Connect-AzAccount with -Tenant parameter unable to authenticate

[AjKundnani]

Description

Expected Result

When running command Connect-AzAccount -SubscriptionId abc-123 -Tenant domain.onmicrosoft.com, Az PowerShell should authenticate into specified subscription ID.

Issue

After update to Az PowerShell module version 8.3.0 getting error below:

It seems the tenant ID queried for tenant domain is not correct.

`WARNING: The access token is from the wrong issuer 'https://sts.windows.net/<guid1>'. It must match the tenant 'https://sts.windows.net/<guid2>/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/<guid2>' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later.
Connect-AzAccount: The provided account <user Id> does not have access to subscription ID "<subscription Id>". Please try logging in with different credentials or a different subscription ID. If a subscription is not specified, please check the configs by `Get-AzConfig`.

Issue script & Debug output

Connect-AzAccount -SubscriptionId <subscriptionId> -Tenant <domain>.onmicrosoft.com
DEBUG: 10:53:09 AM - ConnectAzureRmAccountCommand begin processing with ParameterSet 'UserWithSubscriptionId'.
DEBUG: 10:53:09 AM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 10:53:09 AM - Autosave setting from startup session: 'CurrentUser'
DEBUG: 10:53:09 AM - No autosave setting detected in environment variable 'AzContextAutoSave'.
DEBUG: 10:53:09 AM - Using Autosave scope 'CurrentUser'
DEBUG: 10:53:09 AM - [InteractiveUserAuthenticator] Calling InteractiveBrowserCredential.AuthenticateAsync with TenantId:'domain.onmicrosoft.com', Scopes:'https://management.core.windows.net//.default', AuthorityHost:'https://login.microsoftonline.com/', RedirectUri:'http://localhost:8400/'
DEBUG: InteractiveBrowserCredential.Authenticate invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:
DEBUG: Executing interactive authentication workflow inline.
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:09.26 - b7d1c4aa-0b1f-4b1e-9f79-9f0818b893e8] MSAL MSAL.NetCore with assembly version '4.39.0.0'. CorrelationId(b7d1c4aa-0b1f-4b1e-9f79-9f0818b893e8)
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:09.26 - b7d1c4aa-0b1f-4b1e-9f79-9f0818b893e8] === InteractiveParameters Data ===
LoginHint provided: False
User provided: False
UseEmbeddedWebView: NotSpecified
ExtraScopesToConsent:
Prompt: select_account
HasCustomWebUi: False

DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:09.26 - b7d1c4aa-0b1f-4b1e-9f79-9f0818b893e8]
=== Request Data ===
Authority Provided? - True
Scopes - https://management.core.windows.net//.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenInteractive
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - b7d1c4aa-0b1f-4b1e-9f79-9f0818b893e8
UserAssertion set: False
LongRunningOboCacheKey set: False

DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:09.26 - b7d1c4aa-0b1f-4b1e-9f79-9f0818b893e8] === Token Acquisition (InteractiveRequest) started:
         Scopes: https://management.core.windows.net//.default
        Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:09.26 - b7d1c4aa-0b1f-4b1e-9f79-9f0818b893e8] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:09.26 - b7d1c4aa-0b1f-4b1e-9f79-9f0818b893e8] Using system browser.
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:09.28 - b7d1c4aa-0b1f-4b1e-9f79-9f0818b893e8] Listening for authorization code on http://localhost:8400/
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:13.25 - b7d1c4aa-0b1f-4b1e-9f79-9f0818b893e8] Processing a response message to the browser. HttpStatus:OK
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:13.25 - b7d1c4aa-0b1f-4b1e-9f79-9f0818b893e8] An authorization code was retrieved from the /authorize endpoint.
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:13.25 - b7d1c4aa-0b1f-4b1e-9f79-9f0818b893e8] Exchanging the auth code for tokens.
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:13.25 - b7d1c4aa-0b1f-4b1e-9f79-9f0818b893e8] === InteractiveParameters Data ===
LoginHint provided: False
User provided: False
UseEmbeddedWebView: NotSpecified
ExtraScopesToConsent:
Prompt: select_account
HasCustomWebUi: False

