diff --git a/src/Accounts/Accounts/ChangeLog.md b/src/Accounts/Accounts/ChangeLog.md
index 9389507f3feb..77f372b57bfa 100644
--- a/src/Accounts/Accounts/ChangeLog.md
+++ b/src/Accounts/Accounts/ChangeLog.md
@@ -18,6 +18,7 @@
 - Additional information about change #1
 -->
 ## Upcoming Release
+* Fixed an issue that TenantId may be not respected if using `Connect-AzAccount -DeviceCode`[#13477]
 * Added new cmdlet `Get-AzAccessToken`
 * Fixed an issue that error happens if user profile path is inaccessible
 * Fixed an issue causing Write-Object error during Connect-AzAccount [#13419]
diff --git a/src/Accounts/Accounts/Models/RMProfileClient.cs b/src/Accounts/Accounts/Models/RMProfileClient.cs
index 4ea1257ebc8e..01638f0a8037 100644
--- a/src/Accounts/Accounts/Models/RMProfileClient.cs
+++ b/src/Accounts/Accounts/Models/RMProfileClient.cs
@@ -195,6 +195,7 @@ public AzureRmProfile Login(
 environment,
 subscriptionId,
 subscriptionName,
+ true,
 out newSubscription,
 out newTenant))
 {
@@ -248,7 +249,7 @@ public AzureRmProfile Login(
 if (token != null &&
 newTenant == null &&
- TryGetTenantSubscription(token, account, environment, subscriptionId, subscriptionName, out tempSubscription, out tempTenant))
+ TryGetTenantSubscription(token, account, environment, subscriptionId, subscriptionName, false, out tempSubscription, out tempTenant))
 {
 // If no subscription found for the given token/tenant,discard tempTenant value.
 // Continue to look for matched subscripitons until one subscription retrived by its home tenant is found.
@@ -554,6 +555,7 @@ private bool TryGetTenantSubscription(IAccessToken accessToken,
 IAzureEnvironment environment,
 string subscriptionId,
 string subscriptionName,
+ bool isTenantPresent,
 out IAzureSubscription subscription,
 out IAzureTenant tenant)
 {
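Review bot: The bare `true` added to the first TryGetTenantSubscription call (hunk at -195), and the `false` in the second call (hunk at -248), give no hint at the call site of what they switch. A named argument, `isTenantPresent: true,` and `isTenantPresent: false,`, would make both calls readable; if the project's language version does not accept a named argument ahead of the `out` arguments, a trailing comment such as `true, // isTenantPresent` serves the same purpose. Both calls sit inside Login, whose body extends outside these hunks, so whether `true` really corresponds to a caller-specified tenant cannot be confirmed from the lines shown.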
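Review bot: `isTenantPresent` is added to the TryGetTenantSubscription signature (hunk at -554) with no description, and its name states the caller's situation rather than what the method does with it. Judging by the later hunk in this file, it appears only to decide whether an `InvalidAuthenticationTokenTenant` error is reported. A comment on the parameter would record that contract: `// true when the caller specified a tenant; false while probing tenants, where a tenant/subscription mismatch is expected and not reported`. The method body lies outside this hunk.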
@@ -596,7 +598,13 @@ private bool TryGetTenantSubscription(IAccessToken accessToken,
 }
 catch (CloudException ex)
 {
- WriteWarningMessage(ex.Message);
+ //Error "InvalidAuthenticationTokenTenant" means tenant and subscription mismatches.
+ //If tenant is not present, we're iterating all tenants until finding right tenant for specified subscription,
+ //in this case, InvalidAuthenticationTokenTenant message is expected and we should ignore it.
+ if (isTenantPresent || !string.Equals(ex.Body?.Code, "InvalidAuthenticationTokenTenant", StringComparison.OrdinalIgnoreCase))
+ {
+ WriteWarningMessage(ex.Message);
+ }
 }
 if (subscription != null)
diff --git a/src/Accounts/Authenticators/DeviceCodeAuthenticator.cs b/src/Accounts/Authenticators/DeviceCodeAuthenticator.cs
index 4bbd50757350..063607c61198 100644
--- a/src/Accounts/Authenticators/DeviceCodeAuthenticator.cs
+++ b/src/Accounts/Authenticators/DeviceCodeAuthenticator.cs
@@ -48,7 +48,7 @@ public override Task Authenticate(AuthenticationParameters paramet
 DeviceCodeCallback = DeviceCodeFunc,
 AuthorityHost = new Uri(authority),
 ClientId = clientId,
- TenantId = onPremise ? tenantId : null,
+ TenantId = tenantId,
 TokenCache = tokenCache.TokenCache,
 };
 var codeCredential = new DeviceCodeCredential(options);
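Review bot: The new condition in the `catch (CloudException ex)` block (hunk at -596) discards a suppressed `InvalidAuthenticationTokenTenant` error entirely. A login that probes every tenant and still finds no match therefore leaves no record of which tenants rejected the token. Consider an `else` branch that writes `ex.Message` to a non-warning channel, such as a debug or verbose writer if this class has one (none is visible in the hunk), so the console stays quiet but the evidence survives for troubleshooting. The error code would also be easier to audit as a named constant, e.g. `private const string InvalidTokenTenantCode = "InvalidAuthenticationTokenTenant";`, than as a literal inside the condition. The enclosing method starts and ends outside the hunk.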
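Review bot: `TenantId = tenantId` in DeviceCodeAuthenticator.cs now passes the value through unconditionally, and the hunk does not show what `tenantId` holds when the caller supplied no tenant. It is worth confirming that a null or empty value still behaves as the explicit `null` did before, and that it stays consistent with the tenant implied by `authority`. If `onPremise` was used only in this initializer it is now dead and can be removed; its declaration is outside the hunk. A comment on the line would record the intent: `// Always pass the requested tenant so the token is issued for it; previously only on-premise logins did (#13477)`.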