Open Jaykul opened 3 months ago
@Jaykul Does the workaround work for you?
This should be a duplicate of the token cache issue. @msJinLei can we close it? Thanks
@Jaykul We originally treated your case as the same failure as the device code flow one. We just received information from the MSAL.net team that they are different. However, we are unable to log in with the user name password flow for now. Could you help to collect the debug log for your case? Thanks
Could you re-enable WAM

Update-AzConfig -EnableLoginByWam $true

and run Connect-AzAccount with the debug option

$null = Connect-AzAccount -Debug -Credential $UserCredential -TenantId $CurrentContext.Tenant -Subscription $CurrentContext.Subscription

and paste the debug log here?
The issue refers to the ROPC flow of WAM, which is different from the device code flow. The same issue is also mentioned in https://github.com/Azure/azure-powershell/issues/24967. Mitigated by Az.Accounts 3.0.1. Rely on Azure.Identity to fix.
Description
Get-AzAccessToken throws an exception (where it used to work), and breaks authentication.
Because of ADO's requirements, we have been using a "normal" user account with MFA disabled, for access to git from AKS (Flux).
We generate a PAT token in an Azure pipeline, by using the (Get-AzAccessToken).Token in an http header ... but in Az.Accounts 3.0.0 it is now throwing this error exception (I zeroed out the GUID) when we try to Get-AzAccessToken:

We ARE calling Connect-AzAccount with all the parameters, the problem is that even though we're logging in with -Credential, Azure still expects to use WAM.

It seems to me that WAM should be disabled for the process when we use the -Credential parameter on Connect-AzAccount.
WORKAROUND:
Manually disable WAM before running anything in the Azure Pipeline...
Issue script & Debug output
Environment data
Module versions
Error output
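
The workaround described in the issue above, sketched as a pipeline step. This is an added example, not code from the issue or from the Az project. The function name `Get-PipelineAuthHeader` and the `AZ_USER`, `AZ_PASS`, `AZ_TENANT` and `AZ_SUBSCRIPTION` environment variables are hypothetical names for pipeline secret variables.

```powershell
# Added example: disable WAM for this process only, then log in with -Credential
# and build an Authorization header from the access token.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Get-PipelineAuthHeader {
    # Hypothetical secret variable names; fail early if the pipeline did not map them.
    foreach ($name in 'AZ_USER', 'AZ_PASS', 'AZ_TENANT', 'AZ_SUBSCRIPTION') {
        if (-not [Environment]::GetEnvironmentVariable($name)) {
            throw "Missing pipeline variable: $name"
        }
    }

    Import-Module Az.Accounts

    # Older Az.Accounts builds have no WAM switch; only touch it where it exists.
    $update = Get-Command Update-AzConfig -ErrorAction SilentlyContinue
    if ($update -and $update.Parameters.ContainsKey('EnableLoginByWam')) {
        # -Scope Process keeps the change out of the agent's persisted user config.
        $null = Update-AzConfig -EnableLoginByWam $false -Scope Process
        if ((Get-AzConfig -EnableLoginByWam).Value) {
            throw 'WAM is still enabled for this process.'
        }
    }

    $secure = ConvertTo-SecureString $env:AZ_PASS -AsPlainText -Force
    $cred   = [pscredential]::new($env:AZ_USER, $secure)
    $null   = Connect-AzAccount -Credential $cred -TenantId $env:AZ_TENANT `
                                -Subscription $env:AZ_SUBSCRIPTION

    # Token is a string in Az.Accounts 3.0.x; handle a SecureString as well
    # so the step does not break on a module version that returns one.
    $token = (Get-AzAccessToken).Token
    if ($token -is [securestring]) {
        $token = [System.Net.NetworkCredential]::new('', $token).Password
    }

    # Return the header only; never write the token itself to the job log.
    return @{ Authorization = "Bearer $token" }
}

$headers = Get-PipelineAuthHeader
```

If you also capture `-Debug` output as requested in the thread, review it for tenant, account and subscription identifiers before pasting it into a public issue, as the reporter did with the GUID.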