
Multiple login prompts when using an account with MFA enabled #460

Closed
cbailiss opened this issue Jul 23, 2018 · 30 comments
Labels: 💡 feature request (New feature or request), ✅ merged (A fix for this issue has been merged)

Comments

@cbailiss

Storage Explorer Version: 1.3.1
Platform: Windows
Architecture: ia32
Build Number: 20180711.1
Commit: 9a954726

Steps to Reproduce:

Using an MSA account (hotmail, live, etc).
Account is tenant admin in Azure and has MFA enabled in Azure.
Account has two subscriptions (one PAYG, another Visual Studio credits).
Signing into storage explorer, I have to login three times.
First time: Username-Password.
Second and third times: Username, Password, MFA text message code.

Expected Experience:

Login once.

Actual Experience:

Have to login three times, as described above.

@johnstaveley

I also have to login 3 times. When this was only 2 times with MFA I was promised it was fixed in a future release. In fact it is worse. One thing I would note is that once I finally login my pay as you go account is listed 3 times but does not expand to anything.

@CraigLittlewood

I also have to login 3 times!

@MRayermannMSFT MRayermannMSFT added this to the 1.14.0 milestone Mar 23, 2020
@sjkp

sjkp commented Apr 1, 2020

This is by far the worst thing about storage explorer. I work as a consultant and have access to many azure subscriptions. Many of which require MFA (for good reasons). I get 10+ login prompts now. I try to only accept the first one, and then just close all the others, eventually it usually works, but it is so annoying that I'm starting to use access keys instead, which is very bad security practice.

Could you please add an option to just login to a single (user defined) tenant? I'm okay if I have to start storage explorer with a commandline argument that specifies a tenantId or something similar, but the current situation is so frustrating.

@cbailiss
Author

cbailiss commented Apr 1, 2020

I hope the fact this has been added to a milestone means it will soon be addressed (after nearly two years!). Really, it is quite a bad experience to get annoyed with an application even before you have finished opening it!

@MRayermannMSFT
Member

Could you please add an option to just login to a single (user defined) tenant

@sjkp , this is where we would like to go in the future. Unfortunately as of right now though, logging into every tenant is the only option the auth library we are using exposes.

I hope the fact this has been added to a milestone means it will soon be addressed

@cbailiss I hate to dash your hopes, but I've done some more digging, and this unfortunately is not going to be fixed for 1.14. I'm not even sure when we'll get the capability to only log into user specified tenants, so I'm going to be moving this to a later milestone to check in on it then. I definitely understand how the experience is currently cruddy

@TechWatching

Same issue for my team. This is a real problem because it encourages bad practices like using a connection string instead of logging in with our users who have been authorized to access the storage account. Multiple tenants and multiple subscriptions, all with MFA, require a very long time before accessing just one azure blob storage. I hope it will get fixed really soon.

@MRayermannMSFT
Member

Proof that we are working on something:
[image: screenshot of the new account panel design, not preserved]

@MRayermannMSFT
Member

MRayermannMSFT commented Mar 3, 2021

Plan is:

  • you'll only be signed into home tenant initially
  • if you want to work with other tenants you can filter those in/out as needed
  • when you filter tenants in, if they need MFA you'll know, and you can do MFA for that specific tenant
  • you'll be able to use those chevrons to collapse tenants/subscriptions lists

Disclaimer: design may change slightly between now and release, but if y'all have feedback for it let us know.

@softcraftsman

Do you have an ETA for this feature? I have 25 Tenants with many subs underneath. This leads to many, many MFA logins and 100's of subscriptions to parse through.

@MRayermannMSFT
Member

MRayermannMSFT commented Mar 4, 2021

The best way to track when a feature will be released is to:

  1. check the issue
  2. look at the milestone it is in
  3. look at the due date for that milestone

The due dates for most of our milestones are at or around when we expect to ship it. Granted, dates can change and features/bugs can be cut for various reasons.

For this specific feature, I'm really hopeful/determined that it makes 1.19 (current due date of April 15th). I know this has been a huge pain in the side for users like y'all who have so many tenants. I'll do my best to keep y'all updated with my progress. For sure once I have the UI hooked up to real business logic, I'll try to post a preview version here for y'all to demo. Thank you for all the patience!

PS: @softcraftsman, if you really are at where your profile says you are at, please do me and yourself a favor and go have a giant milkshake at Chick & Ruth's 😋

@MRayermannMSFT
Member

@softcraftsman @ziesemer @sjkp @BenWyattMilliman @TechWatching @hajekj @cbailiss @CraigLittlewood @johnstaveley and everyone else, I have a preview build for y'all to try! This build contains the new account panel as I previewed in my screenshot. Before links, let me go over everything there is in this build:

  • When you sign into Storage Explorer, you will only be signed into your home tenant. If you already signed in though, all of your tenants will still be active.
  • If you want to filter out/in tenants, you can now do so via the account panel. Under each account in the panel, there are two levels of checkboxes. The first level is for tenants. When you check those on and off they filter the tenants in and out. The exception to this is your home tenant, which cannot be filtered out at this time.
  • When you filter out a tenant, Storage Explorer will not load subscriptions for it and you will not be able to interact with resources in that tenant.
  • When you filter in a tenant, Storage Explorer will attempt to load subscriptions for it. If subscriptions can be loaded, they will load. If they cannot, you can view whatever error was encountered during loading and attempt to reauthenticate for that specific tenant.
  • One tenant failing to load does not block other tenants.
  • The checking of tenants/subscriptions is now immediate. You no longer have to click apply on the account panel.
  • The tree view no longer does a full refresh after changing what subscriptions you have filtered in/out. Instead, subscription nodes are just added/removed as needed.

I think that basically covers all there is for the account panel. There are other changes in the build that will be a part of 1.19 but I won't get into those.

So in general with this build:

  • Please try it out! Although I have some test accounts which are in 2 or 3 tenants with various MFA requirements, they are still just test accounts. Whether or not these changes work for y'all and your accounts is what matters. So if you find something wrong please comment here!
  • Since this is a preview build, we do not recommend working against production data with it. Be careful and try not to use it for more than is needed to evaluate these changes.

Ok, link time!

@ziesemer

@MRayermannMSFT - I installed it, and everything just worked fantastic. This is a significant and needed improvement, and thank you for the changes here!

The only thing I'd please like to see yet is at least an option to include the tenant display name, tenant GUID, or even subscription GUID next to each loaded subscription in the Explorer. The majority of the tenants that I work in are all "Azure Subscription 1", so I have what appear to be duplicate accounts in the Explorer:

... with no way to differentiate between them without recognizing the different storage account names, etc., contained within. In the "Properties" panel, after clicking on each, it at least shows the "Subscription ID", along with "Account Email" and "Environment" (but here, the "Account Email" and "Environment" are also all identical). Ideally, the tenant display name and tenant GUID would also be included as properties here - with at least one additional bit available for display inline in the tree. I can open a new issue for this, if desired.

@MRayermannMSFT
Member

@ziesemer, I'm glad to hear the preview build seems great!

With regards to your feedback, right now we have #2621 to track adding a tenant node to the tree view. We'll be revisiting that issue once this one is wrapped. So please follow/comment on that issue (if you haven't already) so we can know to tag you if we have any questions regarding what we should do in that area.

For 1.19 though, it shouldn't be too hard for me to add tenant ID to the properties panel real quick today.

@shea-parkes

Thank you very much for working on this sir!

I was able to get the test version installed, and the new Account Management screen does look very useful.

I'm one of those PITA users with access to 7 tenants, 4 of which have their own layers of MFA (which makes the current stable release practically unusable).

In my testing of this new preview build, I was unable to access a non-home tenant that had its own MFA. When I clicked "Reauthenticate now" under the non-home tenant a browser window would open, quickly pass through SSO (without any interaction on my part) and land on a local page that served the message "Authenticated. You can return to Storage Explorer. You might need to authenticate again if you close this browser tab.". Back in storage explorer, it would try to then authenticate and list the subscriptions, but then return to the message of "Subscriptions could not be loaded for this tenant. You may need to reauthenticate. See the error details for more information.". Clicking on the error details shows this message:

{
  "message": "\"{\\n  \\\"message\\\": \\\"\\\\\\\"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access 'redacted'.\\\\\\\\r\\\\\\\\nTrace ID: redacted\\\\\\\\r\\\\\\\\nCorrelation ID: redacted\\\\\\\\r\\\\\\\\nTimestamp: 2021-03-24 19:23:28Z\\\\\\\"\\\"\\n}\""
}

(I redacted the GUIDs in the error details above.)

So I like the UI and the workflow, but it doesn't seem to be triggering the MFA step for my non-home tenants as it should. I'll try to switch my default browser to one that isn't enabled for SSO perhaps...

Happy to provide any additional information or even do a screenshare if it would help. Thanks!
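The error details quoted in the post above are several layers of JSON-stringified text wrapped around one AADSTS message. As an added triage helper (not part of this thread and not Storage Explorer's own code), the following Python peels those layers off and pulls out the AADSTS code; the sample input is constructed here to mirror that nesting, with placeholder GUIDs.

```python
import json
import re
from typing import Any

# Constructed sample: the innermost text is the AADSTS50076 message shape shown in
# the thread, with the GUIDs replaced by placeholders rather than real values.
_INNER = ("AADSTS50076: Due to a configuration change made by your administrator, "
          "or because you moved to a new location, you must use multi-factor "
          "authentication to access '<redacted>'.\r\nTrace ID: <redacted>\r\n"
          "Correlation ID: <redacted>\r\nTimestamp: 2021-03-24 19:23:28Z")

# Mirror the nesting from the error details panel: an object whose "message" is a
# stringified string of a stringified object whose "message" is a stringified string.
SAMPLE_ERROR_DETAILS = json.dumps(
    {"message": json.dumps(json.dumps({"message": json.dumps(_INNER)}))}, indent=2
)

AADSTS_RE = re.compile(r"\b(AADSTS\d{5,6})\b")


def unwrap_error_details(details: str, max_depth: int = 10) -> str:
    """Peel off nested JSON layers until plain text (or a non-JSON value) remains."""
    current: Any = details
    for _ in range(max_depth):
        if isinstance(current, dict):
            # Each object layer carries the next layer in its "message" field.
            current = current.get("message", "")
            continue
        if isinstance(current, str):
            try:
                current = json.loads(current)
                continue
            except ValueError:
                break  # not JSON any more: this is the human-readable text
        break
    return current if isinstance(current, str) else str(current)


def triage(details: str) -> dict:
    """Return the AADSTS code, whether it signals an MFA requirement, and a summary."""
    text = unwrap_error_details(details)
    match = AADSTS_RE.search(text)
    code = match.group(1) if match else None
    lines = text.splitlines()
    return {
        "code": code,
        # AADSTS50076 is the "must use multi-factor authentication" error from the thread.
        "mfa_required": code == "AADSTS50076",
        "summary": lines[0] if lines else "",
    }
```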

@MRayermannMSFT
Member

MRayermannMSFT commented Mar 24, 2021

@shea-parkes are you on Windows? If not, can you get access to a Windows machine to test on? I'd like you to grab a fiddler trace and some other logs so we can see what reauthentication is being done. I'll write you some instructions once you confirm you have access to Windows.

@dlindblom

dlindblom commented Mar 25, 2021

@MRayermannMSFT tested your build and if authentication works directly it looks ok in the list. But if there is any error and I am asked due to the error to "Reauthenticate now.." to my Home Tenant, if I press that link the browser opens up and asks me to log in to another tenant that is not the directory I clicked the link for, and is not my home tenant.

@shea-parkes

@MRayermannMSFT - Thanks for the swift reply sir. It was a Windows machine I was having issues on. That one was an ephemeral VM alas. But I can set up the test on my laptop (that is running Windows). This is pretty important to us, so if you can provide some instructions for what specific logging you'd like I'd be happy to run the tests for ya.

@shea-parkes

I confirmed I am able to reproduce the error of "Reauthenticate now..." not triggering an MFA check on my non-home tenants on my laptop running Windows. Let me know what logging you'd like gathered and I'd be happy to gather it and help out.

@MRayermannMSFT
Member

For both @shea-parkes and @dlindblom, attached to this comment are some instructions for you to gather us logs. Additionally, I have a new version (FYI: it's not signed) for y'all to try if you have time to install that as well:

https://storageexplorerpublish.blob.core.windows.net/privatebuilds/account-panel-20210325.3/StorageExplorer-ia32.exe

IMPORTANT: the Fiddler trace generated as part of this is going to contain passwords you entered/sent in your browser during the gathering of the trace. Please read the instructions on how to remove passwords from the Fiddler trace. If you have any questions regarding the instructions, or you do not feel comfortable sending/cannot send the Fiddler trace, let me know. Ideally we get the Fiddler trace, but we can get a lot of good info even without it/we can be creative about extracting the information needed from it.

instructions.txt

@dlindblom So you're saying that:

  • You signed in, everything was good
  • At some point, the home tenant had an error
  • You tried to "reauthenticate now" on the home tenant, but the sign in flow took you to a different tenant

Yes?

If yes then:

  • Do you have any other tenants checked, or just the home tenant?
  • Do any of those other tenants also have errors?

@MRayermannMSFT
Member

Hey @shea-parkes and @dlindblom, I think we've identified what was going wrong. Feel free to hold off on getting logs until I get a new version to y'all to try. Thanks! :)

@dlindblom

@MRayermannMSFT ok. To your question: yes, and only the home tenant was selected.

After having this problem for a very long time it's nice to see the issue addressed, but I see the same problem with other tools as well and not only Storage Explorer. This problem also exists with e.g. Datastudio; even SQL Management Studio tries to log on to the wrong tenant with MFA (not the home tenant where the SQL Server is located). I'm happy for a solution coming in Storage Explorer but it would be good if you are able to share findings with other developer teams so we get a solution for all tools/authentication.

@MRayermannMSFT
Member

@shea-parkes

Thank you very much sir. My testing of that latest build was quite successful. I was cleanly prompted for MFA when selecting/checking a new tenant. Thanks again!

@MikeYeager

Installed it earlier today and so far, so good! I was on issue 3608, related to this and I think it's solved for me too.

@MRayermannMSFT
Member

We're locking down for the 1.19 release fairly soon. If anyone has any feedback to share, or is having any issues with the new account panel, now would be a great time to share!

@dlindblom

@MRayermannMSFT latest build looks good for me.
Only feedback would be, and I guess it depends who the user is: whenever you switch to Account Management it auto-expands the list of subscriptions for all tenants for which you have at least one subscription selected. This list can be very large if you work e.g. as a consultant with multiple tenants, but this might not apply to the majority of the users, who may prefer an auto-expanding list.

@MRayermannMSFT
Member

Hey @dlindblom yes, I feel exactly the same way! I have access to many many subscriptions in the home tenant of my work account. And all of my "testing" accounts are sorted after my work account in the list. I often get annoyed at having to scroll/re-click to collapse the tenant after doing a restart. I'll keep trying to think of a better solution for deciding when to auto expand...

Thanks for the feedback on the latest build!

@TechWatching

It works fine thanks :)

@wolfgangstrasser

Installed it yesterday... THANK YOU soooo much... Storage Explorer for me (as a consultant) is usable again!

@MRayermannMSFT
Member

MRayermannMSFT commented Apr 15, 2021

Nice! Glad to hear @wolfgangstrasser. What a great way to end my day. 🙂 We should be shipping tomorrow as planned, so I'm going to go ahead and close this issue now. Many thanks to y'all for the help this past month and half, and for the three years of patience.

@MRayermannMSFT MRayermannMSFT added the ✅ merged A fix for this issue has been merged label Apr 15, 2021