yonzhan
commented
3 months ago Thank you for opening this issue, we will look into it.
Open clumsyhands opened 3 months ago
yonzhan
commented
3 months ago Thank you for opening this issue, we will look into it.
SeanKilleen
commented
3 months ago In case it's helpful to triangulate, I am now getting this error as of this morning using the azuread terraform provider with nothing having changed in my Terraform code. I'm filing something over there but I'll link it here.
TimHodkin
commented
3 months ago Hi,
I am seeing this same issue over the last few days.
I have found that bypassing a conditional access policy we have that is blocking based on geo network locations it then works fine. I could not make this work without bypassing this policy. To my knowledge we have not modified this CA in quite some time and is only blocking limited countries.
I am also seeing this with the AZ powershell module. Anything that tries to lookup Entra based object or references seems to fail.
`Get-AzRoleassignment: SharedTokenCacheCredential authentication unavailable. Token acquisition failed for user
`
durankeeley
commented
3 months ago Just been hit with the same. 2 days ago was fine. now with no change to the code I get this with Terraform:
Error: Retrieving Application with object ID "88b184d2-1b2c-45a2-86f9-cdae5f79c005"
│
│ with module.apim_instance.azuread_application.aad_application,
│ on ..\..\..\..\modules\azure\azure-apim\main.tf line 36, in resource "azuread_application" "aad_application":
│ 36: resource "azuread_application" "aad_application" {
│
│ ApplicationsClient.BaseClient.Get(): unexpected status 401 with OData error: InvalidAuthenticationToken: Exception of
│ type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown.
╵same if I use az ad app list
Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown.Tried to exclude myself in all Conditional Access but that didn't help
Natasha-Kohli
commented
3 months ago In case it's helpful to triangulate, I am now getting this error as of this morning using the azuread terraform provider with nothing having changed in my Terraform code. I'm filing something over there but I'll link it here.
I've been getting the same error everyone else has occasionally. As per Sean's linked issue, there is nothing I do that fixes the error other than time. It's hard to tell if logging out and logging back in is actually fixing anything
seblatre
commented
2 months ago For those who are reaching this issue like me, I was able to workaround it by setting the env variable AZURE_IDENTITY_DISABLE_CP1=1 prior to call the az ad sp...
(export AZURE_IDENTITY_DISABLE_CP1=1 in Linux env)
psinghca
commented
2 months ago Same issue with all 'az ad' commands. No conditional policy or MFA on the account.
Resolution for me: Remove your .azure folder from the root (linux) and do the az login again to resolve it.
Describe the bug
What does this error mean? There is nothing online about it? I receive this error when running "az ad app" commands from a local Az CLI
Related command
az login az ad app list
Errors
cli.azure.cli.core.azclierror: Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown. az_command_data_logger: Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown.
Issue script & Debug output
cli.azure.cli.core.util: Response status: 401 cli.azure.cli.core.util: Response headers: cli.azure.cli.core.util: 'Transfer-Encoding': 'chunked' cli.azure.cli.core.util: 'Content-Type': 'application/json' cli.azure.cli.core.util: 'Content-Encoding': 'gzip' cli.azure.cli.core.util: 'Vary': 'Accept-Encoding' cli.azure.cli.core.util: 'Strict-Transport-Security': 'max-age=31536000' cli.azure.cli.core.util: 'request-id': 'ce3b4e87-736c-49ef-ad15-e1a49e05cb35' cli.azure.cli.core.util: 'client-request-id': 'ce3b4e87-736c-49ef-ad15-e1a49e05cb35' cli.azure.cli.core.util: 'x-ms-ags-diagnostic': '{"ServerInfo":{"DataCenter":"UK South","Slice":"E","Ring":"5","ScaleUnit":"004","RoleInstance":"LO1PEPF00001D5B"}}' cli.azure.cli.core.util: 'WWW-Authenticate': 'Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="00000003-0000-0000-c000-000000000000", error_description="Continuous access evaluation resulted in challenge with result: InteractionRequired and code: TokenCreatedWithOutdatedPolicies", error="insufficient_claims", claims="eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwidmFsdWUiOiIxNzE4MTkwMTQyIn0sInhtc19ycF9pcGFkZHIiOnsidmFsdWUiOiIyMC42OC4yNDEuMzAifX19", PoP realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="00000003-0000-0000-c000-000000000000", nonce="eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjA1NjEyNTAxRDRFN0NGM0Q3RjYxOUUxNjMxQTQ4MDg1OTQyMTMyQjMifQ.eyJ0cyI6MTcxODE5MDEyMH0.M98MqWkUpDJpYBdGbUsbUKm_B28m-sYDP-BWgwWQY7qYvBrmsJmqDdZdDndeafHxfqlXoEhrIH-d8A2ahr1R--VIWBYEw53-l2uubWCFQOq6VrjbXCSB-hsOOu4uB86uhTD39yG_m5GuyVcVVtYZye2Ex6MHJzAzTwzcBmVrNxG3U9iXUR32dzP9l8dZhOaM7HaUHze9A_W1Efhv4BG2O82_a84U-GhPueo3jqn_H90VdBLup736XWcT6Gy2K6Fqp1sazW1qTJNwRFZaayMllYeBzSfjmBDBpMRjbe843IPEyH0blTfmDqWLgEbIgqgsl0mJUD4IBzW6ZFkdfKHWuA"' cli.azure.cli.core.util: 'Date': 'Wed, 12 Jun 2024 11:02:22 GMT' cli.azure.cli.core.util: Response content: cli.azure.cli.core.util: {"error":{"code":"InvalidAuthenticationToken","message":"Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown.","innerError":{"date":"2024-06-12T11:02:22","request-id":"ce3b4e87-736c-49ef-ad15-e1a49e05cb35","client-request-id":"ce3b4e87-736c-49ef-ad15-e1a49e05cb35"}}}
Expected behavior
az ad app list should run without errors
Environment Summary
azure-cli 2.61.0
core 2.61.0 telemetry 1.1.0
Extensions: azure-devops 1.0.1
Dependencies: msal 1.28.0 azure-mgmt-resource 23.1.1
Additional context
No response