Azure / azure-cli

Azure Command-Line Interface
MIT License

`az login` fails due to MFA #6962

Closed davidobrien1985 closed 4 years ago

davidobrien1985 commented 6 years ago

Describe the bug
az login doesn't work for me anymore with an MFA-enabled user.

Failed to authenticate '{'additional_properties': {}, 'id': '/tenants/4253165e-ba77-4eaa-bd15-e7abb69a74ef', 'tenant_id': '4253165e-ba77-4eaa-bd15-e7abb69a74ef'}' due to error 'Get Token request returned http error: 400 and server response: {"error":"interaction_required","error_description":"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '797f4846-ba00-4fd7-ba43-dac1f8f63013'.\r\nTrace ID: 384cee7c-cf4c-4dfe-8a11-a510c4e90c00\r\nCorrelation ID: 66394469-089e-42dc-aaf6-e5d6e77c7987\r\nTimestamp: 2018-08-03 12:27:46Z","error_codes":[50076],"timestamp":"2018-08-03 12:27:46Z","trace_id":"384cee7c-cf4c-4dfe-8a11-a510c4e90c00","correlation_id":"66394469-089e-42dc-aaf6-e5d6e77c7987","suberror":"basic_action"}'

To Reproduce
`az login` doesn't work, and neither does `read -sp "Azure password: " AZ_PASS && echo && az login -u auobrien.david@outlook.com -p $AZ_PASS`.

Expected behavior
I receive an MFA prompt on my phone.

Environment summary
az --version: azure-cli (2.0.43)

Installed on WSL.

yugangw-msft commented 6 years ago

For MFA, you have to use interactive login through az login w/o -u. This requirement comes from AAD token service, not CLI.

davidobrien1985 commented 6 years ago

Sorry if I wasn't clear.

Interactive AND non-interactive fail with MFA.


yugangw-msft commented 6 years ago

Are you able to log in to the portal? If yes, can you try az login again?

davidobrien1985 commented 6 years ago

Yes, all fine via the portal and cloud shell.

Only CLI on my local is broken.


yugangw-msft commented 6 years ago

This is an error from the AAD server which I shall clarify with the service team.

    AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '797f4846-ba00-4fd7-ba43-dac1f8f63013'

At the same time, in the browser, can you log out of the portal and run "az login" again? The goal is to clear the old cache associated with non-MFA accounts, and force a new authentication flow.

yugangw-msft commented 6 years ago

If it is still not working, can you send the correlation id displayed in the browser to me at yugangw at microsoft dot com? It is needed for the AAD team to diagnose the root cause.

davidobrien1985 commented 6 years ago

I just sent you an email to your microsoft address.


NateB2 commented 6 years ago

I'm having this exact issue on azure-cli version 2.0.30. First noticed it a couple days ago.

yugangw-msft commented 6 years ago

2.0.30 might be a bit too old a CLI version, but regardless, can you send me the error at yugangw at microsoft dot com as well? Once it is confirmed to be the same error code, I will submit a support ticket. Also, did your tenant admin make any recent change such as location condition policies?

NateB2 commented 6 years ago

I tried again after updating to 2.0.43, and at first received the same error, but then after running it several times it mysteriously disappeared and everything seems to be working fine. Weird.

yugangw-msft commented 6 years ago

I can reproduce this behavior by doing:

  1. In portal, enable the baseline policy right away by following "Azure Active Directory=>Conditional Access=>Baseline policy" and turning on the option of "Use policy immediately"
  2. Launch CLI, and click the account tile in the browser, which will sign you in, but then you will get the same error from CLI.

I ended up fixing this by re-opening the browser and logging in to the portal again, which triggered the wizard for me to configure everything needed for MFA authentication. After that, "az login" works again. Hope this helps.

yugangw-msft commented 6 years ago

Closing. There are no actions I can take from the CLI's end to make it better; the issue is that the browser UI caches old auth configurations. If more users report the same error I will transfer it to the AAD/ESTS team, who own the whole browser-based authentication flow.

imran2489 commented 5 years ago

Hi,

I too face a similar issue. If I try to access my web app outside the Microsoft office environment I get prompted with MFA. But if I try using my application inside the MS environment it just asks me for basic authentication and allows access. But in this case, since I didn't do MFA, when I try to access Azure APIs it throws the error below:

err :AADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access '797f4846-ba00-4fd7-ba43-dac1f8f63013'.

So every time I have to clear the browser cache, log in via the Azure portal, which asks for MFA, and then access my site. Which is quite painful.

Any help appreciated.

sjentzsch commented 5 years ago

@yugangw-msft - In our organization we face the same issue: az login, when used with an MFA-enabled account in AzureCloud (EU), leads to

Note, we have launched a browser for you to login. For old experience with device code, use "az login --use-device-code"
You have logged in. Now let us find all the subscriptions to which you have access...
Failed to authenticate '{'additional_properties': {}, 'id': '/tenants/XXX', 'tenant_id': 'XXX'}' due to error 'Get Token request returned http error: 400 and server response: {"error":"interaction_required","error_description":"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access 'XXX'.\r\nTrace ID: XXX\r\nCorrelation ID: XXX\r\nTimestamp: 2019-02-05 13:03:27Z","error_codes":[50076],"timestamp":"2019-02-05 13:03:27Z","trace_id":"XXX","correlation_id":"XXX","suberror":"basic_action"}'
No subscriptions were found for 'None'. If this is expected, use '--allow-no-subscriptions' to have tenant level accesses

When I log in via the browser manually it asks me for MFA, I confirm, re-try with az login and then it works. I highly recommend forwarding this issue to the AAD/ESTS team as you suggested.

yugangw-msft commented 5 years ago

@sjentzsch, I have forwarded this to the AAD group, thanks for the feedback. What we have experienced is confusing, indeed.

ghost commented 5 years ago

This will happen if your account is associated with multiple Azure ADs. It can exist as a member user in one Azure AD, and as a guest user in the other Azure AD. If the Azure AD that you are a guest user in requires MFA, this error will occur.

You can mitigate this 'problem' by adding the Azure AD tenant to the login:

az login --tenant [tenantid]

in your case:

az login --tenant 4253165e-ba77-4eaa-bd15-e7abb69a74ef
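An added triage helper (not part of this thread or of the azure-cli project) that parses the "Failed to authenticate" line az login prints during subscription enumeration, pulls out the tenant id, the AADSTS code and the correlation id, and maps the result onto the workarounds discussed above: satisfy MFA in the browser and re-run az login --tenant with the tenant that rejected the token. The sample line is constructed to match the shape quoted in this thread; its tenant, trace and correlation ids are placeholders.

```python
import json
import re

# Constructed sample shaped like the az login failure quoted in this thread;
# tenant, trace and correlation ids are placeholders, not real values.
SAMPLE_FAILURE = (
    "Failed to authenticate '{'additional_properties': {}, "
    "'id': '/tenants/11111111-2222-3333-4444-555555555555', "
    "'tenant_id': '11111111-2222-3333-4444-555555555555'}' due to error "
    "'Get Token request returned http error: 400 and server response: "
    '{"error":"interaction_required","error_description":"AADSTS50076: Due to a '
    "configuration change made by your administrator, or because you moved to a "
    "new location, you must use multi-factor authentication to access "
    "'797f4846-ba00-4fd7-ba43-dac1f8f63013'.\\r\\nTrace ID: trace-0000\\r\\n"
    'Correlation ID: corr-0000\\r\\nTimestamp: 2019-02-05 13:03:27Z",'
    '"error_codes":[50076],"timestamp":"2019-02-05 13:03:27Z",'
    '"trace_id":"trace-0000","correlation_id":"corr-0000","suberror":"basic_action"}\''
)

def parse_az_login_failure(line):
    """Pull the tenant id and the AAD error payload out of one 'Failed to authenticate' line."""
    tenant = re.search(r"'tenant_id': '([^']*)'", line)
    body = re.search(r"server response: (\{.*\})", line, re.S)
    if not tenant or not body:
        return None
    payload = json.loads(body.group(1))  # the CLI echoes the raw token-endpoint JSON
    code = re.match(r"(AADSTS\d+)", payload.get("error_description", ""))
    return {
        "tenant_id": tenant.group(1),
        "error": payload.get("error"),
        "aadsts": code.group(1) if code else None,
        "error_codes": payload.get("error_codes", []),
        "correlation_id": payload.get("correlation_id"),
        "suberror": payload.get("suberror"),
    }

def suggest_remediation(info):
    """Map the parsed error onto the workarounds discussed in this thread."""
    if info is None:
        return "no az login tenant failure found"
    tid, cid = info["tenant_id"], info["correlation_id"]
    if info["error"] != "interaction_required":
        return "unexpected error %s; quote correlation id %s to support" % (info["error"], cid)
    if 50076 in info["error_codes"]:
        return ("tenant %s enforces MFA: satisfy MFA in the browser, then run "
                "az login --tenant %s" % (tid, tid))
    if 50079 in info["error_codes"]:
        return "tenant %s requires MFA enrollment first; enroll via the portal, then retry" % tid
    return "interactive sign-in needed for tenant %s (codes %s)" % (tid, info["error_codes"])
```

Feed each line of the az login output to parse_az_login_failure; the correlation id it returns is the value the maintainers asked for when escalating to the AAD team.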

JeffBor commented 5 years ago

To add insult to injury, this is happening to an account/ID that is in multiple AAD directories (a member in some, a guest in others), MFA (via AAD) required on some, AND it is marked with risky logins from an expired trial of AAD Identity Protection. Needless to say, the conditional access is working :).

It seems to me that this is an ambiguous scenario, meaning AAD cannot determine if the ID can be "fully" authenticated across multiple directories, and naturally @tinod's suggestion of adding the --tenant worked - the tenant used had no Identity Protection enabled and is not a guest. Specifying a tenant in which the ID is a guest and Identity Protection + MFA causes the AADSTS50076 error.

yonzhan commented 5 years ago

@jiasli please take a look.

Miles-Davies-HORIBA commented 5 years ago

I have the same problem. I am logged in to my company's Office 365 tenant but we have another tenant for Azure DevOps where I am a "guest" using my Office 365 e-mail. My company's Office 365 has no MFA but the DevOps AAD has MFA. "az login" fails with "AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access"

"az login --tenant ".onmicrosoft.com" runs MFA authentication but denies access to artifacts.

This only started happening when I updated to the latest az and devops: az-cli 2.0.75, devops 0.13.0. I am the owner of the feed I am trying to access so it should be fine.

If I set the $env:AZURE_DEVOPS_EXT_PAT to my PAT the command works just fine.

Bessonov commented 4 years ago

Is there any news on this topic? We need a way to login users on environments without a browser. @yugangw-msft

Bessonov commented 4 years ago

anyone? @yonzhan @qianwens @jiasli

jiasli commented 4 years ago

@Bessonov, you may use az login --use-device-code for user login or az login --service-principal for service principal login. Please see Create an Azure service principal with Azure CLI for details.

jiasli commented 4 years ago

@Miles-Davies-HORIBA , when you use az login --tenant "xxx.onmicrosoft.com", and get denied access to artifacts, what is the error? Is it the same or something else? +@bagga from DevOps team

jiasli commented 4 years ago

@JeffBor , in my test, I used --tenant with a tenant/directory that requires MFA and the browser did ask for MFA as expected. Could you try purging the browser cache and run az login --tenant again?

Miles-Davies-HORIBA commented 4 years ago

I think my issue was caused by a bug in az which was fixed. It works fine for me with the latest.

Bessonov commented 4 years ago

@jiasli thank you very much for your response! az login --use-device-code seems to be working!

mtricolici commented 4 years ago

Linux guys: if you have this kind of issue, the workaround is: install an add-on in your browser that modifies the User-Agent. Set it to Windows 10 ... and Microsoft will allow logins.

william-hou-ca commented 3 years ago

Hi guys, I have the same problem. But according to the info az shows, I used az login --tenant TENANT_ID to re-login in a web browser. After that, everything is good. You can find your tenant_id in the portal, in the Active Directory overview section.

swiru95 commented 2 years ago

I think the best option is to:

  1. open the browser
  2. log in to the Azure portal and accept the cookie policy etc.
  3. run "az login" from the CLI and then log in; it should work

But for sure something is not working correctly with "az login"; it looks like it does not get the appropriate cookies/tokens. I will try to debug it someday :D

Mat8686 commented 2 years ago

Try to use the tenant ID when logging in using the CLI. Then you need to go through 2 steps of authentication.

CoolSpot commented 2 months ago

One thing that fixed this for me is to:

  1. open the portal
  2. go to settings (cog icon)
  3. click the "star" icon next to your Default Directory

Now when running "az login", after logging in in the browser, it will let you select a subscription.