OData suddenly failing with "Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown."

[SeanKilleen]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Terraform v1.8.5 on windows_amd64

• provider registry.terraform.io/cloudflare/cloudflare v4.35.0
• provider registry.terraform.io/hashicorp/azuread v2.51.0
• provider registry.terraform.io/hashicorp/azurerm v3.107.0
• provider registry.terraform.io/hashicorp/tls v4.0.5
• provider registry.terraform.io/vancluever/acme v2.23.1

Affected Resource(s)

• azuread_user -- used as a data source

Terraform Configuration Files

A minimal reproduction looks to include --

providers.tf:

terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "2.51.0"
    }
  }
}

provider "azuread" {
  tenant_id = var.sct_azure_tenant_id
}

getting the users in main.tf

data "azuread_user" "vm_users" {
  for_each            = var.vm_users
  user_principal_name = each.value
}

To be clear, this has worked for some time and has not been recently changed.

Debug Output

Relevant portion of the Request/response from the debug log is here: https://gist.github.com/SeanKilleen/7d8022776fbb360c9feac86cb2fbb791

Panic Output

Expected Behavior

Pull the users like normal using the data source

Actual Behavior

For each user in that data source, I see:

UsersClient.BaseClient.Get(): unexpected status 401 with OData error: InvalidAuthenticationToken: Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown

I attempted to run az logout and az login from the CLI. Those operations were successful but I still received the error.

Steps to Reproduce

1. terraform apply

Important Factoids

• I'm using the latest az CLI, 2.61.0
• This code has not changed and previously worked.
• The error message in the debug log back from the request is Continuous access evaluation resulted in challenge with result: InteractionRequired and code: TokenIssuedBeforeRevocationTimestamp -- I'll do some research on that.

References

• I noticed a similar issue on the az CLI repo from yesterday -- Wondering if something might be happening at the API level that's common to them both. https://github.com/Azure/azure-cli/issues/29155
• I see a similar issue at https://github.com/Azure/azure-cli/issues/26504 but in their case, running az logout and az login fixed it; in my case it does not appear to do so.

[SeanKilleen]

This must have been a transient issue -- after multiple rounds of az logout and az login, it resolved itself.

The exact steps I took before it was fixed (though I don't believe they influenced the outcome):

• Close all VS Code and terminal windows
• Open a new terminal window
• Run az logout
• Run az login
• Run az ad user list to verify I could see things via that command (possibly this resolved it by syncing things up?)
• Open VS Code and run my terraform apply statement.

I'm going to close this but wanted to put the information here in case others can benefit.

[manicminer]

Hi @SeanKilleen, thanks for reporting. This appears to be either an API issue/outage, or an Azure CLI bug, so I don't believe there would be anything for us to do here.