msgraph-sdk-python-core

system-assigned identity

Open checkflow opened this issue 2 years ago • 10 comments

Describe the bug

Hi, I am trying to use the SDK from an Azure Automation Python Runbook using a system-assigned identity. From the SDK code example I see that any credential method from azure-identity should work:

Here is the code in the Runbook:

```python
import os
import requests
import logging

from azure.identity import DefaultAzureCredential
from msgraph.core import GraphClient

logging.basicConfig(format='%(asctime)s %(levelname)s %(message)s', datefmt='%m/%d/%Y %I:%M:%S %p', level=logging.DEBUG)

print(os.environ)

credential = DefaultAzureCredential()

client = GraphClient(credential=credential)

result = client.get('/users',
    params={
        '$select': 'displayName',
        '$top': '10'
    },
)

print(result.json())
```

The credentials are not retrieved using azure-identity DefaultAzureCredential or ManagedIdentityCredential:

```
Failed
08/28/2021 06:39:48 AM INFO No environment configuration found.
08/28/2021 06:39:48 AM INFO ManagedIdentityCredential will use Cloud Shell managed identity
08/28/2021 06:39:48 AM WARNING EnvironmentCredential.get_token failed: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
Traceback (most recent call last):
  File "C:\WPy64-3800\python-3.8.0.amd64\lib\site-packages\azure\identity\_internal\decorators.py", line 27, in wrapper
    token = fn(*args, **kwargs)
  File "C:\WPy64-3800\python-3.8.0.amd64\lib\site-packages\azure\identity\_credentials\environment.py", line 115, in get_token
    raise CredentialUnavailableError(message=message)
azure.identity._exceptions.CredentialUnavailableError: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
08/28/2021 06:39:48 AM INFO DefaultAzureCredential - EnvironmentCredential is unavailable
08/28/2021 06:39:48 AM INFO Request URL: 'http://127.0.0.1:40079/oauth2/token'
08/28/2021 06:39:48 AM INFO Request method: 'POST'
08/28/2021 06:39:48 AM INFO Request headers:
08/28/2021 06:39:48 AM INFO 'Metadata': 'REDACTED'
08/28/2021 06:39:48 AM INFO 'User-Agent': 'azsdk-python-identity/1.6.0 Python/3.8.0 (Windows-10-10.0.17134-SP0)'
08/28/2021 06:39:48 AM INFO A body is sent with the request
08/28/2021 06:39:48 AM DEBUG Starting new HTTP connection (1): 127.0.0.1:40079
08/28/2021 06:39:58 AM DEBUG http://127.0.0.1:40079 "POST /oauth2/token HTTP/1.1" 500 None
08/28/2021 06:39:58 AM INFO Response status: 500
08/28/2021 06:39:58 AM INFO Response headers:
08/28/2021 06:39:58 AM INFO 'Transfer-Encoding': 'chunked'
08/28/2021 06:39:58 AM INFO 'Content-Type': 'application/json; charset=utf-8'
08/28/2021 06:39:58 AM INFO 'Server': 'Microsoft-HTTPAPI/2.0'
08/28/2021 06:39:58 AM INFO 'Date': 'Sat, 28 Aug 2021 06:39:58 GMT'
08/28/2021 06:39:58 AM INFO Request URL: 'http://127.0.0.1:40079/oauth2/token'
08/28/2021 06:39:58 AM INFO Request method: 'POST'
08/28/2021 06:39:58 AM INFO Request headers:
08/28/2021 06:39:58 AM INFO 'Metadata': 'REDACTED'
08/28/2021 06:39:58 AM INFO 'User-Agent': 'azsdk-python-identity/1.6.0 Python/3.8.0 (Windows-10-10.0.17134-SP0)'
08/28/2021 06:39:58 AM INFO A body is sent with the request
08/28/2021 06:40:04 AM DEBUG http://127.0.0.1:40079 "POST /oauth2/token HTTP/1.1" 500 None
08/28/2021 06:40:04 AM INFO Response status: 500
08/28/2021 06:40:04 AM INFO Response headers:
08/28/2021 06:40:04 AM INFO 'Transfer-Encoding': 'chunked'
08/28/2021 06:40:04 AM INFO 'Content-Type': 'application/json; charset=utf-8'
08/28/2021 06:40:04 AM INFO 'Server': 'Microsoft-HTTPAPI/2.0'
08/28/2021 06:40:04 AM INFO 'Date': 'Sat, 28 Aug 2021 06:40:04 GMT'
08/28/2021 06:40:06 AM INFO Request URL: 'http://127.0.0.1:40079/oauth2/token'
08/28/2021 06:40:06 AM INFO Request method: 'POST'
08/28/2021 06:40:06 AM INFO Request headers:
08/28/2021 06:40:06 AM INFO 'Metadata': 'REDACTED'
08/28/2021 06:40:06 AM INFO 'User-Agent': 'azsdk-python-identity/1.6.0 Python/3.8.0 (Windows-10-10.0.17134-SP0)'
08/28/2021 06:40:06 AM INFO A body is sent with the request
08/28/2021 06:40:12 AM DEBUG http://127.0.0.1:40079 "POST /oauth2/token HTTP/1.1" 500 None
08/28/2021 06:40:12 AM INFO Response status: 500
08/28/2021 06:40:12 AM INFO Response headers:
08/28/2021 06:40:12 AM INFO 'Transfer-Encoding': 'chunked'
08/28/2021 06:40:12 AM INFO 'Content-Type': 'application/json; charset=utf-8'
08/28/2021 06:40:12 AM INFO 'Server': 'Microsoft-HTTPAPI/2.0'
08/28/2021 06:40:12 AM INFO 'Date': 'Sat, 28 Aug 2021 06:40:12 GMT'
08/28/2021 06:40:16 AM INFO Request URL: 'http://127.0.0.1:40079/oauth2/token'
08/28/2021 06:40:16 AM INFO Request method: 'POST'
08/28/2021 06:40:16 AM INFO Request headers:
08/28/2021 06:40:16 AM INFO 'Metadata': 'REDACTED'
08/28/2021 06:40:16 AM INFO 'User-Agent': 'azsdk-python-identity/1.6.0 Python/3.8.0 (Windows-10-10.0.17134-SP0)'
08/28/2021 06:40:16 AM INFO A body is sent with the request
08/28/2021 06:40:22 AM DEBUG http://127.0.0.1:40079 "POST /oauth2/token HTTP/1.1" 500 None
08/28/2021 06:40:22 AM INFO Response status: 500
08/28/2021 06:40:22 AM INFO Response headers:
08/28/2021 06:40:22 AM INFO 'Transfer-Encoding': 'chunked'
08/28/2021 06:40:22 AM INFO 'Content-Type': 'application/json; charset=utf-8'
08/28/2021 06:40:22 AM INFO 'Server': 'Microsoft-HTTPAPI/2.0'
08/28/2021 06:40:22 AM INFO 'Date': 'Sat, 28 Aug 2021 06:40:22 GMT'
08/28/2021 06:40:22 AM WARNING CloudShellCredential.get_token failed: Unexpected response "{'Message': 'Failed to get MSI token for account ceef7fcc-2a79-498a-b3b1-e1737014fd24 and resource .default.'}"
Traceback (most recent call last):
  File "C:\WPy64-3800\python-3.8.0.amd64\lib\site-packages\azure\identity\_internal\get_token_mixin.py", line 72, in get_token
    token = self._request_token(*scopes)
  File "C:\WPy64-3800\python-3.8.0.amd64\lib\site-packages\azure\identity\_credentials\cloud_shell.py", line 51, in _request_token
    return self._client.request_token(*scopes, **kwargs)
  File "C:\WPy64-3800\python-3.8.0.amd64\lib\site-packages\azure\identity\_internal\managed_identity_client.py", line 124, in request_token
    token = self._process_response(response, request_time)
  File "C:\WPy64-3800\python-3.8.0.amd64\lib\site-packages\azure\identity\_internal\managed_identity_client.py", line 78, in _process_response
    raise ClientAuthenticationError(
azure.core.exceptions.ClientAuthenticationError: Unexpected response "{'Message': 'Failed to get MSI token for account ceef7fcc-2a79-498a-b3b1-e1737014fd24 and resource .default.'}"
08/28/2021 06:40:22 AM WARNING ManagedIdentityCredential.get_token failed: Unexpected response "{'Message': 'Failed to get MSI token for account ceef7fcc-2a79-498a-b3b1-e1737014fd24 and resource .default.'}"
Traceback (most recent call last):
  File "C:\WPy64-3800\python-3.8.0.amd64\lib\site-packages\azure\identity\_internal\decorators.py", line 27, in wrapper
    token = fn(*args, **kwargs)
  File "C:\WPy64-3800\python-3.8.0.amd64\lib\site-packages\azure\identity\_credentials\managed_identity.py", line 88, in get_token
    return self._credential.get_token(*scopes, **kwargs)
  File "C:\WPy64-3800\python-3.8.0.amd64\lib\site-packages\azure\identity\_credentials\cloud_shell.py", line 43, in get_token
    return super(CloudShellCredential, self).get_token(*scopes, **kwargs)
  File "C:\WPy64-3800\python-3.8.0.amd64\lib\site-packages\azure\identity\_internal\get_token_mixin.py", line 72, in get_token
    token = self._request_token(*scopes)
  File "C:\WPy64-3800\python-3.8.0.amd64\lib\site-packages\azure\identity\_credentials\cloud_shell.py", line 51, in _request_token
    return self._client.request_token(*scopes, **kwargs)
  File "C:\WPy64-3800\python-3.8.0.amd64\lib\site-packages\azure\identity\_internal\managed_identity_client.py", line 124, in request_token
    token = self._process_response(response, request_time)
  File "C:\WPy64-3800\python-3.8.0.amd64\lib\site-packages\azure\identity\_internal\managed_identity_client.py", line 78, in _process_response
    raise ClientAuthenticationError(
azure.core.exceptions.ClientAuthenticationError: Unexpected response "{'Message': 'Failed to get MSI token for account ceef7fcc-2a79-498a-b3b1-e1737014fd24 and resource .default.'}"
08/28/2021 06:40:22 AM WARNING DefaultAzureCredential.get_token failed: ManagedIdentityCredential raised unexpected error "Unexpected response "{'Message': 'Failed to get MSI token for account ceef7fcc-2a79-498a-b3b1-e1737014fd24 and resource .default.'}""
Traceback (most recent call last):
  File "C:\WPy64-3800\python-3.8.0.amd64\lib\site-packages\azure\identity\_credentials\chained.py", line 67, in get_token
    token = credential.get_token(*scopes, **kwargs)
  File "C:\WPy64-3800\python-3.8.0.amd64\lib\site-packages\azure\identity\_internal\decorators.py", line 27, in wrapper
    token = fn(*args, **kwargs)
  File "C:\WPy64-3800\python-3.8.0.amd64\lib\site-packages\azure\identity\_credentials\managed_identity.py", line 88, in get_token
    return self._credential.get_token(*scopes, **kwargs)
  File "C:\WPy64-3800\python-3.8.0.amd64\lib\site-packages\azure\identity\_credentials\cloud_shell.py", line 43, in get_token
    return super(CloudShellCredential, self).get_token(*scopes, **kwargs)
  File "C:\WPy64-3800\python-3.8.0.amd64\lib\site-packages\azure\identity\_internal\get_token_mixin.py", line 72, in get_token
    token = self._request_token(*scopes)
  File "C:\WPy64-3800\python-3.8.0.amd64\lib\site-packages\azure\identity\_credentials\cloud_shell.py", line 51, in _request_token
    return self._client.request_token(*scopes, **kwargs)
  File "C:\WPy64-3800\python-3.8.0.amd64\lib\site-packages\azure\identity\_internal\managed_identity_client.py", line 124, in request_token
    token = self._process_response(response, request_time)
  File "C:\WPy64-3800\python-3.8.0.amd64\lib\site-packages\azure\identity\_internal\managed_identity_client.py", line 78, in _process_response
    raise ClientAuthenticationError(
azure.core.exceptions.ClientAuthenticationError: Unexpected response "{'Message': 'Failed to get MSI token for account ceef7fcc-2a79-498a-b3b1-e1737014fd24 and resource .default.'}"
08/28/2021 06:40:22 AM WARNING DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
    EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
    ManagedIdentityCredential: Unexpected response "{'Message': 'Failed to get MSI token for account ceef7fcc-2a79-498a-b3b1-e1737014fd24 and resource .default.'}"
Traceback (most recent call last):
  File "C:\Temp\54uiipza.zf1\de37e4d4-c609-4609-b52f-ff6d7d3d8aa5", line 17, in <module>
    result = client.get('/users',
  File "C:\WPy64-3800\python-3.8.0.amd64\lib\site-packages\msgraph\core\_graph_client.py", line 46, in wrapper
    return func(*args, **kwargs)
  File "C:\WPy64-3800\python-3.8.0.amd64\lib\site-packages\msgraph\core\_graph_client.py", line 93, in get
    return self.graph_session.get(self._graph_url(url), **kwargs)
  File "C:\WPy64-3800\python-3.8.0.amd64\lib\site-packages\requests\sessions.py", line 546, in get
    return self.request('GET', url, **kwargs)
  File "C:\WPy64-3800\python-3.8.0.amd64\lib\site-packages\requests\sessions.py", line 533, in request
    resp = self.send(prep, **send_kwargs)
  File "C:\WPy64-3800\python-3.8.0.amd64\lib\site-packages\requests\sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "C:\WPy64-3800\python-3.8.0.amd64\lib\site-packages\msgraph\core\middleware\middleware.py", line 44, in send
    return self._first_middleware.send(request, **kwargs)
  File "C:\WPy64-3800\python-3.8.0.amd64\lib\site-packages\msgraph\core\middleware\authorization.py", line 20, in send
    {'Authorization': 'Bearer {}'.format(self._get_access_token(context))}
  File "C:\WPy64-3800\python-3.8.0.amd64\lib\site-packages\msgraph\core\middleware\authorization.py", line 32, in _get_access_token
    return self.credential.get_token(*self.get_scopes(context))[0]
  File "C:\WPy64-3800\python-3.8.0.amd64\lib\site-packages\azure\identity\_credentials\default.py", line 150, in get_token
    return super(DefaultAzureCredential, self).get_token(*scopes, **kwargs)
  File "C:\WPy64-3800\python-3.8.0.amd64\lib\site-packages\azure\identity\_credentials\chained.py", line 90, in get_token
    raise ClientAuthenticationError(message=message)
azure.core.exceptions.ClientAuthenticationError: DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
    EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
    ManagedIdentityCredential: Unexpected response "{'Message': 'Failed to get MSI token for account ceef7fcc-2a79-498a-b3b1-e1737014fd24 and resource .default.'}"
```

To Reproduce

Steps to reproduce the behavior:

  1. Create a system-assigned identity from an Azure Automation account
  2. Grant "User.Read.All" on Microsoft Graph following this tutorial [https://docs.microsoft.com/en-us/azure/app-service/scenario-secure-app-access-microsoft-graph-as-app?tabs=azure-cli%2Ccommand-line], I granted authorizations on Microsoft Graph to the system-assigned identity:
  3. Execute Runbook with code example
  4. See error

Expected behavior

Credential working with managed identity and list of Azure AD users retrieved.

AB#10908

checkflow avatar Aug 28 '21 07:08 checkflow

Any idea on a solution?

checkflow avatar Aug 30 '21 11:08 checkflow

Hi @checkflow. Thank you for reporting this issue.

I am trying to replicate the problem you are facing. Are you using the latest version of the library? That should be v0.2.2

samwelkanda avatar Aug 30 '21 12:08 samwelkanda

Hello @samwelkanda, thanks for your reply. Yes, it's v0.2.2

```
.venv/bin/python -m pip show msgraph-core

Name: msgraph-core
Version: 0.2.2
Summary: Core component of the Microsoft Graph Python SDK consisting of HTTP/Graph Client and a configurable middleware pipeline (Preview).
Home-page: https://github.com/microsoftgraph/msgraph-sdk-python-core
Author: Microsoft
Author-email: [email protected]
License:
Location:
Requires:
Required-by:
```

checkflow avatar Aug 30 '21 13:08 checkflow

@checkflow I'm following this up with internal teams as it does not seem to be an issue with our sdk. I will revert with feedback.

samwelkanda avatar Aug 31 '21 11:08 samwelkanda

Hi @samwelkanda, no news from your internal teams?

checkflow avatar Sep 03 '21 16:09 checkflow

Attempting to do the same as above from a managed identity inside an Azure Function app gives me this error:

ManagedIdentityCredential.get_token failed: Unexpected response "{'exceptionMessage': 'AADSTS500011: The resource principal named .default was not found in the tenant named Default Directory. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant

@checkflow Did you end up figuring out the issue?

jdamata avatar Oct 26 '21 21:10 jdamata

@jdamata no, I ended up using a classic Service Principal credential (with Azure Automation, one is created automatically when you create the account):

1/ I added a client secret to the SP

2/ and I used the Python class ClientSecretCredential from the azure.identity Python SDK module (with tenant / client / secret from SP) in my python3 Runbook:

```python
import msgraph.core
from azure.identity import ClientSecretCredential

credential = ClientSecretCredential(tenant_id=tenant_id, client_id=app_id, client_secret=client_secret)
client = msgraph.core.GraphClient(credential=credential)
```

3/ Then I do what I want with the client.

checkflow avatar Oct 28 '21 18:10 checkflow

Hello, I am facing the same issue when trying to use DefaultAzureCredential in function app with system assigned managed identity enabled. Any update on this bug please?

hurtn avatar Jan 28 '22 20:01 hurtn

I also encountered this issue while attempting to use a System Managed Identity.

Looking forward to using Python Azure Functions to access Graph APIs via a managed identity when this is resolved.

pkeogh avatar Feb 19 '22 01:02 pkeogh

I got the same issue with a user-assigned identity and finally solved it by adding a scope:

```python
from azure.identity import ManagedIdentityCredential
from msgraph.core import GraphClient

credentials = ManagedIdentityCredential(client_id="redacted")
graph_client = GraphClient(credential=credentials, scopes=["https://graph.microsoft.com"])
```

Inspired by https://github.com/microsoftgraph/msgraph-sdk-python-core/issues/106

pobop avatar Mar 03 '22 15:03 pobop
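Added example, not part of the thread or of the SDK: both errors quoted above name `.default` as the requested resource, and the scope posted above replaces it with an absolute URI. The sketch below checks a scope list before it reaches a managed identity credential and pulls the resource out of those two error texts. All function names are hypothetical, and the scope-to-resource rule (one scope, trailing `/.default` dropped) is an assumed simplified model.

```python
import re
from urllib.parse import urlparse
DEFAULT_SUFFIX = "/.default"

def scope_to_resource(scopes):
    """Assumed model of a managed identity token request: exactly one scope,
    and a trailing '/.default' is dropped to obtain the resource."""
    if len(scopes) != 1:
        raise ValueError("managed identity token requests take exactly one scope")
    scope = scopes[0]
    return scope[:-len(DEFAULT_SUFFIX)] if scope.endswith(DEFAULT_SUFFIX) else scope

def is_absolute_resource(resource):
    """A usable resource is an absolute URI such as https://graph.microsoft.com."""
    parts = urlparse(resource)
    return parts.scheme in ("https", "api") and bool(parts.netloc)

def preflight(scopes):
    """Reject scopes that would reach the token endpoint as a bare '.default'."""
    resource = scope_to_resource(scopes)
    if not is_absolute_resource(resource):
        raise ValueError(f"scope {scopes[0]!r} yields resource {resource!r}")
    return resource

# The two error texts quoted in this thread, each naming the requested resource.
RESOURCE_PATTERNS = (
    re.compile(r"Failed to get MSI token for account \S+ and resource (\S+?)\.'"),
    re.compile(r"AADSTS500011: The resource principal named (\S+) was not found"),
)

def diagnose(log_line):
    """Return (resource, is_absolute) for a token-failure line, else None."""
    for pattern in RESOURCE_PATTERNS:
        match = pattern.search(log_line)
        if match:
            return match.group(1), is_absolute_resource(match.group(1))
    return None

# Constructed sample lines modelled on the errors above (account id is a placeholder).
SAMPLE_LOG = [
    "Unexpected response \"{'Message': 'Failed to get MSI token for account "
    "00000000-0000-0000-0000-000000000000 and resource .default.'}\"",
    "'AADSTS500011: The resource principal named .default was not found in the tenant",
    "INFO Response status: 200",
]

if __name__ == "__main__":
    print([diagnose(line) for line in SAMPLE_LOG])
```
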

Hello @checkflow, my apologies for the delays in attending this issue.

Would you be so kind to try using the newest version of the SDK, please? Let me know if the issue persists.

isvargasmsft avatar Mar 08 '23 19:03 isvargasmsft

Hello @checkflow,

I'll be closing this issue for now. My sincere apologies for the delays in our response. Please use the newest version of the SDK and stay tuned for the GA version coming soon.

Feel free to reach out again if you find an issue with the new SDK.

Kind regards,

Isaac Vargas

isvargasmsft avatar Mar 24 '23 20:03 isvargasmsft