Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Azure CLI doesn't return token for scope: ERROR: (pii). Status: Response_Status.Status_IncorrectConfiguration, Error code: 3399614475, Tag: 508634112 #30491

Open
riosengineer opened this issue Dec 7, 2024 · 10 comments
Open

Azure CLI doesn't return token for scope: ERROR: (pii). Status: Response_Status.Status_IncorrectConfiguration, Error code: 3399614475, Tag: 508634112 #30491

riosengineer opened this issue Dec 7, 2024 · 10 comments
Assignees
@jiasli
Labels
AAD Account az login/account ARM az resource/group/lock/tag/deployment/policy/managementapp/account management-group Auto-Assign Auto assign by bot Azure CLI Team The command of the issue is owned by Azure CLI team customer-reported Issues that are reported by GitHub users external to the Azure organization. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that
Milestone
Backlog

Comments

@riosengineer
Copy link

riosengineer commented Dec 7, 2024
edited
Loading

Describe the bug

Hi team,

I have an Entra App Registration with an Exposed API Scope and App Role associated with it. I've also associated the Microsoft Azure CLI Enterprise App with GUID 04b07795-8ddb-461a-bbee-02f9e1bf7b46 within the 'Authorized client applications` area of my app registration.

When trying to obtain an access token using this scope, I receive a strange and obstruse error: (pii). Status: Response_Status.Status_IncorrectConfiguration, Error code: 3399614475, Tag: 508634112 and when inspecting the AZURE CLI debug logs, I see an error about the auth being to the wrong tenant. It is not the wrong tenant, and I am logged in no problems.

Either way, the error is pretty unhelpful and doesn't offer much in the way of what is wrong. I am logged into Azure CLI, I am authenticated to the correct tenant, with the correct account.

This call works fine with the Azure Developer CLI using

azd auth login`
azd auth token --output json --scope api://MY_GUID/API.Access

Interestingly, AZD only works, if I add the Azure CLI Enterprise App as an Authorized Client application within the App Registrastion.

But it doesn't work for Azure CLI.

Related command

> az account get-access-token --resource api://MY_GUID/API.Access
(pii). Status: Response_Status.Status_IncorrectConfiguration, Error code: 3399614475, Tag: 508634112
Please explicitly log in with:
az login --scope api://MY_GUID/API.Access/.default
  13:29:44  TestApiCall
 > az login --scope api://MY_GUID/API.Access/.default
Select the account you want to log in with. For more information on login with Azure CLI, see https://go.microsoft.com/fwlink/?linkid=2271136
(pii). Status: Response_Status.Status_IncorrectConfiguration, Error code: 3399614475, Tag: 508634112
Please explicitly log in with:
az login

Errors

invalid_resource AADSTS500011: The resource principal named api://SANITISED/API.Access was not found in the tenant named SANITISED. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.

Issue script & Debug output

Debug logging from Azure CLI when attempting this:

30332 : 2024-12-07 13:38:24,458 : DEBUG : cli.knack.log : File logging enabled - writing logs to 'C:\Users\SANITISED\.azure\logs'.
30332 : 2024-12-07 13:38:24,458 : DEBUG : cli.knack.cli : Command arguments: ['account', 'get-access-token', '--resource', 'api://SANITISED/API.Access']
30332 : 2024-12-07 13:38:24,458 : DEBUG : cli.knack.cli : __init__ debug log:
Enable color in terminal.
30332 : 2024-12-07 13:38:24,458 : DEBUG : cli.knack.cli : Event: Cli.PreExecute []
30332 : 2024-12-07 13:38:24,459 : DEBUG : cli.knack.cli : Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x00000176DD9FB380>, <function OutputProducer.on_global_arguments at 0x00000176DDD9C0E0>, <function CLIQuery.on_global_arguments at 0x00000176DDDC14E0>]
30332 : 2024-12-07 13:38:24,461 : DEBUG : cli.knack.cli : Event: CommandInvoker.OnPreCommandTableCreate []
30332 : 2024-12-07 13:38:24,468 : DEBUG : cli.azure.cli.core : Modules found from index for 'account': ['azure.cli.command_modules.profile', 'azure.cli.command_modules.resource']
30332 : 2024-12-07 13:38:24,468 : DEBUG : cli.azure.cli.core : Loading command modules:
30332 : 2024-12-07 13:38:24,468 : DEBUG : cli.azure.cli.core : Name                  Load Time    Groups  Commands
30332 : 2024-12-07 13:38:24,473 : DEBUG : cli.azure.cli.core : profile                   0.005         2         8
30332 : 2024-12-07 13:38:25,430 : DEBUG : cli.azure.cli.core : resource                  0.957        52       232
30332 : 2024-12-07 13:38:25,430 : DEBUG : cli.azure.cli.core : Total (2)                 0.961        54       240
30332 : 2024-12-07 13:38:25,430 : DEBUG : cli.azure.cli.core : Loaded 53 groups, 240 commands.
30332 : 2024-12-07 13:38:25,430 : DEBUG : cli.azure.cli.core : Found a match in the command table.
30332 : 2024-12-07 13:38:25,431 : DEBUG : cli.azure.cli.core : Raw command  : account get-access-token
30332 : 2024-12-07 13:38:25,431 : DEBUG : cli.azure.cli.core : Command table: account get-access-token
30332 : 2024-12-07 13:38:25,431 : DEBUG : cli.knack.cli : Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x00000176DEBB1D00>]
30332 : 2024-12-07 13:38:25,431 : DEBUG : cli.azure.cli.core.azlogging : metadata file logging enabled - writing logs to 'C:\Users\SANITISED\.azure\commands\2024-12-07.13-38-25.account_get-access-token.30332.log'.
30332 : 2024-12-07 13:38:25,432 : INFO : az_command_data_logger : command args: account get-access-token --resource {}
30332 : 2024-12-07 13:38:25,433 : DEBUG : cli.knack.cli : Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x00000176DEC2D800>]
30332 : 2024-12-07 13:38:25,436 : DEBUG : cli.knack.cli : Event: CommandInvoker.OnPostArgumentLoad []
30332 : 2024-12-07 13:38:25,437 : DEBUG : cli.knack.cli : Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x00000176DEC2D8A0>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x00000176DEC2D9E0>, <function register_upcoming_breaking_change_info.<locals>.update_breaking_change_info at 0x00000176DEC2DA80>]
30332 : 2024-12-07 13:38:25,440 : DEBUG : cli.knack.cli : Event: CommandInvoker.OnCommandTableLoaded []
30332 : 2024-12-07 13:38:25,440 : DEBUG : cli.knack.cli : Event: CommandInvoker.OnPreParseArgs []
30332 : 2024-12-07 13:38:25,441 : DEBUG : cli.knack.cli : Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x00000176DDD9C180>, <function CLIQuery.handle_query_parameter at 0x00000176DDDC1580>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x00000176DEC2D940>]
30332 : 2024-12-07 13:38:25,496 : DEBUG : cli.azure.cli.core.auth.persistence : build_persistence: location='C:\\Users\\SANITISED\\.azure\\msal_token_cache.bin', encrypt=True
30332 : 2024-12-07 13:38:25,523 : DEBUG : cli.azure.cli.core.auth.binary_cache : load: C:\Users\SANITISED\.azure\msal_http_cache.bin
30332 : 2024-12-07 13:38:25,524 : DEBUG : urllib3.util.retry : Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
30332 : 2024-12-07 13:38:25,524 : DEBUG : msal.authority : Initializing with Entra authority: https://login.microsoftonline.com/SANITISED
30332 : 2024-12-07 13:38:25,524 : DEBUG : msal.authority : openid_config("https://login.microsoftonline.com/SANITISED/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/SANITISED/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/SANITISED/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/SANITISED/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/SANITISED/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/SANITISED/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/SANITISED/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/SANITISED/kerberos', 'tenant_region_scope': 'EU', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
30332 : 2024-12-07 13:38:25,536 : DEBUG : msal.application : Broker enabled? True
30332 : 2024-12-07 13:38:25,541 : DEBUG : cli.azure.cli.core.auth.msal_credentials : UserCredential.get_token: scopes=('api://SANITISED/API.Access/.default',), claims=None, kwargs={}
30332 : 2024-12-07 13:38:25,565 : DEBUG : msal.broker : [MSAL:0001]	INFO   	LogTelemetryData:422	Printing Telemetry for Correlation ID: 280496ba-af22-4f84-9738-b0e629bff6b4
30332 : 2024-12-07 13:38:25,565 : DEBUG : msal.broker : [MSAL:0001]	INFO   	LogTelemetryData:430	Key: start_time, Value: 2024-12-07T13:38:25.000Z
30332 : 2024-12-07 13:38:25,565 : DEBUG : msal.broker : [MSAL:0001]	INFO   	LogTelemetryData:430	Key: api_name, Value: ReadAccountById
30332 : 2024-12-07 13:38:25,565 : DEBUG : msal.broker : [MSAL:0001]	INFO   	LogTelemetryData:430	Key: was_request_throttled, Value: false
30332 : 2024-12-07 13:38:25,565 : DEBUG : msal.broker : [MSAL:0001]	INFO   	LogTelemetryData:430	Key: authority_type, Value: Unknown
30332 : 2024-12-07 13:38:25,565 : DEBUG : msal.broker : [MSAL:0001]	INFO   	LogTelemetryData:430	Key: msal_version, Value: 1.1.0+local
30332 : 2024-12-07 13:38:25,565 : DEBUG : msal.broker : [MSAL:0001]	INFO   	LogTelemetryData:430	Key: correlation_id, Value: 280496ba-af22-4f84-9738-b0e629bff6b4
30332 : 2024-12-07 13:38:25,565 : DEBUG : msal.broker : [MSAL:0001]	INFO   	LogTelemetryData:430	Key: broker_app_used, Value: false
30332 : 2024-12-07 13:38:25,565 : DEBUG : msal.broker : [MSAL:0001]	INFO   	LogTelemetryData:430	Key: stop_time, Value: 2024-12-07T13:38:25.000Z
30332 : 2024-12-07 13:38:25,565 : DEBUG : msal.broker : [MSAL:0001]	INFO   	LogTelemetryData:430	Key: msalruntime_version, Value: 0.16.2
30332 : 2024-12-07 13:38:25,565 : DEBUG : msal.broker : [MSAL:0001]	INFO   	LogTelemetryData:430	Key: is_successful, Value: true
30332 : 2024-12-07 13:38:25,566 : DEBUG : msal.broker : [MSAL:0001]	INFO   	LogTelemetryData:430	Key: request_duration, Value: 0
30332 : 2024-12-07 13:38:25,566 : DEBUG : msal.broker : [MSAL:0002]	WARNING	SetAuthorityUri:78	Initializing authority from URI 'https://login.microsoftonline.com/SANITISED' without authority type, defaulting to MsSts
30332 : 2024-12-07 13:38:25,566 : DEBUG : msal.broker : [MSAL:0002]	INFO   	SetCorrelationId:258	Set correlation ID: 280496ba-af22-4f84-9738-b0e629bff6b4
30332 : 2024-12-07 13:38:25,566 : DEBUG : msal.broker : [MSAL:0002]	INFO   	EnqueueBackgroundRequest:1000	The original authority is 'https://login.microsoftonline.com/SANITISED'
30332 : 2024-12-07 13:38:25,566 : DEBUG : msal.broker : [MSAL:0002]	INFO   	ModifyAndValidateAuthParameters:243	Authority Realm: SANITISED
30332 : 2024-12-07 13:38:25,566 : DEBUG : msal.broker : [MSAL:0002]	WARNING	TryEnqueueMsaDeviceCredentialAcquisitionAndContinue:1052	MsaDeviceOperationProvider is not available. Not attempting to register the device.
30332 : 2024-12-07 13:38:25,568 : DEBUG : msal.broker : [MSAL:0003]	INFO   	StorageTokenResponse:84	StorageTokenResponse account constructor invoked. This is only expected in Runtime flows
30332 : 2024-12-07 13:38:25,571 : DEBUG : msal.broker : [MSAL:0003]	WARNING	DiscardAccessAndIdTokensIfUnusable:808	No access token found in the cache
30332 : 2024-12-07 13:38:25,573 : DEBUG : msal.broker : [MSAL:0003]	WARNING	StorageTokenResponse:15	No credentials found in the cache
