azure-sdk-for-net
Regarding misleading AuthenticationFailedException - The current credential is not configured to acquire tokens for tenant....
Library name and version
Azure.Identity 1.7.+
Describe the bug
Scenario: App => Storage Account/Blob service using the Azure.Identity ClientSecretCredential flow. Our app is registered in Azure AD as single tenant only.
Details: We are using this library (ClientSecretCredential) to set up token credentials for calling the blob service. Below is the configuration.
Library: Azure.Identity 1.7.0
Language/Framework: .NET 8, C#
Configuration (appsettings.json):
"AzureAd": {
  "Tenant": "<Tenant_Domain>",
  "TenantId": "<Tenant_Guid>",
  ...
}
We use the code below to set up the blob service client.
Code snippet
var credential = new ClientSecretCredential(**config.Tenant**, config.ClientId, config.ClientSecret, tokenCredentialOptions);
BlobServiceClient mainClient = new BlobServiceClient(storageUri, credential);
This sets up the credentials so that we can call the storage service from our app service.
This is the setup; we are using a valid Tenant while initializing the credentials, and our app is not multitenant and does not require any other tenant.
Expected behavior
AcquireToken calls to the storage service should be successful.
Calls were working fine for versions before 1.7.0.
They started giving failures/intermittent issues with 1.7+.
Actual behavior
Now we are getting an authentication exception while acquiring tokens; it is intermittent:
The current credential is not configured to acquire tokens for tenant "<TenantGuid>".
I understand a check was added in Azure.Identity (1.7+) for multitenant apps, but because of this our existing apps' flow started breaking, and we need major code changes to fix this.
- The library should treat both the tenant domain and the TenantId as valid while acquiring tokens, because both are valid identifiers for the tenant.
- The exception is misleading as well, because the caller itself used <Tenant_Domain> during setup of the credentials. The app is not multitenant either.
Reproduction Steps
Provided above.
Environment
.NET 8 Azure Function App (Isolated)
Hi @sachinjagdale. Thanks for reaching out and we regret that you're experiencing difficulties. Please provide the full error message and stack trace of the exception that you're seeing. Please also collect SDK logs for analysis.
Hi @sachinjagdale. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.
@jsquire
As requested
Exception message
Error: The current credential is not configured to acquire tokens for tenant <TenantId>. To enable acquiring tokens for this tenant add it to the AdditionallyAllowedTenants on the credential options, or add "*" to AdditionallyAllowedTenants to allow acquiring tokens for any tenant. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/multitenant/troubleshoot (GeneralError). For troubleshooting information, see https://aka.ms/azsdk/net/servicebus/exceptions/troubleshoot.
Stack Trace (SDK)
Azure.Identity.AuthenticationFailedException:
   at Azure.Identity.TenantIdResolver.Resolve (Azure.Identity, Version=1.10.4.0, Culture=neutral, PublicKeyToken=92742159e12e44c8)
   at Azure.Identity.ClientSecretCredential+<GetTokenAsync>d__19.MoveNext (Azure.Identity, Version=1.10.4.0, Culture=neutral, PublicKeyToken=92742159e12e44c8)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow (Azure.Identity, Version=1.10.4.0, Culture=neutral, PublicKeyToken=92742159e12e44c8)
   at Azure.Identity.ClientSecretCredential+<GetTokenAsync>d__19.MoveNext (Azure.Identity, Version=1.10.4.0, Culture=neutral, PublicKeyToken=92742159e12e44c8)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy+AccessTokenCache+<GetHeaderValueFromCredentialAsync>d__9.MoveNext (Azure.Core, Version=1.38.0.0, Culture=neutral, PublicKeyToken=92742159e12e44c8)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy+AccessTokenCache+<GetHeaderValueAsync>d__6.MoveNext (Azure.Core, Version=1.38.0.0, Culture=neutral, PublicKeyToken=92742159e12e44c8)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy+AccessTokenCache+<GetHeaderValueAsync>d__6.MoveNext (Azure.Core, Version=1.38.0.0, Culture=neutral, PublicKeyToken=92742159e12e44c8)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy+<AuthenticateAndAuthorizeRequestAsync>d__12.MoveNext (Azure.Core, Version=1.38.0.0, Culture=neutral, PublicKeyToken=92742159e12e44c8)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at Azure.Storage.StorageBearerTokenChallengeAuthorizationPolicy+<AuthorizeRequestInternal>d__7.MoveNext (Azure.Storage.Blobs, Version=12.19.1.0, Culture=neutral, PublicKeyToken=92742159e12e44c8)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy+<ProcessAsync>d__11.MoveNext (Azure.Core, Version=1.38.0.0, Culture=neutral, PublicKeyToken=92742159e12e44c8)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at Azure.Core.Pipeline.HttpPipelineSynchronousPolicy+<InnerProcessAsync>d__5.MoveNext (Azure.Core, Version=1.38.0.0, Culture=neutral, PublicKeyToken=92742159e12e44c8)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at Azure.Core.Pipeline.RedirectPolicy+<ProcessAsync>d__7.MoveNext (Azure.Core, Version=1.38.0.0, Culture=neutral, PublicKeyToken=92742159e12e44c8)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at Azure.Core.Pipeline.RetryPolicy+<ProcessAsync>d__5.MoveNext (Azure.Core, Version=1.38.0.0, Culture=neutral, PublicKeyToken=92742159e12e44c8)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at Azure.Core.Pipeline.RetryPolicy+<ProcessAsync>d__5.MoveNext (Azure.Core, Version=1.38.0.0, Culture=neutral, PublicKeyToken=92742159e12e44c8)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at Azure.Storage.Blobs.ContainerRestClient+<GetPropertiesAsync>d__11.MoveNext (Azure.Storage.Blobs, Version=12.19.1.0, Culture=neutral, PublicKeyToken=92742159e12e44c8)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at Azure.Storage.Blobs.BlobContainerClient+<GetPropertiesInternal>d__64.MoveNext (Azure.Storage.Blobs, Version=12.19.1.0, Culture=neutral, PublicKeyToken=92742159e12e44c8)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at Azure.Storage.Blobs.BlobContainerClient+<ExistsInternal>d__61.MoveNext (Azure.Storage.Blobs, Version=12.19.1.0, Culture=neutral, PublicKeyToken=92742159e12e44c8)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at Azure.Storage.Blobs.BlobContainerClient+<ExistsAsync>d__60.MoveNext (Azure.Storage.Blobs, Version=12.19.1.0, Culture=neutral, PublicKeyToken=92742159e12e44c8)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at GetBlockBlobReferenceAsync>d__29.MoveNext
Hi @sachinjagdale, from your code snippet above:
var credential = new ClientSecretCredential(**config.Tenant**, config.ClientId, config.ClientSecret, tokenCredentialOptions);
It looks like you should be using config.TenantId
Can you try this and see if the problem continues?
Hi @sachinjagdale. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.
TenantId can resolve this, but we need to change this in multiple applications. Tenant and TenantId belong to the same AAD, so both should work, and even the /token APIs allow both as valid identifiers for the tenant.
Our API requires TenantId to match the one related to the resource. I believe this worked prior to version 1.7 because we did not validate that the tenantId matched. This is described in the changelog here
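As an added example (not code from this issue or from the Azure SDK itself), the two constructions side by side: the failing one that passes the tenant domain from the issue's appsettings, the corrected one that passes the tenant GUID, and the AdditionallyAllowedTenants route named in the error message. The `AzureAdConfig` record, the `BlobClientFactory` class and the `storageUri` parameter are assumptions made for the example.

```csharp
using System;
using Azure.Identity;
using Azure.Storage.Blobs;

// Assumed shape of the "AzureAd" section from the issue's appsettings.json.
public sealed record AzureAdConfig(string Tenant, string TenantId, string ClientId, string ClientSecret);

public static class BlobClientFactory
{
    // Before: the tenant *domain* is passed where a tenant id is expected. Since 1.7,
    // Azure.Identity compares the tenant that the Storage bearer challenge names (a GUID,
    // see StorageBearerTokenChallengeAuthorizationPolicy in the stack trace) against the
    // configured value; "contoso.onmicrosoft.com" != "<guid>", so TenantIdResolver.Resolve
    // throws "The current credential is not configured to acquire tokens for tenant <guid>".
    public static BlobServiceClient CreateFailing(AzureAdConfig config, Uri storageUri)
    {
        var credential = new ClientSecretCredential(config.Tenant, config.ClientId, config.ClientSecret);
        return new BlobServiceClient(storageUri, credential);
    }

    // After: pass the tenant GUID, which matches the tenant the storage resource belongs to.
    // This is the change the maintainers suggested and needs no extra options.
    public static BlobServiceClient CreateFixed(AzureAdConfig config, Uri storageUri)
    {
        var credential = new ClientSecretCredential(config.TenantId, config.ClientId, config.ClientSecret);
        return new BlobServiceClient(storageUri, credential);
    }

    // Alternative from the error message: keep the configured domain but explicitly allow the
    // resource's tenant GUID. Listing the one GUID keeps the allow-list as narrow as the app's
    // single-tenant registration; "*" would let the credential request tokens for whatever
    // tenant a challenge names, which a single-tenant app does not need.
    public static BlobServiceClient CreateWithAllowedTenant(AzureAdConfig config, Uri storageUri)
    {
        var options = new ClientSecretCredentialOptions();
        options.AdditionallyAllowedTenants.Add(config.TenantId);
        var credential = new ClientSecretCredential(config.Tenant, config.ClientId, config.ClientSecret, options);
        return new BlobServiceClient(storageUri, credential);
    }
}
```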
Hi @sachinjagdale. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text "/unresolve" to remove the "issue-addressed" label and continue the conversation.
Thank you.
If only TenantId is valid and not the domain, then this should be properly documented; it did not look like a minor release change to me either, because it leads to misleading exceptions about additional tenants.
Hi @sachinjagdale - This is documented in the API documentation.
I'll go ahead and close this issue out.