Azure / azure-devops-cli-extension

Azure DevOps Extension for Azure CLI
https://docs.microsoft.com/en-us/cli/azure/ext/azure-devops/?view=azure-cli-latest
MIT License

Logging in to the Azure CLI does not provide access to `az devops` commands as expected #1258

Open mdekrey opened 2 years ago

mdekrey commented 2 years ago

Logging in to the Azure CLI does not provide access to az devops commands as expected

Command Name az devops project list (Extension Name: azure-devops. Version: 0.23.0.)

Errors:

Before you can run Azure DevOps commands, you need to run the login command(az login if using AAD/MSA identity else az devops login if using PAT token) to setup credentials.  Please see https://aka.ms/azure-devops-cli-auth for more information.

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

Expected Behavior

A list of projects in my devops organizations should be presented.

Environment Summary

Windows-10-10.0.22000-SP0
Python 3.8.9
Installer: MSI

azure-cli 2.34.1

Extensions:
azure-devops 0.23.0

Dependencies:
msal 1.16.0
azure-mgmt-resource 20.0.0

Additional Context

The link in the error message does not provide further information on using az login for using AAD/MSA identity.

jikuja commented 2 years ago

I've had similar issues.

One cause for this is https://github.com/Azure/azure-devops-cli-extension/blob/master/azure-devops/azext_devops/dev/common/services.py#L165 hiding issues with token fetch. Exceptions are logged only with debug level.

Another minor issue is with the selection of the default subscription. The code does not work ATM at all. PR coming soon.

tharwan commented 2 years ago

any workaround for this?

jikuja commented 2 years ago

If I remember correctly, using `az login --tenant <guid>` should fix most of the issues:

  • makes sure you have tokens for the tenant you want to use
  • goes through MFA if needed

Extension tries tenant of the selected subscription first. That should decrease the amount of login issues. Sadly that feature does not work and looks like nobody works with PRs. Might be better using other tools for scripting.

Other work: ticket about the state of the tooling: https://developercommunity.visualstudio.com/t/The-current-state-and-the-future-of-Az-C/10145300

Alternative tools:

v-soujanya commented 2 years ago

Hi @mdekrey, Please find the below analysis for az login and az devops project list

  1. az login : it will check for active subscriptions on portal.azure.com for your tenant. if you don't have the subscriptions / subscriptions expired, you need to provide PAT token to run the az devops commands. (az devops login)
  2. az devops project list : Please provide PAT token then you can see the project list.

tharwan commented 2 years ago

> If I remember correctly, using `az login --tenant <guid>` should fix most of the issues:
>
>   • makes sure you have tokens for the tenant you want to use
>   • goes through MFA if needed
>
> Extension tries tenant of the selected subscription first. That should decrease the amount of login issues. Sadly that feature does not work and looks like nobody works with PRs. Might be better using other tools for scripting.
>
> Other work: ticket about the state of the tooling: https://developercommunity.visualstudio.com/t/The-current-state-and-the-future-of-Az-C/10145300
>
> Alternative tools:

does not work for me

jikuja commented 2 years ago

> Hi @mdekrey, Please find the below analysis for az login and az devops project list
>
>   1. az login : it will check for active subscriptions on portal.azure.com for your tenant. if you don't have the subscriptions / subscriptions expired, you need to provide PAT token to run the az devops commands. (az devops login)
>   2. az devops project list : Please provide PAT token then you can see the project list.

Not really true

  1. AZ CLI does not use Azure portal
  2. AZ ADO extension (does/)should not use subscription information by default
     a. Subscription information is only used if e.g. adding service connection to subscription
  3. Azure Devops can be used without subscriptions
     a. That kind of limitation would not make any sense. It would block all workload that are not specific for Azure workloads
     b. `az login --allow-no-subscriptions` - this will create dummy subscription on AZ CLI internal data structures

Current AAD token authentication in this extension is really buggy by hiding information and error from user and should be rewritten. (Issue describing the problems coming soon)

v-soujanya commented 2 years ago

@mdekrey, we recently started working on the CLI service and we have checked the code. If you have an Azure Active Directory/Microsoft account (AAD/MSA), you can see the "az devops project list" output by using "az login"; otherwise you need to use "az devops login" (provide PAT) to see the "az devops project list".

tharwan commented 2 years ago

fixed for me in the current version

ceciliasharp commented 1 year ago

Updating Azure CLI fixes the problem. Run: "az upgrade"

jikuja commented 1 year ago

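> Updating Azure CLI fixes the problem. Run: "az upgrade"

Which version did you update from?

0.22.0 has some fixes but it was released over years ago.

Extension authentication is buggy(1)(2) and badly documented:

  • does not mention you need to use az login --tenant <guid> with B2B guest accounts
  • does not mention that running az account set -n <subscription> would make auth process faster and increases possibility that authentication will actually work: requires release with b3d0392

(1) https://github.com/Azure/azure-devops-cli-extension/commit/b3d0392d597a2eae5229e96059359d00fbb2e222 no new release after the commit
(2) https://github.com/Azure/azure-devops-cli-extension/issues/1298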

ceciliasharp commented 1 year ago

> > Updating Azure CLI fixes the problem. Run: "az upgrade"
>
> Which version did you update from?
>
> 0.22.0 has some fixes but it was released over years ago.
>
> Extension authentication is buggy(1)(2) and badly documented:
>
>   • does not mention you need to use az login --tenant <guid> with B2B guest accounts
>   • does not mention that running az account set -n <subscription> would make auth process faster and increases possibility that authentication will actually work: requires release with b3d0392
>
> (1) b3d0392 no new release after the commit (2) #1298

I'm sorry but that information is gone... But I'm guessing that I have been running on the same version for some years now. But I have now set up the auto-upgrade option that the upgrade hinted about, so now I will stay up-to-date :-)

housten commented 1 month ago

Spent all day on this till I stumbled upon this related issue

Ensure you run AZ Login through an elevated prompt the first time as it tries to install the Python keyring package!

jikuja commented 1 month ago

This might be the best way to authenticate with the devops extension:

```powershell
# Sign in to the chosen tenant for this process only, using device-code authentication
Connect-AzAccount -tenant "xxxx" -Scope Process -DeviceAuth
# The GUID is the Azure DevOps resource ID; the resulting token is handed to the extension
$Env:AZURE_DEVOPS_EXT_PAT = (Get-AzAccessToken -ResourceUrl "499b84ac-1321-427f-aa17-267ca6975798").Token

# check your login
az devops project show --org "$ORG" -p "$PROJECT"
```

  1. Yes, I mostly use Az PowerShell because the tenant/subscription selection on the CLI is just awful
  2. Using the AZURE_DEVOPS_EXT_PAT environment variable makes the devops extension skip most of the authz logic
  3. Az CLI has its own command to fetch an authentication token, so PowerShell is not needed: az account get-access-token
  4. For PowerShell -SkipContextPopulation might be good for login
  5. For Az CLI --allow-no-subscriptions might be good for login
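
An added example, not part of the thread or the extension's code: before a token from `az account get-access-token` goes into AZURE_DEVOPS_EXT_PAT as described above, decode its claims to confirm it was issued by the tenant you meant (the `--tenant` / B2B guest problem raised in this thread), targets the Azure DevOps resource, and has not expired. The function names and the sample tenant GUID used for testing are hypothetical, and the `aud`/`tid`/`exp` checks assume the usual Azure AD access-token claims.

```python
"""Added example: vet an Azure CLI token before exporting it as AZURE_DEVOPS_EXT_PAT."""
import base64
import json
import shutil
import subprocess
import time

# Azure DevOps resource ID, taken from the PowerShell snippet in the thread.
ADO_RESOURCE = "499b84ac-1321-427f-aa17-267ca6975798"


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated parts")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_problems(token, expected_tenant, now=None, min_ttl=300):
    """List reasons the token is the wrong one. Assumes Azure AD 'aud'/'tid'/'exp' claims."""
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud") != ADO_RESOURCE:
        problems.append(f"audience {claims.get('aud')!r} is not Azure DevOps")
    if str(claims.get("tid", "")).lower() != expected_tenant.lower():
        problems.append(f"issued by tenant {claims.get('tid')!r}, not {expected_tenant!r}")
    if claims.get("exp", 0) - now < min_ttl:
        problems.append(f"expires in under {min_ttl} seconds")
    return problems


def fetch_ado_token(tenant):
    """Ask the Azure CLI (after `az login`) for a token scoped to Azure DevOps."""
    az = shutil.which("az") or "az"  # resolves az.cmd on Windows
    result = subprocess.run(
        [az, "account", "get-access-token", "--resource", ADO_RESOURCE,
         "--tenant", tenant, "--query", "accessToken", "-o", "tsv"],
        check=True, capture_output=True, text=True)
    return result.stdout.strip()


def make_sample_token(aud, tid, exp):
    """Constructed, unsigned sample token so the checks can be exercised offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"aud": aud, "tid": tid, "exp": exp}), "sig"])
```

Set AZURE_DEVOPS_EXT_PAT for the `az devops` process only when `token_problems(fetch_ado_token(tenant), tenant)` returns an empty list. The value is a short-lived bearer credential, so keep it out of logs and shell history.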