Account selection window pops up after Connect-AzAccount fails with "user canceled authentication"

[qishengc]

Description

I was on Az.Accounts V2.13.1, and my script is working fine, but today after a latest update to Az.Accounts V3.0.0, Connect-AzAccount always succeeded with warning "WARNING: Unable to acquire token for tenant ..." , and although it looks like it connected successfully, no Az operations such as Get-AzSubscription could execute successfully, it reports the same warning:

Here are details:

1. Way 1: user PSCredential

$Username='foo@test.com' // example
$Password='example'
psCred = New-Object System.Management.Automation.PSCredential -ArgumentList ($Username, (ConvertTo-SecureString -String $Password -AsPlainText -Force)) 
Connect-AzAccount -Credential $psCred 

Result:

Retrieving subscriptions for the selection...

[Announcements]
With the new Azure PowerShell login experience, you can select the subscription you want to use more easily. Learn more about it and its configuration at https://go.microsoft.com/fwlink/?linkid=2271909.

If you encounter any problem, please open an issue at: https://aka.ms/azpsissue

Subscription name                            Tenant
-----------------                            ------
Non-Prod PAYG AS on a830edad9050849paygmsit3 TEST_TEST_E3_SelfServiceHb_202306290544_85XBofcIeP

Even though it shows like connected successfully, run: Get-AzSubscription to test, got no result with below warning (Repeated in console):
WARNING: Unable to acquire token for tenant 'a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa' with error 'Authentication failed against tenant a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa. User interaction is required. This may be due to the conditional access policy settings such as multi-factor authentication (MFA). If you need to access subscriptions in that tenant, please rerun 'Connect-AzAccount' with additional parameter '-TenantId a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa'.'
WARNING: Unable to acquire token for tenant 'a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa' with error 'Authentication failed against tenant a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa. User interaction is required. This may be due to the conditional access policy settings such as multi-factor authentication (MFA). If you need to access subscriptions in that tenant, please rerun 'Connect-AzAccount' with additional parameter '-TenantId a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa'.'

1. Way 2: Interactive login

 Connect-AzAccount -TenantId a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa

Result:

Please select the account you want to login with.

Connect-AzAccount: InteractiveBrowserCredential authentication failed: User canceled authentication.
Could not find tenant id for provided tenant domain 'a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa'. Please ensure that the provided user is found in the provided tenant domain.

I have no chance to select any thing, the login window appears after the above message.

1. Way 3: Use DeviceCode

Connect-AzAccount -DeviceCode

Result:

Please select the account you want to login with.

[Login to Azure] To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code AJEAZZDUG to authenticate.
Retrieving subscriptions for the selection...
WARNING: Unable to acquire token for tenant 'a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa' with error 'Authentication failed against tenant a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa. User interaction is required. This may be due to the conditional access policy settings such as multi-factor authentication (MFA). If you need to access subscriptions in that tenant, please rerun 'Connect-AzAccount' with additional parameter '-TenantId a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa'.'

[Announcements]
With the new Azure PowerShell login experience, you can select the subscription you want to use more easily. Learn more about it and its configuration at https://go.microsoft.com/fwlink/?linkid=2271909.

If you encounter any problem, please open an issue at: https://aka.ms/azpsissue

Subscription name                            Tenant
-----------------                            ------
Non-Prod PAYG AS on a830edad9050849paygmsit3 TEST_TEST_E3_SelfServiceHb_202306290544_85XBofcIeP

Even though it shows like connected successfully, run: Get-AzSubscription to test, got no result with below warning (Repeated in console):
WARNING: Unable to acquire token for tenant 'a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa' with error 'Authentication failed against tenant a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa. User interaction is required. This may be due to the conditional access policy settings such as multi-factor authentication (MFA). If you need to access subscriptions in that tenant, please rerun 'Connect-AzAccount' with additional parameter '-TenantId a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa'.'
WARNING: Unable to acquire token for tenant 'a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa' with error 'Authentication failed against tenant a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa. User interaction is required. This may be due to the conditional access policy settings such as multi-factor authentication (MFA). If you need to access subscriptions in that tenant, please rerun 'Connect-AzAccount' with additional parameter '-TenantId a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa'.'

