Azure / Microsoft.Azure.StackExchangeRedis

Azure-specific wrapper for the StackExchange.Redis client library
MIT License

DefaultAzureCredentials throws exception #37

Closed eddynaka closed 11 months ago

eddynaka commented 1 year ago

Hello,

I'm trying to use DefaultAzureCredentials to authenticate to Redis using the following snippet:

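```csharp
using Azure.Identity;
using StackExchange.Redis;

// Build options for the cache endpoint and attach DefaultAzureCredential for token authentication.
var configurationOptions = await ConfigurationOptions
        .Parse("redislocation:6380")
        .ConfigureForAzureWithTokenCredentialAsync("my_guid", new DefaultAzureCredential());
var connectionMultiplexer = await ConnectionMultiplexer.ConnectAsync(configurationOptions);
Console.WriteLine("Hello, World!");
```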

Expected behavior

When I run the ConsoleApp, it should be able to connect to AzureRedisCache.

Current behavior

Throwing exception

Azure.Identity.CredentialUnavailableException: 'DefaultAzureCredential failed to retrieve a token from the included credentials. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/defaultazurecredential/troubleshoot
- EnvironmentCredential authentication unavailable. Environment variables are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/environmentcredential/troubleshoot
- WorkloadIdentityCredential authentication unavailable. The workload options are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/workloadidentitycredential/troubleshoot
- ManagedIdentityCredential authentication unavailable. The requested identity has not been assigned to this resource.
Status: 400 (Bad Request)

Content:
{"error":"invalid_request","error_description":"Identity not found"}

Headers:
Server: IMDS/150.870.65.1103
Date: Mon, 13 Nov 2023 19:03:19 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 68

- Process "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\Common7\IDE\CommonExtensions\Microsoft\Asal\TokenService\Microsoft.Asal.TokenService.exe" has failed with unexpected error: TS003: Error, TS004: Unable to get access token.  'WAM Error  
 Error Code: 3399614466 
 Error Message: IncorrectConfiguration 
 WAM Error Message: V2Error: invalid_request AADSTS65002: Consent between first party application 'my_guid' and first party resource 'acca5fbb-b7e4-4009-81f1-37e38fd66d78' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API. Trace ID: f56176a9-1bda-4036-b9fc-bb8bee96ac00 Correlation ID: e1f3e288-95e0-49ed-b285-6600d1864b7c Timestamp: 2023-11-13 19:03:26Z 
 Internal Error Code: 557973643 
 Possible causes: 
- Invalid redirect uri - ensure you have configured the following url in the application registration in Azure Portal: ms-appx-web://microsoft.aad.brokerplugin/04f0c124-f2bc-4f59-8241-bf6df9866bbd 
'.
- Please run 'az login' to set up account
- Please run 'Connect-AzAccount' to set up account.
- Please run 'azd auth login' from a command prompt to authenticate before using this credential.'

lsannicolas commented 1 year ago

Can you confirm if you have added that "my_guid" to your environment? I was able to repro this when I removed my account linked to my GUID by signing out of Visual Studio, running az logout, and running Disconnect-AzAccount.

eddynaka commented 1 year ago

Hi @lsannicolas,

What do you mean by environment?

lsannicolas commented 1 year ago

Like are you running this on a local dev machine? Or on an Azure VM?

eddynaka commented 1 year ago

Hi,

I'm currently running on my local PC. VS2022.

lsannicolas commented 1 year ago

Were you able to add the account/identity linked to the 'my_guid' to your local pc? Like is it signed into Visual Studio?

From this doc (https://learn.microsoft.com/en-us/python/api/azure-identity/azure.identity.defaultazurecredential?view=azure-python) it mentions that DefaultAzureCredential will determine the identity based on environment.

eddynaka commented 1 year ago

Yes, I'm signed on VS.

And, to be sure, I tested something similar, using AzureStorage with DefaultAzureCredentials, and it works fine.

philon-msft commented 1 year ago

Only Managed Identities or Service Principals that have been granted access to the cache via the 'Data Access Configuration' view will be allowed to connect. You'll need to sign into VS with one of those, or configure your machine so that DefaultAzureCredential picks up one of those identities.

https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-azure-active-directory-for-authentication

https://learn.microsoft.com/en-us/dotnet/api/overview/azure/identity-readme?view=azure-dotnet#environment-variables

eddynaka commented 1 year ago

Are there plans to support users as well? Similar to other resource types (AzureStorage, for example).

philon-msft commented 1 year ago

A user account can be used as a Service Principal that is granted access to a cache. For instructions see: https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-azure-active-directory-for-authentication
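
Added example, not part of the original thread and not the project's own code: a diagnostic that probes the developer-side credential sources named in the exception above one at a time and prints the object ID each one resolves to for the Redis scope, so it can be compared with the principal granted access in the cache's Data Access Configuration. The `expectedObjectId` placeholder, the `sources` list and the `ReadClaim` helper are assumptions made for illustration.

```csharp
using System;
using System.Text.Json;
using System.Threading;
using Azure.Core;
using Azure.Identity;

// Placeholder (assumption): object ID of the principal granted access to the cache.
const string expectedObjectId = "00000000-0000-0000-0000-000000000000";

// Scope documented for Microsoft Entra authentication to Azure Cache for Redis.
var context = new TokenRequestContext(new[] { "https://redis.azure.com/.default" });

// Developer-side sources from the DefaultAzureCredential chain, probed one by one.
var sources = new (string Name, TokenCredential Credential)[]
{
    ("EnvironmentCredential", new EnvironmentCredential()),
    ("VisualStudioCredential", new VisualStudioCredential()),
    ("AzureCliCredential", new AzureCliCredential()),
    ("AzurePowerShellCredential", new AzurePowerShellCredential()),
    ("AzureDeveloperCliCredential", new AzureDeveloperCliCredential()),
};

foreach (var (name, credential) in sources)
{
    try
    {
        AccessToken token = await credential.GetTokenAsync(context, CancellationToken.None);
        string? oid = ReadClaim(token.Token, "oid");
        bool match = string.Equals(oid, expectedObjectId, StringComparison.OrdinalIgnoreCase);
        Console.WriteLine($"{name}: oid={oid} tenant={ReadClaim(token.Token, "tid")} " +
                          $"=> {(match ? "matches the granted principal" : "NOT the granted principal")}");
    }
    catch (AuthenticationFailedException ex) // also covers CredentialUnavailableException
    {
        // First line only: the full message can be as long as the one in the issue.
        Console.WriteLine($"{name}: no token ({ex.Message.Split('\n')[0].Trim()})");
    }
}

// Reads one claim from the JWT payload. No signature check: this only inspects
// a token the local credential just obtained, and the token itself is never printed.
static string? ReadClaim(string jwt, string claim)
{
    string payload = jwt.Split('.')[1].Replace('-', '+').Replace('_', '/');
    payload = payload.PadRight(payload.Length + (4 - payload.Length % 4) % 4, '=');
    using JsonDocument doc = JsonDocument.Parse(Convert.FromBase64String(payload));
    return doc.RootElement.TryGetProperty(claim, out JsonElement value) ? value.GetString() : null;
}
```

The first source in the list that returns a token is the identity a default chain would present to the cache; if its object ID is not the granted one, sign that source out or grant access to that identity.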