Azure / azure-powershell

Microsoft Azure PowerShell

Get-AzAD cmdlets fail in Azure Dogfood with error: SharedTokenCacheCredential authentication failed: AADSTS70011: The provided request must include a 'scope' input parameter. #18142

Closed abatishchev closed 2 years ago

abatishchev commented 2 years ago

Description

Note: the target environment is Azure Dogfood:

PS> Get-AzEnvironment -Name Dogfood
Name    Resource Manager Url                           ActiveDirectory Authority      Type
----    --------------------                           -------------------------      ----
Dogfood https://api-dogfood.resources.windows-int.net/ https://login.windows-ppe.net/ User-defined

I tried multiple cmdlets:

Regardless of the parameters passed (or lack thereof), the error is always the same:

Line |
 210 |          Az.MSGraph.internal\Get-AzADUser @PSBoundParameters
     |          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | SharedTokenCacheCredential authentication failed: AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the
     | input parameter 'scope' is not valid. The scope MicrosoftGraphEndpointResourceId/.default offline_access openid profile is not valid. The scope format
     | is invalid. Scope must be in a valid URI form <https://example/scope> or a valid Guid <guid/scope>. Trace ID: 619bbdb8-4103-41a8-bdb8-9cdf7b0f0600
     | Correlation ID: 371040fc-2252-4cdb-abd2-ba972712cd61 Timestamp: 2022-05-13 02:05:30Z

This issue is blocking me from performing development duties.

Issue script & Debug output

PS C:\Program Files\PowerShell\7> $DebugPreference ='Continue'
PS C:\Program Files\PowerShell\7> Get-AzADApplication
DEBUG: [CmdletBeginProcessing]: Starting command
DEBUG: CmdletBeginProcessing:
DEBUG: CmdletProcessRecordStart:
DEBUG: Client side pagination is enabled for this cmdlet
DEBUG: CmdletGetPipeline:
DEBUG: CmdletBeforeAPICall:
DEBUG: URLCreated: /applications
DEBUG: RequestCreated: /v1.0/applications
DEBUG: HeaderParametersAdded:
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://graph.microsoft.com/v1.0/applications

Headers:
x-ms-unique-id                : 4
x-ms-client-request-id        : 29b52b57-5292-4b39-bf08-b3aaebaa0023
CommandName                   : Az.MSGraph.internal\Get-AzADApplication
FullCommandName               : Get-AzADApplication_List
ParameterSetName              : __AllParameterSets
User-Agent                    : AzurePowershell/v7.5.0,PSVersion/v7.2.3,Az.MSGraph/5.6.0

Body:

DEBUG: BeforeCall:
DEBUG: Finally:
DEBUG: [CmdletProcessRecordAsyncEnd]: Finish HTTP process
DEBUG: CmdletProcessRecordAsyncEnd:
DEBUG: [CmdletException]: Received Exception with message 'AuthenticationFailedException - SharedTokenCacheCredential authentication failed: AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope MicrosoftGraphEndpointResourceId/.default offline_access openid profile is not valid. The scope format is invalid. Scope must be in a valid URI form <https://example/scope> or a valid Guid <guid/scope>.
Trace ID: 569b5b05-3014-4993-a171-207e79530600
Correlation ID: 8796d8c2-e232-4297-9108-b8fe47c7a4d3
Timestamp: 2022-05-13 02:04:40Z :    at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage)
   at Azure.Identity.SharedTokenCacheCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.SharedTokenCacheCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Microsoft.Azure.PowerShell.Authenticators.MsalAccessToken.GetAccessTokenAsync(String callerClassName, String parametersLog, TokenCredential tokenCredential, TokenRequestContext requestContext, CancellationToken cancellationToken, String tenantId, String userId, String homeAccountId)
   at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzureAccount account, IAzureEnvironment environment, String tenant, SecureString password, String promptBehavior, Action`1 promptAction, IAzureTokenCache tokenCache, String resourceId)
   at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzureAccount account, IAzureEnvironment environment, String tenant, SecureString password, String promptBehavior, Action`1 promptAction, String resourceId)
   at Microsoft.Azure.Commands.Common.ContextAdapter.<>c__DisplayClass15_0.<AuthorizeRequest>b__0()
   at System.Threading.Tasks.Task`1.InnerInvoke()
   at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
--- End of stack trace from previous location ---
   at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot, Thread threadPoolThread)
--- End of stack trace from previous location ---
   at Microsoft.Azure.Commands.Common.ContextAdapter.AuthorizeRequest(IAzureContext context, HttpRequestMessage request, CancellationToken cancellationToken, String endpointResourceIdKey, String endpointSuffixKey, Func`6 tokenAudienceConverter, IDictionary`2 extensibleParamters)
   at Microsoft.Azure.Commands.Common.ContextAdapter.AuthenticationHelper(IAzureContext context, String endpointResourceIdKey, String endpointSuffixKey, HttpRequestMessage request, CancellationToken cancelToken, Action cancelAction, Func`4 signal, Func`5 next, Func`6 tokenAudienceConverter)
   at Microsoft.Azure.Commands.Common.ContextAdapter.<>c__DisplayClass10_0.<<AddAuthorizeRequestHandler>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.Azure.Commands.Common.ContextAdapter.<>c__DisplayClass9_0.<<AddPatchRequestUriHandler>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.Module.SendAsync(HttpRequestMessage request, IEventListener callback, ISendAsync next)
   at Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.MSGraph.ApplicationsApplicationListApplication_Call(HttpRequestMessage request, Func`3 onOk, Func`3 onDefault, IEventListener eventListener, ISendAsync sender)
   at Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.MSGraph.ApplicationsApplicationListApplication_Call(HttpRequestMessage request, Func`3 onOk, Func`3 onDefault, IEventListener eventListener, ISendAsync sender)
   at Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.MSGraph.ApplicationsApplicationListApplication(String consistencyLevel, String Search, String Filter, Nullable`1 Count, String[] Orderby, String[] Select, String[] Expand, Func`3 onOk, Func`3 onDefault, IEventListener eventListener, ISendAsync sender)
   at Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.Cmdlets.GetAzADApplication_List.ProcessRecordAsync()
   at Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.Cmdlets.GetAzADApplication_List.ProcessRecordAsync()'
DEBUG: CmdletException: AuthenticationFailedException - SharedTokenCacheCredential authentication failed: AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope MicrosoftGraphEndpointResourceId/.default offline_access openid profile is not valid. The scope format is invalid. Scope must be in a valid URI form <https://example/scope> or a valid Guid <guid/scope>.
Trace ID: 569b5b05-3014-4993-a171-207e79530600
Correlation ID: 8796d8c2-e232-4297-9108-b8fe47c7a4d3
Timestamp: 2022-05-13 02:04:40Z :    at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage)
   at Azure.Identity.SharedTokenCacheCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.SharedTokenCacheCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Microsoft.Azure.PowerShell.Authenticators.MsalAccessToken.GetAccessTokenAsync(String callerClassName, String parametersLog, TokenCredential tokenCredential, TokenRequestContext requestContext, CancellationToken cancellationToken, String tenantId, String userId, String homeAccountId)
   at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzureAccount account, IAzureEnvironment environment, String tenant, SecureString password, String promptBehavior, Action`1 promptAction, IAzureTokenCache tokenCache, String resourceId)
   at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzureAccount account, IAzureEnvironment environment, String tenant, SecureString password, String promptBehavior, Action`1 promptAction, String resourceId)
   at Microsoft.Azure.Commands.Common.ContextAdapter.<>c__DisplayClass15_0.<AuthorizeRequest>b__0()
   at System.Threading.Tasks.Task`1.InnerInvoke()
   at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
--- End of stack trace from previous location ---
   at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot, Thread threadPoolThread)
--- End of stack trace from previous location ---
   at Microsoft.Azure.Commands.Common.ContextAdapter.AuthorizeRequest(IAzureContext context, HttpRequestMessage request, CancellationToken cancellationToken, String endpointResourceIdKey, String endpointSuffixKey, Func`6 tokenAudienceConverter, IDictionary`2 extensibleParamters)
   at Microsoft.Azure.Commands.Common.ContextAdapter.AuthenticationHelper(IAzureContext context, String endpointResourceIdKey, String endpointSuffixKey, HttpRequestMessage request, CancellationToken cancelToken, Action cancelAction, Func`4 signal, Func`5 next, Func`6 tokenAudienceConverter)
   at Microsoft.Azure.Commands.Common.ContextAdapter.<>c__DisplayClass10_0.<<AddAuthorizeRequestHandler>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.Azure.Commands.Common.ContextAdapter.<>c__DisplayClass9_0.<<AddPatchRequestUriHandler>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.Module.SendAsync(HttpRequestMessage request, IEventListener callback, ISendAsync next)
   at Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.MSGraph.ApplicationsApplicationListApplication_Call(HttpRequestMessage request, Func`3 onOk, Func`3 onDefault, IEventListener eventListener, ISendAsync sender)
   at Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.MSGraph.ApplicationsApplicationListApplication_Call(HttpRequestMessage request, Func`3 onOk, Func`3 onDefault, IEventListener eventListener, ISendAsync sender)
   at Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.MSGraph.ApplicationsApplicationListApplication(String consistencyLevel, String Search, String Filter, Nullable`1 Count, String[] Orderby, String[] Select, String[] Expand, Func`3 onOk, Func`3 onDefault, IEventListener eventListener, ISendAsync sender)
   at Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.Cmdlets.GetAzADApplication_List.ProcessRecordAsync()
   at Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.Cmdlets.GetAzADApplication_List.ProcessRecordAsync()
Get-AzADApplication_List: C:\Users\alexbat.REDMOND\OneDrive - Microsoft\Documents\PowerShell\Modules\Az.Resources\5.6.0\MSGraph.Autorest\custom\Get-AzADApplication.ps1:219

Environment data

Name                           Value
----                           -----
PSVersion                      7.2.3
PSEdition                      Core
GitCommitId                    7.2.3
OS                             Microsoft Windows 10.0.19044
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

Get-Module Az.Resources

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     5.6.0                 Az.Resources

Error output

Attached: Resolve-AzError.txt

dingmeng-xue commented 2 years ago

When you use the latest version of Az.Resources, the AzAD feature uses the MSGraph API. So you need to configure the two parameters below when you add the environment.

abatishchev commented 2 years ago

@dingmeng-xue thanks for the explanation. Will update my local setup.

abatishchev commented 2 years ago

@dingmeng-xue I've set them to the same values:

GraphUrl                                          : https://graph.ppe.windows.net/
GraphEndpointResourceId                           : https://graph.ppe.windows.net/

and

MicrosoftGraphEndpointResourceId https://graph.ppe.windows.net/
MicrosoftGraphUrl                https://graph.ppe.windows.net/

Now when I call:

Get-AzADApplication -ApplicationId 93923bbd-d15c-4a3d-a81f-546112110fa2

I'm getting an error:

{
    "odata.error": {
        "code": "Request_DataContractVersionMissing",
        "message": {
            "lang": "en",
            "value": "The specified api-version is invalid. The value must exactly match a supported version."
        }
    }
}

Debug output:

DEBUG: [CmdletBeginProcessing]: Starting command
DEBUG: CmdletBeginProcessing:
DEBUG: CmdletProcessRecordStart:
DEBUG: Client side pagination is enabled for this cmdlet
DEBUG: CmdletGetPipeline:
DEBUG: CmdletBeforeAPICall:
DEBUG: URLCreated: /applications?$filter=appId%20eq%20%2793923bbd-d15c-4a3d-a81f-546112110fa2%27
DEBUG: RequestCreated: /v1.0/applications?$filter=appId%20eq%20%2793923bbd-d15c-4a3d-a81f-546112110fa2%27
DEBUG: HeaderParametersAdded:
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://graph.ppe.windows.net/v1.0/applications?$filter=appId eq %2793923bbd-d15c-4a3d-a81f-546112110fa2%27

Headers:
x-ms-unique-id                : 11
x-ms-client-request-id        : 41d25330-0a0a-4cae-b815-c425e0557e61
CommandName                   : Az.MSGraph.internal\Get-AzADApplication
FullCommandName               : Get-AzADApplication_List
ParameterSetName              : __AllParameterSets
User-Agent                    : AzurePowershell/v7.5.0,PSVersion/v7.2.3,Az.MSGraph/5.6.0

Body:

DEBUG: BeforeCall:
DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
BadRequest

Headers:
ocp-aad-diagnostics-server-name: UgaKXz1mgWlhPwesiRHyMV4LMKWIFD/BzqfJSEXiKZk=
request-id                    : b0febf0b-6781-4ed6-b684-01485a936962
client-request-id             : 41d25330-0a0a-4cae-b815-c425e0557e61
X-Powered-By                  : ASP.NET
Strict-Transport-Security     : max-age=31536000; includeSubDomains
Access-Control-Allow-Origin   : *
Duration                      : 42810
Date                          : Tue, 17 May 2022 01:38:56 GMT

Body:
{
  "odata.error": {
    "code": "Request_DataContractVersionMissing",
    "message": {
      "lang": "en",
      "value": "The specified api-version is invalid. The value must exactly match a supported version."
    }
  }
}

DEBUG: ResponseCreated:
DEBUG: BeforeResponseDispatch:
Get-AzADApplication_List: C:\Users\abatishchev\OneDrive\Documents\PowerShell\Modules\Az.Resources\5.6.0\MSGraph.Autorest\custom\Get-AzADApplication.ps1:219
Line |
 219 |      Az.MSGraph.internal\Get-AzADApplication @PSBoundParameters
     |      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | The server responded with a Request Error, Status: BadRequest

DEBUG: [Finally]: Getting exception 'Microsoft.Azure.Commands.Common.Exceptions.AzPSCloudException: InternalException' from response
DEBUG: Finally:
DEBUG: CmdletAfterAPICall:
DEBUG: [CmdletProcessRecordAsyncEnd]: Finish HTTP process
DEBUG: CmdletProcessRecordAsyncEnd:
DEBUG: CmdletProcessRecordEnd:
DEBUG: AzureQoSEvent: Module: Az.Resources:5.6.0; CommandName: Get-AzADApplication; PSVersion: 7.2.3; IsSuccess: False; Duration: 00:00:00.8826886; Exception: InternalException;
dingmeng-xue commented 2 years ago

Hi Abatishchev, we don't own the service or the test environment, so we cannot answer your question. You have to ask the MSGraph team what version is supported. Azure PowerShell doesn't support a configurable API version, in either the production environment or a test environment. If the version is not 1.0, you need to use Invoke-AzRestMethod to send the request to MSGraph directly.

ohadschn commented 2 years ago

When you use the latest version of Az.Resources, the AzAD feature uses the MSGraph API. So you need to configure the two parameters below when you add the environment.

  • [-MicrosoftGraphEndpointResourceId <String>]
  • [-MicrosoftGraphUrl <String>]

@dingmeng-xue this doesn't work for built-in environments:

Set-AzEnvironment -Name AzureCloud -MicrosoftGraphEndpointResourceId "https://graph.microsoft.com/" -MicrosoftGraphUrl "https://graph.microsoft.com/v1.0/"

Set-AzEnvironment: Cannot change built-in or discovered environment AzureCloud.

I guess we can duplicate the built-in environments as a workaround but ideally we won't have to and they would already include the Azure Graph properties out of the box:

$graphEnabledEnv = Get-AzEnvironment -Name AzureCloud
$graphEnabledEnv.Name = "AzureCloudGraph"
$graphEnabledEnv | Add-AzEnvironment -MicrosoftGraphEndpointResourceId "https://graph.microsoft.com/" -MicrosoftGraphUrl "https://graph.microsoft.com/v1.0/"
Connect-AzAccount -Environment "AzureCloudGraph"

EDIT oh I think I get it now, the built-in environments already have these here:

(Get-AzEnvironment -Name AzureCloud).ExtendedProperties.MicrosoftGraphEndpointResourceId
(Get-AzEnvironment -Name AzureCloud).ExtendedProperties.MicrosoftGraphUrl

faix commented 1 year ago

In case anyone has further issues trying to use the Get-AzAD cmdlets in Azure Dogfood, it's because the guidance above no longer works: the endpoints for Microsoft Graph are actually different:

-GraphUrl "https://graph.ppe.windows.net/"
-GraphEndpointResourceId "https://graph.ppe.windows.net/"
-MicrosoftGraphEndpointResourceId "https://graph.microsoft-ppe.com/"
-MicrosoftGraphUrl "https://graph.microsoft-ppe.com/v1.0/"
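A small audit script that ties the thread together, added here as an example and not code from the issue or from the Az module: it checks one registered Az environment for the two Microsoft Graph settings dingmeng-xue named, reports what scope Az.MSGraph would request if they are missing or malformed (the state behind the AADSTS70011 error in the report), and, for user-defined environments only, prints the Set-AzEnvironment call with the Dogfood values faix posted. The function name and the comparison against expected values are this example's own assumptions.

```powershell
# Added example, not code from the issue or from the Az module. Assumes an Az session with
# Get-AzEnvironment available; the Dogfood environment must already be registered.
function Test-AzEnvironmentGraphConfig {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Name,
        # Expected values for a custom environment (Dogfood values below come from faix's comment).
        [string] $ExpectedResourceId,
        [string] $ExpectedUrl
    )

    $azEnv = Get-AzEnvironment -Name $Name
    if (-not $azEnv) { throw "Environment '$Name' is not registered (see Get-AzEnvironment)." }

    $props    = $azEnv.ExtendedProperties
    $current  = @{}
    $problems = [System.Collections.Generic.List[string]]::new()
    foreach ($key in 'MicrosoftGraphEndpointResourceId', 'MicrosoftGraphUrl') {
        $current[$key] = if ($props -and $props.ContainsKey($key)) { $props[$key] } else { $null }
        if ([string]::IsNullOrWhiteSpace($current[$key])) {
            # With no resource id the requested scope degenerates to the key name plus
            # '/.default', which is the literal scope AAD rejected in the report.
            $problems.Add("$key is not set; token scope would be '$key/.default'")
        }
        elseif (-not [Uri]::IsWellFormedUriString($current[$key], [UriKind]::Absolute) -or
                -not $current[$key].StartsWith('https://', [StringComparison]::OrdinalIgnoreCase)) {
            $problems.Add("$key '$($current[$key])' is not an absolute https URI")
        }
    }
    if ($ExpectedResourceId -and $current['MicrosoftGraphEndpointResourceId'] -ne $ExpectedResourceId) {
        $problems.Add("MicrosoftGraphEndpointResourceId should be '$ExpectedResourceId'")
    }
    if ($ExpectedUrl -and $current['MicrosoftGraphUrl'] -ne $ExpectedUrl) {
        $problems.Add("MicrosoftGraphUrl should be '$ExpectedUrl'")
    }

    # Built-in environments cannot be changed with Set-AzEnvironment; only user-defined ones can.
    $fix = $null
    if ($problems.Count -gt 0 -and $azEnv.Type -eq 'User-defined' -and $ExpectedResourceId -and $ExpectedUrl) {
        $fix = "Set-AzEnvironment -Name '$Name' -MicrosoftGraphEndpointResourceId '$ExpectedResourceId' -MicrosoftGraphUrl '$ExpectedUrl'"
    }
    [pscustomobject]@{
        Environment  = $Name
        Type         = $azEnv.Type
        IsValid      = ($problems.Count -eq 0)
        Problems     = $problems.ToArray()
        SuggestedFix = $fix
    }
}

# Dogfood Microsoft Graph endpoints as posted by faix in this thread.
Test-AzEnvironmentGraphConfig -Name Dogfood `
    -ExpectedResourceId 'https://graph.microsoft-ppe.com/' `
    -ExpectedUrl 'https://graph.microsoft-ppe.com/v1.0/'
```

Run it against AzureCloud without expected values to confirm that built-in environments already carry both keys, as ohadschn found.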