Azure / azure-sdk-for-net

This repository is for active development of the Azure SDK for .NET. For consumers of the SDK we recommend visiting our public developer docs at https://learn.microsoft.com/dotnet/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-net.
MIT License

[BUG] VisualStudioCredential error AADSTS65002 connecting to Azure SQL in Azure Gov Cloud #41040

Closed LightBulbIdea closed 2 months ago

LightBulbIdea commented 8 months ago

Library name and version

Azure.Identity 1.10.4

Describe the bug

Using VisualStudioCredential via DefaultAzureCredential to run applications locally using Azure SQL in Gov Cloud fails with an error indicating the consent between Visual Studio and Azure SQL needs to be approved by Microsoft. I am using the same DefaultAzureCredential in the same app to retrieve Key Vault secrets and it works fine.

Expected behavior

A user logged in to Visual Studio with an appropriate account should be able to authenticate using VisualStudioCredential

Actual behavior

The following error is thrown when attempting to obtain a token for Azure SQL:

Process "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\Common7\IDE\CommonExtensions\Microsoft\Asal\TokenService\Microsoft.Asal.TokenService.exe" has failed with unexpected error: TS003: Error, TS004: Unable to get access token. 'WAM Error Error Code: 3399614466 Error Message: IncorrectConfiguration WAM Error Message: V2Error: invalid_request AADSTS65002: Consent between first party application '04f0c124-f2bc-4f59-8241-bf6df9866bbd' and first party resource '022907d3-0f1b-48f7-badc-1ba6abab6d66' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API. Trace ID: 219a7c2f-9980-4242-89f3-b15606770b00 Correlation ID: ff3a0690-222f-4ec9-8653-ccc8df5cc1d5 Timestamp: 2024-01-05 19:16:23Z Internal Error Code: 557973643 Possible causes: -Invalid redirect uri - ensure you have configured the following url in the application registration in Azure Portal: ms-appx-web://microsoft.aad.brokerplugin/04f0c124-f2bc-4f59-8241-bf6df9866bbd '.

Reproduction Steps

Log in to Visual Studio as a user with permissions on an Azure SQL Server (currently using a user with Global Administrator permission). Log out of Azure CLI, Azure PowerShell and other possible credential sources (make sure to only use VS credentials).

Use the following code to attempt to connect to a database and run a query.

```csharp
using Microsoft.Data.SqlClient; // "Active Directory Default" is only supported by Microsoft.Data.SqlClient

using (SqlConnection conn = new SqlConnection())
{
    conn.ConnectionString =
        "Server={yourServerName}.database.usgovcloudapi.net,1433;" +
        "Initial Catalog={yourDatabaseName};" +
        "Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;" +
        "Authentication=\"Active Directory Default\";";
    conn.Open(); // will crash here
}
```

Environment

Visual Studio 17.8.3

```text
.NET SDK:
 Version:           8.0.100
 Commit:            57efcf1350
 Workload version:  8.0.100-manifests.8d38d0cc

Runtime Environment:
 OS Name:     Windows
 OS Version:  10.0.22631
 OS Platform: Windows
 RID:         win-x64
 Base Path:   C:\Program Files\dotnet\sdk\8.0.100\

.NET workloads installed:
 Workload version: 8.0.100-manifests.8d38d0cc
 [maui-windows]
   Installation Source: VS 17.8.34330.188
   Manifest Version:    8.0.3/8.0.100
   Manifest Path:       C:\Program Files\dotnet\sdk-manifests\8.0.100\microsoft.net.sdk.maui\8.0.3\WorkloadManifest.json
   Install Type:        Msi
 [maccatalyst]
   Installation Source: VS 17.8.34330.188
   Manifest Version:    17.0.8478/8.0.100
   Manifest Path:       C:\Program Files\dotnet\sdk-manifests\8.0.100\microsoft.net.sdk.maccatalyst\17.0.8478\WorkloadManifest.json
   Install Type:        Msi
 [ios]
   Installation Source: VS 17.8.34330.188
   Manifest Version:    17.0.8478/8.0.100
   Manifest Path:       C:\Program Files\dotnet\sdk-manifests\8.0.100\microsoft.net.sdk.ios\17.0.8478\WorkloadManifest.json
   Install Type:        Msi
 [android]
   Installation Source: VS 17.8.34330.188
   Manifest Version:    34.0.43/8.0.100
   Manifest Path:       C:\Program Files\dotnet\sdk-manifests\8.0.100\microsoft.net.sdk.android\34.0.43\WorkloadManifest.json
   Install Type:        Msi

Host:
  Version:      8.0.0
  Architecture: x64
  Commit:       5535e31a71

.NET SDKs installed:
  8.0.100 [C:\Program Files\dotnet\sdk]

.NET runtimes installed:
  Microsoft.AspNetCore.App 8.0.0 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 6.0.11 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 8.0.0 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.WindowsDesktop.App 6.0.11 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 8.0.0 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]

Other architectures found:
  x86   [C:\Program Files (x86)\dotnet]
    registered at [HKLM\SOFTWARE\dotnet\Setup\InstalledVersions\x86\InstallLocation]

Environment variables:
  Not set

global.json file:
  Not found

Learn more:
  https://aka.ms/dotnet/info
```
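For readers hitting the same setup, here is an added example (not code from the issue or from the Azure SDK repo) that pins Azure.Identity to the Azure Government authority host, excludes the credentials that cannot work on a developer machine (managed identity, whose IMDS endpoint 169.254.169.254 is only reachable inside Azure), and hands the resulting token to SqlConnection explicitly instead of relying on the "Active Directory Default" connection-string keyword. The token scope for Azure SQL in US Government cloud and the server/database names are assumptions.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Microsoft.Data.SqlClient;

// Added example: Azure SQL (US Gov) login via DefaultAzureCredential with an explicit
// sovereign-cloud authority. Not taken from the issue or the SDK repository.
public static class GovSqlAuth
{
    // Assumption: token audience for Azure SQL in the US Government cloud.
    private const string SqlScope = "https://database.usgovcloudapi.net/.default";

    public static TokenCredential BuildCredential()
    {
        var options = new DefaultAzureCredentialOptions
        {
            // Default is the public cloud; Gov SQL needs the Gov login endpoint.
            AuthorityHost = AzureAuthorityHosts.AzureGovernment,
            // IMDS (169.254.169.254) is unreachable locally; skip it so the chain
            // fails fast with a clear message instead of a TCP error.
            ExcludeManagedIdentityCredential = true,
            ExcludeEnvironmentCredential = true,
            ExcludeAzureCliCredential = true,
            ExcludeAzurePowerShellCredential = true,
            // VisualStudioCredential stays enabled: it is the credential under test.
        };
        return new DefaultAzureCredential(options);
    }

    public static async Task<string> WhoAmIAsync(string server, string database, CancellationToken ct = default)
    {
        AccessToken token = await BuildCredential()
            .GetTokenAsync(new TokenRequestContext(new[] { SqlScope }), ct);

        // Do NOT also set Authentication= in the connection string when using AccessToken.
        var csb = new SqlConnectionStringBuilder
        {
            DataSource = $"{server}.database.usgovcloudapi.net,1433",
            InitialCatalog = database,
            Encrypt = true,
            TrustServerCertificate = false,
            ConnectTimeout = 30,
        };

        using var conn = new SqlConnection(csb.ConnectionString) { AccessToken = token.Token };
        await conn.OpenAsync(ct);
        using var cmd = new SqlCommand("SELECT SUSER_SNAME();", conn);
        return (string)(await cmd.ExecuteScalarAsync(ct))!; // Entra identity SQL sees
    }
}
```

If the AADSTS65002 preauthorization error still appears, it comes from the token request itself (the GetTokenAsync call), before any connection to SQL is attempted, which separates the consent problem from network or firewall issues.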

jsquire commented 8 months ago

Thank you for your feedback. Tagging and routing to the team member best able to assist.

christothes commented 8 months ago

//cc @crmann1

Bboyaji commented 8 months ago

@LightBulbIdea in order to ensure we set up the preauthorization correctly on our end, we would like to confirm with you what permissions are required. Will User.Read be sufficient? If not, please let us know the scope of the permissions required for your use case.

LightBulbIdea commented 8 months ago

@Bboyaji I am not entirely sure how these permissions translate to Azure SQL. But we can start with just User.Read and see how it goes. I can report here whether we need more elevated permissions or not.

Bboyaji commented 8 months ago

@LightBulbIdea it seems like additional permissions will be required; it looks like User.Read is already in the system. I wanted to confirm: are you trying to access a public cloud or a private gov cloud?

LightBulbIdea commented 8 months ago

@Bboyaji I am trying to connect to Azure US Gov Cloud.

github-actions[bot] commented 7 months ago

Hi @LightBulbIdea. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text "/unresolve" to remove the "issue-addressed" label and continue the conversation.

LightBulbIdea commented 7 months ago

/unresolve

LightBulbIdea commented 7 months ago

It seems that we have made some progress, however I am now facing a TCP error. Here are the error details...


Error message: connecting to 169.254.169.254:80: connecting to 169.254.169.254:80: dial tcp 169.254.169.254:80: connectex: A socket operation was attempted to an unreachable network.

Does Azure need to enable something for me? Do I need to whitelist something? Not entirely sure how to fix this. A quick Google search on the IP address shows that it is the Azure Instance Metadata Service https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service?tabs=windows.

christothes commented 7 months ago

@LightBulbIdea This is the IP of the managed identity endpoint. If you are debugging this locally, this is expected to fail.

LightBulbIdea commented 7 months ago

@christothes If I understand you correctly, there is no way for us to use MS Entra from our local instances of VS when authenticating against US Gov Cloud Azure SQL Server, correct?

I was able to do this with no issues when running VS against Azure Public Cloud Azure SQL Server.

christothes commented 7 months ago

@LightBulbIdea - sorry for the confusion, but what I meant in my previous comment was that the error you are showing related to the 169.254.169.254 address is expected when running locally. This address is only available when running in Azure on a resource that has a managed identity configured.

But it looks like the Visual Studio application still needs to be pre-authorized for the US Gov cloud. I've contacted the appropriate folks to make sure that process is in motion.

LightBulbIdea commented 7 months ago

@christothes thank you for the clarification. It seems that I misunderstood your previous comment.

Also, thank you for contacting the folks that can fix this for me. I'll wait to hear an update from you guys.

christothes commented 2 months ago

If this hasn't been resolved yet, the appropriate way to report this is via the instructions mentioned here and include the details of the AADSTS65002 error via the reporting link mentioned in the link above.

crmann1 commented 2 months ago

The SQL team has deployed the changes so it should work now.