30332 : 2024-12-07 13:38:25,584 : DEBUG : msal.broker : [MSAL:0003]	WARNING	GetPlatformPropertiesFromStorage:2013	No account found in cache.
30332 : 2024-12-07 13:38:26,281 : DEBUG : msal.broker : [MSAL:0003]	ERROR  	ErrorInternalImpl:134	Created an error: 4usqa, StatusInternal::IncorrectConfiguration, InternalEvent::None, Error Code 3399614475, Context '(pii)'
30332 : 2024-12-07 13:38:26,281 : DEBUG : msal.broker : [MSAL:0003]	INFO   	LogTelemetryData:422	Printing Telemetry for Correlation ID: 280496ba-af22-4f84-9738-b0e629bff6b4
30332 : 2024-12-07 13:38:26,281 : DEBUG : msal.broker : [MSAL:0003]	INFO   	LogTelemetryData:430	Key: start_time, Value: 2024-12-07T13:38:25.000Z
30332 : 2024-12-07 13:38:26,281 : DEBUG : msal.broker : [MSAL:0003]	INFO   	LogTelemetryData:430	Key: api_name, Value: AcquireTokenSilently
30332 : 2024-12-07 13:38:26,281 : DEBUG : msal.broker : [MSAL:0003]	INFO   	LogTelemetryData:430	Key: was_request_throttled, Value: false
30332 : 2024-12-07 13:38:26,281 : DEBUG : msal.broker : [MSAL:0003]	INFO   	LogTelemetryData:430	Key: authority_type, Value: AAD
30332 : 2024-12-07 13:38:26,281 : DEBUG : msal.broker : [MSAL:0003]	INFO   	LogTelemetryData:430	Key: read_token, Value: ID
30332 : 2024-12-07 13:38:26,281 : DEBUG : msal.broker : [MSAL:0003]	INFO   	LogTelemetryData:430	Key: msal_version, Value: 1.1.0+local
30332 : 2024-12-07 13:38:26,281 : DEBUG : msal.broker : [MSAL:0003]	INFO   	LogTelemetryData:430	Key: api_status_code, Value: StatusInternal::IncorrectConfiguration
30332 : 2024-12-07 13:38:26,281 : DEBUG : msal.broker : [MSAL:0003]	INFO   	LogTelemetryData:430	Key: client_id, Value: SANITISED
30332 : 2024-12-07 13:38:26,281 : DEBUG : msal.broker : [MSAL:0003]	INFO   	LogTelemetryData:430	Key: correlation_id, Value: 280496ba-af22-4f84-9738-b0e629bff6b4
30332 : 2024-12-07 13:38:26,281 : DEBUG : msal.broker : [MSAL:0003]	INFO   	LogTelemetryData:430	Key: broker_app_used, Value: true
30332 : 2024-12-07 13:38:26,281 : DEBUG : msal.broker : [MSAL:0003]	INFO   	LogTelemetryData:430	Key: stop_time, Value: 2024-12-07T13:38:26.000Z
30332 : 2024-12-07 13:38:26,281 : DEBUG : msal.broker : [MSAL:0003]	INFO   	LogTelemetryData:430	Key: all_error_tags, Value: 4usqa|4usqa
30332 : 2024-12-07 13:38:26,281 : DEBUG : msal.broker : [MSAL:0003]	INFO   	LogTelemetryData:430	Key: msalruntime_version, Value: 0.16.2
30332 : 2024-12-07 13:38:26,281 : DEBUG : msal.broker : [MSAL:0003]	INFO   	LogTelemetryData:430	Key: original_authority, Value: https://login.microsoftonline.com/SANITISED
30332 : 2024-12-07 13:38:26,282 : DEBUG : msal.broker : [MSAL:0003]	INFO   	LogTelemetryData:430	Key: request_eligible_for_broker, Value: true
30332 : 2024-12-07 13:38:26,282 : DEBUG : msal.broker : [MSAL:0003]	INFO   	LogTelemetryData:430	Key: additional_query_parameters_count, Value: 0
30332 : 2024-12-07 13:38:26,282 : DEBUG : msal.broker : [MSAL:0003]	INFO   	LogTelemetryData:430	Key: storage_read, Value: DAC|DID|DAMD
30332 : 2024-12-07 13:38:26,282 : DEBUG : msal.broker : [MSAL:0003]	INFO   	LogTelemetryData:430	Key: is_successful, Value: false
30332 : 2024-12-07 13:38:26,282 : DEBUG : msal.broker : [MSAL:0003]	INFO   	LogTelemetryData:430	Key: wam_telemetry, Value: {"x_ms_clitelem":"1,500011,0,87283.2723,","ui_visible":false,"server_error_code":500011,"scope":"profile api://SANITISED/API.Access/.default offline_access openid","redirect_uri":"ms-appx-web://Microsoft.AAD.BrokerPlugin/SANITISED","provider_id":"https://login.windows.net","oauth_error_code":"invalid_resource","http_status":400,"http_event_count":1,"http_content_type":"application/json; charset=utf-8","http_content_size":795,"device_join":"aadj","correlation_id":"{280496ba-af22-4f84-9738-b0e629bff6b4}","client_id":"SANITISED","cache_event_count":0,"broker_version":"10.0.22621.4391","authority":"https://login.microsoftonline.com/SANITISED","api_error_code":-895352821,"account_join_on_start":"secondary","account_join_on_end":"secondary","silent_code":0,"silent_bi_sub_code":0,"silent_message":"","silent_status":0,"is_cached":0}
30332 : 2024-12-07 13:38:26,282 : DEBUG : msal.broker : [MSAL:0003]	INFO   	LogTelemetryData:430	Key: auth_flow, Value: Broker
30332 : 2024-12-07 13:38:26,282 : DEBUG : msal.broker : [MSAL:0003]	INFO   	LogTelemetryData:430	Key: broker_error_location, Value: 4usqa
30332 : 2024-12-07 13:38:26,282 : DEBUG : msal.broker : [MSAL:0003]	INFO   	LogTelemetryData:430	Key: api_error_code, Value: 3399614475
30332 : 2024-12-07 13:38:26,282 : DEBUG : msal.broker : [MSAL:0003]	INFO   	LogTelemetryData:430	Key: api_error_tag, Value: 4usqa
30332 : 2024-12-07 13:38:26,282 : DEBUG : msal.broker : [MSAL:0003]	INFO   	LogTelemetryData:430	Key: api_error_context, Value: (pii)
30332 : 2024-12-07 13:38:26,282 : DEBUG : msal.broker : [MSAL:0003]	INFO   	LogTelemetryData:430	Key: authorization_type, Value: WindowsIntegratedAuth
30332 : 2024-12-07 13:38:26,282 : DEBUG : msal.broker : [MSAL:0003]	INFO   	LogTelemetryData:430	Key: request_duration, Value: 714
30332 : 2024-12-07 13:38:26,282 : DEBUG : msal.broker : [MSAL:0003]	INFO   	LogTelemetryData:435	Printing Execution Flow:
30332 : 2024-12-07 13:38:26,282 : DEBUG : msal.broker : [MSAL:0003]	INFO   	LogTelemetryData:443	{"t":"4s7uc","tid":2,"ts":0,"l":2},{"t":"4sufd","tid":2,"ts":0,"s":2,"l":2},{"t":"4swgg","tid":2,"ts":0,"s":1,"l":2},{"t":"4swgf","tid":2,"ts":0,"s":1,"l":2},{"t":"4swgi","tid":3,"ts":0,"s":1,"l":2},{"t":"8b2yn","tid":3,"ts":0,"l":2},{"t":"8dqkx","tid":3,"ts":0,"l":2},{"t":"8dqik","tid":3,"ts":0,"l":2},{"t":"4q2di","tid":3,"ts":0,"l":2},{"t":"4qnng","tid":3,"ts":0,"l":2,"a":2,"ie":0},{"t":"4qnnf","tid":3,"ts":1,"l":2,"a":2,"ie":1},{"t":"8dqit","tid":3,"ts":2,"l":2},{"t":"8b2ht","tid":3,"ts":2,"l":2},{"t":"4qnno","tid":3,"ts":2,"l":2,"a":2,"ie":0},{"t":"4qnnn","tid":3,"ts":5,"l":2,"a":2,"ie":1},{"t":"8dqir","tid":3,"ts":5,"l":2},{"t":"4qwi1","tid":3,"ts":5,"l":2},{"t":"4qnna","tid":3,"ts":5,"l":2,"a":2,"ie":0},{"t":"4qnm9","tid":3,"ts":6,"l":2,"a":2,"ie":1},{"t":"8dqip","tid":3,"ts":6,"l":2},{"t":"4qnno","tid":3,"ts":6,"l":2,"a":2,"ie":0},{"t":"4qnnn","tid":3,"ts":6,"l":2,"a":2,"ie":1},{"t":"8b2hu","tid":3,"ts":7,"l":2},{"t":"5b8fg","tid":3,"ts":17,"l":2},{"t":"8dqk0","tid":3,"ts":17,"l":2},{"t":"4qnng","tid":3,"ts":17,"l":2,"a":2,"ie":0},{"t":"4qnnf","tid":3,"ts":18,"l":2,"a":2,"ie":1},{"t":"8dqjd","tid":3,"ts":18,"l":2},{"t":"694nj","tid":3,"ts":18,"l":2,"a":10,"ie":0},{"t":"4vw1f","tid":3,"ts":18,"l":2},{"t":"4wqnh","tid":3,"ts":18,"l":2},{"t":"4vw1c","tid":3,"ts":34,"l":2},{"t":"4vw1b","tid":3,"ts":34,"l":2},{"t":"4wqnk","tid":3,"ts":34,"l":2},{"t":"6omfm","tid":3,"ts":43,"l":2},{"t":"4vw1a","tid":3,"ts":43,"l":2},{"t":"4wqnf","tid":3,"ts":43,"l":2},{"t":"4wqm5","tid":3,"ts":59,"l":2},{"t":"4wqm6","tid":3,"ts":59,"l":2},{"t":"4u9jc","tid":3,"ts":714,"l":2},{"t":"58yep","tid":3,"ts":715,"l":2},{"t":"694nk","tid":3,"ts":715,"l":2,"a":10,"ie":1},{"t":"8dqk1","tid":3,"ts":715,"l":2},{"t":"646u1","tid":3,"ts":715,"l":2}
30332 : 2024-12-07 13:38:26,355 : DEBUG : cli.azure.cli.core.azclierror : Traceback (most recent call last):
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 666, in execute
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 733, in _run_jobs_serially
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 703, in _run_job
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 336, in __call__
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/profile/custom.py", line 83, in get_access_token
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/_profile.py", line 465, in get_raw_token
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/msal_credentials.py", line 68, in get_token
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/util.py", line 149, in check_result
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/util.py", line 53, in aad_error_handler
azure.cli.core.azclierror.AuthenticationError: (pii). Status: Response_Status.Status_IncorrectConfiguration, Error code: 3399614475, Tag: 508634112

