search

Azure / azure-cli

Azure Command-Line Interface
MIT License
3.91k stars 2.88k forks source link

Unable to run 'az ad user show --id xxx@microsoft.com' on AzureML Ubuntu VM #29282

Open dunalduck0 opened 6 days ago

dunalduck0 commented 6 days ago

Describe the bug

I want to get my Entra ID programmingly via az ad user show --id xxxx@microsoft.com. When I run it on an AzureML Ubuntu VM (I ssh to this VM from my Windows workstation), I am getting error below. The same command runs successfully on my Window workstation.

cli.azure.cli.core.azclierror: AADSTS530003: Your device is required to be managed to access this resource. Trace ID: 9e5ee058-55f2-43d4-8fdd-7ae130103000 Correlation ID: 12055c6b-cc04-4bce-a4d4-cab52a130fff Timestamp: 2024-06-29 06:24:36Z
az_command_data_logger: AADSTS530003: Your device is required to be managed to access this resource. Trace ID: 9e5ee058-55f2-43d4-8fdd-7ae130103000 Correlation ID: 12055c6b-cc04-4bce-a4d4-cab52a130fff Timestamp: 2024-06-29 06:24:36Z

Another related symptom. I can run az login --use-device-code successfully on the Ubuntu VM. But if I add the option --scope https://graph.microsoft.com//.default, I am getting error below. The option works fine on my Windows worksation az login --scope https://graph.microsoft.com//.default.

image

Related command

az ad user show --id xxxx@microsoft.com az login --use-device-code --scope https://graph.microsoft.com//.default

Errors

See description above.

Issue script & Debug output

Here is the debug output for az ad user show --id xxxx@microsoft.com --debug

DEBUG: cli.knack.cli: Command arguments: ['ad', 'user', 'show', '--id', 'REDACT@microsoft.com', '--debug'] DEBUG: cli.knack.cli: init debug log: Cannot enable color. DEBUG: cli.knack.cli: Event: Cli.PreExecute [] DEBUG: cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x746a8570c040>, <function OutputProducer.on_global_arguments at 0x746a856b6200>, <function CLIQuery.on_global_arguments at 0x746a856f3ce0>] DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate [] DEBUG: cli.azure.cli.core: Modules found from index for 'ad': ['azure.cli.command_modules.role'] DEBUG: cli.azure.cli.core: Loading command modules: DEBUG: cli.azure.cli.core: Name Load Time Groups Commands DEBUG: cli.azure.cli.core: role 0.004 17 61 DEBUG: cli.azure.cli.core: Total (1) 0.004 17 61 DEBUG: cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next'] DEBUG: cli.azure.cli.core: Loading extensions: DEBUG: cli.azure.cli.core: Name Load Time Groups Commands Directory DEBUG: cli.azure.cli.core: Total (0) 0.000 0 0
DEBUG: cli.azure.cli.core: Loaded 17 groups, 61 commands. DEBUG: cli.azure.cli.core: Found a match in the command table. DEBUG: cli.azure.cli.core: Raw command : ad user show DEBUG: cli.azure.cli.core: Command table: ad user show DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x746a84674e00>] DEBUG: cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/home/REDACT/.azure/commands/2024-06-29.06-51-17.ad_user_show.1062634.log'. INFO: az_command_data_logger: command args: ad user show --id {} --debug DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0x746a846cf060>] DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad [] DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x746a8472d1c0>, <function register_cache_arguments..add_cache_arguments at 0x746a8472d300>] DEBUG: cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded [] DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreParseArgs [] DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x746a856b62a0>, <function CLIQuery.handle_query_parameter at 0x746a856f3d80>, <function register_ids_argument..parse_ids_arguments at 0x746a8472d260>] DEBUG: cli.azure.cli.core.util: Retrieving token for resource https://graph.microsoft.com/ DEBUG: cli.azure.cli.core.auth.persistence: build_persistence: location='/home/REDACT/.azure/msal_token_cache.json', encrypt=False DEBUG: cli.azure.cli.core.auth.binary_cache: load: /home/REDACT/.azure/msal_http_cache.bin DEBUG: urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None) INFO: msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47 DEBUG: msal.authority: openid_config("https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/kerberos', 'tenant_region_scope': 'WW', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'} DEBUG: msal.application: Broker enabled? None DEBUG: cli.azure.cli.core.auth.msal_authentication: UserCredential.get_token: scopes=('https://graph.microsoft.com//.default',), claims=None, kwargs={} DEBUG: msal.application: Found 1 RTs matching {'environment': 'login.microsoftonline.com', 'home_account_id': '****.72f988bf-86f1-41af-91ab-2d7cd011db47', 'family_id': '1'} DEBUG: msal.telemetry: Generate or reuse correlation_id: b70b6628-f204-44de-aab3-c0e51e80cf10 DEBUG: msal.application: Cache attempts an RT DEBUG: msal.application: Refresh failed. invalid_grant: AADSTS530003: Your device is required to be managed to access this resource. Trace ID: a3c52841-d43e-4d86-88e7-d0f2c3862b00 Correlation ID: 53263086-9034-477f-b299-66436a86d9d2 Timestamp: 2024-06-29 06:51:14Z DEBUG: msal.application: Found 1 RTs matching {'environment': 'login.microsoftonline.com', 'home_account_id': '****.72f988bf-86f1-41af-91ab-2d7cd011db47', 'client_id': '04b07795-8ddb-461a-bbee-02f9e1bf7b46'} DEBUG: msal.telemetry: Generate or reuse correlation_id: b70b6628-f204-44de-aab3-c0e51e80cf10 DEBUG: msal.application: Cache attempts an RT DEBUG: msal.application: Refresh failed. invalid_grant: AADSTS530003: Your device is required to be managed to access this resource. Trace ID: a3c52841-d43e-4d86-88e7-d0f2c3862b00 Correlation ID: 53263086-9034-477f-b299-66436a86d9d2 Timestamp: 2024-06-29 06:51:14Z DEBUG: cli.azure.cli.core.azclierror: Traceback (most recent call last): File "/opt/az/lib/python3.11/site-packages/knack/cli.py", line 233, in invoke cmd_result = self.invocation.execute(args) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/init.py", line 664, in execute raise ex File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/init.py", line 731, in _run_jobs_serially results.append(self._run_job(expanded_arg, cmd_copy)) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/init.py", line 723, in _run_job return cmd_copy.exception_handler(ex) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/opt/az/lib/python3.11/site-packages/azure/cli/command_modules/role/commands.py", line 51, in graph_err_handler raise ex File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/init.py", line 701, in _run_job result = cmd_copy(params) ^^^^^^^^^^^^^^^^ File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/init.py", line 334, in call return self.handler(args, kwargs) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/command_operation.py", line 363, in handler show_exception_handler(ex) File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/arm.py", line 432, in show_exception_handler raise ex File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/command_operation.py", line 361, in handler return op(command_args) ^^^^^^^^^^^^^^^^^^ File "/opt/az/lib/python3.11/site-packages/azure/cli/command_modules/role/custom.py", line 1859, in show_user return client.user_get(upn_or_object_id) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/opt/az/lib/python3.11/site-packages/azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 304, in user_get result = self._send("GET", "{}".format(_get_user_url(id_or_upn))) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/opt/az/lib/python3.11/site-packages/azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 52, in _send r = send_raw_request(self._cli_ctx, method, url, resource=self._resource, uri_parameters=param, ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/opt/az/lib/python3.11/site-packages/azure/cli/core/util.py", line 983, in send_raw_request tokeninfo, , _ = profile.get_raw_token(resource) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/opt/az/lib/python3.11/site-packages/azure/cli/core/_profile.py", line 406, in get_raw_token sdk_token = credential.get_token(scopes) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/opt/az/lib/python3.11/site-packages/azure/cli/core/auth/msal_authentication.py", line 74, in get_token check_result(result, scopes=scopes, claims=claims) File "/opt/az/lib/python3.11/site-packages/azure/cli/core/auth/util.py", line 139, in check_result aad_error_handler(result, **kwargs) File "/opt/az/lib/python3.11/site-packages/azure/cli/core/auth/util.py", line 43, in aad_error_handler raise AuthenticationError(error_description, msal_error=error, recommendation=login_message) azure.cli.core.azclierror.AuthenticationError: AADSTS530003: Your device is required to be managed to access this resource. Trace ID: a3c52841-d43e-4d86-88e7-d0f2c3862b00 Correlation ID: 53263086-9034-477f-b299-66436a86d9d2 Timestamp: 2024-06-29 06:51:14Z

