Unable to get a token for Data Explorer/Log Analytics clusters hosted on Azure China

[ludwhe]

• Azure Data Studio Version: 1.42.0
• OS Version: Windows 11 Enterprise 22H2

Steps to Reproduce:

Scenario 1 (Azure Data Explorer) :

• Add an Azure account hosted in Azure China
• Attempt to connect to an Azure Data Explorer Cluster (optional parameters omitted)

Connection type : Azure Data Explorer (Kusto)
Cluster : <cluster-url>
Authentication type : Azure Active Directory - Universal with MFA support
Account : <az-china-account>
Database : <Default>

• Connect, get the following error :

  Error: failed to get token.

Scenario 2 (Log Analytics Workspace) :

• Add an Azure account hosted in Azure China
• Attempt to connect to a Log Analytics Workspace (optional parameters omitted)

  Connection type : Azure Monitor Logs
  Workspace ID : <workspace-id>
  Authentication type : Azure Active Directory - Universal with MFA support
  Account : <az-china-account>

• Connect, get the following error :

  Error: invalid_request occurred when acquiring token.
  65002 - [2023-03-24 11:07:48Z]: AADSTS65002: Consent between first party application 'REDACTED' and first party resource 'REDACTED' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API.
  Trace ID: REDACTED
  Correlation ID: REDACTED
  Timestamp: 2023-03-24 11:07:48Z - Correlation ID: REDACTED - Trace ID: REDACTED

Does this issue occur when all extensions are disabled?: N/A

[github-actions[bot]]

We need more info to debug your Azure Active Directory issue. If you could attach your logs to the issue (ensure no private data is in them), it would help us fix the issue much faster.

• In the settings menu, find the setting titled Azure: Logging Level and select the Verbose option
• Run the process that produces your error
• Open command palette (Click View -> Command Palette)
• Run the command: Developer: Open Logs Folder
• Follow this path to find the Azure Accounts log file: [default log folder]/exthost1/output_logging_[earliest timestamp]/#-Azure Acounts.log
• Please attach the Azure-Accounts.log file to the issue.

[ludwhe]

Hello, Please find the requested logs in the attachments. I redacted some identifying information (tenant/application/resource IDs), but left trace and correlation IDs.

AzAccounts_Sc1_ADX.log AzAccounts_Sc2_LAW.log

[cheenamalhotra]

Thanks for the logs @ludwhe

@cssuh Can you please take a look? It seems there are 2 issues:

1. Kusto endpoints are missing from non-public clouds
2. Log Analytics resources are not configured in first party app, based on this error: AADSTS65002: Consent between first party application ':appId' and first party resource ':resourceName' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API.

[ludwhe]

Thank you for the updates on this issue, just a heads up following the April 2023 version release, including the first part of the fix as implemented in the linked PR : attempting to connect to Azure Data Explorer in China now causes the same error as attempting to connect to Log Analytics workspaces, i.e. the first-party app consent issue.

Namely :

Error: invalid_request occurred when acquiring token.
65002 - [2023-04-13 09:15:25Z]: AADSTS65002: Consent between first party application 'REDACTED' and first party resource 'REDACTED' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API.
Trace ID: REDACTED
Correlation ID: REDACTED
Timestamp: 2023-04-13 09:15:25Z - Correlation ID: REDACTED - Trace ID: REDACTED

[cssuh]

Hi @ludwhe, yes we are working with the Log Analytics team to get our app pre-authorized, we will let you know once this process is complete.

[cssuh]

Hi @ludwhe, Log Analytics for Mooncake has been preauthorized, Kusto is still in progress. Can you give Log Analytics a try in the meantime?

[ludwhe]

Hello, thank you for the update ! Still getting an error, though a different one, find logs attached ; had yet another one while testing this morning, indicating the workspace could not be found, though this seems to have stopped after I removed and re-added all accounts. 1-Azure Accounts.log

[cssuh]

Hi @ludwhe , thanks for the response we will look into that error - we are working on preauthorization for Azure Data Explorer and will let you know when it's complete.

