Azure-cli: az cli 2.12.0, no matter what command I run, always throws "ValidationError:"

Created on 28 Sep 2020 · 8 Comments · Source: Azure/azure-cli

az feedback auto-generates most of the information requested below, as of CLI version 2.0.62

Describe the bug

I can successfully do az login and select my subscription, but no matter what I do next, like az group list, it throws an error in red
"ValidationError:"

Tried with PowerShell, Windows Terminal, CMDer

To Reproduce

az login, az account set -s
az group list

Expected behavior

Environment summary

azure-cli 2.12.0
windows 10 1909

Additional context

needs-triage question

All 8 comments

Could you run the command with --debug and share the output?

az group list --debug
Command arguments: ['group', 'list', '--debug']
Event: Cli.PreExecute []
Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x033DC8E8>, <function OutputProducer.on_global_arguments at 0x0356AD68>, <function CLIQuery.on_global_arguments at 0x0358FD68>]
Event: CommandInvoker.OnPreCommandTableCreate []
Modules found from index for 'group': ['azure.cli.command_modules.resource']
Loading command modules:
Name                  Load Time    Groups  Commands
resource                  0.009        34       158
Total (1)                 0.009        34       158
These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_ai_did_you_mean_this']
Loading extensions:
Name                  Load Time    Groups  Commands  Directory
Total (0)                 0.000         0         0
Loaded 34 groups, 158 commands.
Found a match in the command table.
Raw command  : group list
Command table: group list
Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x037B4B28>]
az_command_data_logger : command args: group list --debug
metadata file logging enabled - writing logs to 'C:\Users\rchen\.azure\commands'.
Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x03808348>, <function register_global_query_examples_argument.<locals>.register_query_examples at 0x03808A98>]
Event: CommandInvoker.OnPostArgumentLoad []
Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x03808AE0>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x03808B70>]
Event: CommandInvoker.OnCommandTableLoaded []
Event: CommandInvoker.OnPreParseArgs []
Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x0356ADB0>, <function CLIQuery.handle_query_parameter at 0x0358FDB0>, <function register_global_query_examples_argument.<locals>.handle_example_parameter at 0x03808A50>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x03808B28>]
Getting management service client client_type=ResourceManagementClient
msrest.universal_http.requests : Configuring retry: max_retries=4, backoff_factor=0.8, max_backoff=90
msrest.async_paging : Paging async iterator protocol is not available for ResourceGroupPaged
attempting to read file C:\Users\rchen\.azure\accessTokens.json as utf-8-sig
adal-python : b9c79932-537e-4e16-98e4-728d94b907b2 - Authority:Performing instance discovery: ...
adal-python : b9c79932-537e-4e16-98e4-728d94b907b2 - Authority:Performing static instance discovery
adal-python : b9c79932-537e-4e16-98e4-728d94b907b2 - Authority:Authority validated via static instance discovery
adal-python : b9c79932-537e-4e16-98e4-728d94b907b2 - TokenRequest:Getting token from cache with refresh if necessary.
adal-python : b9c79932-537e-4e16-98e4-728d94b907b2 - CacheDriver:finding with query keys: {'_clientId': '...', 'userId': '...'}
adal-python : b9c79932-537e-4e16-98e4-728d94b907b2 - CacheDriver:Looking for potential cache entries: {'_clientId': '...', 'userId': '...'}
adal-python : b9c79932-537e-4e16-98e4-728d94b907b2 - CacheDriver:Found 20 potential entries.
azure.cli.core.util.handle_exception is called with an exception:
Traceback (most recent call last):
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-cep_dxyk\azure\cli\core\adal_authentication.py", line 27, in _get_token
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-cep_dxyk\azure\cli\core\_profile.py", line 567, in _retrieve_token
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-cep_dxyk\azure\cli\core\_profile.py", line 1019, in retrieve_token_for_user
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-mu_8y5v2\adal\authentication_context.py", line 145, in acquire_token
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-mu_8y5v2\adal\authentication_context.py", line 128, in _acquire_token
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-mu_8y5v2\adal\authentication_context.py", line 143, in token_func
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-mu_8y5v2\adal\token_request.py", line 347, in get_token_from_cache_with_refresh
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-mu_8y5v2\adal\token_request.py", line 127, in _find_token_from_cache
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-mu_8y5v2\adal\cache_driver.py", line 196, in find
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-mu_8y5v2\adal\cache_driver.py", line 124, in _load_single_entry_from_cache
adal.adal_error.AdalError: More than one token matches the criteria. The result is ambiguous.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-2gf5i3x9\knack\cli.py", line 215, in invoke
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-cep_dxyk\azure\cli\core\commands\__init__.py", line 654, in execute
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-cep_dxyk\azure\cli\core\commands\__init__.py", line 718, in _run_jobs_serially
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-cep_dxyk\azure\cli\core\commands\__init__.py", line 711, in _run_job
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-z1u_tuk4\six.py", line 703, in reraise
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-cep_dxyk\azure\cli\core\commands\__init__.py", line 688, in _run_job
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-cep_dxyk\azure\cli\core\commands\__init__.py", line 325, in __call__
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-cep_dxyk\azure\cli\core\__init__.py", line 784, in default_command_handler
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-suu5892n\azure\cli\command_modules\resource\custom.py", line 1128, in list_resource_groups
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-htqn9o92\msrest\paging.py", line 143, in __next__
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-htqn9o92\msrest\paging.py", line 129, in advance_page
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-98udkndc\azure\mgmt\resource\resources\v2020_06_01\operations\_resource_groups_operations.py", line 547, in internal_paging
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-htqn9o92\msrest\service_client.py", line 336, in send
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-htqn9o92\msrest\pipeline\__init__.py", line 197, in run
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-htqn9o92\msrest\pipeline\__init__.py", line 150, in send
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-htqn9o92\msrest\pipeline\requests.py", line 65, in send
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-cep_dxyk\azure\cli\core\adal_authentication.py", line 73, in signed_session
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-cep_dxyk\azure\cli\core\adal_authentication.py", line 52, in _get_token
knack.util.CLIError

cli.azure.cli.core.azclierror : ValidationError:
ValidationError:
Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x037B4C48>]
az_command_data_logger : exit code: 1
Command ran in 0.502 seconds (init: 0.127, invoke: 0.375)
telemetry.save : Save telemetry record of length 2806 in cache
telemetry.check : Negative: The C:\Users\rchen\.azure\telemetry.txt was modified at 2020-09-28 15:36:32.958403, which in less than 600.000000 s

This seems to be the same issue as #5548, #6147, #6957.

There are actually 2 issues:

  1. The actual error is hidden
  2. ADAL raises adal.adal_error.AdalError: More than one token matches the criteria. The result is ambiguous.

The actual error message is hidden

The original issue gives an incorrect error (TypeError) because in has higher precedence than or, thus

raise AdalError('More than one token matches the criteria. The result is ambiguous.')
...
if 'AADSTS70008:' in (getattr(err, 'error_response', None) or {}).get('error_description') or '':
                  ^^

raises

TypeError: argument of type 'NoneType' is not iterable

Instead, it should be

if 'AADSTS70008:' in ((getattr(err, 'error_response', None) or {}).get('error_description') or ''):

Thus, the original error is replaced by TypeError.

Even though in the current code the error detail is extracted first:

err = (getattr(err, 'error_response', None) or {}).get('error_description') or ''

the error message is still hidden.
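The precedence problem described in the comment above, reproduced as an added example (not Azure CLI or ADAL code). `FakeAdalError`, `run_handler` and `root_cause` are hypothetical names; the two check expressions are the ones quoted in the comment, and the example also shows that the masked error stays reachable through the exception's `__context__` chain.

```python
AMBIGUOUS = 'More than one token matches the criteria. The result is ambiguous.'

class FakeAdalError(Exception):
    """Constructed stand-in for adal.adal_error.AdalError (hypothetical name)."""
    def __init__(self, message, error_response=None):
        super().__init__(message)
        self.error_response = error_response

def buggy_check(err):
    # Parsed as ('AADSTS70008:' in <description>) or '' ; <description> may be None.
    return 'AADSTS70008:' in (getattr(err, 'error_response', None) or {}).get('error_description') or ''

def fixed_check(err):
    # The extra parentheses apply the '' fallback before the membership test.
    return 'AADSTS70008:' in ((getattr(err, 'error_response', None) or {}).get('error_description') or '')

def run_handler(check):
    """Raise the cache error, inspect it inside the handler, return what escapes."""
    try:
        try:
            raise FakeAdalError(AMBIGUOUS)  # no error_response, as with the cache error
        except FakeAdalError as err:
            if check(err):
                raise RuntimeError('refresh token expired')  # constructed branch
            raise
    except Exception as exc:
        return exc

def root_cause(exc):
    """Follow __context__ links back to the first exception in the chain."""
    while exc.__context__ is not None:
        exc = exc.__context__
    return exc

if __name__ == '__main__':
    for check in (buggy_check, fixed_check):
        escaped = run_handler(check)
        print(check.__name__, '->', type(escaped).__name__,
              '| root cause:', root_cause(escaped))
```

With `buggy_check` the caller sees a `TypeError` and only the chained context carries the ADAL message; with `fixed_check` the original error propagates unchanged.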

Hi, after running az account clear, it seems fine now.

@theasphaltworld, if the issue happens again, do you mind sharing your ~/.azure/accessTokens.json to my email address @microsoft.com? Please remove sensitive information accessToken and refreshToken. Thank you very much.

Checked the code from ADAL, it looks like sometimes there is more than one entry that matches _clientId, userId, resource and _authority.

if potential_entries:
    resource_tenant_specific_entries = [
        x for x in potential_entries 
        if x[TokenResponseFields.RESOURCE] == self._resource and 
        x[TokenResponseFields._AUTHORITY] == self._authority]

    ...
        raise AdalError('More than one token matches the criteria. The result is ambiguous.')

@rayluo, just wondering if you have seen this issue before in ADAL. Thanks.
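A way to check a token cache for the ambiguity described above, and to strip accessToken and refreshToken before the file is shared, as an added example (not ADAL or Azure CLI code). It assumes the cache is a JSON array of objects carrying the field names mentioned in this thread; the sample entries and the function names are constructed.

```python
import json
from collections import defaultdict

MATCH_KEYS = ('_clientId', 'userId', 'resource', '_authority')
SECRET_KEYS = ('accessToken', 'refreshToken')

# Constructed sample: entries 0 and 2 agree on all four match keys.
SAMPLE_CACHE = json.dumps([
    {'_clientId': 'client-0000', 'userId': 'user@example.com',
     'resource': 'https://resource.example/', '_authority': 'https://login.example/tenant-a',
     'accessToken': 'constructed-at-1', 'refreshToken': 'constructed-rt-1'},
    {'_clientId': 'client-0000', 'userId': 'user@example.com',
     'resource': 'https://resource.example/', '_authority': 'https://login.example/tenant-b',
     'accessToken': 'constructed-at-2', 'refreshToken': 'constructed-rt-2'},
    {'_clientId': 'client-0000', 'userId': 'user@example.com',
     'resource': 'https://resource.example/', '_authority': 'https://login.example/tenant-a',
     'accessToken': 'constructed-at-3', 'refreshToken': 'constructed-rt-3'},
])

def load_entries(text):
    """Parse cache text; for a real file, open it with encoding='utf-8-sig'."""
    entries = json.loads(text)
    if not isinstance(entries, list):
        raise ValueError('expected a JSON array of cache entries')
    return entries

def redact(entry):
    """Copy an entry with the secret fields replaced by a marker."""
    return {k: ('<redacted>' if k in SECRET_KEYS else v) for k, v in entry.items()}

def ambiguous_groups(entries):
    """Map each repeated (clientId, userId, resource, authority) tuple to its entry indexes."""
    groups = defaultdict(list)
    for index, entry in enumerate(entries):
        groups[tuple(entry.get(k) for k in MATCH_KEYS)].append(index)
    return {key: idx for key, idx in groups.items() if len(idx) > 1}

if __name__ == '__main__':
    entries = load_entries(SAMPLE_CACHE)
    for key, indexes in ambiguous_groups(entries).items():
        print('ambiguous entries', indexes, 'for', dict(zip(MATCH_KEYS, key)))
    print(json.dumps([redact(e) for e in entries], indent=2))
```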

@jiasli Sorry I have not. By the way, ADAL Python's successor - MSAL Python - uses a different design which would handle this situation internally without raising an exception. Assuming Az CLI is going to adopt MSAL (even just indirectly), you might not need to invent a new error type for this.
