The auth panel should show any subscriptions it can get instead of showing nothing, even if only a subset of tenants had issues

[rytmis]

Storage Explorer Version: 1.0.0

Platform: Windows

Architecture: ia32

Build Number: 20180415.2

Commit: 5d603052

Regression From: 1.0.0 preview

Steps to Reproduce:

1. Open ASE.
2. Remove existing credentials due to changed authentication library
3. Re-enter credentials
4. Get message saying subscriptions could not be retrieved.

Expected Experience:

Get a list of my azure subscriptions

Actual Experience:

This only happens with my MSA -- I have an Office 365 AAD account that works fine.

I opened up the developer tools and found out the tenant ID that is giving me grief. It seems that my MSA is a guest user in that tenant. I don't have access to any of the Azure resources in that tenant, and I don't have any way of removing my MSA from that tenant, either.

[jouniheikniemi]

This is also an effective denial-of-service vector. If I add an account as a guest to an AAD tenant, the user cannot leave the tenant without the collaboration of the admin of the tenant (or a support ticket). Therefore, just adding someone to an empty tenant is enough to disable his/her usage of Storage Explorer.

[MRayermannMSFT]

Hi @rytmis , sorry that you've run into this issue. In the future, if someone has a subset of tenants causing issues, we're going to display whatever subscriptions we can get from the working tenants and also a message indicating that some number of tenants failed. Unfortunately though, I can't give you a time estimate for when that might ship. 🙁

Until then, can you at least disable your account in that tenant? If you can, then our auth library won't return the tenant to us and we won't try enumerating it's subscriptions. Otherwise, you may need to downgrade to 0.9.6 for the time being (I think the previous version link on azure.com now points to 1.0.0, so let me know if you need an installer for 0.9.6 and for what platform).

[rytmis]

Turns out that the directory in question had had 2FA enabled -- this may be part of the reason why this happened. I only noticed when logging in via Azure PowerShell.

Anyway, I worked around this by switching to a different account in the tenant where I wanted to operate and opened a support request to have me removed from the unwanted tenant.

[MRayermannMSFT]

Yes, there's also a known issue around 2FA in a few edge cases. We/our auth team is working on it. I'm glad you were able to find a workaround though. I'll leave this issue open as a tracker for the feature I discussed earlier.

[MRayermannMSFT]

This has been merged into master and will be shipped in 1.2.0.

[datarchitect]

I still have this error with version 1.2.0. The below error shows up. Explorer does show the name of all subscriptions I have, but does not let me click Apply and proceed.

Error Details.
Subscriptions for the follwowing tenants could not be retrieved:
Tenant Id: 22529389-206f-490d-b222-2c0ac87b3edf, Error: "AuthenticationNeededError"