[cssuh]

Hi @ludwhe, ADS has now been preauthorized for Azure Data Explorer in Azure China, can you please go ahead and give it a try?

[ludwhe]

Hello, thanks for the update! Getting the same error as for Log Analytics:

Error: invalid_grant occurred when acquiring token.
9002313 - [2023-05-12 09:53:00Z]: AADSTS9002313: Invalid request. Request is malformed or invalid.
Trace ID: 03c4c493-cfc2-4f8e-b6de-202efb645000
Correlation ID: 59d80128-9983-491c-9644-5bc3242adfca
Timestamp: 2023-05-12 09:53:00Z - Correlation ID: 59d80128-9983-491c-9644-5bc3242adfca - Trace ID: 03c4c493-cfc2-4f8e-b6de-202efb645000

[ludwhe]

Hello, some good news regarding this: had to setup Data Studio on a new computer, after updating to 1.44.0 on the new install, connecting to Data Explorer works ! Thank you for the work on this 😄 Connecting to Log Aalytics however does not :

System.Exception: The Log Analytics Workspace can not be reached. Please validate the Workspace ID, the correct tenant is selected, and that you have access to the workspace. 
Error Message: The provided authentication is not valid for this resource

   at Microsoft.Kusto.ServiceLayer.DataSource.Monitor.MonitorClient.LoadMetadata(Boolean refresh) in D:\a\1\s\src\Microsoft.Kusto.ServiceLayer\DataSource\Monitor\MonitorClient.cs:line 64
   at Microsoft.Kusto.ServiceLayer.DataSource.Monitor.MonitorIntellisenseClient..ctor(MonitorClient monitorClient) in D:\a\1\s\src\Microsoft.Kusto.ServiceLayer\DataSource\Monitor\MonitorIntellisenseClient.cs:line 17
   at Microsoft.Kusto.ServiceLayer.DataSource.DataSourceFactory.Create(ConnectionDetails connectionDetails, String ownerUri) in D:\a\1\s\src\Microsoft.Kusto.ServiceLayer\DataSource\DataSourceFactory.cs:line 44
   at Microsoft.Kusto.ServiceLayer.Connection.ReliableDataSourceConnection..ctor(ConnectionDetails connectionDetails, RetryPolicy connectionRetryPolicy, RetryPolicy commandRetryPolicy, IDataSourceFactory dataSourceFactory, String ownerUri) in D:\a\1\s\src\Microsoft.Kusto.ServiceLayer\DataSource\ReliableDataSourceConnection.cs:line 65
   at Microsoft.Kusto.ServiceLayer.Connection.DataSourceConnectionFactory.CreateDataSourceConnection(ConnectionDetails connectionDetails, String ownerUri) in D:\a\1\s\src\Microsoft.Kusto.ServiceLayer\Connection\DataSourceConnectionFactory.cs:line 36
   at Microsoft.Kusto.ServiceLayer.Connection.ConnectionService.TryOpenConnection(ConnectionInfo connectionInfo, ConnectParams connectionParams) in D:\a\1\s\src\Microsoft.Kusto.ServiceLayer\Connection\ConnectionService.cs:line 402

[ricardoschroeder]

I've the same issue connecting to Log Analytics after upgrading to the latest version: Version: 1.44.1 (user setup) Commit: 8f53a316fa00a98264f1ab119641cd540b5af25c Date: 2023-06-01T02:12:48.765Z VS Code: 1.70.0 Electron: 19.1.8 Chromium: 102.0.5005.167 Node.js: 16.14.2 V8: 10.2.154.15-electron.0 OS: Windows_NT x64 10.0.19044

Hello, some good news regarding this: had to setup Data Studio on a new computer, after updating to 1.44.0 on the new install, connecting to Data Explorer works ! Thank you for the work on this 😄 Connecting to Log Aalytics however does not :

