DefaultAzureCredential fails when multiple accounts are available and defaulting to SharedTokenCacheCredential

[twsouthwick]

Describe the bug
I am using v1.0 of Azure.Identity on both .NET Framework and .NET Core and am attempting to connect to a blob container via DefaultAzureCredential:

async static Task CreateBlockBlobAsync(string accountName, string containerName)
{
    // Construct the blob container endpoint from the arguments.
    string containerEndpoint = string.Format("https://{0}.blob.core.windows.net/{1}", accountName, containerName);

    // Get a credential and create a client object for the blob container.
    var containerClient = new BlobContainerClient(new Uri(containerEndpoint), new DefaultAzureCredential());

    // Create the container if it does not exist.
    await containerClient.CreateIfNotExistsAsync();
}

I am logged into Visual Studio with two accounts. When I run this, I get the following:

Azure.Identity.AuthenticationFailedException
  HResult=0x80131500
  Message=The DefaultAzureCredential failed to retrieve a token from the included credentials.
  EnvironmentCredential is unavailable Environment variables not fully configured. AZURE_TENANT_ID and AZURE_CLIENT_ID must be set, along with either AZURE_CLIENT_SECRET or AZURE_USERNAME and AZURE_PASSWORD. Currently set variables [  ].
  ManagedIdentityCredential is unavailable No managed identity endpoint found..
  SharedTokenCacheCredential is unavailable Multiple accounts were discovered in the shared token cache. To fix, set the AZURE_USERNAME environment variable to the preferred username, or specify it when constructing SharedTokenCacheCredential.
 Discovered Accounts: [ '****@outlook.com', '****@microsoft.com' ].
See inner exception for more detail.
  Source=Azure.Identity
  StackTrace:
   at Azure.Identity.DefaultAzureCredential.<GetTokenAsync>d__10.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Azure.Identity.DefaultAzureCredential.<GetTokenAsync>d__9.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.<ProcessAsync>d__8.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Azure.Core.Pipeline.HttpPipelineSynchronousPolicy.<ProcessAsync>d__1.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Azure.Core.Pipeline.RetryPolicy.<ProcessAsync>d__11.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Azure.Core.Pipeline.RetryPolicy.<ProcessAsync>d__11.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Azure.Core.Pipeline.HttpPipelineSynchronousPolicy.<ProcessAsync>d__1.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Azure.Core.Pipeline.HttpPipelineSynchronousPolicy.<ProcessAsync>d__1.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Azure.Storage.Blobs.BlobRestClient.Container.<CreateAsync>d__0.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Azure.Storage.Blobs.BlobContainerClient.<CreateInternal>d__36.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Azure.Storage.Blobs.BlobContainerClient.<CreateIfNotExistsInternal>d__35.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Azure.Storage.Blobs.BlobContainerClient.<CreateIfNotExistsAsync>d__34.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
   at StorageAccountSample.Program.<CreateBlockBlobAsync>d__1.MoveNext() in C:\Users\tasou\source\repos\StorageAccountSample\StorageAccountSample\Program.cs:line 24
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.GetResult()
   at StorageAccountSample.Program.<Main>d__0.MoveNext() in C:\Users\tasou\source\repos\StorageAccountSample\StorageAccountSample\Program.cs:line 12
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.GetResult()
   at StorageAccountSample.Program.<Main>(String[] args)

Inner Exception 1:
AggregateException: The DefaultAzureCredential failed to retrieve a token from the included credentials.

Inner Exception 2:
CredentialUnavailableException: Environment variables not fully configured. AZURE_TENANT_ID and AZURE_CLIENT_ID must be set, along with either AZURE_CLIENT_SECRET or AZURE_USERNAME and AZURE_PASSWORD. Currently set variables [  ]

At this, point, I attempt to set AZURE_USERNAME. This fails with the following:

Azure.Identity.AuthenticationFailedException
  HResult=0x80131500
  Message=The DefaultAzureCredential failed due to an unhandled exception:  SharedTokenCacheCredential failed with unhandled exception The authentication request failed due to an unhandled exception.  See inner exception for details..
  EnvironmentCredential is unavailable Environment variables not fully configured. AZURE_TENANT_ID and AZURE_CLIENT_ID must be set, along with either AZURE_CLIENT_SECRET or AZURE_USERNAME and AZURE_PASSWORD. Currently set variables [  AZURE_USERNAME ].
  ManagedIdentityCredential is unavailable No managed identity endpoint found..
  SharedTokenCacheCredential failed with The authentication request failed due to an unhandled exception.  See inner exception for details..
See inner exception for more detail.
  Source=Azure.Identity
  StackTrace:
   at Azure.Identity.DefaultAzureCredential.<GetTokenAsync>d__10.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Azure.Identity.DefaultAzureCredential.<GetTokenAsync>d__9.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.<ProcessAsync>d__8.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Azure.Core.Pipeline.HttpPipelineSynchronousPolicy.<ProcessAsync>d__1.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Azure.Core.Pipeline.RetryPolicy.<ProcessAsync>d__11.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Azure.Core.Pipeline.RetryPolicy.<ProcessAsync>d__11.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Azure.Core.Pipeline.HttpPipelineSynchronousPolicy.<ProcessAsync>d__1.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Azure.Core.Pipeline.HttpPipelineSynchronousPolicy.<ProcessAsync>d__1.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Azure.Storage.Blobs.BlobRestClient.Container.<CreateAsync>d__0.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Azure.Storage.Blobs.BlobContainerClient.<CreateInternal>d__36.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Azure.Storage.Blobs.BlobContainerClient.<CreateIfNotExistsInternal>d__35.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Azure.Storage.Blobs.BlobContainerClient.<CreateIfNotExistsAsync>d__34.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
   at StorageAccountSample.Program.<CreateBlockBlobAsync>d__1.MoveNext() in C:\Users\tasou\source\repos\StorageAccountSample\StorageAccountSample\Program.cs:line 25
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.GetResult()
   at StorageAccountSample.Program.<Main>d__0.MoveNext() in C:\Users\tasou\source\repos\StorageAccountSample\StorageAccountSample\Program.cs:line 13
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.GetResult()
   at StorageAccountSample.Program.<Main>(String[] args)