30332 : 2024-12-07 13:38:26,433 : ERROR : cli.azure.cli.core.azclierror : (pii). Status: Response_Status.Status_IncorrectConfiguration, Error code: 3399614475, Tag: 508634112
30332 : 2024-12-07 13:38:26,434 : ERROR : az_command_data_logger : (pii). Status: Response_Status.Status_IncorrectConfiguration, Error code: 3399614475, Tag: 508634112
30332 : 2024-12-07 13:38:26,435 : DEBUG : cli.knack.cli : Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x00000176DEBB1F80>]
30332 : 2024-12-07 13:38:26,435 : INFO : az_command_data_logger : exit code: 1
30332 : 2024-12-07 13:38:26,435 : INFO : cli.__main__ : Command ran in 3.020 seconds (init: 1.042, invoke: 1.978)
30332 : 2024-12-07 13:38:26,583 : INFO : telemetry.main : Begin splitting cli events and extra events, total events: 1
30332 : 2024-12-07 13:38:26,583 : INFO : telemetry.client : Accumulated 0 events. Flush the clients.
30332 : 2024-12-07 13:38:26,583 : INFO : telemetry.main : Finish splitting cli events and extra events, cli events: 1
30332 : 2024-12-07 13:38:26,584 : INFO : telemetry.save : Save telemetry record of length 4407 in cache file under C:\Users\SANITISED\.azure\telemetry\20241207133826583
30332 : 2024-12-07 13:38:26,584 : INFO : telemetry.main : Begin creating telemetry upload process.
30332 : 2024-12-07 13:38:26,585 : INFO : telemetry.process : Creating upload process: "C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe C:\Program Files\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry\__init__.pyc C:\Users\SANITISED\.azure C:\Users\SANITISED\.azure\telemetry\20241207133826583"
30332 : 2024-12-07 13:38:26,636 : INFO : telemetry.process : Return from creating process 32004
30332 : 2024-12-07 13:38:26,637 : INFO : telemetry.main : Finish creating telemetry upload process.
23668 : 2024-12-07 13:38:31,539 : DEBUG : cli.knack.log : File logging enabled - writing logs to 'C:\Users\SANITISED\.azure\logs'.
23668 : 2024-12-07 13:38:31,539 : DEBUG : cli.knack.cli : Command arguments: ['login', '--scope', 'api://SANITISED/API.Access/.default']
23668 : 2024-12-07 13:38:31,539 : DEBUG : cli.knack.cli : __init__ debug log:
Enable color in terminal.
23668 : 2024-12-07 13:38:31,539 : DEBUG : cli.knack.cli : Event: Cli.PreExecute []
23668 : 2024-12-07 13:38:31,540 : DEBUG : cli.knack.cli : Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x0000026998F2B380>, <function OutputProducer.on_global_arguments at 0x00000269992CC0E0>, <function CLIQuery.on_global_arguments at 0x00000269992F14E0>]
23668 : 2024-12-07 13:38:31,541 : DEBUG : cli.knack.cli : Event: CommandInvoker.OnPreCommandTableCreate []
23668 : 2024-12-07 13:38:31,549 : DEBUG : cli.azure.cli.core : Modules found from index for 'login': ['azure.cli.command_modules.profile']
23668 : 2024-12-07 13:38:31,550 : DEBUG : cli.azure.cli.core : Loading command modules:
23668 : 2024-12-07 13:38:31,550 : DEBUG : cli.azure.cli.core : Name                  Load Time    Groups  Commands
23668 : 2024-12-07 13:38:31,554 : DEBUG : cli.azure.cli.core : profile                   0.005         2         8
23668 : 2024-12-07 13:38:31,555 : DEBUG : cli.azure.cli.core : Total (1)                 0.005         2         8
23668 : 2024-12-07 13:38:31,555 : DEBUG : cli.azure.cli.core : Loaded 2 groups, 8 commands.
23668 : 2024-12-07 13:38:31,555 : DEBUG : cli.azure.cli.core : Found a match in the command table.
23668 : 2024-12-07 13:38:31,555 : DEBUG : cli.azure.cli.core : Raw command  : login
23668 : 2024-12-07 13:38:31,555 : DEBUG : cli.azure.cli.core : Command table: login
23668 : 2024-12-07 13:38:31,555 : DEBUG : cli.knack.cli : Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x000002699A081D00>]
23668 : 2024-12-07 13:38:31,555 : DEBUG : cli.azure.cli.core.azlogging : metadata file logging enabled - writing logs to 'C:\Users\SANITISED\.azure\commands\2024-12-07.13-38-31.login.23668.log'.
23668 : 2024-12-07 13:38:31,556 : INFO : az_command_data_logger : command args: login --scope {}
23668 : 2024-12-07 13:38:31,556 : DEBUG : cli.knack.cli : Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x000002699A19D800>]
23668 : 2024-12-07 13:38:31,559 : DEBUG : cli.knack.cli : Event: CommandInvoker.OnPostArgumentLoad []
23668 : 2024-12-07 13:38:31,559 : DEBUG : cli.knack.cli : Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x000002699A19D8A0>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x000002699A19D9E0>, <function register_upcoming_breaking_change_info.<locals>.update_breaking_change_info at 0x000002699A19DA80>]
23668 : 2024-12-07 13:38:31,561 : DEBUG : cli.knack.cli : Event: CommandInvoker.OnCommandTableLoaded []
23668 : 2024-12-07 13:38:31,561 : DEBUG : cli.knack.cli : Event: CommandInvoker.OnPreParseArgs []
23668 : 2024-12-07 13:38:31,561 : DEBUG : cli.knack.cli : Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x00000269992CC180>, <function CLIQuery.handle_query_parameter at 0x00000269992F1580>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x000002699A19D940>]
23668 : 2024-12-07 13:38:31,683 : DEBUG : cli.azure.cli.core.auth.persistence : build_persistence: location='C:\\Users\\SANITISED\\.azure\\msal_token_cache.bin', encrypt=True
23668 : 2024-12-07 13:38:31,716 : DEBUG : cli.azure.cli.core.auth.binary_cache : load: C:\Users\SANITISED\.azure\msal_http_cache.bin
23668 : 2024-12-07 13:38:32,306 : DEBUG : urllib3.util.retry : Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
23668 : 2024-12-07 13:38:32,307 : DEBUG : msal.authority : Initializing with Entra authority: https://login.microsoftonline.com/organizations
23668 : 2024-12-07 13:38:32,307 : DEBUG : msal.authority : openid_config("https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/organizations/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/{tenantid}/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/organizations/kerberos', 'tenant_region_scope': None, 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
23668 : 2024-12-07 13:38:32,320 : DEBUG : msal.application : Broker enabled? True
23668 : 2024-12-07 13:38:32,321 : DEBUG : msal.application : Falls back to broker._signin_interactively()
23668 : 2024-12-07 13:38:32,321 : WARNING : cli.azure.cli.core.auth.identity : Select the account you want to log in with. For more information on login with Azure CLI, see https://go.microsoft.com/fwlink/?linkid=2271136
23668 : 2024-12-07 13:38:32,332 : DEBUG : msal.broker : [MSAL:0001]	WARNING	SetAuthorityUri:78	Initializing authority from URI 'https://login.microsoftonline.com/organizations' without authority type, defaulting to MsSts
23668 : 2024-12-07 13:38:32,339 : DEBUG : msal.broker : [MSAL:0002]	INFO   	SetCorrelationId:258	Set correlation ID: 12a4e21e-54a3-436b-a196-9b1b15b1c575
23668 : 2024-12-07 13:38:32,341 : DEBUG : msal.broker : [MSAL:0002]	INFO   	ExecuteInteractiveRequest:1159	The original authority is 'https://login.microsoftonline.com/organizations'
23668 : 2024-12-07 13:38:32,341 : DEBUG : msal.broker : [MSAL:0002]	WARNING	TryNormalizeRealm:2420	No HomeAccountId provided to normalize the realm
23668 : 2024-12-07 13:38:32,341 : DEBUG : msal.broker : [MSAL:0002]	INFO   	ExecuteInteractiveRequest:1170	The normalized realm is ''
23668 : 2024-12-07 13:38:32,344 : DEBUG : msal.broker : [MSAL:0002]	INFO   	ModifyAndValidateAuthParameters:219	Additional query parameter added successfully. Key: '(pii)' Value: '(pii)'
23668 : 2024-12-07 13:38:32,344 : DEBUG : msal.broker : [MSAL:0002]	INFO   	ModifyAndValidateAuthParameters:219	Additional query parameter added successfully. Key: '(pii)' Value: '(pii)'
23668 : 2024-12-07 13:38:32,344 : DEBUG : msal.broker : [MSAL:0002]	INFO   	ModifyAndValidateAuthParameters:243	Authority Realm: organizations
23668 : 2024-12-07 13:38:32,344 : DEBUG : msal.broker : [MSAL:0002]	WARNING	TryEnqueueMsaDeviceCredentialAcquisitionAndContinue:1052	MsaDeviceOperationProvider is not available. Not attempting to register the device.
23668 : 2024-12-07 13:38:32,345 : DEBUG : msal.broker : [MSAL:0003]	WARNING	ReturnResponseDueToMissingParameter:693	Attempted to read cache with a non-normalized realm, access token and ID token reads will fail
23668 : 2024-12-07 13:38:32,346 : DEBUG : msal.broker : [MSAL:0003]	WARNING	ReadAccountById:227	Account id is empty - account not found
23668 : 2024-12-07 13:38:38,877 : DEBUG : msal.broker : [MSAL:0004]	ERROR  	ErrorInternalImpl:134	Created an error: 4usqa, StatusInternal::IncorrectConfiguration, InternalEvent::None, Error Code 3399614475, Context '(pii)'
23668 : 2024-12-07 13:38:38,877 : DEBUG : msal.broker : [MSAL:0004]	INFO   	LogTelemetryData:422	Printing Telemetry for Correlation ID: 12a4e21e-54a3-436b-a196-9b1b15b1c575
23668 : 2024-12-07 13:38:38,877 : DEBUG : msal.broker : [MSAL:0004]	INFO   	LogTelemetryData:430	Key: start_time, Value: 2024-12-07T13:38:32.000Z
23668 : 2024-12-07 13:38:38,877 : DEBUG : msal.broker : [MSAL:0004]	INFO   	LogTelemetryData:430	Key: api_name, Value: SignInInteractively
23668 : 2024-12-07 13:38:38,877 : DEBUG : msal.broker : [MSAL:0004]	INFO   	LogTelemetryData:430	Key: was_request_throttled, Value: false
23668 : 2024-12-07 13:38:38,877 : DEBUG : msal.broker : [MSAL:0004]	INFO   	LogTelemetryData:430	Key: authority_type, Value: Unknown
23668 : 2024-12-07 13:38:38,877 : DEBUG : msal.broker : [MSAL:0004]	INFO   	LogTelemetryData:430	Key: msal_version, Value: 1.1.0+local
23668 : 2024-12-07 13:38:38,877 : DEBUG : msal.broker : [MSAL:0004]	INFO   	LogTelemetryData:430	Key: api_status_code, Value: StatusInternal::IncorrectConfiguration
23668 : 2024-12-07 13:38:38,877 : DEBUG : msal.broker : [MSAL:0004]	INFO   	LogTelemetryData:430	Key: client_id, Value: SANITISED
23668 : 2024-12-07 13:38:38,877 : DEBUG : msal.broker : [MSAL:0004]	INFO   	LogTelemetryData:430	Key: correlation_id, Value: 12a4e21e-54a3-436b-a196-9b1b15b1c575
23668 : 2024-12-07 13:38:38,878 : DEBUG : msal.broker : [MSAL:0004]	INFO   	LogTelemetryData:430	Key: broker_app_used, Value: true
23668 : 2024-12-07 13:38:38,878 : DEBUG : msal.broker : [MSAL:0004]	INFO   	LogTelemetryData:430	Key: stop_time, Value: 2024-12-07T13:38:38.000Z
23668 : 2024-12-07 13:38:38,878 : DEBUG : msal.broker : [MSAL:0004]	INFO   	LogTelemetryData:430	Key: all_error_tags, Value: 4usqa
23668 : 2024-12-07 13:38:38,878 : DEBUG : msal.broker : [MSAL:0004]	INFO   	LogTelemetryData:430	Key: msalruntime_version, Value: 0.16.2
23668 : 2024-12-07 13:38:38,878 : DEBUG : msal.broker : [MSAL:0004]	INFO   	LogTelemetryData:430	Key: original_authority, Value: https://login.microsoftonline.com/organizations
23668 : 2024-12-07 13:38:38,878 : DEBUG : msal.broker : [MSAL:0004]	INFO   	LogTelemetryData:430	Key: request_eligible_for_broker, Value: true
23668 : 2024-12-07 13:38:38,878 : DEBUG : msal.broker : [MSAL:0004]	INFO   	LogTelemetryData:430	Key: additional_query_parameters_count, Value: 2
23668 : 2024-12-07 13:38:38,878 : DEBUG : msal.broker : [MSAL:0004]	INFO   	LogTelemetryData:430	Key: read_token_last_error, Value: missing required parameter
23668 : 2024-12-07 13:38:38,878 : DEBUG : msal.broker : [MSAL:0004]	INFO   	LogTelemetryData:430	Key: auth_flow, Value: Broker
23668 : 2024-12-07 13:38:38,878 : DEBUG : msal.broker : [MSAL:0004]	INFO   	LogTelemetryData:430	Key: ui_event_count, Value: 1
23668 : 2024-12-07 13:38:38,878 : DEBUG : msal.broker : [MSAL:0004]	INFO   	LogTelemetryData:430	Key: wam_telemetry, Value: {"x_ms_clitelem":"1,500011,0,99883.4689,","ui_visible":false,"server_error_code":500011,"scope":"profile api://SANITISED/API.Access/.default offline_access openid","redirect_uri":"ms-appx-web://Microsoft.AAD.BrokerPlugin/SANITISED","provider_id":"https://login.windows.net","oauth_error_code":"invalid_resource","http_status":400,"http_event_count":1,"http_content_type":"application/json; charset=utf-8","http_content_size":795,"device_join":"aadj","correlation_id":"{12a4e21e-54a3-436b-a196-9b1b15b1c575}","client_id":"SANITISED","cache_event_count":0,"broker_version":"10.0.22621.4391","authority":"https://login.microsoftonline.com/organizations","api_error_code":-895352821,"account_join_on_start":"secondary","account_join_on_end":"secondary","silent_code":3399614475,"silent_bi_sub_code":0,"silent_message":"V2Error: invalid_resource AADSTS500011: The resource principal named api://SANITISED/API.Access was not found in the tenant named SANITISED. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant. Trace ID: 555c8222-bdc6-4875-bd6e-22a644a42f00 Correlation ID: 12a4e21e-54a3-436b-a196-9b1b15b1c575 Timestamp: 2024-12-07 13:38:39Z","silent_mats":{"x_ms_clitelem":"1,500011,0,99883.4689,","ui_visible":false,"server_error_code":500011,"scope":"profile api://SANITISED/API.Access/.default offline_access openid","redirect_uri":"ms-appx-web://Microsoft.AAD.BrokerPlugin/SANITISED","provider_id":"https://login.windows.net","oauth_error_code":"invalid_resource","http_status":400,"http_event_count":1,"http_content_type":"application/json; charset=utf-8","http_content_size":795,"device_join":"aadj","correlation_id":"{12a4e21e-54a3-436b-a196-9b1b15b1c575}","client_id":"SANITISED","cache_event_count":0,"broker_version":"10.0.22621.4391","authority":"https://login.microsoftonline.com/organizations","api_error_code":-895352821,"account_join_on_start":"secondary","account_join_on_end":"secondary"},"silent_status":5,"is_cached":0}
23668 : 2024-12-07 13:38:38,878 : DEBUG : msal.broker : [MSAL:0004]	INFO   	LogTelemetryData:430	Key: authorization_type, Value: Interactive
23668 : 2024-12-07 13:38:38,878 : DEBUG : msal.broker : [MSAL:0004]	INFO   	LogTelemetryData:430	Key: api_error_code, Value: 3399614475
23668 : 2024-12-07 13:38:38,878 : DEBUG : msal.broker : [MSAL:0004]	INFO   	LogTelemetryData:430	Key: api_error_tag, Value: 4usqa
23668 : 2024-12-07 13:38:38,878 : DEBUG : msal.broker : [MSAL:0004]	INFO   	LogTelemetryData:430	Key: api_error_context, Value: (pii)
23668 : 2024-12-07 13:38:38,878 : DEBUG : msal.broker : [MSAL:0004]	INFO   	LogTelemetryData:430	Key: is_successful, Value: false
23668 : 2024-12-07 13:38:38,878 : DEBUG : msal.broker : [MSAL:0004]	INFO   	LogTelemetryData:430	Key: request_duration, Value: 6536
23668 : 2024-12-07 13:38:38,878 : DEBUG : msal.broker : [MSAL:0004]	INFO   	LogTelemetryData:435	Printing Execution Flow:
23668 : 2024-12-07 13:38:38,878 : DEBUG : msal.broker : [MSAL:0004]	INFO   	LogTelemetryData:443	{"t":"646u1","tid":2,"ts":0,"l":2},{"t":"4s7ub","tid":2,"ts":0,"l":2},{"t":"4sufd","tid":2,"ts":1,"s":2,"l":2},{"t":"4swgg","tid":2,"ts":1,"s":1,"l":2},{"t":"4swgf","tid":2,"ts":1,"s":1,"l":2},{"t":"4swgi","tid":3,"ts":1,"s":1,"l":2},{"t":"8dqim","tid":3,"ts":1,"l":2},{"t":"8dqkl","tid":3,"ts":2,"l":2,"a":9,"ie":0},{"t":"54uxe","tid":2,"ts":2,"l":2},{"t":"4wqm9","tid":4,"ts":5850,"l":2},{"t":"4o9ak","tid":4,"ts":5850,"l":2},{"t":"4o9ai","tid":4,"ts":5856,"l":2},{"t":"8dqkn","tid":4,"ts":6533,"l":2,"a":5,"ie":1},{"t":"8dqko","tid":4,"ts":6533,"l":2,"a":9,"ie":1},{"t":"646u1","tid":4,"ts":6533,"l":2}
23668 : 2024-12-07 13:38:39,202 : DEBUG : cli.azure.cli.core.azclierror : Traceback (most recent call last):
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 666, in execute
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 733, in _run_jobs_serially
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 703, in _run_job
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 336, in __call__
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/profile/custom.py", line 173, in login
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/_profile.py", line 176, in login
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/identity.py", line 173, in login_with_auth_code
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/util.py", line 149, in check_result
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/util.py", line 53, in aad_error_handler
azure.cli.core.azclierror.AuthenticationError: (pii). Status: Response_Status.Status_IncorrectConfiguration, Error code: 3399614475, Tag: 508634112

