Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

az login error in interactive mode #30810

Open
oceanshade opened this issue Feb 12, 2025 · 4 comments
Open

az login error in interactive mode #30810

oceanshade opened this issue Feb 12, 2025 · 4 comments
Assignees
@jiasli
Labels
Account az login/account Auto-Assign Auto assign by bot Auto-Resolve Auto resolve by bot Azure CLI Team The command of the issue is owned by Azure CLI team customer-reported Issues that are reported by GitHub users external to the Azure organization. Possible-Solution question The issue doesn't require a change to the product in order to be resolved. Most issues start as that Similar-Issue
Milestone
Backlog

Comments

@oceanshade
Copy link

Describe the bug

when run this command:
az login --tenant vgc.partner.onmschina.cn
A web browser has been opened at https://login.partner.microsoftonline.cn/a12a82ff-eb68-4d6d-b3c7-c4fb2d2220e5/oauth2/v2.0/authorize. Please continue the login in the web browser. If no web browser is available or if the web browser fails to open, use device code flow with az login --use-device-code.
then the interactive pop up window of microsoft edge showed up and then I input my azure account for this tenant to login, it looks authentication verified successfully, but finally it told me that authentication failed with the following message:
AADSTS500011: The resource principal named https://management.core.windows.net/ was not found in the tenant named VGC. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant. Trace ID: f19a3214-aaac-4396-bd0b-f19506925a01 Correlation ID: 596ef644-de7c-4adf-b839-0c25b846cd7b Timestamp: 2025-02-12 09:53:39Z

Related command

az login --tenant vgc.partner.onmschina.cn

Errors

Authentication failed
invalid_resource: AADSTS500011: The resource principal named https://management.core.windows.net/ was not found in the tenant named VGC. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant. Trace ID: 33290a63-148d-49bb-9b1b-71dd408e2901 Correlation ID: 229a5269-8e56-49e5-aba9-d47a8a7e92f5 Timestamp: 2025-02-12 09:50:16Z. (https://login.partner.microsoftonline.cn/error?code=500011)

Issue script & Debug output

az login --tenant vgc.partner.onmschina.cn
A web browser has been opened at https://login.partner.microsoftonline.cn/a12a82ff-eb68-4d6d-b3c7-c4fb2d2220e5/oauth2/v2.0/authorize. Please continue the login in the web browser. If no web browser is available or if the web browser fails to open, use device code flow with az login --use-device-code.
AADSTS500011: The resource principal named https://management.core.windows.net/ was not found in the tenant named VGC. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant. Trace ID: 33290a63-148d-49bb-9b1b-71dd408e2901 Correlation ID: 229a5269-8e56-49e5-aba9-d47a8a7e92f5 Timestamp: 2025-02-12 09:50:16Z

Authentication failed
invalid_resource: AADSTS500011: The resource principal named https://management.core.windows.net/ was not found in the tenant named VGC. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant. Trace ID: 33290a63-148d-49bb-9b1b-71dd408e2901 Correlation ID: 229a5269-8e56-49e5-aba9-d47a8a7e92f5 Timestamp: 2025-02-12 09:50:16Z. (https://login.partner.microsoftonline.cn/error?code=500011)

Expected behavior

it can be login successfully to use azure cli

Environment Summary

azure-cli 2.44.1 *

core 2.44.1 *
telemetry 1.0.8 *

Dependencies:
msal 1.20.0
azure-mgmt-resource 21.1.0b1

Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\gw029di.azure\cliextensions'

Python (Windows) 3.10.8 (tags/v3.10.8:aaaf517, Oct 11 2022, 16:37:59) [MSC v.1933 32 bit (Intel)]

Legal docs and information: aka.ms/AzureCliLegal

Additional context

No response
@oceanshade oceanshade added the bug This issue requires a change to an existing behavior in the product in order to be resolved. label Feb 12, 2025
@azure-client-tools-bot-prd azure-client-tools-bot-prd
Copy link

Hi @oceanshade,

2.44.1 is not the latest Azure CLI(2.69.0).

If you haven't already attempted to do so, please upgrade to the latest Azure CLI version by following https://learn.microsoft.com/en-us/cli/azure/update-azure-cli.

@azure-client-tools-bot-prd azure-client-tools-bot-prd bot added the Auto-Resolve Auto resolve by bot label Feb 12, 2025
@yonzhan
Copy link
Collaborator

yonzhan commented Feb 12, 2025

Thank you for opening this issue, we will look into it.

@microsoft-github-policy-service microsoft-github-policy-service bot added customer-reported Issues that are reported by GitHub users external to the Azure organization. Auto-Assign Auto assign by bot Account az login/account labels Feb 12, 2025
@microsoft-github-policy-service microsoft-github-policy-service bot added Azure CLI Team The command of the issue is owned by Azure CLI team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Feb 12, 2025
@github-actions GitHub Actions
Copy link

Here are some similar issues that might help you. Please check if they can solve your problem.

Possible solution (Extracted from existing issue, might be incorrect; please verify carefully)

Solution 1:

The error AADSTS500011 is from AAD service, not Azure CLI. Are you using the AzureCloud public cloud? In sovereign clouds or Azure Stack, the resource URI of ARM is different. For example, in AzureChinaCloud, it's https://management.chinacloudapi.cn. Please make sure you are using the correct ARM URI and try again. If you still can't solve it, please contact Azure Support or your cloud administrator.

Reference:

Solution 2:

Ok, I was able to get this working. There are two typos in the credential_scopes examples given for AzureChinaCloud in the page linked in Reproduce steps (https://docs.microsoft.com/en-us/azure/developer/python/azure-sdk-sovereign-domain). The scope needs a / after the host url and should not have a ' at the end. This works: credential_scopes=[AZURE_CHINA_CLOUD.endpoints.resource_manager + "/.default"] This does not: credential_scopes=[AZURE_CHINA_CLOUD.endpoints.resource_manager + ".default'"] The argument needs to be used for any auth *Client (ResourceManagementClient, ComputeManagementClient, NetworkManagementClient, StorageManagementClient, etc).

Reference:

@yonzhan yonzhan removed the bug This issue requires a change to an existing behavior in the product in order to be resolved. label Feb 12, 2025
@yonzhan yonzhan added this to the Backlog milestone Feb 12, 2025
@oceanshade
Copy link
Author

oceanshade commented Feb 13, 2025 via email

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jiasli jiasli

Labels
Account az login/account Auto-Assign Auto assign by bot Auto-Resolve Auto resolve by bot Azure CLI Team The command of the issue is owned by Azure CLI team customer-reported Issues that are reported by GitHub users external to the Azure organization. Possible-Solution question The issue doesn't require a change to the product in order to be resolved. Most issues start as that Similar-Issue
Projects
None yet
Milestone
Backlog
Development

No branches or pull requests
3 participants
@jiasli @yonzhan @oceanshade