DEBUG: Request [1a52c19d-62c1-4239-a38f-c435c991a8f7] POST https://login.microsoftonline.com/domain.onmicrosoft.com/oauth2/v2.0/token
x-client-SKU:REDACTED
x-client-Ver:REDACTED
x-client-CPU:REDACTED
x-client-OS:REDACTED
x-anchormailbox:REDACTED
x-client-current-telemetry:REDACTED
x-client-last-telemetry:REDACTED
x-ms-lib-capability:REDACTED
client-request-id:REDACTED
return-client-request-id:REDACTED
x-app-name:REDACTED
x-app-ver:REDACTED
x-ms-client-request-id:1a52c19d-62c1-4239-a38f-c435c991a8f7
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Identity/1.6.0,(.NET 6.0.8; Microsoft Windows 10.0.22621)
Content-Type:application/x-www-form-urlencoded
client assembly: Azure.Identity
DEBUG: Response [1a52c19d-62c1-4239-a38f-c435c991a8f7] 200 OK (00.7s)
Cache-Control:no-store, no-cache
Pragma:no-cache
Strict-Transport-Security:REDACTED
X-Content-Type-Options:REDACTED
P3P:REDACTED
client-request-id:REDACTED
x-ms-request-id:e06e190b-4074-485b-a928-f58b19e71300
x-ms-ests-server:REDACTED
x-ms-clitelem:REDACTED
X-XSS-Protection:REDACTED
Set-Cookie:REDACTED
Date:Tue, 13 Sep 2022 05:23:13 GMT
Content-Type:application/json; charset=utf-8
Expires:-1
Content-Length:4996

DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:13.94 - b7d1c4aa-0b1f-4b1e-9f79-9f0818b893e8] Checking client info returned from the server..
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:13.94 - b7d1c4aa-0b1f-4b1e-9f79-9f0818b893e8] Saving token response to cache..
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:13.94 - b7d1c4aa-0b1f-4b1e-9f79-9f0818b893e8] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:13.95 - b7d1c4aa-0b1f-4b1e-9f79-9f0818b893e8] Saving AT in cache and removing overlapping ATs...
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:13.95 - b7d1c4aa-0b1f-4b1e-9f79-9f0818b893e8] Looking for scopes for the authority in the cache which intersect with https://management.core.windows.net//.default
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:13.95 - b7d1c4aa-0b1f-4b1e-9f79-9f0818b893e8] Intersecting scope entries count - 1
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:13.95 - b7d1c4aa-0b1f-4b1e-9f79-9f0818b893e8] Matching entries after filtering by user - 1
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:13.95 - b7d1c4aa-0b1f-4b1e-9f79-9f0818b893e8] Saving Id Token and Account in cache ...
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:13.95 - b7d1c4aa-0b1f-4b1e-9f79-9f0818b893e8] Saving RT in cache...
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:13.95 - b7d1c4aa-0b1f-4b1e-9f79-9f0818b893e8] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:13.95 - b7d1c4aa-0b1f-4b1e-9f79-9f0818b893e8] Saving to ADAL legacy cache.
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:13.95 - b7d1c4aa-0b1f-4b1e-9f79-9f0818b893e8] Not writing FRT in ADAL legacy cache.
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:13.95 - b7d1c4aa-0b1f-4b1e-9f79-9f0818b893e8] Fetched access token from host login.microsoftonline.com.
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:13.95 - b7d1c4aa-0b1f-4b1e-9f79-9f0818b893e8]
        === Token Acquisition finished successfully:
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:13.95 - b7d1c4aa-0b1f-4b1e-9f79-9f0818b893e8]  AT expiration time: 9/13/2022 6:32:04 AM +00:00, scopes https://management.core.windows.net//user_impersonation https://management.core.windows.net//.default source IdentityProvider from login.microsoftonline.com appHashCode 22869410
DEBUG: InteractiveBrowserCredential.Authenticate succeeded. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:  ExpiresOn: 2022-09-13T06:32:04.9447200+00:00
DEBUG: 10:53:13 AM - [MsalAccessToken] Calling InteractiveBrowserCredential.GetTokenAsync - Scopes:'https://management.core.windows.net//.default'
DEBUG: InteractiveBrowserCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:13.95 - f46dc1ff-09d0-4e43-9aa7-262fadf283db] MSAL MSAL.NetCore with assembly version '4.39.0.0'. CorrelationId(f46dc1ff-09d0-4e43-9aa7-262fadf283db)
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:13.95 - f46dc1ff-09d0-4e43-9aa7-262fadf283db] === AcquireTokenSilent Parameters ===
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:13.95 - f46dc1ff-09d0-4e43-9aa7-262fadf283db] LoginHint provided: False
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:13.95 - f46dc1ff-09d0-4e43-9aa7-262fadf283db] Account provided: True
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:13.95 - f46dc1ff-09d0-4e43-9aa7-262fadf283db] ForceRefresh: False
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:13.95 - f46dc1ff-09d0-4e43-9aa7-262fadf283db]
=== Request Data ===
Authority Provided? - True
Scopes - https://management.core.windows.net//.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - f46dc1ff-09d0-4e43-9aa7-262fadf283db
UserAssertion set: False
LongRunningOboCacheKey set: False

DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:13.95 - f46dc1ff-09d0-4e43-9aa7-262fadf283db] === Token Acquisition (SilentRequest) started:
         Scopes: https://management.core.windows.net//.default
        Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:13.97 - f46dc1ff-09d0-4e43-9aa7-262fadf283db] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:13.97 - f46dc1ff-09d0-4e43-9aa7-262fadf283db] Access token is not expired. Returning the found cache entry. [Current time (09/13/2022 05:23:13) - Expiration Time (09/13/2022 06:32:04 +00:00) - Extended Expiration Time (09/13/2022 06:32:04 +00:00)]
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:13.97 - f46dc1ff-09d0-4e43-9aa7-262fadf283db] Returning access token found in cache. RefreshOn exists ? False
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:13.97 - f46dc1ff-09d0-4e43-9aa7-262fadf283db] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:13.97 - f46dc1ff-09d0-4e43-9aa7-262fadf283db] Fetched access token from host login.microsoftonline.com.
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:13.97 - f46dc1ff-09d0-4e43-9aa7-262fadf283db]
        === Token Acquisition finished successfully:
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:13.97 - f46dc1ff-09d0-4e43-9aa7-262fadf283db]  AT expiration time: 9/13/2022 6:32:04 AM +00:00, scopes https://management.core.windows.net//user_impersonation https://management.core.windows.net//.default source Cache from login.microsoftonline.com appHashCode 22869410
DEBUG: InteractiveBrowserCredential.GetToken succeeded. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:  ExpiresOn: 2022-09-13T06:32:04.0000000+00:00
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.azure.com/tenants?api-version=2021-01-01

Headers:
x-ms-client-request-id        : bdeaf2ae-84ee-41f7-a2f8-82c934840671
Accept-Language               : en-US

Body:



DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Cache-Control                 : no-cache
Pragma                        : no-cache
x-ms-ratelimit-remaining-tenant-reads: 11999
x-ms-request-id               : 2885592c-2467-4b97-98e8-1c52a089c508
x-ms-correlation-request-id   : 2885592c-2467-4b97-98e8-1c52a089c508
x-ms-routing-request-id       : JIOINDIACENTRAL:20220913T052314Z:2885592c-2467-4b97-98e8-1c52a089c508
Strict-Transport-Security     : max-age=31536000; includeSubDomains
X-Content-Type-Options        : nosniff
Date                          : Tue, 13 Sep 2022 05:23:13 GMT

