Azure-cli: `az login` fails due to MFA

Created on 3 Aug 2018 · 27 Comments · Source: Azure/azure-cli

Describe the bug
az login doesn't work for me anymore with an MFA enabled user.

Failed to authenticate '{'additional_properties': {}, 'id': '/tenants/4253165e-ba77-4eaa-bd15-e7abb69a74ef', 'tenant_id': '4253165e-ba77-4eaa-bd15-e7abb69a74ef'}' due to error 'Get Token request returned http error: 400 and server response: {"error":"interaction_required","error_description":"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '797f4846-ba00-4fd7-ba43-dac1f8f63013'.\r\nTrace ID: 384cee7c-cf4c-4dfe-8a11-a510c4e90c00\r\nCorrelation ID: 66394469-089e-42dc-aaf6-e5d6e77c7987\r\nTimestamp: 2018-08-03 12:27:46Z","error_codes":[50076],"timestamp":"2018-08-03 12:27:46Z","trace_id":"384cee7c-cf4c-4dfe-8a11-a510c4e90c00","correlation_id":"66394469-089e-42dc-aaf6-e5d6e77c7987","suberror":"basic_action"}'

To Reproduce
az login, also read -sp "Azure password: " AZ_PASS && echo && az login -u [email protected] -p $AZ_PASS doesn't work.

Expected behavior
I receive an MFA prompt on my phone.

Environment summary
az --version
azure-cli (2.0.43)

Installed on WSL.

Account

Most helpful comment

This will happen if your account is associated with multiple Azure ADs. It can exist as a member user in one Azure AD and as a guest user in the other. If the Azure AD that you are a guest user in requires MFA, this error will occur.

You can mitigate this 'problem' by adding the Azure AD tenant to the login:

az login --tenant [tenantid]

in your case:

az login --tenant 4253165e-ba77-4eaa-bd15-e7abb69a74ef

All 27 comments

For MFA, you have to use interactive login through az login w/o -u. This requirement comes from AAD token service, not CLI.

Sorry if I wasn't clear.

Interactive AND non-interactive fail with MFA.


Are you able to login in to portal? If yes, can you try az login again?

Yes, all fine via the portal and cloud shell.

Only CLI on my local is broken.


This is an error from AAD server which I shall clarify with service team.

    AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '797f4846-ba00-4fd7-ba43-dac1f8f63013'

At the same time, in browser, can you log out the portal and run "az login" again? The goal is to clear the old cache associated with non MFA accounts, and force a new authentication flow.

if still not working, can you send the correlation id displayed in the browser to me at yugangw at microsoft dot com? It is needed for AAD team to diagnose for the root cause.

I just sent you an email to your microsoft address.


I'm having this exact issue on azure-cli version 2.0.30. First noticed it a couple days ago.

2.0.30 might be a bit too old CLI version, but regardless can you send me the error at yugangw at microsoft dot com as well? Once confirmed is the same error code, I will submit a support ticket.
Also did your tenant admin make any recent change such as location condition policies?

I tried again after updating to 2.0.43, and at first received the same error, but then after running it several times it mysteriously disappeared and everything seems to be working fine. Weird.

I can reproduce this behavior by doing:

  1. In portal, enable the baseline policy right away by following "Azure Active Directory=>Conditional Access=>Baseline policy" and turning on the option of "Use policy immediately"
  2. Launch CLI, and click the account tile in the browser, which will sign you in, but then you will get a same error from CLI.

I ended up fixing this by re-opening the browser and re-logging in to the portal, which triggered the wizard for me to configure everything needed for MFA authentication. After that, "az login" works again.
Hope this helps.

Closing. No actions I can take from CLI's end to make it better, the issue is on the browser ui caches old auth configurations. If more users report the same error I will transfer to AAD/ESTS team who owns the whole browser based authentication flow.

Hi,

I too face a similar issue. If I try to access my web app outside the Microsoft office environment I get prompted with MFA. But if I try using my application inside the MS environment it just asks me for basic authentication and allows access. But in this case, since I didn't do MFA, when I try to access Azure APIs it throws the error below:

err :AADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access '797f4846-ba00-4fd7-ba43-dac1f8f63013'.

So every time I have to clear the browser cache, log in via the Azure portal (which asks for MFA) and then access my site, which is quite painful.

Any help appreciated.

@yugangw-msft - In our organization we face the same issue:
az login, when using with a MFA-enabled account in AzureCloud (EU), leads to

Note, we have launched a browser for you to login. For old experience with device code, use "az login --use-device-code"
You have logged in. Now let us find all the subscriptions to which you have access...
Failed to authenticate '{'additional_properties': {}, 'id': '/tenants/XXX', 'tenant_id': 'XXX'}' due to error 'Get Token request returned http error: 400 and server response: {"error":"interaction_required","error_description":"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access 'XXX'.\r\nTrace ID: XXX\r\nCorrelation ID: XXX\r\nTimestamp: 2019-02-05 13:03:27Z","error_codes":[50076],"timestamp":"2019-02-05 13:03:27Z","trace_id":"XXX","correlation_id":"XXX","suberror":"basic_action"}'
No subscriptions were found for 'None'. If this is expected, use '--allow-no-subscriptions' to have tenant level accesses

When I log in via Browser manually it asks me for MFA, I confirm, re-try with az login then it works.
I highly recommend forwarding this issue to AAD/ESTS team as you suggested.

@sjentzsch, I have forwarded this to the AAD group, thanks for the feedback. What we have experienced is confusing, indeed.

This will happen if your account is associated with multiple Azure ADs. It can exist as a member user in one Azure AD and as a guest user in the other. If the Azure AD that you are a guest user in requires MFA, this error will occur.

You can mitigate this 'problem' by adding the Azure AD tenant to the login:

az login --tenant [tenantid]

in your case:

az login --tenant 4253165e-ba77-4eaa-bd15-e7abb69a74ef
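Added example, written for this page and not part of azure-cli or of any commenter's post: a small bash wrapper that runs `az login`, looks for the per-tenant AADSTS50076 (MFA required) or AADSTS50079 (MFA enrolment required) failure lines quoted in this thread, and re-runs `az login --tenant <id>` for each such tenant so its subscriptions are picked up. It generalises the single-tenant fix above to an account that is a guest in several MFA-gated tenants. The sample output it parses is constructed from the error text in this thread (the second tenant id is a placeholder); the function names are illustrative and assume the failure line keeps the `'tenant_id': '<guid>'` shape shown above.

```bash
#!/usr/bin/env bash
# Added example, not part of azure-cli: detect the AADSTS50076/50079 failure
# for individual tenants in `az login` output and retry those tenants with an
# explicit --tenant, which is the workaround reported in this thread.

# Constructed sample of az login output (shape taken from this thread; the
# 1111... tenant id is a placeholder). Used so the parser runs offline.
SAMPLE_AZ_OUTPUT=$(cat <<'EOF'
You have logged in. Now let us find all the subscriptions to which you have access...
Failed to authenticate '{'additional_properties': {}, 'id': '/tenants/4253165e-ba77-4eaa-bd15-e7abb69a74ef', 'tenant_id': '4253165e-ba77-4eaa-bd15-e7abb69a74ef'}' due to error 'Get Token request returned http error: 400 and server response: {"error":"interaction_required","error_description":"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '797f4846-ba00-4fd7-ba43-dac1f8f63013'.","error_codes":[50076],"suberror":"basic_action"}'
Failed to authenticate '{'additional_properties': {}, 'id': '/tenants/11111111-2222-3333-4444-555555555555', 'tenant_id': '11111111-2222-3333-4444-555555555555'}' due to error 'Get Token request returned http error: 400 and server response: {"error":"interaction_required","error_description":"AADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access '797f4846-ba00-4fd7-ba43-dac1f8f63013'.","error_codes":[50079],"suberror":"basic_action"}'
No subscriptions were found for 'None'. If this is expected, use '--allow-no-subscriptions' to have tenant level accesses
EOF
)

# Print, one per line and de-duplicated, every tenant id whose token request
# failed because that tenant demands MFA (50076) or MFA enrolment (50079).
# Only the "Failed to authenticate ... 'tenant_id': '<guid>'" lines match.
failed_mfa_tenants() {
  printf '%s\n' "$1" \
    | grep 'AADSTS5007[69]' \
    | sed -n "s/.*'tenant_id': '\([^']*\)'.*/\1/p" \
    | sort -u
}

# Run the normal login, then retry each MFA-gated tenant explicitly. Any extra
# flags (e.g. --use-device-code on a box without a browser, or
# --allow-no-subscriptions) are passed through to every az login call.
az_login_mfa_aware() {
  local out t
  out=$(az login "$@" 2>&1) || true   # a partial failure still lists tenants
  printf '%s\n' "$out"
  for t in $(failed_mfa_tenants "$out"); do
    echo "Tenant $t requires MFA; retrying with an explicit --tenant" >&2
    az login --tenant "$t" "$@" || return 1
  done
}

# Offline demonstration against the constructed sample. Set RUN_AZ_LOGIN=1 to
# run the real wrapper (needs the az CLI and a browser or device-code flow).
failed_mfa_tenants "$SAMPLE_AZ_OUTPUT"
if [ "${RUN_AZ_LOGIN:-0}" = 1 ]; then
  az_login_mfa_aware "$@"
fi
```

Two practical notes. The retry is interactive by design: as the maintainer says earlier in the thread, MFA cannot be satisfied with `-u`/`-p`, and putting a password on the command line (as in the `read -sp ... && az login -p $AZ_PASS` reproduction above) also exposes it to anyone who can read the process list, so prefer the browser or device-code flow for users and a service principal for automation. If you only need tenant-level access in a guest tenant, add `--allow-no-subscriptions`, as the CLI's own message suggests.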

To add insult to injury, this is happening to an account/ID that is in multiple AAD directories (a member in some, a guest in others), with MFA (via AAD) required on some, AND it is marked with risky logins from an expired trial of AAD Identity Protection. Needless to say, the conditional access is working :).

It seems to me that this is an ambiguous scenario, meaning AAD cannot determine if the ID can be "fully" authenticated across multiple directories, and naturally @tinod's suggestion of adding --tenant worked: the tenant used had no Identity Protection enabled and the ID is not a guest there. Specifying a tenant in which the ID is a guest and Identity Protection + MFA are enabled causes the AADSTS50076 error.

@jiasli please take a look.

I have the same problem.
I am logged in to my company's Office 365 tenant, but we have another tenant for Azure DevOps where I am a "guest" using my Office 365 e-mail.
My company's Office 365 has no MFA, but the DevOps AAD has MFA.
"az login" fails with "AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access"

"az login --tenant ".onmicrosoft.com" runs MFA authentication but denies access to artifacts.

This only started happening when I updated to latest az and devops. az-cli 2.0.75 devops 0.13.0.
I am the owner of the feed I am trying to access so it should be fine.

If I set the $env:AZURE_DEVOPS_EXT_PAT to my PAT the command works just fine.

Is there any news on this topic? We need a way to login users on environments without a browser. @yugangw-msft

anyone? @yonzhan @qianwens @jiasli

@Bessonov, you may use az login --use-device-code for user login or az login --service-principal for service principal login. Please see Create an Azure service principal with Azure CLI for details.

@Miles-Davies-HORIBA , when you use az login --tenant "xxx.onmicrosoft.com", and get denied access to artifacts, what is the error? Is it the same or something else? +@bagga from DevOps team

@JeffBor , in my test, I used --tenant with a tenant/directory that requires MFA and the browser did ask for MFA as expected. Could you try purging the browser cache and run az login --tenant again?

@Miles-Davies-HORIBA , when you use az login --tenant "xxx.onmicrosoft.com", and get denied access to artifacts, what is the error? Is it the same or something else? +@bagga from DevOps team

I think my issue was caused by a bug in az which was fixed. It works fine for me with the latest

@jiasli thank you very much for your response! az login --use-device-code seems to be working!

Linux guys: if you have this kind of issue, the workaround is to install an add-on in your browser that modifies the User-Agent. Set it to Windows 10 ... and Microsoft will allow logins.
