Connect-AzAccount fails when using federated token with AzureChinaCloud #22647

Closed
starkmsu opened this issue Aug 24, 2023 · 6 comments
Labels
Authentication Azure PS Team bug This issue requires a change to an existing behavior in the product in order to be resolved. customer-reported

Comments

@starkmsu

Description

When trying to log in to AzureChinaCloud via Connect-AzAccount using a federated token, it fails.
Connect-AzAccount -ServicePrincipal -Tenant a3a14ec6-4597-4a3c-aacf-34e746c2624e -ApplicationId *** -FederatedToken ***** -Environment AzureChinaCloud -Scope Process

But an az cli call with the same parameters succeeds:
az cloud set -n AzureChinaCloud
az login --service-principal -u *** --tenant a3a14ec6-4597-4a3c-aacf-34e746c2624e --federated-token ***

It was reproduced on these versions of the Az module: 9.3.0, 9.7.1, 10.2.0

Issue script & Debug output

Connect-AzAccount -ServicePrincipal -Tenant a3a14ec6-4597-4a3c-aacf-34e746c2624e -ApplicationId *** -FederatedToken ***** -Environment AzureChinaCloud -Scope Process
Connect-AzAccount: /home/vsts/work/_tasks/AzurePowerShell_72a1931b-effb-4d2e-8fd8-f8472a07cb62/5.226.0/InitializeAz.ps1:111
Line |
 111 |      Connect-AzAccount -ServicePrincipal -Tenant $endpointObject.tenan
     |      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | AADSTS90002: Tenant 'a3a14ec6-4597-4a3c-aacf-34e746c2624e' not found.
     | Check to make sure you have the correct tenant ID and are signing into
     | the correct cloud. Check with your subscription administrator, this may
     | happen if there are no active subscriptions for the tenant. Trace ID:
     | f9ac3863-8a96-4973-87f1-55b034386c00 Correlation ID:
     | 20f5fb3e-6970-47aa-828f-b6c903ef618b Timestamp: 2023-08-24 08:57:19Z

Environment data

Name                           Value                                                                                   
----                           -----                                                                                   
PSVersion                      5.1.20348.1850                                                                          
PSEdition                      Desktop                                                                                 
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}                                                                 
BuildVersion                   10.0.20348.1850                                                                         
CLRVersion                     4.0.30319.42000                                                                         
WSManStackVersion              3.0                                                                                     
PSRemotingProtocolVersion      2.3                                                                                     
SerializationVersion           1.1.0.1

Module versions

Name              : Az.Accounts
Path              : C:\Modules\az_10.2.0\Az.Accounts\2.12.5\Az.Accounts.psm1
Description       : Microsoft Azure PowerShell - Accounts credential management cmdlets for Azure Resource Manager in 
                    Windows PowerShell and PowerShell Core.
                    
                    For more information on account credential management, please visit the following: 
                    https://learn.microsoft.com/powershell/azure/authenticate-azureps
Guid              : 17a2feff-488b-47f9-8729-e2cec094624c
Version           : 2.12.5
ModuleBase        : C:\Modules\az_10.2.0\Az.Accounts\2.12.5
ModuleType        : Script
PrivateData       : {PSData}
AccessMode        : ReadWrite
ExportedAliases   : {[Add-AzAccount, Add-AzAccount], [Get-AzDomain, Get-AzDomain], [Invoke-AzRest, Invoke-AzRest], 
                    [Login-AzAccount, Login-AzAccount]...}
ExportedCmdlets   : {[Add-AzEnvironment, Add-AzEnvironment], [Clear-AzConfig, Clear-AzConfig], [Clear-AzContext, 
                    Clear-AzContext], [Clear-AzDefault, Clear-AzDefault]...}
ExportedFunctions : {}
ExportedVariables : {}
NestedModules     : {Microsoft.Azure.PowerShell.Cmdlets.Accounts}

Error output

Message        : AADSTS90002: Tenant 'a3a14ec6-4597-4a3c-aacf-34e746c2624e' not found. Check to make sure you have the
                 correct tenant ID and are signing into the correct cloud. Check with your subscription administrator,
                 this may happen if there are no active subscriptions for the tenant.
                 Trace ID: cdf546ba-a9e8-4a7c-b756-51b6aadd3000
                 Correlation ID: 2a52416e-0284-4209-8b0f-a60ffa86c143
                 Timestamp: 2023-08-24 09:57:56Z
StackTrace     :    at Microsoft.Identity.Client.Internal.Requests.RequestBase.HandleTokenRefreshErrorAsync(MsalService
                 Exception e, MsalAccessTokenCacheItem cachedAccessTokenItem)
                    at
                 Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.ExecuteAsync(CancellationToken
                 cancellationToken)
                    at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken
                 cancellationToken)
                    at Microsoft.Identity.Client.ApiConfig.Executors.ConfidentialClientExecutor.ExecuteAsync(AcquireTok
                 enCommonParameters commonParameters, AcquireTokenForClientParameters clientParameters,
                 CancellationToken cancellationToken)
                    at Microsoft.Azure.PowerShell.Authenticators.Identity.MsalConfidentialClient.AcquireTokenForClientC
                 oreAsync(String[] scopes, String tenantId, Boolean async, CancellationToken cancellationToken)
                    at Microsoft.Azure.PowerShell.Authenticators.Identity.MsalConfidentialClient.AcquireTokenForClientA
                 sync(String[] scopes, String tenantId, Boolean async, CancellationToken cancellationToken)
                    at Microsoft.Azure.PowerShell.Authenticators.Identity.ClientAssertionCredential.GetTokenAsync(Token
                 RequestContext requestContext, CancellationToken cancellationToken)
                    at Microsoft.Azure.PowerShell.Authenticators.MsalAccessToken.GetAccessTokenAsync(String
                 callerClassName, String parametersLog, TokenCredential tokenCredential, TokenRequestContext
                 requestContext, CancellationToken cancellationToken, String tenantId, String userId, String
                 homeAccountId)
                    at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzu
                 reAccount account, IAzureEnvironment environment, String tenant, SecureString password, String
                 promptBehavior, Action`1 promptAction, IAzureTokenCache tokenCache, String resourceId)
                    at
                 Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.AcquireAccessToken(IAzureAccount
                 account, IAzureEnvironment environment, String tenantId, SecureString password, String
                 promptBehavior, Action`1 promptAction, String resourceId)
                    at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.Login(IAzureAccount account,
                 IAzureEnvironment environment, String tenantIdOrName, String subscriptionId, String subscriptionName,
                 SecureString password, Boolean skipValidation, Action`1 promptAction, String name, Boolean
                 shouldPopulateContextList, Int32 maxContextPopulation, String authScope)
                    at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.<>c__DisplayClass127_2.<ExecuteCmd
                 let>b__5()
                    at System.Threading.Tasks.Task`1.InnerInvoke()
                    at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread,
                 ExecutionContext executionContext, ContextCallback callback, Object state)
                 --- End of stack trace from previous location ---
                    at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot, Thread
                 threadPoolThread)
                 --- End of stack trace from previous location ---
                    at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.<>c__DisplayClass127_0.<ExecuteCmd
                 let>b__1(AzureRmProfile localProfile, RMProfileClient profileClient, String name)
                    at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.<>c__DisplayClass136_0.<SetContext
                 WithOverwritePrompt>b__0(AzureRmProfile prof, RMProfileClient client)
                    at Microsoft.Azure.Commands.Profile.Common.AzureContextModificationCmdlet.ModifyContext(Action`2
                 contextAction)
                    at
                 Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.SetContextWithOverwritePrompt(Action`3
                 setContextAction)
                    at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.ExecuteCmdlet()
                    at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.<>c__3`1.<ExecuteSynchronously
                 OrAsJob>b__3_0(T c)
                    at
                 Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.ExecuteSynchronouslyOrAsJob[T](T
                 cmdlet, Action`1 executor)
                    at
                 Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.ExecuteSynchronouslyOrAsJob[T](T
                 cmdlet)
                    at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
Exception      : Microsoft.Identity.Client.MsalServiceException
InvocationInfo : {Connect-AzAccount}
Line           : Connect-AzAccount -ServicePrincipal -Tenant a3a14ec6-4597-4a3c-aacf-34e746c2624e -ApplicationId
                 1d6e67bf-c5b2-4ac9-9c7d-d612200bb50b -Environment AzureChinaCloud -Scope Process -FederatedToken %I_masked_used_token_value%
Position       : At line:1 char:1
                 + Connect-AzAccount -ServicePrincipal -Tenant a3a14ec6-4597-4a3c-aacf-3
                 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@starkmsu starkmsu added bug This issue requires a change to an existing behavior in the product in order to be resolved. needs-triage This is a new issue that needs to be triaged to the appropriate team. labels Aug 24, 2023
@microsoft-github-policy-service microsoft-github-policy-service bot added customer-reported and removed needs-triage This is a new issue that needs to be triaged to the appropriate team. labels Aug 24, 2023
@isra-fel
Member

Thanks for reporting!

@isra-fel
Member

Let me try to reproduce this issue with the latest version of MSAL + Identity.

@geekzter
Member

geekzter commented Oct 4, 2023

@isra-fel Could you successfully reproduce the issue?

@a99cl208

a99cl208 commented Oct 8, 2023

@isra-fel after a quick investigation, the bug seems to be here: https://github.com/Azure/azure-powershell/blob/main/src/Accounts/Authenticators/ClientAssertionAuthenticator.cs#L43
You are not setting the authority retrieved on line 38 in the ClientAssertionCredentialOptions. For comparison, you can refer to what is done in the service principal authenticator: https://github.com/Azure/azure-powershell/blob/main/src/Accounts/Authenticators/ServicePrincipalAuthenticator.cs#L54
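The comment above pins the failure on a confidential-client credential that is built without the cloud's authority, so the client assertion is posted to the public-cloud login endpoint, where a China-cloud tenant does not exist; that is why AADSTS90002 reports the tenant as "not found" even though the application ID and federated token are valid. The following C# is an added illustration, not azure-powershell's own code: it shows the options object built without an authority (the shape the comment describes as the bug) beside one that selects the authority from the requested environment, using the public Azure.Identity API. It assumes the vendored copy in Microsoft.Azure.PowerShell.Authenticators.Identity accepts the same AuthorityHost option, and the environment-name mapping, placeholder tenant and application IDs and the FEDERATED_TOKEN variable are constructed for the example.

```csharp
// Added illustration (not azure-powershell's own code). Public Azure.Identity API;
// the vendored copy inside azure-powershell is assumed to expose the same option.
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

public static class FederatedLoginExample
{
    // Maps an Az environment name to the Azure AD authority that issues its tokens.
    // Mapping is constructed for this example; the URIs are the library's constants.
    public static Uri AuthorityFor(string environmentName) => environmentName switch
    {
        "AzureCloud"        => AzureAuthorityHosts.AzurePublicCloud, // https://login.microsoftonline.com/
        "AzureChinaCloud"   => AzureAuthorityHosts.AzureChina,       // https://login.chinacloudapi.cn/
        "AzureUSGovernment" => AzureAuthorityHosts.AzureGovernment,  // https://login.microsoftonline.us/
        _ => throw new ArgumentException($"Unknown environment '{environmentName}'", nameof(environmentName)),
    };

    // The ARM scope must match the cloud as well; a public-cloud scope sent to the
    // China authority fails just as an unset authority does.
    public static string ArmScopeFor(string environmentName) => environmentName switch
    {
        "AzureCloud"        => "https://management.azure.com/.default",
        "AzureChinaCloud"   => "https://management.chinacloudapi.cn/.default",
        "AzureUSGovernment" => "https://management.usgovcloudapi.net/.default",
        _ => throw new ArgumentException($"Unknown environment '{environmentName}'", nameof(environmentName)),
    };

    // Buggy shape: no AuthorityHost, so Azure.Identity falls back to its default
    // (public cloud unless AZURE_AUTHORITY_HOST is set). A tenant that lives only
    // in the China cloud is unknown there, hence AADSTS90002 "Tenant ... not found".
    public static ClientAssertionCredential BuildWithoutAuthority(
        string tenantId, string clientId, Func<string> assertionCallback)
        => new ClientAssertionCredential(tenantId, clientId, assertionCallback,
                                         new ClientAssertionCredentialOptions());

    // Fixed shape: the authority is taken from the environment the caller asked for,
    // which is what the comment says the service principal authenticator already does.
    public static ClientAssertionCredential BuildForEnvironment(
        string environmentName, string tenantId, string clientId, Func<string> assertionCallback)
    {
        var options = new ClientAssertionCredentialOptions
        {
            AuthorityHost = AuthorityFor(environmentName),
        };
        return new ClientAssertionCredential(tenantId, clientId, assertionCallback, options);
    }

    // Exchanges the federated token for an ARM access token in the requested cloud.
    public static async Task<AccessToken> AcquireArmTokenAsync(
        string environmentName, string tenantId, string clientId,
        Func<string> assertionCallback, CancellationToken ct = default)
    {
        var credential = BuildForEnvironment(environmentName, tenantId, clientId, assertionCallback);
        var context = new TokenRequestContext(new[] { ArmScopeFor(environmentName) });
        return await credential.GetTokenAsync(context, ct);
    }

    public static async Task Main()
    {
        // Placeholders; in a pipeline the federated token is the CI system's OIDC token
        // and is read from the environment rather than embedded in code.
        string tenantId = "<tenant-id>";
        string clientId = "<application-id>";
        Func<string> assertion = () =>
            Environment.GetEnvironmentVariable("FEDERATED_TOKEN")
            ?? throw new InvalidOperationException("FEDERATED_TOKEN is not set");

        AccessToken token = await AcquireArmTokenAsync("AzureChinaCloud", tenantId, clientId, assertion);
        Console.WriteLine($"Token for China ARM acquired; expires {token.ExpiresOn:u}");
    }
}
```

When triaging a "Tenant not found" from a sovereign-cloud login, the first thing to compare is the authority the credential actually contacted against the environment's ActiveDirectoryAuthority (Get-AzEnvironment shows it per environment); if they differ, the tenant ID and secret are not the problem, the routing is.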

@wenli-isatec

Hi, seeking an update on this issue. Getting the same error output as reported by the author. Thanks!
https://developercommunity.visualstudio.com/t/DevOps-Classic-Pipeline-:-Azure-Powers/10497763

@isra-fel
Member

isra-fel commented Jun 4, 2024

Fixed by #23829; please update to Az 11.2.0 or above.

@isra-fel isra-fel closed this as completed Jun 4, 2024