System.Exception: The Log Analytics Workspace can not be reached. Please validate the Workspace ID, the correct tenant is selected, and that you have access to the workspace. 
Error Message: The provided authentication is not valid for this resource

   at Microsoft.Kusto.ServiceLayer.DataSource.Monitor.MonitorClient.LoadMetadata(Boolean refresh) in D:\a\1\s\src\Microsoft.Kusto.ServiceLayer\DataSource\Monitor\MonitorClient.cs:line 64
   at Microsoft.Kusto.ServiceLayer.DataSource.Monitor.MonitorIntellisenseClient..ctor(MonitorClient monitorClient) in D:\a\1\s\src\Microsoft.Kusto.ServiceLayer\DataSource\Monitor\MonitorIntellisenseClient.cs:line 17
   at Microsoft.Kusto.ServiceLayer.DataSource.DataSourceFactory.Create(ConnectionDetails connectionDetails, String ownerUri) in D:\a\1\s\src\Microsoft.Kusto.ServiceLayer\DataSource\DataSourceFactory.cs:line 44
   at Microsoft.Kusto.ServiceLayer.Connection.ReliableDataSourceConnection..ctor(ConnectionDetails connectionDetails, RetryPolicy connectionRetryPolicy, RetryPolicy commandRetryPolicy, IDataSourceFactory dataSourceFactory, String ownerUri) in D:\a\1\s\src\Microsoft.Kusto.ServiceLayer\DataSource\ReliableDataSourceConnection.cs:line 65
   at Microsoft.Kusto.ServiceLayer.Connection.DataSourceConnectionFactory.CreateDataSourceConnection(ConnectionDetails connectionDetails, String ownerUri) in D:\a\1\s\src\Microsoft.Kusto.ServiceLayer\Connection\DataSourceConnectionFactory.cs:line 36
   at Microsoft.Kusto.ServiceLayer.Connection.ConnectionService.TryOpenConnection(ConnectionInfo connectionInfo, ConnectParams connectionParams) in D:\a\1\s\src\Microsoft.Kusto.ServiceLayer\Connection\ConnectionService.cs:line 402

[cssuh]

@ricardoschroeder is this for the Azure China cloud or Public Cloud?

[cssuh]

@ludwhe we are currently working with the log analytics team to get this error fixed, I will let you know when we have an update.

[ricardoschroeder]

@ricardoschroeder is this for the Azure China cloud or Public Cloud?

@cssuh it's for public cloud

[cssuh]

@ricardoschroeder do you have a request ID for this error?

[cssuh]

Hi @ricardoschroeder @ludwhe, can you please try the latest release of ADS (1.45) and see if that fixes your issue?

[ludwhe]

Hello ! Getting the following error :

System.Exception: The Log Analytics Workspace can not be reached. Please validate the Workspace ID, the correct tenant is selected, and that you have access to the workspace. 
Error Message: The provided authentication is not valid for this resource

   at Microsoft.Kusto.ServiceLayer.DataSource.Monitor.MonitorClient.LoadMetadata(Boolean refresh) in D:\a\1\s\src\Microsoft.Kusto.ServiceLayer\DataSource\Monitor\MonitorClient.cs:line 64
   at Microsoft.Kusto.ServiceLayer.DataSource.Monitor.MonitorIntellisenseClient..ctor(MonitorClient monitorClient) in D:\a\1\s\src\Microsoft.Kusto.ServiceLayer\DataSource\Monitor\MonitorIntellisenseClient.cs:line 17
   at Microsoft.Kusto.ServiceLayer.DataSource.DataSourceFactory.Create(ConnectionDetails connectionDetails, String ownerUri) in D:\a\1\s\src\Microsoft.Kusto.ServiceLayer\DataSource\DataSourceFactory.cs:line 44
   at Microsoft.Kusto.ServiceLayer.Connection.ReliableDataSourceConnection..ctor(ConnectionDetails connectionDetails, RetryPolicy connectionRetryPolicy, RetryPolicy commandRetryPolicy, IDataSourceFactory dataSourceFactory, String ownerUri) in D:\a\1\s\src\Microsoft.Kusto.ServiceLayer\DataSource\ReliableDataSourceConnection.cs:line 65
   at Microsoft.Kusto.ServiceLayer.Connection.DataSourceConnectionFactory.CreateDataSourceConnection(ConnectionDetails connectionDetails, String ownerUri) in D:\a\1\s\src\Microsoft.Kusto.ServiceLayer\Connection\DataSourceConnectionFactory.cs:line 36
   at Microsoft.Kusto.ServiceLayer.Connection.ConnectionService.TryOpenConnection(ConnectionInfo connectionInfo, ConnectParams connectionParams) in D:\a\1\s\src\Microsoft.Kusto.ServiceLayer\Connection\ConnectionService.cs:line 402

