`az login` fails: OSError: [WinError -2146893813]
This is autogenerated. Please review and update as needed.
Describe the bug
Command Name
az login
Errors:
The command failed with an unexpected error. Here is the traceback:
[WinError -2146893813] : ''
Traceback (most recent call last):
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 231, in invoke
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 657, in execute
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 720, in _run_jobs_serially
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 691, in _run_job
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 328, in __call__
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/profile/custom.py", line 145, in login
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/_profile.py", line 155, in login
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/identity.py", line 121, in login_with_auth_code
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/application.py", line 1488, in acquire_token_interactive
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oidc.py", line 280, in obtain_token_by_browser
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oauth2.py", line 660, in obtain_token_by_browser
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/application.py", line 135, in obtain_token_by_auth_code_flow
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oidc.py", line 204, in obtain_token_by_auth_code_flow
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oauth2.py", line 548, in obtain_token_by_auth_code_flow
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oauth2.py", line 714, in _obtain_token_by_authorization_code
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oidc.py", line 115, in _obtain_token
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oauth2.py", line 771, in _obtain_token
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/application.py", line 523, in <lambda>
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/token_cache.py", line 307, in add
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/token_cache.py", line 113, in add
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/token_cache.py", line 184, in __add
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal_extensions/token_cache.py", line 44, in modify
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal_extensions/token_cache.py", line 35, in _reload_if_necessary
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal_extensions/persistence.py", line 172, in load
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal_extensions/windows.py", line 111, in unprotect
OSError: [WinError -2146893813] : ''
To Reproduce:
Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.
- Put any pre-requisite steps here...
-
az login
Expected Behavior
Environment Summary
Windows-10-10.0.19041-SP0
Python 3.8.9
Installer: MSI
azure-cli 2.30.0
Additional Context
This is the parent issue of "WinError -2146893813"
+ MSAL developer @rayluo
Same as https://github.com/Azure/azure-cli/issues/17186 happened for the old beta version.
@vperala, have you copied .azure from/to another computer? Could you share the detailed steps you followed to trigger this error? Thanks.
Agree with @jiasli 's triage. By the way, a suggestion to @jiasli : you can convert this issue into a Q&A in Az CLI's Github Discussion, and then select your answer as "chosen answer". This way, it remains visible to future customers, therefore you can safely close those stale issues like #17186.
Or even better, either Az CLI or MSAL EX could perhaps catch that exception and convert it to something like RuntimeError: Unable to decrypt token cache. Did you copy token cache from another computer?
Hi Jiasli, My issue was resolved after deleting all the files and folders under C:\Users\<username>\.azure folder and tried to reinstall Azure CLI from windows powershell(run as Administrator) with the below command. It's working fine now.
Command:
$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; rm .\AzureCLI.msi
Thanks!!
My issue was resolved after deleting all the files and folders under C:\Users\<username>\.azure folder and tried to reinstall Azure CLI from windows powershell(run as Administrator) with the below command. It's working fine now.
Congrats @vperala for recovering from the issue. Can you tell us more on the history of that C:\Users\username\.azure folder? Did you manually copy it from a different computer?
- If your answer is yes, then the error is expected (it is a security feature), although @jiasli and I may still consider some User eXperience (UX) improvement here.
- If your answer is no, then it could be a sequence of operation causing our token cache file to be created unencrypted (by older version of Az CLI?), and then upgrading to Az CLI v2.30+ would attempt to decrypt that file and failed. This would become a migration faq, then.
it could be a sequence of operation causing our token cache file to be created unencrypted (by older version of Az CLI?)
The old ADAL-based Azure CLI saves tokens to ~/.azure/accessTokens.json, while the new MSAL-based Azure CLI saves tokens to ~/.azure/msal_token_cache.json or ~/.azure/msal_token_cache.bin (encrypted), so they work independently.
Hi @jiasli, I get the same error. Here are my repro steps:
- was working in version 2.31.0,
- upgraded using az upgrade to 2.32.0
- az login produced the error
- Uninstalled Azure CLI
- installed version 2.31.0 again, the error persisted
full log is here:
The command failed with an unexpected error. Here is the traceback:
[WinError -2146893813] : ''
Traceback (most recent call last):
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 231, in invoke
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 658, in execute
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 721, in _run_jobs_serially
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 692, in _run_job
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 328, in __call__
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/profile/custom.py", line 149, in login
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/_profile.py", line 155, in login
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/identity.py", line 171, in login_with_auth_code
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/application.py", line 1546, in acquire_token_interactive
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oidc.py", line 280, in obtain_token_by_browser
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oauth2.py", line 640, in obtain_token_by_browser
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oauth2.py", line 678, in _obtain_token_by_browser
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/application.py", line 135, in obtain_token_by_auth_code_flow
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oidc.py", line 204, in obtain_token_by_auth_code_flow
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oauth2.py", line 548, in obtain_token_by_auth_code_flow
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oauth2.py", line 732, in _obtain_token_by_authorization_code
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oidc.py", line 115, in _obtain_token
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oauth2.py", line 789, in _obtain_token
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/application.py", line 581, in <lambda>
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/token_cache.py", line 307, in add
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/token_cache.py", line 113, in add
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/token_cache.py", line 184, in __add
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal_extensions/token_cache.py", line 67, in modify
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal_extensions/token_cache.py", line 58, in _reload_if_necessary
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal_extensions/persistence.py", line 180, in load
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal_extensions/windows.py", line 114, in unprotect
OSError: [WinError -2146893813] : ''
Update:
I tried using the command with a different windows user account and it worked fine.
So I deleted the C:\Users\<user>\.azure
And it works.
Maybe, upgrade command should be updated to remove the conflictual configuration.
@lucianbalaban, I don't think this is related to upgrade, as we didn't change any code for token encryption between 2.31.0 and 2.32.0.
Questions
- Have you copied ~/.azure folder from another computer or mounted it into a container?
- Could you share the detailed steps you followed to trigger this error?
Workaround
You may delete C:\Users\<username>\.azure folder and re-login.
If this still doesn't help, you may temporarily turn off token cache encryption. (⚠ This is an internal experimental config option. We may change it or drop it anytime.)
az config set core.encrypt_token_cache=false
az login
Hi, my error was solved by deleting the .azure folder. I cannot replicate it anymore.
If it happens again, I will try the az account clear
Thanks!
On Fri, Jan 7, 2022 at 8:40 AM Jiashuo Li @.***> wrote:
Workaround
First, you may try to clear the credential cache and re-login:
az account clear
az login
If this still doesn't help, you may temporarily turn off token cache encryption. (⚠ This is an internal experimental config option. We may change it or drop it anytime.)
az config set core.encrypt_token_cache=false
az login
@Christopher-Balnaves, "RuntimeError: 0. The ID token is not yet valid." is irrelevant to this issue.
I was able to catch this after local user password reset. Deletion of the .azure solved it.
Got this error from terraform plan in SSH session.
Full error:
Error: obtaining Authorization Token from the Azure CLI: parsing json result from the Azure CLI: waiting for the Azure CLI: exit status 1: ERROR: Decryption failed: [WinError -2146893813] Key not valid for use in specified state.. App developer may consider this guidance: https://github.com/AzureAD/microsoft-authentication-extensions-for-python/wiki/PersistenceDecryptionError
PS F:> (New-Object System.Net.WebClient).Proxy.Credentials = ` [System.Net.CredentialCache]::DefaultNetworkCredentials
PS F:> az login
az : WARNING: A web browser has been opened at
https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize. Please continue the login in the web
browser. If no web browser is available or if the web browser fails to open, use device code flow with az login --use-device-code.
At line:1 char:1
- az login
-
+ CategoryInfo : NotSpecified: (WARNING: A web ...e-device-code`.:String) [], RemoteException + FullyQualifiedErrorId : NativeCommandError
ERROR: The command failed with an unexpected error. Here is the traceback:
ERROR: [WinError 0] : ''
Traceback (most recent call last):
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 231, in invoke
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 658, in execute
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 721, in _run_jobs_serially
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 692, in _run_job
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 328, in __call__
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/profile/custom.py", line 139, in login
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/_profile.py", line 155, in login
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/identity.py", line 171, in login_with_auth_code
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/application.py", line 1546, in acquire_token_interactive
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oidc.py", line 280, in obtain_token_by_browser
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oauth2.py", line 640, in obtain_token_by_browser
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oauth2.py", line 678, in _obtain_token_by_browser
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/application.py", line 135, in obtain_token_by_auth_code_flow
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oidc.py", line 204, in obtain_token_by_auth_code_flow
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oauth2.py", line 548, in obtain_token_by_auth_code_flow
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oauth2.py", line 732, in _obtain_token_by_authorization_code
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oidc.py", line 115, in _obtain_token
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oauth2.py", line 789, in _obtain_token
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/application.py", line 581, in
PS F:> $ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; rm .\AzureCLI.msi
PS F:> az account clear
PS F:> az login
az : WARNING: A web browser has been opened at
https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize. Please continue the login in the web
browser. If no web browser is available or if the web browser fails to open, use device code flow with az login --use-device-code.
At line:1 char:1
- az login
-
+ CategoryInfo : NotSpecified: (WARNING: A web ...e-device-code`.:String) [], RemoteException + FullyQualifiedErrorId : NativeCommandError
ERROR: Decryption failed: [WinError 0] None. App developer may consider this guidance: https://github.com/AzureAD/microsoft-authentication-extensions-for-python/wiki/PersistenceDecryptionError Please report to us via Github: https://github.com/Azure/azure-cli/issues/20278
PS F:> az config set core.encrypt_token_cache=false
az : WARNING: Command group 'config' is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus
At line:1 char:1
- az config set core.encrypt_token_cache=false
-
+ CategoryInfo : NotSpecified: (WARNING: Comman...s/CLI_refstatus:String) [], RemoteException + FullyQualifiedErrorId : NativeCommandError
PS F:> az login
az : WARNING: A web browser has been opened at https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize.
Please continue the login in the web browser. If no web browser is available or if the web browser fails to open, use
device code flow with az login --use-device-code.
At line:1 char:1
- az login
-
+ CategoryInfo : NotSpecified: (WARNING: A web ...e-device-code`.:String) [], RemoteException + FullyQualifiedErrorId : NativeCommandError
ERROR: ('Cannot connect to proxy.', NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x0522DCD0>: Failed to establish a new connection: [Errno 11001] getaddrinfo failed'))
PS F:>
From a fresh machine installation of Windows 11, Azure CLI installed and upgraded by using chocolatey. The first login was after the upgrade, where I received the error within #22937. Once the C:\Users\<user>\.azure folder had been removed authentication worked.
I ran into the same issue today. I had a password change several days ago, needed to run an az command today which prompted me that the grant was no longer valid. Was able to az login again and work as expected. Several hours later, I started seeing this issue with any az command. I was able to move forward by deleting msal_token.cache.bin and msal_http_cache.bin and relogging in.
Hi Jiasli, My issue was resolved after deleting all the files and folders under C:\Users\<username>\.azure folder and tried to reinstall Azure CLI from windows powershell(run as Administrator) with the below command. It's working fine now. Command:
$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; rm .\AzureCLI.msi
Thanks!!
This solution worked for me properly with 'az cli v2.38.0' thanks!
For me worked removing .azure folder: C:\users\<your user>\.azure
Before it I've executed the command too: az upgrade
But removing folder just could works, The problem I think was when I used Az Cloud Shell and Powershell together
I started getting the error in 2.36.0. Tried upgrading to 2.39.0 but continued to get the same error. Deleting the .Azure worked like a charm for me.
Decryption failed: [WinError -2146893813] Key not valid for use in specified state.. App developer may consider this guidance: https://github.com/AzureAD/microsoft-authentication-extensions-for-python/wiki/PersistenceDecryptionError Please report to us via Github: https://github.com/Azure/azure-cli/issues/20231
deleting the .Azure folder as mentioned above resolved it.
Here same error:
az login
A web browser has been opened at https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize. Please continue the login in the web browser. If no web browser is available or if the web browser fails to open, use device code flow with `az login --use-device-code`.
Decryption failed: [WinError -2146893813] Key not valid for use in specified state.. App developer may consider this guidance: https://github.com/AzureAD/microsoft-authentication-extensions-for-python/wiki/PersistenceDecryptionError
Please report to us via Github: https://github.com/Azure/azure-cli/issues/20231
Deleting the folder .Azure in the home the issue is solved
az --version
azure-cli 2.43.0
core 2.43.0
telemetry 1.0.8
Dependencies:
msal 1.20.0
azure-mgmt-resource 21.1.0b1
Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\pb00018\.azure\cliextensions'
Python (Windows) 3.10.8 (tags/v3.10.8:aaaf517, Oct 11 2022, 16:37:59) [MSC v.1933 32 bit (Intel)]
Legal docs and information: aka.ms/AzureCliLegal
Your CLI is up-to-date.
Also facing this issue after rotating the password for a Service Principal.
usage:
az login --service-principal -u $env:AZ_NAME -p $env:AZ_PWD --tenant $env:AZ_TENANT
Here is the error:
Decryption failed: [WinError -2146893813] Key not valid for use in specified state.. App developer may consider this guidance: https://github.com/AzureAD/microsoft-authentication-extensions-for-python/wiki/PersistenceDecryptionError
azure-cli 2.46.0
core 2.46.0
telemetry 1.0.8
Dependencies:
msal 1.20.0
azure-mgmt-resource 21.1.0b1
Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\buildadmin\.azure\cliextensions'
Python (Windows) 3.10.10 (tags/v3.10.10:aad5f6a, Feb 7 2023, 17:05:00) [MSC v.1929 32 bit (Intel)]
Legal docs and information: aka.ms/AzureCliLegal
Your CLI is up-to-date.
deleting the 'msal_http_cache.bin', 'msal_token_cache.bin', 'service_principal_entries.bin' files fixed the problem.
Also facing this issue after rotating the password for a Service Principal.
usage:
az login --service-principal -u $env:AZ_NAME -p $env:AZ_PWD --tenant $env:AZ_TENANT
@jiasli, unlike most other reports here, this report provided repro steps. Do you think that code path would alter the token cache file?
Yes. az login --service-principal saves the service principal credential to service_principal_entries.bin and access tokens to msal_token_cache.bin.
After I changed my windows 11 password, I couldn't use my az cli anymore. For whatever command I'm getting: "Decryption failed: [WinError -2146893813] Key not valid for use in specified state.. App developer may consider this guidance: https://github.com/AzureAD/microsoft-authentication-extensions-for-python/wiki/PersistenceDecryptionError"
After deleting in the .azure folder msal_*.bin and relogging it works like a charm again
Token cache is protected by DPAPI, which seems to be affected by a password reset. @jiasli, do we consider adding this as a hint in our error message?
Can confirm that deleting your C:\users
I ran into this as well on a Windows VM where I ran az login --tenant {tenant name} for the first time after resetting my password on the VM through the Azure portal (maybe that has the same effect of resetting the password from computer management which causes this issue?).
In addition to what kierke-gaard got, I got a message with a bit more info when I passed the "--debug" option:
msal_extensions.persistence.PersistenceDecryptionError: [Errno -2146893813] Decryption failed: [Errno -2146893813] Key not valid for use in specified state. App developer may consider this guidance: https://github.com/AzureAD/microsoft-authentication-extensions-for-python/wiki/PersistenceDecryptionError: 'C:\\Users\\myuser\\.azure\\msal_token_cache.bin
Based on that Github wiki in the error message, I figured that the file it printed at the end was the file it was having trouble with (and likely got corrupted with the password reset), so I moved that to my home directory, ran the "az login --tenant {tenant name}" command again, and everything worked! It looks like it regenerated that file with the new login.
This happened after a routine password reset via AD sync. Lots of Windows internal credential caches were messed up. Based on some advice from Dell based on Windows TPM Error 80090016, I ended up moving the AAD BrokerPlugin directory out of the way and letting Windows repopulate it via a sizable number of manual logins. I suspect this contributed to the MSAL auth failures.
I tried selectively clearing bad login tokens by using "az logout" but this just showed the same error.
Finally, like so many others before me, I moved the .azure directory out of the way and logged back in, which worked.
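The diagnosis this thread converges on (a DPAPI-protected cache file that the current Windows logon can no longer unprotect) can be checked per file, so only the undecryptable file is moved aside rather than the whole .azure folder being deleted. The following is an added example, not part of the thread and not Azure CLI or MSAL code; `dpapi_probe`, `triage_cache`, `explain` and the `.undecryptable-` suffix are hypothetical names, and it assumes the cache file is a raw DPAPI blob protected without extra entropy.

```python
import ctypes
import sys
import time
from pathlib import Path

NTE_BAD_KEY_STATE = -2146893813  # 0x8009000B as a signed 32-bit value


class DataBlob(ctypes.Structure):  # Win32 DATA_BLOB
    _fields_ = [("cbData", ctypes.c_uint32),
                ("pbData", ctypes.POINTER(ctypes.c_char))]


def dpapi_probe(blob: bytes):
    """Return None if the current Windows logon can unprotect `blob`, else the
    signed WinError code (which may be 0, as in one report in this thread).
    The plaintext is wiped and freed here and never returned to the caller."""
    crypt32 = ctypes.WinDLL("crypt32", use_last_error=True)
    kernel32 = ctypes.WinDLL("kernel32")
    kernel32.LocalFree.argtypes = [ctypes.c_void_p]
    buf = ctypes.create_string_buffer(blob, len(blob))
    src = DataBlob(len(blob), ctypes.cast(buf, ctypes.POINTER(ctypes.c_char)))
    dst = DataBlob()
    if not crypt32.CryptUnprotectData(ctypes.byref(src), None, None, None,
                                      None, 0, ctypes.byref(dst)):
        return ctypes.c_int32(ctypes.get_last_error()).value
    ctypes.memset(dst.pbData, 0, dst.cbData)
    kernel32.LocalFree(ctypes.cast(dst.pbData, ctypes.c_void_p))
    return None


def triage_cache(azure_dir, probe=dpapi_probe, names=("msal_token_cache.bin",)):
    """Probe each named cache file and move undecryptable ones aside, leaving
    the rest of the folder untouched. Returns {name: (status, code)}."""
    report = {}
    stamp = time.strftime("%Y%m%dT%H%M%S")
    for name in names:
        path = Path(azure_dir) / name
        if not path.is_file():
            report[name] = ("absent", None)
            continue
        code = probe(path.read_bytes())
        if code is None:
            report[name] = ("ok", None)
            continue
        # Rename instead of delete so the file stays available for diagnosis.
        path.rename(path.with_name(f"{name}.undecryptable-{stamp}"))
        report[name] = ("quarantined", code)
    return report


def explain(code):
    """Turn the raw code into the kind of hint proposed in the thread."""
    if code == NTE_BAD_KEY_STATE:
        return ("Unable to decrypt token cache (key not valid for use in "
                "specified state). Was .azure copied from another computer, "
                "or was the Windows password reset? Run 'az login' again.")
    return f"Unable to decrypt token cache (WinError {code}). Run 'az login' again."


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("DPAPI is Windows-only; run this as the affected Windows user.")
    for name, (status, code) in triage_cache(Path.home() / ".azure").items():
        print(name, status, explain(code) if status == "quarantined" else "")
```

Other files named in the thread, such as service_principal_entries.bin, can be passed through `names` if they are stored the same way on the machine being checked.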