[Bug] Public Client with Broker Cannot Acquire Token Silently from the Token Cache on a Machine That Has Never Logged In With WAM
Library version used
- Microsoft.Identity.Client
- Microsoft.Identity.Client.Extensions.Msal
- Microsoft.Identity.Client.Broker
version 4.60.3.0
.NET version
.NET Standard 2.0
Scenario
PublicClient - desktop app
Is this a new or an existing app?
The app is in production, and I have upgraded to a new version of MSAL
Issue description and reproduction steps
The user has never logged in with WAM on the machine.
- create a public client with broker
- run AcquireTokenWithDeviceCodeAsync
- run AcquireTokenSilentAsync
Or
- log in interactively with a browser first
- create a public client with broker
- run AcquireTokenSilentAsync
Relevant code snippets
No response
Expected behavior
AcquireTokenSilentAsync should return an access token successfully, but actually returns an error:
Scopes:'https://management.core.windows.net//.default', AuthorityHost:'https://login.microsoftonline.com/', UserId:'niranjanb@xxxxx'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348 [2024-05-21 11:14:02Z - 136389b4-bf6a-4417-8559-aa9451eac8b8] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348 [2024-05-21 11:14:02Z - 136389b4-bf6a-4417-8559-aa9451eac8b8] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348 [2024-05-21 11:14:02Z - 136389b4-bf6a-4417-8559-aa9451eac8b8] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348 [2024-05-21 11:14:02Z - 136389b4-bf6a-4417-8559-aa9451eac8b8] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348 [2024-05-21 11:14:02Z - 136389b4-bf6a-4417-8559-aa9451eac8b8] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348 [2024-05-21 11:14:02Z] [Runtime] WAM supported OS.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348 [2024-05-21 11:14:02Z] [RuntimeBroker] ListWindowsWorkAndSchoolAccounts option was not enabled.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348 [2024-05-21 11:14:02Z - 7caefd13-8142-4f4a-b4fb-a57f546d77f9] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348 [2024-05-21 11:14:02Z] Found 1 cache accounts and 0 broker accounts
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348 [2024-05-21 11:14:02Z] Returning 1 accounts
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348 [2024-05-21 11:14:02Z - 68e20a0f-67d0-4258-92a8-5cbb42f9911f] MSAL MSAL.CoreCLR with assembly version '4.60.3.0'. CorrelationId(68e20a0f-67d0-4258-92a8-5cbb42f9911f)
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348 [2024-05-21 11:14:02Z - 68e20a0f-67d0-4258-92a8-5cbb42f9911f] === AcquireTokenSilent Parameters ===
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348 [2024-05-21 11:14:02Z - 68e20a0f-67d0-4258-92a8-5cbb42f9911f] LoginHint provided: False
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348 [2024-05-21 11:14:02Z - 68e20a0f-67d0-4258-92a8-5cbb42f9911f] Account provided: True
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348 [2024-05-21 11:14:02Z - 68e20a0f-67d0-4258-92a8-5cbb42f9911f] ForceRefresh: False
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348 [2024-05-21 11:14:02Z - 68e20a0f-67d0-4258-92a8-5cbb42f9911f]
=== Request Data ===
Authority Provided? - True
Scopes - https://management.core.windows.net//.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - True
HomeAccountId - False
CorrelationId - 68e20a0f-67d0-4258-92a8-5cbb42f9911f
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348 [2024-05-21 11:14:02Z - 68e20a0f-67d0-4258-92a8-5cbb42f9911f] === Token Acquisition (SilentRequest) started:
Scopes: https://management.core.windows.net//.default
Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348 [2024-05-21 11:14:02Z - 68e20a0f-67d0-4258-92a8-5cbb42f9911f] Broker is configured and enabled, attempting to use broker instead.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348 [2024-05-21 11:14:02Z] [Runtime] WAM supported OS.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348 [2024-05-21 11:14:02Z - 68e20a0f-67d0-4258-92a8-5cbb42f9911f] Can invoke broker. Will attempt to acquire token with broker.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348 [2024-05-21 11:14:02Z] [MSAL:0001] WARNING SetAuthorityString:98 Initializing authority from string 'https://login.microsoftonline.com/$tenantId/' without authority type, defaulting to MsSts
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348 [2024-05-21 11:14:02Z] [MSAL:0002] ERROR ErrorInternalImpl:134 Created an error: 5vt4a, StatusInternal::AccountNotFound, InternalEvent::None, Error Code 0, Context 'Account with id '(pii)' not found'
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348 [2024-05-21 11:14:02Z] [MSAL:0002] INFO LogTelemetryData:393 Printing Telemetry for Correlation ID: 68e20a0f-67d0-4258-92a8-5cbb42f9911f
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348 [2024-05-21 11:14:02Z] [MSAL:0002] INFO LogTelemetryData:401 Key: start_time, Value: 2024-05-21T11:14:02.000Z
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348 [2024-05-21 11:14:02Z] [MSAL:0002] INFO LogTelemetryData:401 Key: api_name, Value: ReadAccountById
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348 [2024-05-21 11:14:02Z] [MSAL:0002] INFO LogTelemetryData:401 Key: was_request_throttled, Value: false
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348 [2024-05-21 11:14:02Z] [MSAL:0002] INFO LogTelemetryData:401 Key: authority_type, Value: Unknown
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348 [2024-05-21 11:14:02Z] [MSAL:0002] INFO LogTelemetryData:401 Key: msal_version, Value: 1.1.0+local
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348 [2024-05-21 11:14:02Z] [MSAL:0002] INFO LogTelemetryData:401 Key: correlation_id, Value: 68e20a0f-67d0-4258-92a8-5cbb42f9911f
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348 [2024-05-21 11:14:02Z] [MSAL:0002] INFO LogTelemetryData:401 Key: broker_app_used, Value: false
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348 [2024-05-21 11:14:02Z] [MSAL:0002] INFO LogTelemetryData:401 Key: stop_time, Value: 2024-05-21T11:14:02.000Z
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348 [2024-05-21 11:14:02Z] [MSAL:0002] INFO LogTelemetryData:401 Key: all_error_tags, Value: 5vt4a
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348 [2024-05-21 11:14:02Z] [MSAL:0002] INFO LogTelemetryData:401 Key: msalruntime_version, Value: 0.16.0
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348 [2024-05-21 11:14:02Z] [MSAL:0002] INFO LogTelemetryData:401 Key: api_error_code, Value: 0
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348 [2024-05-21 11:14:02Z] [MSAL:0002] INFO LogTelemetryData:401 Key: api_error_tag, Value: 5vt4a
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348 [2024-05-21 11:14:02Z] [MSAL:0002] INFO LogTelemetryData:401 Key: api_status_code, Value: StatusInternal::AccountNotFound
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348 [2024-05-21 11:14:02Z] [MSAL:0002] INFO LogTelemetryData:401 Key: api_error_context, Value: Account with id '(pii)' not found
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348 [2024-05-21 11:14:02Z] [MSAL:0002] INFO LogTelemetryData:401 Key: is_successful, Value: false
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348 [2024-05-21 11:14:02Z] [MSAL:0002] INFO LogTelemetryData:401 Key: request_duration, Value: 0
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348 [2024-05-21 11:14:02Z] [RuntimeBroker] Could not find a WAM account for the selected user. Error: Status: AccountNotFound
Context: Account with id '(pii)' not found
Tag: 0x1f553780
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.4645.0 Microsoft Windows 10.0.20348 [2024-05-21 11:14:02Z - 68e20a0f-67d0-4258-92a8-5cbb42f9911f] Exception type: Microsoft.Identity.Client.MsalUiRequiredException
, ErrorCode: wam_no_account_for_id
HTTP StatusCode 0
CorrelationId 68e20a0f-67d0-4258-92a8-5cbb42f9911f
To see full exception details, enable PII Logging. See https://aka.ms/msal-net-logging
at Microsoft.Identity.Client.Internal.Requests.Silent.SilentRequest.<ExecuteAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Identity.Client.Utils.StopwatchService.<MeasureCodeBlockAsync>d__4.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Identity.Client.Internal.Requests.RequestBase.<RunAsync>d__11.MoveNext()
DEBUG: SharedTokenCacheCredential.GetToken was unable to retrieve an access token. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId: Exception: Azure.Identity.CredentialUnavailableException (0x80131500): SharedTokenCacheCredential authentication unavailable. Token acquisition failed for user [email protected]. Ensure that you have authenticated with a developer tool that supports Azure single sign on.
---> Microsoft.Identity.Client.MsalUiRequiredException (0x80131500): Could not find a WAM account for the selected user. Error: Status: AccountNotFound
Context: Account with id '(pii)' not found
Tag: 0x1f553780
Identity provider
Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)
Regression
No response
Solution and workarounds
No response
A related issue was reported before: https://github.com/AzureAD/microsoft-authentication-library-for-python/issues/563
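The reproduction steps from the report, written out as an added example; this is not code from the report or from the MSAL.NET project. It assumes a placeholder client ID and the `organizations` tenant, and it uses MSAL's default in-memory cache within one process rather than the persisted cache the report drove through SharedTokenCacheCredential. The scope and the expected error code `wam_no_account_for_id` are taken from the log above: step 1 obtains the account through device code, which does not go through WAM, and step 3 then fails on the broker path even though MSAL's own cache holds the account (the log's "Found 1 cache accounts and 0 broker accounts").

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.Identity.Client.Broker;

class WamSilentRepro
{
    // Placeholders (assumption): substitute a real public-client app registration.
    const string ClientId = "00000000-0000-0000-0000-000000000000";
    const string TenantId = "organizations";

    // Scope as it appears in the report's log.
    static readonly string[] Scopes = { "https://management.core.windows.net//.default" };

    static async Task Main()
    {
        var brokerOptions = new BrokerOptions(BrokerOptions.OperatingSystems.Windows)
        {
            Title = "WAM silent repro"
        };

        IPublicClientApplication app = PublicClientApplicationBuilder
            .Create(ClientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            .WithDefaultRedirectUri()
            .WithBroker(brokerOptions)
            // Verbose, PII-free logging so the broker routing decision is visible on the console.
            .WithLogging((level, message, containsPii) => Console.WriteLine($"{level}: {message}"),
                         LogLevel.Verbose, enablePiiLogging: false)
            .Build();

        // Step 1: device code flow. This does not involve WAM, so the account
        // is written only to MSAL's token cache, never to the broker.
        AuthenticationResult first = await app
            .AcquireTokenWithDeviceCode(Scopes, deviceCode =>
            {
                Console.WriteLine(deviceCode.Message);
                return Task.CompletedTask;
            })
            .ExecuteAsync();
        Console.WriteLine($"Device code flow OK for {first.Account.Username}");

        // Step 2: the account is enumerable from the MSAL cache.
        IAccount account = (await app.GetAccountsAsync()).Single();

        // Step 3: silent acquisition. With the broker configured MSAL hands the
        // request to WAM, which has no record of this account and fails with
        // wam_no_account_for_id instead of serving the cached refresh token.
        try
        {
            AuthenticationResult silent = await app
                .AcquireTokenSilent(Scopes, account)
                .ExecuteAsync();
            Console.WriteLine($"Silent OK, expires {silent.ExpiresOn:u}");
        }
        catch (MsalUiRequiredException ex) when (ex.ErrorCode == "wam_no_account_for_id")
        {
            // The exact failure from the report; any other MsalUiRequiredException
            // (genuinely needs interaction) is deliberately left to propagate.
            Console.WriteLine($"Reproduced: {ex.ErrorCode}, correlation {ex.CorrelationId}");
        }
    }
}
```

The `when` filter pins the catch to the one error code from the log, so a real interaction requirement still surfaces as an exception instead of being mistaken for this bug. Building the same application without the `.WithBroker(...)` call corresponds to the workaround described later in the thread as disabling the WAM option.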
I think this is similar to the issue reported by Azure CLI and fixed in MSAL Py, where device code flow doesn't use the broker.
> I think this is similar to the issue reported by Azure CLI and fixed in MSAL Py, where device code flow doesn't use the broker.
Indeed. It can be fixed by the account_source behavior implemented in this MSAL Python PR.
Hello, do we have someone taking care of this bug ?
Hi, just following up on Alaa's reply. Do we have a contact for this bug or can we get an update? Thanks
> I think this is similar to the issue reported by Azure CLI and fixed in MSAL Py, where device code flow doesn't use the broker.
Yeah, except for device code, we also have customers using the username+password (ROPC) flow who are impacted. Supposedly all the flows that don't involve the broker should still be able to acquire a token silently.
Hello team, any update on this issue?
Thanks
Hi team; I'm checking to see if there is any update on this issue.
Hi team, just wanted to check if there's an update on this issue, please.
@iulico-1 to comment
It seems to be a behavior that existed for quite some time (since broker integration was enabled). This is a feature ask to support device code flow outside the broker. A change to support ROPC with the broker is also being considered.
> It seems to be a behavior that existed for quite some time (since broker integration was enabled). This is a feature ask to support device code flow outside the broker. A change to support ROPC with the broker is also being considered.
@iulico-1 We didn't find it earlier, as the issue can only be found on a machine without a WAM login but with the WAM option enabled. We usually test with the following process, so that is a limitation of the test.
- Login with WAM
- Test subsequent operations
But we didn't expect that we cannot acquire a token silently with the broker option when there is a valid token in the cache, so we didn't test in that direction.
The issue is a blocking issue for our product. Actually, the customers using the "ROPC and device code" flows cannot use Azure PowerShell until the issue is fixed. The only workaround is to turn off the WAM option.
@msJinLei - The issue is understood now and we are actively working on the fix. Will update around mid next week on the progress and ETA for the final fix.
@ashok672 Thanks for letting us know! We are waiting for your progress.
@ashok672 Could you update the progress of the item? Thanks
I am actively working on the fix. ETA for the fix to be checked in is by 06/14. I will see if I can release the fix as well within this time. If not, the release might take some more time, probably another 2 or 3 days.