Issue script & Debug output

$DebugPreference='Continue'
Get-AzSubscription
DEBUG: 11:36:12 PM - [ConfigManager] Got nothing from [DisplaySecretsWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 11:36:12 PM - GetAzureRMSubscriptionCommand begin processing with ParameterSet 'ListByIdInTenant'.
DEBUG: 11:36:12 PM - using account id 'automation@***.onmicrosoft.com'...
DEBUG: 11:36:12 PM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 11:36:12 PM - [ConfigManager] Got nothing from [DisableInstanceDiscovery], Module = [], Cmdlet = []. Returning default value [False].
DEBUG: 11:36:12 PM - [ConfigManager] Got nothing from [EnableLoginByWam], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 11:36:12 PM - [SilentAuthenticator] Calling SharedTokenCacheCredential.GetTokenAsync - TenantId:'a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa', Scopes:'https://management.core.windows.net//.default', AuthorityHost:'https://login.microsoftonline.com/', UserId:'automation@a830edad9050849paygmsit3.onmicrosoft.com'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - 002f97b6-87e4-452d-8b47-c4d7b2eef2f8] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - 002f97b6-87e4-452d-8b47-c4d7b2eef2f8] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - 002f97b6-87e4-452d-8b47-c4d7b2eef2f8] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - 002f97b6-87e4-452d-8b47-c4d7b2eef2f8] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - 002f97b6-87e4-452d-8b47-c4d7b2eef2f8] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [Runtime] WAM supported OS.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [RuntimeBroker] ListWindowsWorkAndSchoolAccounts option was not enabled.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - 197572b7-1a7e-4392-9f9d-fa162e7eefb3] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] Found 1 cache accounts and 0 broker accounts
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] Returning 1 accounts
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - a6f4c117-599e-4d30-8000-83ab3cfb3e33] MSAL MSAL.CoreCLR with assembly version '4.60.3.0'. CorrelationId(a6f4c117-599e-4d30-8000-83ab3cfb3e33)
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - a6f4c117-599e-4d30-8000-83ab3cfb3e33] === AcquireTokenSilent Parameters ===
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - a6f4c117-599e-4d30-8000-83ab3cfb3e33] LoginHint provided: False
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - a6f4c117-599e-4d30-8000-83ab3cfb3e33] Account provided: True
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - a6f4c117-599e-4d30-8000-83ab3cfb3e33] ForceRefresh: False
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - a6f4c117-599e-4d30-8000-83ab3cfb3e33]
=== Request Data ===
Authority Provided? - True
Scopes - https://management.core.windows.net//.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - True
HomeAccountId - False
CorrelationId - a6f4c117-599e-4d30-8000-83ab3cfb3e33
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:

DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - a6f4c117-599e-4d30-8000-83ab3cfb3e33] === Token Acquisition (SilentRequest) started:
         Scopes: https://management.core.windows.net//.default
        Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - a6f4c117-599e-4d30-8000-83ab3cfb3e33] Broker is configured and enabled, attempting to use broker instead.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [Runtime] WAM supported OS.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - a6f4c117-599e-4d30-8000-83ab3cfb3e33] Can invoke broker. Will attempt to acquire token with broker.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0001]      WARNING SetAuthorityString:98     Initializing authority from string 'https://login.microsoftonline.com/a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa/' without authority type, defaulting to MsSts
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0002]      ERROR   ErrorInternalImpl:134     Created an error: 5vt4a, StatusInternal::AccountNotFound, InternalEvent::None, Error Code 0, Context 'Account with id '(pii)' not found'
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0002]      INFO    LogTelemetryData:393      Printing Telemetry for Correlation ID: a6f4c117-599e-4d30-8000-83ab3cfb3e33
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0002]      INFO    LogTelemetryData:401      Key: start_time, Value: 2024-05-22T06:36:12.000Z
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0002]      INFO    LogTelemetryData:401      Key: api_name, Value: ReadAccountById
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0002]      INFO    LogTelemetryData:401      Key: was_request_throttled, Value: false
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0002]      INFO    LogTelemetryData:401      Key: authority_type, Value: Unknown
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0002]      INFO    LogTelemetryData:401      Key: msal_version, Value: 1.1.0+local
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0002]      INFO    LogTelemetryData:401      Key: correlation_id, Value: a6f4c117-599e-4d30-8000-83ab3cfb3e33
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0002]      INFO    LogTelemetryData:401      Key: broker_app_used, Value: false
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0002]      INFO    LogTelemetryData:401      Key: stop_time, Value: 2024-05-22T06:36:12.000Z
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0002]      INFO    LogTelemetryData:401      Key: all_error_tags, Value: 5vt4a
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0002]      INFO    LogTelemetryData:401      Key: msalruntime_version, Value: 0.16.0
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0002]      INFO    LogTelemetryData:401      Key: api_error_code, Value: 0
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0002]      INFO    LogTelemetryData:401      Key: api_error_tag, Value: 5vt4a
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0002]      INFO    LogTelemetryData:401      Key: api_status_code, Value: StatusInternal::AccountNotFound
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0002]      INFO    LogTelemetryData:401      Key: api_error_context, Value: Account with id '(pii)' not found
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0002]      INFO    LogTelemetryData:401      Key: is_successful, Value: false
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0002]      INFO    LogTelemetryData:401      Key: request_duration, Value: 0
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [RuntimeBroker] Could not find a WAM account for the selected user. Error: Status: AccountNotFound
Context: Account with id '(pii)' not found
Tag: 0x1f553780
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - a6f4c117-599e-4d30-8000-83ab3cfb3e33] Exception type: Microsoft.Identity.Client.MsalUiRequiredException
, ErrorCode: wam_no_account_for_id
HTTP StatusCode 0
CorrelationId a6f4c117-599e-4d30-8000-83ab3cfb3e33
To see full exception details, enable PII Logging. See https://aka.ms/msal-net-logging
   at Microsoft.Identity.Client.Internal.Requests.Silent.SilentRequest.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.Identity.Client.Utils.StopwatchService.MeasureCodeBlockAsync(Func`1 codeBlock)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)

DEBUG: SharedTokenCacheCredential.GetToken was unable to retrieve an access token. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:  Exception: Azure.Identity.CredentialUnavailableException (0x80131500): SharedTokenCacheCredential authentication unavailable. Token acquisition failed for user automation@a830edad9050849paygmsit3.onmicrosoft.com. Ensure that you have authenticated with a developer tool that supports Azure single sign on.
 ---> Microsoft.Identity.Client.MsalUiRequiredException (0x80131500): Could not find a WAM account for the selected user. Error: Status: AccountNotFound
Context: Account with id '(pii)' not found
Tag: 0x1f553780
WARNING: Unable to acquire token for tenant 'a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa' with error 'Authentication failed against tenant a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa. User interaction is required. This may be due to the conditional access policy settings such as multi-factor authentication (MFA). If you need to access subscriptions in that tenant, please rerun 'Connect-AzAccount' with additional parameter '-TenantId a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa'.'
DEBUG: 11:36:12 PM - [ConfigManager] Got nothing from [DisableInstanceDiscovery], Module = [], Cmdlet = []. Returning default value [False].
DEBUG: 11:36:12 PM - [ConfigManager] Got nothing from [EnableLoginByWam], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 11:36:12 PM - [SilentAuthenticator] Calling SharedTokenCacheCredential.GetTokenAsync - TenantId:'a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa', Scopes:'https://management.core.windows.net//.default', AuthorityHost:'https://login.microsoftonline.com/', UserId:'automation@a830edad9050849paygmsit3.onmicrosoft.com'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - 92c130e5-19e2-413b-ab5c-6109629873bc] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - 92c130e5-19e2-413b-ab5c-6109629873bc] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - 92c130e5-19e2-413b-ab5c-6109629873bc] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - 92c130e5-19e2-413b-ab5c-6109629873bc] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - 92c130e5-19e2-413b-ab5c-6109629873bc] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [Runtime] WAM supported OS.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [RuntimeBroker] ListWindowsWorkAndSchoolAccounts option was not enabled.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - bd4ad8a7-d588-4a61-9921-8eb04f00724e] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] Found 1 cache accounts and 0 broker accounts
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] Returning 1 accounts
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - 455ca45e-0cc8-495f-9bfa-e8904288fd25] MSAL MSAL.CoreCLR with assembly version '4.60.3.0'. CorrelationId(455ca45e-0cc8-495f-9bfa-e8904288fd25)
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - 455ca45e-0cc8-495f-9bfa-e8904288fd25] === AcquireTokenSilent Parameters ===
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - 455ca45e-0cc8-495f-9bfa-e8904288fd25] LoginHint provided: False
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - 455ca45e-0cc8-495f-9bfa-e8904288fd25] Account provided: True
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - 455ca45e-0cc8-495f-9bfa-e8904288fd25] ForceRefresh: False
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - 455ca45e-0cc8-495f-9bfa-e8904288fd25]
=== Request Data ===
Authority Provided? - True
Scopes - https://management.core.windows.net//.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - True
HomeAccountId - False
CorrelationId - 455ca45e-0cc8-495f-9bfa-e8904288fd25
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:

DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - 455ca45e-0cc8-495f-9bfa-e8904288fd25] === Token Acquisition (SilentRequest) started:
         Scopes: https://management.core.windows.net//.default
        Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - 455ca45e-0cc8-495f-9bfa-e8904288fd25] Broker is configured and enabled, attempting to use broker instead.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [Runtime] WAM supported OS.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - 455ca45e-0cc8-495f-9bfa-e8904288fd25] Can invoke broker. Will attempt to acquire token with broker.
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0001]      WARNING SetAuthorityString:98     Initializing authority from string 'https://login.microsoftonline.com/a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa/' without authority type, defaulting to MsSts
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0003]      ERROR   ErrorInternalImpl:134     Created an error: 5vt4a, StatusInternal::AccountNotFound, InternalEvent::None, Error Code 0, Context 'Account with id '(pii)' not found'
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0003]      INFO    LogTelemetryData:393      Printing Telemetry for Correlation ID: 455ca45e-0cc8-495f-9bfa-e8904288fd25
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0003]      INFO    LogTelemetryData:401      Key: start_time, Value: 2024-05-22T06:36:12.000Z
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0003]      INFO    LogTelemetryData:401      Key: api_name, Value: ReadAccountById
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0003]      INFO    LogTelemetryData:401      Key: was_request_throttled, Value: false
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0003]      INFO    LogTelemetryData:401      Key: authority_type, Value: Unknown
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0003]      INFO    LogTelemetryData:401      Key: msal_version, Value: 1.1.0+local
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0003]      INFO    LogTelemetryData:401      Key: correlation_id, Value: 455ca45e-0cc8-495f-9bfa-e8904288fd25
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0003]      INFO    LogTelemetryData:401      Key: broker_app_used, Value: false
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0003]      INFO    LogTelemetryData:401      Key: stop_time, Value: 2024-05-22T06:36:12.000Z
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0003]      INFO    LogTelemetryData:401      Key: all_error_tags, Value: 5vt4a
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0003]      INFO    LogTelemetryData:401      Key: msalruntime_version, Value: 0.16.0
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0003]      INFO    LogTelemetryData:401      Key: api_error_code, Value: 0
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0003]      INFO    LogTelemetryData:401      Key: api_error_tag, Value: 5vt4a
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0003]      INFO    LogTelemetryData:401      Key: api_status_code, Value: StatusInternal::AccountNotFound
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0003]      INFO    LogTelemetryData:401      Key: api_error_context, Value: Account with id '(pii)' not found
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0003]      INFO    LogTelemetryData:401      Key: is_successful, Value: false
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [MSAL:0003]      INFO    LogTelemetryData:401      Key: request_duration, Value: 0
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z] [RuntimeBroker] Could not find a WAM account for the selected user. Error: Status: AccountNotFound
Context: Account with id '(pii)' not found
Tag: 0x1f553780
DEBUG: False MSAL 4.60.3.0 MSAL.CoreCLR .NET 8.0.4 Microsoft Windows 10.0.22631 [2024-05-22 06:36:12Z - 455ca45e-0cc8-495f-9bfa-e8904288fd25] Exception type: Microsoft.Identity.Client.MsalUiRequiredException
, ErrorCode: wam_no_account_for_id
HTTP StatusCode 0
CorrelationId 455ca45e-0cc8-495f-9bfa-e8904288fd25
To see full exception details, enable PII Logging. See https://aka.ms/msal-net-logging
   at Microsoft.Identity.Client.Internal.Requests.Silent.SilentRequest.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.Identity.Client.Utils.StopwatchService.MeasureCodeBlockAsync(Func`1 codeBlock)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)

