Azure / azure-cli

Azure Command-Line Interface
MIT License

Subscriptions not found when having AAD B2C setup #14390

Open egelke opened 4 years ago

egelke commented 4 years ago

Describe the bug

When running: az login

It gives the warning

"The following tenants don't contain accessible subscriptions. Use 'az login --allow-no-subscriptions' to have tenant level access. 15ce3ddb-0ba0-4110-92f6-6f3da6910357"

It does not actually log in.

In order for it to work I need to provide my tenant: az login -t egelke.net

To Reproduce

Set up an AAD B2C as specified by the doc: https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant Note that I did it quite a while ago, and at that time it was mandatory to first create your tenant and then link it to your existing subscription.

Set the default directory in the azure portal to the corporate (not B2C) directory.

Run: az login

You should get the warning and not be logged in. Note that it might work in your case depending on the order the tenants are returned by the https://management.azure.com/tenants?api-version=2020-01-01 service.

Expected behavior

To find my subscription, without having to specify the tenant.

It is a very standard setup, I just have the AAD B2C service enabled in the documented way. There should be no issue for the CLI to handle this situation without the need to provide any additional info.

Environment summary

Linux-5.4.0-40-generic-x86_64-with-debian-bullseye-sid
Python 3.6.10
Installer: DEB

{
  "azure-cli": "2.8.0",
  "azure-cli-command-modules-nspkg": "2.0.3",
  "azure-cli-core": "2.8.0",
  "azure-cli-nspkg": "3.0.4",
  "azure-cli-telemetry": "1.0.4",
  "extensions": {}
}

Additional context

az login --debug learned that it first retrieves the list of tenants and then retrieves the subscriptions from both tenants. The first egelke.net tenant returns my subscription, but although the AAD B2C tenant (egelkeIdp.onmicrosoft.com) is linked to the same subscription the service does not return it. (I verified everything via https://docs.microsoft.com/en-us/rest/api/resources/) In this particular case the CLI seems to have "forgotten" the subscriptions returned by the first tenant while it should have merged the 2 lists and found the sole subscription.

Below is a snippet of the logs:

urllib3.connectionpool : Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool : https://management.azure.com:443 "GET /tenants?api-version=2019-06-01 HTTP/1.1" 200 348
msrest.http_logger : Response status: 200
msrest.http_logger : Response headers:
msrest.http_logger : 'Cache-Control': 'no-cache'
msrest.http_logger : 'Pragma': 'no-cache'
msrest.http_logger : 'Content-Type': 'application/json; charset=utf-8'
--snip--
msrest.http_logger : 'Date': 'Thu, 16 Jul 2020 06:41:04 GMT'
msrest.http_logger : 'Content-Length': '348'
msrest.http_logger : Response content:
msrest.http_logger : {"value":[{"id":"/tenants/7aed0c3e-dc7c-4ac0-8e6b-c8cb344472fa","tenantId":"7aed0c3e-dc7c-4ac0-8e6b-c8cb344472fa","countryCode":"BE","displayName":"Egelke BVBA","domains":["egelke.net","share.egelke.net","www.egelke.net","egelke.onmicrosoft.com"],"tenantCategory":"Home"},{"id":"/tenants/15ce3ddb-0ba0-4110-92f6-6f3da6910357","tenantId":"15ce3ddb-0ba0-4110-92f6-6f3da6910357","countryCode":"BE","displayName":"Egelke BVBA","domains":["egelkeIdp.onmicrosoft.com"],"tenantCategory":"Home"}]}
adal-python : 009b4e6a-42c1-4525-98e8-72a9ba9be42f - Authority:Performing instance discovery: ...
adal-python : 009b4e6a-42c1-4525-98e8-72a9ba9be42f - Authority:Performing static instance discovery
adal-python : 009b4e6a-42c1-4525-98e8-72a9ba9be42f - Authority:Authority validated via static instance discovery
adal-python : 009b4e6a-42c1-4525-98e8-72a9ba9be42f - TokenRequest:Getting token from cache with refresh if necessary.
adal-python : 009b4e6a-42c1-4525-98e8-72a9ba9be42f - CacheDriver:finding with query keys: {'_clientId': '...', 'userId': '...'}
adal-python : 009b4e6a-42c1-4525-98e8-72a9ba9be42f - CacheDriver:Looking for potential cache entries: {'_clientId': '...', 'userId': '...'}
adal-python : 009b4e6a-42c1-4525-98e8-72a9ba9be42f - CacheDriver:Found 3 potential entries.
adal-python : 009b4e6a-42c1-4525-98e8-72a9ba9be42f - CacheDriver:Resource specific token found.
--snip--
msrest.universal_http.requests : Configuring retry: max_retries=4, backoff_factor=0.8, max_backoff=90
msrest.async_paging : Paging async iterator protocol is not available for SubscriptionPaged
msrest.http_logger : Request URL: 'https://management.azure.com/subscriptions?api-version=2019-06-01'
msrest.http_logger : Request method: 'GET'
msrest.http_logger : Request headers:
msrest.http_logger : 'Accept': 'application/json'
msrest.http_logger : 'accept-language': 'en-US'
msrest.http_logger : 'User-Agent': 'python/3.6.10 (Linux-5.4.0-40-generic-x86_64-with-debian-bullseye-sid) msrest/0.6.9 msrest_azure/0.6.3 azure-mgmt-resource/10.0.0 Azure-SDK-For-Python AZURECLI/2.8.0 (DEB)'
msrest.http_logger : Request body:
msrest.http_logger : None
msrest.universal_http : Configuring redirects: allow=True, max=30
msrest.universal_http : Configuring request: timeout=100, verify=True, cert=None
msrest.universal_http : Configuring proxies: ''
msrest.universal_http : Evaluate proxies against ENV settings: True
urllib3.connectionpool : Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool : https://management.azure.com:443 "GET /subscriptions?api-version=2019-06-01 HTTP/1.1" 200 431
msrest.http_logger : Response status: 200
msrest.http_logger : Response headers:
msrest.http_logger : 'Cache-Control': 'no-cache'
msrest.http_logger : 'Pragma': 'no-cache'
msrest.http_logger : 'Content-Type': 'application/json; charset=utf-8'
--snip--
msrest.http_logger : 'Date': 'Thu, 16 Jul 2020 06:41:05 GMT'
msrest.http_logger : 'Content-Length': '431'
msrest.http_logger : Response content:
msrest.http_logger : {"value":[{"id":"/subscriptions/09aa7e5c-38b1-4cad-b283-e2aa6c411d25","authorizationSource":"Legacy, RoleBased","managedByTenants":[],"subscriptionId":"09aa7e5c-38b1-4cad-b283-e2aa6c411d25","tenantId":"7aed0c3e-dc7c-4ac0-8e6b-c8cb344472fa","displayName":"Betalen per gebruik","state":"Enabled","subscriptionPolicies":{"locationPlacementId":"Public_2014-09-01","quotaId":"PayAsYouGo_2014-09-01","spendingLimit":"Off"}}],"count":{"type":"Total","value":1}}
adal-python : 2ade8d89-485d-4d7b-9c56-ac8ea1b5ed13 - Authority:Performing instance discovery: ...
adal-python : 2ade8d89-485d-4d7b-9c56-ac8ea1b5ed13 - Authority:Performing static instance discovery
adal-python : 2ade8d89-485d-4d7b-9c56-ac8ea1b5ed13 - Authority:Authority validated via static instance discovery
adal-python : 2ade8d89-485d-4d7b-9c56-ac8ea1b5ed13 - TokenRequest:Getting token from cache with refresh if necessary.
adal-python : 2ade8d89-485d-4d7b-9c56-ac8ea1b5ed13 - CacheDriver:finding with query keys: {'_clientId': '...', 'userId': '...'}
adal-python : 2ade8d89-485d-4d7b-9c56-ac8ea1b5ed13 - CacheDriver:Looking for potential cache entries: {'_clientId': '...', 'userId': '...'}
adal-python : 2ade8d89-485d-4d7b-9c56-ac8ea1b5ed13 - CacheDriver:Found 3 potential entries.
adal-python : 2ade8d89-485d-4d7b-9c56-ac8ea1b5ed13 - CacheDriver:Resource specific token found.
--snip--
msrest.universal_http.requests : Configuring retry: max_retries=4, backoff_factor=0.8, max_backoff=90
msrest.async_paging : Paging async iterator protocol is not available for SubscriptionPaged
msrest.http_logger : Request URL: 'https://management.azure.com/subscriptions?api-version=2019-06-01'
msrest.http_logger : Request method: 'GET'
msrest.http_logger : Request headers:
msrest.http_logger : 'Accept': 'application/json'
msrest.http_logger : 'accept-language': 'en-US'
msrest.http_logger : 'User-Agent': 'python/3.6.10 (Linux-5.4.0-40-generic-x86_64-with-debian-bullseye-sid) msrest/0.6.9 msrest_azure/0.6.3 azure-mgmt-resource/10.0.0 Azure-SDK-For-Python AZURECLI/2.8.0 (DEB)'
msrest.http_logger : Request body:
msrest.http_logger : None
msrest.universal_http : Configuring redirects: allow=True, max=30
msrest.universal_http : Configuring request: timeout=100, verify=True, cert=None
msrest.universal_http : Configuring proxies: ''
msrest.universal_http : Evaluate proxies against ENV settings: True
urllib3.connectionpool : Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool : https://management.azure.com:443 "GET /subscriptions?api-version=2019-06-01 HTTP/1.1" 200 161
msrest.http_logger : Response status: 200
msrest.http_logger : Response headers:
msrest.http_logger : 'Cache-Control': 'no-cache'
msrest.http_logger : 'Pragma': 'no-cache'
msrest.http_logger : 'Content-Type': 'application/json; charset=utf-8'
--snip--
msrest.http_logger : 'Date': 'Thu, 16 Jul 2020 06:41:05 GMT'
msrest.http_logger : 'Content-Length': '161'
msrest.http_logger : Response content:
msrest.http_logger : {"value":[],"count":{"type":"Total","value":0}}
The following tenants don't contain accessible subscriptions. Use 'az login --allow-no-subscriptions' to have tenant level access.
15ce3ddb-0ba0-4110-92f6-6f3da6910357
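
The merge the report above expects, as an added example (not azure-cli's own code and not part of the original issue): subscriptions are collected across every tenant returned by /tenants, so a B2C tenant that returns an empty list only produces a warning, whatever order the tenants arrive in. The sample data is trimmed from the responses in the log; `fetch_subscriptions`, `TenantAccessError`, `discover` and `login_outcome` are hypothetical names.

```python
# Added example: models the tenant/subscription merge, not azure-cli's implementation.
HOME = "7aed0c3e-dc7c-4ac0-8e6b-c8cb344472fa"   # egelke.net
B2C = "15ce3ddb-0ba0-4110-92f6-6f3da6910357"    # egelkeIdp.onmicrosoft.com
SUB = "09aa7e5c-38b1-4cad-b283-e2aa6c411d25"

# Trimmed from the /tenants and /subscriptions responses in the debug log.
TENANTS = [{"tenantId": HOME, "domains": ["egelke.net"]},
           {"tenantId": B2C, "domains": ["egelkeIdp.onmicrosoft.com"]}]
SUBSCRIPTIONS = {
    HOME: [{"subscriptionId": SUB, "tenantId": HOME,
            "displayName": "Betalen per gebruik", "state": "Enabled"}],
    B2C: [],
}


class TenantAccessError(Exception):
    """Hypothetical error: token acquisition or listing failed for one tenant."""


def fetch_subscriptions(tenant_id):
    """Hypothetical stand-in for GET /subscriptions with a token for tenant_id."""
    if tenant_id not in SUBSCRIPTIONS:
        raise TenantAccessError(tenant_id)
    return SUBSCRIPTIONS[tenant_id]


def discover(tenants, fetch=fetch_subscriptions):
    """Merge subscriptions over all tenants; return (subs, empty, failed)."""
    merged, empty, failed = {}, [], []
    for tenant in tenants:
        tid = tenant["tenantId"]
        try:
            subs = fetch(tid)
        except TenantAccessError:
            failed.append(tid)      # one bad tenant must not abort the others
            continue
        if not subs:
            empty.append(tid)       # warn only; keep what other tenants returned
        for sub in subs:
            # A subscription visible through several tenants is recorded once.
            merged.setdefault(sub["subscriptionId"], sub)
    return list(merged.values()), empty, failed


def login_outcome(tenants, fetch=fetch_subscriptions):
    """Login succeeds when any tenant yielded a subscription."""
    subs, empty, failed = discover(tenants, fetch)
    return {"logged_in": bool(subs),
            "subscriptions": [s["subscriptionId"] for s in subs],
            "warn_tenants": empty + failed}
```
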

yonzhan commented 4 years ago

add to S174

semireg commented 3 years ago

I have no idea what is wrong with my Azure account, but I had a similar issue where I needed to specify my tenant... but I didn't know what my tenant was... to find it, I looked at a subscription I wanted to use from the CLI and noted the Default Directory. Let's say my account email was user@foo.com, then my Directory was userfoocom@onmicrosoft.com. Then, using this cli login worked:

az login -t userfoocom@onmicrosoft.com