az account get-access-token doesnt seem to work in multi-tenant scenarios correctly

[digitalinfinity]

az feedback auto-generates most of the information requested below, as of CLI version 2.0.62

Describe the bug

If you log in to az cli with multiple tenants, and then run az account get-access-token with --tenant-id, it fails to retrieve the tenant. However, if you use --subscription with a subscription in that tenant, it works.

To Reproduce

az login (into tenant A)
az login --device-code (into tenant B)
az account get-access-token --scope "https://vault.azure.net/.default" --tenant <id of tenant B>
az account get-access-token --scope "https://vault.azure.net/.default" --tenant <id of tenant A>
az account get-access-token --scope "https://vault.azure.net/.default" --subscription <subscription in tenant A>

Here, the first get-access-token call succeeds, the second fails, and the third succeeds.

Expected behavior

All three get-access-token calls succeed

Environment summary

az cli 2.33.0 running on WSL2

Additional context

[yonzhan]

@jiasli for awareness

[jiasli]

Could you give more information on how the second command fails? Any error, output?

[digitalinfinity]

az account get-access-token --scope "https://vault.azure.net/.default" --tenant "<redacted tenant A>"
AADSTS50020: User account '{EmailHidden}' from identity provider 'https://sts.windows.net/<redacted tenant B>/' does not exist in tenant 'Microsoft' and cannot access the application '04b07795-8ddb-461a-bbee-02f9e1bf7b46'(Microsoft Azure CLI) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Trace ID: 4a296d31-eab2-4719-a474-4c4f852b0100
Correlation ID: 8a2d8304-11b7-42df-ba85-4491756a9780
Timestamp: 2022-02-08 22:03:22Z
To re-authenticate, please run:
az login --scope https://vault.azure.net/.default

[digitalinfinity]

Also, i just noticed that my original post didnt escape the angle brackets correctly- updated in place for clarity

[jackhorton]

@yonzhan @jiasli Do you have any update here? This issue is still requiring us to use a custom AzureCliCredential wrapper that handles this behavior correctly as the one shipped with the Azure.Identity package does not handle this correctly.

[jiasli]

I think I figured out the problem. You log into 2 tenants with 2 different users. After that, you can get expected token with --subscription, but not with --tenant.

There will be no error when the current user belongs to both tenants:

> az account get-access-token --scope "https://vault.azure.net/.default" --tenant 72f988bf-86f1-41af-91ab-2d7cd011db47
{
  "accessToken": <Decoded: "tid": "72f988bf-86f1-41af-91ab-2d7cd011db47">,
  "expiresOn": "2022-12-07 11:36:29.000000",
  "tenant": "72f988bf-86f1-41af-91ab-2d7cd011db47",
  "tokenType": "Bearer"
}
> az account get-access-token --scope "https://vault.azure.net/.default" --tenant 54826b22-38d6-4fb2-bad9-b7b93a3e9c5a
{
  "accessToken": <Decoded: "tid": "54826b22-38d6-4fb2-bad9-b7b93a3e9c5a">,
  "expiresOn": "2022-12-07 11:17:30.000000",
  "tenant": "54826b22-38d6-4fb2-bad9-b7b93a3e9c5a",
  "tokenType": "Bearer"
}

The tenant ID provided with --tenant matches the tenant ID of the access token.

I got the same error if the current user doesn't exist in the provided --tenant:

> az account get-access-token --scope "https://vault.azure.net/.default" --tenant 72f988bf-86f1-41af-91ab-2d7cd011db47
AADSTS50020: User account '{EmailHidden}' from identity provider 'https://sts.windows.net/54826b22-38d6-4fb2-bad9-b7b93a3e9c5a/' does not exist in tenant 'Microsoft' and cannot access the application '04b07795-8ddb-461a-bbee-02f9e1bf7b46'(Microsoft Azure CLI) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Trace ID: 988ded24-207a-4a5d-9d98-680f78610100
Correlation ID: e33352c9-d0e4-4b0b-876b-9bcedbb9da27
Timestamp: 2022-12-07 02:27:18Z
Interactive authentication is needed. Please run:
az login --scope https://vault.azure.net/.default

This is because we disabled tenanted passthrough due to security:

• Tenanted passthrough will be disabled on 2022-08-02 #23255

The reason why subscription ID can be used to select user identity is because subscription ID is the primary key of the list from az account list, but tenant ID is not. Tenant ID can lead to ambiguity. Imagine 2 entries for different users contain the same tenant ID, which user identity should we use?

• [subA], tenantA, userA
• [subB], tenantA, userB

So the behavior can be summarized as

• If --subscription is provided, the user identity matching that --subscription is used
• If --tenant is provided, the current user identity is used

This is how the user identity is selected (by --subscription or the current account):

azure-cli/src/azure-cli-core/azure/cli/core/_profile.py

Line 362 in 060b414

account = self.get_subscription(subscription)

--tenant is then applied to the selected user identity:

azure-cli/src/azure-cli-core/azure/cli/core/_profile.py

Line 382 in 060b414

credential = self._create_credential(account, tenant)

The help message also tells the same:

> az account get-access-token -h

Command
    az account get-access-token : Get a token for utilities to access Azure.
        The token will be valid for at least 5 minutes with the maximum at 60 minutes. If the
        subscription argument isn't specified, the current account is used.

Also see

• [Enhancement Proposal] User and tenant isolation #15005
• [Core] Allow disabling subscription finding #13285

[jiasli]

This topic was also previously discussed in Azure/azure-devops-cli-extension#1226