Get-AzADServicePrincipal fails with AuthenticationFailedException - SharedTokenCacheCredential authentication failed when used from custom Az environment

[abatishchev]

Description

I created a custom Az environment by cloning Production (AzureCloud) and changing a few properties:

$prod = Get-AzEnvironment -Name AzureCloud
Add-AzEnvironment -Name Canary `
  -ActiveDirectoryAuthority $prod.ActiveDirectoryAuthority `
  -ActiveDirectoryServiceEndpointResourceId $prod.ActiveDirectoryServiceEndpointResourceId `
  -AdTenant $prod.AdTenant `
  -ResourceManagerEndpoint 'https://eastus2euap.management.azure.com' `
  -ManagementPortalUrl $prod.ManagementPortalUrl `
  -ServiceManagementUrl $prod.ServiceManagementUrl `
  -GraphEndpoint $prod.GraphEndpoint `
  -GraphEndpointResourceId $prod.GraphEndpointResourceId `
  -MicrosoftGraphUrl $prod.MicrosoftGraphUrl `
  -MicrosoftGraphEndpointResourceId $prod.MicrosoftGraphEndpointResourceId

Then I log into it:

Login-AzAccount -Environment Canary -Tenant $tenant -Subscription $sub

However, the Az AD commands fail now, e.g.:

Get-AzADApplication -DisplayName $name

Issue script & Debug output

DEBUG: [CmdletBeginProcessing]: Starting command
DEBUG: CmdletBeginProcessing:
DEBUG: CmdletProcessRecordStart:
DEBUG: Client side pagination is enabled for this cmdlet
DEBUG: CmdletGetPipeline:
DEBUG: CmdletBeforeAPICall:
DEBUG: URLCreated: /applications?$filter=displayName%20eq%20%27ats-local%27
DEBUG: RequestCreated: /v1.0/applications?$filter=displayName%20eq%20%27ats-local%27
DEBUG: HeaderParametersAdded:
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://graph.microsoft.com/v1.0/applications?$filter=displayName eq %27ats-local%27

Headers:
x-ms-client-request-id        : 3684e77c-3426-44b7-9b23-1b7bec63c118
CommandName                   : Az.MSGraph.internal\Get-AzADApplication
FullCommandName               : Get-AzADApplication_List
ParameterSetName              : __AllParameterSets
User-Agent                    : AzurePowershell/v10.0.0,PSVersion/v7.5.1,Az.MSGraph/7.8.1

Body:



DEBUG: BeforeCall:
DEBUG: Finally:
DEBUG: [CmdletProcessRecordAsyncEnd]: Finish HTTP process
DEBUG: CmdletProcessRecordAsyncEnd:
DEBUG: [CmdletException]: Received Exception with message 'AuthenticationFailedException - SharedTokenCacheCredential authentication failed:  :    at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable)
   at Azure.Identity.SharedTokenCacheCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.SharedTokenCacheCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Microsoft.Azure.PowerShell.Authenticators.MsalAccessToken.GetAccessTokenAsync(String callerClassName, String parametersLog, TokenCredential tokenCredential, TokenRequestContext requestContext, CancellationToken cancellationToken, String tenantId, String userId, String homeAccountId)
   at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzureAccount account, IAzureEnvironment environment, String tenant, SecureString password, String promptBehavior, Action`1 promptAction, IDictionary`2 optionalParameters)
   at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzureAccount account, IAzureEnvironment environment, String tenant, SecureString password, String promptBehavior, Action`1 promptAction, IAzureTokenCache tokenCache, String resourceId)
   at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzureAccount account, IAzureEnvironment environment, String tenant, SecureString password, String promptBehavior, Action`1 promptAction, String resourceId)
   at Microsoft.Azure.Commands.Common.ContextAdapter.<>c__DisplayClass15_0.<AuthorizeRequest>b__0()
   at System.Threading.Tasks.Task`1.InnerInvoke()
   at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
--- End of stack trace from previous location ---
   at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot, Thread threadPoolThread)
--- End of stack trace from previous location ---
   at Microsoft.Azure.Commands.Common.ContextAdapter.AuthorizeRequest(IAzureContext context, HttpRequestMessage request, CancellationToken cancellationToken, String endpointResourceIdKey, String endpointSuffixKey, Func`6 tokenAudienceConverter, IDictionary`2 extensibleParamters)
   at Microsoft.Azure.Commands.Common.ContextAdapter.AuthenticationHelper(IAzureContext context, String endpointResourceIdKey, String endpointSuffixKey, HttpRequestMessage request, CancellationToken cancelToken, Action cancelAction, Func`4 signal, Func`5 next, Func`6 tokenAudienceConverter)
   at Microsoft.Azure.Commands.Common.ContextAdapter.<>c__DisplayClass10_0.<<AddAuthorizeRequestHandler>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.Azure.Commands.Common.ContextAdapter.<>c__DisplayClass9_0.<<AddPatchRequestUriHandler>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.Module.SendAsync(HttpRequestMessage request, IEventListener callback, ISendAsync next)
   at Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.MSGraph.ApplicationsApplicationListApplication_Call(HttpRequestMessage request, Func`3 onOk, Func`3 onDefault, IEventListener eventListener, ISendAsync sender)
   at Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.MSGraph.ApplicationsApplicationListApplication_Call(HttpRequestMessage request, Func`3 onOk, Func`3 onDefault, IEventListener eventListener, ISendAsync sender)
   at Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.MSGraph.ApplicationsApplicationListApplication(String consistencyLevel, String Search, String Filter, Nullable`1 Count, String[] Orderby, String[] Select, String[] Expand, Func`3 onOk, Func`3 onDefault, IEventListener eventListener, ISendAsync sender)
   at Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.Cmdlets.GetAzADApplication_List.ProcessRecordAsync()
   at Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.Cmdlets.GetAzADApplication_List.ProcessRecordAsync()'
DEBUG: CmdletException: AuthenticationFailedException - SharedTokenCacheCredential authentication failed:  :    at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable)
   at Azure.Identity.SharedTokenCacheCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.SharedTokenCacheCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Microsoft.Azure.PowerShell.Authenticators.MsalAccessToken.GetAccessTokenAsync(String callerClassName, String parametersLog, TokenCredential tokenCredential, TokenRequestContext requestContext, CancellationToken cancellationToken, String tenantId, String userId, String homeAccountId)
   at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzureAccount account, IAzureEnvironment environment, String tenant, SecureString password, String promptBehavior, Action`1 promptAction, IDictionary`2 optionalParameters)
   at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzureAccount account, IAzureEnvironment environment, String tenant, SecureString password, String promptBehavior, Action`1 promptAction, IAzureTokenCache tokenCache, String resourceId)
   at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzureAccount account, IAzureEnvironment environment, String tenant, SecureString password, String promptBehavior, Action`1 promptAction, String resourceId)
   at Microsoft.Azure.Commands.Common.ContextAdapter.<>c__DisplayClass15_0.<AuthorizeRequest>b__0()
   at System.Threading.Tasks.Task`1.InnerInvoke()
   at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
--- End of stack trace from previous location ---
   at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot, Thread threadPoolThread)
--- End of stack trace from previous location ---
   at Microsoft.Azure.Commands.Common.ContextAdapter.AuthorizeRequest(IAzureContext context, HttpRequestMessage request, CancellationToken cancellationToken, String endpointResourceIdKey, String endpointSuffixKey, Func`6 tokenAudienceConverter, IDictionary`2 extensibleParamters)
   at Microsoft.Azure.Commands.Common.ContextAdapter.AuthenticationHelper(IAzureContext context, String endpointResourceIdKey, String endpointSuffixKey, HttpRequestMessage request, CancellationToken cancelToken, Action cancelAction, Func`4 signal, Func`5 next, Func`6 tokenAudienceConverter)
   at Microsoft.Azure.Commands.Common.ContextAdapter.<>c__DisplayClass10_0.<<AddAuthorizeRequestHandler>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.Azure.Commands.Common.ContextAdapter.<>c__DisplayClass9_0.<<AddPatchRequestUriHandler>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.Module.SendAsync(HttpRequestMessage request, IEventListener callback, ISendAsync next)
   at Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.MSGraph.ApplicationsApplicationListApplication_Call(HttpRequestMessage request, Func`3 onOk, Func`3 onDefault, IEventListener eventListener, ISendAsync sender)
   at Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.MSGraph.ApplicationsApplicationListApplication_Call(HttpRequestMessage request, Func`3 onOk, Func`3 onDefault, IEventListener eventListener, ISendAsync sender)
   at Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.MSGraph.ApplicationsApplicationListApplication(String consistencyLevel, String Search, String Filter, Nullable`1 Count, String[] Orderby, String[] Select, String[] Expand, Func`3 onOk, Func`3 onDefault, IEventListener eventListener, ISendAsync sender)
   at Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.Cmdlets.GetAzADApplication_List.ProcessRecordAsync()
   at Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.Cmdlets.GetAzADApplication_List.ProcessRecordAsync()
Get-AzADApplication_List: C:\Users\alexbat\OneDrive - Microsoft\Documents\PowerShell\Modules\Az.Resources\8.0.0\MSGraph.Autorest\custom\Get-AzADApplication.ps1:221
Line |
 221 |      Az.MSGraph.internal\Get-AzADApplication @PSBoundParameters
     |      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | SharedTokenCacheCredential authentication failed:
DEBUG: CmdletProcessRecordEnd:
DEBUG: AzureQoSEvent:  Module: Az.Resources:8.0.0; CommandName: Get-AzADApplication; PSVersion: 7.5.1; IsSuccess: True; Duration: 00:00:00.7917628; SanitizeDuration: 00:00:00

Environment data

Name                           Value
----                           -----
PSVersion                      7.5.1
PSEdition                      Core
GitCommitId                    7.5.1
OS                             Microsoft Windows 10.0.26100
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     8.0.0                 Az.Resources

Error output

[github-actions]

Here are some similar issues that might help you. Please check if they can solve your problem.

• Get-AzAD cmdlets fail in Azure Dogfood with error: SharedTokenCacheCredential authentication failed: AADSTS70011: The provided request must include a 'scope' input parameter. #18142
• Get-AzADServicePrincipal fails with AADSTS70011 #22180
• SharedTokenCacheCredential authentication unavailable. No account matching the specified username: xx@xx.onmicrosoft.com tenantId: xx was found in the cache #15640

---

Possible solution (Extracted from existing issue, might be incorrect; please verify carefully)

Solution 1:

When you use the latest version of Az.Resource, AzAD feature is using MSGraph API. So you need to configure below 2 parameters when you add environment.

[-MicrosoftGraphEndpointResourceId <String>]
[-MicrosoftGraphUrl <String>]

Reference:

• Get-AzAD cmdlets fail in Azure Dogfood with error: SharedTokenCacheCredential authentication failed: AADSTS70011: The provided request must include a 'scope' input parameter. #18142 (comment)
• Get-AzADServicePrincipal fails with AADSTS70011 #22180 (comment)

Solution 2:

In case anyone has further issues with trying to use Get-AzAD cmdlets in Azure Dogfood its because the guidance above no longer works as the endpoints for Microsoft Graph are actually different:

-GraphUrl "https://graph.ppe.windows.net/"
-GraphEndpointResourceId "https://graph.ppe.windows.net/"
-MicrosoftGraphEndpointResourceId "https://graph.microsoft-ppe.com/"
-MicrosoftGraphUrl "https://graph.microsoft-ppe.com/v1.0/"

Reference:

• Get-AzAD cmdlets fail in Azure Dogfood with error: SharedTokenCacheCredential authentication failed: AADSTS70011: The provided request must include a 'scope' input parameter. #18142 (comment)

Powered by issue-sentinel

[isra-fel]

The problem is some of the properties such as MicrosoftGraphEndpointResourceId are under a nested data structure.

PS C:\Users\> $prod = Get-AzEnvironment -Name AzureCloud
PS C:\Users\[3.67s]> $prod.MicrosoftGraphEndpointResourceId
PS C:\Users\[0.03s]> $prod.ExtendedProperties.MicrosoftGraphUrl #<---- note the ExtendedProperties here
https://graph.microsoft.com
PS C:\Users\[0.04s]> $prod.ExtendedProperties.MicrosoftGraphEndpointResourceId
https://graph.microsoft.com/

This design was to prevent binary breaking change BTW

[abatishchev]

Fix:

$prod = Get-AzEnvironment -Name AzureCloud
Set-AzEnvironment -Name Canary `
   # same as above
  -MicrosoftGraphUrl $prod.ExtendedProperties.MicrosoftGraphUrl `
  -MicrosoftGraphEndpointResourceId $prod.ExtendedProperties.MicrosoftGraphEndpointResourceId

Thanks, @isra-fel !!