az login fails with "Please select the account you want to log in with" when using WAM #29188

@austindonnelly

Describe the bug

az login fails with:
WARNING: Please select the account you want to log in with.

If I disable WAM, then the browser popup happens, and there I can choose between my normal corp account, or my SC-Alt account.

Related command

az login

Errors

$ az login
WARNING: Please select the account you want to log in with.

Issue script & Debug output

$ az login --debug
DEBUG: cli.knack.cli: Command arguments: ['login', '--debug']
DEBUG: cli.knack.cli: init debug log:
Cannot enable color.
DEBUG: cli.knack.cli: Event: Cli.PreExecute []
DEBUG: cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x0000017FB00AF880>, <function OutputProducer.on_global_arguments at 0x0000017FB02360C0>, <function CLIQuery.on_global_arguments at 0x0000017FB0263C40>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
DEBUG: cli.azure.cli.core: Modules found from index for 'login': ['azure.cli.command_modules.profile']
DEBUG: cli.azure.cli.core: Loading command modules:
DEBUG: cli.azure.cli.core: Name Load Time Groups Commands
DEBUG: cli.azure.cli.core: profile 0.021 2 8
DEBUG: cli.azure.cli.core: Total (1) 0.021 2 8
DEBUG: cli.azure.cli.core: Loaded 2 groups, 8 commands.
DEBUG: cli.azure.cli.core: Found a match in the command table.
DEBUG: cli.azure.cli.core: Raw command : login
DEBUG: cli.azure.cli.core: Command table: login
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x0000017FB318E340>]
DEBUG: cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\austind\.azure\commands\2024-06-17.15-42-36.login.15428.log'.
INFO: az_command_data_logger: command args: login --debug
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x0000017FB31C67A0>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x0000017FB31F87C0>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x0000017FB31F8900>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x0000017FB0236160>, <function CLIQuery.handle_query_parameter at 0x0000017FB0263CE0>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x0000017FB31F8860>]
DEBUG: cli.azure.cli.core.auth.persistence: build_persistence: location='C:\Users\austind\.azure\msal_token_cache.bin', encrypt=True
DEBUG: cli.azure.cli.core.auth.binary_cache: load: C:\Users\austind\.azure\msal_http_cache.bin
DEBUG: urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
INFO: msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/organizations
DEBUG: msal.authority: openid_config("https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/organizations/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/{tenantid}/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/organizations/kerberos', 'tenant_region_scope': None, 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
DEBUG: msal.application: Broker enabled? True
DEBUG: msal.application: Falls back to broker._signin_interactively()
WARNING: cli.azure.cli.core.auth.identity: Please select the account you want to log in with.
DEBUG: msal.broker: [MSAL:0001] WARNING SetAuthorityString:98 Initializing authority from string 'https://login.microsoftonline.com/organizations' without authority type, defaulting to MsSts
DEBUG: msal.broker: [MSAL:0002] INFO SetCorrelationId:273 Set correlation ID: 9a60c761-2d22-45a7-a419-d616e6bf9dfe
DEBUG: msal.broker: [MSAL:0002] INFO ExecuteInteractiveRequest:1103 The original authority is 'https://login.microsoftonline.com/organizations'
DEBUG: msal.broker: [MSAL:0002] WARNING TryNormalizeRealm:2295 No HomeAccountId provided to normalize the realm
DEBUG: msal.broker: [MSAL:0002] INFO ExecuteInteractiveRequest:1114 The normalized realm is ''
DEBUG: msal.broker: [MSAL:0002] INFO ModifyAndValidateAuthParameters:191 Additional query parameter added successfully. Key: '(pii)' Value: '(pii)'
DEBUG: msal.broker: [MSAL:0002] INFO ModifyAndValidateAuthParameters:191 Additional query parameter added successfully. Key: '(pii)' Value: '(pii)'
DEBUG: msal.broker: [MSAL:0002] INFO ModifyAndValidateAuthParameters:215 Authority Realm: organizations
DEBUG: msal.broker: [MSAL:0003] WARNING ReturnResponseDueToMissingParameter:643 Attempted to read cache with a non-normalized realm, access token and ID token reads will fail
DEBUG: msal.broker: [MSAL:0003] WARNING ReadAccountById:227 Account id is empty - account not found

Expected behavior

az login should pop up WAM, to let me choose which of my 2 accounts I'd like to use.

Environment Summary

$ az --version
azure-cli 2.61.0

core 2.61.0
telemetry 1.1.0

Dependencies:
msal 1.28.0
azure-mgmt-resource 23.1.1

Python location 'C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\austind\.azure\cliextensions'

Python (Windows) 3.11.8 (tags/v3.11.8:db85d51, Feb 6 2024, 22:03:32) [MSC v.1937 64 bit (AMD64)]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

Additional context

Work-around is to disable WAM:

az config set core.enable_broker_on_windows=false
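
For triaging similar reports, the following added example (not part of the original issue and not Azure CLI code) parses `az login --debug` output and summarises the authentication path it records. The sample lines are copied from the debug output above; the function names and the matching heuristic are assumptions made for illustration, not a confirmed root cause.

```python
import re

# Lines copied from the failing `az login --debug` output in the report above.
FAILING_LOG = """\
INFO: msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/organizations
DEBUG: msal.application: Broker enabled? True
DEBUG: msal.application: Falls back to broker._signin_interactively()
WARNING: cli.azure.cli.core.auth.identity: Please select the account you want to log in with.
DEBUG: msal.broker: [MSAL:0002] INFO SetCorrelationId:273 Set correlation ID: 9a60c761-2d22-45a7-a419-d616e6bf9dfe
DEBUG: msal.broker: [MSAL:0002] WARNING TryNormalizeRealm:2295 No HomeAccountId provided to normalize the realm
DEBUG: msal.broker: [MSAL:0003] WARNING ReadAccountById:227 Account id is empty - account not found
"""

# "LEVEL: logger: message", the outer format of the CLI log lines.
LINE = re.compile(r"^(?P<level>[A-Z]+): (?P<logger>[\w.]+): (?P<msg>.*)$")
# "[MSAL:nnnn] SEVERITY Function:line text", the inner format of msal.broker lines.
BROKER = re.compile(r"^\[MSAL:\d+\]\s+(?P<sev>[A-Z]+)\s+(?P<func>\w+):\d+\s+(?P<text>.*)$")

def triage(log_text):
    """Summarise the authentication path recorded in an `az login --debug` log."""
    r = {"authority": None, "broker_enabled": None, "broker_interactive": False,
         "account_prompt": False, "correlation_id": None, "broker_warnings": []}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # unprefixed lines such as "Cannot enable color."
        logger, msg = m["logger"], m["msg"]
        if logger == "msal.authority" and "authority: " in msg:
            r["authority"] = msg.split("authority: ", 1)[1]
        elif logger == "msal.application" and msg.startswith("Broker enabled?"):
            r["broker_enabled"] = msg.endswith("True")
        elif logger == "msal.application" and "broker._signin_interactively" in msg:
            r["broker_interactive"] = True
        elif msg.startswith("Please select the account"):
            r["account_prompt"] = True
        elif logger == "msal.broker" and (b := BROKER.match(msg)):
            if b["func"] == "SetCorrelationId":
                r["correlation_id"] = b["text"].rsplit(": ", 1)[-1]
            if b["sev"] == "WARNING":
                r["broker_warnings"].append((b["func"], b["text"]))
    return r

def matches_reported_pattern(r):
    """Heuristic (assumption): same broker path and empty-account warning as this report."""
    return bool(r["broker_enabled"] and r["broker_interactive"] and r["account_prompt"]
                and any(f == "ReadAccountById" for f, _ in r["broker_warnings"]))
```

Calling `triage(FAILING_LOG)` returns the authority, broker state, correlation ID and the list of `msal.broker` warnings, which is the minimum worth attaching when escalating a broker sign-in failure.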


Labels

Account: az login/account
Auto-Assign: Auto assign by bot
Azure CLI Team: The command of the issue is owned by Azure CLI team
Configure: az configure/config
OKR Candidate: This label is used to track how many GitHub issues we have resolved for OKR purpose.
customer-reported: Issues that are reported by GitHub users external to the Azure organization.
needs-team-attention: This issue needs attention from Azure service team or SDK team
question: The issue doesn't require a change to the product in order to be resolved. Most issues start as that
