settings such as multi-factor authentication (MFA). If you need to access subscriptions in that tenant, please rerun 'Connect-AzAccount' with additional parameter '-TenantId a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa'.'
WARNING: Unable to acquire token for tenant 'a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa' with error 'Authentication failed against tenant a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa. User interaction is required. This may be due to the conditional access policy settings such as multi-factor authentication (MFA). If you need to access subscriptions in that tenant, please rerun 'Connect-AzAccount' with additional parameter '-TenantId a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa'.'


  2. Way 2: Interactive login
 Connect-AzAccount -TenantId a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa

Result:

Please select the account you want to login with.

Connect-AzAccount: InteractiveBrowserCredential authentication failed: User canceled authentication.
Could not find tenant id for provided tenant domain 'a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa'. Please ensure that the provided user is found in the provided tenant domain.

I have no chance to select any thing, the login window appears after the above message.


  3. Way 3: Use DeviceCode
Connect-AzAccount -DeviceCode

Result:

Please select the account you want to login with.

[Login to Azure] To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code AJEAZZDUG to authenticate.
Retrieving subscriptions for the selection...
WARNING: Unable to acquire token for tenant 'a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa' with error 'Authentication failed against tenant a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa. User interaction is required. This may be due to the conditional access policy settings such as multi-factor authentication (MFA). If you need to access subscriptions in that tenant, please rerun 'Connect-AzAccount' with additional parameter '-TenantId a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa'.'

[Announcements]
With the new Azure PowerShell login experience, you can select the subscription you want to use more easily. Learn more about it and its configuration at https://go.microsoft.com/fwlink/?linkid=2271909.

If you encounter any problem, please open an issue at: https://aka.ms/azpsissue

Subscription name                            Tenant
-----------------                            ------
Non-Prod PAYG AS on a830edad9050849paygmsit3 TEST_TEST_E3_SelfServiceHb_202306290544_85XBofcIeP

Even though it appears to have connected successfully, running Get-AzSubscription to test returns no result, with the warning below (repeated in console):
WARNING: Unable to acquire token for tenant 'a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa' with error 'Authentication failed against tenant a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa. User interaction is required. This may be due to the conditional access policy settings such as multi-factor authentication (MFA). If you need to access subscriptions in that tenant, please rerun 'Connect-AzAccount' with additional parameter '-TenantId a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa'.'
WARNING: Unable to acquire token for tenant 'a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa' with error 'Authentication failed against tenant a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa. User interaction is required. This may be due to the conditional access policy settings such as multi-factor authentication (MFA). If you need to access subscriptions in that tenant, please rerun 'Connect-AzAccount' with additional parameter '-TenantId a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa'.'


Issue script & Debug output

$DebugPreference='Continue'
Get-AzSubscription
DEBUG: 11:36:12 PM - [ConfigManager] Got nothing from [DisplaySecretsWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 11:36:12 PM - GetAzureRMSubscriptionCommand begin processing with ParameterSet 'ListByIdInTenant'.
DEBUG: 11:36:12 PM - using account id 'automation@***.onmicrosoft.com'...
DEBUG: 11:36:12 PM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 11:36:12 PM - [ConfigManager] Got nothing from [DisableInstanceDiscovery], Module = [], Cmdlet = []. Returning default value [False].
DEBUG: 11:36:12 PM - [ConfigManager] Got nothing from [EnableLoginByWam], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 11:36:12 PM - [SilentAuthenticator] Calling SharedTokenCacheCredential.GetTokenAsync - TenantId:'a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa', Scopes:'https://management.core.windows.net//.default', AuthorityHost:'https://login.microsoftonline.com/', UserId:'[email protected]'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - 002f97b6-87e4-452d-8b47-c4d7b2eef2f8] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - 002f97b6-87e4-452d-8b47-c4d7b2eef2f8] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - 002f97b6-87e4-452d-8b47-c4d7b2eef2f8] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - 002f97b6-87e4-452d-8b47-c4d7b2eef2f8] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - 002f97b6-87e4-452d-8b47-c4d7b2eef2f8] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [Runtime] WAM supported OS.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [RuntimeBroker] ListWindowsWorkAndSchoolAccounts option was not enabled.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - 197572b7-1a7e-4392-9f9d-fa162e7eefb3] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] Found 1 cache accounts and 0 broker accounts
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] Returning 1 accounts
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - a6f4c117-599e-4d30-8000-83ab3cfb3e33] MSAL MSAL.CoreCLR with assembly version '4.60.3.0'. CorrelationId(a6f4c117-599e-4d30-8000-83ab3cfb3e33)
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - a6f4c117-599e-4d30-8000-83ab3cfb3e33] === AcquireTokenSilent Parameters ===
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - a6f4c117-599e-4d30-8000-83ab3cfb3e33] LoginHint provided: False
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - a6f4c117-599e-4d30-8000-83ab3cfb3e33] Account provided: True
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - a6f4c117-599e-4d30-8000-83ab3cfb3e33] ForceRefresh: False
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - a6f4c117-599e-4d30-8000-83ab3cfb3e33]
=== Request Data ===
Authority Provided? - True
Scopes - https://management.core.windows.net//.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - True
HomeAccountId - False
CorrelationId - a6f4c117-599e-4d30-8000-83ab3cfb3e33
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:

DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - a6f4c117-599e-4d30-8000-83ab3cfb3e33] === Token Acquisition (SilentRequest) started:
         Scopes: https://management.core.windows.net//.default
        Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - a6f4c117-599e-4d30-8000-83ab3cfb3e33] Broker is configured and enabled, attempting to use broker instead.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [Runtime] WAM supported OS.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - a6f4c117-599e-4d30-8000-83ab3cfb3e33] Can invoke broker. Will attempt to acquire token with broker.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0001]      WARNING SetAuthorityString:98     Initializing authority from string 'https://login.microsoftonline.com/a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa/' without authority type, defaulting to MsSts
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0002]      ERROR   ErrorInternalImpl:134     Created an error: 5vt4a, StatusInternal::AccountNotFound, InternalEvent::None, Error Code 0, Context 'Account with id '(pii)' not found'
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0002]      INFO    LogTelemetryData:393      Printing Telemetry for Correlation ID: a6f4c117-599e-4d30-8000-83ab3cfb3e33
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0002]      INFO    LogTelemetryData:401      Key: start_time, Value: 2024-05-22T06:36:12.000Z
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0002]      INFO    LogTelemetryData:401      Key: api_name, Value: ReadAccountById
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0002]      INFO    LogTelemetryData:401      Key: was_request_throttled, Value: false
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0002]      INFO    LogTelemetryData:401      Key: authority_type, Value: Unknown
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0002]      INFO    LogTelemetryData:401      Key: msal_version, Value: 1.1.0+local
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0002]      INFO    LogTelemetryData:401      Key: correlation_id, Value: a6f4c117-599e-4d30-8000-83ab3cfb3e33
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0002]      INFO    LogTelemetryData:401      Key: broker_app_used, Value: false
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0002]      INFO    LogTelemetryData:401      Key: stop_time, Value: 2024-05-22T06:36:12.000Z
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0002]      INFO    LogTelemetryData:401      Key: all_error_tags, Value: 5vt4a
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0002]      INFO    LogTelemetryData:401      Key: msalruntime_version, Value: 0.16.0
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0002]      INFO    LogTelemetryData:401      Key: api_error_code, Value: 0
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0002]      INFO    LogTelemetryData:401      Key: api_error_tag, Value: 5vt4a
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0002]      INFO    LogTelemetryData:401      Key: api_status_code, Value: StatusInternal::AccountNotFound
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0002]      INFO    LogTelemetryData:401      Key: api_error_context, Value: Account with id '(pii)' not found
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0002]      INFO    LogTelemetryData:401      Key: is_successful, Value: false
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0002]      INFO    LogTelemetryData:401      Key: request_duration, Value: 0
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [RuntimeBroker] Could not find a WAM account for the selected user. Error: Status: AccountNotFound
Context: Account with id '(pii)' not found
Tag: 0x1f553780
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - a6f4c117-599e-4d30-8000-83ab3cfb3e33] Exception type: Microsoft.Identity.Client.MsalUiRequiredException
, ErrorCode: wam_no_account_for_id
HTTP StatusCode 0
CorrelationId a6f4c117-599e-4d30-8000-83ab3cfb3e33
To see full exception details, enable PII Logging. See https://aka.ms/msal-net-logging
   at Microsoft.Identity.Client.Internal.Requests.Silent.SilentRequest.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.Identity.Client.Utils.StopwatchService.MeasureCodeBlockAsync(Func`1 codeBlock)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)

DEBUG: SharedTokenCacheCredential.GetToken was unable to retrieve an access token. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:  Exception: Azure.Identity.CredentialUnavailableException (0x80131500): SharedTokenCacheCredential authentication unavailable. Token acquisition failed for user [email protected]. Ensure that you have authenticated with a developer tool that supports Azure single sign on.
 ---> Microsoft.Identity.Client.MsalUiRequiredException (0x80131500): Could not find a WAM account for the selected user. Error: Status: AccountNotFound
Context: Account with id '(pii)' not found
Tag: 0x1f553780
WARNING: Unable to acquire token for tenant 'a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa' with error 'Authentication failed against tenant a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa. User interaction is required. This may be due to the conditional access policy settings such as multi-factor authentication (MFA). If you need to access subscriptions in that tenant, please rerun 'Connect-AzAccount' with additional parameter '-TenantId a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa'.'
DEBUG: 11:36:12 PM - [ConfigManager] Got nothing from [DisableInstanceDiscovery], Module = [], Cmdlet = []. Returning default value [False].
DEBUG: 11:36:12 PM - [ConfigManager] Got nothing from [EnableLoginByWam], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 11:36:12 PM - [SilentAuthenticator] Calling SharedTokenCacheCredential.GetTokenAsync - TenantId:'a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa', Scopes:'https://management.core.windows.net//.default', AuthorityHost:'https://login.microsoftonline.com/', UserId:'[email protected]'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - 92c130e5-19e2-413b-ab5c-6109629873bc] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - 92c130e5-19e2-413b-ab5c-6109629873bc] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - 92c130e5-19e2-413b-ab5c-6109629873bc] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - 92c130e5-19e2-413b-ab5c-6109629873bc] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - 92c130e5-19e2-413b-ab5c-6109629873bc] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [Runtime] WAM supported OS.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [RuntimeBroker] ListWindowsWorkAndSchoolAccounts option was not enabled.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - bd4ad8a7-d588-4a61-9921-8eb04f00724e] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] Found 1 cache accounts and 0 broker accounts
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] Returning 1 accounts
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - 455ca45e-0cc8-495f-9bfa-e8904288fd25] MSAL MSAL.CoreCLR with assembly version '4.60.3.0'. CorrelationId(455ca45e-0cc8-495f-9bfa-e8904288fd25)
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - 455ca45e-0cc8-495f-9bfa-e8904288fd25] === AcquireTokenSilent Parameters ===
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - 455ca45e-0cc8-495f-9bfa-e8904288fd25] LoginHint provided: False
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - 455ca45e-0cc8-495f-9bfa-e8904288fd25] Account provided: True
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - 455ca45e-0cc8-495f-9bfa-e8904288fd25] ForceRefresh: False
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - 455ca45e-0cc8-495f-9bfa-e8904288fd25]
=== Request Data ===
Authority Provided? - True
Scopes - https://management.core.windows.net//.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - True
HomeAccountId - False
CorrelationId - 455ca45e-0cc8-495f-9bfa-e8904288fd25
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:

DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - 455ca45e-0cc8-495f-9bfa-e8904288fd25] === Token Acquisition (SilentRequest) started:
         Scopes: https://management.core.windows.net//.default
        Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - 455ca45e-0cc8-495f-9bfa-e8904288fd25] Broker is configured and enabled, attempting to use broker instead.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [Runtime] WAM supported OS.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - 455ca45e-0cc8-495f-9bfa-e8904288fd25] Can invoke broker. Will attempt to acquire token with broker.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0001]      WARNING SetAuthorityString:98     Initializing authority from string 'https://login.microsoftonline.com/a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa/' without authority type, defaulting to MsSts
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0003]      ERROR   ErrorInternalImpl:134     Created an error: 5vt4a, StatusInternal::AccountNotFound, InternalEvent::None, Error Code 0, Context 'Account with id '(pii)' not found'
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0003]      INFO    LogTelemetryData:393      Printing Telemetry for Correlation ID: 455ca45e-0cc8-495f-9bfa-e8904288fd25
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0003]      INFO    LogTelemetryData:401      Key: start_time, Value: 2024-05-22T06:36:12.000Z
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0003]      INFO    LogTelemetryData:401      Key: api_name, Value: ReadAccountById
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0003]      INFO    LogTelemetryData:401      Key: was_request_throttled, Value: false
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0003]      INFO    LogTelemetryData:401      Key: authority_type, Value: Unknown
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0003]      INFO    LogTelemetryData:401      Key: msal_version, Value: 1.1.0+local
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0003]      INFO    LogTelemetryData:401      Key: correlation_id, Value: 455ca45e-0cc8-495f-9bfa-e8904288fd25
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0003]      INFO    LogTelemetryData:401      Key: broker_app_used, Value: false
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0003]      INFO    LogTelemetryData:401      Key: stop_time, Value: 2024-05-22T06:36:12.000Z
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0003]      INFO    LogTelemetryData:401      Key: all_error_tags, Value: 5vt4a
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0003]      INFO    LogTelemetryData:401      Key: msalruntime_version, Value: 0.16.0
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0003]      INFO    LogTelemetryData:401      Key: api_error_code, Value: 0
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0003]      INFO    LogTelemetryData:401      Key: api_error_tag, Value: 5vt4a
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0003]      INFO    LogTelemetryData:401      Key: api_status_code, Value: StatusInternal::AccountNotFound
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0003]      INFO    LogTelemetryData:401      Key: api_error_context, Value: Account with id '(pii)' not found
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0003]      INFO    LogTelemetryData:401      Key: is_successful, Value: false
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0003]      INFO    LogTelemetryData:401      Key: request_duration, Value: 0
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [RuntimeBroker] Could not find a WAM account for the selected user. Error: Status: AccountNotFound
Context: Account with id '(pii)' not found
Tag: 0x1f553780
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - 455ca45e-0cc8-495f-9bfa-e8904288fd25] Exception type: Microsoft.Identity.Client.MsalUiRequiredException
, ErrorCode: wam_no_account_for_id
HTTP StatusCode 0
CorrelationId 455ca45e-0cc8-495f-9bfa-e8904288fd25
To see full exception details, enable PII Logging. See https://aka.ms/msal-net-logging
   at Microsoft.Identity.Client.Internal.Requests.Silent.SilentRequest.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.Identity.Client.Utils.StopwatchService.MeasureCodeBlockAsync(Func`1 codeBlock)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)

DEBUG: SharedTokenCacheCredential.GetToken was unable to retrieve an access token. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:  Exception: Azure.Identity.CredentialUnavailableException (0x80131500): SharedTokenCacheCredential authentication unavailable. Token acquisition failed for user [email protected]. Ensure that you have authenticated with a developer tool that supports Azure single sign on.
 ---> Microsoft.Identity.Client.MsalUiRequiredException (0x80131500): Could not find a WAM account for the selected user. Error: Status: AccountNotFound
Context: Account with id '(pii)' not found
Tag: 0x1f553780
WARNING: Unable to acquire token for tenant 'a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa' with error 'Authentication failed against tenant a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa. User interaction is required. This may be due to the conditional access policy settings such as multi-factor authentication (MFA). If you need to access subscriptions in that tenant, please rerun 'Connect-AzAccount' with additional parameter '-TenantId a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa'.'
DEBUG: 11:36:12 PM - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 11:36:12 PM - [ConfigManager] Got nothing from [CheckForUpgrade], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent:  Module: Az.Accounts:3.0.0; CommandName: Get-AzSubscription; PSVersion: 7.4.2; IsSuccess: True; Duration: 00:00:00.0749216; SanitizeDuration: 00:00:00
DEBUG: 11:36:12 PM - [ConfigManager] Got nothing from [EnableDataCollection], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 11:36:12 PM -

Environment data

Name                           Value
----                           -----
PSVersion                      7.4.2
PSEdition                      Core
GitCommitId                    7.4.2
OS                             Microsoft Windows 10.0.22631
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     3.0.0                 Az.Accounts                         {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Clear-AzDefaul…
Script     0.3.2                 Az.CostManagement                   {Get-AzCostManagementExport, Get-AzCostManagementExportExecutionHis…
Script     7.1.0                 Az.Resources                        {Export-AzResourceGroup, Export-AzTemplateSpec, Get-AzDenyAssignmen…
Script     7.0.0                 Az.Storage                          {Add-AzRmStorageContainerLegalHold, Add-AzStorageAccountManagementP…

Error output

DEBUG: 11:36:46 PM - [ConfigManager] Got nothing from [DisplaySecretsWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 11:36:46 PM - ResolveError begin processing with ParameterSet 'AnyErrorParameterSet'.
DEBUG: 11:36:46 PM - using account id '[email protected]'...
DEBUG: 11:36:46 PM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].


DEBUG: 11:36:46 PM - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 11:36:46 PM - [ConfigManager] Got nothing from [CheckForUpgrade], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent:  Module: Az.Accounts:3.0.0; CommandName: Resolve-AzError; PSVersion: 7.4.2; IsSuccess: True; Duration: 00:00:00.0019185; SanitizeDuration: 00:00:00
DEBUG: 11:36:46 PM - [ConfigManager] Got nothing from [EnableDataCollection], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 11:36:46 PM - ResolveError end processing.

qishengc avatar May 22 '24 06:05 qishengc

Confirmed that the exact same command, with the exact same Entra ID account and tenant works as expected with Az.Accounts v2.19.0.


msqishengc avatar May 22 '24 06:05 msqishengc

I'm having the same issue.

bbz94 avatar May 22 '24 06:05 bbz94

Running this before Connect-AzAccount resolved my issue: Update-AzConfig -EnableLoginByWam $false

Got it from https://github.com/Azure/azure-powershell/issues/24962

msqishengc avatar May 22 '24 06:05 msqishengc

Running this before Connect-AzAccount resolved my issue: Update-AzConfig -EnableLoginByWam $false

Got it from #24962

Helped to solve the problem.

bbz94 avatar May 22 '24 09:05 bbz94

Way 1 and Way 3 are reported by https://github.com/Azure/azure-powershell/issues/24963 and can be worked around by disabling WAM for login: Update-AzConfig -EnableLoginByWam $false.

Way 2 is new to us, could you share more about your environment?

  1. By "I have no chance to select any thing, the login window appears after the above message.", was the window a browser window or a windows native window (not your browser)?
  2. Does this happen all the time?
  3. Did it happen before or after you applied the workaround?

Thanks a lot

isra-fel avatar May 22 '24 10:05 isra-fel

Way 1 and Way 3 are reported by #24963 and can be worked around by disabling WAM for login: Update-AzConfig -EnableLoginByWam $false.

Way 2 is new to us, could you share more about your environment?

  1. By "I have no chance to select any thing, the login window appears after the above message.", was the window a browser window or a Windows native window (not your browser)?
  2. Does this happen all the time?
  3. Did it happen before or after you applied the workaround?

Thanks a lot

I would simply repro on a new VM or Sandbox on Windows 11.

  1. Install PowerShell 7 with installer (according to https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-windows?view=powershell-7.4)
  2. Open a PowerShell console, install the module: Install-Module -Name Az.Accounts -Force -Verbose -Scope CurrentUser -ErrorAction Stop -AllowClobber -SkipPublisherCheck -Repository PSGallery
  3. Run Connect-AzAccount or Connect-AzAccount with -TenantId **** parameter, both failed immediately with the Sign in modal dialog opened, and if I dismiss the Sign in dialog, the console could not be focused anymore, so I need to kill it with Task Manager.

msqishengc avatar May 22 '24 20:05 msqishengc

For the record: the window pop-up-too-late issue was also reported by users of Azure CLI - https://github.com/Azure/azure-cli/issues/28997

isra-fel avatar May 23 '24 00:05 isra-fel

(I edited the title so that we can focus on the "user canceled authentication" error in this thread.)

We had reported this issue to the corresponding team. Latest status is: "The issue is caused by a bug in the account control logic, and it will return unexpected user cancel signal. We are working on it with our highest priority."

Again the workaround to this issue is to disable WAM by Update-AzConfig -EnableLoginByWam $false.

Will keep this updated.

isra-fel avatar May 27 '24 00:05 isra-fel

For us the update from v2 to v3 was causing the following error:

Your Azure credentials have not been set up or have expired, please run Connect-AzAccount to set up
     | your Azure credentials. Authentication failed against tenant xxxxx.
     | User interaction is required. This may be due to the conditional access policy settings such as
     | multi-factor authentication (MFA). If you need to access subscriptions in that tenant, please rerun
     | 'Connect-AzAccount' with additional parameter '-TenantId xxxx.

Using -EnableLoginByWam $false did not fix this until we ALSO used -LoginExperienceV2 Off.

jflieben avatar May 27 '24 16:05 jflieben

Run this before Connect Az account resolved my issue: Update-AzConfig -EnableLoginByWam $false

Got it from #24962

Thank you for this. Was greeted by the below after I successfully logged in. After tinkering around came here.

Your Azure credentials have not been set up or have expired, please run Connect-AzAccount to set up your Azure credentials. Authentication failed against tenant ID. User interaction is required. This may be due to the conditional access policy settings such as multi-factor authentication (MFA). If you need to access subscriptions in that tenant, please rerun 'Connect-AzAccount' with additional parameter '-TenantId ID'.

thesonofman0 avatar May 27 '24 18:05 thesonofman0

It seems this was rushed to release too early without more extensive testing.

slavizh avatar May 28 '24 06:05 slavizh

There seems to be an issue also when you run Login-Azaccount -tenantId inside VSCode terminal. It does not open this Windows UI for selecting account and it stays frozen without finishing the command. Setting -EnableLoginByWam $false resolves the problem as it switches to using the browser authentication.

slavizh avatar May 28 '24 06:05 slavizh

Yep - Microsoft - where's your testing?

Borgquite avatar May 29 '24 11:05 Borgquite

Any update on this issue?

Currently running with the workaround.

sxipper avatar May 30 '24 11:05 sxipper

Any update on this issue?

Currently running with the workaround.

The MSAL team is working intensely on the fix. We are going to release a new version after we get the fix version.

msJinLei avatar May 30 '24 13:05 msJinLei

As of 30 May we have the same issue. It's stopped scripts from running. Running PS7.4.2 and Az 12.

JohnJDB avatar May 30 '24 14:05 JohnJDB

If I use Update-AzConfig -EnableLoginByWam $false I will get another error

D:\a\1\s\deploy\scripts\aad-register.ps1 : Cannot process argument transformation on parameter 'context'. Cannot 
convert the "System.Object[]" value of type "System.Object[]" to type 
"Microsoft.Azure.Commands.Profile.Models.Core.PSAzureContext".
At D:\a\1\s\deploy\scripts\deploy.ps1:919 char:29
+ ... ript:aadConfig = & (Join-Path $script:ScriptDir "aad-register.ps1") `

AiHaibara avatar Jun 03 '24 17:06 AiHaibara

If I use Update-AzConfig -EnableLoginByWam $false I will get another error

D:\a\1\s\deploy\scripts\aad-register.ps1 : Cannot process argument transformation on parameter 'context'. Cannot 
convert the "System.Object[]" value of type "System.Object[]" to type 
"Microsoft.Azure.Commands.Profile.Models.Core.PSAzureContext".
At D:\a\1\s\deploy\scripts\deploy.ps1:919 char:29
+ ... ript:aadConfig = & (Join-Path $script:ScriptDir "aad-register.ps1") `

@AiHaibara Could you provide the cmdlet that ran into the error?

msJinLei avatar Jun 04 '24 07:06 msJinLei

If I use Update-AzConfig -EnableLoginByWam $false I will get another error

D:\a\1\s\deploy\scripts\aad-register.ps1 : Cannot process argument transformation on parameter 'context'. Cannot 
convert the "System.Object[]" value of type "System.Object[]" to type 
"Microsoft.Azure.Commands.Profile.Models.Core.PSAzureContext".
At D:\a\1\s\deploy\scripts\deploy.ps1:919 char:29
+ ... ript:aadConfig = & (Join-Path $script:ScriptDir "aad-register.ps1") `

@AiHaibara Could you provide the cmdlet that ran into the error?

The deploy item is already deleted now. Not sure, but it seems there were only these errors, otherwise it would be caught and not printed. But it seems to be working now using Update-AzConfig -EnableLoginByWam $false and with installing and importing some modules at specific required versions: Az 11.3.1, Microsoft.Graph 2.16.0.

AiHaibara avatar Jun 04 '24 07:06 AiHaibara

If I use Update-AzConfig -EnableLoginByWam $false I will get another error

D:\a\1\s\deploy\scripts\aad-register.ps1 : Cannot process argument transformation on parameter 'context'. Cannot 
convert the "System.Object[]" value of type "System.Object[]" to type 
"Microsoft.Azure.Commands.Profile.Models.Core.PSAzureContext".
At D:\a\1\s\deploy\scripts\deploy.ps1:919 char:29
+ ... ript:aadConfig = & (Join-Path $script:ScriptDir "aad-register.ps1") `

@AiHaibara Could you provide the cmdlet that ran into the error?

The deploy item is already deleted now. Not sure, but it seems there were only these errors, otherwise it would be caught and not printed. But it seems to be working now using Update-AzConfig -EnableLoginByWam $false and with installing and importing some modules at specific required versions: Az 11.3.1, Microsoft.Graph 2.16.0.

To resolve your issue, could you try the latest version and send the debug log to us so that we can check it? Thanks

msJinLei avatar Jun 05 '24 00:06 msJinLei

If I use Update-AzConfig -EnableLoginByWam $false I will get another error

D:\a\1\s\deploy\scripts\aad-register.ps1 : Cannot process argument transformation on parameter 'context'. Cannot 
convert the "System.Object[]" value of type "System.Object[]" to type 
"Microsoft.Azure.Commands.Profile.Models.Core.PSAzureContext".
At D:\a\1\s\deploy\scripts\deploy.ps1:919 char:29
+ ... ript:aadConfig = & (Join-Path $script:ScriptDir "aad-register.ps1") `

@AiHaibara Could you provide the cmdlet that ran into the error?

The deploy item is already deleted now. Not sure, but it seems there were only these errors, otherwise it would be caught and not printed. But it seems to be working now using Update-AzConfig -EnableLoginByWam $false and with installing and importing some modules at specific required versions: Az 11.3.1, Microsoft.Graph 2.16.0.

To resolve your issue, could you try the latest version and send the debug log to us so that we can check it? Thanks

Sorry for the delay, but it seems I can't reproduce this when I run without using a target version.

AiHaibara avatar Jun 14 '24 04:06 AiHaibara

Run this before Connect Az account resolved my issue: Update-AzConfig -EnableLoginByWam $false

Got it from #24962

Thanks man, you nailed it.

wab-id avatar Jun 14 '24 13:06 wab-id

Thanks a lot, I solved the issue with the command Update-AzConfig -EnableLoginByWam $false.

nicoarapaul avatar Jul 09 '24 10:07 nicoarapaul

For the 3 issues mentioned in the current item:

  1. should be the same as https://github.com/Azure/azure-powershell/issues/25028, mitigated by Az.Accounts 3.0.1
  2. is expected to be fixed by 3.0.1; if not, please report to me
  3. mitigated by Az.Accounts 3.0.1, fixed by https://github.com/Azure/azure-powershell/pull/25618

Close the issue

msJinLei avatar Aug 08 '24 07:08 msJinLei
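
The workaround from this thread, scoped so it does not outlive the affected module version; this is an added example, not code from any commenter or from the Azure PowerShell project. It assumes Az.Accounts is installed, takes the 3.0.0 / 3.0.1 boundary from the comments above, and uses `$TenantId` as a placeholder you supply.

```powershell
# Added example: apply the WAM workaround only for the affected Az.Accounts
# version, and only for the current process.
param(
    [Parameter(Mandatory)]
    [string] $TenantId   # placeholder, not a value from the thread
)

$ErrorActionPreference = 'Stop'
Import-Module Az.Accounts

$loaded   = (Get-Module -Name Az.Accounts | Select-Object -First 1).Version
$affected = [version]'3.0.0'   # version the issue was reported against
$fixed    = [version]'3.0.1'   # version the maintainers say mitigates it

if ($loaded -ge $affected -and $loaded -lt $fixed) {
    # -Scope Process keeps the change out of the persisted user config,
    # so broker (WAM) login is used again once the module is updated.
    Update-AzConfig -EnableLoginByWam $false -Scope Process | Out-Null
    # One commenter also had to turn the new login experience off.
    Update-AzConfig -LoginExperienceV2 Off -Scope Process | Out-Null
    Write-Verbose "Az.Accounts ${loaded}: WAM login disabled for this session."
}
else {
    Write-Verbose "Az.Accounts ${loaded}: no workaround applied."
}

# Record the effective settings so the run log shows which login path was used.
Get-AzConfig -EnableLoginByWam
Get-AzConfig -LoginExperienceV2

Connect-AzAccount -TenantId $TenantId | Out-Null

# Connect-AzAccount can appear to succeed while later calls only emit
# "Unable to acquire token" warnings, so check the first real call.
$subs = Get-AzSubscription -TenantId $TenantId -WarningVariable tokenWarnings
if (-not $subs -or ($tokenWarnings -match 'Unable to acquire token')) {
    throw "Signed in, but no token could be acquired for tenant $TenantId."
}
$subs
```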