23668 : 2024-12-07 13:38:39,271 : ERROR : cli.azure.cli.core.azclierror : (pii). Status: Response_Status.Status_IncorrectConfiguration, Error code: 3399614475, Tag: 508634112
23668 : 2024-12-07 13:38:39,271 : ERROR : az_command_data_logger : (pii). Status: Response_Status.Status_IncorrectConfiguration, Error code: 3399614475, Tag: 508634112
23668 : 2024-12-07 13:38:39,272 : DEBUG : cli.knack.cli : Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x000002699A081F80>]
23668 : 2024-12-07 13:38:39,272 : INFO : az_command_data_logger : exit code: 1
23668 : 2024-12-07 13:38:39,273 : INFO : cli.__main__ : Command ran in 8.904 seconds (init: 1.171, invoke: 7.733)
23668 : 2024-12-07 13:38:39,401 : INFO : telemetry.main : Begin splitting cli events and extra events, total events: 1
23668 : 2024-12-07 13:38:39,401 : INFO : telemetry.client : Accumulated 0 events. Flush the clients.
23668 : 2024-12-07 13:38:39,401 : INFO : telemetry.main : Finish splitting cli events and extra events, cli events: 1
23668 : 2024-12-07 13:38:39,402 : INFO : telemetry.save : Save telemetry record of length 4367 in cache file under C:\Users\SANITISED\.azure\telemetry\20241207133839401
23668 : 2024-12-07 13:38:39,402 : INFO : telemetry.main : Begin creating telemetry upload process.
23668 : 2024-12-07 13:38:39,403 : INFO : telemetry.process : Creating upload process: "C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe C:\Program Files\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry\__init__.pyc C:\Users\SANITISED\.azure C:\Users\SANITISED\.azure\telemetry\20241207133839401"
23668 : 2024-12-07 13:38:39,446 : INFO : telemetry.process : Return from creating process 10368
23668 : 2024-12-07 13:38:39,446 : INFO : telemetry.main : Finish creating telemetry upload process.

