Azure / azure-powershell

Microsoft Azure PowerShell

Get-AzAccessToken broken for non-WAM users #25028

Open Jaykul opened 3 months ago

Jaykul commented 3 months ago

Description

Get-AzAccessToken throws an exception (where it used to work), and breaks authentication.

Because of ADO's requirements, we have been using a "normal" user account with MFA disabled, for access to git from AKS (Flux).

We generate a PAT token in an Azure pipeline by using (Get-AzAccessToken).Token in an HTTP header ... but in Az.Accounts 3.0.0 it is now throwing this exception (I zeroed out the GUID) when we try to Get-AzAccessToken:

Get-AzAccessToken: Authentication failed against tenant 00000000-0000-0000-0000-000000000000. User interaction is required. This may be due to the conditional access policy settings such as multi-factor authentication (MFA). If you need to access subscriptions in that tenant, please rerun 'Connect-AzAccount' with additional parameter '-TenantId 00000000-0000-0000-0000-000000000000'.

We ARE calling Connect-AzAccount with all the parameters; the problem is that even though we're logging in with -Credential, Azure still expects to use WAM.

It seems to me that WAM should be disabled for the process when we use the -Credential parameter on Connect-AzAccount.

WORKAROUND:

Manually disable WAM before running anything in the Azure Pipeline...

Update-AzConfig -EnableLoginByWam $false -Scope Environment

Issue script & Debug output

# In automation, this would be fetched from a keyvault:
$UserCredential = Get-Credential

# We are already connected to some subscription, and must put it back after
$CurrentContext = Get-AzContext

# Log in with the provided credentials
$null = Connect-AzAccount -Credential $UserCredential -TenantId $CurrentContext.Tenant -Subscription $CurrentContext.Subscription

$DebugPreference = "Continue"
# Set up the authorization header --- THIS LINE CRASHES NOW ---
# Later on, we'll `Invoke-RestMethod @Headers` to generate the PAT token.
$Headers = @{ 'Authorization' = "Bearer $((Get-AzAccessToken).Token)" }

# Return to our original context
Get-AzContext | Remove-AzContext -Force
$null = $CurrentContext | Select-AzContext

#########
# OUTPUT:

Retrieving subscriptions for the selection...
[Announcements]
With the new Azure PowerShell login experience, you can select the subscription you want to use more easily. Learn more about it and its configuration at https://go.microsoft.com/fwlink/?linkid=2271909.

If you encounter any problem, please open an issue at: https://aka.ms/azpsissue

DEBUG: 4:56:00 PM - [ConfigManager] Got nothing from [DisplaySecretsWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 4:56:00 PM - GetAzureRmAccessTokenCommand begin processing with ParameterSet 'KnownResourceTypeName'.
DEBUG: 4:56:00 PM - using account id '.................@...........com'...
DEBUG: 4:56:00 PM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 4:56:00 PM - [ConfigManager] Got nothing from [DisableInstanceDiscovery], Module = [], Cmdlet = []. Returning default value [False].
DEBUG: 4:56:00 PM - [ConfigManager] Got [True] from [EnableLoginByWam], Module = [], Cmdlet = [].
DEBUG: 4:56:00 PM - [SilentAuthenticator] Calling SharedTokenCacheCredential.GetTokenAsync - TenantId:'deadbeef-dead-beef-dead-000000000000', Scopes:'https://management.core.windows.net//.default', AuthorityHost:'https://login.microsoftonline.com/', UserId:'.................@...........com'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.19045 [2024-05-29 20:56:00Z - 331a6580-d168-41b4-887b-519488c93e1e] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.19045 [2024-05-29 20:56:00Z - 331a6580-d168-41b4-887b-519488c93e1e] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.19045 [2024-05-29 20:56:00Z - 331a6580-d168-41b4-887b-519488c93e1e] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.19045 [2024-05-29 20:56:00Z - 331a6580-d168-41b4-887b-519488c93e1e] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.19045 [2024-05-29 20:56:00Z - 331a6580-d168-41b4-887b-519488c93e1e] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.19045 [2024-05-29 20:56:00Z - 331a6580-d168-41b4-887b-519488c93e1e] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.19045 [2024-05-29 20:56:00Z] [Runtime] WAM supported OS.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.19045 [2024-05-29 20:56:00Z] [RuntimeBroker] ListWindowsWorkAndSchoolAccounts option was not enabled.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.19045 [2024-05-29 20:56:00Z - 59fe069e-6864-440c-a87e-2b1ea538466a] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.19045 [2024-05-29 20:56:00Z] Found 2 cache accounts and 0 broker accounts
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.19045 [2024-05-29 20:56:00Z] Returning 2 accounts
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.19045 [2024-05-29 20:56:00Z - d5a109ba-07fe-4e26-a497-0e81e1ce45cc] MSAL MSAL.CoreCLR with assembly version '4.60.3.0'. CorrelationId(d5a109ba-07fe-4e26-a497-0e81e1ce45cc)
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.19045 [2024-05-29 20:56:00Z - d5a109ba-07fe-4e26-a497-0e81e1ce45cc] === AcquireTokenSilent Parameters ===
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.19045 [2024-05-29 20:56:00Z - d5a109ba-07fe-4e26-a497-0e81e1ce45cc] LoginHint provided: False
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.19045 [2024-05-29 20:56:00Z - d5a109ba-07fe-4e26-a497-0e81e1ce45cc] Account provided: True
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.19045 [2024-05-29 20:56:00Z - d5a109ba-07fe-4e26-a497-0e81e1ce45cc] ForceRefresh: False
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.19045 [2024-05-29 20:56:00Z - d5a109ba-07fe-4e26-a497-0e81e1ce45cc]
=== Request Data ===
Authority Provided? - True
Scopes - https://management.core.windows.net//.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - True
HomeAccountId - False
CorrelationId - d5a109ba-07fe-4e26-a497-0e81e1ce45cc
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:

DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.19045 [2024-05-29 20:56:00Z - d5a109ba-07fe-4e26-a497-0e81e1ce45cc] === Token Acquisition (SilentRequest) started:
         Scopes: https://management.core.windows.net//.default
        Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.19045 [2024-05-29 20:56:00Z - d5a109ba-07fe-4e26-a497-0e81e1ce45cc] Broker is configured and enabled, attempting to use broker instead.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.19045 [2024-05-29 20:56:00Z] [Runtime] WAM supported OS.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.19045 [2024-05-29 20:56:00Z - d5a109ba-07fe-4e26-a497-0e81e1ce45cc] Can invoke broker. Will attempt to acquire token with broker.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.19045 [2024-05-29 20:56:00Z] [MSAL:0001]      WARNING SetAuthorityString:98   Initializing authority from string 'https://login.microsoftonline.com/deadbeef-dead-beef-dead-000000000000/' without authority type, defaulting to MsSts
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.19045 [2024-05-29 20:56:00Z] [MSAL:0101]      ERROR   ErrorInternalImpl:134   Created an error: 5vt4a, StatusInternal::AccountNotFound, InternalEvent::None, Error Code 0, Context 'Account with id '(pii)' not found'
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.19045 [2024-05-29 20:56:00Z] [MSAL:0101]      INFO    LogTelemetryData:393    Printing Telemetry for Correlation ID: d5a109ba-07fe-4e26-a497-0e81e1ce45cc
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.19045 [2024-05-29 20:56:00Z] [MSAL:0101]      INFO    LogTelemetryData:401    Key: start_time, Value: 2024-05-29T20:56:00.000Z
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.19045 [2024-05-29 20:56:00Z] [MSAL:0101]      INFO    LogTelemetryData:401    Key: api_name, Value: ReadAccountById
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.19045 [2024-05-29 20:56:00Z] [MSAL:0101]      INFO    LogTelemetryData:401    Key: was_request_throttled, Value: false
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.19045 [2024-05-29 20:56:00Z] [MSAL:0101]      INFO    LogTelemetryData:401    Key: authority_type, Value: Unknown
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.19045 [2024-05-29 20:56:00Z] [MSAL:0101]      INFO    LogTelemetryData:401    Key: msal_version, Value: 1.1.0+local
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.19045 [2024-05-29 20:56:00Z] [MSAL:0101]      INFO    LogTelemetryData:401    Key: correlation_id, Value: d5a109ba-07fe-4e26-a497-0e81e1ce45cc
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.19045 [2024-05-29 20:56:00Z] [MSAL:0101]      INFO    LogTelemetryData:401    Key: broker_app_used, Value: false
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.19045 [2024-05-29 20:56:00Z] [MSAL:0101]      INFO    LogTelemetryData:401    Key: stop_time, Value: 2024-05-29T20:56:00.000Z
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.19045 [2024-05-29 20:56:00Z] [MSAL:0101]      INFO    LogTelemetryData:401    Key: all_error_tags, Value: 5vt4a
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.19045 [2024-05-29 20:56:00Z] [MSAL:0101]      INFO    LogTelemetryData:401    Key: msalruntime_version, Value: 0.16.0
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.19045 [2024-05-29 20:56:00Z] [MSAL:0101]      INFO    LogTelemetryData:401    Key: api_error_code, Value: 0
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.19045 [2024-05-29 20:56:00Z] [MSAL:0101]      INFO    LogTelemetryData:401    Key: api_error_tag, Value: 5vt4a
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.19045 [2024-05-29 20:56:00Z] [MSAL:0101]      INFO    LogTelemetryData:401    Key: api_status_code, Value: StatusInternal::AccountNotFound
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.19045 [2024-05-29 20:56:00Z] [MSAL:0101]      INFO    LogTelemetryData:401    Key: api_error_context, Value: Account with id '(pii)' not found
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.19045 [2024-05-29 20:56:00Z] [MSAL:0101]      INFO    LogTelemetryData:401    Key: is_successful, Value: false
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.19045 [2024-05-29 20:56:00Z] [MSAL:0101]      INFO    LogTelemetryData:401    Key: request_duration, Value: 0
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.19045 [2024-05-29 20:56:00Z] [RuntimeBroker] Could not find a WAM account for the selected user. Error: Status: AccountNotFound
Context: Account with id '(pii)' not found
Tag: 0x1f553780
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.19045 [2024-05-29 20:56:00Z - d5a109ba-07fe-4e26-a497-0e81e1ce45cc] Exception type: Microsoft.Identity.Client.MsalUiRequiredException
, ErrorCode: wam_no_account_for_id
HTTP StatusCode 0
CorrelationId d5a109ba-07fe-4e26-a497-0e81e1ce45cc
To see full exception details, enable PII Logging. See https://aka.ms/msal-net-logging
   at Microsoft.Identity.Client.Internal.Requests.Silent.SilentRequest.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.Identity.Client.Utils.StopwatchService.MeasureCodeBlockAsync(Func`1 codeBlock)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)

DEBUG: SharedTokenCacheCredential.GetToken was unable to retrieve an access token. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:  Exception: Azure.Identity.CredentialUnavailableException (0x80131500): SharedTokenCacheCredential authentication unavailable. Token acquisition failed for user .................@...........com. Ensure that you have authenticated with a developer tool that supports Azure single sign on.
 ---> Microsoft.Identity.Client.MsalUiRequiredException (0x80131500): Could not find a WAM account for the selected user. Error: Status: AccountNotFound
Context: Account with id '(pii)' not found
Tag: 0x1f553780
DEBUG: 4:56:00 PM - [ConfigManager] Got nothing from [EnableErrorRecordsPersistence], Module = [], Cmdlet = []. Returning default value [False].
Get-AzAccessToken:
Line |
  11 |  $Headers = @{ 'Authorization' = "Bearer $((Get-AzAccessToken).Token)" …
     |                                             ~~~~~~~~~~~~~~~~~
     | Authentication failed against tenant deadbeef-dead-beef-dead-000000000000. User interaction is required. This may be due to the conditional access policy settings such as multi-factor authentication (MFA). If you need to access subscriptions in that tenant, please rerun 'Connect-AzAccount' with additional parameter '-TenantId deadbeef-dead-beef-dead-000000000000'.
DEBUG: 4:56:00 PM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 4:56:00 PM - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 4:56:00 PM - [ConfigManager] Got nothing from [CheckForUpgrade], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent:  Module: Az.Accounts:3.0.0; CommandName: Get-AzAccessToken; PSVersion: 7.4.2; IsSuccess: False; Duration: 00:00:00.0569465; SanitizeDuration: 00:00:00; Exception: Authentication failed against tenant deadbeef-dead-beef-dead-000000000000. User interaction is required. This may be due to the conditional access policy settings such as multi-factor authentication (MFA). If you need to access subscriptions in that tenant, please rerun 'Connect-AzAccount' with additional parameter '-TenantId deadbeef-dead-beef-dead-000000000000'.;
DEBUG: 4:56:00 PM - [ConfigManager] Got nothing from [EnableDataCollection], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 4:56:01 PM - GetAzureRmAccessTokenCommand end processing.
DEBUG: 4:56:01 PM - [ConfigManager] Got nothing from [DisplaySecretsWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 4:56:01 PM - GetAzureRMContextCommand begin processing with ParameterSet 'GetSingleContext'.
DEBUG: 4:56:01 PM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 4:56:01 PM - [ConfigManager] Got nothing from [DisplaySecretsWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 4:56:01 PM - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 4:56:01 PM - [ConfigManager] Got nothing from [CheckForUpgrade], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent:  Module: Az.Accounts:3.0.0; CommandName: Get-AzContext; PSVersion: 7.4.2; IsSuccess: True; Duration: 00:00:00.0116628; SanitizeDuration: 00:00:00.0102980
DEBUG: 4:56:01 PM - [ConfigManager] Got nothing from [EnableDataCollection], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 4:56:01 PM - GetAzureRMContextCommand end processing.

Environment data

Name                           Value
----                           -----
PSVersion                      7.4.2
PSEdition                      Core
GitCommitId                    7.4.2
OS                             Microsoft Windows 10.0.19045
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

ModuleType Version    PreRelease Name
---------- -------    ---------- ----
Script     3.0.0                 Az.Accounts
Script     6.0.3                 Az.Aks
Script     6.0.0                 Az.KeyVault
Script     7.1.0                 Az.Resources

Error output

# Same info that's in debug output above
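The reporter's script changes the WAM setting for the whole environment and, because the Get-AzAccessToken call throws, never reaches the lines that restore the original context. The following is an added example (not code from the issue or from the azure-powershell project) that wraps the same procedure in a function: it turns WAM off only at Process scope, signs in with the supplied credential, builds the bearer header, and uses a finally block so the original context and config are restored even when token acquisition fails. The function name Get-AzPipelineBearerHeader is hypothetical; the cmdlets and parameters are the ones named in the issue plus Get-AzConfig, and it assumes an Az context already exists before it is called.

```powershell
# Added example, not the reporter's or the project's code. Assumes Az.Accounts 3.x
# and an existing context; $Credential would come from a key vault in automation.
function Get-AzPipelineBearerHeader {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [pscredential] $Credential
    )

    $originalContext = Get-AzContext
    if (-not $originalContext) {
        throw 'No Azure context is selected; run Connect-AzAccount before calling this function.'
    }

    # Record the effective WAM setting so it can be restored afterwards (Value is the resolved bool).
    $wamWasEnabled = [bool](Get-AzConfig -EnableLoginByWam).Value

    try {
        # Process scope affects only this PowerShell session, not the agent machine or the
        # user's persisted config, which is what the -Scope Environment workaround changes.
        if ($wamWasEnabled) {
            $null = Update-AzConfig -EnableLoginByWam $false -Scope Process
        }

        # Username/password sign-in, as in the issue; the new context becomes current.
        $null = Connect-AzAccount -Credential $Credential `
            -TenantId $originalContext.Tenant.Id `
            -Subscription $originalContext.Subscription.Id

        # Only the header object leaves this function; never write the token itself to output or logs.
        $token = (Get-AzAccessToken).Token
        return @{ Authorization = "Bearer $token" }
    }
    finally {
        # Runs whether or not Get-AzAccessToken threw, so the pipeline is never left
        # running as the service user or with WAM still disabled.
        $current = Get-AzContext
        if ($current -and $current.Account.Id -ne $originalContext.Account.Id) {
            $current | Remove-AzContext -Force
        }
        $null = $originalContext | Select-AzContext

        if ($wamWasEnabled) {
            $null = Update-AzConfig -EnableLoginByWam $true -Scope Process
        }
    }
}

# Usage in the pipeline step (constructed; in automation $UserCredential is read from a key vault):
# $UserCredential = Get-Credential
# $Headers = Get-AzPipelineBearerHeader -Credential $UserCredential
# Invoke-RestMethod -Headers $Headers -Uri $PatEndpoint -Method Post -Body $Body
```

The guard in the finally block compares account ids before removing a context: if Connect-AzAccount itself failed, the current context is still the original one and must not be removed. Restoring the Process-scoped WAM setting matters when the same session later signs in interactively; on an ephemeral build agent it is harmless either way.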
msJinLei commented 3 months ago

@Jaykul Does the workaround work for you?

isra-fel commented 3 months ago

This should be a duplicate of the token cache issue. @msJinLei can we close it? Thanks

msJinLei commented 2 months ago

@Jaykul We originally treated your case as the same failure as the device code flow one. We just received information from the MSAL.NET team that they are different. However, we are unable to log in with the username/password flow for now. Could you help collect the debug log for your case? Thanks

Could you re-enable the WAM

Update-AzConfig -EnableLoginByWam $true

and run Connect-AzAccount with the debug option

$null = Connect-AzAccount -Debug -Credential $UserCredential -TenantId $CurrentContext.Tenant -Subscription $CurrentContext.Subscription

and paste the debug log here

msJinLei commented 1 month ago

The issue refers to the ROPC flow of WAM, different from the device code flow. The same issue is also mentioned in https://github.com/Azure/azure-powershell/issues/24967. Mitigated by Az.Accounts 3.0.1. Rely on Azure.Identity to fix.