ERROR: cli.azure.cli.core.azclierror: AADSTS530003: Your device is required to be managed to access this resource. Trace ID: a3c52841-d43e-4d86-88e7-d0f2c3862b00 Correlation ID: 53263086-9034-477f-b299-66436a86d9d2 Timestamp: 2024-06-29 06:51:14Z ERROR: az_command_data_logger: AADSTS530003: Your device is required to be managed to access this resource. Trace ID: a3c52841-d43e-4d86-88e7-d0f2c3862b00 Correlation ID: 53263086-9034-477f-b299-66436a86d9d2 Timestamp: 2024-06-29 06:51:14Z Interactive authentication is needed. Please run: az login --scope https://graph.microsoft.com//.default DEBUG: cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x746a84675080>] INFO: az_command_data_logger: exit code: 1 INFO: cli.main: Command ran in 0.291 seconds (init: 0.148, invoke: 0.142) INFO: telemetry.main: Begin splitting cli events and extra events, total events: 1 INFO: telemetry.client: Accumulated 0 events. Flush the clients. INFO: telemetry.main: Finish splitting cli events and extra events, cli events: 1 INFO: telemetry.save: Save telemetry record of length 3995 in cache INFO: telemetry.main: Begin creating telemetry upload process. INFO: telemetry.process: Creating upload process: "/opt/az/bin/python3 /opt/az/lib/python3.11/site-packages/azure/cli/telemetry/init.py /home/REDACT/.azure" INFO: telemetry.process: Return from creating process INFO: telemetry.main: Finish creating telemetry upload process.

Expected behavior

az ad user show --id xxxx@microsoft.com should run successfully on AzureML Ubuntu VM

Environment Summary

azure-cli 2.61.0 core 2.61.0 telemetry 1.1.0 Extensions: ml 2.26.1 Dependencies: msal 1.28.0 azure-mgmt-resource 23.1.1

Python location '/opt/az/bin/python3' Extensions directory '/home/REDACT/.azure/cliextensions' Python (Linux) 3.11.8 (main, May 16 2024, 03:47:28) [GCC 11.4.0] Legal docs and information: aka.ms/AzureCliLegal Your CLI is up-to-date.

Additional context

No response

yonzhan commented 6 days ago

Thank you for opening this issue, we will look into it.

jiasli commented 4 days ago

https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes doesn't document AADSTS530003, but I guess it is the same issue as https://learn.microsoft.com/en-us/cli/azure/microsoft-graph-migration#graph-command-fails-with-aadsts50005-or-aadsts53000, that is, Microsoft tenant (72f988bf-86f1-41af-91ab-2d7cd011db47) doesn't allow using device code flow to access Microsoft Graph.

There is a feature request https://github.com/Azure/azure-cli/issues/22776 to show the signed in account's object ID, but that feature request was suspended due to several unsettled security discussions. You may follow https://github.com/Azure/azure-cli/issues/22776#issue-1264203875 to retrieve the object ID from the access token.

dunalduck0 commented 3 days ago

https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes doesn't document AADSTS530003, but I guess it is the same issue as https://learn.microsoft.com/en-us/cli/azure/microsoft-graph-migration#graph-command-fails-with-aadsts50005-or-aadsts53000, that is, Microsoft tenant (72f988bf-86f1-41af-91ab-2d7cd011db47) doesn't allow using device code flow to access Microsoft Graph.

There is a feature request #22776 to show the signed in account's object ID, but that feature request was suspended due to several unsettled security discussions. You may follow #22776 (comment) to retrieve the object ID from the access token.

Thank you @jiasli for the workaround. Do you have a similar to az ad sp list?

jiasli commented 3 days ago

You may use the same approach to get the object ID for a service principal. If this is not what you want, what information do you want to extract from az ad sp list?

dunalduck0 commented 1 hour ago

@jiasli The approach works for my own object ID because I can az login as myself. But I cannot az login as other objects, such as a service principal for a workspace named 'gcrllama2ws'. I cannot get access token tied to gcrllama2ws and thus cannot apply the same approach to extract object ID of gcrllama2ws from access token. Am I correct?