Azure / azure-powershell

Microsoft Azure PowerShell

Az Accounts failure after token refresh: Your Azure credentials have not been set up or have expired, please run Connect-AzAccount to set up your Azure credentials. #18382

Open keystroke opened 2 years ago

keystroke commented 2 years ago

Description

Using Az.Accounts 2.2.8 with an Azure Stack Edge environment (this is a private cloud environment), we see an issue where authentication sessions stop working after 1 hour. The token gets refreshed, but it appears that Azure PS has the old access token in the shared token cache under the hood and fails to resolve the new access token.

The repro script we have looks like this:

Connect-AzAccount @params
Get-AzResourceGroup @params
sleep (60*60);
Get-AzResourceGroup
sleep 60;
Get-AzResourceGroup

We see the debug output below at the final step, which indicates that there are multiple access tokens that could work, and so it fails (full output of the entire script is in the section below):

DEBUG: 7:18:10 PM - GetAzureResourceGroupCmdlet begin processing with ParameterSet 'GetByResourceGroupName'.
DEBUG: 7:18:10 PM - using account id 'EdgeArmUser@localhost'...
DEBUG: [Common.Authentication]: Authenticating using Account: 'EdgeArmUser@localhost', environment: 'AzDBE', tenant:
'c0257de7-538f-415c-993a-1b87a031879d'
DEBUG: 7:18:10 PM - [SilentAuthenticator] Calling SharedTokenCacheCredential.GetTokenAsync - TenantId:'adfs',
Scopes:'https://management.dm1174469-903.microsoftdatabox.com//openid',
AuthorityHost:'https://login.dm1174469-903.microsoftdatabox.com/adfs/', UserId:'EdgeArmUser@localhost'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [
https://management.dm1174469-903.microsoftdatabox.com//openid ] ParentRequestId:
DEBUG: SharedTokenCacheCredential.GetToken was unable to retrieve an access token. Scopes: [
https://management.dm1174469-903.microsoftdatabox.com//openid ] ParentRequestId:  Exception:
Azure.Identity.AuthenticationFailedException (0x80131500): SharedTokenCacheCredential authentication failed: The cache
contains multiple tokens satisfying the requirements. Try to clear token cache.
 ---> Microsoft.Identity.Client.MsalClientException (0x80131500): The cache contains multiple tokens satisfying the
requirements. Try to clear token cache.
DEBUG: [Common.Authentication]: Received exception SharedTokenCacheCredential authentication failed: The cache contains
 multiple tokens satisfying the requirements. Try to clear token cache. , while authenticating.
Get-AzResourceGroup : Your Azure credentials have not been set up or have expired, please run Connect-AzAccount to set
up your Azure credentials.
    + CategoryInfo          : CloseError: (:) [Get-AzResourceGroup], ArgumentException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.GetAzureResourceGroupCmd
   let

DEBUG: AzureQoSEvent: CommandName - Get-AzResourceGroup; IsSuccess - False; Duration - 00:00:00.1016185; Exception -
Your Azure credentials have not been set up or have expired, please run Connect-AzAccount to set up your Azure
credentials.;
DEBUG: Finish sending metric.
DEBUG: 7:18:11 PM - GetAzureResourceGroupCmdlet end processing.

We grabbed the full content of the token cache from the environment (this is transient test info); here is that state:

{
    "AccessToken": {
        "f1b55baf-df33-4e7e-ba18-95e8361c27d6-login.dm1174469-903.microsoftdatabox.com-accesstoken-1950a258-227b-4e31-a9cf-717495945fc2--openid offline_access profile https://management.dm1174469-903.microsoftdatabox.com//openid": {
            "home_account_id": "f1b55baf-df33-4e7e-ba18-95e8361c27d6",
            "environment": "login.dm1174469-903.microsoftdatabox.com",
            "client_id": "1950a258-227b-4e31-a9cf-717495945fc2",
            "secret": "[REDACTED]",
            "credential_type": "AccessToken",
            "target": "openid offline_access profile https://management.dm1174469-903.microsoftdatabox.com//openid",
            "cached_at": "1653613828",
            "expires_on": "1653617428",
            "extended_expires_on": "-62135596800",
            "ext_expires_on": "-62135596800"
        },
        "f1b55baf-df33-4e7e-ba18-95e8361c27d6-login.dm1174469-903.microsoftdatabox.com-accesstoken-1950a258-227b-4e31-a9cf-717495945fc2--https://management.dm1174469-903.microsoftdatabox.com//openid offline_access openid profile": {
            "home_account_id": "f1b55baf-df33-4e7e-ba18-95e8361c27d6",
            "environment": "login.dm1174469-903.microsoftdatabox.com",
            "client_id": "1950a258-227b-4e31-a9cf-717495945fc2",
            "secret": "[REDACTED]",
            "credential_type": "AccessToken",
            "target": "https://management.dm1174469-903.microsoftdatabox.com//openid offline_access openid profile",
            "cached_at": "1653617809",
            "expires_on": "1653621409",
            "extended_expires_on": "-62135596800",
            "ext_expires_on": "-62135596800"
        }
    },
    "RefreshToken": {
        "f1b55baf-df33-4e7e-ba18-95e8361c27d6-login.dm1174469-903.microsoftdatabox.com-refreshtoken-1950a258-227b-4e31-a9cf-717495945fc2--": {
            "home_account_id": "f1b55baf-df33-4e7e-ba18-95e8361c27d6",
            "environment": "login.dm1174469-903.microsoftdatabox.com",
            "client_id": "1950a258-227b-4e31-a9cf-717495945fc2",
            "secret": "[REDACTED]",
            "credential_type": "RefreshToken"
        }
    },
    "IdToken": {
        "f1b55baf-df33-4e7e-ba18-95e8361c27d6-login.dm1174469-903.microsoftdatabox.com-idtoken-1950a258-227b-4e31-a9cf-717495945fc2--": {
            "home_account_id": "f1b55baf-df33-4e7e-ba18-95e8361c27d6",
            "environment": "login.dm1174469-903.microsoftdatabox.com",
            "client_id": "1950a258-227b-4e31-a9cf-717495945fc2",
            "secret": "[REDACTED]",
            "credential_type": "IdToken"
        }
    },
    "Account": {
        "f1b55baf-df33-4e7e-ba18-95e8361c27d6-login.dm1174469-903.microsoftdatabox.com-": {
            "home_account_id": "f1b55baf-df33-4e7e-ba18-95e8361c27d6",
            "environment": "login.dm1174469-903.microsoftdatabox.com",
            "username": "EdgeArmUser@localhost",
            "name": "EdgeArmUser",
            "local_account_id": "f1b55baf-df33-4e7e-ba18-95e8361c27d6",
            "authority_type": "MSSTS"
        }
    },
    "AppMetadata": {
        "appmetadata-login.dm1174469-903.microsoftdatabox.com-1950a258-227b-4e31-a9cf-717495945fc2": {
            "environment": "login.dm1174469-903.microsoftdatabox.com",
            "client_id": "1950a258-227b-4e31-a9cf-717495945fc2"
        }
    }
}

We can see in the token cache that there are two access tokens, which are identical except for different expiration times and the scopes being in a different order in their keys.

It seems there is an issue either in how Az PS is interacting with MSAL or in how MSAL is handling the token resolution. The user expectation is that this should just work: refreshing the access token using a refresh token and getting an updated access token should not force the user to sign in again; it defeats the entire purpose of the refresh token.

Please help us understand if there is an issue in Az PS or MSAL here.

Thanks!

Issue script & Debug output

[REDACTED]: PS C:\> $DebugPreference = 'Continue'

[REDACTED]: PS C:\> Connect-AzAccount -EnvironmentName $envName -Credential $cred -TenantId $tenantId
DEBUG: Sought all Az modules and got latest version 0.0.0
DEBUG: 6:10:27 PM - ConnectAzureRmAccountCommand begin processing with ParameterSet 'UserWithCredential'.
DEBUG: 6:10:27 PM - Autosave setting from startup session: 'CurrentUser'
DEBUG: 6:10:27 PM - No autosave setting detected in environment variable 'AzContextAutoSave'.
DEBUG: 6:10:27 PM - Using Autosave scope 'CurrentUser'
DEBUG: 6:10:27 PM - Autosave setting from startup session: 'CurrentUser'
DEBUG: 6:10:27 PM - No autosave setting detected in environment variable 'AzContextAutoSave'.
DEBUG: 6:10:27 PM - Using Autosave scope 'CurrentUser'
DEBUG: 6:10:27 PM - [UsernamePasswordAuthenticator] Calling UsernamePasswordCredential.AuthenticateAsync -
TenantId:'adfs', Scopes:'https://management.dm1174469-903.microsoftdatabox.com//openid',
AuthorityHost:'https://login.dm1174469-903.microsoftdatabox.com/adfs/', UserId:'EdgeArmUser'
DEBUG: UsernamePasswordCredential.Authenticate invoked. Scopes: [
https://management.dm1174469-903.microsoftdatabox.com//openid ] ParentRequestId:
DEBUG: UsernamePasswordCredential.GetToken invoked. Scopes: [
https://management.dm1174469-903.microsoftdatabox.com//openid ] ParentRequestId:
DEBUG: Request [e24e4056-e398-486a-ab43-b4a67f7c8fc7] GET
https://login.dm1174469-903.microsoftdatabox.com/.well-known/webfinger?rel=REDACTED&resource=REDACTED
x-ms-client-request-id:e24e4056-e398-486a-ab43-b4a67f7c8fc7
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Identity/1.4.0-beta.3 (.NET Framework 4.7.3910.0; Microsoft Windows 10.0.17763 )
client assembly: Azure.Identity
DEBUG: Response [e24e4056-e398-486a-ab43-b4a67f7c8fc7] 200 OK (00.6s)
Pragma:no-cache
Strict-Transport-Security:REDACTED
X-Content-Type-Options:REDACTED
Content-Length:187
Cache-Control:no-cache
Content-Type:application/json; charset=utf-8
Date:Fri, 27 May 2022 01:10:27 GMT
Expires:-1
DEBUG: Request [b4677e49-287c-4792-bdde-2d89be54af61] POST
https://login.dm1174469-903.microsoftdatabox.com/adfs/oauth2/token
x-client-SKU:REDACTED
x-client-Ver:REDACTED
x-client-CPU:REDACTED
x-client-OS:REDACTED
x-client-current-telemetry:REDACTED
x-client-last-telemetry:REDACTED
x-ms-PKeyAuth:REDACTED
x-ms-lib-capability:REDACTED
client-request-id:REDACTED
return-client-request-id:REDACTED
x-app-name:REDACTED
x-app-ver:REDACTED
Content-Type:application/x-www-form-urlencoded
x-ms-client-request-id:b4677e49-287c-4792-bdde-2d89be54af61
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Identity/1.4.0-beta.3 (.NET Framework 4.7.3910.0; Microsoft Windows 10.0.17763 )
client assembly: Azure.Identity
DEBUG: Response [b4677e49-287c-4792-bdde-2d89be54af61] 200 OK (00.2s)
Pragma:no-cache
Strict-Transport-Security:REDACTED
X-Content-Type-Options:REDACTED
Content-Length:3850
Cache-Control:no-cache
Content-Type:application/json; charset=utf-8
Date:Fri, 27 May 2022 01:10:27 GMT
Expires:-1
DEBUG: UsernamePasswordCredential.GetToken succeeded. Scopes: [
https://management.dm1174469-903.microsoftdatabox.com//openid ] ParentRequestId:  ExpiresOn:
2022-05-27T02:10:28.0000000+00:00
DEBUG: UsernamePasswordCredential.Authenticate succeeded. Scopes: [
https://management.dm1174469-903.microsoftdatabox.com//openid ] ParentRequestId:  ExpiresOn:
2022-05-27T02:10:28.0000000+00:00
DEBUG: 6:10:28 PM - [MsalAccessToken] Calling UsernamePasswordCredential.GetTokenAsync -
Scopes:'https://management.dm1174469-903.microsoftdatabox.com//openid'
DEBUG: UsernamePasswordCredential.GetToken invoked. Scopes: [
https://management.dm1174469-903.microsoftdatabox.com//openid ] ParentRequestId:
DEBUG: Request [d469ca11-4e83-4f5d-92ef-c132b8978713] POST
https://login.dm1174469-903.microsoftdatabox.com/adfs/oauth2/token
x-client-SKU:REDACTED
x-client-Ver:REDACTED
x-client-CPU:REDACTED
x-client-OS:REDACTED
x-client-current-telemetry:REDACTED
x-client-last-telemetry:REDACTED
x-ms-PKeyAuth:REDACTED
x-ms-lib-capability:REDACTED
client-request-id:REDACTED
return-client-request-id:REDACTED
x-app-name:REDACTED
x-app-ver:REDACTED
Content-Type:application/x-www-form-urlencoded
x-ms-client-request-id:d469ca11-4e83-4f5d-92ef-c132b8978713
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Identity/1.4.0-beta.3 (.NET Framework 4.7.3910.0; Microsoft Windows 10.0.17763 )
client assembly: Azure.Identity
DEBUG: Response [d469ca11-4e83-4f5d-92ef-c132b8978713] 200 OK (00.0s)
Pragma:no-cache
Strict-Transport-Security:REDACTED
X-Content-Type-Options:REDACTED
Content-Length:3850
Cache-Control:no-cache
Content-Type:application/json; charset=utf-8
Date:Fri, 27 May 2022 01:10:27 GMT
Expires:-1
DEBUG: UsernamePasswordCredential.GetToken succeeded. Scopes: [
https://management.dm1174469-903.microsoftdatabox.com//openid ] ParentRequestId:  ExpiresOn:
2022-05-27T02:10:28.0000000+00:00
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.dm1174469-903.microsoftdatabox.com/subscriptions?api-version=2019-06-01

Headers:
x-ms-client-request-id        : 38187b72-eb60-450e-a646-eb5c873d06a7
accept-language               : en-US

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Pragma                        : no-cache
x-ms-ratelimit-remaining-tenant-reads: 29999
x-ms-request-id               : a32be7d1-a56a-4f32-8f3a-4a9f5d7ef87d
x-ms-correlation-request-id   : a32be7d1-a56a-4f32-8f3a-4a9f5d7ef87d
x-ms-routing-request-id       : DBELOCAL:20220527T011033Z:a32be7d1-a56a-4f32-8f3a-4a9f5d7ef87d
Strict-Transport-Security     : max-age=31536000; includeSubDomains
X-Content-Type-Options        : nosniff
Cache-Control                 : no-cache
Date                          : Fri, 27 May 2022 01:10:32 GMT

Body:
{
  "value": [
    {
      "id": "/subscriptions/fc2a0f8c-736b-4142-8fa2-69b73e7d9d5c",
      "authorizationSource": "Legacy",
      "managedByTenants": [],
      "subscriptionId": "fc2a0f8c-736b-4142-8fa2-69b73e7d9d5c",
      "tenantId": "c0257de7-538f-415c-993a-1b87a031879d",
      "displayName": "Default Provider Subscription",
      "state": "Enabled",
      "subscriptionPolicies": {
        "locationPlacementId": "",
        "quotaId": "",
        "spendingLimit": "Off"
      }
    }
  ],
  "count": {
    "type": "Total",
    "value": 1
  }
}

DEBUG: AzureQoSEvent: CommandName - Connect-AzAccount; IsSuccess - True; Duration - 00:00:06.3522709
DEBUG: Finish sending metric.
DEBUG: 6:10:51 PM - ConnectAzureRmAccountCommand end processing.
Account               SubscriptionName              TenantId                             Environment
-------               ----------------              --------                             -----------
EdgeArmUser@localhost Default Provider Subscription c0257de7-538f-415c-993a-1b87a031879d AzDBE

[REDACTED]: PS C:\> $tok = Get-AzAccessToken
DEBUG: 6:11:03 PM - GetAzureRmAccessTokenCommand begin processing with ParameterSet 'KnownResourceTypeName'.
DEBUG: 6:11:03 PM - using account id 'EdgeArmUser@localhost'...
DEBUG: 6:11:03 PM - [SilentAuthenticator] Calling SharedTokenCacheCredential.GetTokenAsync - TenantId:'adfs',
Scopes:'https://management.dm1174469-903.microsoftdatabox.com//openid',
AuthorityHost:'https://login.dm1174469-903.microsoftdatabox.com/adfs/', UserId:'EdgeArmUser@localhost'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [
https://management.dm1174469-903.microsoftdatabox.com//openid ] ParentRequestId:
DEBUG: SharedTokenCacheCredential.GetToken succeeded. Scopes: [
https://management.dm1174469-903.microsoftdatabox.com//openid ] ParentRequestId:  ExpiresOn:
2022-05-27T02:10:28.0000000+00:00
DEBUG: AzureQoSEvent: CommandName - Get-AzAccessToken; IsSuccess - True; Duration - 00:00:00.1276096
DEBUG: Finish sending metric.
DEBUG: 6:11:04 PM - GetAzureRmAccessTokenCommand end processing.

[REDACTED]: PS C:\> $tok.ExpiresOn.LocalDateTime

Thursday, May 26, 2022 7:10:28 PM

[REDACTED]: PS C:\> Get-AzResourceGroup | ft
DEBUG: 6:12:49 PM - GetAzureResourceGroupCmdlet begin processing with ParameterSet 'GetByResourceGroupName'.
DEBUG: 6:12:49 PM - using account id 'EdgeArmUser@localhost'...
DEBUG: [Common.Authentication]: Authenticating using Account: 'EdgeArmUser@localhost', environment: 'AzDBE', tenant:
'c0257de7-538f-415c-993a-1b87a031879d'
DEBUG: 6:12:49 PM - [SilentAuthenticator] Calling SharedTokenCacheCredential.GetTokenAsync - TenantId:'adfs',
Scopes:'https://management.dm1174469-903.microsoftdatabox.com//openid',
AuthorityHost:'https://login.dm1174469-903.microsoftdatabox.com/adfs/', UserId:'EdgeArmUser@localhost'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [
https://management.dm1174469-903.microsoftdatabox.com//openid ] ParentRequestId:
DEBUG: SharedTokenCacheCredential.GetToken succeeded. Scopes: [
https://management.dm1174469-903.microsoftdatabox.com//openid ] ParentRequestId:  ExpiresOn:
2022-05-27T02:10:28.0000000+00:00
DEBUG: [Common.Authentication]: Received token with LoginType 'User', Tenant: 'c0257de7-538f-415c-993a-1b87a031879d',
UserId: 'EdgeArmUser@localhost'
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.dm1174469-903.microsoftdatabox.com/subscriptions/fc2a0f8c-736b-4142-8fa2-69b73e7d9d5c/resourcegroups
?api-version=2020-06-01

Headers:
x-ms-client-request-id        : 5c64777b-700c-4c18-ae88-2b0161cad7f4
accept-language               : en-US

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Pragma                        : no-cache
x-ms-ratelimit-remaining-subscription-reads: 29999
x-ms-request-id               : b766ba44-4271-406f-9240-69d4bf1c76b1
x-ms-correlation-request-id   : b766ba44-4271-406f-9240-69d4bf1c76b1
x-ms-routing-request-id       : DBELOCAL:20220527T011249Z:b766ba44-4271-406f-9240-69d4bf1c76b1
Strict-Transport-Security     : max-age=31536000; includeSubDomains
X-Content-Type-Options        : nosniff
Cache-Control                 : no-cache
Date                          : Fri, 27 May 2022 01:12:49 GMT

Body:
{
  "value": [
    {
      "id": "/subscriptions/fc2a0f8c-736b-4142-8fa2-69b73e7d9d5c/resourceGroups/ASERG",
      "name": "ASERG",
      "type": "Microsoft.Resources/resourceGroups",
      "location": "dbelocal",
      "properties": {
        "provisioningState": "Succeeded"
      }
    },
    {
      "id": "/subscriptions/fc2a0f8c-736b-4142-8fa2-69b73e7d9d5c/resourceGroups/RG1",
      "name": "RG1",
      "type": "Microsoft.Resources/resourceGroups",
      "location": "dbelocal",
      "properties": {
        "provisioningState": "Succeeded"
      }
    }
  ]
}

DEBUG: AzureQoSEvent: CommandName - Get-AzResourceGroup; IsSuccess - True; Duration - 00:00:00.1936138
DEBUG: Finish sending metric.
DEBUG: 6:13:09 PM - GetAzureResourceGroupCmdlet end processing.
ResourceGroupName Location ProvisioningState Tags TagsTable ResourceId
----------------- -------- ----------------- ---- --------- ----------
ASERG             dbelocal Succeeded                        /subscriptions/fc2a0f8c-736b-4142-8fa2-69b73e7d9d5c/reso...
RG1               dbelocal Succeeded                        /subscriptions/fc2a0f8c-736b-4142-8fa2-69b73e7d9d5c/reso...

[REDACTED]: PS C:\> sleep (60*60); Get-AzResourceGroup | ft

DEBUG: 7:16:49 PM - GetAzureResourceGroupCmdlet begin processing with ParameterSet 'GetByResourceGroupName'.
DEBUG: 7:16:49 PM - using account id 'EdgeArmUser@localhost'...
DEBUG: [Common.Authentication]: Authenticating using Account: 'EdgeArmUser@localhost', environment: 'AzDBE', tenant:
'c0257de7-538f-415c-993a-1b87a031879d'
DEBUG: 7:16:49 PM - [SilentAuthenticator] Calling SharedTokenCacheCredential.GetTokenAsync - TenantId:'adfs',
Scopes:'https://management.dm1174469-903.microsoftdatabox.com//openid',
AuthorityHost:'https://login.dm1174469-903.microsoftdatabox.com/adfs/', UserId:'EdgeArmUser@localhost'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [
https://management.dm1174469-903.microsoftdatabox.com//openid ] ParentRequestId:
DEBUG: Request [85295504-6c62-4bb0-89c7-34ae11d237ee] GET
https://login.dm1174469-903.microsoftdatabox.com/.well-known/webfinger?rel=REDACTED&resource=REDACTED
x-ms-client-request-id:85295504-6c62-4bb0-89c7-34ae11d237ee
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Identity/1.4.0-beta.3 (.NET Framework 4.7.3910.0; Microsoft Windows 10.0.17763 )
client assembly: Azure.Identity
DEBUG: Response [85295504-6c62-4bb0-89c7-34ae11d237ee] 200 OK (00.0s)
Pragma:no-cache
Strict-Transport-Security:REDACTED
X-Content-Type-Options:REDACTED
Content-Length:187
Cache-Control:no-cache
Content-Type:application/json; charset=utf-8
Date:Fri, 27 May 2022 02:16:49 GMT
Expires:-1
DEBUG: Request [2e84ddc9-0cf7-4771-82b0-b1b088966cc3] POST
https://login.dm1174469-903.microsoftdatabox.com/adfs/oauth2/token
x-client-SKU:REDACTED
x-client-Ver:REDACTED
x-client-CPU:REDACTED
x-client-OS:REDACTED
x-client-current-telemetry:REDACTED
x-client-last-telemetry:REDACTED
x-ms-PKeyAuth:REDACTED
x-ms-lib-capability:REDACTED
client-request-id:REDACTED
return-client-request-id:REDACTED
x-app-name:REDACTED
x-app-ver:REDACTED
Content-Type:application/x-www-form-urlencoded
x-ms-client-request-id:2e84ddc9-0cf7-4771-82b0-b1b088966cc3
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Identity/1.4.0-beta.3 (.NET Framework 4.7.3910.0; Microsoft Windows 10.0.17763 )
client assembly: Azure.Identity
DEBUG: Response [2e84ddc9-0cf7-4771-82b0-b1b088966cc3] 200 OK (00.0s)
Pragma:no-cache
Strict-Transport-Security:REDACTED
X-Content-Type-Options:REDACTED
Content-Length:3850
Cache-Control:no-cache
Content-Type:application/json; charset=utf-8
Date:Fri, 27 May 2022 02:16:49 GMT
Expires:-1
DEBUG: SharedTokenCacheCredential.GetToken succeeded. Scopes: [
https://management.dm1174469-903.microsoftdatabox.com//openid ] ParentRequestId:  ExpiresOn:
2022-05-27T03:16:49.0000000+00:00
DEBUG: [Common.Authentication]: Received token with LoginType 'User', Tenant: 'c0257de7-538f-415c-993a-1b87a031879d',
UserId: 'EdgeArmUser@localhost'
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.dm1174469-903.microsoftdatabox.com/subscriptions/fc2a0f8c-736b-4142-8fa2-69b73e7d9d5c/resourcegroups
?api-version=2020-06-01

Headers:
x-ms-client-request-id        : 85b5aeb8-cb39-49b9-a9ff-0a383e28b781
accept-language               : en-US

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Pragma                        : no-cache
x-ms-ratelimit-remaining-subscription-reads: 29995
x-ms-request-id               : adbaa4e1-181c-4240-a8bd-9fcab78a389e
x-ms-correlation-request-id   : adbaa4e1-181c-4240-a8bd-9fcab78a389e
x-ms-routing-request-id       : DBELOCAL:20220527T021649Z:adbaa4e1-181c-4240-a8bd-9fcab78a389e
Strict-Transport-Security     : max-age=31536000; includeSubDomains
X-Content-Type-Options        : nosniff
Cache-Control                 : no-cache
Date                          : Fri, 27 May 2022 02:16:49 GMT

Body:
{
  "value": [
    {
      "id": "/subscriptions/fc2a0f8c-736b-4142-8fa2-69b73e7d9d5c/resourceGroups/ASERG",
      "name": "ASERG",
      "type": "Microsoft.Resources/resourceGroups",
      "location": "dbelocal",
      "properties": {
        "provisioningState": "Succeeded"
      }
    },
    {
      "id": "/subscriptions/fc2a0f8c-736b-4142-8fa2-69b73e7d9d5c/resourceGroups/RG1",
      "name": "RG1",
      "type": "Microsoft.Resources/resourceGroups",
      "location": "dbelocal",
      "properties": {
        "provisioningState": "Succeeded"
      }
    }
  ]
}

DEBUG: AzureQoSEvent: CommandName - Get-AzResourceGroup; IsSuccess - True; Duration - 00:00:00.0918894

[REDACTED]: PS C:\> sleep 60; Get-AzResourceGroup | ft

DEBUG: 7:18:10 PM - GetAzureResourceGroupCmdlet begin processing with ParameterSet 'GetByResourceGroupName'.
DEBUG: 7:18:10 PM - using account id 'EdgeArmUser@localhost'...
DEBUG: [Common.Authentication]: Authenticating using Account: 'EdgeArmUser@localhost', environment: 'AzDBE', tenant:
'c0257de7-538f-415c-993a-1b87a031879d'
DEBUG: 7:18:10 PM - [SilentAuthenticator] Calling SharedTokenCacheCredential.GetTokenAsync - TenantId:'adfs',
Scopes:'https://management.dm1174469-903.microsoftdatabox.com//openid',
AuthorityHost:'https://login.dm1174469-903.microsoftdatabox.com/adfs/', UserId:'EdgeArmUser@localhost'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [
https://management.dm1174469-903.microsoftdatabox.com//openid ] ParentRequestId:
DEBUG: SharedTokenCacheCredential.GetToken was unable to retrieve an access token. Scopes: [
https://management.dm1174469-903.microsoftdatabox.com//openid ] ParentRequestId:  Exception:
Azure.Identity.AuthenticationFailedException (0x80131500): SharedTokenCacheCredential authentication failed: The cache
contains multiple tokens satisfying the requirements. Try to clear token cache.
 ---> Microsoft.Identity.Client.MsalClientException (0x80131500): The cache contains multiple tokens satisfying the
requirements. Try to clear token cache.
DEBUG: [Common.Authentication]: Received exception SharedTokenCacheCredential authentication failed: The cache contains
 multiple tokens satisfying the requirements. Try to clear token cache. , while authenticating.
Get-AzResourceGroup : Your Azure credentials have not been set up or have expired, please run Connect-AzAccount to set
up your Azure credentials.
    + CategoryInfo          : CloseError: (:) [Get-AzResourceGroup], ArgumentException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.GetAzureResourceGroupCmd
   let

DEBUG: AzureQoSEvent: CommandName - Get-AzResourceGroup; IsSuccess - False; Duration - 00:00:00.1016185; Exception -
Your Azure credentials have not been set up or have expired, please run Connect-AzAccount to set up your Azure
credentials.;
DEBUG: Finish sending metric.
DEBUG: 7:18:11 PM - GetAzureResourceGroupCmdlet end processing.

[REDACTED]: PS C:\> Get-AzAccessToken

DEBUG: 7:20:33 PM - GetAzureRmAccessTokenCommand begin processing with ParameterSet 'KnownResourceTypeName'.
DEBUG: 7:20:33 PM - using account id 'EdgeArmUser@localhost'...
DEBUG: 7:20:33 PM - [SilentAuthenticator] Calling SharedTokenCacheCredential.GetTokenAsync - TenantId:'adfs',
Scopes:'https://management.dm1174469-903.microsoftdatabox.com//openid',
AuthorityHost:'https://login.dm1174469-903.microsoftdatabox.com/adfs/', UserId:'EdgeArmUser@localhost'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [
https://management.dm1174469-903.microsoftdatabox.com//openid ] ParentRequestId:
DEBUG: SharedTokenCacheCredential.GetToken was unable to retrieve an access token. Scopes: [
https://management.dm1174469-903.microsoftdatabox.com//openid ] ParentRequestId:  Exception:
Azure.Identity.AuthenticationFailedException (0x80131500): SharedTokenCacheCredential authentication failed: The cache
contains multiple tokens satisfying the requirements. Try to clear token cache.
 ---> Microsoft.Identity.Client.MsalClientException (0x80131500): The cache contains multiple tokens satisfying the
requirements. Try to clear token cache.
Get-AzAccessToken : SharedTokenCacheCredential authentication failed: The cache contains multiple tokens satisfying
the requirements. Try to clear token cache.
At line:1 char:9
+ $tok2 = Get-AzAccessToken
+         ~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Get-AzAccessToken], AuthenticationFailedException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Profile.GetAzureRmAccessTokenCommand

DEBUG: AzureQoSEvent: CommandName - Get-AzAccessToken; IsSuccess - False; Duration - 00:00:00.0524482; Exception -
SharedTokenCacheCredential authentication failed: The cache contains multiple tokens satisfying the requirements. Try
to clear token cache. ;
DEBUG: Finish sending metric.
DEBUG: 7:20:50 PM - GetAzureRmAccessTokenCommand end processing.

Environment data

Name                           Value
----                           -----
PSVersion                      5.1.17763.10814
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.17763.10814
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Module versions

ModuleType Version Name         ExportedCommands
---------- ------- ----         ----------------
Script     2.2.8   Az.Accounts  {Add-AzEnvironment, Clear-AzContext, Clear-AzDefault, Conn...
Script     0.11.0  Az.Resources {Add-AzADGroupMember, Export-AzResourceGroup, Get-AzADAppC...

Error output

Message        : SharedTokenCacheCredential authentication failed: The cache contains multiple tokens satisfying the 
                 requirements. Try to clear token cache. 
StackTrace     :    at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex)
                    at Azure.Identity.SharedTokenCacheCredential.<GetTokenImplAsync>d__21.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Azure.Identity.SharedTokenCacheCredential.<GetTokenAsync>d__20.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Microsoft.Azure.PowerShell.Authenticators.MsalAccessToken.<GetAccessTokenAsync>d__33.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzu
                 reAccount account, IAzureEnvironment environment, String tenant, SecureString password, String 
                 promptBehavior, Action`1 promptAction, IAzureTokenCache tokenCache, String resourceId)
                    at Microsoft.Azure.Commands.Profile.GetAzureRmAccessTokenCommand.ExecuteCmdlet()
                    at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
Exception      : Azure.Identity.AuthenticationFailedException
InvocationInfo : {Get-AzAccessToken}
Line           : $tok2 = Get-AzAccessToken
Position       : At line:1 char:9
                 + $tok2 = Get-AzAccessToken
                 +         ~~~~~~~~~~~~~~~~~
HistoryId      : 28

Message        : The cache contains multiple tokens satisfying the requirements. Try to clear token cache. 
StackTrace     :    at Microsoft.Identity.Client.TokenCache.GetSingleResult(AuthenticationRequestParameters 
                 requestParams, IEnumerable`1 filteredItems)
                    at Microsoft.Identity.Client.TokenCache.<Microsoft-Identity-Client-ITokenCacheInternal-FindAccessTo
                 kenAsync>d__63.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Microsoft.Identity.Client.Cache.CacheSessionManager.<FindAccessTokenAsync>d__6.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at 
                 Microsoft.Identity.Client.Internal.Requests.Silent.CacheSilentStrategy.<ExecuteAsync>d__12.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Microsoft.Identity.Client.Internal.Requests.Silent.SilentRequest.<ExecuteAsync>d__5.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at Microsoft.Identity.Client.Internal.Requests.Silent.SilentRequest.<ExecuteAsync>d__5.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Microsoft.Identity.Client.Internal.Requests.RequestBase.<RunAsync>d__13.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Microsoft.Identity.Client.ApiConfig.Executors.ClientApplicationBaseExecutor.<ExecuteAsync>d__2.M
                 oveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Azure.Identity.AbstractAcquireTokenParameterBuilderExtensions.<ExecuteAsync>d__0`1.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Azure.Identity.MsalPublicClient.<AcquireTokenSilentAsync>d__7.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Azure.Identity.SharedTokenCacheCredential.<GetTokenImplAsync>d__21.MoveNext()
Exception      : Microsoft.Identity.Client.MsalClientException
InvocationInfo : {Get-AzAccessToken}
Line           : $tok2 = Get-AzAccessToken
Position       : At line:1 char:9
                 + $tok2 = Get-AzAccessToken
                 +         ~~~~~~~~~~~~~~~~~
HistoryId      : 28

   HistoryId: 26

Message        : Your Azure credentials have not been set up or have expired, please run Connect-AzAccount to set up 
                 your Azure credentials.
StackTrace     :    at Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.ResourceManagerCmdletBase.Handle
                 Exception(ExceptionDispatchInfo capturedException)
                    at Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.ResourceManagerCmdletBase.Execut
                 eCmdlet()
                    at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
Exception      : System.ArgumentException
InvocationInfo : {Get-AzResourceGroup}
Line           : 
Position       : 
HistoryId      : 26

Message        : SharedTokenCacheCredential authentication failed: The cache contains multiple tokens satisfying the 
                 requirements. Try to clear token cache. 
StackTrace     :    at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex)
                    at Azure.Identity.SharedTokenCacheCredential.<GetTokenImplAsync>d__21.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Azure.Identity.SharedTokenCacheCredential.<GetTokenAsync>d__20.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Microsoft.Azure.PowerShell.Authenticators.MsalAccessToken.<GetAccessTokenAsync>d__33.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzu
                 reAccount account, IAzureEnvironment environment, String tenant, SecureString password, String 
                 promptBehavior, Action`1 promptAction, IAzureTokenCache tokenCache, String resourceId)
                    at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.GetServiceClientC
                 redentials(IAzureContext context, String targetEndpoint)
Exception      : Azure.Identity.AuthenticationFailedException
InvocationInfo : {Get-AzResourceGroup}
Line           : 
Position       : 
HistoryId      : 26

Message        : The cache contains multiple tokens satisfying the requirements. Try to clear token cache. 
StackTrace     :    at Microsoft.Identity.Client.TokenCache.GetSingleResult(AuthenticationRequestParameters 
                 requestParams, IEnumerable`1 filteredItems)
                    at Microsoft.Identity.Client.TokenCache.<Microsoft-Identity-Client-ITokenCacheInternal-FindAccessTo
                 kenAsync>d__63.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Microsoft.Identity.Client.Cache.CacheSessionManager.<FindAccessTokenAsync>d__6.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at 
                 Microsoft.Identity.Client.Internal.Requests.Silent.CacheSilentStrategy.<ExecuteAsync>d__12.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Microsoft.Identity.Client.Internal.Requests.Silent.SilentRequest.<ExecuteAsync>d__5.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at Microsoft.Identity.Client.Internal.Requests.Silent.SilentRequest.<ExecuteAsync>d__5.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Microsoft.Identity.Client.Internal.Requests.RequestBase.<RunAsync>d__13.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Microsoft.Identity.Client.ApiConfig.Executors.ClientApplicationBaseExecutor.<ExecuteAsync>d__2.M
                 oveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Azure.Identity.AbstractAcquireTokenParameterBuilderExtensions.<ExecuteAsync>d__0`1.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Azure.Identity.MsalPublicClient.<AcquireTokenSilentAsync>d__7.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Azure.Identity.SharedTokenCacheCredential.<GetTokenImplAsync>d__21.MoveNext()
Exception      : Microsoft.Identity.Client.MsalClientException
InvocationInfo : {Get-AzResourceGroup}
Line           : 
Position       : 
HistoryId      : 26

keystroke commented 2 years ago

dingmeng-xue commented 2 years ago

Hi @keystroke, as you have seen 2 elements in the token cache and they may keep the client from getting the correct access token, I suspect it is an issue in MSAL. However, Az.Accounts 2.2.8 is too old and you cannot get MSAL support. My suggestion is that you remove the token cache and log in again if you cannot use the latest version of Az.Accounts.

            Disconnect-AzAccount
            Clear-AzContext

keystroke commented 2 years ago

@dingmeng-xue having user clear token cache and re-sign-in every hour is not a good user experience as that defeats the purpose of refresh tokens. What version of MSAL is in latest Azure PS?

@ssel is ASE locked to version 2.2.8 for Azure PowerShell? Can we try to see if it repros using the latest version (even if unsupported in general for ASE the sign-in and get resource group flows should be functional)?

ssel commented 2 years ago

The reason for the old PS version is that the resource providers used by ARM Lite on ASE don't support the latest API versions used by those in the cloud.

For the latest, it's documented that customers should use this to install Az:

            Install-Module Az -RequiredVersion 1.10.0

I'm not sure how the "Install-Module Az" version maps to the Az.Accounts version.

Scott

dingmeng-xue commented 2 years ago

@keystroke, it's true that AzureStack cannot use the latest version. Could you stably reproduce this issue? If yes, I believe we can ask the MSAL team to look into it and provide suggestions. Otherwise, it is pretty challenging. The current version of Az.Accounts (2.8.0) is using MSAL 2.19.3.
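
The version questions raised in this thread can be checked from inside the affected session. The following is an added example, not code from the thread or from the Azure PowerShell project; the function name `Get-AzAuthLibraryVersion` is hypothetical. It reports the Az.Accounts version in use and the versions of the two authentication assemblies that appear in the stack traces above.

```powershell
# Added diagnostic example (not from the thread): list the auth libraries this session uses.
function Get-AzAuthLibraryVersion {
    [CmdletBinding()]
    param(
        # Assembly names taken from the stack traces on this page.
        [string[]] $AssemblyName = @('Microsoft.Identity.Client', 'Azure.Identity')
    )

    # Prefer the Az.Accounts copy already imported; otherwise the newest installed copy.
    $state = 'Loaded'
    $accounts = Get-Module -Name Az.Accounts | Select-Object -First 1
    if (-not $accounts) {
        $state = 'InstalledNotLoaded'
        $accounts = Get-Module -Name Az.Accounts -ListAvailable |
            Sort-Object -Property Version -Descending |
            Select-Object -First 1
    }
    if ($accounts) {
        [pscustomobject]@{
            Component   = 'Az.Accounts'
            Version     = $accounts.Version.ToString()
            FileVersion = $null
            State       = $state
            Path        = $accounts.ModuleBase
        }
    }

    # The assemblies are only present once an Az cmdlet has authenticated in this session.
    $loaded = [AppDomain]::CurrentDomain.GetAssemblies()
    foreach ($name in $AssemblyName) {
        $hits = @($loaded | Where-Object { $_.GetName().Name -eq $name })
        if ($hits.Count -eq 0) {
            [pscustomobject]@{
                Component = $name; Version = $null; FileVersion = $null
                State = 'NotLoaded'; Path = $null
            }
            continue
        }
        # More than one row for the same name means side-by-side copies are loaded.
        foreach ($asm in $hits) {
            $fileVersion = $null
            if ($asm.Location) {
                $fileVersion = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($asm.Location).FileVersion
            }
            [pscustomobject]@{
                Component   = $name
                Version     = $asm.GetName().Version.ToString()
                FileVersion = $fileVersion
                State       = 'Loaded'
                Path        = $asm.Location
            }
        }
    }
}

Get-AzAuthLibraryVersion | Format-Table -AutoSize
```

Run it in the same PowerShell session that shows the error, after at least one Az cmdlet has been called, so the rows reflect the assemblies actually loaded rather than what is merely installed.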

ssel commented 2 years ago

Yes, I believe I can reliably reproduce this.

By the way, once this happens the only way I've found to recover is to open a new PS session. I've tried Clear-AzContext, removing msal.cache, and SharedTokenCacheProvider.ClearCache, but I continue to get "The cache contains multiple tokens satisfying the requirements" within the original PS session.

Thanks, Scott