Body:
{
  "value": [<REDACTED>]
}


DEBUG: 10:53:14 AM - [SilentAuthenticator] Calling SharedTokenCacheCredential.GetTokenAsync - TenantId:'<guid1>', Scopes:'https://management.core.windows.net//.default', AuthorityHost:'https://login.microsoftonline.com/', UserId:'<username>'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:14.44 - f065ff26-d0d4-4696-9e9b-d919ba248f6f] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:14.44 - f065ff26-d0d4-4696-9e9b-d919ba248f6f] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:14.44 - f065ff26-d0d4-4696-9e9b-d919ba248f6f] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:14.44 - f065ff26-d0d4-4696-9e9b-d919ba248f6f] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:14.44 - f065ff26-d0d4-4696-9e9b-d919ba248f6f] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:14.44] Found 1 cache accounts and 0 broker accounts
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:14.44] Returning 1 accounts
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:14.44 - 988b6976-b598-4ab0-b759-167b0c90ca18] MSAL MSAL.NetCore with assembly version '4.39.0.0'. CorrelationId(988b6976-b598-4ab0-b759-167b0c90ca18)
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:14.44 - 988b6976-b598-4ab0-b759-167b0c90ca18] === AcquireTokenSilent Parameters ===
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:14.44 - 988b6976-b598-4ab0-b759-167b0c90ca18] LoginHint provided: False
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:14.44 - 988b6976-b598-4ab0-b759-167b0c90ca18] Account provided: True
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:14.44 - 988b6976-b598-4ab0-b759-167b0c90ca18] ForceRefresh: False
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:14.44 - 988b6976-b598-4ab0-b759-167b0c90ca18]
=== Request Data ===
Authority Provided? - True
Scopes - https://management.core.windows.net//.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - 988b6976-b598-4ab0-b759-167b0c90ca18
UserAssertion set: False
LongRunningOboCacheKey set: False

DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:14.44 - 988b6976-b598-4ab0-b759-167b0c90ca18] === Token Acquisition (SilentRequest) started:
         Scopes: https://management.core.windows.net//.default
        Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:14.45 - 988b6976-b598-4ab0-b759-167b0c90ca18] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:14.45 - 988b6976-b598-4ab0-b759-167b0c90ca18] Access token is not expired. Returning the found cache entry. [Current time (09/13/2022 05:23:14) - Expiration Time (09/13/2022 06:35:29 +00:00) - Extended Expiration Time (09/13/2022 06:35:29 +00:00)]
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:14.45 - 988b6976-b598-4ab0-b759-167b0c90ca18] Returning access token found in cache. RefreshOn exists ? False
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:14.45 - 988b6976-b598-4ab0-b759-167b0c90ca18] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:14.45 - 988b6976-b598-4ab0-b759-167b0c90ca18] Fetched access token from host login.microsoftonline.com.
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:14.45 - 988b6976-b598-4ab0-b759-167b0c90ca18]
        === Token Acquisition finished successfully:
DEBUG: False MSAL 4.39.0.0 MSAL.NetCore .NET 6.0.8 Microsoft Windows 10.0.22621 [09/13 05:23:14.45 - 988b6976-b598-4ab0-b759-167b0c90ca18]  AT expiration time: 9/13/2022 6:35:29 AM +00:00, scopes https://management.core.windows.net//user_impersonation https://management.core.windows.net//.default source Cache from login.microsoftonline.com appHashCode 57057459
DEBUG: SharedTokenCacheCredential.GetToken succeeded. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:  ExpiresOn: 2022-09-13T06:35:29.0000000+00:00
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.azure.com/subscriptions/<SUBSCRIPTIONID>?api-version=2021-01-01

Headers:
x-ms-client-request-id        : bdeaf2ae-84ee-41f7-a2f8-82c934840671
Accept-Language               : en-US

Body:



DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
Unauthorized

Headers:
Cache-Control                 : no-cache
Pragma                        : no-cache
WWW-Authenticate              : Bearer authorization_uri="https://login.windows.net/<GUID2>", error="invalid_token", error_description="The access token is from the wrong issuer. It must match the tenant associated with this subscription. Please use correct authority to get the token."
x-ms-failure-cause            : gateway
x-ms-request-id               : 0e021aba-143a-4b87-a0a9-ad6358840b1e
x-ms-correlation-request-id   : 0e021aba-143a-4b87-a0a9-ad6358840b1e
x-ms-routing-request-id       : JIOINDIACENTRAL:20220913T052314Z:0e021aba-143a-4b87-a0a9-ad6358840b1e
Strict-Transport-Security     : max-age=31536000; includeSubDomains
X-Content-Type-Options        : nosniff
Date                          : Tue, 13 Sep 2022 05:23:13 GMT
Connection                    : close

Body:
{
  "error": {
    "code": "InvalidAuthenticationTokenTenant",
    "message": "The access token is from the wrong issuer 'https://sts.windows.net/<GUID1>/'. It must match the tenant 'https://sts.windows.net/<GUID2>/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/<GUID2>' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later."
  }
}


WARNING: The access token is from the wrong issuer 'https://sts.windows.net/<GUID1>/'. It must match the tenant 'https://sts.windows.net/<GUID2>/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/<GUID2>' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later.
DEBUG: 10:53:14 AM - Microsoft.Rest.Azure.CloudException: The access token is from the wrong issuer 'https://sts.windows.net/<GUID1>/'. It must match the tenant 'https://sts.windows.net/<GUID2>/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/<GUID2>' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later.
   at Microsoft.Azure.Commands.Profile.Models.SubscriptionClientProxy.<>c.<.ctor>b__2_0(Action`1 subscriptionClientAction, LoggerWriter warning)
   at Microsoft.Azure.Commands.Profile.Models.SubscriptionClientProxy.GetSubscriptionById(String subscriptionId, IAccessToken accessToken, IAzureAccount account, IAzureEnvironment environment)
   at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.TryGetTenantSubscription(IAccessToken accessToken, IAzureAccount account, IAzureEnvironment environment, String subscriptionId, String subscriptionName, Boolean isTenantPresent, IAzureSubscription& subscription, IAzureTenant& tenant)
DEBUG: 10:53:14 AM - [ConfigManager] Got nothing from [EnableDataCollection], Module = [], Cmdlet = []. Returning default value [True].
Connect-AzAccount: The provided account <username> does not have access to subscription ID "<subscriptionid>". Please try logging in with different credentials or a different subscription ID. If a subscription is not specified, please check the configs by `Get-AzConfig`.
DEBUG: 10:53:14 AM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent: Module: Az.Accounts:2.10.0; CommandName: Connect-AzAccount; PSVersion: 7.2.6; IsSuccess: False; Duration: 00:00:05.3807978; Exception: The provided account <username> does not have access to subscription ID "<subscriptionId>". Please try logging in with different credentials or a different subscription ID. If a subscription is not specified, please check the configs by `Get-AzConfig`.;
DEBUG: Finish sending metric.
DEBUG: 10:53:14 AM - ConnectAzureRmAccountCommand end processing.

Environment data

Name                           Value
----                           -----
PSVersion                      7.2.6
PSEdition                      Core
GitCommitId                    7.2.6
OS                             Microsoft Windows 10.0.22621
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     2.10.0                Az.Accounts                         {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Clear-AzDefault…}

Error output

DEBUG: 11:01:05 AM - ResolveError begin processing with ParameterSet 'AnyErrorParameterSet'.
DEBUG: 11:01:05 AM - using account id '<username>'...
DEBUG: 11:01:05 AM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
WARNING: Upcoming breaking changes in the cmdlet 'Resolve-AzError' :
The `Resolve-Error` alias will be removed in a future release.  Please change any scripts that use this alias to use `Resolve-AzError` instead.
Note : Go to https://aka.ms/azps-changewarnings for steps to suppress this breaking change warning, and other information on breaking changes in Azure PowerShell.

