[BUG] DefaultAzureCredential VisualStudioCredential unable to retrieve an access token. #29540

Closed
AndrewCS149 opened this issue Jun 28, 2022 · 9 comments
Labels
Azure.Identity Client This issue points to a problem in the data-plane of the library. needs-author-feedback More information is needed from author to address the issue. no-recent-activity There has been no recent activity on this issue.

Comments

@AndrewCS149
Contributor

AndrewCS149 commented Jun 28, 2022

Library name and version

Azure.Identity.DefaultAzureCredential

Describe the bug

I am attempting to authenticate to Azure using the DefaultAzureCredential in my program. However, after I create the DefaultAzureCredential and attempt to use it, I receive an error stating that the VisualStudioCredential.GetToken was unable to retrieve an access token.

var options = new DefaultAzureCredentialOptions()
{
    ExcludeAzureCliCredential = true,
    ExcludeAzurePowerShellCredential = true,
    ExcludeEnvironmentCredential = true,
    ExcludeInteractiveBrowserCredential = true,
    ExcludeManagedIdentityCredential = true,
    ExcludeSharedTokenCacheCredential = true,
    ExcludeVisualStudioCodeCredential = true,
    ExcludeVisualStudioCredential = false
};

var cred = new DefaultAzureCredential(options);

When I attempt to actually use the token, I receive this exception:

Azure-Identity: VisualStudioCredential.GetToken was unable to retrieve an access token. Scopes: [ user_impersonation ] 
ParentRequestId: <id> Exception: Azure.Identity.CredentialUnavailableException (0x80131500): 
Process "C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\Common7\IDE\Extensions\fc0rxpqz.bks\TokenService\Microsoft.Asal.TokenService.exe" 
has failed with unexpected error: TS003: Error, TS007: resource parameter must be a URI or a GUID.

Expected behavior

Successfully authenticate and interact with Azure resources.

Actual behavior

Receive an exception stating 'VisualStudioCredential.GetToken was unable to retrieve an access token'.

Reproduction Steps

  1. Open VS 2022
  2. Create new console project
  3. Create new DefaultAzureCredential
  4. Attempt to interact with Azure resources

Environment

Windows 11
.NET 6
Visual Studio 2022

@ghost ghost added the needs-triage This is a new issue that needs to be triaged to the appropriate team. label Jun 28, 2022
@azure-sdk azure-sdk added Azure.Identity Client This issue points to a problem in the data-plane of the library. needs-team-triage This issue needs the team to triage. labels Jun 28, 2022
@ghost ghost removed the needs-triage This is a new issue that needs to be triaged to the appropriate team. label Jun 28, 2022
@jsquire jsquire added needs-team-attention This issue needs attention from Azure service team or SDK team and removed needs-team-triage This issue needs the team to triage. labels Jun 29, 2022
@jsquire
Member

jsquire commented Jun 29, 2022

Thank you for your feedback. Tagging and routing to the team member best able to assist.

@LeePhillipsFreemarket

I am also having the issue exactly as described.

@AndrewCS149
Contributor Author

@jsquire Is there any update on this?

Thank you!

@AndrewCS149
Contributor Author

@LeePhillipsFreemarket Have you found any workaround/solution for this?

@LeePhillipsFreemarket

@AndrewCS149 Not exactly. When developing locally I'm just using a direct connection string now. When the service is used in Azure, it's using managed identity.

Another way round would be to log into Azure using PowerShell as a fallback and just set ExcludeVisualStudioCredential to true so it doesn't use it.

I've not found a workaround that actually makes use of the VisualStudioCredential.

@christothes
Member

Hi @AndrewCS149 - Could you provide some sample code that shows how you are calling the azure resource? Are you using another client SDK or fetching the token manually?

Also, could you provide the log output of your repro? Details can be found here:
https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/README.md#logging

@christothes christothes added the needs-author-feedback More information is needed from author to address the issue. label Oct 26, 2022
@ghost ghost removed the needs-team-attention This issue needs attention from Azure service team or SDK team label Oct 26, 2022
@ghost ghost added the no-recent-activity There has been no recent activity on this issue. label Nov 2, 2022
@ghost

ghost commented Nov 2, 2022

Hi, we're sending this friendly reminder because we haven't heard back from you in 7 days. We need more information about this issue to help address it. Please be sure to give us your input. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!

@TKoval

TKoval commented Nov 3, 2022

Same here, I'm creating instances of blob client like this:

new BlobServiceClient(new Uri(blobServiceUri), new DefaultAzureCredential(options))

When I perform any operation on this client afterwards the error I get is the following:

Status: 401 (Server failed to authenticate the request. Please refer to the information in the www-authenticate header.)
ErrorCode: InvalidAuthenticationInfo

Additional Information:
AuthenticationErrorDetail: Issuer validation failed. Issuer did not match.

Content:
<?xml version="1.0" encoding="utf-8"?><Error><Code>InvalidAuthenticationInfo</Code><Message>Server failed to authenticate the request. Please refer to the information in the www-authenticate header.
RequestId:94ebddbc-301e-0011-80c8-ef1a10000000
</Message><AuthenticationErrorDetail>Issuer validation failed. Issuer did not match.</AuthenticationErrorDetail></Error>

I'm using .NET 6, function app v4 running on Windows 11. Core Tools version is 4.0.4829. Function runtime version is 4.11.2.19273.

What I'm trying to do is to use managed identity for blob storage access and fall back to VisualStudioCredential while debugging my function app locally. The best workaround I found so far is to set VisualStudioTenantId explicitly:

var options = new DefaultAzureCredentialOptions
{
    ExcludeAzureCliCredential = true,
    ExcludeAzurePowerShellCredential = true,
    ExcludeEnvironmentCredential = true,
    ExcludeInteractiveBrowserCredential = true,
    ExcludeManagedIdentityCredential = false,
    ExcludeSharedTokenCacheCredential = true,
    ExcludeVisualStudioCodeCredential = true,
    ExcludeVisualStudioCredential = false,
    VisualStudioTenantId = "<your Azure AD Tenant ID here>"
};

return new BlobServiceClient(new Uri(blobServiceUri), new DefaultAzureCredential(options));

I found this solution here: #13228. The theory is that this bug occurs when accounts have multiple tenants but my account has only one tenant.
Doing it this way has one disadvantage: it takes a few seconds for ManagedIdentityCredential to fail and use a fallback. There is a feature request to speed it up: #29471.
EDIT: Solution with setting AZURE_TENANT_ID env variable from #13228 works too.
EDIT 2: My account actually has access to 2 tenants, so maybe it's expected behavior. It would be nice to have some more user-friendly errors in this case.
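
Editor's added example (not part of the thread, and not the Azure SDK's own code): a small console check that reads the `tid` and `iss` claims of the token VisualStudioCredential returns and compares them with the tenant that owns the storage account, which is the comparison behind "Issuer validation failed. Issuer did not match." The class name, the command-line argument and the use of the storage scope `https://storage.azure.com/.default` are assumptions made for this example.

```csharp
// Added diagnostic example; not code from the issue thread or the Azure SDK.
using System;
using System.Text;
using System.Text.Json;
using Azure.Core;
using Azure.Identity;

public static class TokenTenantCheck
{
    // Reads the claims of a JWT without validating its signature (diagnostics only;
    // the resource server is what actually validates the token).
    public static JsonElement ReadClaims(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3)
            throw new FormatException("Token is not a three-part JWT.");

        // JWT segments are base64url without padding; convert to standard base64.
        string b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        using JsonDocument doc = JsonDocument.Parse(
            Encoding.UTF8.GetString(Convert.FromBase64String(b64)));
        return doc.RootElement.Clone();
    }

    // Usage (assumed): dotnet run -- <tenant-id-that-owns-the-storage-account>
    public static int Main(string[] args)
    {
        if (args.Length != 1) { Console.Error.WriteLine("usage: <expected-tenant-id>"); return 2; }

        // No TenantId option is passed, so the credential's default tenant
        // selection for the signed-in Visual Studio account applies.
        var credential = new VisualStudioCredential();
        AccessToken token = credential.GetToken(
            new TokenRequestContext(new[] { "https://storage.azure.com/.default" }),
            default);

        JsonElement claims = ReadClaims(token.Token);
        string tid = claims.GetProperty("tid").GetString() ?? "";
        string iss = claims.GetProperty("iss").GetString() ?? "";
        bool match = string.Equals(tid, args[0], StringComparison.OrdinalIgnoreCase);

        Console.WriteLine($"tid={tid} iss={iss}");
        Console.WriteLine(match
            ? "Token tenant matches the expected tenant."
            : "Tenant mismatch: set VisualStudioTenantId or AZURE_TENANT_ID.");
        return match ? 0 : 1;
    }
}
```

The access token is a bearer credential, so the example prints only the two claims and never the token itself.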

@ghost ghost removed the no-recent-activity There has been no recent activity on this issue. label Nov 3, 2022
@ghost ghost added the no-recent-activity There has been no recent activity on this issue. label Nov 11, 2022
@ghost

ghost commented Nov 11, 2022

Hi, we're sending this friendly reminder because we haven't heard back from you in 7 days. We need more information about this issue to help address it. Please be sure to give us your input. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!

@ghost ghost closed this as completed Nov 26, 2022
@github-actions github-actions bot locked and limited conversation to collaborators Mar 25, 2023