Azure / azure-powershell

Microsoft Azure PowerShell

Connect-AzAccount expects Tenant-ID if account is available in multiple tenants [Breaks Backward Compatibility] #19987

Open bniranjanbhat opened 1 year ago

bniranjanbhat commented 1 year ago

Description

Using Connect-AzAccount with only the subscription ID switch used to work earlier. However, with the latest version (2.10.2), it also expects the TenantID if the account is part of multiple tenants; this breaks backward compatibility.

NOTE: I have also seen another behavior:

  1. Perform Connect-AzAccount with -Subscription and -TenantId parameters.
    • User logs in successfully
  2. Perform Disconnect-AzAccount
    • User logs out successfully
  3. Now, perform Connect-AzAccount with -Subscription only.
    • User can now login successfully.

Issue script & Debug output

PS C:\Users\niranjanb\Desktop\cluster_creation> Connect-AzAccount  -SubscriptionId cleansube
DEBUG: 10:01:36 AM - ConnectAzureRmAccountCommand begin processing with ParameterSet 'UserWithSubscriptionId'.
DEBUG: 10:01:36 AM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 10:01:36 AM - Autosave setting from startup session: 'CurrentUser'
DEBUG: 10:01:36 AM - No autosave setting detected in environment variable 'AzContextAutoSave'.
DEBUG: 10:01:36 AM - Using Autosave scope 'CurrentUser'
DEBUG: 10:01:36 AM - [InteractiveUserAuthenticator] Calling InteractiveBrowserCredential.AuthenticateAsync with TenantId:'', Scopes:'https://management.core.windows.net//.default',
AuthorityHost:'https://login.microsoftonline.com/', RedirectUri:'http://localhost:8400/'
DEBUG: InteractiveBrowserCredential.Authenticate invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:
DEBUG: Executing interactive authentication workflow inline.
DEBUG: False MSAL 4.46.0.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2022-10-31 04:31:36Z - 9c44a93e-1c2a-45e2-8c18-1848e8650388] MSAL MSAL.Desktop with assembly version '4.46.0.0'.
CorrelationId(9c44a93e-1c2a-45e2-8c18-1848e8650388)
DEBUG: False MSAL 4.46.0.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2022-10-31 04:31:36Z - 9c44a93e-1c2a-45e2-8c18-1848e8650388] === InteractiveParameters Data ===
LoginHint provided: False
User provided: False
UseEmbeddedWebView: NotSpecified
ExtraScopesToConsent:
Prompt: select_account
HasCustomWebUi: False
DEBUG: False MSAL 4.46.0.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2022-10-31 04:31:36Z - 9c44a93e-1c2a-45e2-8c18-1848e8650388]
=== Request Data ===
Authority Provided? - True
Scopes - https://management.core.windows.net//.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenInteractive
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - 9c44a93e-1c2a-45e2-8c18-1848e8650388
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:
DEBUG: False MSAL 4.46.0.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2022-10-31 04:31:36Z - 9c44a93e-1c2a-45e2-8c18-1848e8650388] === Token Acquisition (InteractiveRequest) started:
  Scopes: https://management.core.windows.net//.default
 Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.46.0.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2022-10-31 04:31:36Z - 9c44a93e-1c2a-45e2-8c18-1848e8650388] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.46.0.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2022-10-31 04:31:36Z - 9c44a93e-1c2a-45e2-8c18-1848e8650388] Using legacy embedded browser.
DEBUG: False MSAL 4.46.0.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2022-10-31 04:31:40Z - 9c44a93e-1c2a-45e2-8c18-1848e8650388] [Legacy WebView] Redirect URI was reached. Stopping WebView
navigation...
DEBUG: False MSAL 4.46.0.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2022-10-31 04:31:40Z - 9c44a93e-1c2a-45e2-8c18-1848e8650388] An authorization code was retrieved from the /authorize endpoint.
DEBUG: False MSAL 4.46.0.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2022-10-31 04:31:40Z - 9c44a93e-1c2a-45e2-8c18-1848e8650388] Exchanging the auth code for tokens.
DEBUG: False MSAL 4.46.0.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2022-10-31 04:31:40Z - 9c44a93e-1c2a-45e2-8c18-1848e8650388] === InteractiveParameters Data ===
LoginHint provided: False
User provided: False
UseEmbeddedWebView: NotSpecified
ExtraScopesToConsent:
Prompt: select_account
HasCustomWebUi: False
DEBUG: Request [62eda1f7-e19f-434b-9050-17334c009a33] POST https://login.microsoftonline.com/organizations/oauth2/v2.0/token
x-client-SKU:REDACTED
x-client-Ver:REDACTED
x-client-CPU:REDACTED
x-client-OS:REDACTED
x-anchormailbox:REDACTED
x-client-current-telemetry:REDACTED
x-client-last-telemetry:REDACTED
x-ms-lib-capability:REDACTED
client-request-id:REDACTED
return-client-request-id:REDACTED
x-app-name:REDACTED
x-app-ver:REDACTED
Content-Type:application/x-www-form-urlencoded
x-ms-client-request-id:62eda1f7-e19f-434b-9050-17334c009a33
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Identity/1.6.1 (.NET Framework 4.8.9075.0; Microsoft Windows 10.0.22621 )
client assembly: Azure.Identity
DEBUG: Response [62eda1f7-e19f-434b-9050-17334c009a33] 200 OK (00.8s)
Pragma:no-cache
Strict-Transport-Security:REDACTED
X-Content-Type-Options:REDACTED
client-request-id:REDACTED
x-ms-request-id:862ddd15-168a-4edc-965a-dfaec93e1100
x-ms-ests-server:REDACTED
x-ms-clitelem:REDACTED
X-XSS-Protection:REDACTED
Cache-Control:no-store, no-cache
Content-Type:application/json; charset=utf-8
Expires:-1
P3P:REDACTED
Set-Cookie:REDACTED
Date:Mon, 31 Oct 2022 04:31:40 GMT
Content-Length:5013
DEBUG: False MSAL 4.46.0.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2022-10-31 04:31:41Z - 9c44a93e-1c2a-45e2-8c18-1848e8650388] Checking client info returned from the server..
DEBUG: False MSAL 4.46.0.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2022-10-31 04:31:41Z - 9c44a93e-1c2a-45e2-8c18-1848e8650388] Saving token response to cache..
DEBUG: False MSAL 4.46.0.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2022-10-31 04:31:41Z - 9c44a93e-1c2a-45e2-8c18-1848e8650388] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.46.0.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2022-10-31 04:31:41Z - 9c44a93e-1c2a-45e2-8c18-1848e8650388] Saving AT in cache and removing overlapping ATs...
DEBUG: False MSAL 4.46.0.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2022-10-31 04:31:41Z - 9c44a93e-1c2a-45e2-8c18-1848e8650388] Looking for scopes for the authority in the cache which intersect
with https://management.core.windows.net//.default
DEBUG: False MSAL 4.46.0.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2022-10-31 04:31:41Z - 9c44a93e-1c2a-45e2-8c18-1848e8650388] Intersecting scope entries count - 1
DEBUG: False MSAL 4.46.0.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2022-10-31 04:31:41Z - 9c44a93e-1c2a-45e2-8c18-1848e8650388] Matching entries after filtering by user - 1
DEBUG: False MSAL 4.46.0.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2022-10-31 04:31:41Z - 9c44a93e-1c2a-45e2-8c18-1848e8650388] Saving Id Token and Account in cache ...
DEBUG: False MSAL 4.46.0.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2022-10-31 04:31:41Z - 9c44a93e-1c2a-45e2-8c18-1848e8650388] Saving RT in cache...
DEBUG: False MSAL 4.46.0.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2022-10-31 04:31:41Z - 9c44a93e-1c2a-45e2-8c18-1848e8650388] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.46.0.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2022-10-31 04:31:41Z - 9c44a93e-1c2a-45e2-8c18-1848e8650388] Not writing FRT in ADAL legacy cache.
DEBUG: False MSAL 4.46.0.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2022-10-31 04:31:41Z - 9c44a93e-1c2a-45e2-8c18-1848e8650388]
 === Token Acquisition finished successfully:
DEBUG: False MSAL 4.46.0.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2022-10-31 04:31:41Z - 9c44a93e-1c2a-45e2-8c18-1848e8650388]  AT expiration time: 10/31/2022 5:38:33 AM +00:00, scopes:
https://management.core.windows.net//user_impersonation https://management.core.windows.net//.default. source: IdentityProvider
DEBUG: False MSAL 4.46.0.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2022-10-31 04:31:41Z - 9c44a93e-1c2a-45e2-8c18-1848e8650388] Fetched access token from host login.microsoftonline.com.
DEBUG: InteractiveBrowserCredential.Authenticate succeeded. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:  ExpiresOn: 2022-10-31T05:38:33.4383641+00:00
DEBUG: 10:01:41 AM - [MsalAccessToken] Calling InteractiveBrowserCredential.GetTokenAsync - Scopes:'https://management.core.windows.net//.default'
DEBUG: InteractiveBrowserCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:
DEBUG: False MSAL 4.46.0.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2022-10-31 04:31:41Z - 69dc1220-4773-43da-92cb-f51d070a43eb] MSAL MSAL.Desktop with assembly version '4.46.0.0'.
CorrelationId(69dc1220-4773-43da-92cb-f51d070a43eb)
DEBUG: False MSAL 4.46.0.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2022-10-31 04:31:41Z - 69dc1220-4773-43da-92cb-f51d070a43eb] === AcquireTokenSilent Parameters ===
DEBUG: False MSAL 4.46.0.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2022-10-31 04:31:41Z - 69dc1220-4773-43da-92cb-f51d070a43eb] LoginHint provided: False
DEBUG: False MSAL 4.46.0.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2022-10-31 04:31:41Z - 69dc1220-4773-43da-92cb-f51d070a43eb] Account provided: True
DEBUG: False MSAL 4.46.0.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2022-10-31 04:31:41Z - 69dc1220-4773-43da-92cb-f51d070a43eb] ForceRefresh: False
DEBUG: False MSAL 4.46.0.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2022-10-31 04:31:41Z - 69dc1220-4773-43da-92cb-f51d070a43eb]
=== Request Data ===
Authority Provided? - True
Scopes - https://management.core.windows.net//.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - 69dc1220-4773-43da-92cb-f51d070a43eb
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:
DEBUG: False MSAL 4.46.0.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2022-10-31 04:31:41Z - 69dc1220-4773-43da-92cb-f51d070a43eb] === Token Acquisition (SilentRequest) started:
  Scopes: https://management.core.windows.net//.default
 Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.46.0.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2022-10-31 04:31:41Z - 69dc1220-4773-43da-92cb-f51d070a43eb] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.46.0.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2022-10-31 04:31:41Z - 69dc1220-4773-43da-92cb-f51d070a43eb] Access token is not expired. Returning the found cache entry.
[Current time (10/31/2022 04:31:41) - Expiration Time (10/31/2022 05:38:33 +00:00) - Extended Expiration Time (10/31/2022 05:38:33 +00:00)]
DEBUG: False MSAL 4.46.0.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2022-10-31 04:31:41Z - 69dc1220-4773-43da-92cb-f51d070a43eb] Returning access token found in cache. RefreshOn exists ? False
DEBUG: False MSAL 4.46.0.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2022-10-31 04:31:41Z - 69dc1220-4773-43da-92cb-f51d070a43eb] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.46.0.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2022-10-31 04:31:41Z - 69dc1220-4773-43da-92cb-f51d070a43eb]
 === Token Acquisition finished successfully:
DEBUG: False MSAL 4.46.0.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2022-10-31 04:31:41Z - 69dc1220-4773-43da-92cb-f51d070a43eb]  AT expiration time: 10/31/2022 5:38:33 AM +00:00, scopes:
https://management.core.windows.net//user_impersonation https://management.core.windows.net//.default. source: Cache
DEBUG: InteractiveBrowserCredential.GetToken succeeded. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:  ExpiresOn: 2022-10-31T05:38:33.0000000+00:00
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.azure.com/tenants?api-version=2021-01-01

Headers:
x-ms-client-request-id        : af4df7bb-fb19-4ebd-a3eb-9633a56db79f
accept-language               : en-US

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Pragma                        : no-cache
x-ms-ratelimit-remaining-tenant-reads: 11999
x-ms-request-id               : d50577b7-1a11-4a73-9e35-78d0ff086c8c
x-ms-correlation-request-id   : d50577b7-1a11-4a73-9e35-78d0ff086c8c
x-ms-routing-request-id       : CENTRALINDIA:20221031T043142Z:d50577b7-1a11-4a73-9e35-78d0ff086c8c
Strict-Transport-Security     : max-age=31536000; includeSubDomains
X-Content-Type-Options        : nosniff
Cache-Control                 : no-cache
Date                          : Mon, 31 Oct 2022 04:31:42 GMT

Body:
{
  "value": [
    {
      "id": "/tenants/cleantnenant",
      "tenantId": "cleantnenant",
      "countryCode": "US",
      "displayName": "Microsoft",
      "domains": [
        "drawbridge.com",
        "expresslogic.com",
        "euevents.microsoft.com",
        "nonprofits.microsoft.com",
        "benefits.microsoft.com",
        "forzaesports.com",
        "bons.ai",
        "bonsaiai.com",
        "bonsai.ai",
        "mobiledatalabs.com",
        "azmosa.io",
        "fslogix.com",
        "Howdy.ai",
        "Xoxco.com",
        "Botkit.ai",
        "glintinc.com",
        "maquette.ms",
        "tibazdev.microsoft.com",
        "mail.appcenter.ms",
        "Hexadite.com",
        "lobe.ai",
        "appcenter.ms",
        "github.com",
        "gearspop.com",
        "messages.microsoft.com",
        "flipgrid.com",
        "semanticmachines.com",
        "video2brain.com",
        "averesystems.com",
        "initiativegaming.com",
        "mail1.averesystems.com",
        "seaofthieves.com",
        "Intentional.com",
        "m12.vc",
        "email.bing.com",
        "playfab.com",
        "itsm.microsoft.com",
        "Windows.mail.microsoft.com",
        "smtphost.microsoft.com",
        "exmail.microsoft.com",
        "altvr.com",
        "altspacevr.com",
        "corp.microsoft.com",
        "cyclecomputing.com",
        "cloudyn.com",
        "nuget.org",
        "microsoftsmarthq.com.au",
        "lockbox.microsoft.com",
        "acompli.com",
        "domains.microsoft",
        "service.linkedin.com",
        "microsoft.com",
        "eventscommunication.microsoft.com",
        "deis.com",
        "Lynda.com",
        "Newsle.com",
        "linkedin.com",
        "myemailing.microsoft.com",

Environment data

Name                           Value
----                           -----
PSVersion                      5.1.22621.608
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.22621.608
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Module versions

Get-InstalledModule Az.Accounts -AllVersions

Version              Name                                Repository           Description
-------              ----                                ----------           -----------
2.10.2               Az.Accounts                         PSGallery            Microsoft Azure PowerShell - Accounts ..

Error output

Message        : The provided account asdfasd@asdfa.com does not have access to subscription ID "cleaned". Please try logging in with different credentials or a different
                 subscription ID. If a subscription is not specified, please check the configs by `Get-AzConfig`.
StackTrace     :    at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.Login(IAzureAccount account, IAzureEnvironment environment, String tenantIdOrName, String subscriptionId, String
                 subscriptionName, SecureString password, Boolean skipValidation, Action`1 promptAction, String name, Boolean shouldPopulateContextList, Int32 maxContextPopulation, String authScope)
                    at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.<>c__DisplayClass127_2.<ExecuteCmdlet>b__5()
                    at System.Threading.Tasks.Task`1.InnerInvoke()
                    at System.Threading.Tasks.Task.Execute()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.<>c__DisplayClass127_0.<ExecuteCmdlet>b__1(AzureRmProfile localProfile, RMProfileClient profileClient, String name)
                    at Microsoft.Azure.Commands.Profile.Common.AzureContextModificationCmdlet.ModifyContext(Action`2 contextAction)
                    at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.SetContextWithOverwritePrompt(Action`3 setContextAction)
                    at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.ExecuteCmdlet()
                    at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
Exception      : System.Management.Automation.PSInvalidOperationException
InvocationInfo : {Connect-AzAccount}
Line           : Connect-AzAccount  -SubscriptionId cleaned -verbose
Position       : At line:1 char:1
                 + Connect-AzAccount  -SubscriptionId cleaned ...
                 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

bemokraig commented 1 year ago

I also ran into this; it took some time to sort out when things that used to work suddenly don't.

dingmeng-xue commented 1 year ago

@bniranjanbhat and @bemokraig , I cannot reproduce the issue. Could you confirm the issue disappears when you use Az.Accounts 2.10.1 or 2.10.0?

bniranjanbhat commented 1 year ago

Hey @dingmeng-xue, I had mentioned this already:

The issue stops occurring if you have already done the following once on the machine:

  1. Perform Connect-AzAccount with -Subscription and -TenantId parameters.
    • User logs in successfully
  2. Perform Disconnect-AzAccount
    • User logs out successfully
  3. Now, perform Connect-AzAccount with -Subscription only.
    • User can now login successfully.

dingmeng-xue commented 1 year ago

@bniranjanbhat ,

After Disconnect-AzAccount and Clear-AzContext are executed, you can assume the environment is clean. I cannot see the error after it.

The log shows the error below. That is why I'd like your confirmation that you do not see the same problem when you use the old version. Your answer will help me to provide further analysis.

The provided account asdfasd@asdfa.com does not have access to subscription ID "cleaned". Please try logging in with different credentials or a different subscription ID.

dingmeng-xue commented 1 year ago

@bemokraig, please check whether your account can access multiple tenants. If one tenant requires a stricter authentication approach than the first tenant picked up by Azure PowerShell, you will hit the problem.

So far, this issue cannot be resolved on the client side because Azure AD determines the authN approach according to tenant settings and access policy. The client cannot determine it or predict which tenant needs the stricter method.
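The reproduction in the issue body and the maintainer's explanation above point to the same practical fix: stop relying on Azure PowerShell to guess the tenant and pin it explicitly. The debug output in the issue shows the empty-tenant request going to the `/organizations` authority; with `-TenantId` the sign-in is scoped to one tenant, so that tenant's sign-in policy is evaluated up front instead of surfacing later as "does not have access to subscription ID". The script below is an added example written for this thread, not code from the issue or from the Az.Accounts project. It assumes Az.Accounts 2.10 or later, an interactive session, and a placeholder subscription ID; `Find-AzTenantForSubscription` is a helper name chosen here, not an Az cmdlet.

```powershell
#Requires -Modules Az.Accounts
# Added example for this issue thread; not part of the Az.Accounts project.

function Find-AzTenantForSubscription {
    <#
    .SYNOPSIS
    With an account already signed in, returns the tenant(s) in which the given
    subscription is visible. Tenants that reject the current token (for example
    because they enforce MFA or Conditional Access) are reported as warnings
    rather than silently skipped, so the "stricter tenant" case is visible.
    #>
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId
    )

    $found = @()
    foreach ($tenant in Get-AzTenant) {
        try {
            # Probe this tenant with the existing session. A tenant that needs a
            # stricter authN method throws here instead of returning nothing.
            $sub = Get-AzSubscription -SubscriptionId $SubscriptionId `
                                      -TenantId $tenant.Id -ErrorAction Stop
            if ($sub) {
                $found += [pscustomobject]@{
                    TenantId     = $tenant.Id
                    TenantName   = $tenant.Name
                    Subscription = $sub.Name
                }
            }
        }
        catch {
            Write-Warning ("Tenant {0} ({1}) could not be queried with the current token: {2}" -f `
                $tenant.Id, $tenant.Name, $_.Exception.Message)
        }
    }
    return $found
}

# Placeholder; replace with the real subscription ID (assumption, not from the issue).
$subscriptionId = '00000000-0000-0000-0000-000000000000'

# 1. Start from a clean state so the behaviour is reproducible; this matches the
#    maintainer's definition of a clean environment in the thread.
Disconnect-AzAccount -ErrorAction SilentlyContinue | Out-Null
Clear-AzContext -Force

# 2. Sign in once without pinning a tenant or subscription. This is the call
#    that Az picks a tenant for; we use it only to enumerate tenants.
Connect-AzAccount | Out-Null

# 3. Locate the tenant that actually hosts the subscription.
$hits = Find-AzTenantForSubscription -SubscriptionId $subscriptionId
if (-not $hits) {
    throw "Subscription $subscriptionId is not visible in any tenant for this account."
}
$tenantId = $hits[0].TenantId

# 4. Reconnect with the tenant pinned. This is the backward-compatible form the
#    thread converges on and the one to use in scripts and pipelines.
Connect-AzAccount -TenantId $tenantId -SubscriptionId $subscriptionId | Out-Null

# 5. Verify the resulting context before running anything privileged; a wrong
#    tenant or subscription here means commands would run against the wrong
#    environment.
$ctx = Get-AzContext
if ($ctx.Tenant.Id -ne $tenantId -or $ctx.Subscription.Id -ne $subscriptionId) {
    throw "Unexpected context: tenant $($ctx.Tenant.Id), subscription $($ctx.Subscription.Id)"
}
$ctx | Format-List Account, Tenant, Subscription
```

Two practical notes. First, the step 5 check is worth keeping in automation even after the bug is fixed: `Connect-AzAccount` succeeding says nothing about which tenant or subscription ended up in the context. Second, the `-Debug` output posted in the issue includes the full `/tenants` response, which lists every verified domain of every tenant the account can see; redact that section, not just the account name and subscription ID, before pasting logs into a public tracker.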