Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown. #29155

Open
clumsyhands opened this issue Jun 12, 2024 · 9 comments
Labels: Account (az login/account), Auto-Assign (Auto assign by bot), Azure CLI Team (The command of the issue is owned by Azure CLI team), customer-reported (Issues that are reported by GitHub users external to the Azure organization), Graph (az ad), question (The issue doesn't require a change to the product in order to be resolved. Most issues start as that)

Comments

@clumsyhands

Describe the bug

What does this error mean? There is nothing online about it. I receive this error when running "az ad app" commands from a local Az CLI.

Related command

az login
az ad app list

Errors

cli.azure.cli.core.azclierror: Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown.
az_command_data_logger: Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown.

Issue script & Debug output

cli.azure.cli.core.util: Response status: 401
cli.azure.cli.core.util: Response headers:
cli.azure.cli.core.util: 'Transfer-Encoding': 'chunked'
cli.azure.cli.core.util: 'Content-Type': 'application/json'
cli.azure.cli.core.util: 'Content-Encoding': 'gzip'
cli.azure.cli.core.util: 'Vary': 'Accept-Encoding'
cli.azure.cli.core.util: 'Strict-Transport-Security': 'max-age=31536000'
cli.azure.cli.core.util: 'request-id': 'ce3b4e87-736c-49ef-ad15-e1a49e05cb35'
cli.azure.cli.core.util: 'client-request-id': 'ce3b4e87-736c-49ef-ad15-e1a49e05cb35'
cli.azure.cli.core.util: 'x-ms-ags-diagnostic': '{"ServerInfo":{"DataCenter":"UK South","Slice":"E","Ring":"5","ScaleUnit":"004","RoleInstance":"LO1PEPF00001D5B"}}'
cli.azure.cli.core.util: 'WWW-Authenticate': 'Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="00000003-0000-0000-c000-000000000000", error_description="Continuous access evaluation resulted in challenge with result: InteractionRequired and code: TokenCreatedWithOutdatedPolicies", error="insufficient_claims", claims="eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwidmFsdWUiOiIxNzE4MTkwMTQyIn0sInhtc19ycF9pcGFkZHIiOnsidmFsdWUiOiIyMC42OC4yNDEuMzAifX19", PoP realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="00000003-0000-0000-c000-000000000000", nonce="eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjA1NjEyNTAxRDRFN0NGM0Q3RjYxOUUxNjMxQTQ4MDg1OTQyMTMyQjMifQ.eyJ0cyI6MTcxODE5MDEyMH0.M98MqWkUpDJpYBdGbUsbUKm_B28m-sYDP-BWgwWQY7qYvBrmsJmqDdZdDndeafHxfqlXoEhrIH-d8A2ahr1R--VIWBYEw53-l2uubWCFQOq6VrjbXCSB-hsOOu4uB86uhTD39yG_m5GuyVcVVtYZye2Ex6MHJzAzTwzcBmVrNxG3U9iXUR32dzP9l8dZhOaM7HaUHze9A_W1Efhv4BG2O82_a84U-GhPueo3jqn_H90VdBLup736XWcT6Gy2K6Fqp1sazW1qTJNwRFZaayMllYeBzSfjmBDBpMRjbe843IPEyH0blTfmDqWLgEbIgqgsl0mJUD4IBzW6ZFkdfKHWuA"'
cli.azure.cli.core.util: 'Date': 'Wed, 12 Jun 2024 11:02:22 GMT'
cli.azure.cli.core.util: Response content:
cli.azure.cli.core.util: {"error":{"code":"InvalidAuthenticationToken","message":"Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown.","innerError":{"date":"2024-06-12T11:02:22","request-id":"ce3b4e87-736c-49ef-ad15-e1a49e05cb35","client-request-id":"ce3b4e87-736c-49ef-ad15-e1a49e05cb35"}}}

Expected behavior

az ad app list should run without errors

Environment Summary

azure-cli 2.61.0

core 2.61.0
telemetry 1.1.0

Extensions:
azure-devops 1.0.1

Dependencies:
msal 1.28.0
azure-mgmt-resource 23.1.1

Additional context

No response
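
What the 401 in the debug output above is asking for, as an added example that is not part of the original report or of Azure CLI: the `WWW-Authenticate` header carries a Continuous Access Evaluation claims challenge, and this Python code parses the header and decodes its base64 `claims` parameter. `SAMPLE_HEADER` is abridged from the logged header, with the PoP nonce replaced by a placeholder; the function names are made up for this example.

```python
import base64
import json
import re
from datetime import datetime, timezone

# Abridged from the debug output in the report above: authorization_uri is
# dropped and the PoP nonce is a placeholder; the claims value is as logged.
SAMPLE_HEADER = (
    'Bearer realm="", client_id="00000003-0000-0000-c000-000000000000", '
    'error_description="Continuous access evaluation resulted in challenge with '
    'result: InteractionRequired and code: TokenCreatedWithOutdatedPolicies", '
    'error="insufficient_claims", '
    'claims="eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwidmFsdWUiOiIx'
    'NzE4MTkwMTQyIn0sInhtc19ycF9pcGFkZHIiOnsidmFsdWUiOiIyMC42OC4yNDEuMzAifX19", '
    'PoP realm="", nonce="PLACEHOLDER"'
)

# One auth-param, optionally preceded by the scheme name that opens a challenge.
_PARAM = re.compile(r'(?:^|,\s*)(?:(\w+)\s+)?(\w+)="([^"]*)"')

def parse_challenges(header):
    """Split a WWW-Authenticate value into {scheme: {param: value}}."""
    challenges, current = {}, None
    for scheme, key, value in _PARAM.findall(header):
        if scheme:
            current = challenges.setdefault(scheme, {})
        if current is not None:
            current[key] = value
    return challenges

def decode_claims_challenge(header):
    """Decoded claims JSON of an insufficient_claims Bearer challenge, else None."""
    bearer = parse_challenges(header).get("Bearer", {})
    if bearer.get("error") != "insufficient_claims" or "claims" not in bearer:
        return None
    raw = bearer["claims"]
    padded = raw + "=" * (-len(raw) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(padded))

def token_not_before(claims):
    """UTC time from the challenge's nbf claim, or None if it has none."""
    nbf = claims.get("access_token", {}).get("nbf", {}).get("value")
    return datetime.fromtimestamp(int(nbf), tz=timezone.utc) if nbf else None

if __name__ == "__main__":
    claims = decode_claims_challenge(SAMPLE_HEADER)
    print(json.dumps(claims, indent=2))
    print("nbf (UTC):", token_not_before(claims).isoformat())
```

For the logged header the decoded challenge requires an access token with an `nbf` of 1718190142, which is 2024-06-12T11:02:22 UTC, the same second as the response's `Date` header.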

clumsyhands added the bug label Jun 12, 2024
microsoft-github-policy-service bot added the customer-reported and Auto-Assign labels Jun 12, 2024
@yonzhan
Collaborator

yonzhan commented Jun 12, 2024

Thank you for opening this issue, we will look into it.

microsoft-github-policy-service bot added the Account label Jun 12, 2024
microsoft-github-policy-service bot added the Azure CLI Team, question and Graph labels Jun 12, 2024
yonzhan added this to the Backlog milestone Jun 12, 2024
yonzhan removed the bug label Jun 12, 2024
@SeanKilleen

In case it's helpful to triangulate, I am now getting this error as of this morning using the azuread terraform provider with nothing having changed in my Terraform code. I'm filing something over there but I'll link it here.

@TimHodkin

TimHodkin commented Jun 19, 2024

Hi,

I am seeing this same issue over the last few days.

I have found that after bypassing a conditional access policy we have that blocks based on geo network locations, it then works fine. I could not make this work without bypassing this policy. To my knowledge we have not modified this CA in quite some time, and it is only blocking limited countries.

I am also seeing this with the Az PowerShell module. Anything that tries to look up Entra-based objects or references seems to fail.

```
Get-AzRoleassignment: SharedTokenCacheCredential authentication unavailable. Token acquisition failed for user . Ensure that you have authenticated with a deveolper fool that supports Azure single sign on.
realm:
authorization_uri: https://logni.microsoftonline.com/common/oath2/authorize
client_id: 0000003-0000-0000-c000-000000000000
error_description: Continuous access evaluation resulted in challenge with result: InteractionRequired and code: LocationConditionEvaluationSatisfied
error: insufficient_claims
```

@durankeeley

Just been hit with the same.
2 days ago it was fine. Now, with no change to the code, I get this with Terraform:

 Error: Retrieving Application with object ID "88b184d2-1b2c-45a2-86f9-cdae5f79c005"
│
│   with module.apim_instance.azuread_application.aad_application,
│   on ..\..\..\..\modules\azure\azure-apim\main.tf line 36, in resource "azuread_application" "aad_application":
│   36: resource "azuread_application" "aad_application" {
│
│ ApplicationsClient.BaseClient.Get(): unexpected status 401 with OData error: InvalidAuthenticationToken: Exception of
│ type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown.
╵

Same if I use az ad app list

Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown.

Tried to exclude myself in all Conditional Access but that didn't help.

@Natasha-Kohli

> In case it's helpful to triangulate, I am now getting this error as of this morning using the azuread terraform provider with nothing having changed in my Terraform code. I'm filing something over there but I'll link it here.

I've been getting the same error everyone else has occasionally. As per Sean's linked issue, there is nothing I do that fixes the error other than time. It's hard to tell if logging out and logging back in is actually fixing anything.

@seblatre

seblatre commented Jul 4, 2024

For those who are reaching this issue like me, I was able to work around it by setting the env variable AZURE_IDENTITY_DISABLE_CP1=1 prior to calling the az ad sp...
(export AZURE_IDENTITY_DISABLE_CP1=1 in Linux env)

@psinghca

psinghca commented Jul 31, 2024

Same issue with all 'az ad' commands.
No conditional policy or MFA on the account.

Resolution for me: Remove your .azure folder from the root (linux) and do the az login again to resolve it.

@ashtmMSFT

I'm intermittently seeing this exception while logged into az cli as a service principal (clientId + clientSecret) in a tenant with no Azure subscriptions while running commands to add/remove Entra ID users.

I first started seeing the exception after disabling and then re-enabling the service principal in the tenant.

az logout and/or az account clear followed by a fresh az login does not resolve the issue. Only waiting an indeterminate amount of time seems to fix the issue. My experience aligns with others in the thread in that the issue seems intermittent. I can't consistently repro it.

None of the workarounds proposed in the thread worked on my end.

I suspect this is likely an issue with Graph / the Entra ID service and not the az cli tool. Is there a good place for logging and tracking issues for Graph?

@drdamour

drdamour commented Oct 22, 2024

$env:AZURE_IDENTITY_DISABLE_CP1=1 worked for me...not sure what it did... :(
