Azure / azure-powershell

Microsoft Azure PowerShell

Azure credentials have not been set up or have expired after running Connect-AzAccount #25074

Open BethanyZhou opened 3 months ago

BethanyZhou commented 3 months ago

Description

Azure credentials have not been set up or have expired after running Connect-AzAccount

Issue script & Debug output

Connect-AzAccount

Get-Azcontext

   Tenant: xxxx(xxxxx-xxxx-xxxx-xxxx-xxxxxxxx)

SubscriptionName SubscriptionId                       Account           Environment
---------------- --------------                       -------           -----------
xxxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx     xxx@microsoft.com AzureCloud

Get-AzResourceGroup -Name bez-rg
Get-AzResourceGroup: Your Azure credentials have not been set up or have expired, please run Connect-AzAccount to set up your Azure credentials.
Authentication failed against tenant $tenantId. User interaction is required. This may be due to the conditional access policy settings such as multi-factor authentication (MFA). If you need to access subscriptions in that tenant, please rerun 'Connect-AzAccount' with additional parameter '-TenantId $tenantId'.

Environment data

Name                           Value
----                           -----
PSVersion                      7.3.6
PSEdition                      Core
GitCommitId                    7.3.6
OS                             Microsoft Windows 10.0.22631
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     3.0.0                 Az.Accounts                         {Add-AzEnvironment, Clear-AzConfig, Clear-AzConte…
Script     6.16.0                Az.Resources                        {Export-AzResourceGroup, Export-AzTemplateSpec, G…
Script     0.0                   chocolateyProfile                   {TabExpansion, Update-SessionEnvironment, refresh…
Manifest   7.0.0.0               Microsoft.PowerShell.Management     {Add-Content, Clear-Content, Clear-Item, Clear-It…
Manifest   7.0.0.0               Microsoft.PowerShell.Security       {ConvertFrom-SecureString, ConvertTo-SecureString…
Manifest   7.0.0.0               Microsoft.PowerShell.Utility        {Add-Member, Add-Type, Clear-Variable, Compare-Ob…
Manifest   7.0.0.0               Microsoft.WSMan.Management          {Connect-WSMan, Disable-WSManCredSSP, Disconnect-…
Script     1.4.7                 PackageManagement                   {Find-Package, Find-PackageProvider, Get-Package,…
Script     2.2.5                 PowerShellGet                       {Find-Command, Find-DscResource, Find-Module, Fin…
Script     2.2.5                 PSReadLine

Error output

Message        : Your Azure credentials have not been set up or have expired, please run Connect-AzAccount to set up
                 your Azure credentials.
                 Authentication failed against tenant $tenantId User interaction is
                 required. This may be due to the conditional access policy settings such as multi-factor
                 authentication (MFA). If you need to access subscriptions in that tenant, please rerun
                 'Connect-AzAccount' with additional parameter '-TenantId $tenantId'.
StackTrace     :    at Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.ResourceManagerCmdletBase.Handle
                 Exception(ExceptionDispatchInfo capturedException)
                    at Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.ResourceManagerCmdletBase.Execut
                 eCmdlet()
                    at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.<>c__3`1.<ExecuteSynchronously
                 OrAsJob>b__3_0(T c)
                    at
                 Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.ExecuteSynchronouslyOrAsJob[T](T
                 cmdlet, Action`1 executor)
                    at
                 Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.ExecuteSynchronouslyOrAsJob[T](T
                 cmdlet)
                    at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
Exception      : Microsoft.Azure.Commands.Common.Exceptions.AzPSArgumentException
InvocationInfo : {Get-AzResourceGroup}
Line           : Get-AzResourceGroup -Name bez-rg
Position       : At line:1 char:1
                 + Get-AzResourceGroup -Name bez-rg
                 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId      : 5

Message        : Authentication failed against tenant $tenantId. User interaction is
                 required. This may be due to the conditional access policy settings such as multi-factor
                 authentication (MFA). If you need to access subscriptions in that tenant, please rerun
                 'Connect-AzAccount' with additional parameter '-TenantId $tenantId'.
StackTrace     :    at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzu
                 reAccount account, IAzureEnvironment environment, String tenant, SecureString password, String
                 promptBehavior, Action`1 promptAction, IAzureTokenCache tokenCache, String resourceId)
                    at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzu
                 reAccount account, IAzureEnvironment environment, String tenant, SecureString password, String
                 promptBehavior, Action`1 promptAction, String resourceId)
                    at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.GetServiceClientC
                 redentials(IAzureContext context, String targetEndpoint, String resourceId)
Exception      : Microsoft.Azure.Commands.Common.Exceptions.AzPSAuthenticationFailedException
InvocationInfo : {Get-AzResourceGroup}
Line           : Get-AzResourceGroup -Name bez-rg
Position       : At line:1 char:1
                 + Get-AzResourceGroup -Name bez-rg
                 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId      : 5

Message        : SharedTokenCacheCredential authentication unavailable. Token acquisition failed for user
                 xxx@microsoft.com. Ensure that you have authenticated with a developer tool that supports Azure
                 single sign on.
StackTrace     :    at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String
                 additionalMessage, Boolean isCredentialUnavailable)
                    at Azure.Identity.SharedTokenCacheCredential.GetTokenImplAsync(Boolean async, TokenRequestContext
                 requestContext, CancellationToken cancellationToken)
                    at Azure.Identity.SharedTokenCacheCredential.GetTokenAsync(TokenRequestContext requestContext,
                 CancellationToken cancellationToken)
                    at Microsoft.Azure.PowerShell.Authenticators.MsalAccessToken.GetAccessTokenAsync(String
                 callerClassName, String parametersLog, TokenCredential tokenCredential, TokenRequestContext
                 requestContext, CancellationToken cancellationToken, String tenantId, String userId, String
                 homeAccountId)
                    at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzu
                 reAccount account, IAzureEnvironment environment, String tenant, SecureString password, String
                 promptBehavior, Action`1 promptAction, IAzureTokenCache tokenCache, String resourceId)
Exception      : Azure.Identity.CredentialUnavailableException
InvocationInfo : {Get-AzResourceGroup}
Line           : Get-AzResourceGroup -Name bez-rg
Position       : At line:1 char:1
                 + Get-AzResourceGroup -Name bez-rg
                 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId      : 5

Message        : WAM Error
                  Error Code: 3399614476
                  Error Message: (pii)
                  Internal Error Code: 557973645

StackTrace     :    at Microsoft.Identity.Client.Internal.Requests.Silent.SilentRequest.ExecuteAsync(CancellationToken
                 cancellationToken)
                    at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.
                 MoveNext()
                 --- End of stack trace from previous location ---
                    at Microsoft.Identity.Client.Utils.StopwatchService.MeasureCodeBlockAsync(Func`1 codeBlock)
                    at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken
                 cancellationToken)
                    at Microsoft.Identity.Client.ApiConfig.Executors.ClientApplicationBaseExecutor.ExecuteAsync(Acquire
                 TokenCommonParameters commonParameters, AcquireTokenSilentParameters silentParameters,
                 CancellationToken cancellationToken)
                    at Azure.Identity.AbstractAcquireTokenParameterBuilderExtensions.ExecuteAsync[T](AbstractAcquireTok
                 enParameterBuilder`1 builder, Boolean async, CancellationToken cancellationToken)
                    at Azure.Identity.MsalPublicClient.AcquireTokenSilentCoreAsync(String[] scopes, String claims,
                 IAccount account, String tenantId, Boolean enableCae, Boolean async, CancellationToken
                 cancellationToken)
                    at Azure.Identity.MsalPublicClient.AcquireTokenSilentAsync(String[] scopes, String claims,
                 IAccount account, String tenantId, Boolean enableCae, Boolean async, CancellationToken
                 cancellationToken)
                    at Azure.Identity.SharedTokenCacheCredential.GetTokenImplAsync(Boolean async, TokenRequestContext
                 requestContext, CancellationToken cancellationToken)
Exception      : Microsoft.Identity.Client.MsalUiRequiredException
InvocationInfo : {Get-AzResourceGroup}
Line           : Get-AzResourceGroup -Name bez-rg
Position       : At line:1 char:1
                 + Get-AzResourceGroup -Name bez-rg
                 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId      : 5

msJinLei commented 3 months ago

@BethanyZhou It seems that you set Sub1 of TenantB as the default sub, but you fail to acquire a token for TenantB due to MFA. Try running Connect-AzAccount -Tenant TenantB to see whether the issue still exists.
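
One way to check the situation described in the comment above, as an added example that is not part of the thread or the Az project's own code: it lists every tenant the signed-in account can see, tries to get a token for each from the cached login, and signs in again against the context's tenant if that is the one that fails. The function name `Test-AzTenantToken` is hypothetical; the script assumes Az.Accounts is installed and `Connect-AzAccount` has already been run once.

```powershell
# Added example: find which tenants the cached login can get a token for.
# Test-AzTenantToken is a hypothetical helper name, not an Az cmdlet.

function Test-AzTenantToken {
    # Returns one row per tenant visible to the signed-in account, with
    # whether a token for that tenant could be acquired from the cached login.
    [CmdletBinding()]
    param()

    $ctx = Get-AzContext
    if (-not $ctx) { throw 'No Azure context. Run Connect-AzAccount first.' }

    foreach ($tenant in Get-AzTenant) {
        $row = [pscustomobject]@{
            TenantId        = $tenant.Id
            IsContextTenant = ($tenant.Id -eq $ctx.Tenant.Id)
            TokenOk         = $false
            Error           = $null
        }
        try {
            # Request a token for this tenant; the token itself is discarded.
            $null = Get-AzAccessToken -TenantId $tenant.Id -ErrorAction Stop
            $row.TokenOk = $true
        }
        catch {
            # Keep only the first line of the message for the summary table.
            $row.Error = ($_.Exception.Message -split '\r?\n')[0]
        }
        $row
    }
}

$results = Test-AzTenantToken
$results | Format-Table -AutoSize

# If the tenant behind the current context is the one that fails, sign in to
# it explicitly so the interactive (MFA) prompt can be completed.
$blocked = $results | Where-Object { $_.IsContextTenant -and -not $_.TokenOk }
if ($blocked) {
    Connect-AzAccount -TenantId $blocked.TenantId
}
```

A row with `IsContextTenant` true and `TokenOk` false matches the case in the comment: the default subscription lives in a tenant whose token cannot be obtained without user interaction.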

isra-fel commented 3 months ago

If this is related to MFA, why didn't we display the MFA-specific error message? @msJinLei