Inner Exception 1:
AggregateException: The DefaultAzureCredential failed due to an unhandled exception:  SharedTokenCacheCredential failed with unhandled exception The authentication request failed due to an unhandled exception.  See inner exception for details..

Inner Exception 2:
CredentialUnavailableException: Environment variables not fully configured. AZURE_TENANT_ID and AZURE_CLIENT_ID must be set, along with either AZURE_CLIENT_SECRET or AZURE_USERNAME and AZURE_PASSWORD. Currently set variables [  AZURE_USERNAME ]

It appears that when multiple accounts are available, SharedTokenCacheCredential expected AZURE_USERNAME to disambiguate. However, since EnvironmentCredential runs first, it reports an error.

How can I use DefaultCredential when using multiple accounts in VS? I would expected Tools->Options->Azure Service Authentication->Account Selection in VS would be honored but it does not seem to be (which works with Microsoft.Azure.Services.AppAuthentication.

[pakrym]

cc @schaabs

[schaabs]

@twsouthwick Thanks for reporting this issue. It seems that the error message you're getting here is a pretty confusing. The CredentialUnavailableException is actually handled by the DefaultAzureCredential and is basically used as a signal to try the next credential in the chain. It looks like the SharedTokenCacheCredential is actually attempting to authenticate in the second error you shared, but this failed with an unhandled exception.

 SharedTokenCacheCredential failed with unhandled exception The authentication request failed due to an unhandled exception.  See inner exception for details..

So I believe in this case AZURE_USERNAME is properly being used to disambiguate, but when we tried to authenticate with this account an exception was raised. Unfortunately the specific exception which caused the SharedTokenCacheCredential to fail in this case isn't being added to the exception message, and is not intuitive to dig out as it's actually buried in the tree of inner exceptions. To dig out this exception message and callstack you'd need to print the whole tree of inner exceptions. I've created issue #8665 to address this.

As to your second point. We are working to get parity with Microsoft.Azure.Services.AppAuthentication. We are using a newer mechanism to share credentials between VS and the running application, which currently doesn't honor the selection in Tools->Options->Azure Service Authentication->Account Selection. For the time being AZURE_USERNAME needs to be specified to differentiate.

[twsouthwick]

That makes sense. Let me know if there's any debugging I can do on my side

[pakrym]

Can you enable Break on all exceptions (https://docs.microsoft.com/en-us/visualstudio/debugger/managing-exceptions-with-the-debugger?view=vs-2019) are copy the exception details for the exception that gets thrown in Microsoft.Identity.Client

[twsouthwick]

Ok, when I do this, I get the following:

Microsoft.Identity.Client.MsalServiceException
  HResult=0x80131500
  Message=AADSTS70002: The client does not exist or is not enabled for consumers. If you are the application developer, configure a new application through the App Registrations in the Azure Portal at https://go.microsoft.com/fwlink/?linkid=2083908.
Trace ID: ab88f102-5946-4b60-ac06-294565df0100
Correlation ID: 61d55a29-6ef5-4caf-ba0b-01ad1cbd8dea
Timestamp: 2019-11-07 23:13:55Z
  Source=Microsoft.Identity.Client
  StackTrace:
   at Microsoft.Identity.Client.OAuth2.OAuth2Client.CreateErrorResponse(HttpResponse response, RequestContext requestContext)

This occurs a number of times it seems. I had to click "don't break on this" to be able to get through it.

[jackfoxy]

Our team is also suffering from what I think is this problem, although a somewhat different call stack.
Please fix this.

[tuanle07]

Had exactly the same issue as well when I logged into VS with 2 accounts (though I selected only 1 account for Azure default credentials). Please fix it!

[arkiaconsulting]

@tuanle07 Please make sure that the only remaining account has not been invited in another tenant(s). If this is the case, in the VS Account UI, untick all tenants except the one that you're interested in.

[tuanle07]

@tuanle07 Please make sure that the only remaining account has not been invited in another tenant(s). If this is the case, in the VS Account UI, untick all tenants except the one that you're interested in.

Where do you see the list of tenants in the VS Account Settings UI? I can only see a list of logged in accounts and ability to remove them. 🤔

[arkiaconsulting]

In the account window, click on the Apply filter next to the account you're interested in.

If you don't have this option, your account may not be invited in other tenants, and as such, my solution does not apply to your case...

[tuanle07]

In the account window, click on the Apply filter next to the account you're interested in.

If you don't have this option, your account may not be invited in other tenants, and as such, my solution does not apply to your case...

I’m using VS Professional version so not sure if that matters but I don’t see the Apply Filter button next to the account. 😞