Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[BUG] InteractiveBrowserCredential fails when using a personal/MSA account without passing tenant_id #21830

Closed
anpaz opened this issue Jun 11, 2021 · 5 comments
Assignees
Labels
Azure.Identity Client This issue points to a problem in the data-plane of the library. needs-author-feedback Workflow: More information is needed from author to address the issue.

Comments

@anpaz
Copy link

anpaz commented Jun 11, 2021

Describe the bug

When using InteractiveBrowserCredential with a personal/MSA account without passing the user's TenantId, the interactive authentication fails with message:

User account 'email@outlook.com' from identity provider 'live.com' does not exist in tenant 'Microsoft Services' and cannot
access the application '04b07795-8ddb-461a-bbee-02f9e1bf7b46'(Microsoft Azure CLI) in that tenant. The account needs to
be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

To Reproduce

Steps to reproduce the behavior:

  1. Use the InteractiveBrowserCredential with any Azure SDK client that accepts it, without passing the tenant_id.
  2. Attempt to login using a personal/MSA account
    When the browser authentication opens a new https://login.microsoftonline.com/ web page, try to login with a personal/MSA account such as email@outlook.com. A work/school account should authenticate just fine.
    In the case of a personal/MSA account you should see the error message described above.

Sample code:

    var credential = new InteractiveBrowserCredential();
    
    var blobClient = new BlobClient(new Uri("https://myaccount.blob.core.windows.net/mycontainer/myblob"), credential);
    var result = blobClient.DownloadContent();

Expected behavior

We should spare the user from passing their personal account tenant id and had a seamless experience as found with az login.

Workarounds

Option 1: Use the DefaultAzureCredential and pass the tenant_id via environment variable
a) Find your account tenant_id: How to find your Azure Active Directory tenant ID
b) Before running the program, set the AZURE_TENANT_ID environment variable with your tenant_id value.
PowerShell example:

$env:AZURE_TENANT_ID = "your tenant id"

Option 2: Pass the tenant_id via the InteractiveBrowserCredential
a) Find your account tenant_id: How to find your Azure Active Directory tenant ID
b) Pass your tenant_id as part of the InteractiveBrowserCredential constructor:

    var options = new InteractiveBrowserCredentialOptions { TenantId = "ed8ca8a2-451e-4a07-b172-f38e7969c820" };
    var credential = new InteractiveBrowserCredential(options);

Environment:

  • Name and version of the Library package used: Azure.Storage.Blobs 12.9.0, Azure.Identity 1.4.0
  • Hosting platform or OS and .NET runtime version
>dotnet --info
.NET SDK (reflecting any global.json):
 Version:   5.0.204
 Commit:    84d1fe1bb7

Runtime Environment:
 OS Name:     Windows
 OS Version:  10.0.19042
 OS Platform: Windows
 RID:         win10-x64
 Base Path:   C:\Program Files\dotnet\sdk\5.0.204\

Host (useful for support):
  Version: 5.0.7
  Commit:  556582d964

.NET SDKs installed:
  2.1.524 [C:\Program Files\dotnet\sdk]
  2.1.816 [C:\Program Files\dotnet\sdk]
  2.2.401 [C:\Program Files\dotnet\sdk]
  2.2.402 [C:\Program Files\dotnet\sdk]
  3.0.103 [C:\Program Files\dotnet\sdk]
  3.1.302 [C:\Program Files\dotnet\sdk]
  3.1.404 [C:\Program Files\dotnet\sdk]
  3.1.410 [C:\Program Files\dotnet\sdk]
  5.0.203 [C:\Program Files\dotnet\sdk]
  5.0.204 [C:\Program Files\dotnet\sdk]

.NET runtimes installed:
  Microsoft.AspNetCore.All 2.1.28 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.All 2.2.6 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.All 2.2.7 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.App 2.1.28 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 2.2.6 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 2.2.7 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 3.0.3 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 3.1.15 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 3.1.16 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 5.0.6 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 5.0.7 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 2.1.28 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.2.6 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.2.7 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 3.0.3 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 3.1.15 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 3.1.16 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 5.0.6 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 5.0.7 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.WindowsDesktop.App 3.0.3 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 3.1.15 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 3.1.16 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 5.0.6 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 5.0.7 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
@ghost ghost added the needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. label Jun 11, 2021
@jsquire jsquire added Azure.Identity Client This issue points to a problem in the data-plane of the library. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team labels Jun 12, 2021
@ghost ghost removed the needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. label Jun 12, 2021
@christothes
Copy link
Member

Hi @anpaz This is a known issue related to how personal/MSA accounts work. By default, the tenantId that MSAL will try when no hint is given results in this error. I believe the CLI actually goes out and pre-emptively fetches a token for each of your subscriptions so that they are pre-cached.

That said, we are working on a feature now that will enable tenant discovery based on challenges retrieved from the service (for services that supply tenant Id info in challenges). The experience when using one of Azure.Identity's built in TokenCredentials with those service clients will be that it just works.

@christothes christothes added the needs-author-feedback Workflow: More information is needed from author to address the issue. label Jun 14, 2021
@ghost ghost removed the needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team label Jun 14, 2021
@ghost ghost added the no-recent-activity There has been no recent activity on this issue. label Jun 21, 2021
@ghost
Copy link

ghost commented Jun 21, 2021

Hi, we're sending this friendly reminder because we haven't heard back from you in 7 days. We need more information about this issue to help address it. Please be sure to give us your input. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!

