Get-AzAccessToken failed
Description
When trying to get access tokens I can no longer use the create token.
Issue script & Debug output
DEBUG: 18:32:43 - [ConfigManager] Got nothing from [DisplaySecretsWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 18:32:43 - GetAzureRmAccessTokenCommand begin processing with ParameterSet 'KnownResourceTypeName'.
DEBUG: 18:32:43 - using account id 'nathan@XXX'...
DEBUG: 18:32:43 - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 18:32:43 - [ConfigManager] Got nothing from [DisableInstanceDiscovery], Module = [], Cmdlet = []. Returning default value [False].
DEBUG: 18:32:43 - [ConfigManager] Got nothing from [EnableLoginByWam], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 18:32:43 - [SilentAuthenticator] Calling SharedTokenCacheCredential.GetTokenAsync - TenantId:'d867b73d-xxxx-48df-9439-xxxxxxxxxxxx', Scopes:'https://management.core.windows.net//.default',
AuthorityHost:'https://login.microsoftonline.com/', UserId:'nathan@XXX'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398 [2024-05-21 16:32:43Z - cd4f2a99-e83b-491e-9c52-bf32f45d27fd] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398 [2024-05-21 16:32:43Z - cd4f2a99-e83b-491e-9c52-bf32f45d27fd] [Region discovery] Not using a
regional authority.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398 [2024-05-21 16:32:43Z - cd4f2a99-e83b-491e-9c52-bf32f45d27fd] [Region discovery] Not using a
regional authority.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398 [2024-05-21 16:32:43Z - cd4f2a99-e83b-491e-9c52-bf32f45d27fd] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398 [2024-05-21 16:32:43Z - cd4f2a99-e83b-491e-9c52-bf32f45d27fd] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398 [2024-05-21 16:32:43Z] [Runtime] WAM supported OS.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398 [2024-05-21 16:32:43Z] [RuntimeBroker] ListWindowsWorkAndSchoolAccounts option was not enabled.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398 [2024-05-21 16:32:43Z - dabc6a20-9023-4299-8a67-70802566cbf9] [Region discovery] Not using a
regional authority.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398 [2024-05-21 16:32:43Z] Found 1 cache accounts and 0 broker accounts
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398 [2024-05-21 16:32:43Z] Returning 1 accounts
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398 [2024-05-21 16:32:43Z - 86a5c9df-ebff-4735-a2bc-e25d8c1a49e3] MSAL MSAL.CoreCLR with assembly
version '4.60.3.0'. CorrelationId(86a5c9df-ebff-4735-a2bc-e25d8c1a49e3)
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398 [2024-05-21 16:32:43Z - 86a5c9df-ebff-4735-a2bc-e25d8c1a49e3] === AcquireTokenSilent Parameters ===
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398 [2024-05-21 16:32:43Z - 86a5c9df-ebff-4735-a2bc-e25d8c1a49e3] LoginHint provided: False
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398 [2024-05-21 16:32:43Z - 86a5c9df-ebff-4735-a2bc-e25d8c1a49e3] Account provided: True
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398 [2024-05-21 16:32:43Z - 86a5c9df-ebff-4735-a2bc-e25d8c1a49e3] ForceRefresh: False
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398 [2024-05-21 16:32:43Z - 86a5c9df-ebff-4735-a2bc-e25d8c1a49e3]
=== Request Data ===
Authority Provided? - True
Scopes - https://management.core.windows.net//.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - True
HomeAccountId - False
CorrelationId - 86a5c9df-ebff-4735-a2bc-e25d8c1a49e3
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398 [2024-05-21 16:32:43Z - 86a5c9df-ebff-4735-a2bc-e25d8c1a49e3] === Token Acquisition (SilentRequest)
started:
Scopes: https://management.core.windows.net//.default
Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398 [2024-05-21 16:32:43Z - 86a5c9df-ebff-4735-a2bc-e25d8c1a49e3] Broker is configured and enabled,
attempting to use broker instead.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398 [2024-05-21 16:32:43Z] [Runtime] WAM supported OS.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398 [2024-05-21 16:32:43Z - 86a5c9df-ebff-4735-a2bc-e25d8c1a49e3] Can invoke broker. Will attempt to
acquire token with broker.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398 [2024-05-21 16:32:43Z] [MSAL:0003] WARNING SetAuthorityString:98 Initializing authority from string
'https://login.microsoftonline.com/d867b73d-xxxx-48df-9439-xxxxxxxxxxxx/' without authority type, defaulting to MsSts
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398 [2024-05-21 16:32:43Z] [MSAL:0014] ERROR ErrorInternalImpl:134 Created an error: 5vt4a,
StatusInternal::AccountNotFound, InternalEvent::None, Error Code 0, Context 'Account with id '(pii)' not found'
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398 [2024-05-21 16:32:43Z] [MSAL:0014] INFO LogTelemetryData:393 Printing Telemetry for Correlation
ID: 86a5c9df-ebff-4735-a2bc-e25d8c1a49e3
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398 [2024-05-21 16:32:43Z] [MSAL:0014] INFO LogTelemetryData:401 Key: start_time, Value:
2024-05-21T16:32:43.000Z
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398 [2024-05-21 16:32:43Z] [MSAL:0014] INFO LogTelemetryData:401 Key: api_name, Value:
ReadAccountById
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398 [2024-05-21 16:32:43Z] [MSAL:0014] INFO LogTelemetryData:401 Key: was_request_throttled, Value:
false
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398 [2024-05-21 16:32:43Z] [MSAL:0014] INFO LogTelemetryData:401 Key: authority_type, Value: Unknown
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398 [2024-05-21 16:32:43Z] [MSAL:0014] INFO LogTelemetryData:401 Key: msal_version, Value:
1.1.0+local
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398 [2024-05-21 16:32:43Z] [MSAL:0014] INFO LogTelemetryData:401 Key: correlation_id, Value:
86a5c9df-ebff-4735-a2bc-e25d8c1a49e3
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398 [2024-05-21 16:32:43Z] [MSAL:0014] INFO LogTelemetryData:401 Key: broker_app_used, Value: false
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398 [2024-05-21 16:32:43Z] [MSAL:0014] INFO LogTelemetryData:401 Key: stop_time, Value:
2024-05-21T16:32:43.000Z
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398 [2024-05-21 16:32:43Z] [MSAL:0014] INFO LogTelemetryData:401 Key: all_error_tags, Value: 5vt4a
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398 [2024-05-21 16:32:43Z] [MSAL:0014] INFO LogTelemetryData:401 Key: msalruntime_version, Value:
0.16.0
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398 [2024-05-21 16:32:43Z] [MSAL:0014] INFO LogTelemetryData:401 Key: api_error_code, Value: 0
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398 [2024-05-21 16:32:43Z] [MSAL:0014] INFO LogTelemetryData:401 Key: api_error_tag, Value: 5vt4a
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398 [2024-05-21 16:32:43Z] [MSAL:0014] INFO LogTelemetryData:401 Key: api_status_code, Value:
StatusInternal::AccountNotFound
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398 [2024-05-21 16:32:43Z] [MSAL:0014] INFO LogTelemetryData:401 Key: api_error_context, Value:
Account with id '(pii)' not found
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398 [2024-05-21 16:32:43Z] [MSAL:0014] INFO LogTelemetryData:401 Key: is_successful, Value: false
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398 [2024-05-21 16:32:43Z] [MSAL:0014] INFO LogTelemetryData:401 Key: request_duration, Value: 0
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398 [2024-05-21 16:32:43Z] [RuntimeBroker] Could not find a WAM account for the selected user. Error:
Status: AccountNotFound
Context: Account with id '(pii)' not found
Tag: 0x1f553780
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET Framework 4.8.9186.0 Microsoft Windows 10.0.25398 [2024-05-21 16:32:43Z - 86a5c9df-ebff-4735-a2bc-e25d8c1a49e3] Exception type:
Microsoft.Identity.Client.MsalUiRequiredException
, ErrorCode: wam_no_account_for_id
HTTP StatusCode 0
CorrelationId 86a5c9df-ebff-4735-a2bc-e25d8c1a49e3
To see full exception details, enable PII Logging. See https://aka.ms/msal-net-logging
at Microsoft.Identity.Client.Internal.Requests.Silent.SilentRequest.<ExecuteAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Identity.Client.Utils.StopwatchService.<MeasureCodeBlockAsync>d__4.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Identity.Client.Internal.Requests.RequestBase.<RunAsync>d__11.MoveNext()
DEBUG: SharedTokenCacheCredential.GetToken was unable to retrieve an access token. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId: Exception:
Azure.Identity.CredentialUnavailableException (0x80131500): SharedTokenCacheCredential authentication unavailable. Token acquisition failed for user xxxx@xxxxxxxx. Ensure that you have
authenticated with a developer tool that supports Azure single sign on.
---> Microsoft.Identity.Client.MsalUiRequiredException (0x80131500): Could not find a WAM account for the selected user. Error: Status: AccountNotFound
Context: Account with id '(pii)' not found
Tag: 0x1f553780
DEBUG: 18:32:43 - [ConfigManager] Got nothing from [EnableErrorRecordsPersistence], Module = [], Cmdlet = []. Returning default value [False].
Get-AzAccessToken : Authentication failed against tenant d867b73d-xxxx-48df-9439-xxxxxxxxxxxx. User interaction is required. This may be due to the conditional access policy settings such as
multi-factor authentication (MFA). If you need to access subscriptions in that tenant, please rerun 'Connect-AzAccount' with additional parameter '-TenantId XXX'.
At line:1 char:14
+ $ARMtoken = (Get-AzAccessToken).Token
+ ~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Get-AzAccessToken], AzPSAuthenticationFailedException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Profile.GetAzureRmAccessTokenCommand
DEBUG: 18:32:43 - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 18:32:43 - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 18:32:43 - [ConfigManager] Got nothing from [CheckForUpgrade], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent: Module: Az.Accounts:3.0.0; CommandName: Get-AzAccessToken; PSVersion: 5.1.25398.469; IsSuccess: False; Duration: 00:00:00.2253026; SanitizeDuration: 00:00:00; Exception:
Authentication failed against tenant d867b73d-xxxx-48df-9439-xxxxxxxxxxxx. User interaction is required. This may be due to the conditional access policy settings such as multi-factor
authentication (MFA). If you need to access subscriptions in that tenant, please rerun 'Connect-AzAccount' with additional parameter '-TenantId XXX'.;
DEBUG: 18:32:43 - [ConfigManager] Got nothing from [EnableDataCollection], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 18:32:43 - GetAzureRmAccessTokenCommand end processing.
Environment data
Name Value
---- -----
PSVersion 5.1.25398.469
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.25398.469
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
Module versions
ModuleType Version Name ExportedCommands
---------- ------- ---- ----------------
Script 3.0.0 Az.Accounts {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Clear-AzDefault...}
Script 0.7.2 Az.ConnectedMachine {Connect-AzConnectedMachine, Get-AzConnectedExtensionMetadata, Get-AzConnectedMachine, Get-AzConnectedMachineExtension...}
Manifest 0.2.261... AzSHCI.ARCInstaller {Invoke-AzStackHciArcInitialization, Invoke-AzStackHCIDeployment, Invoke-AzStackHCIEnvironmentPreparator, Invoke-AzStackHCIEnvironmentV...
Script 0.0 AzStackHci.AddNode.Helpers {Test-ADCredential, Test-ClusterNodeName, Test-ComputerName, Test-LocalCredential...}
Script 0.0 AzStackHci.ArcIntegration.Helpers {Test-ArcAgentNotConnectedToDifferentResource, Test-ExistingArcResources, Test-ExistingHCIResource, Test-IsRegionValid...}
Script 0.0 AzStackHci.Bitlocker.Helpers Test-BitlockerKeysExist
Script 0.0 AzStackHci.Bootstrap.Helpers
Script 0.0 AzStackHci.ClusterWitness.Helpers {Test-WitnessCloudStorage, Test-WitnessFileShareWithCredential}
Script 0.0 AzStackHci.Connectivity.Helpers {Compare-PSObjectArray, ConvertTo-Hashtable, Export-AzStackHciConnectivityTargetToXml, Get-AzStackHciConnectivityOperationName...}
Script 0.0 AzStackHci.EnvironmentChecker.Po... {Get-SslCertificateChain, Install-UtilityModule, Remove-UtilityModule, Test-Elevation}
Script 0.0 AzStackHci.EnvironmentChecker.Re... {Add-AzStackHciEnvJob, Close-AzStackHciEnvJob, Get-AzStackHciEnvironmentCheckerEvents, Get-AzStackHciEnvProgress...}
Script 0.0 AzStackHci.EnvironmentChecker.Ut... {Get-DeploymentData, Get-IsProxyEnabled, Get-TestCount, Get-TestListByFunction...}
Script 0.0 AzStackHci.ExternalActiveDirecto... {Get-ClusterNameFromCommandLineOrConfigFile, Get-ParamFromCommandLineOrConfigFile, Get-PhysicalHostNamesFromCommandLineOrConfigFile, In...
Script 0.0 AzStackHci.ExternalActiveDirecto... {Test-OrganizationalUnit, Test-OrganizationalUnitOnSession}
Script 0.0 AzStackHci.Hardware.Helpers {Test-Baseboard, Test-FreeSpace, Test-Gpu, Test-MemoryCapacity...}
Script 0.0 AzStackHci.MOCStack.Helpers {Test-MOCStackCloudAgent, Test-MOCStackClusterNode, Test-MOCStackCPUCore, Test-MOCStackFirewallUrl...}
Script 0.0 AzStackHci.Network.Helpers {GetMgmtIpRange, IsTcpPortInUse, Test-MgmtIpRange, TestDHCPStatus...}
Script 0.0 AzStackHci.Observability.Helpers {Test-LogCollection, Test-ObservabilityVolume, Test-RemoteSupport}
Script 0.0 AzStackHci.Ports.Helpers {Get-AzStackHciPortOperationName, Get-AzStackHciPortServiceName, Get-AzStackHciPortTarget, Import-AzStackHciPortTarget...}
Script 0.0 AzStackHCI.RemoteSupport.Helpers {Disable-AzStackHciRemoteSupport, Enable-AzStackHciRemoteSupport, Get-AzStackHCIRemoteSupportAccess, Get-AzStackHCIRemoteSupportSession...
Script 0.0 AzStackHci.SBEHealth.Helpers {Assert-ResponseSchemaValid, Copy-SBEContentLocalToNode, Get-SBEHealthCheckParams, Import-SolutionExtensionModule...}
Script 0.0 AzStackHci.Software.Helpers {Test-IsNotPartofDomain, Test-LocalGroupEnumeration, Test-NtpServer, Test-OSVersion}
Script 0.0 AzStackHCI.StandaloneObservabili...
Script 0.0 AzStackHci.Storage.Helpers {GetRequiredInfraVolumeNames, GetRequiredInfraVolumeRawSizeTotalInBytes, Test-HciStoragePool, Test-HciStorageVolumes}
Error output
HistoryId: 68
Message : Authentication failed against tenant XXX. User interaction is required. This may be due to the conditional access policy settings such as
multi-factor authentication (MFA). If you need to access subscriptions in that tenant, please rerun 'Connect-AzAccount' with additional parameter '-TenantId
XXX'.
StackTrace : at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzureAccount account, IAzureEnvironment environment, String tenant,
SecureString password, String promptBehavior, Action`1 promptAction, IAzureTokenCache tokenCache, String resourceId)
at Microsoft.Azure.Commands.Profile.GetAzureRmAccessTokenCommand.ExecuteCmdlet()
at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
Exception : Microsoft.Azure.Commands.Common.Exceptions.AzPSAuthenticationFailedException
InvocationInfo : {Get-AzAccessToken}
Line : $ARMtoken = (Get-AzAccessToken).Token
Position : At line:1 char:14
+ $ARMtoken = (Get-AzAccessToken).Token
+ ~~~~~~~~~~~~~~~~~
HistoryId : 68
Message : SharedTokenCacheCredential authentication unavailable. Token acquisition failed for user nathan@XXX. Ensure that you have authenticated with a developer tool that
supports Azure single sign on.
StackTrace : at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable)
at Azure.Identity.SharedTokenCacheCredential.<GetTokenImplAsync>d__31.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Azure.Identity.SharedTokenCacheCredential.<GetTokenAsync>d__30.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Azure.PowerShell.Authenticators.MsalAccessToken.<GetAccessTokenAsync>d__33.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzureAccount account, IAzureEnvironment environment, String tenant,
SecureString password, String promptBehavior, Action`1 promptAction, IAzureTokenCache tokenCache, String resourceId)
Exception : Azure.Identity.CredentialUnavailableException
InvocationInfo : {Get-AzAccessToken}
Line : $ARMtoken = (Get-AzAccessToken).Token
Position : At line:1 char:14
+ $ARMtoken = (Get-AzAccessToken).Token
+ ~~~~~~~~~~~~~~~~~
HistoryId : 68
Message : Could not find a WAM account for the selected user. Error: Status: AccountNotFound
Context: Account with id '(pii)' not found
Tag: 0x1f553780
StackTrace : at Microsoft.Identity.Client.Internal.Requests.Silent.SilentRequest.<ExecuteAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Identity.Client.Utils.StopwatchService.<MeasureCodeBlockAsync>d__4.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Identity.Client.Internal.Requests.RequestBase.<RunAsync>d__11.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Identity.Client.ApiConfig.Executors.ClientApplicationBaseExecutor.<ExecuteAsync>d__2.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Azure.Identity.AbstractAcquireTokenParameterBuilderExtensions.<ExecuteAsync>d__0`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Azure.Identity.MsalPublicClient.<AcquireTokenSilentCoreAsync>d__11.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Azure.Identity.MsalPublicClient.<AcquireTokenSilentAsync>d__10.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Azure.Identity.SharedTokenCacheCredential.<GetTokenImplAsync>d__31.MoveNext()
Exception : Microsoft.Identity.Client.MsalUiRequiredException
InvocationInfo : {Get-AzAccessToken}
Line : $ARMtoken = (Get-AzAccessToken).Token
Position : At line:1 char:14
+ $ARMtoken = (Get-AzAccessToken).Token
+ ~~~~~~~~~~~~~~~~~
HistoryId : 68
HistoryId: 64
Message : Cannot bind argument to parameter 'ArmAccessToken' because it is an empty string.
StackTrace : at System.Management.Automation.ParameterBinderBase.ValidateNullOrEmptyArgument(CommandParameterInternal parameter, CompiledCommandParameter parameterMetadata, Type
argumentType, Object parameterValue, Boolean recurseIntoCollections)
at System.Management.Automation.ParameterBinderBase.BindParameter(CommandParameterInternal parameter, CompiledCommandParameter parameterMetadata, ParameterBindingFlags flags)
at System.Management.Automation.CmdletParameterBinderController.BindParameter(CommandParameterInternal argument, MergedCompiledCommandParameter parameter,
ParameterBindingFlags flags)
at System.Management.Automation.CmdletParameterBinderController.BindParameter(UInt32 parameterSets, CommandParameterInternal argument, MergedCompiledCommandParameter
parameter, ParameterBindingFlags flags)
at System.Management.Automation.CmdletParameterBinderController.BindParameters(UInt32 parameterSets, Collection`1 arguments)
at System.Management.Automation.CmdletParameterBinderController.BindCommandLineParametersNoValidation(Collection`1 arguments)
at System.Management.Automation.CmdletParameterBinderController.BindCommandLineParameters(Collection`1 arguments)
at System.Management.Automation.CommandProcessor.BindCommandLineParameters()
at System.Management.Automation.CommandProcessor.Prepare(IDictionary psDefaultParameterValues)
at System.Management.Automation.CommandProcessorBase.DoPrepare(IDictionary psDefaultParameterValues)
at System.Management.Automation.Internal.PipelineProcessor.Start(Boolean incomingStream)
at System.Management.Automation.Internal.PipelineProcessor.SynchronousExecuteEnumerate(Object input)
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Management.Automation.Internal.PipelineProcessor.SynchronousExecuteEnumerate(Object input)
at System.Management.Automation.PipelineOps.InvokePipeline(Object input, Boolean ignoreInput, CommandParameterInternal[][] pipeElements, CommandBaseAst[] pipeElementAsts,
CommandRedirection[][] commandRedirections, FunctionContext funcContext)
at System.Management.Automation.Interpreter.ActionCallInstruction`6.Run(InterpretedFrame frame)
at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
Exception : System.Management.Automation.ParameterBindingValidationException
InvocationInfo : {Invoke-AzStackHciArcInitialization}
Line : Invoke-AzStackHciArcInitialization -SubscriptionID $Subscription -ResourceGroup $RG -TenantID $Tenantid -Region $Region -Cloud "AzureCloud" -ArmAccessToken $ARMtoken -AccountID
$id
Position : At line:1 char:157
+ ... -Region $Region -Cloud "AzureCloud" -ArmAccessToken $ARMtoken -Accoun ...
+ ~~~~~~~~~
HistoryId : 64
HistoryId: 61
Message : Authentication failed against tenant XXX. User interaction is required. This may be due to the conditional access policy settings such as
multi-factor authentication (MFA). If you need to access subscriptions in that tenant, please rerun 'Connect-AzAccount' with additional parameter '-TenantId
XXX'.
StackTrace : at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzureAccount account, IAzureEnvironment environment, String tenant,
SecureString password, String promptBehavior, Action`1 promptAction, IAzureTokenCache tokenCache, String resourceId)
at Microsoft.Azure.Commands.Profile.GetAzureRmAccessTokenCommand.ExecuteCmdlet()
at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
Exception : Microsoft.Azure.Commands.Common.Exceptions.AzPSAuthenticationFailedException
InvocationInfo : {Get-AzAccessToken}
Line : $ARMtoken = (Get-AzAccessToken).Token
Position : At line:1 char:14
+ $ARMtoken = (Get-AzAccessToken).Token
+ ~~~~~~~~~~~~~~~~~
HistoryId : 61
Message : SharedTokenCacheCredential authentication unavailable. Token acquisition failed for user nathan@XXX. Ensure that you have authenticated with a developer tool that
supports Azure single sign on.
StackTrace : at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable)
at Azure.Identity.SharedTokenCacheCredential.<GetTokenImplAsync>d__31.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Azure.Identity.SharedTokenCacheCredential.<GetTokenAsync>d__30.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Azure.PowerShell.Authenticators.MsalAccessToken.<GetAccessTokenAsync>d__33.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzureAccount account, IAzureEnvironment environment, String tenant,
SecureString password, String promptBehavior, Action`1 promptAction, IAzureTokenCache tokenCache, String resourceId)
Exception : Azure.Identity.CredentialUnavailableException
InvocationInfo : {Get-AzAccessToken}
Line : $ARMtoken = (Get-AzAccessToken).Token
Position : At line:1 char:14
+ $ARMtoken = (Get-AzAccessToken).Token
+ ~~~~~~~~~~~~~~~~~
HistoryId : 61
Message : Could not find a WAM account for the selected user. Error: Status: AccountNotFound
Context: Account with id '(pii)' not found
Tag: 0x1f553780
StackTrace : at Microsoft.Identity.Client.Internal.Requests.Silent.SilentRequest.<ExecuteAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at
Hey @NathOsull thanks for reporting. Could you run a Connect-AzAccount then try again?
Note that if multi-factor authentication (MFA) is required by your tenant, you need to add -TenantId to Connect-AzAccount
Hi @NathOsull, currently you can work around it in the following ways:
If you are on a Windows system, log in interactively before you run any other Azure PowerShell cmdlets
Connect-AzAccount
If you have no access to a Windows system with UI, you can disable WAM temporarily
Update-AzConfig -EnableLoginByWam $false
We are experiencing the same error with no change on our side to PowerShell scripts. It suddenly stopped working and we are getting a similar error when attempting to get a token after a successful connection with Connect-AzAccount
Connect-AzAccount -Credential $credential -Tenant $tenantId
$azContext = Get-AzContext
Write-Host "Connected: $($azContext.Account)"
$script:resourceUrl = "https://api.fabric.microsoft.com"
$script:fabricToken = (Get-AzAccessToken -ResourceUrl $script:resourceUrl).Token
It gives error
Get-AzAccessToken: Authentication failed against resource https://api.fabric.microsoft.com. User interaction is required. This may be due to the conditional access policy settings such as multi-factor authentication (MFA). Please rerun 'Connect-AzAccount' with additional parameter '-AuthScope https://api.fabric.microsoft.com'.
We have verified there is no MFA or conditional access policy blocking the credential account. Have also tested with AuthScope but this gives no difference in the error and tenantId is already present in Connect-AzAccount as advised.
When running the suggested workaround to disable WAM it works, but this shouldn't be necessary?
Update-AzConfig -EnableLoginByWam $false
As mentioned, this has worked for multiple months and started failing today, so it leads us to think there has been a bug released in the Az PowerShell module? Any ideas/references? It looks similar to this issue reported as well: #24967
I ran this and now it works again
Hi @NathOsull, currently you can work around it by disabling WAM temporarily
Update-AzConfig -EnableLoginByWam $false
Ran this ^^ and all working (thanks by the way) ....what changed within a week?
@NathOsull what is the way to Connect-AzAccount before you run Get-AzAccessToken?
@NathOsull @gudbrand3 The issue is due to the change https://learn.microsoft.com/en-us/powershell/azure/release-notes-azureps?view=azps-12.0.0#azaccounts-300
Web Account Manager (WAM) was set as the default experience for interactive login. For more details please refer to https://go.microsoft.com/fwlink/?linkid=2272007
If you logged in with a user authentication flow (username and password, interactively, device code) before, you have to run Connect-AzAccount to log in interactively before you run any other Azure PowerShell cmdlets after you move to Az.Accounts 3.0.0. We are working on a fix for the issue.
To re-enable WAM, please run
Update-azconfig -EnableLoginByWam $true
and then restart the PowerShell session
Check whether WAM is enabled
Get-AzConfig -EnableLoginByWam
If you enable WAM and run Connect-AzAccount interactively but still have an issue running subsequent cmdlets, please let us know. The WAM feature relies greatly on the environment. We developers may not have the same environment as you, so we cannot find the issues easily.
The reporter doesn't mention which auth flow they use to log in. But no matter what it is, the issue should be mitigated in Az.Accounts 3.0.1. Close the issue now.
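A fail-closed way to fetch the token discussed in this thread, so that a failed `Get-AzAccessToken` stops the script instead of passing an empty string on to `-ArmAccessToken`. This is an added example, not code from the thread or from the Az module: `Get-ArmTokenOrThrow` is a hypothetical helper name, and the SecureString branch assumes an Az.Accounts release that returns `Token` as a SecureString rather than a string.

```powershell
# Added example (hypothetical helper, not part of Az.Accounts).
# Fetches an access token and throws, with the context needed to triage the
# WAM problem from this thread, instead of returning an empty value.
function Get-ArmTokenOrThrow {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string] $TenantId,

        # Optional; when omitted the cmdlet's default resource is used,
        # as in the original report.
        [string] $ResourceUrl
    )

    # Version of the module that will serve the cmdlet (3.0.0 is the release
    # the thread ties the failure to; 3.0.1 is named as the mitigation).
    $accountsVersion = (Get-Command Get-AzAccessToken -ErrorAction Stop).Version

    # Current WAM setting, using the check given in the thread.
    $wam = (Get-AzConfig -EnableLoginByWam | Select-Object -First 1).Value

    # A context for the right tenant must exist before asking for a token.
    $context = Get-AzContext
    if (-not $context -or $context.Tenant.Id -ne $TenantId) {
        throw "No Az context for tenant $TenantId. Run 'Connect-AzAccount -TenantId $TenantId' first."
    }

    $tokenArgs = @{ TenantId = $TenantId; ErrorAction = 'Stop' }
    if ($ResourceUrl) { $tokenArgs.ResourceUrl = $ResourceUrl }

    try {
        $result = Get-AzAccessToken @tokenArgs
    }
    catch {
        # Surface what the maintainers asked for: module version, WAM state,
        # and the two workarounds given in the thread.
        $hint = "Az.Accounts $accountsVersion, EnableLoginByWam=$wam. " +
                "Run 'Connect-AzAccount -TenantId $TenantId' interactively, or " +
                "'Update-AzConfig -EnableLoginByWam `$false' as a temporary workaround."
        throw "Get-AzAccessToken failed: $($_.Exception.Message) [$hint]"
    }

    # Assumption: newer Az.Accounts releases return Token as a SecureString.
    $token = $result.Token
    if ($token -is [securestring]) {
        $token = [System.Net.NetworkCredential]::new('', $token).Password
    }

    # Fail closed: never hand an empty token to a downstream cmdlet.
    if ([string]::IsNullOrWhiteSpace($token)) {
        throw "Get-AzAccessToken returned an empty token (Az.Accounts $accountsVersion, EnableLoginByWam=$wam)."
    }

    [pscustomobject]@{
        Token     = $token
        ExpiresOn = $result.ExpiresOn
        UserId    = $result.UserId
    }
}

# Usage with the variables from the original report:
#   $ARMtoken = (Get-ArmTokenOrThrow -TenantId $Tenantid).Token
#   Invoke-AzStackHciArcInitialization -SubscriptionID $Subscription -ResourceGroup $RG `
#       -TenantID $Tenantid -Region $Region -Cloud "AzureCloud" `
#       -ArmAccessToken $ARMtoken -AccountID $id
```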