Azure / azure-powershell

Microsoft Azure PowerShell

Get-AzAccessToken failed #24963

Open NathOsull opened 1 month ago

NathOsull commented 1 month ago

Description

When trying to get access tokens I can no longer use the create token.

Issue script & Debug output

DEBUG: 18:32:43 - [ConfigManager] Got nothing from [DisplaySecretsWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 18:32:43 - GetAzureRmAccessTokenCommand begin processing with ParameterSet 'KnownResourceTypeName'.
DEBUG: 18:32:43 - using account id 'nathan@XXX'...
DEBUG: 18:32:43 - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 18:32:43 - [ConfigManager] Got nothing from [DisableInstanceDiscovery], Module = [], Cmdlet = []. Returning default value [False].
DEBUG: 18:32:43 - [ConfigManager] Got nothing from [EnableLoginByWam], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 18:32:43 - [SilentAuthenticator] Calling SharedTokenCacheCredential.GetTokenAsync - TenantId:'d867b73d-xxxx-48df-9439-xxxxxxxxxxxx', Scopes:'https://management.core.windows.net//.default',
AuthorityHost:'https://login.microsoftonline.com/', UserId:'nathan@XXX'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398  [2024-05-21 16:32:43Z - cd4f2a99-e83b-491e-9c52-bf32f45d27fd] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398  [2024-05-21 16:32:43Z - cd4f2a99-e83b-491e-9c52-bf32f45d27fd] [Region discovery] Not using a
regional authority.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398  [2024-05-21 16:32:43Z - cd4f2a99-e83b-491e-9c52-bf32f45d27fd] [Region discovery] Not using a
regional authority.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398  [2024-05-21 16:32:43Z - cd4f2a99-e83b-491e-9c52-bf32f45d27fd] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398  [2024-05-21 16:32:43Z - cd4f2a99-e83b-491e-9c52-bf32f45d27fd] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398  [2024-05-21 16:32:43Z] [Runtime] WAM supported OS.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398  [2024-05-21 16:32:43Z] [RuntimeBroker] ListWindowsWorkAndSchoolAccounts option was not enabled.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398  [2024-05-21 16:32:43Z - dabc6a20-9023-4299-8a67-70802566cbf9] [Region discovery] Not using a
regional authority.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398  [2024-05-21 16:32:43Z] Found 1 cache accounts and 0 broker accounts
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398  [2024-05-21 16:32:43Z] Returning 1 accounts
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398  [2024-05-21 16:32:43Z - 86a5c9df-ebff-4735-a2bc-e25d8c1a49e3] MSAL MSAL.CoreCLR with assembly
version '4.60.3.0'. CorrelationId(86a5c9df-ebff-4735-a2bc-e25d8c1a49e3)
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398  [2024-05-21 16:32:43Z - 86a5c9df-ebff-4735-a2bc-e25d8c1a49e3] === AcquireTokenSilent Parameters ===
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398  [2024-05-21 16:32:43Z - 86a5c9df-ebff-4735-a2bc-e25d8c1a49e3] LoginHint provided: False
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398  [2024-05-21 16:32:43Z - 86a5c9df-ebff-4735-a2bc-e25d8c1a49e3] Account provided: True
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398  [2024-05-21 16:32:43Z - 86a5c9df-ebff-4735-a2bc-e25d8c1a49e3] ForceRefresh: False
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398  [2024-05-21 16:32:43Z - 86a5c9df-ebff-4735-a2bc-e25d8c1a49e3]
=== Request Data ===
Authority Provided? - True
Scopes - https://management.core.windows.net//.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - True
HomeAccountId - False
CorrelationId - 86a5c9df-ebff-4735-a2bc-e25d8c1a49e3
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398  [2024-05-21 16:32:43Z - 86a5c9df-ebff-4735-a2bc-e25d8c1a49e3] === Token Acquisition (SilentRequest)
started:
  Scopes: https://management.core.windows.net//.default
 Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398  [2024-05-21 16:32:43Z - 86a5c9df-ebff-4735-a2bc-e25d8c1a49e3] Broker is configured and enabled,
attempting to use broker instead.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398  [2024-05-21 16:32:43Z] [Runtime] WAM supported OS.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398  [2024-05-21 16:32:43Z - 86a5c9df-ebff-4735-a2bc-e25d8c1a49e3] Can invoke broker. Will attempt to
acquire token with broker.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398  [2024-05-21 16:32:43Z] [MSAL:0003] WARNING SetAuthorityString:98 Initializing authority from string
'https://login.microsoftonline.com/d867b73d-xxxx-48df-9439-xxxxxxxxxxxx/' without authority type, defaulting to MsSts
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398  [2024-05-21 16:32:43Z] [MSAL:0014] ERROR   ErrorInternalImpl:134 Created an error: 5vt4a,
StatusInternal::AccountNotFound, InternalEvent::None, Error Code 0, Context 'Account with id '(pii)' not found'
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398  [2024-05-21 16:32:43Z] [MSAL:0014] INFO    LogTelemetryData:393 Printing Telemetry for Correlation
ID: 86a5c9df-ebff-4735-a2bc-e25d8c1a49e3
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398  [2024-05-21 16:32:43Z] [MSAL:0014] INFO    LogTelemetryData:401 Key: start_time, Value:
2024-05-21T16:32:43.000Z
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398  [2024-05-21 16:32:43Z] [MSAL:0014] INFO    LogTelemetryData:401 Key: api_name, Value:
ReadAccountById
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398  [2024-05-21 16:32:43Z] [MSAL:0014] INFO    LogTelemetryData:401 Key: was_request_throttled, Value:
false
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398  [2024-05-21 16:32:43Z] [MSAL:0014] INFO    LogTelemetryData:401 Key: authority_type, Value: Unknown
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398  [2024-05-21 16:32:43Z] [MSAL:0014] INFO    LogTelemetryData:401 Key: msal_version, Value:
1.1.0+local
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398  [2024-05-21 16:32:43Z] [MSAL:0014] INFO    LogTelemetryData:401 Key: correlation_id, Value:
86a5c9df-ebff-4735-a2bc-e25d8c1a49e3
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398  [2024-05-21 16:32:43Z] [MSAL:0014] INFO    LogTelemetryData:401 Key: broker_app_used, Value: false
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398  [2024-05-21 16:32:43Z] [MSAL:0014] INFO    LogTelemetryData:401 Key: stop_time, Value:
2024-05-21T16:32:43.000Z
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398  [2024-05-21 16:32:43Z] [MSAL:0014] INFO    LogTelemetryData:401 Key: all_error_tags, Value: 5vt4a
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398  [2024-05-21 16:32:43Z] [MSAL:0014] INFO    LogTelemetryData:401 Key: msalruntime_version, Value:
0.16.0
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398  [2024-05-21 16:32:43Z] [MSAL:0014] INFO    LogTelemetryData:401 Key: api_error_code, Value: 0
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398  [2024-05-21 16:32:43Z] [MSAL:0014] INFO    LogTelemetryData:401 Key: api_error_tag, Value: 5vt4a
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398  [2024-05-21 16:32:43Z] [MSAL:0014] INFO    LogTelemetryData:401 Key: api_status_code, Value:
StatusInternal::AccountNotFound
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398  [2024-05-21 16:32:43Z] [MSAL:0014] INFO    LogTelemetryData:401 Key: api_error_context, Value:
Account with id '(pii)' not found
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398  [2024-05-21 16:32:43Z] [MSAL:0014] INFO    LogTelemetryData:401 Key: is_successful, Value: false
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398  [2024-05-21 16:32:43Z] [MSAL:0014] INFO    LogTelemetryData:401 Key: request_duration, Value: 0
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398  [2024-05-21 16:32:43Z] [RuntimeBroker] Could not find a WAM account for the selected user. Error:
Status: AccountNotFound
Context: Account with id '(pii)' not found
Tag: 0x1f553780
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398  [2024-05-21 16:32:43Z - 86a5c9df-ebff-4735-a2bc-e25d8c1a49e3] Exception type:
Microsoft.Identity.Client.MsalUiRequiredException
, ErrorCode: wam_no_account_for_id
HTTP StatusCode 0
CorrelationId 86a5c9df-ebff-4735-a2bc-e25d8c1a49e3
To see full exception details, enable PII Logging. See https://aka.ms/msal-net-logging
   at Microsoft.Identity.Client.Internal.Requests.Silent.SilentRequest.<ExecuteAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Identity.Client.Utils.StopwatchService.<MeasureCodeBlockAsync>d__4.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.<RunAsync>d__11.MoveNext()
DEBUG: SharedTokenCacheCredential.GetToken was unable to retrieve an access token. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:  Exception:
Azure.Identity.CredentialUnavailableException (0x80131500): SharedTokenCacheCredential authentication unavailable. Token acquisition failed for user xxxx@xxxxxxxx. Ensure that you have
authenticated with a developer tool that supports Azure single sign on.
 ---> Microsoft.Identity.Client.MsalUiRequiredException (0x80131500): Could not find a WAM account for the selected user. Error: Status: AccountNotFound
Context: Account with id '(pii)' not found
Tag: 0x1f553780
DEBUG: 18:32:43 - [ConfigManager] Got nothing from [EnableErrorRecordsPersistence], Module = [], Cmdlet = []. Returning default value [False].
Get-AzAccessToken : Authentication failed against tenant d867b73d-xxxx-48df-9439-xxxxxxxxxxxx. User interaction is required. This may be due to the conditional access policy settings such as
multi-factor authentication (MFA). If you need to access subscriptions in that tenant, please rerun 'Connect-AzAccount' with additional parameter '-TenantId XXX'.
At line:1 char:14
+ $ARMtoken = (Get-AzAccessToken).Token
+              ~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Get-AzAccessToken], AzPSAuthenticationFailedException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Profile.GetAzureRmAccessTokenCommand

DEBUG: 18:32:43 - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 18:32:43 - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 18:32:43 - [ConfigManager] Got nothing from [CheckForUpgrade], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent:  Module: Az.Accounts:3.0.0; CommandName: Get-AzAccessToken; PSVersion: 5.1.25398.469; IsSuccess: False; Duration: 00:00:00.2253026; SanitizeDuration: 00:00:00; Exception:
Authentication failed against tenant d867b73d-xxxx-48df-9439-xxxxxxxxxxxx. User interaction is required. This may be due to the conditional access policy settings such as multi-factor
authentication (MFA). If you need to access subscriptions in that tenant, please rerun 'Connect-AzAccount' with additional parameter '-TenantId XXX'.;
DEBUG: 18:32:43 - [ConfigManager] Got nothing from [EnableDataCollection], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 18:32:43 - GetAzureRmAccessTokenCommand end processing.

Environment data

Name                           Value
----                           -----
PSVersion                      5.1.25398.469
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.25398.469
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Module versions

ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Script     3.0.0      Az.Accounts                         {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Clear-AzDefault...}
Script     0.7.2      Az.ConnectedMachine                 {Connect-AzConnectedMachine, Get-AzConnectedExtensionMetadata, Get-AzConnectedMachine, Get-AzConnectedMachineExtension...}
Manifest   0.2.261... AzSHCI.ARCInstaller                 {Invoke-AzStackHciArcInitialization, Invoke-AzStackHCIDeployment, Invoke-AzStackHCIEnvironmentPreparator, Invoke-AzStackHCIEnvironmentV...
Script     0.0        AzStackHci.AddNode.Helpers          {Test-ADCredential, Test-ClusterNodeName, Test-ComputerName, Test-LocalCredential...}
Script     0.0        AzStackHci.ArcIntegration.Helpers   {Test-ArcAgentNotConnectedToDifferentResource, Test-ExistingArcResources, Test-ExistingHCIResource, Test-IsRegionValid...}
Script     0.0        AzStackHci.Bitlocker.Helpers        Test-BitlockerKeysExist
Script     0.0        AzStackHci.Bootstrap.Helpers
Script     0.0        AzStackHci.ClusterWitness.Helpers   {Test-WitnessCloudStorage, Test-WitnessFileShareWithCredential}
Script     0.0        AzStackHci.Connectivity.Helpers     {Compare-PSObjectArray, ConvertTo-Hashtable, Export-AzStackHciConnectivityTargetToXml, Get-AzStackHciConnectivityOperationName...}
Script     0.0        AzStackHci.EnvironmentChecker.Po... {Get-SslCertificateChain, Install-UtilityModule, Remove-UtilityModule, Test-Elevation}
Script     0.0        AzStackHci.EnvironmentChecker.Re... {Add-AzStackHciEnvJob, Close-AzStackHciEnvJob, Get-AzStackHciEnvironmentCheckerEvents, Get-AzStackHciEnvProgress...}
Script     0.0        AzStackHci.EnvironmentChecker.Ut... {Get-DeploymentData, Get-IsProxyEnabled, Get-TestCount, Get-TestListByFunction...}
Script     0.0        AzStackHci.ExternalActiveDirecto... {Get-ClusterNameFromCommandLineOrConfigFile, Get-ParamFromCommandLineOrConfigFile, Get-PhysicalHostNamesFromCommandLineOrConfigFile, In...
Script     0.0        AzStackHci.ExternalActiveDirecto... {Test-OrganizationalUnit, Test-OrganizationalUnitOnSession}
Script     0.0        AzStackHci.Hardware.Helpers         {Test-Baseboard, Test-FreeSpace, Test-Gpu, Test-MemoryCapacity...}
Script     0.0        AzStackHci.MOCStack.Helpers         {Test-MOCStackCloudAgent, Test-MOCStackClusterNode, Test-MOCStackCPUCore, Test-MOCStackFirewallUrl...}
Script     0.0        AzStackHci.Network.Helpers          {GetMgmtIpRange, IsTcpPortInUse, Test-MgmtIpRange, TestDHCPStatus...}
Script     0.0        AzStackHci.Observability.Helpers    {Test-LogCollection, Test-ObservabilityVolume, Test-RemoteSupport}
Script     0.0        AzStackHci.Ports.Helpers            {Get-AzStackHciPortOperationName, Get-AzStackHciPortServiceName, Get-AzStackHciPortTarget, Import-AzStackHciPortTarget...}
Script     0.0        AzStackHCI.RemoteSupport.Helpers    {Disable-AzStackHciRemoteSupport, Enable-AzStackHciRemoteSupport, Get-AzStackHCIRemoteSupportAccess, Get-AzStackHCIRemoteSupportSession...
Script     0.0        AzStackHci.SBEHealth.Helpers        {Assert-ResponseSchemaValid, Copy-SBEContentLocalToNode, Get-SBEHealthCheckParams, Import-SolutionExtensionModule...}
Script     0.0        AzStackHci.Software.Helpers         {Test-IsNotPartofDomain, Test-LocalGroupEnumeration, Test-NtpServer, Test-OSVersion}
Script     0.0        AzStackHCI.StandaloneObservabili...
Script     0.0        AzStackHci.Storage.Helpers          {GetRequiredInfraVolumeNames, GetRequiredInfraVolumeRawSizeTotalInBytes, Test-HciStoragePool, Test-HciStorageVolumes}

Error output

HistoryId: 68

Message        : Authentication failed against tenant XXX. User interaction is required. This may be due to the conditional access policy settings such as 
                 multi-factor authentication (MFA). If you need to access subscriptions in that tenant, please rerun 'Connect-AzAccount' with additional parameter '-TenantId 
                 XXX'.
StackTrace     :    at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzureAccount account, IAzureEnvironment environment, String tenant, 
                 SecureString password, String promptBehavior, Action`1 promptAction, IAzureTokenCache tokenCache, String resourceId)
                    at Microsoft.Azure.Commands.Profile.GetAzureRmAccessTokenCommand.ExecuteCmdlet()
                    at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
Exception      : Microsoft.Azure.Commands.Common.Exceptions.AzPSAuthenticationFailedException
InvocationInfo : {Get-AzAccessToken}
Line           : $ARMtoken = (Get-AzAccessToken).Token
Position       : At line:1 char:14
                 + $ARMtoken = (Get-AzAccessToken).Token
                 +              ~~~~~~~~~~~~~~~~~
HistoryId      : 68

Message        : SharedTokenCacheCredential authentication unavailable. Token acquisition failed for user nathan@XXX. Ensure that you have authenticated with a developer tool that 
                 supports Azure single sign on.
StackTrace     :    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable)
                    at Azure.Identity.SharedTokenCacheCredential.<GetTokenImplAsync>d__31.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Azure.Identity.SharedTokenCacheCredential.<GetTokenAsync>d__30.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Microsoft.Azure.PowerShell.Authenticators.MsalAccessToken.<GetAccessTokenAsync>d__33.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzureAccount account, IAzureEnvironment environment, String tenant, 
                 SecureString password, String promptBehavior, Action`1 promptAction, IAzureTokenCache tokenCache, String resourceId)
Exception      : Azure.Identity.CredentialUnavailableException
InvocationInfo : {Get-AzAccessToken}
Line           : $ARMtoken = (Get-AzAccessToken).Token
Position       : At line:1 char:14
                 + $ARMtoken = (Get-AzAccessToken).Token
                 +              ~~~~~~~~~~~~~~~~~
HistoryId      : 68

Message        : Could not find a WAM account for the selected user. Error: Status: AccountNotFound
                 Context: Account with id '(pii)' not found
                 Tag: 0x1f553780
StackTrace     :    at Microsoft.Identity.Client.Internal.Requests.Silent.SilentRequest.<ExecuteAsync>d__5.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Microsoft.Identity.Client.Utils.StopwatchService.<MeasureCodeBlockAsync>d__4.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Microsoft.Identity.Client.Internal.Requests.RequestBase.<RunAsync>d__11.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Microsoft.Identity.Client.ApiConfig.Executors.ClientApplicationBaseExecutor.<ExecuteAsync>d__2.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Azure.Identity.AbstractAcquireTokenParameterBuilderExtensions.<ExecuteAsync>d__0`1.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Azure.Identity.MsalPublicClient.<AcquireTokenSilentCoreAsync>d__11.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Azure.Identity.MsalPublicClient.<AcquireTokenSilentAsync>d__10.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Azure.Identity.SharedTokenCacheCredential.<GetTokenImplAsync>d__31.MoveNext()
Exception      : Microsoft.Identity.Client.MsalUiRequiredException
InvocationInfo : {Get-AzAccessToken}
Line           : $ARMtoken = (Get-AzAccessToken).Token
Position       : At line:1 char:14
                 + $ARMtoken = (Get-AzAccessToken).Token
                 +              ~~~~~~~~~~~~~~~~~
HistoryId      : 68

   HistoryId: 64

Message        : Cannot bind argument to parameter 'ArmAccessToken' because it is an empty string.
StackTrace     :    at System.Management.Automation.ParameterBinderBase.ValidateNullOrEmptyArgument(CommandParameterInternal parameter, CompiledCommandParameter parameterMetadata, Type 
                 argumentType, Object parameterValue, Boolean recurseIntoCollections)
                    at System.Management.Automation.ParameterBinderBase.BindParameter(CommandParameterInternal parameter, CompiledCommandParameter parameterMetadata, ParameterBindingFlags flags)
                    at System.Management.Automation.CmdletParameterBinderController.BindParameter(CommandParameterInternal argument, MergedCompiledCommandParameter parameter, 
                 ParameterBindingFlags flags)
                    at System.Management.Automation.CmdletParameterBinderController.BindParameter(UInt32 parameterSets, CommandParameterInternal argument, MergedCompiledCommandParameter 
                 parameter, ParameterBindingFlags flags)
                    at System.Management.Automation.CmdletParameterBinderController.BindParameters(UInt32 parameterSets, Collection`1 arguments)
                    at System.Management.Automation.CmdletParameterBinderController.BindCommandLineParametersNoValidation(Collection`1 arguments)
                    at System.Management.Automation.CmdletParameterBinderController.BindCommandLineParameters(Collection`1 arguments)
                    at System.Management.Automation.CommandProcessor.BindCommandLineParameters()
                    at System.Management.Automation.CommandProcessor.Prepare(IDictionary psDefaultParameterValues)
                    at System.Management.Automation.CommandProcessorBase.DoPrepare(IDictionary psDefaultParameterValues)
                    at System.Management.Automation.Internal.PipelineProcessor.Start(Boolean incomingStream)
                    at System.Management.Automation.Internal.PipelineProcessor.SynchronousExecuteEnumerate(Object input)
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Management.Automation.Internal.PipelineProcessor.SynchronousExecuteEnumerate(Object input)
                    at System.Management.Automation.PipelineOps.InvokePipeline(Object input, Boolean ignoreInput, CommandParameterInternal[][] pipeElements, CommandBaseAst[] pipeElementAsts, 
                 CommandRedirection[][] commandRedirections, FunctionContext funcContext)
                    at System.Management.Automation.Interpreter.ActionCallInstruction`6.Run(InterpretedFrame frame)
                    at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
Exception      : System.Management.Automation.ParameterBindingValidationException
InvocationInfo : {Invoke-AzStackHciArcInitialization}
Line           : Invoke-AzStackHciArcInitialization -SubscriptionID $Subscription -ResourceGroup $RG -TenantID $Tenantid -Region $Region -Cloud "AzureCloud" -ArmAccessToken $ARMtoken -AccountID 
                 $id
Position       : At line:1 char:157
                 + ... -Region $Region -Cloud "AzureCloud" -ArmAccessToken $ARMtoken -Accoun ...
                 +                                                         ~~~~~~~~~
HistoryId      : 64

   HistoryId: 61

Message        : Authentication failed against tenant XXX. User interaction is required. This may be due to the conditional access policy settings such as 
                 multi-factor authentication (MFA). If you need to access subscriptions in that tenant, please rerun 'Connect-AzAccount' with additional parameter '-TenantId 
                 XXX'.
StackTrace     :    at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzureAccount account, IAzureEnvironment environment, String tenant, 
                 SecureString password, String promptBehavior, Action`1 promptAction, IAzureTokenCache tokenCache, String resourceId)
                    at Microsoft.Azure.Commands.Profile.GetAzureRmAccessTokenCommand.ExecuteCmdlet()
                    at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
Exception      : Microsoft.Azure.Commands.Common.Exceptions.AzPSAuthenticationFailedException
InvocationInfo : {Get-AzAccessToken}
Line           : $ARMtoken = (Get-AzAccessToken).Token
Position       : At line:1 char:14
                 + $ARMtoken = (Get-AzAccessToken).Token
                 +              ~~~~~~~~~~~~~~~~~
HistoryId      : 61

Message        : SharedTokenCacheCredential authentication unavailable. Token acquisition failed for user nathan@XXX. Ensure that you have authenticated with a developer tool that 
                 supports Azure single sign on.
StackTrace     :    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable)
                    at Azure.Identity.SharedTokenCacheCredential.<GetTokenImplAsync>d__31.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Azure.Identity.SharedTokenCacheCredential.<GetTokenAsync>d__30.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Microsoft.Azure.PowerShell.Authenticators.MsalAccessToken.<GetAccessTokenAsync>d__33.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzureAccount account, IAzureEnvironment environment, String tenant, 
                 SecureString password, String promptBehavior, Action`1 promptAction, IAzureTokenCache tokenCache, String resourceId)
Exception      : Azure.Identity.CredentialUnavailableException
InvocationInfo : {Get-AzAccessToken}
Line           : $ARMtoken = (Get-AzAccessToken).Token
Position       : At line:1 char:14
                 + $ARMtoken = (Get-AzAccessToken).Token
                 +              ~~~~~~~~~~~~~~~~~
HistoryId      : 61

Message        : Could not find a WAM account for the selected user. Error: Status: AccountNotFound
                 Context: Account with id '(pii)' not found
                 Tag: 0x1f553780
StackTrace     :    at Microsoft.Identity.Client.Internal.Requests.Silent.SilentRequest.<ExecuteAsync>d__5.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at

isra-fel commented 1 month ago

Hey @NathOsull, thanks for reporting. Could you run Connect-AzAccount and then try again? Note that if multi-factor authentication (MFA) is required by your tenant, you need to add -TenantId to Connect-AzAccount.

msJinLei commented 1 month ago

Hi @NathOsull, currently you can work around it in the following ways:

If you are on a Windows system, log in interactively before you run any other Azure PowerShell cmdlets:

Connect-AzAccount

If you have no access to a Windows system with a UI, you can disable WAM temporarily:

Update-AzConfig -EnableLoginByWam $false

gudbrand3 commented 1 month ago

We are experiencing the same error with no change on our side to our PowerShell scripts. It suddenly stopped working, and we are getting a similar error when attempting to get a token after a successful connection with Connect-AzAccount:

Connect-AzAccount -Credential $credential -Tenant $tenantId 
$azContext = Get-AzContext   
Write-Host "Connnected: $($azContext.Account)"
$script:resourceUrl = "https://api.fabric.microsoft.com" 
$script:fabricToken = (Get-AzAccessToken -ResourceUrl $script:resourceUrl).Token

It gives this error:

Get-AzAccessToken: Authentication failed against resource https://api.fabric.microsoft.com. User interaction is required. This may be due to the conditional access policy settings such as multi-factor authentication (MFA). Please rerun 'Connect-AzAccount' with additional parameter '-AuthScope https://api.fabric.microsoft.com'.

We have verified there is no MFA or conditional access policy blocking the credential account. We have also tested with AuthScope, but this makes no difference to the error, and tenantId is already present in Connect-AzAccount as advised.

When running the suggested workaround to disable WAM it works, but this shouldn't be necessary?

Update-AzConfig -EnableLoginByWam $false

As mentioned, this has worked for multiple months and started failing today, which leads us to think a bug has been released in the Az PowerShell module. Any ideas/references? It looks similar to this reported issue as well: #24967

NathOsull commented 1 month ago

I ran this and now it works again

Hi @NathOsull, currently you can work around it by disabling WAM temporarily

Update-AzConfig -EnableLoginByWam $false

Ran this ^^ and all working (thanks by the way) ....what changed within a week?

msJinLei commented 1 month ago

@NathOsull what is the way to Connect-AzAccount before you run Get-AzAccessToken?

@NathOsull @gudbrand3 The issue is due to the change https://learn.microsoft.com/en-us/powershell/azure/release-notes-azureps?view=azps-12.0.0#azaccounts-300

Web Account Manager (WAM) was set as the default experience for interactive login. For more details please refer to https://go.microsoft.com/fwlink/?linkid=2272007

If you logged in with a user authentication flow (username/password, interactive, device code) before, you have to run Connect-AzAccount to log in interactively before you run any other Azure PowerShell cmdlets after you move to Az.Accounts 3.0.0. We are working on a fix for the issue.

To re-enable WAM, please run

Update-azconfig -EnableLoginByWam $true

and then restart the PowerShell session

Check whether WAM is enabled

Get-AzConfig -EnableLoginByWam

If you enable WAM and run Connect-AzAccount interactively but still have an issue running subsequent cmdlets, please let us know. The WAM feature relies greatly on the environment. We developers may not have the same environment as you, so we cannot find the issues easily.
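
The checks discussed in this thread, combined into one diagnostic helper. This is an added example, not code from any participant or from the Az module: `Test-AzTokenAcquisition` is a hypothetical name, and limiting the WAM workaround with `-Scope Process` so it does not persist for the user is an assumption about how you want to apply it.

```powershell
# Added example. Test-AzTokenAcquisition is a hypothetical helper name.
# It reports the state relevant to this issue without ever returning the token itself.
function Test-AzTokenAcquisition {
    [CmdletBinding()]
    param(
        # Optional resource, e.g. the Fabric URL used earlier in the thread.
        [string]$ResourceUrl,
        # Opt in to the thread's workaround, limited to the current process.
        [switch]$DisableWamForProcess
    )

    # Calling an Az.Accounts cmdlet first ensures the module is loaded.
    $wamEnabled = (Get-AzConfig -EnableLoginByWam | Select-Object -First 1).Value
    $module     = Get-Module -Name Az.Accounts | Select-Object -First 1
    $context    = Get-AzContext

    $report = [ordered]@{
        AzAccountsVersion = if ($module) { $module.Version.ToString() } else { 'not loaded' }
        EnableLoginByWam  = $wamEnabled
        Account           = if ($context) { $context.Account.Id } else { $null }
        TokenAcquired     = $false
        ExpiresOn         = $null
        Error             = $null
    }

    if (-not $context) {
        $report.Error = 'No Azure context. Run Connect-AzAccount first.'
        return [pscustomobject]$report
    }

    if ($DisableWamForProcess -and $wamEnabled) {
        # Assumption: Process scope is enough for this session; the thread does not
        # say whether a restart is needed for the change to take effect.
        Update-AzConfig -EnableLoginByWam $false -Scope Process | Out-Null
        $report.EnableLoginByWam = $false
    }

    $tokenArgs = @{ ErrorAction = 'Stop' }
    if ($ResourceUrl) { $tokenArgs.ResourceUrl = $ResourceUrl }

    try {
        $token = Get-AzAccessToken @tokenArgs
        $report.TokenAcquired = $true
        $report.ExpiresOn     = $token.ExpiresOn   # expiry only; the secret is discarded
    } catch {
        $report.Error = $_.Exception.Message
    }
    [pscustomobject]$report
}
```

Run it once as-is to capture the failing state for a bug report, then again with `-DisableWamForProcess` to see whether the WAM setting is the cause in your environment.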

efd7887 commented 1 month ago

Once again my work is stifled by the apparent incompetency of Microsoft developers. Can't just let something be that is actually working. Now we have broken processes and I can hold no one accountable. I mention this in many of my other frustration, disenfranchised fueled responses to issues like this. I don't know where you recruit these developers, but you should really consider your source and employ more thorough vetting against potential candidates. I'm personally getting real tired of getting halfway through developing something just to have it stop working because of poorly socialized, poorly tested and poorly implemented code changes that seem to be almost completely unnecessary. What happened to those developers that would test 100x before implementing and release a solid, working solution? I feel many of the younger generation lack the work ethics, skills and drive to provide the quality work required in the development realm.

This is beyond infuriating. And no, I don't read any responses to these posts (or rarely) because I'm not a narcissist.