DEBUG: SharedTokenCacheCredential.GetToken was unable to retrieve an access token. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:  Exception: Azure.Identity.CredentialUnavailableException (0x80131500): SharedTokenCacheCredential authentication unavailable. Token acquisition failed for user automation@a830edad9050849paygmsit3.onmicrosoft.com. Ensure that you have authenticated with a developer tool that supports Azure single sign on.
 ---> Microsoft.Identity.Client.MsalUiRequiredException (0x80131500): Could not find a WAM account for the selected user. Error: Status: AccountNotFound
Context: Account with id '(pii)' not found
Tag: 0x1f553780
WARNING: Unable to acquire token for tenant 'a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa' with error 'Authentication failed against tenant a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa. User interaction is required. This may be due to the conditional access policy settings such as multi-factor authentication (MFA). If you need to access subscriptions in that tenant, please rerun 'Connect-AzAccount' with additional parameter '-TenantId a065c5e1-13a0-4485-8bc7-0eeca4ebb4aa'.'
DEBUG: 11:36:12 PM - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 11:36:12 PM - [ConfigManager] Got nothing from [CheckForUpgrade], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent:  Module: Az.Accounts:3.0.0; CommandName: Get-AzSubscription; PSVersion: 7.4.2; IsSuccess: True; Duration: 00:00:00.0749216; SanitizeDuration: 00:00:00
DEBUG: 11:36:12 PM - [ConfigManager] Got nothing from [EnableDataCollection], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 11:36:12 PM -

Environment data

Name                           Value
----                           -----
PSVersion                      7.4.2
PSEdition                      Core
GitCommitId                    7.4.2
OS                             Microsoft Windows 10.0.22631
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     3.0.0                 Az.Accounts                         {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Clear-AzDefaul…
Script     0.3.2                 Az.CostManagement                   {Get-AzCostManagementExport, Get-AzCostManagementExportExecutionHis…
Script     7.1.0                 Az.Resources                        {Export-AzResourceGroup, Export-AzTemplateSpec, Get-AzDenyAssignmen…
Script     7.0.0                 Az.Storage                          {Add-AzRmStorageContainerLegalHold, Add-AzStorageAccountManagementP…

Error output

DEBUG: 11:36:46 PM - [ConfigManager] Got nothing from [DisplaySecretsWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 11:36:46 PM - ResolveError begin processing with ParameterSet 'AnyErrorParameterSet'.
DEBUG: 11:36:46 PM - using account id 'automation@a830edad9050849paygmsit3.onmicrosoft.com'...
DEBUG: 11:36:46 PM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].


DEBUG: 11:36:46 PM - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 11:36:46 PM - [ConfigManager] Got nothing from [CheckForUpgrade], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent:  Module: Az.Accounts:3.0.0; CommandName: Resolve-AzError; PSVersion: 7.4.2; IsSuccess: True; Duration: 00:00:00.0019185; SanitizeDuration: 00:00:00
DEBUG: 11:36:46 PM - [ConfigManager] Got nothing from [EnableDataCollection], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 11:36:46 PM - ResolveError end processing.

[msqishengc]

Confirmed that the exact same command, with the exact same Entra ID account and tenant works as expected with Az.Accounts v2.19.0.

[bbz94]

I'm having the same issue.

[msqishengc]

Run this before Connect Az account resolved my issue:
Update-AzConfig -EnableLoginByWam $false

Got it from #24962 #24962

[bbz94]

Run this before Connect Az account resolved my issue: Update-AzConfig -EnableLoginByWam $false

Got it from #24962 #24962

Helped to solve the problem.

[isra-fel]

Way 1 and Way 3 are reported by #24963 and can be workarounded by disabling WAM for login Update-AzConfig -EnableLoginByWam $false.

Way 2 is new to us, could you share more about your environment?

1. By "I have no chance to select any thing, the login window appears after the above message.", was the window a browser window or a windows native window (not your browser)?
2. Does this happen all the time?
3. Did it happen before or after you applied the workaround?

