Azure-cli: az login doesn't redirect properly

Created on 17 Nov 2017 · 14 Comments · Source: Azure/azure-cli

When I use az login with the browser login, the redirect doesn't redirect properly after signing in with my device and credentials (2 factor authentication).
I get "The page isn't redirecting properly" error.
This is the url:
https://login.microsoftonline.com/common/oauth2/deviceauth?code=&state=&flowtoken=

If I try to login using user name and password, I get an error:
Get Token request returned http error: 400 and server response: {"error":"interaction_required","error_description":"AADSTS50079: The user is required to use multi-factor authentication.\r\nTrace ID: 393963bb-3961-4968-9517-a516c5c50100\r\nCorrelation ID: 448fe095-499f-43e9-9cb1-802f98ae0df1\r\nTimestamp: 2017-11-17 20:34:54Z","error_codes":[50079],"timestamp":"2017-11-17 20:34:54Z","trace_id":"393963bb-3961-4968-9517-a516c5c50100","correlation_id":"448fe095-499f-43e9-9cb1-802f98ae0df1"}


Environment summary

PS C:\Users\user> az --version
azure-cli (2.0.21)

acr (2.0.15)
acs (2.0.19)
appservice (0.1.20)
backup (1.0.3)
batch (3.1.7)
batchai (0.1.3)
billing (0.1.6)
cdn (0.0.10)
cloud (2.0.10)
cognitiveservices (0.1.9)
command-modules-nspkg (2.0.1)
component (2.0.8)
configure (2.0.12)
consumption (0.1.6)
container (0.1.13)
core (2.0.21)
cosmosdb (0.1.15)
dla (0.0.15)
dls (0.0.18)
eventgrid (0.1.5)
extension (0.0.6)
feedback (2.0.6)
find (0.2.7)
interactive (0.3.11)
iot (0.1.14)
keyvault (2.0.14)
lab (0.0.13)
monitor (0.0.12)
network (2.0.18)
nspkg (3.0.1)
profile (2.0.15)
rdbms (0.0.9)
redis (0.2.10)
reservations (0.1.0)
resource (2.0.18)
role (2.0.14)
servicefabric (0.0.6)
sql (2.0.15)
storage (2.0.19)
vm (2.0.18)

Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\user\.azure\cliextensions'

Python (Windows) 3.6.1 (v3.6.1:69c0db5, Mar 21 2017, 17:54:52) [MSC v.1900 32 bit (Intel)]

Legal docs and information: aka.ms/AzureCliLegal


All 14 comments

@apryiomka, what browser are you using to sign in and on what OS?

If I try to login using user name and password, I get an error...

This is expected, as the regular user-name/password flow will stop working once your tenant admin has enforced 2FA. You can log in through a browser using the device code the CLI displays.

It is apparently a server side issue, not a browser. I use FF on Windows 10. The page is issuing too many redirects back and forth. I tried in Edge and Chrome and it is the same issue in all browsers, and my colleague is having the same issue on his PC. This is the flow:
GET -> 200 - https://login.microsoftonline.com/common/oauth2/deviceauth?code=DEVICECODE&state=STATETOKEN&flowtoken=FLOWTOKEN_111
302 REDIRECT -> https://login.microsoftonline.com/common/oauth2/deviceauth?code=DEVICECODE&state=STATETOKEN&flowtoken=FLOWTOKEN_111&sso_reload=true
GET -> 200 - https://login.microsoftonline.com/common/oauth2/deviceauth?code=DEVICECODE&state=STATETOKEN&flowtoken=FLOWTOKEN_222
303 REDIRECT -> https://login.microsoftonline.com/common/oauth2/deviceauth?code=DEVICECODE&state=STATETOKEN&flowtoken=FLOWTOKEN_222&sso_reload=true
In the URL the state remains the same, the device token is the same, we attach sso_reload=true on the redirect that will redirect back, and the flowtoken gets updated.
This flow keeps going back and forth indefinitely.

I attached a fiddler screenshot for more details:
[Screenshot: az login issue]
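
The loop described in the comment above can be confirmed from a captured trace. This is an added example, not part of the original thread or of azure-cli: it groups requests by endpoint and reports which query parameters stay fixed and which change between visits. The trace is constructed from the comment's placeholder values, and `find_redirect_loop` and `min_visits` are hypothetical names.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed trace mirroring the flow in the comment; the token values are the
# comment's own placeholders, not real tokens.
BASE = "https://login.microsoftonline.com/common/oauth2/deviceauth"
TRACE = [
    (200, BASE + "?code=DEVICECODE&state=STATETOKEN&flowtoken=FLOWTOKEN_111"),
    (302, BASE + "?code=DEVICECODE&state=STATETOKEN&flowtoken=FLOWTOKEN_111&sso_reload=true"),
    (200, BASE + "?code=DEVICECODE&state=STATETOKEN&flowtoken=FLOWTOKEN_222"),
    (303, BASE + "?code=DEVICECODE&state=STATETOKEN&flowtoken=FLOWTOKEN_222&sso_reload=true"),
]


def find_redirect_loop(trace, min_visits=3):
    """Return a summary of the first endpoint that looks like a redirect loop.

    trace is a list of (status, url) pairs. An endpoint (scheme + host + path)
    counts as looping when it is requested at least min_visits times and at
    least one of those responses is a 3xx. Returns None if nothing qualifies.
    """
    visits = defaultdict(list)      # endpoint -> list of query dicts
    redirects = defaultdict(int)    # endpoint -> number of 3xx responses
    for status, url in trace:
        parts = urlsplit(url)
        endpoint = f"{parts.scheme}://{parts.netloc}{parts.path}"
        visits[endpoint].append(dict(parse_qsl(parts.query, keep_blank_values=True)))
        redirects[endpoint] += 300 <= status < 400

    for endpoint, queries in visits.items():
        if len(queries) < min_visits or redirects[endpoint] == 0:
            continue
        keys = set().union(*queries)
        # A parameter is stable if every visit carries it with the same value.
        stable = sorted(k for k in keys
                        if all(k in q for q in queries)
                        and len({q[k] for q in queries}) == 1)
        return {
            "endpoint": endpoint,
            "visits": len(queries),
            "redirects": redirects[endpoint],
            "stable": stable,
            "varying": sorted(keys - set(stable)),
        }
    return None


if __name__ == "__main__":
    print(find_redirect_loop(TRACE))
```
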

@apryiomka Can you open the browser using private mode and see whether the same issue still repros?

@yugangw-msft az login doesn't work in non-private window to begin with.

I also tried mobile browser and I have exactly the same "redirects" issue. It is apparent, this is not a browser issue or my OS/PC issue. I have exactly the same behavior on my cell phone browser and my colleague has exactly the same issue. You should be able to reproduce this easily, just log in with two factor authentication token device. You should not be able to.

Closing as the root cause is internal

Has this issue been fixed? I am facing the same problem.

@annika07, this error is specific to accounts enrolling to Azure AD's testing environment. I have sent you a mail with instructions to unblock you.

Thank you! It is fixed now!

I am also running into this problem. Can you also send me instructions to unblock me? Thanks!

The MSFT employees who are a part of the inner ring by default need to opt out of the inner ring:

  1. Navigate to https://login.microsoftonline.com/common/insider/[email protected] (replacing YOURALIAS with your alias).
  2. Clear your browser cookies in any browser you will use to sign in to AAD that you don't want to redirect to the insider ring.

It is bad that the bug has been known for months and MSFT doesn't seem to do much to fix it.
Good luck!

Awesome, thanks! That worked!

I was still running into this issue and following the instructions by @apryiomka fixed the issue for me.