@ghost ghost closed this as completed Jul 6, 2021
@mjrousos
Copy link
Member

I'm working with a customer who is running into this same issue. Has the work @christothes described been done yet? If not, can this be re-opened to track the issue?

Also, thanks @anpaz for the work-arounds!

@ghost ghost removed the no-recent-activity There has been no recent activity on this issue. label Nov 17, 2021
@christothes
Copy link
Member

Yes, tenant discovery is now enabled by default in the latest version of Azure.Identity. A tenantId hint can be sent as part of the TokenRequestContext now to GetToken which will be used in favor of the explicitly defined tenantId, if present.

@mjrousos
Copy link
Member

Thanks, @christothes. I'll check with the customer which version of Azure.Identity they're using since they're hitting an issue very similar to what's described here and it sounds like that shouldn't be happening if they have up-to-date SDK packages.

azure-sdk pushed a commit to azure-sdk/azure-sdk-for-net that referenced this issue Feb 1, 2023
Machinelearningservices microsoft.machine learning services 2022 12 01 preview (Azure#21761)

* Adds base for updating Microsoft.MachineLearningServices from version preview/2022-10-01-preview to version 2022-12-01-preview

* Updates readme

* Updates API version in new specs and examples

* Add Dec API Registries Swagger (Azure#21419)

* add december registries swagger + examples

* add status code 202 in examples

* fix 202 examples

* fixes

* fixes

* fix

* add 202 back in for put/patch

Co-authored-by: Komal Yadav <komalyadav@microsoft.com>

* remove location (Azure#21430)

Co-authored-by: Komal Yadav <komalyadav@microsoft.com>

* remove readonly flag on schedules property for CI (Azure#21653)

Co-authored-by: Naman Agarwal <naagarw@microsoft.com>

* add missing workspace properties (Azure#21725)

* December preview updating mfe.json specs (Azure#21510)

* December preview updating mfe.json specs

* MFE Dec 2022 Preview API - Adding logbase

* MFE 2022-12-01-preview swagger spec model validation fix

* MFE 2022-12-01-preview swagger spec model validation fix, add missing location

* MFE 2022-12-01-preview swagger spec model validation - typo fix

* MFE 2022-12-01-preview swagger spec model validation - fix api version in automljob example

* MFE 2022-12-01-preview swagger spec model validation - fix for multiselectenabled error

* MFE 2022-12-01-preview swagger spec model validation - fix for multiselectenabled error

* Fix  for 1006 - RemovedDefinition (RecurrenceTrigger,CronTrigger) (Azure#21822)

* fix ReadonlyPropertyChanged of MLC (Azure#21814)

Co-authored-by: Bingchen Li <bingchenli@microsoft.com>

* fixed custom-words conflict (Azure#21829)

* fix custom-words conflict merge (Azure#21830)

* example fix (INVALID_REQUEST_PARAMETER) (Azure#21832)

Co-authored-by: Ivaliy Ivanov <ivaliyivanov@Ivaliys-MacBook-Air.local>

* example fix, use correct api preview version  - (INVALID_REQUEST_PARAMETER) (Azure#21833)

Co-authored-by: Ivaliy Ivanov <ivaliyivanov@Ivaliys-MacBook-Air.local>

* Revert breaking change for MLC swagger 2022-12-01-preview (Azure#21885)

Co-authored-by: Bingchen Li <bingchenli@microsoft.com>

* Revert Connection Category back to enum. (Azure#21939)

* revert provisioning state change (Azure#21940)

* remove body (Azure#21978)

Co-authored-by: Komal Yadav <komalyadav@microsoft.com>

* Addressed comments, added x-ms-long-running-operation to a patch call (Azure#22005)

* Addressed comments, added x-ms-long-running-operation to a patch call

* fix examples for patch - remove body

* fixed formatting

* Ivalbert fix patch2 (Azure#22006)

* Addressed comments, added x-ms-long-running-operation to a patch call

* fix examples for patch - remove body

* fixed formatting

* fixed formatting

* Updated custom words (Azure#22262)

* Fixed prettier errors (Azure#22237)

* fixed examples for LRO_RESPONSE_HEADER check (Azure#22293)

* fixed examples for LRO_RESPONSE_HEADER check (Azure#22294)

* Example fix - OBJECT_MISSING_REQUIRED_PROPERTY - Missing required property: triggerType (Azure#22317)

---------

Co-authored-by: Komal Yadav <23komal.yadav23@gmail.com>
Co-authored-by: Komal Yadav <komalyadav@microsoft.com>
Co-authored-by: Naman Agarwal <namanag16@gmail.com>
Co-authored-by: Naman Agarwal <naagarw@microsoft.com>
Co-authored-by: ZhidaLiu <zhili@microsoft.com>
Co-authored-by: libc16 <88697960+libc16@users.noreply.github.com>
Co-authored-by: Bingchen Li <bingchenli@microsoft.com>
Co-authored-by: Ivaliy Ivanov <ivaliyivanov@Ivaliys-MacBook-Air.local>
@github-actions github-actions bot locked and limited conversation to collaborators Mar 27, 2023
This issue was closed.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
Azure.Identity Client This issue points to a problem in the data-plane of the library. needs-author-feedback Workflow: More information is needed from author to address the issue.
Projects
None yet
Development

No branches or pull requests

5 participants