
The Known Issues of Az.Accounts 3.0.0 and Their Workarounds

Open msJinLei opened this issue 1 year ago • 9 comments

1. The interactive login method cannot pop up a window for WAM (Fixed)

Reports an error "User canceled authentication". Refer to https://github.com/AzureAD/microsoft-authentication-library-for-python/issues/707

  • Workaround of Az.Accounts 3.0.0
Update-AzConfig -EnableLoginByWam $false

[!NOTE] Fixed in Az.Accounts 3.0.1

2. Azure PowerShell cmdlets are unable to run after login with DeviceCode and DeviceCode login methods will fail without -Tenant parameter (Mitigated)

  • Workaround of Az.Accounts 3.0.0
    • Login interactively with the same account on the same machine
    • If 1 is not applicable, disable WAM
Update-AzConfig -EnableLoginByWam $false

[!NOTE] Mitigated in Az.Accounts 3.0.1

Root cause

The root cause was found to be an issue with the cache of MSAL. See https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/4786. We are going to integrate the fix into Az.Accounts soon https://github.com/Azure/azure-powershell/pull/25618

3. Azure PowerShell cmdlets are unable to run after login with UserName+Password and UserName+Password login methods will fail without -Tenant parameter (Mitigated)

  • Workaround of Az.Accounts 3.0.0
    • Login interactively with the same account on the same machine
    • If 1 is not applicable, disable WAM
Update-AzConfig -EnableLoginByWam $false

[!NOTE] Mitigated in Az.Accounts 3.0.1

Root cause

UserName+Password cannot support WAM yet and we are requesting Azure.Identity to add the related interface https://github.com/Azure/azure-sdk-for-net/issues/45439

4. WAM pop-up window to select an account is not easy to find

  • Workaround: minimize other windows to look for the pop-up window carefully

Root cause

Fail to get the right console handle. See https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/4887

5. WAM pop-up window doesn't display "Work and school account" option

  • Workaround
Update-AzConfig -EnableLoginByWam $false

[!NOTE] MSAL team is working on the issue see https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/4797

6. The interactive login method cannot pop up a window for WAM in the Windows PowerShell ISE console

  • Workaround
Update-AzConfig -EnableLoginByWam $false

[!NOTE] Reported to MSAL team, see https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/4796

7. The ExportAzSshConfig and EnterAzVMCommand from Az.Ssh cannot be used when WAM is enabled.

  • Workaround
Update-AzConfig -EnableLoginByWam $false
  • Related issue of MSAL.Net https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/4909

msJinLei avatar May 28 '24 07:05 msJinLei
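
The `Update-AzConfig -EnableLoginByWam $false` workaround listed above, applied for the current PowerShell process only so the override does not outlive the session, with a way to remove a previously persisted override. This is an added example, not code from the issue thread; the function name `Use-AzLoginWithoutWam` is hypothetical, and `-Scope Process` and `Clear-AzConfig` are Az.Accounts config options that the thread itself does not mention.

```powershell
# Added example, not from the issue thread. Use-AzLoginWithoutWam is a hypothetical name.
function Use-AzLoginWithoutWam {
    [CmdletBinding()]
    param(
        [string] $Tenant,   # tenant ID or domain, supplied by the caller
        [switch] $Revert    # remove a persisted CurrentUser override instead of logging in
    )

    # Pick the newest installed Az.Accounts, which is what a plain import would load.
    $module = Get-Module -ListAvailable -Name Az.Accounts |
        Sort-Object Version -Descending | Select-Object -First 1
    if (-not $module) { throw 'Az.Accounts is not installed.' }
    Import-Module Az.Accounts -RequiredVersion $module.Version

    if ($Revert) {
        # Undo an earlier "Update-AzConfig -EnableLoginByWam $false" saved for this user.
        Clear-AzConfig -EnableLoginByWam -Scope CurrentUser
        return Get-AzConfig -EnableLoginByWam
    }

    if (-not $Tenant) { throw 'Specify -Tenant (issues 2 and 3 fail without it).' }

    if ($module.Version -eq [version]'3.0.0') {
        # Per the list above: issue 1 is fixed and issues 2 and 3 are mitigated in 3.0.1.
        Write-Warning 'Az.Accounts 3.0.0 detected; 3.0.1 fixes or mitigates issues 1-3.'
    }

    # Show the effective value and the scope it comes from before changing anything.
    Get-AzConfig -EnableLoginByWam | Format-Table Key, Value, Scope | Out-Host

    # Apply the workaround to this process only; new sessions keep the default.
    Update-AzConfig -EnableLoginByWam $false -Scope Process | Out-Null

    Connect-AzAccount -Tenant $Tenant
}
```

Call `Use-AzLoginWithoutWam -Tenant <tenant>` to log in with WAM disabled for the session, and `Use-AzLoginWithoutWam -Revert` after upgrading to clear an override that was saved at user scope.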

What about https://github.com/Azure/azure-powershell/issues/25003?

slavizh avatar May 29 '24 09:05 slavizh

In ISE, on Windows 11 mine says the following, does this correlate?

# 12.0.0    Az
# 3.0.0     Az.Accounts
# 6.0.0     Az.KeyVault
Connect-AzAccount -Tenantid [TenantID] -Subscription [Subscription]
# > Connect-AzAccount : InteractiveBrowserCredential authentication failed: A window handle must be configured. See https://aka.ms/msal-net-wam#parent-window-handles 
# > Could not find tenant id for provided tenant domain '[TenantID]'. Please ensure that the provided user is found in the provided tenant domain.

weyCC81 avatar May 29 '24 12:05 weyCC81

What about #25003?

Thanks for reporting the issue. I reply in it.

msJinLei avatar May 29 '24 13:05 msJinLei

@weyCC81 Thanks for reporting the issue. I shall say yes

Please disable WAM to work around it first

Update-AzConfig -EnableLoginByWam $false

msJinLei avatar May 29 '24 13:05 msJinLei

@weyCC81 Yes, we have reported your issue to MSAL https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/4796

msJinLei avatar Jun 04 '24 07:06 msJinLei

I get the same issue whenever I run from an elevated console window. Running the:

Update-AzConfig -EnableLoginByWam $false

...command fixes it.

spongemike2 avatar Jun 21 '24 20:06 spongemike2

We have solved the below issue in the latest version: Az.Accounts 3.0.1

  1. The interactive login method cannot popup window for WAM

We are still working on other issues and will update the progress gradually.

Alex-wdy avatar Jul 11 '24 00:07 Alex-wdy

Using updated versions Az.Accounts 3.0.1 - 3.0.4 and it appears to still hang even after running cmdlet: Update-AzConfig -EnableLoginByWam $false

RichardS013 avatar Sep 10 '24 16:09 RichardS013

Can you give me some more details? Normally, this issue should not exist.

Alex-wdy avatar Oct 17 '24 01:10 Alex-wdy

2 and 7 issues will be released at Az.13.0.0 version.

Alex-wdy avatar Nov 06 '24 05:11 Alex-wdy

4. WAM pop-up window to select an account is not easy to find
   Workaround: minimize other windows to look for the pop-up window carefully

Is this for real? Your response to a fundamental break in the PowerShell login experience is a shrug?

Like most developers, I'm running a multi-screen display environment, and every time I log in, it's like I'm playing whack-a-mole trying to find this stupid login screen. Sometimes it's on the same screen, but buried behind the 8-10 windows I run. Sometimes on my second or third monitor, but again NEVER on top.

How trivial would it be to add the "Always on top" (WS_EX_TOPMOST) flag to the window? I believe that was implemented in Windows 3.x.

ChristopherGLewis avatar Dec 11 '24 19:12 ChristopherGLewis

it's like I'm playing whack-a-mole trying

I understand your pain-point. We list the "workaround" just to unblock the customers who thought the login window was not popped-up. We create the issue to track it. But the fix may refer to several teams so as to require more time.

msJinLei avatar Dec 12 '24 06:12 msJinLei

It's been 5 months. These teams are all Microsoft teams.

WAM should have never been released with this fundamental flaw.

ChristopherGLewis avatar Dec 16 '24 15:12 ChristopherGLewis