az ad subcommands broken: User 'xxx' does not exist in MSAL token cache #29331

Closed
readefries opened this issue Jul 8, 2024 · 12 comments
Labels
Account az login/account ARM az resource/group/lock/tag/deployment/policy/managementapp/account management-group Auto-Assign Auto assign by bot Auto-Resolve Auto resolve by bot Azure CLI Team The command of the issue is owned by Azure CLI team customer-reported Issues that are reported by GitHub users external to the Azure organization. Graph az ad question The issue doesn't require a change to the product in order to be resolved. Most issues start as that

@readefries

Describe the bug

It looks like there's something broken between az ad and msal in the current version.

Although I can find my user info in ~/.azure/msal_token_cache.json, and according to az login I'm logged in (az account show lists my subscriptions), the az ad part doesn't seem to work anymore.

Related command

az ad signed-in-user show

Errors

User '<>' does not exist in MSAL token cache. Run az login.

Issue script & Debug output

cli.knack.cli: Command arguments: ['ad', 'signed-in-user', 'show', '--debug']
cli.knack.cli: init debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x7f465f7fe2a0>, <function OutputProducer.on_global_arguments at 0x7f465f554400>, <function CLIQuery.on_global_arguments at 0x7f465f581ee0>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'ad': ['azure.cli.command_modules.role']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: role 0.002 17 61
cli.azure.cli.core: Total (1) 0.002 17 61
cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name Load Time Groups Commands Directory
cli.azure.cli.core: Total (0) 0.000 0 0
cli.azure.cli.core: Loaded 17 groups, 61 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : ad signed-in-user show
cli.azure.cli.core: Command table: ad signed-in-user show
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x7f465e4cf420>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/home/hindrik/.azure/commands/2024-07-08.14-48-34.ad_signed-in-user_show.407781.log'.
az_command_data_logger: command args: ad signed-in-user show --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0x7f465e51f600>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x7f465e51f6a0>, <function register_cache_arguments..add_cache_arguments at 0x7f465e51f7e0>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x7f465f5544a0>, <function CLIQuery.handle_query_parameter at 0x7f465f581f80>, <function register_ids_argument..parse_ids_arguments at 0x7f465e51f740>]
cli.azure.cli.core.util: Retrieving token for resource https://graph.microsoft.com/
cli.azure.cli.core.auth.persistence: build_persistence: location='/home/hindrik/.azure/msal_token_cache.json', encrypt=False
cli.azure.cli.core.auth.binary_cache: load: /home/hindrik/.azure/msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/aa8f6f48-5c58-40f7-b8c8-02b0cb9a6183
msal.authority: openid_config("https://login.microsoftonline.com/aa8f6f48-5c58-40f7-b8c8-02b0cb9a6183/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/aa8f6f48-5c58-40f7-b8c8-02b0cb9a6183/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/aa8f6f48-5c58-40f7-b8c8-02b0cb9a6183/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/aa8f6f48-5c58-40f7-b8c8-02b0cb9a6183/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/aa8f6f48-5c58-40f7-b8c8-02b0cb9a6183/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/aa8f6f48-5c58-40f7-b8c8-02b0cb9a6183/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/aa8f6f48-5c58-40f7-b8c8-02b0cb9a6183/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/aa8f6f48-5c58-40f7-b8c8-02b0cb9a6183/kerberos', 'tenant_region_scope': 'EU', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? None
msal.application: get_accounts(username='[email protected]') finds no account. If tokens were acquired without 'profile' scope, they would contain no username for filtering. Consider calling get_accounts(username=None) instead.
cli.azure.cli.core.azclierror: Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/knack/cli.py", line 233, in invoke
cmd_result = self.invocation.execute(args)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/azure/cli/core/commands/__init__.py", line 664, in execute
raise ex
File "/usr/lib/python3/dist-packages/azure/cli/core/commands/__init__.py", line 731, in _run_jobs_serially
results.append(self._run_job(expanded_arg, cmd_copy))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/azure/cli/core/commands/__init__.py", line 723, in _run_job
return cmd_copy.exception_handler(ex)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/azure/cli/command_modules/role/commands.py", line 51, in graph_err_handler
raise ex
File "/usr/lib/python3/dist-packages/azure/cli/core/commands/__init__.py", line 701, in _run_job
result = cmd_copy(params)
^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/azure/cli/core/commands/__init__.py", line 334, in __call__
return self.handler(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/azure/cli/core/commands/command_operation.py", line 363, in handler
show_exception_handler(ex)
File "/usr/lib/python3/dist-packages/azure/cli/core/commands/arm.py", line 432, in show_exception_handler
raise ex
File "/usr/lib/python3/dist-packages/azure/cli/core/commands/command_operation.py", line 361, in handler
return op(**command_args)
^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/azure/cli/command_modules/role/custom.py", line 1821, in show_signed_in_user
result = client.signed_in_user_get()
^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 224, in signed_in_user_get
result = self._send("GET", "/me")
^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 52, in _send
r = send_raw_request(self._cli_ctx, method, url, resource=self._resource, uri_parameters=param,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/azure/cli/core/util.py", line 983, in send_raw_request
token_info, _, _ = profile.get_raw_token(resource)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/azure/cli/core/_profile.py", line 405, in get_raw_token
credential = self._create_credential(account, tenant)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/azure/cli/core/_profile.py", line 615, in _create_credential
return identity.get_user_credential(username_or_sp_id)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/azure/cli/core/auth/identity.py", line 232, in get_user_credential
return UserCredential(self.client_id, username, **self._msal_public_app_kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/azure/cli/core/auth/msal_authentication.py", line 58, in __init__
raise CLIError("User '{}' does not exist in MSAL token cache. Run az login.".format(username))
knack.util.CLIError: User '[email protected]' does not exist in MSAL token cache. Run az login.

cli.azure.cli.core.azclierror: User '[email protected]' does not exist in MSAL token cache. Run az login.
az_command_data_logger: User '[email protected]' does not exist in MSAL token cache. Run az login.
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7f465e4cf6a0>]
az_command_data_logger: exit code: 1
cli.azure.cli.main: Command ran in 0.473 seconds (init: 0.101, invoke: 0.372)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 3885 in cache
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "/usr/bin/python3 /usr/lib/python3/dist-packages/azure/cli/telemetry/__init__.py /home/hindrik/.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.

Expected behavior

Show the logged in user info :D

Environment Summary

azure-cli 2.61.0
core 2.61.0
telemetry 1.1.0
Extensions:
azure-devops 1.0.1
Dependencies:
msal 1.29.0
azure-mgmt-resource 23.1.1

Python location '/usr/bin/python3'
Extensions directory '/home/hindrik/.azure/cliextensions'
Extensions system directory '/usr/lib/python3/dist-packages/azure-cli-extensions'

Python (Linux) 3.11.9 (main, Apr 10 2024, 13:16:36) [GCC 13.2.0]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

Additional context

No response

@readefries readefries added the bug This issue requires a change to an existing behavior in the product in order to be resolved. label Jul 8, 2024

Hi @cloudcosmonaut,

This is not the official Azure CLI published by Microsoft.

How to tell if the installed Azure CLI is unofficial:

Please follow https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-linux to install Microsoft official Azure CLI.

If you feel that further discussion is needed, please add a comment with the text /clibot unresolve to reopen the issue.

@yonzhan
Collaborator

yonzhan commented Jul 8, 2024

Thank you for opening this issue, we will look into it.

@microsoft-github-policy-service microsoft-github-policy-service bot added customer-reported Issues that are reported by GitHub users external to the Azure organization. Auto-Assign Auto assign by bot ARM az resource/group/lock/tag/deployment/policy/managementapp/account management-group labels Jul 8, 2024
@microsoft-github-policy-service microsoft-github-policy-service bot added Azure CLI Team The command of the issue is owned by Azure CLI team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that Account az login/account labels Jul 8, 2024
@yonzhan yonzhan removed the bug This issue requires a change to an existing behavior in the product in order to be resolved. label Jul 8, 2024
@yonzhan yonzhan added this to the Backlog milestone Jul 8, 2024
@readefries
Author

/clibot unresolve

@readefries
Author

I installed the azure-cli just as described

@readefries
Author

When downgrading to 2.60.0 it seems to work, so some degradation happened in between.

@jiasli
Member

jiasli commented Jul 9, 2024

/usr/lib/python3/dist-packages is not the official Azure CLI's installation location /opt/az/lib/python3.11/site-packages. Please follow https://learn.microsoft.com/en-us/cli/azure/install-azure-cli-linux?pivots=apt to install the official package and try again.
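
The path comparison made in the comment above can be scripted for triaging a saved `--debug` log. This is an added example, not code from the thread or from the Azure CLI project; the function names and sample inputs are constructed, and the only assumption is the one the comment states, that the official package lives under /opt/az/.

```shell
#!/bin/sh
# Added example, not part of the thread. Assumption taken from the maintainer's
# comment: the official Linux package keeps its modules under /opt/az/.
OFFICIAL_PREFIX="/opt/az/"

# Print the unique directories that contain the azure/cli package, read from
# traceback lines such as:  File "/x/y/azure/cli/core/util.py", line 983, ...
az_module_roots() {
    sed -n 's|.*File "\(/[^"]*\)/azure/cli/[^"]*".*|\1|p' | sort -u
}

# Read `az <command> --debug` output on stdin and print one verdict:
#   official    every azure/cli path is under $OFFICIAL_PREFIX
#   unofficial  at least one azure/cli path is somewhere else
#   unknown     the input contains no azure/cli path
az_install_origin() (
    verdict="unknown"
    roots="$(az_module_roots)"
    while IFS= read -r root; do
        [ -n "$root" ] || continue
        case "$root/" in
            "$OFFICIAL_PREFIX"*)
                if [ "$verdict" = "unknown" ]; then verdict="official"; fi ;;
            *) verdict="unofficial" ;;
        esac
    done <<EOF
$roots
EOF
    printf '%s\n' "$verdict"
)

# Constructed sample: three frames copied from the traceback in this issue.
sample_reported_log() {
    cat <<'EOF'
File "/usr/lib/python3/dist-packages/knack/cli.py", line 233, in invoke
File "/usr/lib/python3/dist-packages/azure/cli/core/util.py", line 983, in send_raw_request
File "/usr/lib/python3/dist-packages/azure/cli/core/_profile.py", line 405, in get_raw_token
EOF
}

# Constructed sample: one frame moved to the official path named in the thread.
sample_official_log() {
    cat <<'EOF'
File "/opt/az/lib/python3.11/site-packages/azure/cli/core/util.py", line 983, in send_raw_request
EOF
}

sample_reported_log | az_install_origin   # prints: unofficial
sample_official_log | az_install_origin   # prints: official
```

The function only sees paths when the log contains a traceback, so feed it the debug output of the failing command.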

@readefries
Author

Hmm, I did install it using `curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash`. So I don't understand why it got installed in the wrong location. After completely removing az cli and the source it got installed with, and reinstalling it again, it seemed to be fixed. Could it be a difference in Linux distro? I use Debian; could there have been a diff in dependencies or something?

Thanks anyway!

Cheers, Hindrik

@jiasli
Member

jiasli commented Jul 11, 2024

Which Debian version are you using? You may check with cat /etc/os-release and it shows something like

$ cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04.4 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.4 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy

I guess you simply ran apt install azure-cli, which installed the unofficial Azure CLI, such as https://packages.debian.org/unstable/azure-cli.

@jiasli jiasli changed the title az ad subcommands broken az ad subcommands broken: User 'xxx' does not exist in MSAL token cache Jul 11, 2024
@readefries
Author

I do see the azure-cli package is available in multiple sources:
image

This is the output of os-release:
image

@yulrizka

yulrizka commented Aug 15, 2024

I can confirm I have the same problem. I was running 2.63.0; reverting back to 2.60.0 solved my issue.

az  az acr login -n xxx
User 'XXX' does not exist in MSAL token cache. Run `az login`.

Some Stack Overflow posts also mentioned using --tenant when trying `az login`, but this does not work for me.

@Serpentiel

Hey! 👋

I can confirm that this problem also exists in v2.63.0 for me, and reverting back to v2.60.0 also solved it.

I'm running Azure CLI on macOS 14.6.1:

Darwin x.local 23.6.0 Darwin Kernel Version 23.6.0: Mon Jul 29 21:14:30 PDT 2024; root:xnu-10063.141.2~1/RELEASE_ARM64_T6030 arm64

@cloudcosmonaut could you perhaps re-open the issue?

Thanks!

@readefries
Author

The issue in my case was that I accidentally installed azure-cli from a different source, which was causing the issues.
Not sure how you installed Azure CLI on your Mac, but it could have a similar cause.
