On Azure CLI version 2.37.0, the command az ad sp create-for-rbac command started to intermittently fail with the following error:
Error due to concurrent requests being made to the tenant. Please wait briefly and retry.
Looking at the debug log, the cause was the /addPassword POST call failing with an HTTP 503:
urllib3.connectionpool: Starting new HTTPS connection (1): graph.microsoft.com:443
urllib3.connectionpool: https://graph.microsoft.com:443 "POST /v1.0/applications/{redacted_for_github_issue}/addPassword HTTP/1.1" 503 None
cli.azure.cli.core.util: Response status: 503
cli.azure.cli.core.util: Response headers:
cli.azure.cli.core.util: 'Cache-Control': 'no-cache'
cli.azure.cli.core.util: 'Transfer-Encoding': 'chunked'
cli.azure.cli.core.util: 'Content-Type': 'application/json'
cli.azure.cli.core.util: 'Content-Encoding': 'gzip'
cli.azure.cli.core.util: 'Vary': 'Accept-Encoding'
cli.azure.cli.core.util: 'Strict-Transport-Security': 'max-age=31536000'
cli.azure.cli.core.util: 'request-id': 'dfef9c16-ab41-4e64-a05d-ed0501997cd1'
cli.azure.cli.core.util: 'client-request-id': 'dfef9c16-ab41-4e64-a05d-ed0501997cd1'
cli.azure.cli.core.util: 'x-ms-ags-diagnostic': '{"ServerInfo":{"DataCenter":"West Europe","Slice":"E","Ring":"5","ScaleUnit":"001","RoleInstance":"AM4PEPF00015127"}}'
cli.azure.cli.core.util: 'x-ms-resource-unit': '1'
cli.azure.cli.core.util: 'Date': 'Mon, 20 Jun 2022 12:50:27 GMT'
cli.azure.cli.core.util: Response content:
cli.azure.cli.core.util: {"error":{"code":"Directory_ConcurrencyViolation","message":"Error due to concurrent requests being made to the tenant. Please wait briefly and retry.","innerError":{"date":"2022-06-20T12:50:27","request-id":"dfef9c16-ab41-4e64-a05d-ed0501997cd1","client-request-id":"dfef9c16-ab41-4e64-a05d-ed0501997cd1"}}}
After opening a Microsoft Service Request (number 2206210050000221) against Graph to determine why this call was intermittently failing in our tenant, the response was that this can happen when there are multiple update requests to the same object within a few seconds, and that the request should be retried after 1-2 minutes when this error occurs.
Looking at the Azure CLI debug log, the /addPassword call was indeed immediately preceded by a /removePassword call for the same Application Registration.
It seems that Azure CLI issues the /addPassword call too soon after the /removePassword call and does not have a retry mechanism, causing the intermittent error we see.
Could Azure CLI be changed to wait a bit longer between update calls to Graph and/or implement a retry mechanism in case of concurrency violation errors?
On Azure CLI version 2.37.0, the command
az ad sp create-for-rbaccommand started to intermittently fail with the following error:Looking at the debug log, the cause was the /addPassword POST call failing with an HTTP 503:
After opening a Microsoft Service Request (number 2206210050000221) against Graph to determine why this call was intermittently failing in our tenant, the response was that this can happen when there are multiple update requests to the same object within a few seconds, and that the request should be retried after 1-2 minutes when this error occurs.
Looking at the Azure CLI debug log, the /addPassword call was indeed immediately preceded by a /removePassword call for the same Application Registration.
It seems that Azure CLI issues the /addPassword call too soon after the /removePassword call and does not have a retry mechanism, causing the intermittent error we see.
Could Azure CLI be changed to wait a bit longer between update calls to Graph and/or implement a retry mechanism in case of concurrency violation errors?