[asmithamk]

Also getting this same issue. Not related to Azure China either. I'm attempting to connect to instances in Azure Commercial and receive the following error after trying a number of the usual "fixes." Also running latest 1.45.0

System.Exception: The Log Analytics Workspace can not be reached. Please validate the Workspace ID, the correct tenant is selected, and that you have access to the workspace. 
Error Message: The provided authentication is not valid for this resource

Also installed and tested with ADS Preview release, v 1.46 and got the same result.

[yooakim]

I also encounter this issue when trying to connect to Azure Log Analytics.

--- Error message ---
System.Exception: The Log Analytics Workspace can not be reached. Please validate the Workspace ID, the correct tenant is selected, and that you have access to the workspace. 
Error Message: The provided authentication is not valid for this resource

   at Microsoft.Kusto.ServiceLayer.DataSource.Monitor.MonitorClient.LoadMetadata(Boolean refresh) in D:\a\1\s\src\Microsoft.Kusto.ServiceLayer\DataSource\Monitor\MonitorClient.cs:line 64
   at Microsoft.Kusto.ServiceLayer.DataSource.Monitor.MonitorIntellisenseClient..ctor(MonitorClient monitorClient) in D:\a\1\s\src\Microsoft.Kusto.ServiceLayer\DataSource\Monitor\MonitorIntellisenseClient.cs:line 17
   at Microsoft.Kusto.ServiceLayer.DataSource.DataSourceFactory.Create(ConnectionDetails connectionDetails, String ownerUri) in D:\a\1\s\src\Microsoft.Kusto.ServiceLayer\DataSource\DataSourceFactory.cs:line 44
   at Microsoft.Kusto.ServiceLayer.Connection.ReliableDataSourceConnection..ctor(ConnectionDetails connectionDetails, RetryPolicy connectionRetryPolicy, RetryPolicy commandRetryPolicy, IDataSourceFactory dataSourceFactory, String ownerUri) in D:\a\1\s\src\Microsoft.Kusto.ServiceLayer\DataSource\ReliableDataSourceConnection.cs:line 65
   at Microsoft.Kusto.ServiceLayer.Connection.DataSourceConnectionFactory.CreateDataSourceConnection(ConnectionDetails connectionDetails, String ownerUri) in D:\a\1\s\src\Microsoft.Kusto.ServiceLayer\Connection\DataSourceConnectionFactory.cs:line 36
   at Microsoft.Kusto.ServiceLayer.Connection.ConnectionService.TryOpenConnection(ConnectionInfo connectionInfo, ConnectParams connectionParams) in D:\a\1\s\src\Microsoft.Kusto.ServiceLayer\Connection\ConnectionService.cs:line 402

This is Public Azure, resources in West Europe. Azure Data Studio info:

Version: 1.45.1 (system setup)
Commit: 88c21b1725a3e79440027bdb7b5a55fb036be0e2
Date: 2023-08-03T00:42:37.945Z
VS Code: 1.79.2
Electron: 22.3.14
Chromium: 108.0.5359.215
Node.js: 16.17.1
V8: 10.8.168.25-electron.0
OS: Windows_NT x64 10.0.22621

[egallis31]

