[Bug] Authentication Fails with `Response_Status.Status_AccountUnusable`
Upstream issue: https://github.com/Azure/azure-cli/issues/30405
The error message is:
```
Account has previously been signed out of this application.. Status: Response_Status.Status_AccountUnusable, Error code: 0, Tag: 540940121
```
It is weird the error code is 0.
We ran into this same issue during RC testing of a deliverable. After a couple of hours of investigation, we were able to lock it down to a simple repro in which the user is attempting to list the App Config resources in their account. Specifically:
1. User has personal subscription (e.g. Visual Studio MSDN subscription based on their Hotmail account).
2. User has an app configuration resource group with resources in it.
3. User is logged in through `az login` (with `--tenant` flag).
4. User runs the following .NET code on a clean machine (a new DevBox) using VSCode Insiders build:
```csharp
using System;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.AppConfiguration;
using Azure.ResourceManager.Resources;

// Use DefaultAzureCredential which automatically detects and uses the appropriate credentials
var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions { TenantId = "tenant_id" });
Console.WriteLine("Authenticating with Azure using DefaultAzureCredential...");

// Create ArmClient instance which is the entry point for ARM operations
var armClient = new ArmClient(credential);

// Get all subscriptions the credential has access to
SubscriptionCollection subscriptions = armClient.GetSubscriptions();

// Iterate through each subscription
Console.WriteLine("\nScanning subscriptions for App Configuration resources...");
int totalAppConfigs = 0;
await foreach (SubscriptionResource subscription in subscriptions.GetAllAsync())
{
    Console.WriteLine($"\nSubscription: {subscription.Data.DisplayName} ({subscription.Id})");
    int subscriptionAppConfigs = 0;

    // Get all App Configuration resources in this subscription directly
    await foreach (var store in subscription.GetAppConfigurationStoresAsync())
    {
        // Display information about each App Configuration instance
        Console.WriteLine($" - Name: {store.Data.Name}");
        Console.WriteLine($" Location: {store.Data.Location}");
        Console.WriteLine($" Endpoint: {store.Data.Endpoint}");
        Console.WriteLine($" Provisioning State: {store.Data.ProvisioningState}");
        subscriptionAppConfigs++;
        totalAppConfigs++;
    }

    if (subscriptionAppConfigs == 0)
    {
        Console.WriteLine(" No App Configuration resources found in this subscription.");
    }
    else
    {
        Console.WriteLine($" Found {subscriptionAppConfigs} App Configuration resource(s) in this subscription.");
    }
}
Console.WriteLine($"\nTotal App Configuration resources across all subscriptions: {totalAppConfigs}");
```
==> Resulting behavior: Login error: ERROR: Account has previously been signed out of this application.
Looking online, we found several issues that indicated that disabling WAM might work around this. Disabling WAM (`az account clear; az config set core.enable_broker_on_windows=false; az login --tenant (tenant)`) indeed leads to a successful run.
We expect many customers to be using WAM so we would like to escalate this, please.
@MattGertz, I am not sure whether what you reported is the same case. ~(1) The error message in your case was different than the one mentioned in the original report.~ I misspoke. (2) In your case, did your error occur in your step 4 when you were using Azure Identity .NET? And does its `DefaultAzureCredential` invoke Azure CLI somehow? I am not familiar with that pattern. This may deserve its dedicated GitHub issue here.
In any case, you may reach out to @ashok672 for follow-up.
I'm considering closing this issue. `Status_AccountUnusable` will be triggered if the user signed out. A sign-out flag will be added to the account object; when trying to use the account, our library will throw this error. So, it's hard to say it's an "unexpected Status_AccountUnusable".
Also, MattGertz mentioned he also hit the issue; checking the logs, I did not see any `Status_AccountUnusable` errors.
I'd like to hear from you, @jiasli, @MattGertz.