az ad signed-in-user show in 2.37.0 does not work: ADSTS50005: User tried to log in to a device from a platform (Unknown) that's currently not supported through Conditional Access policy.

[torumakabe]

Describe the bug

az ad signed-in-user show in 2.37.0 does not work in my env. The cause seems to be AD Conditional Access policy, but in the previous version (2.36.0), it works as expected without error.

The migration doc doesn't seem to have any known issues with this error.

This command is used in in common packages for HashiCorp products such as Terraform, so has a big impact.

If it's a tenant configuration issue, I'll talk to the admin. However, it worked in the previous Azure CLI version, so could you please check it? Thanks!

Command Name
az ad signed-in-user show

Errors:

AADSTS50005: User tried to log in to a device from a platform (Unknown) that's currently not supported through Conditional Access policy. Supported device platforms are: iOS, Android, Mac, and Windows flavors.
Trace ID: 0c31027b-05eb-4d4d-b600-1fec50530400
Correlation ID: 08abee16-3df6-480b-b128-2678be62ade3
Timestamp: 2022-05-26 03:04:09Z

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

• az ad signed-in-user show -o {}

Environment Summary

Linux-5.15.0-33-generic-x86_64-with-glibc2.35, Ubuntu 22.04 LTS
Python 3.10.4
Installer: DEB

azure-cli 2.37.0

Extensions:
ssh 1.1.1
aks-preview 0.5.74

Dependencies:
msal 1.18.0b1
azure-mgmt-resource 21.1.0b1

[jiasli]

@torumakabe,

This issue has been reported before in #16401.

Azure CLI 2.36.0 works before because it calls AD Graph. Now Azure CLI 2.37.0 calls Microsoft Graph, and the error message AADSTS50005 actually doesn't come from MS Graph, but MSAL and AAD, indicating resource MS Graph has Conditional Access policy configured.

Could you try to run this command on a supported device (iOS, Android, Mac, and Windows flavors) which has Company Portal installed and is complaint?

I can successfully run it on my Microsoft-managed laptop:

> az ad signed-in-user show
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity",
  ...
  "userPrincipalName": "xxx@microsoft.com"
}

If it's a tenant configuration issue, I'll talk to the admin.

Yes. This would be a reasonable approach to take.

[torumakabe]

@jiasli Thanks! Unfortunately, I'm running Azure CLI on a Linux server... Logged in with --use-device-code option. There may be many users who have similar issues.

I'll talk to the tenant admin. Thanks!

[jiasli]

Root cause

Due to Microsoft company policy, Microsoft tenant 72f988bf-86f1-41af-91ab-2d7cd011db47 has Conditional Access policies that block using device code flow to access Microsoft Graph API.

Solution

For user identity, only interactive login using auth code flow is allowed by Microsoft tenant to call Microsoft Graph API.

If you can't use auth code flow, you may use a service principal which is designed to be used in automated environments, like a server:

• Sign in with a service principal
• Create an Azure service principal with the Azure CLI

[torumakabe]

@jiasli As a result of additional verification, it was found that even Linux behaves differently depending on the login method.

• Can be performed without error in an environment where authentication can be redirected to the browser (like WSL2, Azure Cloud Shell via Windows Terminal)
• Error occurs in device flow authenticated environment. az login --use-device-code

Apart from conditional access settings, I think the difference in behavior should be clarified. Could you specify it in the document?

[jiasli]

Linux VM

I am able to reproduce on Linux VM:

$ az login
# It launches device code flow and calling ARM works

# Calling MS Graph is a "step-up`
$ az ad signed-in-user show
AADSTS50005: User tried to log in to a device from a platform (Unknown) that's currently not supported through Conditional Access policy. Supported device platforms are: iOS, Android, Mac, and Windows flavors.
Trace ID: 8e0e3ae2-92a7-4dff-8070-ed99ff611b00
Correlation ID: c7fb3bec-5617-4b99-8d89-713bcbe3562e
Timestamp: 2022-05-26 10:47:01Z
To re-authenticate, please run:
az login --scope https://graph.microsoft.com//.default

Then I ran

az login --scope https://graph.microsoft.com//.default

I got rejected by AAD in the browser:

Local Windows machine

I also got error on local Windows machine using device code flow:

> az login --use-device-code
> az ad signed-in-user show
AADSTS53000: Device is not in required device state: compliant. Conditional Access policy requires a compliant device, and the device is not compliant. The user must enroll their device with an approved MDM provider like Intune.
Trace ID: 1f4fdf19-f63c-40ad-a604-30a0fe2d0100
Correlation ID: 7010d1aa-730a-4401-ade8-ff5ddfa8144b
Timestamp: 2022-05-26 11:52:23Z

> az login --scope https://graph.microsoft.com//.default --use-device-code

WSL2

WSL 2 works because it can utilize the auth code flow.

Cloud Shell in Windows Terminal

Per my understanding, Cloud Shell in Windows Terminal also uses device code flow:

I got error:

$ az ad signed-in-user show
Failed to connect to MSI. Please make sure MSI is configured correctly.
Get Token request returned: <Response [400]>

Are you able to make it work for Cloud Shell in Windows Terminal?

Cloud Shell in Azure Portal

Cloud Shell in Azure Portal works because it borrows Azure Portal's token which is auth code authenticated.

[janegilring]

I also ran into this issue from an Ubuntu 20.04-based dev-container in VS Code after upgrading Azure CLI from 2.36 to 2.37.

I have always used device codes to authenticate from dev-containers in order to control which browser session the authentication happens in:
az login --use-device-code

Authenticating using the scope suggested in the error message solved the issue for me:
az login --scope https://graph.microsoft.com//.default --use-device-code

Both az ad signed-in-user show -o json and terraform plan works fine now.

[jiasli]

@janegilring, I am glad to know az login with --scope works. However, your problem maybe different. Could you please share the error message you get?

Originally your MS Graph command fails because using ARM refresh token to get MS Graph access token is a step-up operation which may require MFA. If you log in with --scope, the AAD login page can successfully do MFA.

We supported Conditional Access login with:

• {Core} az login: support --scope #17778
• [Core] Conditional Access: Show --scope for az login message when failed to refresh the access token #17738