WARNING: Unable to acquire token for tenant 'organizations' #13530

Open
alexandair opened this issue Nov 17, 2020 · 35 comments · Fixed by #13592
Labels: Authentication, Azure PS Team, customer-reported, question

@alexandair
Contributor

Why are we seeing this warning message when we run Connect-AzAccount in Az PowerShell v5.x?

@alexandair added the needs-triage label Nov 17, 2020
@ghost added the question and customer-reported labels Nov 17, 2020
@erich-wang
Member

@alexandair, could you please share the debug stream by running $DebugPreference='Continue' first?

@erich-wang added the Authentication label and removed the needs-triage label Nov 17, 2020
@erich-wang self-assigned this Nov 17, 2020
@alexandair
Contributor Author

@erich-wang

$ docker run -it --rm mcr.microsoft.com/azure-powershell
PowerShell 7.1.0
Copyright (c) Microsoft Corporation.

https://aka.ms/powershell
Type 'help' to get help.

PS />
PS /> $DebugPreference='Continue'
PS /> Connect-AzAccount
DEBUG: Sought all Az modules and got latest version 5.1.0
DEBUG: 3:45:43 PM - ConnectAzureRmAccountCommand begin processing with ParameterSet 'UserWithSubscriptionId'.
DEBUG: 3:45:43 PM - Autosave setting from startup session: 'CurrentUser'
DEBUG: 3:45:43 PM - No autosave setting detected in environment variable 'AzContextAutoSave'.
DEBUG: 3:45:43 PM - Using Autosave scope 'CurrentUser'
DEBUG: InteractiveBrowserCredential.Authenticate invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:
DEBUG: Request [0c73d170-fd66-4f23-815a-1c2f08435cc5] GET https://login.microsoftonline.com/common/discovery/instance?api-version=REDACTED&authorization_endpoint=REDACTED
x-client-SKU:REDACTED
x-client-Ver:REDACTED
x-client-OS:REDACTED
client-request-id:REDACTED
return-client-request-id:REDACTED
x-app-name:REDACTED
x-app-ver:REDACTED
x-ms-client-request-id:0c73d170-fd66-4f23-815a-1c2f08435cc5
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Identity/1.4.0-beta.1,(.NET 5.0.0; Linux 4.19.104-microsoft-standard #1 SMP Wed Feb 19 06:37:35 UTC 2020)
client assembly: Azure.Identity
DEBUG: Response [0c73d170-fd66-4f23-815a-1c2f08435cc5] 200 OK (00.7s)
Cache-Control:max-age=86400, private
Strict-Transport-Security:REDACTED
X-Content-Type-Options:REDACTED
Access-Control-Allow-Origin:REDACTED
Access-Control-Allow-Methods:REDACTED
P3P:REDACTED
client-request-id:REDACTED
x-ms-request-id:REDACTED
x-ms-ests-server:REDACTED
Set-Cookie:REDACTED
Date:Tue, 17 Nov 2020 15:45:42 GMT
Content-Length:957
Content-Type:application/json; charset=utf-8

DEBUG: InteractiveBrowserCredential.Authenticate was unable to retrieve an access token. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:  Exception: Azure.Identity.AuthenticationFailedException (0x80131500): InteractiveBrowserCredential authentication failed: Unable to open a web page using xdg-open. See inner exception for details. Possible causes for this error are: xdg-open is not installed or it cannot find a way to open an url - make sure you can open a web page by invoking from a terminal: xdg-open https://www.bing.com
 ---> Microsoft.Identity.Client.MsalClientException (0x80131500): Unable to open a web page using xdg-open. See inner exception for details. Possible causes for this error are: xdg-open is not installed or it cannot find a way to open an url - make sure you can open a web page by invoking from a terminal: xdg-open https://www.bing.com
 ---> System.ComponentModel.Win32Exception (0x80004005): No such file or directory
WARNING: Unable to acquire token for tenant 'organizations'
Connect-AzAccount: One or more errors occurred. (InteractiveBrowserCredential authentication failed: Unable to open a web page using xdg-open. See inner exception for details. Possible causes for this error are: xdg-open is not installed or it cannot find a way to open an url - make sure you can open a web page by invoking from a terminal: xdg-open https://www.bing.com )
DEBUG: AzureQoSEvent: CommandName - Connect-AzAccount; IsSuccess - False; Duration - 00:00:01.5348388;; Exception - System.AggregateException: One or more errors occurred. (InteractiveBrowserCredential authentication failed: Unable to open a web page using xdg-open. See inner exception for details. Possible causes for this error are: xdg-open is not installed or it cannot find a way to open an url - make sure you can open a web page by invoking from a terminal: xdg-open https://www.bing.com )
 ---> Azure.Identity.AuthenticationFailedException: InteractiveBrowserCredential authentication failed: Unable to open a web page using xdg-open. See inner exception for details. Possible causes for this error are: xdg-open is not installed or it cannot find a way to open an url - make sure you can open a web page by invoking from a terminal: xdg-open https://www.bing.com
 ---> MSAL.NetCore.4.21.0.0.MsalClientException:
        ErrorCode: linux_xdg_open_failed
Microsoft.Identity.Client.MsalClientException: Unable to open a web page using xdg-open. See inner exception for details. Possible causes for this error are: xdg-open is not installed or it cannot find a way to open an url - make sure you can open a web page by invoking from a terminal: xdg-open https://www.bing.com
 ---> System.ComponentModel.Win32Exception (2): No such file or directory
   at System.Diagnostics.Process.ForkAndExecProcess(String filename, String[] argv, String[] envp, String cwd, Boolean redirectStdin, Boolean redirectStdout, Boolean redirectStderr, Boolean setCredentials, UInt32 userId, UInt32 groupId, UInt32[] groups, Int32& stdinFd, Int32& stdoutFd, Int32& stderrFd, Boolean usesTerminal, Boolean throwOnNoExec)
   at System.Diagnostics.Process.StartCore(ProcessStartInfo startInfo)
   at System.Diagnostics.Process.Start()
   at System.Diagnostics.Process.Start(ProcessStartInfo startInfo)
   at System.Diagnostics.Process.Start(String fileName, String arguments)
   at Microsoft.Identity.Client.Platforms.Shared.NetStdCore.PlatformProxyShared.StartDefaultOsBrowser(String url)
   --- End of inner exception stack trace ---
   at Microsoft.Identity.Client.Platforms.Shared.NetStdCore.PlatformProxyShared.StartDefaultOsBrowser(String url)
   at Microsoft.Identity.Client.Platforms.netcore.NetCorePlatformProxy.StartDefaultOsBrowserAsync(String url)
   at Microsoft.Identity.Client.Platforms.Shared.Desktop.OsBrowser.DefaultOsBrowserWebUi.<InterceptAuthorizationUriAsync>b__10_0(Uri u)
   at Microsoft.Identity.Client.Platforms.Shared.Desktop.OsBrowser.DefaultOsBrowserWebUi.InterceptAuthorizationUriAsync(Uri authorizationUri, Uri redirectUri, CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Platforms.Shared.Desktop.OsBrowser.DefaultOsBrowserWebUi.AcquireAuthorizationAsync(Uri authorizationUri, Uri redirectUri, RequestContext requestContext, CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.AuthCodeRequestComponent.FetchAuthCodeAndPkceInternalAsync(IWebUI webUi, CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.AuthCodeRequestComponent.FetchAuthCodeAndPkceVerifierAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.InteractiveRequest.GetTokenResponseAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.InteractiveRequest.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.ApiConfig.Executors.PublicClientExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenInteractiveParameters interactiveParameters, CancellationToken cancellationToken)
   at Azure.Identity.AbstractAcquireTokenParameterBuilderExtensions.ExecuteAsync[T](AbstractAcquireTokenParameterBuilder`1 builder, Boolean async, CancellationToken cancellationToken)
   at Azure.Identity.MsalPublicClient.AcquireTokenInteractiveAsync(String[] scopes, Prompt prompt, Boolean async, CancellationToken cancellationToken)
   at Azure.Identity.InteractiveBrowserCredential.GetTokenViaBrowserLoginAsync(String[] scopes, Boolean async, CancellationToken cancellationToken)
   at Azure.Identity.InteractiveBrowserCredential.AuthenticateImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
Inner Excception: System.ComponentModel.Win32Exception (2): No such file or directory
   at System.Diagnostics.Process.ForkAndExecProcess(String filename, String[] argv, String[] envp, String cwd, Boolean redirectStdin, Boolean redirectStdout, Boolean redirectStderr, Boolean setCredentials, UInt32 userId, UInt32 groupId, UInt32[] groups, Int32& stdinFd, Int32& stdoutFd, Int32& stderrFd, Boolean usesTerminal, Boolean throwOnNoExec)
   at System.Diagnostics.Process.StartCore(ProcessStartInfo startInfo)
   at System.Diagnostics.Process.Start()
   at System.Diagnostics.Process.Start(ProcessStartInfo startInfo)
   at System.Diagnostics.Process.Start(String fileName, String arguments)
   at Microsoft.Identity.Client.Platforms.Shared.NetStdCore.PlatformProxyShared.StartDefaultOsBrowser(String url)
   --- End of inner exception stack trace ---
   at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex)
   at Azure.Identity.InteractiveBrowserCredential.AuthenticateImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.InteractiveBrowserCredential.AuthenticateAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Microsoft.Azure.PowerShell.Authenticators.MsalAccessToken.GetAccessTokenAsync(Task`1 authTask, TokenCredential tokenCredential, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzureAccount account, IAzureEnvironment environment, String tenant, SecureString password, String promptBehavior, Action`1 promptAction, IAzureTokenCache tokenCache, String resourceId)
   at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.AcquireAccessToken(IAzureAccount account, IAzureEnvironment environment, String tenantId, SecureString password, String promptBehavior, Action`1 promptAction)
   at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.ListAccountTenants(IAzureAccount account, IAzureEnvironment environment, SecureString password, String promptBehavior, Action`1 promptAction)
   at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.Login(IAzureAccount account, IAzureEnvironment environment, String tenantId, String subscriptionId, String subscriptionName, SecureString password, Boolean skipValidation, Action`1 promptAction, String name, Boolean shouldPopulateContextList, Int32 maxContextPopulation)
   at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.<>c__DisplayClass107_1.<ExecuteCmdlet>b__3()
   at System.Threading.Tasks.Task`1.InnerInvoke()
   at System.Threading.Tasks.Task.<>c.<.cctor>b__277_0(Object obj)
   at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
--- End of stack trace from previous location ---
   at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot, Thread threadPoolThread)
   --- End of inner exception stack trace ---
   at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
   at System.Threading.Tasks.Task`1.get_Result()
   at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.<>c__DisplayClass107_0.<ExecuteCmdlet>b__0(AzureRmProfile localProfile, RMProfileClient profileClient, String name)
   at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.<>c__DisplayClass113_0.<SetContextWithOverwritePrompt>b__0(AzureRmProfile prof, RMProfileClient client)
   at Microsoft.Azure.Commands.Profile.Common.AzureContextModificationCmdlet.ModifyContext(Action`2 contextAction)
   at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.SetContextWithOverwritePrompt(Action`3 setContextAction)
   at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.ExecuteCmdlet()
   at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.<>c__3`1.<ExecuteSynchronouslyOrAsJob>b__3_0(T c)
   at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.ExecuteSynchronouslyOrAsJob[T](T cmdlet, Action`1 executor)
   at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.ExecuteSynchronouslyOrAsJob[T](T cmdlet)
   at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord();
DEBUG: Finish sending metric.
DEBUG: 3:45:46 PM - ConnectAzureRmAccountCommand end processing.
PS />

@erich-wang added this to the S179 (2020-12-08) milestone Nov 18, 2020
@erich-wang
Member

@alexandair, thanks for raising the issue. We noticed an unclear error message is shown again in 2.2.0; we just released 2.2.1. Now it looks like this if using Az.Accounts 2.2.1:

PS /home/erich> Connect-AzAccount
WARNING: Unable to acquire token for tenant 'organizations'
WARNING: Interactive authentication is not supported in this session, please run Connect-AzAccount using switch -DeviceCode.

As to the warning message Unable to acquire token for tenant 'organizations', I agree it is kind of disrupting; we'll take a look if we could eliminate it in such a scenario.

@alexandair
Contributor Author

-DeviceCode is an alias parameter. -DeviceAuth and -Device, too.
I think the message should use the parameter name which is -UseDeviceAuthentication.

WARNING: Interactive authentication is not supported in this session, please run Connect-AzAccount using the -UseDeviceAuthentication parameter.

@erich-wang
Member

@alexandair, good suggestion, we'll update it in next release.
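
The failure in the debug stream above comes from the interactive login starting a browser through xdg-open, which the container image does not have. The following is an added example, not code from the Az module or from anyone in this thread: a wrapper that selects -UseDeviceAuthentication up front when no browser can be launched, and falls back to it if the interactive attempt fails with the xdg-open error text shown in the log. The function name and the DISPLAY/WAYLAND_DISPLAY check are assumptions.

```powershell
# Added example: the wrapper name and the environment checks are assumptions,
# not part of Az.Accounts.
function Connect-AzAccountHeadlessAware {
    [CmdletBinding()]
    param(
        # Optional tenant ID or domain, passed through to Connect-AzAccount.
        [string]$Tenant
    )

    $connect = @{ ErrorAction = 'Stop' }
    if ($Tenant) { $connect['Tenant'] = $Tenant }

    # On Linux the interactive flow starts the system browser through xdg-open.
    # Treat the session as headless when the binary or a display is missing.
    # ($IsLinux is undefined, hence false, on Windows PowerShell 5.1.)
    $browserAvailable = $true
    if ($IsLinux) {
        $xdgOpen = Get-Command -Name 'xdg-open' -CommandType Application -ErrorAction SilentlyContinue
        $hasDisplay = [bool]$env:DISPLAY -or [bool]$env:WAYLAND_DISPLAY
        $browserAvailable = ($null -ne $xdgOpen) -and $hasDisplay
    }

    if (-not $browserAvailable) {
        Write-Verbose 'No browser can be launched in this session; using device code sign-in.'
        return Connect-AzAccount @connect -UseDeviceAuthentication
    }

    try {
        Connect-AzAccount @connect
    }
    catch {
        # Match on the error text seen in the debug stream of this issue;
        # anything else is rethrown unchanged.
        if ($_.Exception.ToString() -notmatch 'xdg-open') { throw }
        Write-Verbose 'Interactive sign-in could not open a browser; retrying with device code.'
        Connect-AzAccount @connect -UseDeviceAuthentication
    }
}
```
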

@erich-wang linked a pull request Nov 26, 2020 that will close this issue
@skippernl

This issue seems not resolved.
Updated az (Update-module az) restarted powershell 7
Removed the json files AzureRmContext.json and AzureRmContextSettings.json

@ievsantillan

I am running into this as well ^

@andyw248

andyw248 commented Jan 8, 2021

Same here:
ModuleType Version    PreRelease Name           ExportedCommands
---------- -------    ---------- ----           ----------------
Script     2.2.2                 Az.Accounts    {Add-AzEnvironment, Clear-AzContext, Clear-AzDefault, Connect-AzAccount…}

@isra-fel
Member

isra-fel commented Jan 8, 2021

Reopening the issue for triage as many customers are encountering the same problem

@isra-fel reopened this Jan 8, 2021
@ghost

ghost commented Jan 12, 2021

Add me to the list...

@parsonsm11111

parsonsm11111 commented Jan 15, 2021

Same here. Just downloaded the module for the first time.
Set-AzContext -SubscriptionId "zzzzzzzzzzzzzzzzzz" -Tenant "yyyyyyyyyyyyyyyyyyyy"
WARNING: Unable to acquire token for tenant 'yyyyyyyyyyyyyyyyyyyy'
Set-AzContext : Please provide a valid tenant or a valid subscription.
At line:1 char:1
+ Set-AzContext -SubscriptionId "zzzzzzzzzzzzzzzz" ...
    + CategoryInfo          : CloseError: (:) [Set-AzContext], ArgumentException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Profile.SetAzureRMContextCommand

...and yes, the subscription id and tenant are correct.
...same thing happens for every subscription as well as when I remove the tenant id

@dohughes-msft

+1

@tomsaenen

Just for info: I encountered this issue today, out of nowhere. I solved it by going to portal.azure.com, where for some reason suddenly two factor authentication was required. After logging in, connect-azaccount worked without issues.

@snapguedes

Same here. It's stopped working just out of the blue.

@divz1323

This started happening to me too and I think I know why.
I have accounts in two different tenants (A and B). When I login to my tenant A account from PowerShell, the warning is, "Unable to acquire token for tenant B".
In tenant B, I have a "guest" account with my tenant A's email that's set up as an "External Azure Active Directory" source. MFA is enforced on guest accounts in tenant B with Microsoft Authenticator app and I was surprised to see my approval notification go off when I tried to login to tenant A in PowerShell.
I've had this guest account forever and this warning never showed before. I tried the -UseDeviceAuthentication flag and it didn't work.

@shikhachauhan1989

I also started facing the same issue today but got it fixed by installing the Microsoft Authenticator app and using the same for the default browser which is used by the PowerShell session while we run Connect-AzAccount. This took a long time to figure out, but I was able to fix it this way. Let me know who all gets this fixed by following the same process.

@skippernl

skippernl commented Feb 4, 2021 via email

Can you elaborate? I am already using the authenticator app and it is only present in my csp account.

@shikhachauhan1989

Just check what browser is set as default in your system, as when you run Connect-AzAccount with PowerShell it uses the default browser for the login process. Once identified, launch the browser, complete the login process using two factor authentication and select the checkbox which says keep me signed in. Once you are successfully signed in to the Azure portal, you can launch PowerShell and try logging in from there. I hope it fixes your issue, as the same worked for me.

@ievsantillan

note that I am using a service account that doesn't have MFA and still running into this issue

@erich-wang
Member

erich-wang commented Feb 24, 2021

Close this issue as some of you solved the issue by using Authenticator app, and some issues are not same as issue author reported. If you still encountered the issue, please create a new issue with debug stream, thanks.

@arendkolk

I have just deleted the 2 extra tenants I had created for training purposes.

The issue is now solved for me and I can log in again via PowerShell from within a Docker container

@nicolerib

In my case I solved it just by running:

Clear-AzContext

And then trying to connect again

Connect-AzAccount

@Tabrel-LI

This just started happening to me and none of the other fixes have worked.

@noeffort3

I know this is snarky... but... As PowerShell (Az cmdlets) is a part of an API platform, there should be zero dependency on which browser (or local user profile) you're using or which "account" you're logged into other than the identity you're using "within" the PowerShell console/ISE. Otherwise, that's pretty ridiculous. When I log on to my jump host to do PowerShell work, I am logging on as a CyberArk protected user (not as "me" which is where my O365/Azure rights are granted). Hence, I have to open a browser, make sure I log out as "DomainAdmin5" or whomever is my CYBR identity, and log on to the browser as "me" in order to make a Warning message not be in context... grrrrrrrrrrrrrrrrrrr

@simone-bennett

simone-bennett commented Jun 1, 2021

I'm having this issue also. I noticed that when I ran get-azcontext I was getting the wrong subscription/tenant despite being logged into my demo subscription in both PowerShell and the portal.

To solve it I had to run:

Import-Module Az.Accounts

Clear-AzContext

Connect-AzAccount -Tenant <tenant-id>

Then I finally got the MFA prompt and was able to log in successfully. Get-AzContext is returning the correct subscription now.

Not sure if it contributed but I had also opened my default browser, cleared my cache and logged into the Azure portal with the account I wanted to use.

@mgreenegit
Member

This issue still occurs as of July 2021

@david-peden-q2

Just ran into this yesterday with a service principal account. The fix was basically what @simone-bennett posted above but modified to run for a service principal:

Clear-AzContext -Force
$credential = New-Object System.Management.Automation.PSCredential($servicePrincipalUsername, $(ConvertTo-SecureString $servicePrincipalPassword -AsPlainText -Force))
Connect-AzAccount -Credential $credential -Tenant $tenantId -ServicePrincipal

@AlanFlorance
Contributor

I think this issue may be related to the version of Newtonsoft Json that's loaded; I have seen this issue when using MicrosoftPowerBIMgmt cmdlets both with the AzureAD module and also Az.Accounts

Use
[Newtonsoft.Json.JsonConvert].Module

and that will show you which version is currently loaded.

The order you connect to services changes the behaviour of this.

@chaoscreater

chaoscreater commented Aug 13, 2023

Still happening in 2023. Using latest Powershell and latest AZ module on Win11.

@delishus

delishus commented Aug 25, 2023

Happening to me too.. Windows 11, latest AZ module

@jasonvuriker

Happening to me too

@delishus

Found my problem, was the use of ad-blockers on my browser.. Proved by using Chromium edge as my default browser with no ad-blocking extensions installed.. everything just works as expected.
Hope that helps someone

@chaoscreater

> Found my problem, was the use of ad-blockers on my browser.. Proved by using Chromium edge as my default browser with no ad-blocking extensions installed.. everything just works as expected. Hope that helps someone

that makes no sense. We're talking about Powershell here. Powershell has got nothing to do with your browser.

@delishus

delishus commented Sep 22, 2023

> > Found my problem, was the use of ad-blockers on my browser.. Proved by using Chromium edge as my default browser with no ad-blocking extensions installed.. everything just works as expected. Hope that helps someone
>
> that makes no sense. We're talking about Powershell here. Powershell has got nothing to do with your browser.

Well the default browser is part of the authorization process to my knowledge, hence my assumption would be to start looking there... when digging deeper similar issues can occur when the communications are not properly handled via a proxy, therefore my assumption around the ad-blocker getting in the way.

Have you tried the above?

@chaoscreater

chaoscreater commented Sep 23, 2023

> > > Found my problem, was the use of ad-blockers on my browser.. Proved by using Chromium edge as my default browser with no ad-blocking extensions installed.. everything just works as expected. Hope that helps someone
> >
> > that makes no sense. We're talking about Powershell here. Powershell has got nothing to do with your browser.
>
> Well the default browser is part of the authorization process to my knowledge, hence my assumption would be to start looking there... when digging deeper similar issues can occur when the communications are not properly handled via a proxy, therefore my assumption around the ad-blocker getting in the way.
>
> Have you tried the above?

I don't need to try the above because I know it's completely unrelated.

When you run Connect-AZAccount, yes it uses your browser to do the 2FA authentication. However, Connect-AzAccount has never been a problem for me. The problem is that even though I'm already authenticated, i.e I already have the access/bearer token right in my Powershell session, but looping through certain subscriptions will generate this error.

If I do a Get-AZContext, I can see the context I'm currently in. I can list all the subs and it's fine. When I do something like this:

$Subs = Get-AzSubscription

foreach ($Sub in $Subs)
{
    # Switch the session context to each subscription in turn
    Set-AzContext -Subscription $Sub.Id

    # ....
}

It works fine for 99% of the subs, but occasionally one or 2 subs will show the "unable to acquire token for tenant" error. If I re-run the code, it'll sometimes fix itself and work fine. At this point, everything is done within Powershell session. The token has already been generated via the browser and passed to Powershell. Also, the majority of the subscriptions are fine and they obviously use the same access token. This is definitely not a browser issue.
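
The loop in the comment above switches context by subscription ID only and lets the warning scroll past. The following is an added example, not code from the thread or from the Az module: it passes each subscription's own tenant to Set-AzContext, retries a failed switch, and returns one record per subscription with the captured warnings so the failing tenants can be identified. The function name and the retry defaults are assumptions.

```powershell
# Added example: function name, retry count and delay are assumptions.
function Test-AzSubscriptionContext {
    [CmdletBinding()]
    param(
        [ValidateRange(1, 10)][int]$MaxAttempts = 3,
        [ValidateRange(0, 60)][int]$DelaySeconds = 2
    )

    $original = Get-AzContext   # restored in the finally block
    try {
        # Keep the warnings raised while subscriptions are enumerated
        # instead of letting them scroll past.
        $listWarnings = @()
        $subs = Get-AzSubscription -WarningAction SilentlyContinue -WarningVariable listWarnings
        foreach ($lw in $listWarnings) { Write-Verbose "Get-AzSubscription: $lw" }

        foreach ($sub in $subs) {
            $attempt = 0
            $ok = $false
            $lastError = $null
            $warnings = @()
            do {
                $attempt++
                $attemptWarnings = @()
                try {
                    # Name the subscription's own tenant explicitly so the
                    # token is requested for that tenant.
                    Set-AzContext -Subscription $sub.Id -Tenant $sub.TenantId `
                        -ErrorAction Stop -WarningAction SilentlyContinue `
                        -WarningVariable attemptWarnings | Out-Null
                    $ok = $true
                }
                catch {
                    $lastError = $_.Exception.Message
                }
                $warnings += @($attemptWarnings | ForEach-Object { "$_" })
                if (-not $ok -and $attempt -lt $MaxAttempts) {
                    Start-Sleep -Seconds ($DelaySeconds * $attempt)
                }
            } while (-not $ok -and $attempt -lt $MaxAttempts)

            # One record per subscription, including the ones that failed.
            [pscustomobject]@{
                Subscription   = $sub.Name
                SubscriptionId = $sub.Id
                TenantId       = $sub.TenantId
                Succeeded      = $ok
                Attempts       = $attempt
                Warnings       = $warnings
                LastError      = if ($ok) { $null } else { $lastError }
            }
        }
    }
    finally {
        # Put the session back on the context it started with.
        if ($original) {
            Set-AzContext -Context $original -WarningAction SilentlyContinue | Out-Null
        }
    }
}

# Usage: list the subscriptions for which no token could be acquired.
# Test-AzSubscriptionContext |
#     Where-Object { -not $_.Succeeded } |
#     Format-Table SubscriptionId, TenantId, Attempts, LastError
```
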
