Azure / azure-cli

Azure Command-Line Interface
MIT License

Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown. #29155

Open clumsyhands opened 5 months ago

clumsyhands commented 5 months ago

Describe the bug

What does this error mean? There is nothing online about it. I receive this error when running "az ad app" commands from a local Az CLI.

Related command

```
az login
az ad app list
```

Errors

```
cli.azure.cli.core.azclierror: Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown.
az_command_data_logger: Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown.
```

Issue script & Debug output

```
cli.azure.cli.core.util: Response status: 401
cli.azure.cli.core.util: Response headers:
cli.azure.cli.core.util:     'Transfer-Encoding': 'chunked'
cli.azure.cli.core.util:     'Content-Type': 'application/json'
cli.azure.cli.core.util:     'Content-Encoding': 'gzip'
cli.azure.cli.core.util:     'Vary': 'Accept-Encoding'
cli.azure.cli.core.util:     'Strict-Transport-Security': 'max-age=31536000'
cli.azure.cli.core.util:     'request-id': 'ce3b4e87-736c-49ef-ad15-e1a49e05cb35'
cli.azure.cli.core.util:     'client-request-id': 'ce3b4e87-736c-49ef-ad15-e1a49e05cb35'
cli.azure.cli.core.util:     'x-ms-ags-diagnostic': '{"ServerInfo":{"DataCenter":"UK South","Slice":"E","Ring":"5","ScaleUnit":"004","RoleInstance":"LO1PEPF00001D5B"}}'
cli.azure.cli.core.util:     'WWW-Authenticate': 'Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="00000003-0000-0000-c000-000000000000", error_description="Continuous access evaluation resulted in challenge with result: InteractionRequired and code: TokenCreatedWithOutdatedPolicies", error="insufficient_claims", claims="eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwidmFsdWUiOiIxNzE4MTkwMTQyIn0sInhtc19ycF9pcGFkZHIiOnsidmFsdWUiOiIyMC42OC4yNDEuMzAifX19", PoP realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="00000003-0000-0000-c000-000000000000", nonce="eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjA1NjEyNTAxRDRFN0NGM0Q3RjYxOUUxNjMxQTQ4MDg1OTQyMTMyQjMifQ.eyJ0cyI6MTcxODE5MDEyMH0.M98MqWkUpDJpYBdGbUsbUKm_B28m-sYDP-BWgwWQY7qYvBrmsJmqDdZdDndeafHxfqlXoEhrIH-d8A2ahr1R--VIWBYEw53-l2uubWCFQOq6VrjbXCSB-hsOOu4uB86uhTD39yG_m5GuyVcVVtYZye2Ex6MHJzAzTwzcBmVrNxG3U9iXUR32dzP9l8dZhOaM7HaUHze9A_W1Efhv4BG2O82_a84U-GhPueo3jqn_H90VdBLup736XWcT6Gy2K6Fqp1sazW1qTJNwRFZaayMllYeBzSfjmBDBpMRjbe843IPEyH0blTfmDqWLgEbIgqgsl0mJUD4IBzW6ZFkdfKHWuA"'
cli.azure.cli.core.util:     'Date': 'Wed, 12 Jun 2024 11:02:22 GMT'
cli.azure.cli.core.util: Response content:
cli.azure.cli.core.util: {"error":{"code":"InvalidAuthenticationToken","message":"Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown.","innerError":{"date":"2024-06-12T11:02:22","request-id":"ce3b4e87-736c-49ef-ad15-e1a49e05cb35","client-request-id":"ce3b4e87-736c-49ef-ad15-e1a49e05cb35"}}}
```

Expected behavior

az ad app list should run without errors

Environment Summary

azure-cli 2.61.0

core 2.61.0 telemetry 1.1.0

Extensions: azure-devops 1.0.1

Dependencies: msal 1.28.0 azure-mgmt-resource 23.1.1

Additional context

No response
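The 401 in the debug output above is not a plain "bad token" failure: the `WWW-Authenticate` header carries `error="insufficient_claims"` and a base64url `claims` value, which is a Continuous Access Evaluation (CAE) claims challenge from Microsoft Graph. Decoding the `claims` value shows what Graph is asking for. The following is an added Python example, not code from azure-cli or from the reporter; it embeds the `Bearer` and `PoP` challenges from the reporter's own debug output (the long `nonce` JWT is replaced with a placeholder) and assumes nothing beyond the Python standard library.

```python
import base64
import json
import re
from datetime import datetime, timezone

# WWW-Authenticate value from the issue's debug output. The PoP nonce JWT is
# replaced with a placeholder; everything else is verbatim.
WWW_AUTHENTICATE = (
    'Bearer realm="", '
    'authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", '
    'client_id="00000003-0000-0000-c000-000000000000", '
    'error_description="Continuous access evaluation resulted in challenge with '
    'result: InteractionRequired and code: TokenCreatedWithOutdatedPolicies", '
    'error="insufficient_claims", '
    'claims="eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwidmFsdWUiOiIx'
    'NzE4MTkwMTQyIn0sInhtc19ycF9pcGFkZHIiOnsidmFsdWUiOiIyMC42OC4yNDEuMzAifX19", '
    'PoP realm="", '
    'authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", '
    'client_id="00000003-0000-0000-c000-000000000000", nonce="<nonce JWT omitted>"'
)

# One token at a time: either key="value" or a bare scheme name such as Bearer / PoP.
_TOKEN = re.compile(r'\s*,?\s*(?:(\w+)="([^"]*)"|([A-Za-z]+))')


def parse_challenges(header: str) -> dict:
    """Split a WWW-Authenticate value into {scheme: {param: value}}.

    RFC 7235 allows several challenges in one header; Graph sends Bearer and PoP.
    """
    header = header.strip()
    challenges, current, pos = {}, None, 0
    while pos < len(header):
        m = _TOKEN.match(header, pos)
        if not m:
            raise ValueError(f"unparseable challenge at offset {pos}")
        pos = m.end()
        if m.group(3):  # bare token: a new auth scheme starts here
            current = challenges.setdefault(m.group(3), {})
        else:
            if current is None:
                raise ValueError("parameter before any scheme")
            current[m.group(1)] = m.group(2)
    return challenges


def decode_claims(claims_b64url: str) -> dict:
    """Decode the base64url claims challenge; Entra strips '=' padding."""
    padded = claims_b64url + "=" * (-len(claims_b64url) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def explain_challenge(header: str):
    """Return what a CAE claims challenge demands, or None if this is not one."""
    bearer = parse_challenges(header).get("Bearer", {})
    if bearer.get("error") != "insufficient_claims" or "claims" not in bearer:
        return None
    claims = decode_claims(bearer["claims"])
    # nbf: the resource will only accept a token issued at/after this instant,
    # i.e. the cached token must be re-acquired, not replayed.
    nbf = int(claims["access_token"]["nbf"]["value"])
    return {
        "reason": bearer.get("error_description", ""),
        "token_not_before": datetime.fromtimestamp(nbf, tz=timezone.utc).isoformat(),
        "claims": claims,
    }


if __name__ == "__main__":
    print(json.dumps(explain_challenge(WWW_AUTHENTICATE), indent=2))
```

Running it shows that the challenge asks for a token with `nbf` at or after 2024-06-12T11:02:22Z, which is the timestamp of the response itself: Graph is refusing the cached token because it was minted under policies that have since changed (`TokenCreatedWithOutdatedPolicies`) and wants a freshly issued one. The second claim, `xms_rp_ipaddr`, carries the client address the resource observed, which is how CAE lets the resource enforce location-based Conditional Access mid-token-lifetime. A CAE-aware client is expected to pass the decoded JSON back to the token library (MSAL Python accepts it as the `claims_challenge=` argument of `acquire_token_silent` / `acquire_token_interactive`) rather than surface the exception text.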

yonzhan commented 5 months ago

Thank you for opening this issue, we will look into it.

SeanKilleen commented 5 months ago

In case it's helpful to triangulate, I am now getting this error as of this morning using the azuread terraform provider with nothing having changed in my Terraform code. I'm filing something over there but I'll link it here.

TimHodkin commented 5 months ago

Hi,

I am seeing this same issue over the last few days.

I have found that if I bypass a conditional access policy we have that blocks based on geo network locations, it then works fine. I could not make this work without bypassing this policy. To my knowledge we have not modified this CA in quite some time, and it is only blocking limited countries.

I am also seeing this with the Az PowerShell module. Anything that tries to look up Entra-based objects or references seems to fail.

```
Get-AzRoleassignment: SharedTokenCacheCredential authentication unavailable. Token acquisition failed for user . Ensure that you have authenticated with a deveolper fool that supports Azure single sign on. realm: authorization_uri: https://logni.microsoftonline.com/common/oath2/authorize client_id: 0000003-0000-0000-c000-000000000000 error_description: Continuous access evaluation resulted in challenge with result: InteractionRequired and code: LocationConditionEvaluationSatisfied error: insufficient_claims
```

durankeeley commented 5 months ago

Just been hit with the same. 2 days ago it was fine; now, with no change to the code, I get this with Terraform:

```
╷
│ Error: Retrieving Application with object ID "88b184d2-1b2c-45a2-86f9-cdae5f79c005"
│
│   with module.apim_instance.azuread_application.aad_application,
│   on ..\..\..\..\modules\azure\azure-apim\main.tf line 36, in resource "azuread_application" "aad_application":
│   36: resource "azuread_application" "aad_application" {
│
│ ApplicationsClient.BaseClient.Get(): unexpected status 401 with OData error: InvalidAuthenticationToken: Exception of
│ type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown.
╵
```

same if I use az ad app list

Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown.

Tried to exclude myself in all Conditional Access but that didn't help

Natasha-Kohli commented 4 months ago

> In case it's helpful to triangulate, I am now getting this error as of this morning using the azuread terraform provider with nothing having changed in my Terraform code. I'm filing something over there but I'll link it here.

I've been getting the same error everyone else has occasionally. As per Sean's linked issue, there is nothing I do that fixes the error other than time. It's hard to tell if logging out and logging back in is actually fixing anything

seblatre commented 4 months ago

For those who are reaching this issue like me, I was able to work around it by setting the env variable AZURE_IDENTITY_DISABLE_CP1=1 prior to calling the az ad sp... command (export AZURE_IDENTITY_DISABLE_CP1=1 in a Linux env).

psinghca commented 3 months ago

Same issue with all 'az ad' commands. No conditional policy or MFA on the account.

Resolution for me: Remove your .azure folder from the root (linux) and do the az login again to resolve it.

ashtmMSFT commented 1 month ago

I'm intermittently seeing this exception while logged into az cli as a service principal (clientId + clientSecret) in a tenant with no Azure subscriptions while running commands to add/remove Entra ID users.

I first started seeing the exception after disabling and then re-enabling the service principal in the tenant.

az logout and/or az account clear followed by a fresh az login does not resolve the issue. Only waiting an indeterminate amount of time seems to fix the issue. My experience aligns with others in the thread in that the issue seems intermittent. I can't consistently repro it.

None of the workarounds proposed in the thread worked on my end.

I suspect this is likely an issue with Graph / the Entra ID service and not the az cli tool. Is there a good place for logging and tracking issues for Graph?

drdamour commented 1 month ago

$env:AZURE_IDENTITY_DISABLE_CP1=1 worked for me...not sure what it did... :(
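What the variable changes, as an added note that is not part of the thread: MSAL and azure-identity advertise the `cp1` client capability to Entra ID, meaning "this client can handle CAE claims challenges". Entra then issues long-lived CAE access tokens that the resource (here Microsoft Graph) may revoke or challenge before they expire, which is the `401` / `insufficient_claims` path reported above. With `AZURE_IDENTITY_DISABLE_CP1=1` the capability is not advertised, Entra issues ordinary short-lived tokens, and Graph does not challenge them, so the error disappears at the cost of losing near-real-time policy enforcement. The following added Python example (not code from azure-cli or azure-identity) reads a token's payload without verifying its signature, which is fine only for inspecting a token you already hold, and reports the two claims that reveal which kind of token you have; the tokens it builds are constructed, unsigned samples, not real Entra tokens.

```python
import base64
import json


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_test_token(payload: dict) -> str:
    """CONSTRUCTED, unsigned JWT for demonstration only (dummy signature segment)."""
    header = {"typ": "JWT", "alg": "none"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        "dummy-signature",
    ])


def inspect_token(token: str) -> dict:
    """Read (WITHOUT verifying) the claims that decide how a token behaves under CAE.

    xms_cc lists the client capabilities the token was issued for; a 'cp1' entry
    marks a CAE token, which is also why its lifetime is much longer than the
    usual ~1 hour.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    claims = json.loads(_b64url_decode(parts[1]))
    caps = [c.lower() for c in claims.get("xms_cc", [])]
    return {
        "audience": claims.get("aud"),
        "cae_capable": "cp1" in caps,
        "lifetime_hours": round((claims["exp"] - claims["iat"]) / 3600, 1),
    }


# Constructed sample payloads: one CAE token (cp1, ~24 h), one ordinary token (~1 h).
ISSUED_AT = 1718100000  # constructed timestamp
CAE_TOKEN = make_test_token({
    "aud": "https://graph.microsoft.com", "iat": ISSUED_AT,
    "exp": ISSUED_AT + 24 * 3600, "xms_cc": ["cp1"],
})
PLAIN_TOKEN = make_test_token({
    "aud": "https://graph.microsoft.com", "iat": ISSUED_AT,
    "exp": ISSUED_AT + 3600,
})

if __name__ == "__main__":
    for name, tok in (("CAE", CAE_TOKEN), ("plain", PLAIN_TOKEN)):
        print(name, inspect_token(tok))
```

To check a real token on your own machine, feed the `accessToken` field of `az account get-access-token --resource-type ms-graph` to `inspect_token` (copying the value into the script; do not paste it anywhere else). If it shows `cae_capable: True` and a lifetime of around a day, the CLI is holding a CAE token and a `claims` challenge from Graph is expected behaviour that the client should answer by re-acquiring the token, not a sign that the credentials are wrong.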