Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown.

[clumsyhands]

Describe the bug

What does this error mean? There is nothing online about it? I receive this error when running "az ad app" commands from a local Az CLI

Related command

az login
az ad app list

Errors

cli.azure.cli.core.azclierror: Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown.
az_command_data_logger: Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown.

Issue script & Debug output

cli.azure.cli.core.util: Response status: 401
cli.azure.cli.core.util: Response headers:
cli.azure.cli.core.util: 'Transfer-Encoding': 'chunked'
cli.azure.cli.core.util: 'Content-Type': 'application/json'
cli.azure.cli.core.util: 'Content-Encoding': 'gzip'
cli.azure.cli.core.util: 'Vary': 'Accept-Encoding'
cli.azure.cli.core.util: 'Strict-Transport-Security': 'max-age=31536000'
cli.azure.cli.core.util: 'request-id': 'ce3b4e87-736c-49ef-ad15-e1a49e05cb35'
cli.azure.cli.core.util: 'client-request-id': 'ce3b4e87-736c-49ef-ad15-e1a49e05cb35'
cli.azure.cli.core.util: 'x-ms-ags-diagnostic': '{"ServerInfo":{"DataCenter":"UK South","Slice":"E","Ring":"5","ScaleUnit":"004","RoleInstance":"LO1PEPF00001D5B"}}'
cli.azure.cli.core.util: 'WWW-Authenticate': 'Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="00000003-0000-0000-c000-000000000000", error_description="Continuous access evaluation resulted in challenge with result: InteractionRequired and code: TokenCreatedWithOutdatedPolicies", error="insufficient_claims", claims="eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwidmFsdWUiOiIxNzE4MTkwMTQyIn0sInhtc19ycF9pcGFkZHIiOnsidmFsdWUiOiIyMC42OC4yNDEuMzAifX19", PoP realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="00000003-0000-0000-c000-000000000000", nonce="eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjA1NjEyNTAxRDRFN0NGM0Q3RjYxOUUxNjMxQTQ4MDg1OTQyMTMyQjMifQ.eyJ0cyI6MTcxODE5MDEyMH0.M98MqWkUpDJpYBdGbUsbUKm_B28m-sYDP-BWgwWQY7qYvBrmsJmqDdZdDndeafHxfqlXoEhrIH-d8A2ahr1R--VIWBYEw53-l2uubWCFQOq6VrjbXCSB-hsOOu4uB86uhTD39yG_m5GuyVcVVtYZye2Ex6MHJzAzTwzcBmVrNxG3U9iXUR32dzP9l8dZhOaM7HaUHze9A_W1Efhv4BG2O82_a84U-GhPueo3jqn_H90VdBLup736XWcT6Gy2K6Fqp1sazW1qTJNwRFZaayMllYeBzSfjmBDBpMRjbe843IPEyH0blTfmDqWLgEbIgqgsl0mJUD4IBzW6ZFkdfKHWuA"'
cli.azure.cli.core.util: 'Date': 'Wed, 12 Jun 2024 11:02:22 GMT'
cli.azure.cli.core.util: Response content:
cli.azure.cli.core.util: {"error":{"code":"InvalidAuthenticationToken","message":"Exception of type 'Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException' was thrown.","innerError":{"date":"2024-06-12T11:02:22","request-id":"ce3b4e87-736c-49ef-ad15-e1a49e05cb35","client-request-id":"ce3b4e87-736c-49ef-ad15-e1a49e05cb35"}}}

Expected behavior

az ad app list should run without errors

Environment Summary

azure-cli 2.61.0

core 2.61.0
telemetry 1.1.0

Extensions:
azure-devops 1.0.1

Dependencies:
msal 1.28.0
azure-mgmt-resource 23.1.1

Additional context

No response

[yonzhan]

Thank you for opening this issue, we will look into it.

[SeanKilleen]

In case it's helpful to triangulate, I am now getting this error as of this morning using the azuread terraform provider with nothing having changed in my Terraform code. I'm filing something over there but I'll link it here.

[TimHodkin]

Hi,

I am seeing this same issue over the last few days.

I have found that bypassing a conditional access policy we have that is blocking based on geo network locations it then works fine. I could not make this work without bypassing this policy. To my knowledge we have not modified this CA in quite some time and is only blocking limited countries.

I am also seeing this with the AZ powershell module. Anything that tries to lookup Entra based object or references seems to fail.

`Get-AzRoleassignment: SharedTokenCacheCredential authentication unavailable. Token acquisition failed for user . Ensure that you have authenticated with a deveolper fool that supports Azure single sign on.
realm:
authorization_uri: https://logni.microsoftonline.com/common/oath2/authorize
client_id: 0000003-0000-0000-c000-000000000000
error_description: Continuous access evaluation resulted in challenge with result: InteractionRequired and code: LocationConditionEvaluationSatisfied
error: insufficient_claims

`