Since the new Azure CLI login experience was added, az ad signed-in-user show no longer works #29222

@GavBurke

Describe the bug

Our login code fetches the user ID via az ad signed-in-user show, but since this new Azure CLI Login Experience, where it now asks what subscription to log in to, this no longer works, giving the error: Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown.

Related command

az ad signed-in-user show

Errors

Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown.

Issue script & Debug output

cli.knack.cli: Command arguments: ['ad', 'signed-in-user', 'show', '--debug']
cli.knack.cli: __init__ debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x7fbd39a240e0>, <function OutputProducer.on_global_arguments at 0x7fbd399ce2a0>, <function CLIQuery.on_global_arguments at 0x7fbd397e7d80>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'ad': ['azure.cli.command_modules.role']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: role 0.002 17 61
cli.azure.cli.core: Total (1) 0.002 17 61
cli.azure.cli.core: Loaded 17 groups, 61 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : ad signed-in-user show
cli.azure.cli.core: Command table: ad signed-in-user show
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x7fbd388ecea0>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/home/gavinbu/.azure/commands/2024-06-21.12-29-02.ad_signed-in-user_show.13543.log'.
az_command_data_logger: command args: ad signed-in-user show --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x7fbd38945f80>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x7fbd389691c0>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x7fbd38969300>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x7fbd399ce340>, <function CLIQuery.handle_query_parameter at 0x7fbd397e7e20>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x7fbd38969260>]
cli.azure.cli.core.util: Retrieving token for resource https://graph.microsoft.com/
cli.azure.cli.core.auth.persistence: build_persistence: location='/home/gavinbu/.azure/msal_token_cache.json', encrypt=False
cli.azure.cli.core.auth.binary_cache: load: /home/gavinbu/.azure/msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/457a65b9-e5e8-45e1-83fb-85aa42633e5b
msal.authority: openid_config("https://login.microsoftonline.com/457a65b9-e5e8-45e1-83fb-85aa42633e5b/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/457a65b9-e5e8-45e1-83fb-85aa42633e5b/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/457a65b9-e5e8-45e1-83fb-85aa42633e5b/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/457a65b9-e5e8-45e1-83fb-85aa42633e5b/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/457a65b9-e5e8-45e1-83fb-85aa42633e5b/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/457a65b9-e5e8-45e1-83fb-85aa42633e5b/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/457a65b9-e5e8-45e1-83fb-85aa42633e5b/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/457a65b9-e5e8-45e1-83fb-85aa42633e5b/kerberos', 'tenant_region_scope': 'EU', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? None
cli.azure.cli.core.auth.msal_authentication: UserCredential.get_token: scopes=('https://graph.microsoft.com//.default',), claims=None, kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: e7b216ec-d8ca-463f-b9c2-bb9801827cd2
cli.azure.cli.core.util: Request URL: 'https://graph.microsoft.com/v1.0/me'
cli.azure.cli.core.util: Request method: 'GET'
cli.azure.cli.core.util: Request headers:
cli.azure.cli.core.util: 'User-Agent': 'python/3.11.8 (Linux-5.15.153.1-microsoft-standard-WSL2-x86_64-with-glibc2.36) AZURECLI/2.61.0 (DEB)'
cli.azure.cli.core.util: 'Accept-Encoding': 'gzip, deflate'
cli.azure.cli.core.util: 'Accept': '*/*'
cli.azure.cli.core.util: 'Connection': 'keep-alive'
cli.azure.cli.core.util: 'x-ms-client-request-id': 'fdb35a1e-3baa-4074-8812-201c40fcf3e2'
cli.azure.cli.core.util: 'CommandName': 'ad signed-in-user show'
cli.azure.cli.core.util: 'ParameterSetName': '--debug'
cli.azure.cli.core.util: 'Authorization': 'Bearer eyJ0eXAiOiJKV...'
cli.azure.cli.core.util: Request body:
cli.azure.cli.core.util: None
urllib3.connectionpool: Starting new HTTPS connection (1): graph.microsoft.com:443
urllib3.connectionpool: https://graph.microsoft.com:443 "GET /v1.0/me HTTP/1.1" 401 None
cli.azure.cli.core.util: Response status: 401
cli.azure.cli.core.util: Response headers:
cli.azure.cli.core.util: 'Transfer-Encoding': 'chunked'
cli.azure.cli.core.util: 'Content-Type': 'application/json'
cli.azure.cli.core.util: 'Content-Encoding': 'gzip'
cli.azure.cli.core.util: 'Vary': 'Accept-Encoding'
cli.azure.cli.core.util: 'Strict-Transport-Security': 'max-age=31536000'
cli.azure.cli.core.util: 'request-id': 'b03fa5b7-917c-48db-8c96-02a6974761db'
cli.azure.cli.core.util: 'client-request-id': 'b03fa5b7-917c-48db-8c96-02a6974761db'
cli.azure.cli.core.util: 'x-ms-ags-diagnostic': '{"ServerInfo":{"DataCenter":"West Europe","Slice":"E","Ring":"5","ScaleUnit":"002","RoleInstance":"AM2PEPF0002326E"}}'
cli.azure.cli.core.util: 'WWW-Authenticate': 'Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="00000003-0000-0000-c000-000000000000", error_description="Continuous access evaluation resulted in challenge with result: InteractionRequired and code: TokenCreatedWithOutdatedPolicies", error="insufficient_claims", claims="eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwidmFsdWUiOiIxNzE4OTcyOTQzIn0sInhtc19ycF9pcGFkZHIiOnsidmFsdWUiOiIzNC43Ny4xMDcuODMifX19", PoP realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="00000003-0000-0000-c000-000000000000", nonce="eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjQ4RDBDNENCQzcwQkYyQUYzQzE4NzE1RDkwQ0MxN0EyRjM0NjkyMjQifQ.eyJ0cyI6MTcxODk3Mjk0MH0.a0OyYgSmkcbfIGev7PoxcTK31c1NqOChaOjFQgfrT_gzN1Ycs7Rcn2Qdf7PZrYG4Avzy2ku8ItgRPO3jqXeyc32qa9naG16Lzn59XBlYoPTwQzUgrCshkZ_RpVg08tGiPjz4TlqenhjSsIz3z5sYYAP1qDM_-Tc3J6YoBVrgrVN-cK451YOWLxNV8VjMdhsh_Kg3Jczlf2dRINjTy339T5A9V8dBFZ9iz7pDiWILzGDD4E5p-DGYKiKsoMnC4e5RF8wssbEje4xMz4Okrd5HClZJHJ_dlvO61eZUHRIRhfY54VIZKRzJoJcGmXihD4yaI8FihxbRss5OUZx1d91ouw"'
cli.azure.cli.core.util: 'Date': 'Fri, 21 Jun 2024 12:29:02 GMT'
cli.azure.cli.core.util: Response content:
cli.azure.cli.core.util: {"error":{"code":"InvalidAuthenticationToken","message":"Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown.","innerError":{"date":"2024-06-21T12:29:03","request-id":"b03fa5b7-917c-48db-8c96-02a6974761db","client-request-id":"b03fa5b7-917c-48db-8c96-02a6974761db"}}}
cli.azure.cli.core.azclierror: Traceback (most recent call last):
  File "/opt/az/lib/python3.11/site-packages/azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 52, in _send
    r = send_raw_request(self._cli_ctx, method, url, resource=self._resource, uri_parameters=param,
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/util.py", line 1007, in send_raw_request
    raise HTTPError(reason, r)
azure.cli.core.azclierror.HTTPError: Unauthorized({"error":{"code":"InvalidAuthenticationToken","message":"Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown.","innerError":{"date":"2024-06-21T12:29:03","request-id":"b03fa5b7-917c-48db-8c96-02a6974761db","client-request-id":"b03fa5b7-917c-48db-8c96-02a6974761db"}}})

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 701, in _run_job
    result = cmd_copy(params)
             ^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 334, in __call__
    return self.handler(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/command_operation.py", line 363, in handler
    show_exception_handler(ex)
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/arm.py", line 432, in show_exception_handler
    raise ex
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/command_operation.py", line 361, in handler
    return op(**command_args)
           ^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.11/site-packages/azure/cli/command_modules/role/custom.py", line 1821, in show_signed_in_user
    result = client.signed_in_user_get()
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.11/site-packages/azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 224, in signed_in_user_get
    result = self._send("GET", "/me")
             ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.11/site-packages/azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 55, in _send
    raise GraphError(ex.response.json()['error']['message'], ex.response) from ex
azure.cli.command_modules.role._msgrpah._graph_client.GraphError: Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/az/lib/python3.11/site-packages/knack/cli.py", line 233, in invoke
    cmd_result = self.invocation.execute(args)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 664, in execute
    raise ex
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 731, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/__init__.py", line 723, in _run_job
    return cmd_copy.exception_handler(ex)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.11/site-packages/azure/cli/command_modules/role/commands.py", line 50, in graph_err_handler
    raise CLIError(ex)
knack.util.CLIError: Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown.

cli.azure.cli.core.azclierror: Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown.
az_command_data_logger: Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown.
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7fbd388ed120>]
az_command_data_logger: exit code: 1
cli.main: Command ran in 0.427 seconds (init: 0.107, invoke: 0.320)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 3927 in cache
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "/opt/az/bin/python3 /opt/az/lib/python3.11/site-packages/azure/cli/telemetry/__init__.py /home/gavinbu/.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.

Expected behavior

To be returned the logged-in user's details, as we then grab the ID to grant permissions to.

Environment Summary

azure-cli 2.61.0

core 2.61.0
telemetry 1.1.0

Dependencies:
msal 1.28.0
azure-mgmt-resource 23.1.1

Python location '/opt/az/bin/python3'
Extensions directory '/home/gavinbu/.azure/cliextensions'

Python (Linux) 3.11.8 (main, May 16 2024, 03:50:12) [GCC 12.2.0]

Additional context

No response
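
Added example, not part of the original issue or of Azure CLI's code: the 401 response in the debug log carries a WWW-Authenticate header with error="insufficient_claims" and a base64 claims parameter, and this sketch parses such a header and decodes the claims so the challenge can be inspected. The function names and the sample header are constructed for illustration.

```python
import base64
import json
import re

# One auth-param, optionally preceded by the scheme name that opens a new challenge.
_PARAM = re.compile(
    r'(?:^|,)\s*(?:(?P<scheme>[A-Za-z][\w-]*)\s+)?(?P<key>[\w-]+)="(?P<val>[^"]*)"'
)

def parse_www_authenticate(header):
    """Split a WWW-Authenticate value into [(scheme, {param: value}), ...]."""
    challenges = []
    for m in _PARAM.finditer(header):
        if m.group("scheme") or not challenges:
            challenges.append((m.group("scheme") or "", {}))
        challenges[-1][1][m.group("key").lower()] = m.group("val")
    return challenges

def decode_claims(value):
    """Base64-decode the claims parameter (padding optional, either alphabet)."""
    padded = value + "=" * (-len(value) % 4)
    raw = base64.b64decode(padded.replace("-", "+").replace("_", "/"))
    return json.loads(raw)

def claims_challenge(status, headers):
    """Return the decoded claims of a 401 insufficient_claims Bearer challenge, else None."""
    if status != 401:
        return None
    value = next((v for k, v in headers.items() if k.lower() == "www-authenticate"), "")
    for scheme, params in parse_www_authenticate(value):
        if (scheme.lower() == "bearer"
                and params.get("error") == "insufficient_claims"
                and params.get("claims")):
            return decode_claims(params["claims"])
    return None

# Constructed sample response, same shape as the header in the debug log (values are made up).
SAMPLE_CLAIMS = {"access_token": {"nbf": {"essential": True, "value": "1700000000"}}}
_b64 = base64.b64encode(json.dumps(SAMPLE_CLAIMS).encode()).decode().rstrip("=")
SAMPLE_HEADERS = {
    "WWW-Authenticate": 'Bearer realm="", client_id="00000000-0000-0000-0000-000000000000", '
                        'error_description="Continuous access evaluation resulted in challenge", '
                        f'error="insufficient_claims", claims="{_b64}", '
                        'PoP realm="", nonce="constructed-nonce"'
}

if __name__ == "__main__":
    print(json.dumps(claims_challenge(401, SAMPLE_HEADERS), indent=2))
```

The decoded JSON is the value a client built on MSAL Python would pass as the claims_challenge argument when requesting a new token; the log above shows the cached token being used with claims=None.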

Labels

Auto-Assign: Auto assign by bot
Auto-Resolve: Auto resolve by bot
Azure CLI Team: The command of the issue is owned by Azure CLI team
Graph: (doesn't work with label-triggered comments; use Graph.Microsoft instead) az ad
Possible-Solution
Similar-Issue
act-identity-squad
customer-reported: Issues that are reported by GitHub users external to the Azure organization.
question: The issue doesn't require a change to the product in order to be resolved. Most issues start as that
