[BUG] Azure CLI auth fails when tenant is organizations #34387

Closed
jatinpuri-microsoft opened this issue Apr 10, 2023 · 11 comments · Fixed by #37457
Labels
Azure.Identity bug This issue requires a change to an existing behavior in the product in order to be resolved. Client This issue points to a problem in the data-plane of the library.

Comments

@jatinpuri-microsoft

jatinpuri-microsoft commented Apr 10, 2023

Describe the bug
This issue is observed when we upgrade the azure-sdk-bom from 1.2.3 to 1.2.5.

We have a suite of tests that work perfectly fine locally, and also when triggered via Azure DevOps pipelines (via service connection). This is used against azure-sdk-bom 1.2.3. As part of the tests, the code authenticates against an Azure Storage account, Event Grid, etc.

When tried against any version post that (say 1.2.5 or 1.2.11), all the tests start to fail.

    [INFO] Running xx.xxx.xxxxx.xxxx
    [ERROR] Tests run: 2, Failures: 0, Errors: 2, Skipped: 0, Time elapsed: 15.872 s <<< FAILURE! - in xx.xxx.xxxxx.xxxx
    [ERROR] startListeningToMessages2 Time elapsed: 9.308 s <<< ERROR!
    com.azure.messaging.servicebus.ServiceBusException:
    EnvironmentCredential authentication unavailable. Environment variables are not fully configured.To mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azsdk/java/identity/environmentcredential/troubleshoot
    Managed Identity authentication is not available.
    SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.
    IntelliJ Authentication not available. Please log in with Azure Tools for IntelliJ plugin in the IDE.
    AzureCliCredential authentication unavailable. Please run 'az login' to set up account. To further mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azsdk/java/identity/azclicredential/troubleshoot
    Error reading data from readerTo mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azure-identity-java-default-azure-credential-troubleshoot
    Caused by: com.azure.identity.CredentialUnavailableException:
    EnvironmentCredential authentication unavailable. Environment variables are not fully configured.To mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azsdk/java/identity/environmentcredential/troubleshoot
    Managed Identity authentication is not available.
    SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.
    IntelliJ Authentication not available. Please log in with Azure Tools for IntelliJ plugin in the IDE.
    AzureCliCredential authentication unavailable. Please run 'az login' to set up account. To further mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azsdk/java/identity/azclicredential/troubleshoot
    Error reading data from readerTo mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azure-identity-java-default-azure-credential-troubleshoot

These tests work locally but not when run by an Azure DevOps pipeline. This issue can only be found in the newer versions.

I see an update-log here: https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/identity/azure-identity/CHANGELOG.md#154-2022-08-08
Not sure if this is creating trouble.


Code Snippet

    this.sender = new ServiceBusClientBuilder()
            .credential(namespace, new DefaultAzureCredentialBuilder().build())
            .sender()
            .queueName(queue)
            .buildClient();

And we specify the service connection here:

    - task: AzureCLI@2
      displayName: 'Running unit tests'
      inputs:
        azureSubscription: '${{ parameters.environments.serviceConnectionId }}'
        scriptType: 'bash'
        scriptLocation: 'inlineScript'
        inlineScript: |
          # The below gives expected output. So I am sure azure cli is working as expected.
          az account show
          java -version
          source /etc/profile.d/java.sh
          source /etc/profile.d/maven.sh
          cd java-services
          mvn clean verify -ntp -Dmaven.artifact.threads=30

Expected behavior
Expected it to work with newer versions, as it did with older versions.

Can confirm az cli installed on the underlying host

Setup (please complete the following information):

  • OS: Linux
  • IDE:
  • Library/Libraries: azure-sdk-bom 1.2.11
  • Java version: 17
  • App Server/Environment:
  • Frameworks:
@ghost ghost added the needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. label Apr 10, 2023
@joshfree joshfree added Client This issue points to a problem in the data-plane of the library. Azure.Identity labels Apr 10, 2023
@ghost ghost removed the needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. label Apr 10, 2023
@joshfree
Member

Thanks for filing this, @jatinpuri-microsoft. @g2vinay @billwert please follow up ASAP.

@joshfree joshfree added the bug This issue requires a change to an existing behavior in the product in order to be resolved. label Apr 10, 2023
@billwert
Contributor

Hello @jatinpuri-microsoft! If you are expecting az authentication to work, is it possible it's not logged in when running in the pipeline?

AzureCliCredential authentication unavailable. Please run 'az login' to set up account. To further mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azsdk/java/identity/azclicredential/troubleshoot

Can you enable logging for the before and after and share that?

@jatinpuri-microsoft
Author

jatinpuri-microsoft commented Apr 10, 2023 via email

@billwert
Contributor

The reason I ask is we only hit the error text you're seeing when az's error message has some specific text in it. Thus I am wondering if you had previously been using another authentication method without knowing it or something like that. Looking at the changes in that range, nothing is jumping out to me yet as the culprit.

@jatinpuri-microsoft
Author

jatinpuri-microsoft commented Apr 11, 2023

Hi Bill.

We have a reproducible case. When used against azure-sdk-bom 1.2.3, everything seems to work fine. But when we carve out a branch and use 1.2.11, it results in the above errors.

The moment we roll back from 1.2.11 to 1.2.3, things work again.

So I am not really sure if the environment is the problem. Note, we are facing this problem only when running on Azure DevOps and not locally.

Note: Just before I run mvn clean test, we also make a call to az account list and it shows results as expected.

@saragluna
Member

I ran into the same issue on my Mac. I am able to create resources using Azure CLI, but the azure-identity says "Azure Identity => Attempted credential AzureCliCredential is unavailable."

Both azure-identity 1.7.3 and 1.8.2 report the same error.

My az version:

    ❯ az version
    {
      "azure-cli": "2.47.0",
      "azure-cli-core": "2.47.0",
      "azure-cli-telemetry": "1.0.8",
      "extensions": {
        "azure-devops": "0.18.0",
        "interactive": "0.4.3",
        "spring": "1.11.0"
      }
    }

After some debugging, I found out that the error message should not be az login, the actual error is

ERROR: AADSTS500011: The resource principal named api://xxxxxx/user.impersonation was not found in the tenant named xxx. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.

@billwert
Contributor

Thanks for digging in, @saragluna. I'll investigate further.

@purijatin

Following up on this again. This is still an open issue for us.

We are unable to migrate to the latest version of the azure-sdk because of this. The one we are using has vulnerabilities reported and we need to migrate sooner.

Kindly please help.

@billwert
Contributor

@saragluna It looks like your issue is unrelated to @jatinpuri-microsoft's. In your case, with logging enabled did you see the output you shared here? I believe you should have. If so, that is the expected behavior. You should not have seen the az login guidance as your error doesn't contain the strings az login or az account set.
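
The distinction drawn in this thread, as an added example (not code from the SDK or from any participant): a pipeline pre-flight that requests a token with `az account get-access-token` and classifies the CLI's stderr by the two strings named above versus an AADSTS code. The function names and sample messages are constructed; the resource argument is whatever your client actually requests.

```shell
#!/usr/bin/env bash
# Added example: classify the stderr of a failed `az account get-access-token`.
# Function names and the sample messages at the bottom are constructed.

# Prints one of: login-required | aad-error:<code> | other
classify_az_error() {
  local stderr_text="$1" code
  # The "az login" guidance only fits when az's own message contains
  # one of the two strings named in the thread.
  case "$stderr_text" in
    *"az login"*|*"az account set"*) echo "login-required"; return 0 ;;
  esac
  # An AADSTS code is an error from the token service for this specific
  # request (as in the AADSTS500011 report above), so surface the code.
  code=$(printf '%s\n' "$stderr_text" | grep -oE 'AADSTS[0-9]+' | head -n 1) || true
  if [ -n "$code" ]; then
    echo "aad-error:$code"
  else
    echo "other"
  fi
}

# Requests a token for the given resource; on failure prints the category.
# `az account show` succeeding does not prove this call succeeds.
preflight_cli_token() {
  local resource="$1" err
  if ! command -v az >/dev/null 2>&1; then
    echo "az-not-found"; return 1
  fi
  # Capture stderr only; discard the token JSON so it never reaches the log.
  if err=$(az account get-access-token --output json --resource "$resource" 2>&1 >/dev/null); then
    echo "ok"
  else
    classify_az_error "$err"; return 1
  fi
}

# Constructed sample messages, classified offline:
classify_az_error "ERROR: Please run 'az login' to setup account."
classify_az_error "ERROR: AADSTS500011: The resource principal named api://xxxxxx/user.impersonation was not found in the tenant named xxx."
```

Calling `preflight_cli_token` in the same pipeline step that runs the tests shows whether the CLI can issue a token for that resource, independent of the credential chain's summary message.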

@billwert
Contributor

@jatinpuri-microsoft I need you to share the output of the logging when it works, please.

@billwert billwert assigned billwert and unassigned g2vinay Jun 28, 2023
@billwert billwert changed the title [BUG] Azure Identity Auth fails post azure-identity is upgraded [BUG] Azure CLI auth fails when tenant is organizations Jul 10, 2023
@github-actions github-actions bot locked and limited conversation to collaborators Feb 1, 2024