Azure / azure-cli

Azure Command-Line Interface

`az login` fails with "Please select the account you want to log in with" when using WAM #29188

Open austindonnelly opened 5 months ago

austindonnelly commented 5 months ago

Describe the bug

az login fails with: WARNING: Please select the account you want to log in with.

If I disable WAM, then the browser popup happens, and there I can choose between my normal corp account, or my SC-Alt account.

Related command

az login

Errors

$ az login
WARNING: Please select the account you want to log in with.

Issue script & Debug output

$ az login --debug
DEBUG: cli.knack.cli: Command arguments: ['login', '--debug']
DEBUG: cli.knack.cli: init debug log: Cannot enable color.
DEBUG: cli.knack.cli: Event: Cli.PreExecute []
DEBUG: cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x0000017FB00AF880>, <function OutputProducer.on_global_arguments at 0x0000017FB02360C0>, <function CLIQuery.on_global_arguments at 0x0000017FB0263C40>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
DEBUG: cli.azure.cli.core: Modules found from index for 'login': ['azure.cli.command_modules.profile']
DEBUG: cli.azure.cli.core: Loading command modules:
DEBUG: cli.azure.cli.core: Name Load Time Groups Commands
DEBUG: cli.azure.cli.core: profile 0.021 2 8
DEBUG: cli.azure.cli.core: Total (1) 0.021 2 8
DEBUG: cli.azure.cli.core: Loaded 2 groups, 8 commands.
DEBUG: cli.azure.cli.core: Found a match in the command table.
DEBUG: cli.azure.cli.core: Raw command : login
DEBUG: cli.azure.cli.core: Command table: login
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x0000017FB318E340>]
DEBUG: cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\austind.azure\commands\2024-06-17.15-42-36.login.15428.log'.
INFO: az_command_data_logger: command args: login --debug
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0x0000017FB31C67A0>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x0000017FB31F87C0>, <function register_cache_arguments..add_cache_arguments at 0x0000017FB31F8900>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x0000017FB0236160>, <function CLIQuery.handle_query_parameter at 0x0000017FB0263CE0>, <function register_ids_argument..parse_ids_arguments at 0x0000017FB31F8860>]
DEBUG: cli.azure.cli.core.auth.persistence: build_persistence: location='C:\Users\austind\.azure\msal_token_cache.bin', encrypt=True
DEBUG: cli.azure.cli.core.auth.binary_cache: load: C:\Users\austind.azure\msal_http_cache.bin
DEBUG: urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
INFO: msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/organizations
DEBUG: msal.authority: openid_config("https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/organizations/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/{tenantid}/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/organizations/kerberos', 'tenant_region_scope': None, 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
DEBUG: msal.application: Broker enabled? True
DEBUG: msal.application: Falls back to broker._signin_interactively()
WARNING: cli.azure.cli.core.auth.identity: Please select the account you want to log in with.
DEBUG: msal.broker: [MSAL:0001] WARNING SetAuthorityString:98 Initializing authority from string 'https://login.microsoftonline.com/organizations' without authority type, defaulting to MsSts
DEBUG: msal.broker: [MSAL:0002] INFO SetCorrelationId:273 Set correlation ID: 9a60c761-2d22-45a7-a419-d616e6bf9dfe
DEBUG: msal.broker: [MSAL:0002] INFO ExecuteInteractiveRequest:1103 The original authority is 'https://login.microsoftonline.com/organizations'
DEBUG: msal.broker: [MSAL:0002] WARNING TryNormalizeRealm:2295 No HomeAccountId provided to normalize the realm
DEBUG: msal.broker: [MSAL:0002] INFO ExecuteInteractiveRequest:1114 The normalized realm is ''
DEBUG: msal.broker: [MSAL:0002] INFO ModifyAndValidateAuthParameters:191 Additional query parameter added successfully. Key: '(pii)' Value: '(pii)'
DEBUG: msal.broker: [MSAL:0002] INFO ModifyAndValidateAuthParameters:191 Additional query parameter added successfully. Key: '(pii)' Value: '(pii)'
DEBUG: msal.broker: [MSAL:0002] INFO ModifyAndValidateAuthParameters:215 Authority Realm: organizations
DEBUG: msal.broker: [MSAL:0003] WARNING ReturnResponseDueToMissingParameter:643 Attempted to read cache with a non-normalized realm, access token and ID token reads will fail
DEBUG: msal.broker: [MSAL:0003] WARNING ReadAccountById:227 Account id is empty - account not found

Expected behavior

az login should pop up WAM, to let me choose which of my 2 accounts I'd like to use.