Encountering the same with US East - Log Analytics - Public Cloud

System.Exception: The Log Analytics Workspace can not be reached. Please validate the Workspace ID, the correct tenant is selected, and that you have access to the workspace. 
Error Message: The provided authentication is not valid for this resource

   at Microsoft.Kusto.ServiceLayer.DataSource.Monitor.MonitorClient.LoadMetadata(Boolean refresh) in D:\a\1\s\src\Microsoft.Kusto.ServiceLayer\DataSource\Monitor\MonitorClient.cs:line 64
   at Microsoft.Kusto.ServiceLayer.DataSource.Monitor.MonitorIntellisenseClient..ctor(MonitorClient monitorClient) in D:\a\1\s\src\Microsoft.Kusto.ServiceLayer\DataSource\Monitor\MonitorIntellisenseClient.cs:line 17
   at Microsoft.Kusto.ServiceLayer.DataSource.DataSourceFactory.Create(ConnectionDetails connectionDetails, String ownerUri) in D:\a\1\s\src\Microsoft.Kusto.ServiceLayer\DataSource\DataSourceFactory.cs:line 44
   at Microsoft.Kusto.ServiceLayer.Connection.ReliableDataSourceConnection..ctor(ConnectionDetails connectionDetails, RetryPolicy connectionRetryPolicy, RetryPolicy commandRetryPolicy, IDataSourceFactory dataSourceFactory, String ownerUri) in D:\a\1\s\src\Microsoft.Kusto.ServiceLayer\DataSource\ReliableDataSourceConnection.cs:line 65
   at Microsoft.Kusto.ServiceLayer.Connection.DataSourceConnectionFactory.CreateDataSourceConnection(ConnectionDetails connectionDetails, String ownerUri) in D:\a\1\s\src\Microsoft.Kusto.ServiceLayer\Connection\DataSourceConnectionFactory.cs:line 36
   at Microsoft.Kusto.ServiceLayer.Connection.ConnectionService.TryOpenConnection(ConnectionInfo connectionInfo, ConnectParams connectionParams) in D:\a\1\s\src\Microsoft.Kusto.ServiceLayer\Connection\ConnectionService.cs:line 402

Version: 1.46.1 (user setup)
Commit: ba29842b81dec01177415e53948ca2168e69c3f8
Date: 2023-10-02T18:14:22.887Z
VS Code: 1.79.2
Electron: 22.3.25
Chromium: 108.0.5359.215
Node.js: 16.17.1
V8: 10.8.168.25-electron.0
OS: Windows_NT x64 10.0.22631

[blarsern]

Same problem here, can't use log analytics in azure data studio.. West europe.

The Log Analytics Workspace can not be reached. Please validate the Workspace ID, the correct tenant is selected, and that you have access to the workspace. Error Message: The provided authentication is not valid for this resource

Any workarounds at all ?

[Expecho]

Any update on this? Issue is still valid :-(

[UWwizard]

I had to revert back to version 1.41.3 to get it to work again.

[ByMitta]

I've the same issue connecting to Log Analytics after upgrading to the latest version: Version: 1.44.1 (user setup) Commit: 8f53a31 Date: 2023-06-01T02:12:48.765Z VS Code: 1.70.0 Electron: 19.1.8 Chromium: 102.0.5005.167 Node.js: 16.14.2 V8: 10.2.154.15-electron.0 OS: Windows_NT x64 10.0.19044

Hello, some good news regarding this: had to setup Data Studio on a new computer, after updating to 1.44.0 on the new install, connecting to Data Explorer works ! Thank you for the work on this 😄 Connecting to Log Aalytics however does not :