Thanks a lot

[msqishengc]

Way 1 and Way 3 are reported by #24963 and can be workarounded by disabling WAM for login Update-AzConfig -EnableLoginByWam $false.

Way 2 is new to us, could you share more about your environment?

1. By "I have no chance to select any thing, the login window appears after the above message.", was the window a browser window or a windows native window (not your browser)?
2. Does this happen all the time?
3. Did it happen before or after you applied the workaround?

Thanks a lot

I would simply repro on a new VM or Sandbox on Windows 11.

1. Install PowerShell 7 with installer (according to https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-windows?view=powershell-7.4)
2. Open Powershell console, install the module: Install-Module -Name Az.Accounts -Force -Verbose -Scope CurrentUser -ErrorAction Stop -AllowClobber -SkipPublisherCheck -Repository PSGallery
3. Run Connect-AzAccount or Connect-AzAccount with -TenantId **** parameter, both failed immediately with Sign in modal dialog opened, and if I dismiss the Sign in dialog, The console could not be focused anymore that I need to kill it by task manager.

[isra-fel]

For the record: the window pop-up-too-late issue was also reported by users of Azure CLI - Azure/azure-cli#28997

[isra-fel]

(I edited the title so that we can focus on the "user canceled authentication" error in this thread.)

We had reported this issue to the corresponding team. Latest status is: "The issue is caused by a bug in the account control logic, and it will return unexpected user cancel signal. We are working on it with our highest priority."

Again the workaround to this issue is to disable WAM by Update-AzConfig -EnableLoginByWam $false.

Will keep this updated.

[jflieben]

For us the update from v2 to v3 was causing the following error:

Your Azure credentials have not been set up or have expired, please run Connect-AzAccount to set up
     | your Azure credentials. Authentication failed against tenant xxxxx.
     | User interaction is required. This may be due to the conditional access policy settings such as
     | multi-factor authentication (MFA). If you need to access subscriptions in that tenant, please rerun
     | 'Connect-AzAccount' with additional parameter '-TenantId xxxx.

using -EnableLoginByWam $false did not fix this until we ALSO used -LoginExperienceV2 Off

[thesonofman0]

Run this before Connect Az account resolved my issue: Update-AzConfig -EnableLoginByWam $false

Got it from #24962 #24962

Thank you for this. Was greeted by the below after I successfully logged in. After tinkering around came here.
Your Azure credentials have not been set up or have expired, please run Connect-AzAccount to set up your Azure credentials.
Authentication failed against tenant ID. User interaction is required. This may be due to the conditional access policy settings such as multi-factor authentication (MFA). If you need to access subscriptions
in that tenant, please rerun 'Connect-AzAccount' with additional parameter '-TenantId ID'.

[slavizh]

It seems this was rushed to release too early without more extensive testing.

[slavizh]

There seems to be an issue also when you run Login-Azaccount -tenantId inside VSCode terminal. It does not open this Windows UI for selecting account and it stays frozen without finishing the command. Setting -EnableLoginByWam $false resolves the problem as it switches to using the browser authentication.

[efd7887]

So who or what broke this? I was working fine as of Friday and now Ive had to play hide and seek with yet ANOTHER Microsoft self-inflicted issue in the realm of Az Powershell. I am going to start recording the time it takes me to identify, investigate and resolve the issues created by these issues and I will be posting those here.

I started today. 2 hours, 13 minutes

My question is, who is going to compensate my company for the time it takes to fix these issues. Yes, I understand its a free "tool", but there are things you can't do, or efficiently do in Azure without PowerShell. Is there a customer agreement or terms and conditions I can have my technical writer review?

Tell the kids who are working on this stuff to slow down and do some QA testing.

It seems this was rushed to release too early without more extensive testing.

[Borgquite]

Yep - Microsoft - where's your testing?

[sxipper]

Any update on this issue?

Currently running with the workaround.

[msJinLei]

Any update on this issue?

Currently running with the workaround.

The MSAL team is working intensely on the fix. We are going to release a new version after we get the fix version.

[JohnJDB]

As of 30 May we have same issue. Its stopped scripts from running. Running PS7.4.2 and Az 12.

