
Error: AADSTS500011: The resource principal named https://management.azure.com was not found in the tenant named... #16850

Closed
luyitong opened this issue Feb 8, 2021 · 9 comments
Assignees
Labels
Compute az vm/vmss/image/disk/snapshot feature-request OKR3.2 Candidate question The issue doesn't require a change to the product in order to be resolved. Most issues start as that
Milestone

Comments

@luyitong

luyitong commented Feb 8, 2021

Describe the bug
We updated the Azure CLI to the latest version 2.18.0 and changed the active cloud to China, but the creation of the Image Version from the Shared Image Gallery with az cli (az sig image-version create) fails. Please help check whether this is a bug and fix it.
error:
AADSTS500011: The resource principal named https://management.azure.com was not found in the tenant named xxxxxxxx-0ec9-4a09-a414-a7cbbdxxxxxx. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.

To Reproduce

  1. Create the centos machine, and install or update azure-cli version to the latest(2.18.0).
  2. Create a Shared Image Gallery and gallery-image-definition.
  3. Create Image Version in Shared Image Gallery using az cli:
    az sig image-version create \
      -g lytrg \
      -l chinanorth2 \
      --gallery-name gallerylyt \
      --gallery-image-definition specializedImgsDef \
      --gallery-image-version 1.0.3 \
      --managed-image "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxx-xxxxx/resourceGroups/lytrg/providers/Microsoft.Compute/virtualMachines/xxxxxx"

Environment summary
Azure cli 2.18.0

Additional context
We can do this successfully with a lower CLI version (e.g. 2.15.1) or the Portal in Azure China, or with Global Azure (CLI 2.18.0).

@ghost ghost added needs-triage This is a new issue that needs to be triaged to the appropriate team. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Feb 8, 2021
@luyitong luyitong changed the title Unable to create Image Version in Shared Image Gallery using az cli 2.18.0 in Azure China Error: AADSTS500011: The resource principal named https://management.azure.com was not found in the tenant named... Feb 8, 2021
@yungezz yungezz added the Compute az vm/vmss/image/disk/snapshot label Feb 9, 2021
@ghost ghost removed the needs-triage This is a new issue that needs to be triaged to the appropriate team. label Feb 9, 2021
@yungezz
Member

yungezz commented Feb 9, 2021

hi @qwordy, could you please take a look? thanks

@jsntcy
Member

jsntcy commented Feb 10, 2021

@jiasli, to see if it's related to auth or not.

@qwordy
Member

qwordy commented Feb 10, 2021

@luyitong Did you use managed identity to log in? I confirmed a bug recently. #16628

@yungezz yungezz added this to the S183 - For Ignite milestone Feb 10, 2021
@luyitong
Author

@qwordy I didn't log in with managed identity. I logged in interactively or with a service principal.

@luyitong
Author

@qwordy Hello! Do you have any update for this issue? Thanks.

@qwordy
Member

qwordy commented Feb 20, 2021

@luyitong I haven't reproduced this issue. Can you help do

  1. Add --debug and send output so that I can know where it reports an error.
  2. Does it require access to an external tenant or subscription?

@luyitong
Author

Hi, please see the debug output as below:
[root@centos75 ~]# az sig image-version create -g lytrg -l chinanorth2 --gallery-name mysharingvault --gallery-image-definition Windows-spec --gallery-image-version 1.0.6 --managed-image "/subscriptions/5cbb692b-6a2e-4bb4-b5e2-eb812718ad13/resourceGroups/lytrg/providers/Microsoft.Compute/virtualMachines/win10-image-VM" --debug
cli.knack.cli: Command arguments: ['sig', 'image-version', 'create', '-g', 'lytrg', '-l', 'chinanorth2', '--gallery-name', 'mysharingvault', '--gallery-image-definition', 'Windows-spec', '--gallery-image-version', '1.0.6', '--managed-image', '/subscriptions/5cbb692b-6a2e-4bb4-b5e2-eb812718ad13/resourceGroups/lytrg/providers/Microsoft.Compute/virtualMachines/win10-image-VM', '--debug']
cli.knack.cli: init debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x7faf36d32e18>, <function OutputProducer.on_global_arguments at 0x7faf36664598>, <function CLIQuery.on_global_arguments at 0x7faf36683950>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'sig': ['azure.cli.command_modules.vm']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: vm 1.895 44 224
cli.azure.cli.core: Total (1) 1.895 44 224
cli.azure.cli.core: Loaded 44 groups, 224 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : sig image-version create
cli.azure.cli.core: Command table: sig image-version create
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x7faf35d1e730>]
az_command_data_logger: command args: sig image-version create -g {} -l {} --gallery-name {} --gallery-image-definition {} --gallery-image-version {} --managed-image {} --debug
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/root/.azure/commands'.
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x7faf35c9ff28>, <function register_global_query_examples_argument.<locals>.register_query_examples at 0x7faf35cafe18>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x7faf35cafea0>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x7faf35cbe048>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x7faf36664620>, <function CLIQuery.handle_query_parameter at 0x7faf366839d8>, <function register_global_query_examples_argument.<locals>.handle_example_parameter at 0x7faf35cafd90>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x7faf35caff28>]
cli.azure.cli.core.commands.client_factory: Getting management service client client_type=ComputeManagementClient
cli.azure.cli.core._profile: Retrieving token from ADAL for resource 'https://management.azure.com'
cli.azure.cli.core.util: attempting to read file /root/.azure/accessTokens.json as utf-8-sig
adal-python: bd438795-a01b-4d06-b1d4-c5bfb8dd0c87 - Authority:Performing instance discovery: ...
adal-python: bd438795-a01b-4d06-b1d4-c5bfb8dd0c87 - Authority:Performing static instance discovery
adal-python: bd438795-a01b-4d06-b1d4-c5bfb8dd0c87 - Authority:Authority validated via static instance discovery
adal-python: bd438795-a01b-4d06-b1d4-c5bfb8dd0c87 - TokenRequest:Getting token from cache with refresh if necessary.
adal-python: bd438795-a01b-4d06-b1d4-c5bfb8dd0c87 - CacheDriver:finding with query keys: {'_clientId': '...', 'userId': '...'}
adal-python: bd438795-a01b-4d06-b1d4-c5bfb8dd0c87 - CacheDriver:Looking for potential cache entries: {'_clientId': '...', 'userId': '...'}
adal-python: bd438795-a01b-4d06-b1d4-c5bfb8dd0c87 - CacheDriver:Found 4 potential entries.
adal-python: bd438795-a01b-4d06-b1d4-c5bfb8dd0c87 - CacheDriver:No resource specific cache entries found.
adal-python: bd438795-a01b-4d06-b1d4-c5bfb8dd0c87 - CacheDriver:Found an MRRT token.
adal-python: bd438795-a01b-4d06-b1d4-c5bfb8dd0c87 - CacheDriver:Returning token from cache lookup, AccessTokenId: b'qWW54MalQ12m0+khDyIV+V/0o/0KTxQrK9hBeZQiO8w=', RefreshTokenId: b'NHQ6VcWak414ljpO1F20f36ujIrMh19MnkQKy5lkEn8='
adal-python: bd438795-a01b-4d06-b1d4-c5bfb8dd0c87 - CacheDriver:Acquiring new access token from MRRT token.
adal-python: bd438795-a01b-4d06-b1d4-c5bfb8dd0c87 - TokenRequest:called to refresh a token from the cache
adal-python: bd438795-a01b-4d06-b1d4-c5bfb8dd0c87 - TokenRequest:Getting a new token from a refresh token
urllib3.connectionpool: Starting new HTTPS connection (1): login.chinacloudapi.cn:443
urllib3.connectionpool: https://login.chinacloudapi.cn:443 "POST /b388b808-0ec9-4a09-a414-a7cbbd8b7e9b/oauth2/token HTTP/1.1" 400 767
cli.azure.cli.core.util: azure.cli.core.util.handle_exception is called with an exception:
cli.azure.cli.core.util: Traceback (most recent call last):
File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/adal_authentication.py", line 38, in _get_token
scheme, token, full_token = self._token_retriever(sdk_resource)
File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/_profile.py", line 588, in _retrieve_token
account[_TENANT_ID], token_resource)
File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/_profile.py", line 1065, in retrieve_token_for_user
token_entry = context.acquire_token(resource, username, _CLIENT_ID)
File "/usr/lib64/az/lib/python3.6/site-packages/adal/authentication_context.py", line 145, in acquire_token
return self._acquire_token(token_func)
File "/usr/lib64/az/lib/python3.6/site-packages/adal/authentication_context.py", line 128, in _acquire_token
return token_func(self)
File "/usr/lib64/az/lib/python3.6/site-packages/adal/authentication_context.py", line 143, in token_func
return token_request.get_token_from_cache_with_refresh(user_id)
File "/usr/lib64/az/lib/python3.6/site-packages/adal/token_request.py", line 347, in get_token_from_cache_with_refresh
return self._find_token_from_cache()
File "/usr/lib64/az/lib/python3.6/site-packages/adal/token_request.py", line 127, in _find_token_from_cache
return self._cache_driver.find(cache_query)
File "/usr/lib64/az/lib/python3.6/site-packages/adal/cache_driver.py", line 199, in find
is_resource_tenant_specific)
File "/usr/lib64/az/lib/python3.6/site-packages/adal/cache_driver.py", line 184, in _refresh_entry_if_necessary
return self._acquire_new_token_from_mrrt(entry)
File "/usr/lib64/az/lib/python3.6/site-packages/adal/cache_driver.py", line 160, in _acquire_new_token_from_mrrt
token_response = self._refresh_function(entry, self._resource)
File "/usr/lib64/az/lib/python3.6/site-packages/adal/token_request.py", line 137, in _get_token_with_token_response
return self._get_token_with_refresh_token(refresh_token, resource, None)
File "/usr/lib64/az/lib/python3.6/site-packages/adal/token_request.py", line 339, in _get_token_with_refresh_token
return self._oauth_get_token(oauth_parameters)
File "/usr/lib64/az/lib/python3.6/site-packages/adal/token_request.py", line 112, in _oauth_get_token
return client.get_token(oauth_parameters)
File "/usr/lib64/az/lib/python3.6/site-packages/adal/oauth2_client.py", line 289, in get_token
raise AdalError(return_error_string, error_response)
adal.adal_error.AdalError: Get Token request returned http error: 400 and server response: {"error":"invalid_resource","error_description":"AADSTS500011: The resource principal named https://management.azure.com was not found in the tenant named b388b808-0ec9-4a09-a414-a7cbbd8b7e9b. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.\r\nTrace ID: f35b5049-0a9b-48ee-a4dc-1ab7122b7000\r\nCorrelation ID: bd438795-a01b-4d06-b1d4-c5bfb8dd0c87\r\nTimestamp: 2021-02-23 02:38:38Z","error_codes":[500011],"timestamp":"2021-02-23 02:38:38Z","trace_id":"f35b5049-0a9b-48ee-a4dc-1ab7122b7000","correlation_id":"bd438795-a01b-4d06-b1d4-c5bfb8dd0c87","error_uri":"https://login.chinacloudapi.cn/error?code=500011"}

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib64/az/lib/python3.6/site-packages/knack/cli.py", line 233, in invoke
cmd_result = self.invocation.execute(args)
File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 664, in execute
raise ex
File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 727, in _run_jobs_serially
results.append(self._run_job(expanded_arg, cmd_copy))
File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 720, in _run_job
six.reraise(*sys.exc_info())
File "/usr/lib64/az/lib/python3.6/site-packages/six.py", line 703, in reraise
raise value
File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 698, in _run_job
result = cmd_copy(params)
File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 331, in __call__
return self.handler(*args, **kwargs)
File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/__init__.py", line 816, in default_command_handler
return op(**command_args)
File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/command_modules/vm/custom.py", line 3299, in create_image_version
_, _, _, external_tokens = cred.get_all_tokens('https://management.azure.com/.default')
File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/adal_authentication.py", line 73, in get_all_tokens
scheme, token, full_token, external_tenant_tokens = self._get_token(_try_scopes_to_resource(scopes))
File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/adal_authentication.py", line 63, in _get_token
raise CLIError(err)
knack.util.CLIError: AADSTS500011: The resource principal named https://management.azure.com was not found in the tenant named b388b808-0ec9-4a09-a414-a7cbbd8b7e9b. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.
Trace ID: f35b5049-0a9b-48ee-a4dc-1ab7122b7000
Correlation ID: bd438795-a01b-4d06-b1d4-c5bfb8dd0c87
Timestamp: 2021-02-23 02:38:38Z

cli.azure.cli.core.azclierror: AADSTS500011: The resource principal named https://management.azure.com was not found in the tenant named b388b808-0ec9-4a09-a414-a7cbbd8b7e9b. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.
Trace ID: f35b5049-0a9b-48ee-a4dc-1ab7122b7000
Correlation ID: bd438795-a01b-4d06-b1d4-c5bfb8dd0c87
Timestamp: 2021-02-23 02:38:38Z
cli.azure.cli.core.azclierror: AADSTS500011: The resource principal named https://management.azure.com was not found in the tenant named b388b808-0ec9-4a09-a414-a7cbbd8b7e9b. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.
Trace ID: f35b5049-0a9b-48ee-a4dc-1ab7122b7000
Correlation ID: bd438795-a01b-4d06-b1d4-c5bfb8dd0c87
Timestamp: 2021-02-23 02:38:38Z
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7faf35d1e950>]
az_command_data_logger: exit code: 1
cli.main: Command ran in 6.782 seconds (init: 0.406, invoke: 6.376)
telemetry.save: Save telemetry record of length 3634 in cache
telemetry.check: Returns Positive.
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "/usr/bin/python3 /usr/lib64/az/lib/python3.6/site-packages/azure/cli/telemetry/__init__.py /root/.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.

az account show:

[root@centos75 ~]# az account show
{
"environmentName": "AzureChinaCloud",
"homeTenantId": "b388b808-0ec9-4a09-a414-a7cbbd8b7e9b",
"id": "5cbb692b-6a2e-4bb4-b5e2-eb812718ad13",
"isDefault": true,
"managedByTenants": [],
"name": "Lu Yitong (SHULIANG)",
"state": "Enabled",
"tenantId": "b388b808-0ec9-4a09-a414-a7cbbd8b7e9b",
"user": {
"name": "[email protected]",
"type": "user"
}
}

@yonzhan yonzhan modified the milestones: S183 - For Ignite, S184 Mar 20, 2021
@yungezz yungezz modified the milestones: S184, S185 Apr 6, 2021
@yungezz
Member

yungezz commented Apr 29, 2021

hi @qwordy, any update on the issue? thanks

@qwordy
Member

qwordy commented May 10, 2021

@luyitong, the failed code is updated. Cross-tenant authentication is supported by Azure CLI framework now. Could you download the latest version of Azure CLI and retry? Thanks.
Old code

File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/command_modules/vm/custom.py", line 3299, in create_image_version
_, _, _, external_tokens = cred.get_all_tokens('https://management.azure.com/.default')

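The debug output above shows the actual failure: the CLI sends the token request to `login.chinacloudapi.cn` (the Azure China authority, consistent with `az account show` reporting `AzureChinaCloud`) but asks for the resource `https://management.azure.com`, which is the Resource Manager endpoint of global Azure and is not a known resource principal in a China tenant. AADSTS500011 is therefore not a consent or wrong-tenant problem here, and granting admin consent or re-registering an application would not help; the old `create_image_version` code quoted by @qwordy hardcoded `https://management.azure.com/.default` instead of using the active cloud's endpoints. The script below is an added example, not code from azure-cli, that encodes this check: it maps an OAuth token endpoint and a requested resource to their clouds, flags a cross-cloud mismatch, and derives the scope the active cloud actually needs. The endpoint table holds the authority and Resource Manager URLs that `az cloud show` reports for the three public sovereign clouds; the function names and the sample error body (a shortened copy of the page's response with placeholder tenant and trace IDs) are this example's own.

```python
"""Detect a cross-cloud token request from an AADSTS500011 response.

Added example, not azure-cli code. The endpoint pairs below are the
`endpoints.activeDirectory` / `endpoints.resourceManager` values that
`az cloud show` reports for each cloud; the helper names are hypothetical.
"""
import json
from typing import Dict, Optional
from urllib.parse import urlparse

# Authority host and Azure Resource Manager endpoint per cloud.
CLOUD_ENDPOINTS = {
    "AzureCloud": ("login.microsoftonline.com", "https://management.azure.com/"),
    "AzureChinaCloud": ("login.chinacloudapi.cn", "https://management.chinacloudapi.cn/"),
    "AzureUSGovernment": ("login.microsoftonline.us", "https://management.usgovcloudapi.net/"),
}


def authority_cloud(token_endpoint: str) -> Optional[str]:
    """Name the cloud whose authority the token request was sent to, if known."""
    host = urlparse(token_endpoint).hostname
    for name, (login_host, _) in CLOUD_ENDPOINTS.items():
        if host == login_host:
            return name
    return None


def resource_cloud(resource_or_scope: str) -> Optional[str]:
    """Name the cloud that owns the requested ARM resource (v1 resource or v2 scope)."""
    host = urlparse(resource_or_scope).hostname
    for name, (_, arm) in CLOUD_ENDPOINTS.items():
        if host == urlparse(arm).hostname:
            return name
    return None


def arm_scope(cloud_name: str) -> str:
    """The v2 scope that the ARM token for this cloud must be requested for,
    i.e. what the hardcoded 'https://management.azure.com/.default' should
    have been derived from."""
    _, arm = CLOUD_ENDPOINTS[cloud_name]
    return arm.rstrip("/") + "/.default"


def diagnose(token_endpoint: str, requested_resource: str, error_body: str) -> Dict[str, object]:
    """Parse the STS JSON error and decide whether the resource and the authority
    belong to different clouds. A mismatch explains AADSTS500011 without any
    consent or tenant change."""
    err = json.loads(error_body)
    codes = err.get("error_codes") or []
    auth = authority_cloud(token_endpoint)
    res = resource_cloud(requested_resource)
    return {
        "error_code": codes[0] if codes else None,
        "authority_cloud": auth,
        "resource_cloud": res,
        "cross_cloud_mismatch": auth is not None and res != auth,
        "expected_scope": arm_scope(auth) if auth else None,
    }


# Constructed sample: the page's response with placeholder tenant/trace IDs.
SAMPLE_TOKEN_ENDPOINT = (
    "https://login.chinacloudapi.cn/00000000-0000-0000-0000-000000000000/oauth2/token"
)
SAMPLE_ERROR_BODY = json.dumps({
    "error": "invalid_resource",
    "error_description": "AADSTS500011: The resource principal named "
                         "https://management.azure.com was not found in the tenant named "
                         "00000000-0000-0000-0000-000000000000.",
    "error_codes": [500011],
    "trace_id": "11111111-1111-1111-1111-111111111111",
    "error_uri": "https://login.chinacloudapi.cn/error?code=500011",
})

if __name__ == "__main__":
    report = diagnose(SAMPLE_TOKEN_ENDPOINT, "https://management.azure.com/.default", SAMPLE_ERROR_BODY)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real machine the right-hand side of the table is whatever `az cloud show --query endpoints.resourceManager -o tsv` prints for the active cloud, so any code that needs an ARM token should take the resource from the cloud configuration rather than spelling out a hostname. When sharing `--debug` output like the one above, note that it carries the tenant and subscription IDs, the signed-in UPN and hashed token-cache identifiers; redact those before posting.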