Expected behavior

I expect a valid JWT token response from my scope. This works with AzD CLI.

Environment Summary

> az --version
azure-cli                         2.67.0

core                              2.67.0
telemetry                          1.1.0

Dependencies:
msal                              1.31.0
azure-mgmt-resource               23.1.1

Python location 'C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\SANITISED\.azure\cliextensions'

Python (Windows) 3.12.7 (tags/v3.12.7:0b05ead, Oct  1 2024, 03:06:41) [MSC v.1941 64 bit (AMD64)]

Legal docs and information: aka.ms/AzureCliLegal


Your CLI is up-to-date.

Additional context

Initially raised an issue with the Azure SDK for dotnet team as I spotted this whilst trying to use the DefaultAzureCredential() class for authentication locally when developing/debugging dotnet Azure PaaS code where we can use az login for local dev, and managed identity when the code runs in the PaaS context. Issue: Azure/azure-sdk-for-net#47412
@riosengineer riosengineer added the bug This issue requires a change to an existing behavior in the product in order to be resolved. label Dec 7, 2024
@yonzhan
Copy link
Collaborator

yonzhan commented Dec 7, 2024

Thank you for opening this issue, we will look into it.

@microsoft-github-policy-service microsoft-github-policy-service bot added customer-reported Issues that are reported by GitHub users external to the Azure organization. Auto-Assign Auto assign by bot ARM az resource/group/lock/tag/deployment/policy/managementapp/account management-group labels Dec 7, 2024
@microsoft-github-policy-service microsoft-github-policy-service bot added Azure CLI Team The command of the issue is owned by Azure CLI team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that Account az login/account AAD labels Dec 7, 2024
@yonzhan yonzhan added this to the Backlog milestone Dec 7, 2024
@yonzhan yonzhan removed the bug This issue requires a change to an existing behavior in the product in order to be resolved. label Dec 7, 2024
@riosengineer
Copy link
Author

Hi, is there anyone who could advise? @yonzhan

@danmacode
Copy link

Hi, is there anyone who could advise? @yonzhan

Hi, did you solve your issue?

@riosengineer
Copy link
Author

Hi, is there anyone who could advise? @yonzhan

Hi, did you solve your issue?

I have not no. I can get a token from Azure Developer CLI via a scope, but not via Azure CLI still.

@danmacode
Copy link

danmacode commented Jan 13, 2025
edited
Loading

Hi, is there anyone who could advise? @yonzhan

Hi, did you solve your issue?

I have not no. I can get a token from Azure Developer CLI via a scope, but not via Azure CLI still.

I found the same error code when trying to acquire a token:

ERROR: (pii). Status: Response_Status.Status_IncorrectConfiguration, Error code: 3399614475, Tag: 508634112
Please explicitly log in with:
az login --scope api://00000000-yyyy-yyyy-yyyy-000000000000/Users.Read.All/.default

But using az login --scope didn't let me obtain the token afterwards (I received the same error code)

Instead, to obtain the accessToken what I'm doing is fist logging into the Tenant where the scope lives, using the tenantId, then acquiring an accessToken with just the --scope parameter and scope GUID

az login --allow-no-subscriptions --tenant "00000000-xxxx-xxxx-xxxx-000000000000" 
$token = az account get-access-token --scope "api://00000000-yyyy-yyyy-yyyy-000000000000/Users.Read.All/.default" -o json | ConvertFrom-Json

Alternatively, login with the same scope then get the token:

az login --allow-no-subscriptions --scope "api://00000000-yyyy-yyyy-yyyy-000000000000/Users.Read.All/.default"
$token = az account get-access-token --scope "api://00000000-yyyy-yyyy-yyyy-000000000000/Users.Read.All/.default" -o json | ConvertFrom-Json

@riosengineer
Copy link
Author

Hi, is there anyone who could advise? @yonzhan

Hi, did you solve your issue?

I have not no. I can get a token from Azure Developer CLI via a scope, but not via Azure CLI still.

I found the same error code when trying to acquire a token:

ERROR: (pii). Status: Response_Status.Status_IncorrectConfiguration, Error code: 3399614475, Tag: 508634112
Please explicitly log in with:
az login --scope api://00000000-yyyy-yyyy-yyyy-000000000000/Users.Read.All/.default

But using az login --scope didn't let me obtain the token afterwards (I received the same error code)

Instead, to obtain the accessToken what I'm doing is fist logging into the Tenant where the scope lives, using the tenantId, then acquiring an accessToken with just the --scope parameter and scope GUID

az login --allow-no-subscriptions --tenant "00000000-xxxx-xxxx-xxxx-000000000000"
$token = az account get-access-token --scope "api://00000000-yyyy-yyyy-yyyy-000000000000/Users.Read.All/.default" -o json | ConvertFrom-Json

That did indeed work! Which is great. Thanks for the pointer there. Although I am unsure why I have to explicitly state the tenant cmdlet syntax, given this particular account is only logging into one tenant, it has access to no other. Feels like I shouldn't have to do that. I understand if the account had access to multiple tenants.