Environment Summary

$ az --version
azure-cli                         2.61.0

core                              2.61.0
telemetry                          1.1.0

Dependencies:
msal                              1.28.0
azure-mgmt-resource               23.1.1

Python location 'C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\austind.azure\cliextensions'

Python (Windows) 3.11.8 (tags/v3.11.8:db85d51, Feb 6 2024, 22:03:32) [MSC v.1937 64 bit (AMD64)]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

Additional context

Work-around is to disable WAM:

az config set core.enable_broker_on_windows=false

yonzhan commented 5 months ago

Thank you for opening this issue, we will look into it.

Mohamad-Hamamah-Shift commented 5 months ago

+1

onionhammer commented 4 months ago

+1

CharlesCara commented 3 months ago

+1

austindonnelly commented 3 months ago

I've updated to az version 2.63.0 and this no longer repros for me. I see WAM pop up and I get to choose which account to use.

$ az --version
azure-cli                         2.63.0

core                              2.63.0
telemetry                          1.1.0

Extensions:
azure-cli-ml                      1.41.0

Dependencies:
msal                              1.30.0
azure-mgmt-resource               23.1.1

Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\austind\.azure\cliextensions'

Python (Windows) 3.11.8 (tags/v3.11.8:db85d51, Feb  6 2024, 21:52:07) [MSC v.1937 32 bit (Intel)]

andresospina0000 commented 1 month ago

Same here. I followed these steps without success:

Sign into Azure interactively using the Azure CLI

Also, I tried to use the "Sign in to an organization" and it seems there's another issue related:

az login --use-device-code fails with "Sign in to an organisation"

stevenpce commented 1 month ago

This worked for me.

1st run the below code to manually input login info. It errored due to MFA requirement. Then I re-ran Connect-AzAccount and it worked.

$credential = Get-Credential
Connect-AzAccount -Credential $credential

jiasli commented 1 month ago

The issue description contains no error message. `WARNING: Please select the account you want to log in with.` is not an error. It is only a warning indicating the WAM window is popped up.

Do you mean you are not seeing the WAM window?

austindonnelly commented 1 month ago

That's correct - there's no WAM popup. The az login prints the WARNING message, but exits without showing WAM UI.

Also, I should point out that this might depend on the version of Windows OS that's running. I can no longer repro this bug, and I'm running Windows 11 24H2 (OS Build 26120.2130). That's the ge_release_upr.

md7648 commented 2 weeks ago

Seeing this error via PowerShell ISE and VSCode on Windows 10 22H2

VSCode version 1.94.2 system setup

Name        Value
PSVersion   7.4.6
PSEdition   Core

az login
Select the account you want to log in with. For more information on login with Azure CLI, see https://go.microsoft.com/fwlink/?linkid=2271136
Unexpected exception while waiting for accounts control to finish: '(pii)'. Status: Response_Status.Status_Unexpected, Error code: -2147023584, Tag: 528315211
Please explicitly log in with:
az login

ISE - PSVersion 5.1.19041.5129

 C:\windows\system32> az login
az : WARNING: Select the account you want to log in with. For more information on login with Azure CLI, see https://go.microsoft.com/fwlink/?linkid=2271136
At line:1 char:1
+ az login
+ ~~~~~~~~
    + CategoryInfo          : NotSpecified: (WARNING: Select...?linkid=2271136:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

ERROR: Unexpected exception while waiting for accounts control to finish: '(pii)'. Status: Response_Status.Status_Unexpected, Error code: -2147023584, Tag: 528315211
Please explicitly log in with:
az login

az cli 2.66.0 installed via MSI