[AiHaibara]

if i using Update-AzConfig -EnableLoginByWam $false
i will get another error

D:\a\1\s\deploy\scripts\aad-register.ps1 : Cannot process argument transformation on parameter 'context'. Cannot 
convert the "System.Object[]" value of type "System.Object[]" to type 
"Microsoft.Azure.Commands.Profile.Models.Core.PSAzureContext".
At D:\a\1\s\deploy\scripts\deploy.ps1:919 char:29
+ ... ript:aadConfig = & (Join-Path $script:ScriptDir "aad-register.ps1") `

[msJinLei]

if i using Update-AzConfig -EnableLoginByWam $false i will get another error

D:\a\1\s\deploy\scripts\aad-register.ps1 : Cannot process argument transformation on parameter 'context'. Cannot 
convert the "System.Object[]" value of type "System.Object[]" to type 
"Microsoft.Azure.Commands.Profile.Models.Core.PSAzureContext".
At D:\a\1\s\deploy\scripts\deploy.ps1:919 char:29
+ ... ript:aadConfig = & (Join-Path $script:ScriptDir "aad-register.ps1") `

@AiHaibara
Could you provide the cmdlet that run into the error?

[AiHaibara]

if i using Update-AzConfig -EnableLoginByWam $false i will get another error

D:\a\1\s\deploy\scripts\aad-register.ps1 : Cannot process argument transformation on parameter 'context'. Cannot 
convert the "System.Object[]" value of type "System.Object[]" to type 
"Microsoft.Azure.Commands.Profile.Models.Core.PSAzureContext".
At D:\a\1\s\deploy\scripts\deploy.ps1:919 char:29
+ ... ript:aadConfig = & (Join-Path $script:ScriptDir "aad-register.ps1") `

@AiHaibara Could you provide the cmdlet that run into the error?

the deploy item already deleted now, not sure but seems only these error otherwise it be catched and not print.
but it seems working now using Update-AzConfig -EnableLoginByWam $false and with install and import some specify requireversion module
Az 11.3.1
Microsoft.Graph 2.16.0

[msJinLei]

if i using Update-AzConfig -EnableLoginByWam $false i will get another error

D:\a\1\s\deploy\scripts\aad-register.ps1 : Cannot process argument transformation on parameter 'context'. Cannot 
convert the "System.Object[]" value of type "System.Object[]" to type 
"Microsoft.Azure.Commands.Profile.Models.Core.PSAzureContext".
At D:\a\1\s\deploy\scripts\deploy.ps1:919 char:29
+ ... ript:aadConfig = & (Join-Path $script:ScriptDir "aad-register.ps1") `

@AiHaibara Could you provide the cmdlet that run into the error?

the deploy item already deleted now, not sure but seems only these error otherwise it be catched and not print. but it seems working now using Update-AzConfig -EnableLoginByWam $false and with install and import some specify requireversion module Az 11.3.1 Microsoft.Graph 2.16.0

To resolve your issue, could try the latest version and send the debug log to us so that we can check it? thanks

[AiHaibara]

if i using Update-AzConfig -EnableLoginByWam $false i will get another error

D:\a\1\s\deploy\scripts\aad-register.ps1 : Cannot process argument transformation on parameter 'context'. Cannot 
convert the "System.Object[]" value of type "System.Object[]" to type 
"Microsoft.Azure.Commands.Profile.Models.Core.PSAzureContext".
At D:\a\1\s\deploy\scripts\deploy.ps1:919 char:29
+ ... ript:aadConfig = & (Join-Path $script:ScriptDir "aad-register.ps1") `

@AiHaibara Could you provide the cmdlet that run into the error?

the deploy item already deleted now, not sure but seems only these error otherwise it be catched and not print. but it seems working now using Update-AzConfig -EnableLoginByWam $false and with install and import some specify requireversion module Az 11.3.1 Microsoft.Graph 2.16.0

To resolve your issue, could try the latest version and send the debug log to us so that we can check it? thanks

sorry for some delay, but it seems i can't reproduce this when i using without using target version.

[wab-id]

Run this before Connect Az account resolved my issue: Update-AzConfig -EnableLoginByWam $false

Got it from #24962 #24962

thanks man, you nail it.