Azure / azure-powershell

Microsoft Azure PowerShell

Could not find tenant id for provided tenant domain. Please ensure that the provided service principal is found in the provided tenant domain. #24652

Open Jonsey1980 opened 7 months ago

Jonsey1980 commented 7 months ago

Description

Using Connect-AzAccount with a service principal, with the code below:

$clientSecret = '{Secret}' | ConvertTo-SecureString -AsPlainText -Force
$connectCreds = New-Object -TypeName System.Management.Automation.PSCredential `
-ArgumentList '{SPN ID}', $clientSecret
Connect-AzAccount -ServicePrincipal -Credential $connectCreds -Tenant '{tenant id}'

This works on one server but fails on another; we are unable to diagnose why. Versions:

error message

Connect-AzAccount : ClientSecretCredential authentication failed: Retry failed after 4 tries. Retry settings can be adjusted in ClientOptions.Retry or by configuring a custom retry policy in ClientOptions.RetryPolicy. Could not find tenant id for provided tenant domain '{tenantID}'. Please ensure that the provided service principal '{{SPN ID}' is found in the provided tenant domain. At line:15 char:1

ErrorRecord    : Run Connect-AzAccount to login.
Message        : Run Connect-AzAccount to login.
Data           : {}
InnerException :
TargetSite     : Void HandleException(System.Runtime.ExceptionServices.ExceptionDispatchInfo)
StackTrace     :    at Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.ResourceManagerCmdletBase.HandleException(ExceptionDispatchInfo capturedException)
                    at Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.ResourceManagerCmdletBase.ExecuteCmdlet()
                    at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
HelpLink       :
Source         : Microsoft.Azure.PowerShell.Cmdlets.ResourceManager
HResult        : -2146233079

Issue script & Debug output

DEBUG: Request [31c393df-c813-4ba8-9df5-94ecde422400] exception Azure.RequestFailedException: An error occurred while sending the request. ---> System.Net.Http.HttpRequestException: An error 
occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.ComponentModel.Win32Exception: T
he client and server cannot communicate, because they do not possess a common algorithm
   at System.Net.SSPIWrapper.AcquireCredentialsHandle(SSPIInterface SecModule, String package, CredentialUse intent, SecureCredential scc)
   at System.Net.Security.SecureChannel.AcquireCredentialsHandle(CredentialUse credUsage, SecureCredential& secureCredential)
   at System.Net.Security.SecureChannel.AcquireClientCredentials(Byte[]& thumbPrint)
   at System.Net.Security.SecureChannel.GenerateToken(Byte[] input, Int32 offset, Int32 count, Byte[]& output)
   at System.Net.Security.SecureChannel.NextMessage(Byte[] incoming, Int32 offset, Int32 count)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
   at System.Net.TlsStream.BeginWrite(Byte[] buffer, Int32 offset, Int32 size, AsyncCallback asyncCallback, Object asyncState)
   at System.Net.ConnectStream.WriteHeaders(Boolean async)
   --- End of inner exception stack trace ---
   at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
   at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
   --- End of inner exception stack trace ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Azure.Core.Pipeline.HttpClientTransport.<ProcessAsync>d__12.MoveNext()
   --- End of inner exception stack trace ---
   at Azure.Core.Pipeline.HttpClientTransport.<ProcessAsync>d__12.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Azure.Core.Pipeline.HttpPipelineTransportPolicy.<ProcessAsync>d__4.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Azure.Core.Pipeline.ResponseBodyPolicy.<ProcessAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Azure.Core.Pipeline.LoggingPolicy.<ProcessAsync>d__9.MoveNext()

Environment data

Name                           Value                                                                                                                                                          
----                           -----                                                                                                                                                          
PSVersion                      5.1.14393.6343                                                                                                                                                 
PSEdition                      Desktop                                                                                                                                                        
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}                                                                                                                                        
BuildVersion                   10.0.14393.6343                                                                                                                                                
CLRVersion                     4.0.30319.42000                                                                                                                                                
WSManStackVersion              3.0                                                                                                                                                            
PSRemotingProtocolVersion      2.3                                                                                                                                                            
SerializationVersion           1.1.0.1

Module versions

Az = 11.5.0
Az.Accounts = 2.17.0
Az.Resources = 6.16.1
Az.Network = 7.4.1
Az.Compute = 7.2.0

Error output

Message        : The client and server cannot communicate, because they do not possess a common algorithm
StackTrace     :    at System.Net.SSPIWrapper.AcquireCredentialsHandle(SSPIInterface SecModule, String package, CredentialUse intent, SecureCredential scc)
                    at System.Net.Security.SecureChannel.AcquireCredentialsHandle(CredentialUse credUsage, SecureCredential& secureCredential)
                    at System.Net.Security.SecureChannel.AcquireClientCredentials(Byte[]& thumbPrint)
                    at System.Net.Security.SecureChannel.GenerateToken(Byte[] input, Int32 offset, Int32 count, Byte[]& output)
                    at System.Net.Security.SecureChannel.NextMessage(Byte[] incoming, Int32 offset, Int32 count)
                    at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
                    at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
                    at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
                    at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
                    at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
                    at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
                    at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
                    at System.Net.TlsStream.BeginWrite(Byte[] buffer, Int32 offset, Int32 size, AsyncCallback asyncCallback, Object asyncState)
                    at System.Net.ConnectStream.WriteHeaders(Boolean async)
Exception      : System.ComponentModel.Win32Exception
InvocationInfo : {Connect-AzAccount}
Line           : Connect-AzAccount -ServicePrincipal -Credential $connectCreds -Tenant 'f009f285-5242-433a-9365-daa1edf145c3'

Position       : At line:43 char:1
                 + Connect-AzAccount -ServicePrincipal -Credential $connectCreds -Tenant ...
                 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId      : 1

TLS 1.1 and TLS 1.2 are enabled on the server
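The innermost exception in the report above is a Schannel failure in AcquireCredentialsHandle ("do not possess a common algorithm"), raised before any tenant lookup happens, so on Windows PowerShell 5.1 / .NET Framework the protocols the two servers are willing to offer are the first thing to compare. The script below is an added diagnostic example, not code from this issue or from the Az module. It reads the Schannel per-protocol client keys and the .NET Framework SchUseStrongCrypto / SystemDefaultTlsVersions switches (both real registry locations) together with the running process's ServicePointManager.SecurityProtocol, and emits one object per host. The CSV file names and the Compare-TlsClientConfig helper are assumptions added for illustration; run Get-TlsClientConfig on the working and the failing server and diff the two results.

```powershell
# Added diagnostic example (not from the issue or the Az module): collect the settings
# that decide which TLS versions a Windows PowerShell 5.1 / .NET Framework process offers,
# so a working and a failing server can be compared side by side.
function Get-TlsClientConfig {
    [CmdletBinding()]
    param()

    $schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    $report = [ordered]@{
        ComputerName     = $env:COMPUTERNAME
        PSVersion        = $PSVersionTable.PSVersion.ToString()
        # Protocols this process will offer right now. Older .NET Framework defaults do not
        # include Tls12 unless the strong-crypto switches below are set.
        ProcessProtocols = [Net.ServicePointManager]::SecurityProtocol.ToString()
    }

    # Per-protocol Schannel client switches ('(not set)' means the OS default applies).
    foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $client = Join-Path $schannel "$proto\Client"
        $enabled = '(not set)'
        $disabledByDefault = '(not set)'
        if (Test-Path $client) {
            $props = Get-ItemProperty -Path $client
            if ($null -ne $props.Enabled)           { $enabled = $props.Enabled }
            if ($null -ne $props.DisabledByDefault) { $disabledByDefault = $props.DisabledByDefault }
        }
        $report["$proto Client Enabled"]           = $enabled
        $report["$proto Client DisabledByDefault"] = $disabledByDefault
    }

    # .NET Framework strong-crypto switches, 64-bit and 32-bit (Wow6432Node) views.
    foreach ($hive in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                      'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        $label = if ($hive -like '*Wow6432Node*') { 'x86' } else { 'x64' }
        $strong = '(not set)'
        $sysDefault = '(not set)'
        if (Test-Path $hive) {
            $props = Get-ItemProperty -Path $hive
            if ($null -ne $props.SchUseStrongCrypto)       { $strong = $props.SchUseStrongCrypto }
            if ($null -ne $props.SystemDefaultTlsVersions) { $sysDefault = $props.SystemDefaultTlsVersions }
        }
        $report["NET $label SchUseStrongCrypto"]       = $strong
        $report["NET $label SystemDefaultTlsVersions"] = $sysDefault
    }

    [pscustomobject]$report
}

# Assumed workflow: export on each server, copy the CSVs together, then diff them.
#   Get-TlsClientConfig | Export-Csv -NoTypeInformation -Path "tls-$env:COMPUTERNAME.csv"
function Compare-TlsClientConfig {
    param(
        [Parameter(Mandatory)] [string] $WorkingCsv,   # assumed file from the working host
        [Parameter(Mandatory)] [string] $FailingCsv    # assumed file from the failing host
    )
    $a = Import-Csv -Path $WorkingCsv
    $b = Import-Csv -Path $FailingCsv
    foreach ($name in $a.PSObject.Properties.Name) {
        if ($a.$name -ne $b.$name) {
            [pscustomobject]@{ Setting = $name; Working = $a.$name; Failing = $b.$name }
        }
    }
}

# Per-session check that changes nothing on disk: opt this process into TLS 1.2 and
# retry the login. If it then succeeds, the process-level defaults were the difference.
#   [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
#   Connect-AzAccount -ServicePrincipal -Credential $connectCreds -Tenant '{tenant id}'
```

Run the collector on both servers from the same kind of session (Windows PowerShell 5.1, since PSEdition is Desktop in the environment data); a difference in ProcessProtocols or in the TLS 1.2 client keys between the two hosts is what to look at first, before treating the "could not find tenant id" text as a directory problem.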

AzureStackNerd commented 6 months ago

I have had the same issue since this morning using an Azure PowerShell task in Azure DevOps

Connect-AzAccount: /home/vsts/work/_tasks/AzurePowerShell_72a1931b-effb-4d2e-8fd8-f8472a07cb62/5.238.11/InitializeAz.ps1:111
Line |
 111 |      $null = Connect-AzAccount -ServicePrincipal -Tenant $endpointObje …
     |              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | ClientAssertionCredential authentication failed: AADSTS90061: Request to
     | External OIDC endpoint failed. Trace ID:
     | 903c7eca-7598-457d-a199-1753f6b8ca00 Correlation ID:
     | 0d8656dd-3d7f-41dd-899f-c62e7e055118 Timestamp: 2024-05-01 08:26:48Z
     | Could not find tenant id for provided tenant domain
     | 'xxxxxxxx-xxxx-0000-0000-xxxxxxxxxxxxx'

Re-created the service connection (with workload identity (automatic)), just to make sure. But that did not help.

It was working fine yesterday

Makzemann commented 6 months ago

Exact same issue on our side, was working fine yesterday

xcITs-Xian commented 6 months ago

More or less the same issue here since this morning (May 1st 2024). For us it is happening in an Azure DevOps PowerShell task (Azure PowerShell 5.*) during deployment. Yesterday everything was fine; the deployment ran several times without issues. Since today it is always the same error. Nothing was changed in DevOps since yesterday.

2024-05-01T11:36:52.6226881Z VERBOSE: Command [Connect-AzAccount] failed the maximum number of 5 times.
2024-05-01T11:36:52.7452685Z ##[error]AADSTS50166: Request to External OIDC endpoint failed. Trace ID: bc766619-5c69-4b24-b49d-9905bdfc4400 Correlation ID: 42cdd13a-028c-421d-baa5-19f540815535 Timestamp: 2024-05-01 11:36:54Z
Could not find tenant id for provided tenant domain 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx'. 
2024-05-01T11:36:52.8173333Z ##[error]PowerShell exited with code '1'.

xcITs-Xian commented 6 months ago

MS is working on it: https://status.dev.azure.com/_event/499193080

AstridMalanka01 commented 5 months ago

Good morning, any update?

JonathonAnderson commented 4 months ago

Still having this issue