@danmacode
Copy link

danmacode commented Jan 13, 2025
edited
Loading

Hi, is there anyone who could advise? @yonzhan

Hi, did you solve your issue?

I have not no. I can get a token from Azure Developer CLI via a scope, but not via Azure CLI still.

I found the same error code when trying to acquire a token:

ERROR: (pii). Status: Response_Status.Status_IncorrectConfiguration, Error code: 3399614475, Tag: 508634112
Please explicitly log in with:
az login --scope api://00000000-yyyy-yyyy-yyyy-000000000000/Users.Read.All/.default

But using az login --scope didn't let me obtain the token afterwards (I received the same error code)
Instead, to obtain the accessToken what I'm doing is fist logging into the Tenant where the scope lives, using the tenantId, then acquiring an accessToken with just the --scope parameter and scope GUID
az login --allow-no-subscriptions --tenant "00000000-xxxx-xxxx-xxxx-000000000000"
$token = az account get-access-token --scope "api://00000000-yyyy-yyyy-yyyy-000000000000/Users.Read.All/.default" -o json | ConvertFrom-Json

That did indeed work! Which is great. Thanks for the pointer there. Although I am unsure why I have to explicitly state the tenant cmdlet syntax, given this particular account is only logging into one tenant, it has access to no other. Feels like I shouldn't have to do that. I understand if the account had access to multiple tenants.

Sorry, I've edited my message, you can either specify a login via --tenant, or, --scope (2nd snippet).

You're right, specifying the tenant doesn't make sense in this context. Using the --scope login is better, unless you want to keep using azure-cli commands at the tenant level in the same session, after getting the scoped token.

@riosengineer
Copy link
Author

Hi, is there anyone who could advise? @yonzhan

Hi, did you solve your issue?

I have not no. I can get a token from Azure Developer CLI via a scope, but not via Azure CLI still.

I found the same error code when trying to acquire a token:

ERROR: (pii). Status: Response_Status.Status_IncorrectConfiguration, Error code: 3399614475, Tag: 508634112
Please explicitly log in with:
az login --scope api://00000000-yyyy-yyyy-yyyy-000000000000/Users.Read.All/.default

But using az login --scope didn't let me obtain the token afterwards (I received the same error code)
Instead, to obtain the accessToken what I'm doing is fist logging into the Tenant where the scope lives, using the tenantId, then acquiring an accessToken with just the --scope parameter and scope GUID
az login --allow-no-subscriptions --tenant "00000000-xxxx-xxxx-xxxx-000000000000"
$token = az account get-access-token --scope "api://00000000-yyyy-yyyy-yyyy-000000000000/Users.Read.All/.default" -o json | ConvertFrom-Json

That did indeed work! Which is great. Thanks for the pointer there. Although I am unsure why I have to explicitly state the tenant cmdlet syntax, given this particular account is only logging into one tenant, it has access to no other. Feels like I shouldn't have to do that. I understand if the account had access to multiple tenants.

Sorry, I've edited my message, you can either specify a login via --tenant, or, --scope (2nd snippet).

You're right, specifying the tenant doesn't make sense in this context. Using the --scope login is better, unless you want to keep using azure-cli commands at the tenant level in the same session, after getting the scoped token.

Thanks for this. Strangely, it now seems to work with just az login under a fresh terminal session. No idea what's going on now, it works which is great. Now I need to understand why the DefaultAzureCredential class still says 'Please run az login to set up account'. Before, it was almost understandable as I couldn't get a token reply directly from Azure CLI natively. However, now I can, so the DefaultAzureCredential class should also work. Will see what the SDK team say in my other issue.

I still think the Azure CLI team could improve the debug response on this, as it didn't make much sense to me why it didn't work for me

@jiasli jiasli changed the title Azure CLI doesn't return token for scope Azure CLI doesn't return token for scope: ERROR: (pii). Status: Response_Status.Status_IncorrectConfiguration, Error code: 3399614475, Tag: 508634112 Jan 14, 2025
@jiasli
Copy link
Member

jiasli commented Jan 14, 2025

When trying to obtain an access token using this scope, I receive a strange and obstruse error: (pii). Status: Response_Status.Status_IncorrectConfiguration, Error code: 3399614475, Tag: 508634112

Either way, the error is pretty unhelpful and doesn't offer much in the way of what is wrong.

I fully understand the error message (pii). Status: Response_Status.Status_IncorrectConfiguration, Error code: 3399614475, Tag: 508634112 is not helpful. This is tracked by AzureAD/microsoft-authentication-library-for-python#698.

I see an error about the auth being to the wrong tenant. It is not the wrong tenant, and I am logged in no problems.

I am not sure if it is due to Entra's propagation latency or WAM. Could you turn off WAM and see if it works: https://learn.microsoft.com/en-us/cli/azure/authenticate-azure-cli-interactively#sign-in-with-web-account-manager-wam-on-windows

Instead, to obtain the accessToken what I'm doing is fist logging into the Tenant where the scope lives, using the tenantId, then acquiring an accessToken with just the --scope parameter and scope GUID

For az login, --tenant and --scope are not mutually exclusive. You can use them together to meet the tenant's requirements such as MFA in the initial interactive authentication.

@jiasli jiasli mentioned this issue Jan 14, 2025
Open
@riosengineer
Copy link
Author

When trying to obtain an access token using this scope, I receive a strange and obstruse error: (pii). Status: Response_Status.Status_IncorrectConfiguration, Error code: 3399614475, Tag: 508634112

Either way, the error is pretty unhelpful and doesn't offer much in the way of what is wrong.

I fully understand the error message (pii). Status: Response_Status.Status_IncorrectConfiguration, Error code: 3399614475, Tag: 508634112 is not helpful. This is tracked by AzureAD/microsoft-authentication-library-for-python#698.

I see an error about the auth being to the wrong tenant. It is not the wrong tenant, and I am logged in no problems.

I am not sure if it is due to Entra's propagation latency or WAM. Could you turn off WAM and see if it works: https://learn.microsoft.com/en-us/cli/azure/authenticate-azure-cli-interactively#sign-in-with-web-account-manager-wam-on-windows

Instead, to obtain the accessToken what I'm doing is fist logging into the Tenant where the scope lives, using the tenantId, then acquiring an accessToken with just the --scope parameter and scope GUID

For az login, --tenant and --scope are not mutually exclusive. You can use them together to meet the tenant's requirements such as MFA in the initial interactive authentication.

Thanks. It seems to work both ways, with or without WAM now - I can't seem to replicate that error from prior however it could be a cache thing since running the cmdlets from danmacode.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jiasli jiasli

Labels
AAD Account az login/account ARM az resource/group/lock/tag/deployment/policy/managementapp/account management-group Auto-Assign Auto assign by bot Azure CLI Team The command of the issue is owned by Azure CLI team customer-reported Issues that are reported by GitHub users external to the Azure organization. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that
Projects
None yet
Milestone
Backlog
Development

No branches or pull requests
4 participants
@jiasli @riosengineer @danmacode @yonzhan