Azure / azure-powershell

Microsoft Azure PowerShell

Get-AzTenant and Get-AzContext not returning tenant name when connecting with a serviceprincipal #24729

Open syspro-chrisvogt opened 4 months ago

syspro-chrisvogt commented 4 months ago

Description

Get-AzTenant and Get-AzContext do not return the tenant name when connecting with a service principal. This is similar to the issues reported in #10767, #20075, and #22887.

I am logging this separately as #22887 has this listed as a feature request, but I believe this to be a bug for three reasons:

  1. When connecting using other methods (e.g. interactive logon) with the same permissions applied, the tenant information is returned as expected.
  2. Get-AzContext is also not returning the tenant name.
  3. There isn't a way that I can see to retrieve the tenant name.

Issue script & Debug output

PS C:\Users\ChrisV> Get-AzTenant -TenantId $tenantId -Debug | Out-File C:\Users\ChrisV\Downloads\aztenant.txt
DEBUG: 17:47:08 - GetAzureRMTenantCommand begin processing with ParameterSet '__AllParameterSets'.
DEBUG: 17:47:08 - using account id 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa'...
DEBUG: 17:47:08 - [ConfigManager] Got [False] from [DisplayBreakingChangeWarning], Module = [], Cmdlet = [].
DEBUG: 17:47:08 - [ConfigManager] Got nothing from [DisableInstanceDiscovery], Module = [], Cmdlet = []. Returning default value [False].
DEBUG: 17:47:08 - [ServicePrincipalAuthenticator] Calling ClientSecretCredential.GetTokenAsync - ApplicationId:'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', TenantId:'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb', Scopes:'https://management.core.windows.net//.default', AuthorityHost:'https://login.microsoftonline.com/'
DEBUG: ClientSecretCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:
DEBUG: False MSAL 4.56.0.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-04-23 15:47:08Z - ccccccc-cccc-cccc-cccc-cccccccccccc] MSAL MSAL.CoreCLR with assembly version '4.56.0.0'. CorrelationId(ccccccc-cccc-cccc-cccc-cccccccccccc)
DEBUG: False MSAL 4.56.0.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-04-23 15:47:08Z - ccccccc-cccc-cccc-cccc-cccccccccccc] === AcquireTokenForClientParameters ===
SendX5C: False
ForceRefresh: False

DEBUG: False MSAL 4.56.0.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-04-23 15:47:08Z - ccccccc-cccc-cccc-cccc-cccccccccccc]
=== Request Data ===
Authority Provided? - True
Scopes - https://management.core.windows.net//.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenForClient
IsConfidentialClient - True
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - ccccccc-cccc-cccc-cccc-cccccccccccc
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:

DEBUG: False MSAL 4.56.0.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-04-23 15:47:08Z - ccccccc-cccc-cccc-cccc-cccccccccccc] === Token Acquisition (ClientCredentialRequest) started:
         Scopes: https://management.core.windows.net//.default
        Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.56.0.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-04-23 15:47:08Z - ccccccc-cccc-cccc-cccc-cccccccccccc] [Instance Discovery] Instance discovery is enabled and will be performed
DEBUG: False MSAL 4.56.0.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-04-23 15:47:08Z - ccccccc-cccc-cccc-cccc-cccccccccccc] [Region discovery] Not using a regional authority.
DEBUG: Request [dddddddd-dddd-dddd-dddd-dddddddddddd] POST https://login.microsoftonline.com/bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb/oauth2/v2.0/token
x-client-SKU:REDACTED
x-client-Ver:REDACTED
x-client-CPU:REDACTED
x-client-OS:REDACTED
x-client-current-telemetry:REDACTED
x-client-last-telemetry:REDACTED
x-ms-lib-capability:REDACTED
client-request-id:REDACTED
return-client-request-id:REDACTED
x-app-name:REDACTED
x-app-ver:REDACTED
Content-Type:application/x-www-form-urlencoded
x-ms-client-request-id:dddddddd-dddd-dddd-dddd-dddddddddddd
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Identity/1.10.3 (.NET 8.0.4; Microsoft Windows 10.0.22631)
client assembly: Azure.Identity
DEBUG: Response [dddddddd-dddd-dddd-dddd-dddddddddddd] 200 OK (00.8s)
Cache-Control:no-store, no-cache
Pragma:no-cache
Strict-Transport-Security:REDACTED
X-Content-Type-Options:REDACTED
P3P:REDACTED
client-request-id:REDACTED
x-ms-request-id:eeeeeeee-eeee-eeee-eeee-eeeeeeeeeeee
x-ms-ests-server:REDACTED
x-ms-clitelem:REDACTED
x-ms-srs:REDACTED
X-XSS-Protection:REDACTED
Set-Cookie:REDACTED
Date:Tue, 23 Apr 2024 15:47:09 GMT
Content-Type:application/json; charset=utf-8
Expires:-1
Content-Length:1473

DEBUG: False MSAL 4.56.0.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-04-23 15:47:09Z - ccccccc-cccc-cccc-cccc-cccccccccccc] ScopeSet was missing from the token response, so using developer provided scopes in the result.
DEBUG: False MSAL 4.56.0.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-04-23 15:47:09Z - ccccccc-cccc-cccc-cccc-cccccccccccc] Checking client info returned from the server..
DEBUG: False MSAL 4.56.0.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-04-23 15:47:09Z - ccccccc-cccc-cccc-cccc-cccccccccccc] Saving token response to cache..
DEBUG: False MSAL 4.56.0.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-04-23 15:47:09Z - ccccccc-cccc-cccc-cccc-cccccccccccc] [SaveTokenResponseAsync] ID Token not present in response.
DEBUG: False MSAL 4.56.0.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-04-23 15:47:09Z - ccccccc-cccc-cccc-cccc-cccccccccccc] Cannot determine home account id - or id token or no client info and no subject
DEBUG: False MSAL 4.56.0.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-04-23 15:47:09Z - ccccccc-cccc-cccc-cccc-cccccccccccc] [SaveTokenResponseAsync] Saving AT in cache and removing overlapping ATs...
DEBUG: False MSAL 4.56.0.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-04-23 15:47:09Z - ccccccc-cccc-cccc-cccc-cccccccccccc] Looking for scopes for the authority in the cache which intersect with https://management.core.windows.net//.default
DEBUG: False MSAL 4.56.0.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-04-23 15:47:09Z - ccccccc-cccc-cccc-cccc-cccccccccccc] Intersecting scope entries count - 0
DEBUG: False MSAL 4.56.0.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-04-23 15:47:09Z - ccccccc-cccc-cccc-cccc-cccccccccccc]
        === Token Acquisition finished successfully:
DEBUG: False MSAL 4.56.0.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-04-23 15:47:09Z - ccccccc-cccc-cccc-cccc-cccccccccccc]  AT expiration time: 2024/04/23 16:47:08 +00:00, scopes: https://management.core.windows.net//.default. source: IdentityProvider
DEBUG: False MSAL 4.56.0.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-04-23 15:47:09Z - ccccccc-cccc-cccc-cccc-cccccccccccc] Fetched access token from host login.microsoftonline.com.
DEBUG: ClientSecretCredential.GetToken succeeded. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:  ExpiresOn: 2024-04-23T16:47:08.7446605+00:00
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.azure.com/tenants?api-version=2021-01-01

Headers:
Accept-Language               : en-US
x-ms-client-request-id        : ffffffff-ffff-ffff-ffff-ffffffffffff

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Cache-Control                 : no-cache
Pragma                        : no-cache
x-ms-ratelimit-remaining-tenant-reads: 11999
x-ms-request-id               : gggggggg-gggg-gggg-gggg-gggggggggggg
x-ms-correlation-request-id   : gggggggg-gggg-gggg-gggg-gggggggggggg
x-ms-routing-request-id       : SOUTHAFRICAWEST:20240423T154713Z:gggggggg-gggg-gggg-gggg-gggggggggggg
Strict-Transport-Security     : max-age=31536000; includeSubDomains
X-Content-Type-Options        : nosniff
X-Cache                       : CONFIG_NOCACHE
X-MSEdge-Ref                  : Ref A: HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH Ref B: IIIIIIIIIIIIIII Ref C: 2024-04-23T15:47:13Z
Date                          : Tue, 23 Apr 2024 15:47:12 GMT

Body:
{
  "value": [
    {
      "id": "/tenants/bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
      "tenantId": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
      "tenantCategory": "Home"
    }
  ]
}

DEBUG: 17:47:13 - [ConfigManager] Got nothing from [DisplaySecretsWarning], Module = [], Cmdlet = []. Returning default value [False].
DEBUG: 17:47:13 - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 17:47:13 - [ConfigManager] Got nothing from [CheckForUpgrade], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent:  Module: Az.Accounts:2.17.0; CommandName: Get-AzTenant; PSVersion: 7.4.2; IsSuccess: True; Duration: 00:00:04.5390424
DEBUG: 17:47:13 - [ConfigManager] Got [True] from [EnableDataCollection], Module = [], Cmdlet = [].
DEBUG: 17:47:13 - GetAzureRMTenantCommand end processing.

PS C:\Users\ChrisV> Get-AzContext -Debug
DEBUG: 18:05:32 - GetAzureRMContextCommand begin processing with ParameterSet 'GetSingleContext'.
DEBUG: 18:05:32 - [ConfigManager] Got [False] from [DisplayBreakingChangeWarning], Module = [], Cmdlet = [].
DEBUG: 18:05:32 - [ConfigManager] Got nothing from [DisplaySecretsWarning], Module = [], Cmdlet = []. Returning default value [False].

DEBUG: 18:05:32 - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 18:05:32 - [ConfigManager] Got nothing from [CheckForUpgrade], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent:  Module: Az.Accounts:2.17.0; CommandName: Get-AzContext; PSVersion: 7.4.2; IsSuccess: True; Duration: 00:00:00.0037242
DEBUG: 18:05:32 - [ConfigManager] Got [True] from [EnableDataCollection], Module = [], Cmdlet = [].
DEBUG: 18:05:32 - GetAzureRMContextCommand end processing.
   Tenant: bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb

SubscriptionName SubscriptionId Account                              Environment
---------------- -------------- -------                              -----------
                                jjjjjjjj-jjjj-jjjj-jjjj-jjjjjjjjjjjj AzureCloud

Environment data

PS C:\Users\ChrisV> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      7.4.2
PSEdition                      Core
GitCommitId                    7.4.2
OS                             Microsoft Windows 10.0.22631
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

PS C:\Users\ChrisV> Get-Module Az.Accounts

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     2.17.0                Az.Accounts                         {Add-AzEnvironment, Clear-AzConfig, Clear-AzConte…

Error output

No error

isra-fel commented 4 months ago

@BethanyZhou please check if this is a limitation of the Entra ID APIs.

BethanyZhou commented 4 months ago

Hi @syspro-chrisvogt , thanks for reaching out to us.

> When connecting using other methods (e.g. interactive logon) with the same permissions applied then the tenant information is returned as expected. Get-AzContext is also not returning the tenant name
>
> There isn't a way that I can see to retrieve the tenant name

DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.azure.com/tenants?api-version=2021-01-01

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Body:
{
  "value": [
    {
      "id": "/tenants/xxxxxxx",
      "tenantId": "xxxxxxx",
      "tenantCategory": "Home"
    }
  ]
}

syspro-chrisvogt commented 4 months ago

Hi @BethanyZhou

> The detailed information of tenants will not be retrieved during the process of executing Connect-AzAccount if tenantId is provided. That's why the tenant name is missing in the result of Get-AzContext. The behavior is expected and consistent for different login flows, including interactive login.

If I connect interactively, specifying the tenant ID, then when using Get-AzTenant, it returns the list of tenants I have access to. If I need to do something with one of the other tenants, I do need to authenticate still, but at least I can see the list of tenants and, at a minimum, the current tenant's name.

If I connect using a service principal and specify the tenant ID (with access to the same tenants and the same level of permissions/role assignments as the user mentioned above), then Get-AzTenant only returns the current tenant but does not include the tenant name.

I've re-tested the Get-AzContext bit and see that the tenant name is not returned, regardless of the login method used.

My current use case is that I am trying to return the list of reservations expiring within a certain number of days. Unfortunately you have to connect to each tenant to do this and cannot use Lighthouse. What I have written thus far gets the list of tenants (dynamically) and returns this information from each tenant. With Get-AzTenant not returning the list of "available" tenants, I will need to hardcode or look this up elsewhere, and this lookup (wherever it is) will now need to be maintained too. By extension, for reporting purposes, because it does not return the name, the output is not in a user-friendly format. Again, this can be looked up elsewhere... this just means, though, that things can be missed.
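One way to keep the per-tenant report from silently losing tenants when names are missing, as an added example that is not part of the issue or of the Az module: normalise the body of the `/tenants` call shown in the debug output, fall back to a maintained name map for tenants the API returns without a display name, and flag whatever is still unresolved. The JSON sample, the `$knownTenants` map and the `Resolve-TenantName` function are all constructed for this example.

```powershell
# Added example, not from the issue or the Az module: normalise the
# Tenants - List response shown above and fall back to a maintained name
# map when the API returns no display name, flagging what is still unresolved.

# Constructed sample: the shape from the issue (no displayName) plus one
# tenant carrying a displayName, as described for the interactive login,
# and one that neither the API nor the map can name.
$tenantsJson = @'
{
  "value": [
    { "id": "/tenants/bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb", "tenantId": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb", "tenantCategory": "Home" },
    { "id": "/tenants/11111111-1111-1111-1111-111111111111", "tenantId": "11111111-1111-1111-1111-111111111111", "tenantCategory": "ManagedBy", "displayName": "Contoso Ltd" },
    { "id": "/tenants/22222222-2222-2222-2222-222222222222", "tenantId": "22222222-2222-2222-2222-222222222222", "tenantCategory": "ManagedBy" }
  ]
}
'@

# Maintained lookup (constructed); this is the "look it up elsewhere" table
# the issue mentions, and it has to be kept in sync by hand.
$knownTenants = @{ 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb' = 'Fabrikam Home' }

function Resolve-TenantName {
    param(
        [Parameter(Mandatory)] [string] $TenantsJson,
        [hashtable] $NameMap = @{}
    )
    foreach ($t in (ConvertFrom-Json $TenantsJson).value) {
        # displayName is absent (so $null) in the service-principal response
        $name = $t.displayName; $source = 'api'
        if ([string]::IsNullOrEmpty($name) -and $NameMap.ContainsKey($t.tenantId)) {
            $name = $NameMap[$t.tenantId]; $source = 'lookup'
        }
        if ([string]::IsNullOrEmpty($name)) { $name = $t.tenantId; $source = 'unresolved' }
        [pscustomobject]@{
            TenantId = $t.tenantId
            Name     = $name
            Category = $t.tenantCategory
            Source   = $source   # api | lookup | unresolved
        }
    }
}

$resolved = Resolve-TenantName -TenantsJson $tenantsJson -NameMap $knownTenants
$resolved | Format-Table -AutoSize
# Fail loudly rather than letting an unnamed tenant slip through the report.
$missing = @($resolved | Where-Object Source -eq 'unresolved')
if ($missing.Count) { Write-Warning "Unnamed tenants: $($missing.TenantId -join ', ')" }
```

In the constructed sample the first tenant is named from the map, the second from the API, and the third is reported as unresolved so the gap is visible instead of silently missed.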