Azure / azure-cli

Azure Command-Line Interface
MIT License

Web Account Manger (WAM) Login Failed within an Azure Government Context #26486

Open benatsb opened 1 year ago

benatsb commented 1 year ago

This is autogenerated. Please review and update as needed.

Describe the bug

The following announcement was posted during a login process, so I wanted to test it. It did not work within an Azure Government context.

Announcement 
[Windows only] Starting in May 2023, Azure CLI will authenticate using the [Web Account Manager](https://learn.microsoft.com/windows/uwp/security/web-account-manager) (WAM) broker by default.

To help us collect feedback on the new login experience, you may opt-in to use WAM by running the following commands:

az config set core.allow_broker=true
az account clear
az login

I added the set cloud environment before login.

az config set core.allow_broker=true
az account clear
az cloud set --name AzureUSGovernment
az login

Command Name az login

Errors:

Please select the account you want to log in with.
The command failed with an unexpected error. Here is the traceback:
MsalRuntime won't work unless this one more redirect_uri is registered to current app: ms-appx-web://Microsoft.AAD.BrokerPlugin/04b07795-8ddb-461a-bbee-02f9e1bf7b46
Traceback (most recent call last):
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 663, in execute
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 726, in _run_jobs_serially
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 697, in _run_job
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 333, in __call__
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/profile/custom.py", line 139, in login
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/_profile.py", line 154, in login
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/identity.py", line 153, in login_with_auth_code
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/application.py", line 1813, in acquire_token_interactive
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/application.py", line 1924, in _acquire_token_interactive_via_broker
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/broker.py", line 187, in _signin_interactively
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/broker.py", line 89, in _convert_result
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/broker.py", line 55, in _convert_error
msal.broker.RedirectUriError: MsalRuntime won't work unless this one more redirect_uri is registered to current app: ms-appx-web://Microsoft.AAD.BrokerPlugin/04b07795-8ddb-461a-bbee-02f9e1bf7b46
To check existing issues, please visit: https://github.com/Azure/azure-cli/issues
To open a new issue, please run `az feedback`

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

Expected Behavior

If this is an Azure AD team issue, please note the login process does not work for Azure Government till it is resolved, especially if WAM is going to be turned on by default this month.

Expected a successful login with the WAM login method. It appears the app/resource within Azure Government AAD environments isn't fully set up or present for this login method.

Environment Summary

Windows-10-10.0.22000-SP0
Python 3.10.10
Installer: MSI

azure-cli 2.46.0

Additional Context

Azure AD snippets that might help identify the issue:

MFA reported error (accepted FIDO2 login, but this error occurred):

The reply address is missing, misconfigured, or does not match reply addresses configured for the application. Try out the resolution listed at https://docs.microsoft.com/azure/active-directory/application-sign-in-problem-federated-sso-gallery#the-reply-address-does-not-match-the-reply-addresses-configured-for-the-application. If you still see issues, contact the application owner or app admin.

---
Request ID: 3c910170-dbdb-4c71-959f-ff0e36431d00
Correlation ID: c2c5b1b5-8f6e-45c0-8dd7-dce89f17efe1
Authentication requirement: Multifactor authentication
Status: Failure
Continuous access evaluation: No
Sign-in error code: 50011
Failure reason: The {redirectTerm} '{replyAddress}' specified in the request does not match the {redirectTerm}s configured for the application '{identifier}'. Make sure the {redirectTerm} sent in the request matches one added to your application in the Azure portal. Navigate to {akamsLink} to learn more about how to fix this. {detail}
Additional Details: Developer error - the app is attempting to sign in without the necessary or correct authentication parameters.

---

User type: Member
Cross tenant access type: None
Application: Microsoft Azure CLI
Application ID: 04b07795-8ddb-461a-bbee-02f9e1bf7b46
Resource: Windows Azure Service Management API - Duplicate
Resource ID: 797f4846-ba00-4fd7-ba43-dac1f8f63013

azure-client-tools-bot-prd[bot] commented 1 year ago

Hi @benatsb,

2.46.0 is not the latest Azure CLI (2.48.1).

Please upgrade to the latest Azure CLI version by following https://learn.microsoft.com/en-us/cli/azure/update-azure-cli.

yonzhan commented 1 year ago

Thank you for opening this issue, we will look into it.

benatsb commented 1 year ago

I upgraded to azure-cli 2.48.1, and still the same error occurs.

IanKemp commented 2 months ago

Was an issue with version 2.61.0, fixed in 2.64.0.