Azure / azure-powershell

Microsoft Azure PowerShell

Get-AzKeyVaultSecret: Your Azure Credential have not been set up or have expired #24161

Open v-bafa opened 8 months ago

v-bafa commented 8 months ago

Description

(Screenshots attached to the original issue; not reproduced in this text capture.)

Issue script & Debug output

DEBUG: 7:41:38 PM - GetAzureKeyVaultSecret begin processing with ParameterSet 'ByVaultName'.
DEBUG: 7:41:38 PM - using account id 'xxx'...
DEBUG: 7:41:38 PM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: [Common.Authentication]: Authenticating using Account: 'xxx', environment: 'AzureCloud', tenant: 'xxx'
DEBUG: 7:41:38 PM - [ConfigManager] Got nothing from [EnableLoginByWam], Module = [], Cmdlet = []. Returning default value [False].
DEBUG: 7:41:38 PM - [SilentAuthenticator] Calling SharedTokenCacheCredential.GetTokenAsync - TenantId:'xxx', Scopes:'https://vault.azure.net/.default', AuthorityHost:'https://xxxxxxx/', UserId:'xxx'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: 
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.9 Darwin 19.6.0 Darwin Kernel Version 19.6.0: Mon Aug 31 22:12:52 PDT 2020; root:xnu-6153.141.2~1/RELEASE_X86_64 [2024-02-14 00:41:38Z - eeeaf514-5f70-45ee-8de1-8252674a45dd] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.9 Darwin 19.6.0 Darwin Kernel Version 19.6.0: Mon Aug 31 22:12:52 PDT 2020; root:xnu-6153.141.2~1/RELEASE_X86_64 [2024-02-14 00:41:38Z - eeeaf514-5f70-45ee-8de1-8252674a45dd] [Region discovery] Not using a regional authority. 
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.9 Darwin 19.6.0 Darwin Kernel Version 19.6.0: Mon Aug 31 22:12:52 PDT 2020; root:xnu-6153.141.2~1/RELEASE_X86_64 [2024-02-14 00:41:38Z - eeeaf514-5f70-45ee-8de1-8252674a45dd] [Region discovery] Not using a regional authority. 
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.9 Darwin 19.6.0 Darwin Kernel Version 19.6.0: Mon Aug 31 22:12:52 PDT 2020; root:xnu-6153.141.2~1/RELEASE_X86_64 [2024-02-14 00:41:38Z - eeeaf514-5f70-45ee-8de1-8252674a45dd] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.9 Darwin 19.6.0 Darwin Kernel Version 19.6.0: Mon Aug 31 22:12:52 PDT 2020; root:xnu-6153.141.2~1/RELEASE_X86_64 [2024-02-14 00:41:38Z - eeeaf514-5f70-45ee-8de1-8252674a45dd] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.9 Darwin 19.6.0 Darwin Kernel Version 19.6.0: Mon Aug 31 22:12:52 PDT 2020; root:xnu-6153.141.2~1/RELEASE_X86_64 [2024-02-14 00:41:38Z] Found 1 cache accounts and 0 broker accounts
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.9 Darwin 19.6.0 Darwin Kernel Version 19.6.0: Mon Aug 31 22:12:52 PDT 2020; root:xnu-6153.141.2~1/RELEASE_X86_64 [2024-02-14 00:41:38Z] Returning 1 accounts
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.9 Darwin 19.6.0 Darwin Kernel Version 19.6.0: Mon Aug 31 22:12:52 PDT 2020; root:xnu-6153.141.2~1/RELEASE_X86_64 [2024-02-14 00:41:38Z - 77c4c624-999c-463c-a8e0-db02b7951245] MSAL MSAL.NetCore with assembly version '4.49.1.0'. CorrelationId(77c4c624-999c-463c-a8e0-db02b7951245)
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.9 Darwin 19.6.0 Darwin Kernel Version 19.6.0: Mon Aug 31 22:12:52 PDT 2020; root:xnu-6153.141.2~1/RELEASE_X86_64 [2024-02-14 00:41:38Z - 77c4c624-999c-463c-a8e0-db02b7951245] === AcquireTokenSilent Parameters ===
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.9 Darwin 19.6.0 Darwin Kernel Version 19.6.0: Mon Aug 31 22:12:52 PDT 2020; root:xnu-6153.141.2~1/RELEASE_X86_64 [2024-02-14 00:41:38Z - 77c4c624-999c-463c-a8e0-db02b7951245] LoginHint provided: False
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.9 Darwin 19.6.0 Darwin Kernel Version 19.6.0: Mon Aug 31 22:12:52 PDT 2020; root:xnu-6153.141.2~1/RELEASE_X86_64 [2024-02-14 00:41:38Z - 77c4c624-999c-463c-a8e0-db02b7951245] Account provided: True
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.9 Darwin 19.6.0 Darwin Kernel Version 19.6.0: Mon Aug 31 22:12:52 PDT 2020; root:xnu-6153.141.2~1/RELEASE_X86_64 [2024-02-14 00:41:38Z - 77c4c624-999c-463c-a8e0-db02b7951245] ForceRefresh: False
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.9 Darwin 19.6.0 Darwin Kernel Version 19.6.0: Mon Aug 31 22:12:52 PDT 2020; root:xnu-6153.141.2~1/RELEASE_X86_64 [2024-02-14 00:41:38Z - 77c4c624-999c-463c-a8e0-db02b7951245] 
=== Request Data ===
Authority Provided? - True
Scopes - https://vault.azure.net/.default
Extra Query Params Keys (space separated) - 
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - 77c4c624-999c-463c-a8e0-db02b7951245
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured: 

DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.9 Darwin 19.6.0 Darwin Kernel Version 19.6.0: Mon Aug 31 22:12:52 PDT 2020; root:xnu-6153.141.2~1/RELEASE_X86_64 [2024-02-14 00:41:38Z - 77c4c624-999c-463c-a8e0-db02b7951245] === Token Acquisition (SilentRequest) started:
     Scopes: https://vault.azure.net/.default
    Authority Host: xxxxxxx
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.9 Darwin 19.6.0 Darwin Kernel Version 19.6.0: Mon Aug 31 22:12:52 PDT 2020; root:xnu-6153.141.2~1/RELEASE_X86_64 [2024-02-14 00:41:38Z - 77c4c624-999c-463c-a8e0-db02b7951245] [Region discovery] Not using a regional authority. 
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.9 Darwin 19.6.0 Darwin Kernel Version 19.6.0: Mon Aug 31 22:12:52 PDT 2020; root:xnu-6153.141.2~1/RELEASE_X86_64 [2024-02-14 00:41:38Z - 77c4c624-999c-463c-a8e0-db02b7951245] Access token has expired or about to expire. [Current time (02/14/2024 00:41:38) - Expiration Time (01/08/2024 22:23:52 +00:00) - Extended Expiration Time (01/08/2024 22:23:52 +00:00)]
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.9 Darwin 19.6.0 Darwin Kernel Version 19.6.0: Mon Aug 31 22:12:52 PDT 2020; root:xnu-6153.141.2~1/RELEASE_X86_64 [2024-02-14 00:41:38Z - 77c4c624-999c-463c-a8e0-db02b7951245] [Region discovery] Not using a regional authority. 
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.9 Darwin 19.6.0 Darwin Kernel Version 19.6.0: Mon Aug 31 22:12:52 PDT 2020; root:xnu-6153.141.2~1/RELEASE_X86_64 [2024-02-14 00:41:38Z - 77c4c624-999c-463c-a8e0-db02b7951245] [Region discovery] Not using a regional authority. 
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.9 Darwin 19.6.0 Darwin Kernel Version 19.6.0: Mon Aug 31 22:12:52 PDT 2020; root:xnu-6153.141.2~1/RELEASE_X86_64 [2024-02-14 00:41:38Z - 77c4c624-999c-463c-a8e0-db02b7951245] [FindRefreshTokenAsync] Refresh token found in the cache? - True
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.9 Darwin 19.6.0 Darwin Kernel Version 19.6.0: Mon Aug 31 22:12:52 PDT 2020; root:xnu-6153.141.2~1/RELEASE_X86_64 [2024-02-14 00:41:38Z - 77c4c624-999c-463c-a8e0-db02b7951245] [Instance Discovery] Instance discovery is enabled and will be performed
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.9 Darwin 19.6.0 Darwin Kernel Version 19.6.0: Mon Aug 31 22:12:52 PDT 2020; root:xnu-6153.141.2~1/RELEASE_X86_64 [2024-02-14 00:41:38Z - 77c4c624-999c-463c-a8e0-db02b7951245] [Region discovery] Not using a regional authority. 
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.9 Darwin 19.6.0 Darwin Kernel Version 19.6.0: Mon Aug 31 22:12:52 PDT 2020; root:xnu-6153.141.2~1/RELEASE_X86_64 [2024-02-14 00:41:38Z - 77c4c624-999c-463c-a8e0-db02b7951245] [Throttling] Entry found. Creation: 2/14/2024 12:40:49 AM +00:00 Expiration: 2/14/2024 12:42:49 AM +00:00 
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.9 Darwin 19.6.0 Darwin Kernel Version 19.6.0: Mon Aug 31 22:12:52 PDT 2020; root:xnu-6153.141.2~1/RELEASE_X86_64 [2024-02-14 00:41:38Z - 77c4c624-999c-463c-a8e0-db02b7951245] [Throttling] Returning valid entry.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.9 Darwin 19.6.0 Darwin Kernel Version 19.6.0: Mon Aug 31 22:12:52 PDT 2020; root:xnu-6153.141.2~1/RELEASE_X86_64 [2024-02-14 00:41:38Z - 77c4c624-999c-463c-a8e0-db02b7951245] [Throttling] Exception thrown because of throttling rule UiRequired 
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.9 Darwin 19.6.0 Darwin Kernel Version 19.6.0: Mon Aug 31 22:12:52 PDT 2020; root:xnu-6153.141.2~1/RELEASE_X86_64 [2024-02-14 00:41:38Z - 77c4c624-999c-463c-a8e0-db02b7951245] [FOCI] FRT refresh failed - other error. 
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.9 Darwin 19.6.0 Darwin Kernel Version 19.6.0: Mon Aug 31 22:12:52 PDT 2020; root:xnu-6153.141.2~1/RELEASE_X86_64 [2024-02-14 00:41:38Z - 77c4c624-999c-463c-a8e0-db02b7951245] Refreshing the RT failed. Is the exception retryable? False. Is there an AT in the cache that is usable? False 
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.9 Darwin 19.6.0 Darwin Kernel Version 19.6.0: Mon Aug 31 22:12:52 PDT 2020; root:xnu-6153.141.2~1/RELEASE_X86_64 [2024-02-14 00:41:38Z - 77c4c624-999c-463c-a8e0-db02b7951245] Failed to refresh the RT and cannot use existing AT (expired or missing). 
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.9 Darwin 19.6.0 Darwin Kernel Version 19.6.0: Mon Aug 31 22:12:52 PDT 2020; root:xnu-6153.141.2~1/RELEASE_X86_64 [2024-02-14 00:41:38Z - 77c4c624-999c-463c-a8e0-db02b7951245] Exception type: Microsoft.Identity.Client.MsalThrottledUiRequiredException
, ErrorCode: invalid_grant
HTTP StatusCode 400
CorrelationId 820ead67-3cbd-463a-8b85-0eab7df5b8b9

   at Microsoft.Identity.Client.OAuth2.Throttling.UiRequiredProvider.TryThrowException(String thumbprint, ILoggerAdapter logger)
   at Microsoft.Identity.Client.OAuth2.Throttling.UiRequiredProvider.TryThrottle(AuthenticationRequestParameters requestParams, IReadOnlyDictionary`2 bodyParams)
   at Microsoft.Identity.Client.OAuth2.Throttling.SingletonThrottlingManager.TryThrottle(AuthenticationRequestParameters requestParams, IReadOnlyDictionary`2 bodyParams)
   at Microsoft.Identity.Client.OAuth2.TokenClient.SendTokenRequestAsync(IDictionary`2 additionalBodyParameters, String scopeOverride, String tokenEndpointOverride, CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.SilentRequestHelper.RefreshAccessTokenAsync(MsalRefreshTokenCacheItem msalRefreshTokenItem, RequestBase request, AuthenticationRequestParameters authenticationRequestParameters, CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.Silent.CacheSilentStrategy.TryGetTokenUsingFociAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.Silent.CacheSilentStrategy.RefreshRtOrFailAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.Silent.CacheSilentStrategy.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.Silent.CacheSilentStrategy.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.Silent.SilentRequest.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.Silent.SilentRequest.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
DEBUG: SharedTokenCacheCredential.GetToken was unable to retrieve an access token. Scopes: [ https://vault.azure.net/.default ] ParentRequestId:  Exception: Azure.Identity.CredentialUnavailableException (0x80131500): SharedTokenCacheCredential authentication unavailable. Token acquisition failed for user xxx. Ensure that you have authenticated with a developer tool that supports Azure single sign on.
 ---> Microsoft.Identity.Client.MsalThrottledUiRequiredException (0x80131500): AADSTS530003: Your device is required to be managed to access this resource. Trace ID: 59e8d6bf-037f-43a7-be53-b1eb912e2200 Correlation ID: 820ead67-3cbd-463a-8b85-0eab7df5b8b9 Timestamp: 2024-02-14 00:40:49Z
DEBUG: [Common.Authentication]: Received exception SharedTokenCacheCredential authentication unavailable. Token acquisition failed for user xxx. Ensure that you have authenticated with a developer tool that supports Azure single sign on., while authenticating.
DEBUG: 7:41:38 PM - [ConfigManager] Got nothing from [EnableDataCollection], Module = [], Cmdlet = []. Returning default value [True].
Get-AzKeyVaultSecret: Your Azure credentials have not been set up or have expired, please run Connect-AzAccount to set up your Azure credentials.
SharedTokenCacheCredential authentication unavailable. Token acquisition failed for user xxx. Ensure that you have authenticated with a developer tool that supports Azure single sign on.
DEBUG: 7:41:38 PM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 7:41:38 PM - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent:  Module: Az.KeyVault:4.10.1; CommandName: Get-AzKeyVaultSecret; PSVersion: 7.3.6; IsSuccess: False; Duration: 00:00:00.0302961; Exception: Your Azure credentials have not been set up or have expired, please run Connect-AzAccount to set up your Azure credentials.
SharedTokenCacheCredential authentication unavailable. Token acquisition failed for user xxx. Ensure that you have authenticated with a developer tool that supports Azure single sign on.;
DEBUG: 7:41:38 PM - GetAzureKeyVaultSecret end processing.
PS /Users/sharedadmin>

Environment data

Please refer to the screenshot above.

Module versions

Please refer to the screenshot above.

Error output

Please refer to the screenshot above.
isra-fel commented 8 months ago

Hi @v-bafa, the error message (in the debug log) reads "AADSTS530003: Your device is required to be managed to access this resource." You need to manage your device or switch to another managed device in order to access the vault. That said, we'll improve the visibility of the error message.

v-bafa commented 8 months ago

Thank you @isra-fel. Does this only apply to Azure Key Vault? I can upload files to Azure Blob Storage via Az PowerShell from this device.

Also, have there been changes to this recently? We have only seen this failure since last week. The commands worked without issue before that, and we verified there are no changes to the Key Vault itself.

v-bafa commented 8 months ago

Also, the vault could be retrieved, but the secret could not. (Screenshot attached to the original issue; not reproduced in this text capture.)

isra-fel commented 8 months ago

Vaults are control plane, secrets are data plane; their access controls are different. I'd assume this is a "policy" thing rather than an API behavior change.
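The two points raised in this thread, that the real cause is buried in the debug log as an AADSTS code and that the control plane (ARM, used by Get-AzKeyVault) and the data plane (vault.azure.net, used by Get-AzKeyVaultSecret) are authorized separately, can be checked directly from the same session. The script below is an added diagnostic and is not code from the issue or from the Az module. It assumes Az.Accounts is installed and Connect-AzAccount has been run at least once, that Get-AzAccessToken accepts -ResourceUrl (it does in current Az.Accounts), and that the AADSTS code survives somewhere in the inner-exception chain of the cmdlet error; if it does not, the function returns $null and the -Debug output shown above remains the place to look.

```powershell
# Added diagnostic (not part of the issue or the Az module): request a token for the
# control-plane and data-plane resources separately, so a Conditional Access failure
# on one resource is visible even when the other still works.
# Assumes: Az.Accounts installed, Connect-AzAccount already run at least once.

function Get-AadErrorCode {
    param([Parameter(Mandatory)] [System.Exception] $Exception)
    # Walk the inner-exception chain: the AADSTS code sits on the MSAL exception,
    # not on the outer "Your Azure credentials have not been set up..." wrapper.
    # Assumption: the chain is preserved on the error record; otherwise $null.
    $e = $Exception
    while ($null -ne $e) {
        if ($e.Message -match 'AADSTS\d+') { return $Matches[0] }
        $e = $e.InnerException
    }
    return $null
}

function Test-AzTokenScope {
    param([Parameter(Mandatory)] [string] $ResourceUrl)
    try {
        # Silent acquisition from the shared token cache, same path the cmdlets use.
        $token = Get-AzAccessToken -ResourceUrl $ResourceUrl -ErrorAction Stop
        [pscustomobject]@{
            Resource  = $ResourceUrl
            Acquired  = $true
            ExpiresOn = $token.ExpiresOn
            AadError  = $null
        }
    }
    catch {
        [pscustomobject]@{
            Resource  = $ResourceUrl
            Acquired  = $false
            ExpiresOn = $null
            AadError  = Get-AadErrorCode -Exception $_.Exception
        }
    }
}

$ctx = Get-AzContext
if (-not $ctx) {
    Connect-AzAccount | Out-Null
    $ctx = Get-AzContext
}

# Control plane: Get-AzKeyVault talks to ARM (ResourceManagerUrl of the current cloud).
# Data plane: Get-AzKeyVaultSecret requests scope https://vault.azure.net/.default.
$probes = @(
    $ctx.Environment.ResourceManagerUrl,
    'https://vault.azure.net'
)
$results = $probes | ForEach-Object { Test-AzTokenScope -ResourceUrl $_ }
$results | Format-Table -AutoSize

$dataPlane = $results | Where-Object Resource -eq 'https://vault.azure.net'
if (-not $dataPlane.Acquired -and $dataPlane.AadError -eq 'AADSTS530003') {
    Write-Warning ('Key Vault data-plane token blocked by a device-compliance ' +
        'Conditional Access policy; the vault object is still reachable via ARM.')
}
```

If the table shows the ARM token acquired and the vault.azure.net token rejected with AADSTS530003, the behaviour matches this issue: a Conditional Access policy scoped to the Azure Key Vault cloud app requiring a managed device, which does not affect ARM or Blob Storage. Clearing the cached entry (Disconnect-AzAccount, then Connect-AzAccount) will not help, since the policy is evaluated on every refresh-token exchange; the fix is on the policy or the device, as the maintainer's reply says.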