System.Exception: The Log Analytics Workspace can not be reached. Please validate the Workspace ID, the correct tenant is selected, and that you have access to the workspace. 
Error Message: The provided authentication is not valid for this resource

   at Microsoft.Kusto.ServiceLayer.DataSource.Monitor.MonitorClient.LoadMetadata(Boolean refresh) in D:\a\1\s\src\Microsoft.Kusto.ServiceLayer\DataSource\Monitor\MonitorClient.cs:line 64
   at Microsoft.Kusto.ServiceLayer.DataSource.Monitor.MonitorIntellisenseClient..ctor(MonitorClient monitorClient) in D:\a\1\s\src\Microsoft.Kusto.ServiceLayer\DataSource\Monitor\MonitorIntellisenseClient.cs:line 17
   at Microsoft.Kusto.ServiceLayer.DataSource.DataSourceFactory.Create(ConnectionDetails connectionDetails, String ownerUri) in D:\a\1\s\src\Microsoft.Kusto.ServiceLayer\DataSource\DataSourceFactory.cs:line 44
   at Microsoft.Kusto.ServiceLayer.Connection.ReliableDataSourceConnection..ctor(ConnectionDetails connectionDetails, RetryPolicy connectionRetryPolicy, RetryPolicy commandRetryPolicy, IDataSourceFactory dataSourceFactory, String ownerUri) in D:\a\1\s\src\Microsoft.Kusto.ServiceLayer\DataSource\ReliableDataSourceConnection.cs:line 65
   at Microsoft.Kusto.ServiceLayer.Connection.DataSourceConnectionFactory.CreateDataSourceConnection(ConnectionDetails connectionDetails, String ownerUri) in D:\a\1\s\src\Microsoft.Kusto.ServiceLayer\Connection\DataSourceConnectionFactory.cs:line 36
   at Microsoft.Kusto.ServiceLayer.Connection.ConnectionService.TryOpenConnection(ConnectionInfo connectionInfo, ConnectParams connectionParams) in D:\a\1\s\src\Microsoft.Kusto.ServiceLayer\Connection\ConnectionService.cs:line 402

I am also having this issue. Im using version 1.48.0

[giacomotaba]

I am also having this issue. Im using version 1.48.0

Encountering the same with US East - Log Analytics - Public Cloud

System.Exception: The Log Analytics Workspace can not be reached. Please validate the Workspace ID, the correct tenant is selected, and that you have access to the workspace. 
Error Message: The provided authentication is not valid for this resource

   at Microsoft.Kusto.ServiceLayer.DataSource.Monitor.MonitorClient.LoadMetadata(Boolean refresh) in D:\a\1\s\src\Microsoft.Kusto.ServiceLayer\DataSource\Monitor\MonitorClient.cs:line 64
   at Microsoft.Kusto.ServiceLayer.DataSource.Monitor.MonitorIntellisenseClient..ctor(MonitorClient monitorClient) in D:\a\1\s\src\Microsoft.Kusto.ServiceLayer\DataSource\Monitor\MonitorIntellisenseClient.cs:line 17
   at Microsoft.Kusto.ServiceLayer.DataSource.DataSourceFactory.Create(ConnectionDetails connectionDetails, String ownerUri) in D:\a\1\s\src\Microsoft.Kusto.ServiceLayer\DataSource\DataSourceFactory.cs:line 44
   at Microsoft.Kusto.ServiceLayer.Connection.ReliableDataSourceConnection..ctor(ConnectionDetails connectionDetails, RetryPolicy connectionRetryPolicy, RetryPolicy commandRetryPolicy, IDataSourceFactory dataSourceFactory, String ownerUri) in D:\a\1\s\src\Microsoft.Kusto.ServiceLayer\DataSource\ReliableDataSourceConnection.cs:line 65
   at Microsoft.Kusto.ServiceLayer.Connection.DataSourceConnectionFactory.CreateDataSourceConnection(ConnectionDetails connectionDetails, String ownerUri) in D:\a\1\s\src\Microsoft.Kusto.ServiceLayer\Connection\DataSourceConnectionFactory.cs:line 36
   at Microsoft.Kusto.ServiceLayer.Connection.ConnectionService.TryOpenConnection(ConnectionInfo connectionInfo, ConnectParams connectionParams) in D:\a\1\s\src\Microsoft.Kusto.ServiceLayer\Connection\ConnectionService.cs:line 402

I am also having this issue. Im using version 1.48.1

[zhusulai]

I'm also having this issue. I'm using Version: 1.48.1 of the Azure Data Studio and Version v0.1.9 of the Azure Monitor Logs extension.