   HistoryId: 7

Message        : The provided account <username> does not have access to subscription ID "<subscriptionId>". Please try logging in with different credentials or a different subscription ID. If a subscription is not specified, please check the
                 configs by `Get-AzConfig`.
StackTrace     :    at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.Login(IAzureAccount account, IAzureEnvironment environment, String tenantId, String subscriptionId, String subscriptionName, SecureString password, Boolean skipValidation, Action`1
                 promptAction, String name, Boolean shouldPopulateContextList, Int32 maxContextPopulation, String authScope)
                    at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.<>c__DisplayClass127_2.<ExecuteCmdlet>b__5()
                    at System.Threading.Tasks.Task`1.InnerInvoke()
                    at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
                 --- End of stack trace from previous location ---
                    at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot, Thread threadPoolThread)
                 --- End of stack trace from previous location ---
                    at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.<>c__DisplayClass127_0.<ExecuteCmdlet>b__1(AzureRmProfile localProfile, RMProfileClient profileClient, String name)
                    at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.<>c__DisplayClass136_0.<SetContextWithOverwritePrompt>b__0(AzureRmProfile prof, RMProfileClient client)
                    at Microsoft.Azure.Commands.Profile.Common.AzureContextModificationCmdlet.ModifyContext(Action`2 contextAction)
                    at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.SetContextWithOverwritePrompt(Action`3 setContextAction)
                    at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.ExecuteCmdlet()
                    at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.<>c__3`1.<ExecuteSynchronouslyOrAsJob>b__3_0(T c)
                    at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.ExecuteSynchronouslyOrAsJob[T](T cmdlet, Action`1 executor)
                    at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.ExecuteSynchronouslyOrAsJob[T](T cmdlet)
                    at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
Exception      : System.Management.Automation.PSInvalidOperationException
InvocationInfo : {Connect-AzAccount}
Line           : Connect-AzAccount -SubscriptionId 821664e1-b43e-4312-a018-4d2d284c2b9c -Tenant microsoft.onmicrosoft.com
Position       : At line:1 char:1
                 + Connect-AzAccount -SubscriptionId 821664e1-b43e-4312-a018-4d2d284c2b9 …
                 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId      : 7

he Azure PowerShell team is listening, please let us know how we are doing: https://aka.ms/azpssurvey?Q_CHL=ERROR.

DEBUG: 11:01:05 AM - [ConfigManager] Got nothing from [EnableDataCollection], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent: Module: Az.Accounts:2.10.0; CommandName: Resolve-AzError; PSVersion: 7.2.6; IsSuccess: True; Duration: 00:00:00.0684114
DEBUG: Finish sending metric.
DEBUG: 11:01:06 AM - ResolveError end processing.

[isra-fel]

Thanks @AjKundnani for reporting!

This seems to be an old issue. I tested Az.Accounts v2.8.0 which was released 4 months ago and it reproduced.

The root cause is that when user types in a tenant name, we don't use the name to match the correct tenant, instead we just choose the first home tenant. See

https://github.com/Azure/azure-powershell/blob/main/src/Accounts/Accounts/Models/RMProfileClient.cs#L174-L176

[AjKundnani]

Thanks @AjKundnani for reporting!

This seems to be an old issue. I tested Az.Accounts v2.8.0 which was released 4 months ago and it reproduced.

The root cause is that when user types in a tenant name, we don't use the name to match the correct tenant, instead we just choose the first home tenant. See

https://github.com/Azure/azure-powershell/blob/main/src/Accounts/Accounts/Models/RMProfileClient.cs#L174-L176

Thanks @isra-fel for checking. On my local workstation, it was working with previous version of Az Module, I didn't make note of version of the working modules, for validating 8.3.0 release I updated Az Module after which I noticed the error.

It works fine with tenantId.

[isra-fel]

Yes. This issue happens only when using tenant name, so the work-around is using tenant ID as @AjKundnani suggested.

I'm targeting the October release to fix it.