Unable to run 'az ad user show --id xxx@microsoft.com' on AzureML Ubuntu VM #29282
Comments
Thank you for opening this issue, we will look into it.
https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes doesn't document There is a feature request #22776 to show the signed in account's object ID, but that feature request was suspended due to several unsettled security discussions. You may follow #22776 (comment) to retrieve the object ID from the access token.
Thank you @jiasli for the workaround. Do you have a similar to
You may use the same approach to get the object ID for a service principal. If this is not what you want, what information do you want to extract from
@jiasli The approach works for my own object ID because I can
Why can't? Is there any error when running
@jiasli
What is the relationship between the login service principal and If
I am not sure if I understand the question "What is the relationship between the login service principal and gcrllama2ws?". What I am trying to do is:
So I guess the "login service principal" is my extra ID, not really a service principal, and not an app either. I am not sure if I could assign my extra ID the role of "Application.Read.All". But that's an interesting idea.
Describe the bug
I want to get my Entra ID programmatically via `az ad user show --id xxxx@microsoft.com`. When I run it on an AzureML Ubuntu VM (I ssh to this VM from my Windows workstation), I am getting the error below. The same command runs successfully on my Windows workstation.

Another related symptom. I can run `az login --use-device-code` successfully on the Ubuntu VM. But if I add the option `--scope https://graph.microsoft.com//.default`, I am getting the error below. The option works fine on my Windows workstation: `az login --scope https://graph.microsoft.com//.default`.

Related command
az ad user show --id xxxx@microsoft.com
az login --use-device-code --scope https://graph.microsoft.com//.default
Errors
See description above.
Issue script & Debug output
Here is the debug output for `az ad user show --id xxxx@microsoft.com --debug`:
DEBUG: cli.knack.cli: Command arguments: ['ad', 'user', 'show', '--id', 'REDACT@microsoft.com', '--debug']
DEBUG: cli.knack.cli: init debug log:
Cannot enable color.
DEBUG: cli.knack.cli: Event: Cli.PreExecute []
DEBUG: cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x746a8570c040>, <function OutputProducer.on_global_arguments at 0x746a856b6200>, <function CLIQuery.on_global_arguments at 0x746a856f3ce0>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
DEBUG: cli.azure.cli.core: Modules found from index for 'ad': ['azure.cli.command_modules.role']
DEBUG: cli.azure.cli.core: Loading command modules:
DEBUG: cli.azure.cli.core: Name Load Time Groups Commands
DEBUG: cli.azure.cli.core: role 0.004 17 61
DEBUG: cli.azure.cli.core: Total (1) 0.004 17 61
DEBUG: cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
DEBUG: cli.azure.cli.core: Loading extensions:
DEBUG: cli.azure.cli.core: Name Load Time Groups Commands Directory
DEBUG: cli.azure.cli.core: Total (0) 0.000 0 0
DEBUG: cli.azure.cli.core: Loaded 17 groups, 61 commands.
DEBUG: cli.azure.cli.core: Found a match in the command table.
DEBUG: cli.azure.cli.core: Raw command : ad user show
DEBUG: cli.azure.cli.core: Command table: ad user show
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x746a84674e00>]
DEBUG: cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/home/REDACT/.azure/commands/2024-06-29.06-51-17.ad_user_show.1062634.log'.
INFO: az_command_data_logger: command args: ad user show --id {} --debug
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0x746a846cf060>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x746a8472d1c0>, <function register_cache_arguments..add_cache_arguments at 0x746a8472d300>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x746a856b62a0>, <function CLIQuery.handle_query_parameter at 0x746a856f3d80>, <function register_ids_argument..parse_ids_arguments at 0x746a8472d260>]
DEBUG: cli.azure.cli.core.util: Retrieving token for resource https://graph.microsoft.com/
DEBUG: cli.azure.cli.core.auth.persistence: build_persistence: location='/home/REDACT/.azure/msal_token_cache.json', encrypt=False
DEBUG: cli.azure.cli.core.auth.binary_cache: load: /home/REDACT/.azure/msal_http_cache.bin
DEBUG: urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
INFO: msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47
DEBUG: msal.authority: openid_config("https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/kerberos', 'tenant_region_scope': 'WW', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
DEBUG: msal.application: Broker enabled? None
DEBUG: cli.azure.cli.core.auth.msal_authentication: UserCredential.get_token: scopes=('https://graph.microsoft.com//.default',), claims=None, kwargs={}
DEBUG: msal.application: Found 1 RTs matching {'environment': 'login.microsoftonline.com', 'home_account_id': '.72f988bf-86f1-41af-91ab-2d7cd011db47', 'family_id': '1'}
DEBUG: msal.telemetry: Generate or reuse correlation_id: b70b6628-f204-44de-aab3-c0e51e80cf10
DEBUG: msal.application: Cache attempts an RT
DEBUG: msal.application: Refresh failed. invalid_grant: AADSTS530003: Your device is required to be managed to access this resource. Trace ID: a3c52841-d43e-4d86-88e7-d0f2c3862b00 Correlation ID: 53263086-9034-477f-b299-66436a86d9d2 Timestamp: 2024-06-29 06:51:14Z
DEBUG: msal.application: Found 1 RTs matching {'environment': 'login.microsoftonline.com', 'home_account_id': '.72f988bf-86f1-41af-91ab-2d7cd011db47', 'client_id': '04b07795-8ddb-461a-bbee-02f9e1bf7b46'}
DEBUG: msal.telemetry: Generate or reuse correlation_id: b70b6628-f204-44de-aab3-c0e51e80cf10
DEBUG: msal.application: Cache attempts an RT
DEBUG: msal.application: Refresh failed. invalid_grant: AADSTS530003: Your device is required to be managed to access this resource. Trace ID: a3c52841-d43e-4d86-88e7-d0f2c3862b00 Correlation ID: 53263086-9034-477f-b299-66436a86d9d2 Timestamp: 2024-06-29 06:51:14Z
DEBUG: cli.azure.cli.core.azclierror: Traceback (most recent call last):
File "/opt/az/lib/python3.11/site-packages/knack/cli.py", line 233, in invoke
cmd_result = self.invocation.execute(args)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 664, in execute
raise ex
File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 731, in _run_jobs_serially
results.append(self._run_job(expanded_arg, cmd_copy))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 723, in _run_job
return cmd_copy.exception_handler(ex)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.11/site-packages/azure/cli/command_modules/role/commands.py", line 51, in graph_err_handler
raise ex
File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 701, in _run_job
result = cmd_copy(params)
^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 334, in __call__
return self.handler(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/command_operation.py", line 363, in handler
show_exception_handler(ex)
File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/arm.py", line 432, in show_exception_handler
raise ex
File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/command_operation.py", line 361, in handler
return op(**command_args)
^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.11/site-packages/azure/cli/command_modules/role/custom.py", line 1859, in show_user
return client.user_get(upn_or_object_id)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.11/site-packages/azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 304, in user_get
result = self._send("GET", "{}".format(_get_user_url(id_or_upn)))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.11/site-packages/azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 52, in _send
r = send_raw_request(self._cli_ctx, method, url, resource=self._resource, uri_parameters=param,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.11/site-packages/azure/cli/core/util.py", line 983, in send_raw_request
token_info, _, _ = profile.get_raw_token(resource)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.11/site-packages/azure/cli/core/_profile.py", line 406, in get_raw_token
sdk_token = credential.get_token(*scopes)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.11/site-packages/azure/cli/core/auth/msal_authentication.py", line 74, in get_token
check_result(result, scopes=scopes, claims=claims)
File "/opt/az/lib/python3.11/site-packages/azure/cli/core/auth/util.py", line 139, in check_result
aad_error_handler(result, **kwargs)
File "/opt/az/lib/python3.11/site-packages/azure/cli/core/auth/util.py", line 43, in aad_error_handler
raise AuthenticationError(error_description, msal_error=error, recommendation=login_message)
azure.cli.core.azclierror.AuthenticationError: AADSTS530003: Your device is required to be managed to access this resource. Trace ID: a3c52841-d43e-4d86-88e7-d0f2c3862b00 Correlation ID: 53263086-9034-477f-b299-66436a86d9d2 Timestamp: 2024-06-29 06:51:14Z
ERROR: cli.azure.cli.core.azclierror: AADSTS530003: Your device is required to be managed to access this resource. Trace ID: a3c52841-d43e-4d86-88e7-d0f2c3862b00 Correlation ID: 53263086-9034-477f-b299-66436a86d9d2 Timestamp: 2024-06-29 06:51:14Z
ERROR: az_command_data_logger: AADSTS530003: Your device is required to be managed to access this resource. Trace ID: a3c52841-d43e-4d86-88e7-d0f2c3862b00 Correlation ID: 53263086-9034-477f-b299-66436a86d9d2 Timestamp: 2024-06-29 06:51:14Z
Interactive authentication is needed. Please run:
az login --scope https://graph.microsoft.com//.default
DEBUG: cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x746a84675080>]
INFO: az_command_data_logger: exit code: 1
INFO: cli.main: Command ran in 0.291 seconds (init: 0.148, invoke: 0.142)
INFO: telemetry.main: Begin splitting cli events and extra events, total events: 1
INFO: telemetry.client: Accumulated 0 events. Flush the clients.
INFO: telemetry.main: Finish splitting cli events and extra events, cli events: 1
INFO: telemetry.save: Save telemetry record of length 3995 in cache
INFO: telemetry.main: Begin creating telemetry upload process.
INFO: telemetry.process: Creating upload process: "/opt/az/bin/python3 /opt/az/lib/python3.11/site-packages/azure/cli/telemetry/__init__.py /home/REDACT/.azure"
INFO: telemetry.process: Return from creating process
INFO: telemetry.main: Finish creating telemetry upload process.
Expected behavior
`az ad user show --id xxxx@microsoft.com` should run successfully on AzureML Ubuntu VM

Environment Summary
azure-cli 2.61.0
core 2.61.0
telemetry 1.1.0
Extensions:
ml 2.26.1
Dependencies:
msal 1.28.0
azure-mgmt-resource 23.1.1
Python location '/opt/az/bin/python3'
Extensions directory '/home/REDACT/.azure/cliextensions'
Python (Linux) 3.11.8 (main, May 16 2024, 03:47:28) [GCC 11.4.0]
Legal docs and information: aka.ms/AzureCliLegal
Your CLI is up-to-date.
Additional context
No response
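The debug output shows the real blocker: `az ad user show` has to call Microsoft Graph, and the token refresh for the Graph resource is refused with AADSTS530003, a Conditional Access requirement that the calling device be managed. The plain `az login` on the VM succeeds because the default resource (Azure Resource Manager) is not covered by that requirement. The comment thread points to the #22776 workaround of reading the object ID out of an access token instead of asking Graph. The script below is an added example (not code from this issue or from the azure-cli project) of that workaround: it decodes the JWT payload of a token locally and reports the `oid`, `tid` and principal claims. The sample token is constructed inside the script; the `az account get-access-token` call at the bottom and the claim names are Entra token conventions the script assumes, and `az` is assumed to be installed and logged in for that path.

```python
"""Read the signed-in identity's object ID from an Azure CLI access token.

Added example (not from the issue or the azure-cli project): instead of
`az ad user show`, which needs a Microsoft Graph token that the device
requirement in this issue blocks, decode the JWT payload of a token the CLI
can still obtain (by default the ARM token `az login` already acquired) and
read the `oid` claim.  SAMPLE_CLAIMS is CONSTRUCTED for this example; the live
path in __main__ shells out to `az account get-access-token`, which is assumed
to be on PATH and logged in.
"""
import base64
import json
import subprocess
import time


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    segment = segment.rstrip("=")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    The signature is deliberately NOT verified: this is only appropriate for a
    token you obtained yourself and want to inspect.  Never use this to decide
    whether to trust a token presented by someone else.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    header = json.loads(_b64url_decode(parts[0]))
    if str(header.get("alg", "none")).lower() == "none":
        # An unsigned token cannot have come from Entra ID; refuse it outright.
        raise ValueError("refusing token with alg=none")
    return json.loads(_b64url_decode(parts[1]))


def identity_from_token(token: str, now=None) -> dict:
    """Summarise who an Entra access token represents."""
    claims = decode_jwt_claims(token)
    now = time.time() if now is None else now
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token has expired; run `az login` again")
    # `oid` is the directory object ID of the user or service principal and
    # `tid` the tenant.  User tokens carry `upn` (v1) or `preferred_username`
    # (v2); app-only tokens carry neither, which is the heuristic for `kind`.
    upn = claims.get("upn") or claims.get("preferred_username")
    return {
        "object_id": claims.get("oid"),
        "tenant_id": claims.get("tid"),
        "audience": claims.get("aud"),
        "principal": upn,
        "kind": "user" if upn else "service principal",
    }


def make_sample_token(claims: dict, alg: str = "RS256") -> str:
    """Build a fake JWT for offline demonstration only (signature is garbage)."""
    header = {"typ": "JWT", "alg": alg, "kid": "example-kid"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ])


# Constructed claims; the GUIDs are placeholders, not real identities.
SAMPLE_CLAIMS = {
    "aud": "https://management.azure.com/",
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000001/",
    "exp": 4102444800,  # 2100-01-01T00:00:00Z, so the sample never expires
    "oid": "11111111-2222-3333-4444-555555555555",
    "tid": "00000000-0000-0000-0000-000000000001",
    "upn": "user@example.com",
}


def cli_access_token(resource: str = "https://management.azure.com/") -> str:
    """Fetch a token from the logged-in Azure CLI (requires `az` on PATH)."""
    out = subprocess.run(
        ["az", "account", "get-access-token", "--resource", resource,
         "--query", "accessToken", "-o", "tsv"],
        check=True, capture_output=True, text=True,
    )
    return out.stdout.strip()


if __name__ == "__main__":
    # Offline demonstration on the constructed token...
    print(identity_from_token(make_sample_token(SAMPLE_CLAIMS)))
    # ...and, when the CLI is available, on the real ARM token.
    try:
        print(identity_from_token(cli_access_token()))
    except (OSError, subprocess.CalledProcessError) as exc:
        print(f"az CLI not available: {exc}")
```

Because the token is decoded without signature verification, use this only to inspect a token the CLI handed to you; any component that must trust a token has to validate the signature against the tenant's `jwks_uri` (visible in the openid-configuration dump in the debug log above) and check `aud`, `iss` and `exp`. The ARM token is requested on purpose: it is the resource the VM can still obtain under the device requirement, and its `oid` is the same directory object ID that `az ad user show` would have returned.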