[BUG] InteractiveBrowserCredential fails when using a personal/MSA account without passing tenant_id #21830
Comments
Hi @anpaz This is a known issue related to how personal/MSA accounts work. By default, the tenantId that MSAL will try when no hint is given results in this error. I believe the CLI actually goes out and pre-emptively fetches a token for each of your subscriptions so that they are pre-cached. That said, we are working on a feature now that will enable tenant discovery based on challenges retrieved from the service (for services that supply tenant Id info in challenges). The experience when using one of
Hi, we're sending this friendly reminder because we haven't heard back from you in 7 days. We need more information about this issue to help address it. Please be sure to give us your input. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!
I'm working with a customer who is running into this same issue. Has the work @christothes described been done yet? If not, can this be re-opened to track the issue? Also, thanks @anpaz for the work-arounds!
Yes, tenant discovery is now enabled by default in the latest version of Azure.Identity. A tenantId hint can be sent as part of the TokenRequestContext now to
Thanks, @christothes. I'll check with the customer which version of Azure.Identity they're using since they're hitting an issue very similar to what's described here and it sounds like that shouldn't be happening if they have up-to-date SDK packages.
Describe the bug
When using InteractiveBrowserCredential with a personal/MSA account without passing the user's TenantId, the interactive authentication fails with message:
To Reproduce
Steps to reproduce the behavior:
InteractiveBrowserCredential with any Azure SDK client that accepts it, without passing the tenant_id.
When the browser authentication opens a new https://login.microsoftonline.com/ web page, try to log in with a personal/MSA account such as email@outlook.com. A work/school account should authenticate just fine.
In the case of a personal/MSA account you should see the error message described above.
Sample code:
Expected behavior
We should spare the user from passing their personal account tenant id and have a seamless experience as found with az login.
Workarounds
Option 1: Use the DefaultAzureCredential and pass the tenant_id via environment variable
a) Find your account tenant_id: How to find your Azure Active Directory tenant ID
b) Before running the program, set the AZURE_TENANT_ID environment variable with your tenant_id value.
PowerShell example:
Option 2: Pass the tenant_id via the InteractiveBrowserCredential
a) Find your account tenant_id: How to find your Azure Active Directory tenant ID
b) Pass your tenant_id as part of the InteractiveBrowserCredential constructor:
Environment: