Open gsuttie opened 1 month ago
May be the same issue as https://github.com/Azure/azure-powershell/issues/25069; will check it later.
Hi folks
Is there any update on this item?
Thanks Gregor
Hi, is there any update on this?
Sorry for the late response.
Could you do the following steps and copy the debug log here? Remember to remove your personal information.
$DebugPreference='Continue'
Connect-AzAccount -Tenant $TenantId -SubscriptionId $SubscriptionId
Get-AzStorageAccountKey -ResourceGroupName $resourceGroup -AccountName $storageAccountName
Hi @msJinLei ,
Thank you for your reply. I tried your script and miraculously it works without the error! So, to summarize: When I do this:
Connect-AzAccount -TenantId $TenantId
Select-AzSubscription -SubscriptionId $SubscriptionId
Get-AzStorageAccountKey -ResourceGroupName $resourceGroup -AccountName $storageAccountName
Then I get the error: The client 'REDACTED' with object id 'REDACTED' does not have authorization to perform action 'Microsoft.Storage/storageAccounts/listKeys/action' over scope '/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Storage/storageAccounts/REDACTED' or the scope is invalid. If access was recently granted, please refresh your credentials.
But when I do this:
Connect-AzAccount -Tenant $TenantId -SubscriptionId $SubscriptionId
Get-AzStorageAccountKey -ResourceGroupName $resourceGroup -AccountName $storageAccountName
It works correctly! This looks like a bug in the PowerShell cmdlet, don't you think?
@BastiaanMolsbeck
The first script should be equivalent to the second. Could you run with
$DebugPreference='Continue'
Connect-AzAccount -TenantId $TenantId
Select-AzSubscription -SubscriptionId $SubscriptionId
Get-AzStorageAccountKey -ResourceGroupName $resourceGroup -AccountName $storageAccountName
and copy the debug log here?
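One way to meet the request above for a debug log with personal information removed, as an added example that is not part of the thread or of Azure PowerShell: it replaces each GUID with a stable placeholder, so tenant, subscription and object ids can still be compared across the log, and masks tokens, key values, resource names and sign-in names. `Protect-AzDebugLog`, the pattern set and the output file name are assumptions, and the sample lines are constructed.

```powershell
# Added example. Protect-AzDebugLog is a hypothetical helper name, not an Az cmdlet.
function Protect-AzDebugLog {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string] $Text
    )
    begin {
        # GUID -> stable placeholder. The same id always maps to the same label,
        # so a reader can still see whether two requests used the same tenant.
        $ids  = @{}
        $guid = [regex] '(?i)\b[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\b'

        # Pattern/replacement pairs, applied in order to every line.
        $rules = @(
            # Raw JWTs and bearer headers
            @('eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*', '*REDACTED-JWT*'),
            @('(?i)(Bearer\s+)\S+', '${1}*REDACTED*'),
            # JSON string fields that can carry secrets or tenant-identifying names;
            # "value" covers a listKeys response body if one is logged
            @('(?i)("(?:value|access_token|refresh_token|id_token|displayName|defaultDomain)"\s*:\s*)"[^"]*"',
              '${1}"*REDACTED*"'),
            # Resource names inside ARM paths
            @('(?i)(/(?:resourceGroups|storageAccounts)/)[^/?''"\s]+', '${1}*REDACTED*'),
            # Sign-in names (UPNs)
            @('[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}', '*REDACTED-UPN*')
        )
    }
    process {
        # A single debug record can span several lines, so split first.
        foreach ($line in ($Text -split "`r?`n")) {
            foreach ($m in $guid.Matches($line)) {
                $key = $m.Value.ToLowerInvariant()
                if (-not $ids.ContainsKey($key)) {
                    $ids[$key] = "GUID-$($ids.Count + 1)"
                }
                $line = $line.Replace($m.Value, $ids[$key])
            }
            foreach ($r in $rules) {
                $line = $line -replace $r[0], $r[1]
            }
            $line
        }
    }
}

# Constructed sample in the shape of the log posted in this thread (all values made up).
$sample = @'
DEBUG: 15:40:51 - using account id 'someone@contoso.example'...
https://management.azure.com/subscriptions/11111111-2222-3333-4444-555555555555/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts/stdemo/listKeys?api-version=2022-09-01
"tenantId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
"subscriptionId": "11111111-2222-3333-4444-555555555555",
{"keys":[{"keyName":"key1","value":"Q09OU1RSVUNURUQ=","permissions":"FULL"}]}
'@

$sample | Protect-AzDebugLog

# Against a live session, capture only the debug stream (5). The normal output is
# discarded because a successful Get-AzStorageAccountKey returns the account keys.
#   $DebugPreference = 'Continue'
#   & {
#       Connect-AzAccount -TenantId $TenantId | Out-Null
#       Select-AzSubscription -SubscriptionId $SubscriptionId | Out-Null
#       Get-AzStorageAccountKey -ResourceGroupName $resourceGroup -AccountName $storageAccountName | Out-Null
#   } 5>&1 | ForEach-Object { "DEBUG: $_" } | Protect-AzDebugLog | Set-Content .\az-debug-redacted.log
```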
This is the redacted debug log:
DEBUG: 15:40:47 - ConnectAzureRmAccountCommand begin processing with ParameterSet 'UserWithSubscriptionId'.
DEBUG: 15:40:47 - [ConfigManager] Got [False] from [DisplayBreakingChangeWarning], Module = [], Cmdlet = [].
DEBUG: 15:40:47 - [ConfigManager] Got nothing from [DefaultSubscriptionForLogin], Module = [], Cmdlet = []. Returning default value [].
DEBUG: 15:40:47 - Autosave setting from startup session: 'CurrentUser'
DEBUG: 15:40:47 - No autosave setting detected in environment variable 'AzContextAutoSave'.
DEBUG: 15:40:47 - Using Autosave scope 'CurrentUser'
DEBUG: 15:40:47 - [InteractiveUserAuthenticator] Calling InteractiveBrowserCredential.AuthenticateAsync with TenantId:'*REDACTED*', Scopes:'https://management.core.windows.net//.default', AuthorityHost:'https://login.microsoftonline.com/', RedirectUri:'http://localhost:8400/'
DEBUG: InteractiveBrowserCredential.Authenticate invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:
DEBUG: Executing interactive authentication workflow inline.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:47Z - *REDACTED*] MSAL MSAL.Desktop with assembly version '4.49.1.0'. CorrelationId(*REDACTED*)
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:47Z - *REDACTED*] === InteractiveParameters Data ===
LoginHint provided: False
User provided: False
UseEmbeddedWebView: NotSpecified
ExtraScopesToConsent:
Prompt: select_account
HasCustomWebUi: False
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:47Z - *REDACTED*]
=== Request Data ===
Authority Provided? - True
Scopes - https://management.core.windows.net//.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenInteractive
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - *REDACTED*
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:47Z - *REDACTED*] === Token Acquisition (InteractiveRequest) started:
Scopes: https://management.core.windows.net//.default
Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:47Z - *REDACTED*] [Instance Discovery] Instance discovery is enabled and will be performed
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:47Z - *REDACTED*] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:47Z - *REDACTED*] Using legacy embedded browser.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:50Z - *REDACTED*] [Legacy WebView] Redirect URI was reached. Stopping WebView navigation...
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:50Z - *REDACTED*] An authorization code was retrieved from the /authorize endpoint.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:50Z - *REDACTED*] Exchanging the auth code for tokens.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:50Z - *REDACTED*] === InteractiveParameters Data ===
LoginHint provided: False
User provided: False
UseEmbeddedWebView: NotSpecified
ExtraScopesToConsent:
Prompt: select_account
HasCustomWebUi: False
DEBUG: Request [700a067e-cfda-47db-b0bb-e541eb1e9413] POST https://login.microsoftonline.com/*REDACTED*/oauth2/v2.0/token
x-client-SKU:REDACTED
x-client-Ver:REDACTED
x-client-CPU:REDACTED
x-client-OS:REDACTED
x-anchormailbox:REDACTED
x-client-current-telemetry:REDACTED
x-client-last-telemetry:REDACTED
x-ms-lib-capability:REDACTED
client-request-id:REDACTED
return-client-request-id:REDACTED
x-app-name:REDACTED
x-app-ver:REDACTED
Content-Type:application/x-www-form-urlencoded
x-ms-client-request-id:700a067e-cfda-47db-b0bb-e541eb1e9413
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Identity/1.6.1 (.NET Framework 4.8.9241.0; Microsoft Windows 10.0.19045 )
client assembly: Azure.Identity
DEBUG: Response [700a067e-cfda-47db-b0bb-e541eb1e9413] 200 OK (00.4s)
Pragma:no-cache
Strict-Transport-Security:REDACTED
X-Content-Type-Options:REDACTED
client-request-id:REDACTED
x-ms-request-id:df3dd97b-a93d-476d-9f1d-73e5fb66a700
x-ms-ests-server:REDACTED
x-ms-clitelem:REDACTED
x-ms-srs:REDACTED
X-XSS-Protection:REDACTED
Cache-Control:no-store, no-cache
Content-Type:application/json; charset=utf-8
Expires:-1
P3P:REDACTED
Set-Cookie:REDACTED
Date:Fri, 05 Jul 2024 13:40:50 GMT
Content-Length:6094
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] Checking client info returned from the server..
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] Saving token response to cache..
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] [SaveTokenResponseAsync] Saving AT in cache and removing overlapping ATs...
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] Looking for scopes for the authority in the cache which intersect with https://management.core.windows.net//.default
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] Intersecting scope entries count - 1
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] Matching entries after filtering by user - 1
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] [SaveTokenResponseAsync] Saving Id Token and Account in cache ...
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] [SaveTokenResponseAsync] Saving RT in cache...
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] Not writing FRT in ADAL legacy cache.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*]
=== Token Acquisition finished successfully:
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] AT expiration time: 5-7-2024 14:45:33 +00:00, scopes: https://management.core.windows.net//user_impersonation https://management.core.windows.net//.default. source: IdentityProvider
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] Fetched access token from host login.microsoftonline.com.
DEBUG: InteractiveBrowserCredential.Authenticate succeeded. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId: ExpiresOn: 2024-07-05T14:45:33.3063704+00:00
DEBUG: 15:40:51 - [MsalAccessToken] Calling InteractiveBrowserCredential.GetTokenAsync - Scopes:'https://management.core.windows.net//.default'
DEBUG: InteractiveBrowserCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] MSAL MSAL.Desktop with assembly version '4.49.1.0'. CorrelationId(*REDACTED*)
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] === AcquireTokenSilent Parameters ===
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] LoginHint provided: False
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] Account provided: True
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] ForceRefresh: False
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*]
=== Request Data ===
Authority Provided? - True
Scopes - https://management.core.windows.net//.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - *REDACTED*
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] === Token Acquisition (SilentRequest) started:
Scopes: https://management.core.windows.net//.default
Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] Access token is not expired. Returning the found cache entry. [Current time (07/05/2024 13:40:51) - Expiration Time (07/05/2024 14:45:33 +00:00) - Extended Expiration Time (07/05/2024 14:45:33 +00:00)]
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] Returning access token found in cache. RefreshOn exists ? False
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*]
=== Token Acquisition finished successfully:
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] AT expiration time: 5-7-2024 14:45:33 +00:00, scopes: https://management.core.windows.net//user_impersonation https://management.core.windows.net//.default. source: Cache
DEBUG: InteractiveBrowserCredential.GetToken succeeded. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId: ExpiresOn: 2024-07-05T14:45:33.0000000+00:00
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
GET
Absolute Uri:
https://management.azure.com/subscriptions?api-version=2021-01-01
Headers:
x-ms-client-request-id : f7a05574-0ee6-443d-bf11-380935dfc20f
accept-language : en-US
Body:
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
OK
Headers:
Pragma : no-cache
x-ms-ratelimit-remaining-tenant-reads: 249
x-ms-request-id : 92cdc1cd-ed77-4d78-a9cf-a4d216ef93a9
x-ms-correlation-request-id : 92cdc1cd-ed77-4d78-a9cf-a4d216ef93a9
x-ms-routing-request-id : WESTEUROPE:20240705T134051Z:92cdc1cd-ed77-4d78-a9cf-a4d216ef93a9
Strict-Transport-Security : max-age=31536000; includeSubDomains
X-Content-Type-Options : nosniff
X-Cache : CONFIG_NOCACHE
X-MSEdge-Ref : Ref A: 346FA25823E94D05925F4166C3070D7D Ref B: AMS231020615025 Ref C: 2024-07-05T13:40:51Z
Cache-Control : no-cache
Date : Fri, 05 Jul 2024 13:40:50 GMT
Body:
{
"value": [
{
"id": "/subscriptions/*REDACTED*",
"authorizationSource": "RoleBased",
"managedByTenants": [
{
"tenantId": "*REDACTED*"
},
{
"tenantId": "*REDACTED*"
}
],
"subscriptionId": "*REDACTED*",
"tenantId": "*REDACTED*",
"displayName": "*REDACTED*",
"state": "Enabled",
"subscriptionPolicies": {
"locationPlacementId": "Public_2014-09-01",
"quotaId": "*REDACTED*",
"spendingLimit": "Off"
}
}
],
"count": {
"type": "Total",
"value": 1
}
}
DEBUG: AzureQoSEvent: Module: Az.Accounts:2.11.1; CommandName: Connect-AzAccount; PSVersion: 5.1.19041.4522; IsSuccess: True; Duration: 00:00:04.1183034
DEBUG: 15:40:51 - [ConfigManager] Got [True] from [EnableDataCollection], Module = [], Cmdlet = [].
DEBUG: 15:40:51 - ConnectAzureRmAccountCommand end processing.
DEBUG: 15:40:51 - SetAzureRMContextCommand begin processing with ParameterSet 'Subscription'.
DEBUG: 15:40:51 - using account id '*REDACTED*'...
DEBUG: 15:40:51 - [ConfigManager] Got [False] from [DisplayBreakingChangeWarning], Module = [], Cmdlet = [].
DEBUG: 15:40:51 - Autosave setting from startup session: 'CurrentUser'
DEBUG: 15:40:51 - No autosave setting detected in environment variable 'AzContextAutoSave'.
DEBUG: 15:40:51 - Using Autosave scope 'CurrentUser'
DEBUG: 15:40:51 - [SilentAuthenticator] Calling SharedTokenCacheCredential.GetTokenAsync - TenantId:'*REDACTED*', Scopes:'https://management.core.windows.net//.default', AuthorityHost:'https://login.microsoftonline.com/', UserId:'*REDACTED*'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z] [WamBroker] WAM supported OS.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z] [WamBroker] ListWindowsWorkAndSchoolAccounts option was not enabled.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z] Found 1 cache accounts and 0 broker accounts
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z] Returning 1 accounts
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] MSAL MSAL.Desktop with assembly version '4.49.1.0'. CorrelationId(*REDACTED*)
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] === AcquireTokenSilent Parameters ===
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] LoginHint provided: False
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] Account provided: True
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] ForceRefresh: False
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*]
=== Request Data ===
Authority Provided? - True
Scopes - https://management.core.windows.net//.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - True
HomeAccountId - False
CorrelationId - *REDACTED*
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] === Token Acquisition (SilentRequest) started:
Scopes: https://management.core.windows.net//.default
Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] Access token is not expired. Returning the found cache entry. [Current time (07/05/2024 13:40:51) - Expiration Time (07/05/2024 14:45:33 +00:00) - Extended Expiration Time (07/05/2024 14:45:33 +00:00)]
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] Returning access token found in cache. RefreshOn exists ? False
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*]
=== Token Acquisition finished successfully:
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] AT expiration time: 5-7-2024 14:45:33 +00:00, scopes: https://management.core.windows.net//user_impersonation https://management.core.windows.net//.default. source: Cache
DEBUG: SharedTokenCacheCredential.GetToken succeeded. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId: ExpiresOn: 2024-07-05T14:45:33.0000000+00:00
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
GET
Absolute Uri:
https://management.azure.com/tenants?api-version=2021-01-01
Headers:
x-ms-client-request-id : b24d19e9-4fa6-4238-ab90-0d42a3f5f77f
accept-language : en-US
Body:
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
OK
Headers:
Pragma : no-cache
x-ms-ratelimit-remaining-tenant-reads: 249
x-ms-request-id : 4ff7d5e4-d99c-4c88-bb98-f0b7c1378edc
x-ms-correlation-request-id : 4ff7d5e4-d99c-4c88-bb98-f0b7c1378edc
x-ms-routing-request-id : WESTEUROPE:20240705T134051Z:4ff7d5e4-d99c-4c88-bb98-f0b7c1378edc
Strict-Transport-Security : max-age=31536000; includeSubDomains
X-Content-Type-Options : nosniff
X-Cache : CONFIG_NOCACHE
X-MSEdge-Ref : Ref A: 417EBAF47069421B9F98353B97582F39 Ref B: AMS231032607047 Ref C: 2024-07-05T13:40:51Z
Cache-Control : no-cache
Date : Fri, 05 Jul 2024 13:40:50 GMT
Body:
{
"value": [
{
"id": "/tenants/*REDACTED*",
"tenantId": "*REDACTED*",
"countryCode": "NL",
"displayName": "*REDACTED*",
"domains": [
"*REDACTED*"
],
"tenantCategory": "Home",
"defaultDomain": "*REDACTED*",
"tenantType": "AAD",
"tenantBrandingLogoUrl": "*REDACTED*"
}
]
}
DEBUG: 15:40:51 - [SilentAuthenticator] Calling SharedTokenCacheCredential.GetTokenAsync - TenantId:'*REDACTED*', Scopes:'https://management.core.windows.net//.default', AuthorityHost:'https://login.microsoftonline.com/', UserId:'*REDACTED*'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z] [WamBroker] WAM supported OS.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z] [WamBroker] ListWindowsWorkAndSchoolAccounts option was not enabled.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z] Found 1 cache accounts and 0 broker accounts
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z] Returning 1 accounts
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] MSAL MSAL.Desktop with assembly version '4.49.1.0'. CorrelationId(*REDACTED*)
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] === AcquireTokenSilent Parameters ===
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] LoginHint provided: False
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] Account provided: True
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] ForceRefresh: False
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*]
=== Request Data ===
Authority Provided? - True
Scopes - https://management.core.windows.net//.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - True
HomeAccountId - False
CorrelationId - *REDACTED*
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] === Token Acquisition (SilentRequest) started:
Scopes: https://management.core.windows.net//.default
Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] Access token is not expired. Returning the found cache entry. [Current time (07/05/2024 13:40:51) - Expiration Time (07/05/2024 14:57:24 +00:00) - Extended Expiration Time (07/05/2024 14:57:24 +00:00)]
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] Returning access token found in cache. RefreshOn exists ? False
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*]
=== Token Acquisition finished successfully:
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] AT expiration time: 5-7-2024 14:57:24 +00:00, scopes: https://management.core.windows.net//user_impersonation https://management.core.windows.net//.default. source: Cache
DEBUG: SharedTokenCacheCredential.GetToken succeeded. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId: ExpiresOn: 2024-07-05T14:57:24.0000000+00:00
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
GET
Absolute Uri:
https://management.azure.com/subscriptions/*REDACTED*?api-version=2021-01-01
Headers:
x-ms-client-request-id : b24d19e9-4fa6-4238-ab90-0d42a3f5f77f
accept-language : en-US
Body:
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
OK
Headers:
Pragma : no-cache
x-ms-ratelimit-remaining-subscription-reads: 249
x-ms-ratelimit-remaining-subscription-global-reads: 3749
x-ms-request-id : a30bbb0d-dc66-4f06-af66-640307a17b43
x-ms-correlation-request-id : a30bbb0d-dc66-4f06-af66-640307a17b43
x-ms-routing-request-id : WESTEUROPE:20240705T134051Z:a30bbb0d-dc66-4f06-af66-640307a17b43
Strict-Transport-Security : max-age=31536000; includeSubDomains
X-Content-Type-Options : nosniff
X-Cache : CONFIG_NOCACHE
X-MSEdge-Ref : Ref A: EB4D6D0F7326478DAC27F1B21BD4A7D0 Ref B: AMS231020512047 Ref C: 2024-07-05T13:40:51Z
Cache-Control : no-cache
Date : Fri, 05 Jul 2024 13:40:51 GMT
Body:
{
"id": "/subscriptions/*REDACTED*",
"authorizationSource": "RoleBased",
"managedByTenants": [
{
"tenantId": "*REDACTED*"
},
{
"tenantId": "*REDACTED*"
}
],
"subscriptionId": "*REDACTED*",
"tenantId": "*REDACTED*",
"displayName": "*REDACTED*",
"state": "Enabled",
"subscriptionPolicies": {
"locationPlacementId": "Public_2014-09-01",
"quotaId": "*REDACTED*",
"spendingLimit": "Off"
}
}
Account SubscriptionName TenantId Environment
------- ---------------- -------- -----------
*REDACTED* *REDACTED* *REDACTED* AzureCloud
Name : *REDACTED* (*REDACTED*) - *REDACTED* - *REDACTED*
Account : *REDACTED*
Environment : AzureCloud
Subscription : *REDACTED*
Tenant : *REDACTED*
TokenCache :
VersionProfile :
ExtendedProperties : {}
DEBUG: AzureQoSEvent: Module: Az.Accounts:2.11.1; CommandName: Set-AzContext; PSVersion: 5.1.19041.4522; IsSuccess: True; Duration: 00:00:00.2935485
DEBUG: 15:40:51 - [ConfigManager] Got [True] from [EnableDataCollection], Module = [], Cmdlet = [].
DEBUG: 15:40:51 - SetAzureRMContextCommand end processing.
DEBUG: 15:40:51 - GetAzureStorageAccountKeyCommand begin processing with ParameterSet '__AllParameterSets'.
DEBUG: 15:40:51 - using account id '*REDACTED*'...
DEBUG: 15:40:51 - [ConfigManager] Got [False] from [DisplayBreakingChangeWarning], Module = [], Cmdlet = [].
DEBUG: [Common.Authentication]: Authenticating using Account: '*REDACTED*', environment: 'AzureCloud', tenant: '*REDACTED*'
DEBUG: 15:40:51 - [SilentAuthenticator] Calling SharedTokenCacheCredential.GetTokenAsync - TenantId:'*REDACTED*', Scopes:'https://management.core.windows.net//.default', AuthorityHost:'https://login.microsoftonline.com/', UserId:'*REDACTED*'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z] [WamBroker] WAM supported OS.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z] [WamBroker] ListWindowsWorkAndSchoolAccounts option was not enabled.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z] Found 1 cache accounts and 0 broker accounts
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z] Returning 1 accounts
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] MSAL MSAL.Desktop with assembly version '4.49.1.0'. CorrelationId(*REDACTED*)
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] === AcquireTokenSilent Parameters ===
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] LoginHint provided: False
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] Account provided: True
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] ForceRefresh: False
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*]
=== Request Data ===
Authority Provided? - True
Scopes - https://management.core.windows.net//.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - True
HomeAccountId - False
CorrelationId - *REDACTED*
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] === Token Acquisition (SilentRequest) started:
Scopes: https://management.core.windows.net//.default
Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] Access token is not expired. Returning the found cache entry. [Current time (07/05/2024 13:40:51) - Expiration Time (07/05/2024 14:57:24 +00:00) - Extended Expiration Time (07/05/2024 14:57:24 +00:00)]
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] Returning access token found in cache. RefreshOn exists ? False
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*]
=== Token Acquisition finished successfully:
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2024-07-05 13:40:51Z - *REDACTED*] AT expiration time: 5-7-2024 14:57:24 +00:00, scopes: https://management.core.windows.net//user_impersonation https://management.core.windows.net//.default. source: Cache
DEBUG: SharedTokenCacheCredential.GetToken succeeded. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId: ExpiresOn: 2024-07-05T14:57:24.0000000+00:00
DEBUG: [Common.Authentication]: Received token with LoginType 'User', Tenant: '*REDACTED*', UserId: '*REDACTED*'
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
POST
Absolute Uri:
https://management.azure.com/subscriptions/*REDACTED*/resourceGroups/*REDACTED*/providers/Microsoft.Storage/storageAccounts/*REDACTED*/listKeys?api-version=2022-09-01
Headers:
x-ms-client-request-id : efebd1e4-7f58-4a2f-b884-0e855d652832
accept-language : en-US
Body:
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
Forbidden
Headers:
Pragma : no-cache
x-ms-failure-cause : gateway
x-ms-request-id : 8ec622d8-3d6c-47df-a605-bbe85c8bb47a
x-ms-correlation-request-id : 8ec622d8-3d6c-47df-a605-bbe85c8bb47a
x-ms-routing-request-id : WESTEUROPE:20240705T134051Z:8ec622d8-3d6c-47df-a605-bbe85c8bb47a
Strict-Transport-Security : max-age=31536000; includeSubDomains
X-Content-Type-Options : nosniff
X-Cache : CONFIG_NOCACHE
X-MSEdge-Ref : Ref A: 605EEF5DCF644DB49DD20DA35E32F20D Ref B: AMS231032609047 Ref C: 2024-07-05T13:40:51Z
Cache-Control : no-cache
Date : Fri, 05 Jul 2024 13:40:51 GMT
Body:
{
"error": {
"code": "AuthorizationFailed",
"message": "The client '*REDACTED*' with object id '*REDACTED*' does not have authorization to perform action 'Microsoft.Storage/storageAccounts/listKeys/action' over scope '/subscriptions/*REDACTED*/resourceGroups/*REDACTED*/providers/Microsoft.Storage/storageAccounts/*REDACTED*' or the scope is invalid. If access was recently granted, please refresh your credentials."
}
}
DEBUG: 15:40:51 - [ConfigManager] Got [True] from [EnableDataCollection], Module = [], Cmdlet = [].
Get-AzStorageAccountKey : The client '*REDACTED*' with object id '*REDACTED*' does not have authorization to perform action 'Microsoft.Storage/storageAccounts/listKeys/action' over scope '/subscriptions/*REDACTED*/resourceGroups/*REDACTED*/providers/Microsoft.Storage/storageAccounts/*REDACTED*' or the scope is invalid. If access was recently granted, please refresh your credentials.
At line:3 char:1
+ Get-AzStorageAccountKey -ResourceGroupName $resourceGroup -AccountNam ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Get-AzStorageAccountKey], CloudException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Management.Storage.GetAzureStorageAccountKeyCommand
DEBUG: 15:40:51 - [ConfigManager] Got [False] from [DisplayBreakingChangeWarning], Module = [], Cmdlet = [].
DEBUG: AzureQoSEvent: Module: Az.Storage:5.3.0; CommandName: Get-AzStorageAccountKey; PSVersion: 5.1.19041.4522; IsSuccess: False; Duration: 00:00:00.1268979; Exception: The client '*REDACTED*' with object id 'b9c65a45-ef03-4df3-9de9-e66cd880a0e0' does not have authorization to perform action 'Microsoft.Storage/storageAccounts/listKeys/action' over scope '/subscriptions/*REDACTED*/resourceGroups/*REDACTED*/providers/Microsoft.Storage/storageAccounts/*REDACTED*' or the scope is invalid. If access was recently granted, please refresh your credentials.;
DEBUG: 15:40:51 - GetAzureStorageAccountKeyCommand end processing.
Description
We use a lot of Azure PowerShell cmdlets when performing maintenance on our environment.
Some cmdlets give an authorization error which we cannot explain. The error does not always occur, but it does very often. The strange thing is that my permissions are not changed between when it does work and when it does not. And the other strange thing is that some Azure PowerShell cmdlets do work when that authorization error occurs.
We cannot find the cause for this. We think it has to do with the fact that we have multiple Azure tenants, and that the browser is already logged on to one of them.
To give an example, when I run these commands:
Connect-AzAccount -TenantId
Select-AzSubscription -SubscriptionId
Get-AzStorageAccountKey -ResourceGroupName -AccountName
Then I get this error:
Get-AzStorageAccountKey : The client '<redacted' with object id '' does not have authorization to perform action 'Microsoft.Storage/storageAccounts/listKeys/action' over scope '/subscriptions//resourceGroups//providers/Microsoft.Storage/storageAccounts/' or the scope is invalid. If access was recently granted, please refresh your credentials.
When I try that same script for instance the next day (after being logged out), the script does work correctly.
Do you have any idea where we should look for the cause for this?
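One way to test the multi-tenant hypothesis raised in this post, as an added example that is not part of the issue thread or of the Az modules' own code: decode the `tid` and `oid` claims of the ARM token that Az.Accounts serves from its cache and compare them with the tenant that owns the subscription and with the object id quoted in the `AuthorizationFailed` message. The function names `ConvertFrom-JwtPayload` and `Test-AzTokenTenant` are hypothetical, and `$SubscriptionId` is assumed to be set by the caller after `Connect-AzAccount`.

```powershell
# Added diagnostic example; assumes an existing Connect-AzAccount session.
# ConvertFrom-JwtPayload and Test-AzTokenTenant are illustrative names, not Az cmdlets.

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    # A JWT is header.payload.signature; the payload is base64url-encoded JSON.
    $segment = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    # Restore the padding that base64url omits.
    switch ($segment.Length % 4) { 2 { $segment += '==' } 3 { $segment += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($segment)) | ConvertFrom-Json
}

function Test-AzTokenTenant {
    param([Parameter(Mandatory)][string]$SubscriptionId)

    $context      = Get-AzContext
    # Tenant that owns the subscription, as reported by ARM.
    $subscription = Get-AzSubscription -SubscriptionId $SubscriptionId
    # Same resource the debug log shows for the listKeys request.
    $tokenResult  = Get-AzAccessToken -ResourceUrl 'https://management.core.windows.net/'

    # Newer Az.Accounts releases return a SecureString; older ones return a plain string.
    $raw = $tokenResult.Token
    if ($raw -is [securestring]) {
        $raw = [System.Net.NetworkCredential]::new('', $raw).Password
    }
    $claims = ConvertFrom-JwtPayload -Jwt $raw

    # Only claims are emitted; the token itself is never written to output.
    [pscustomobject]@{
        ContextTenant       = $context.Tenant.Id
        ContextSubscription = $context.Subscription.Id
        SubscriptionTenant  = $subscription.TenantId
        TokenTenant         = $claims.tid
        TokenObjectId       = $claims.oid
        TenantsMatch        = ($claims.tid -eq $subscription.TenantId)
    }
}

Test-AzTokenTenant -SubscriptionId $SubscriptionId | Format-List
```

If `TenantsMatch` is `False`, or `TokenObjectId` differs from the object id that holds the role assignment, the cached token belongs to a different tenant than the one where access was granted.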