Microsoft Azure CLI not compatible with device state conditional access

[magic-happenz]

Describe the bug

Hello,

I just setup a new WSL instance and noticed that az login seems no longer work.
The first problem I encounter is the missing browser opening already mentioned in multiple open issues such as: #27879.
But worse is the incompatibility with conditional access policies that check on device state.

Related command

az login

Errors

In Browser:
Authentication failed access_denied: $error_description. ($error_uri)

In Console:
Operation not supported
None
Interactive authentication is needed. Please run:
az login

Issue script & Debug output

msal.oauth2cli.authcode: Got auth response: {'error': 'access_denied', 'error_subcode': 'cancel', 'state': 'bIADrGdEnUwiemoN'}
msal.oauth2cli.authcode: "GET /?error=access_denied&error_subcode=cancel&state=bIADrGdEnUwiemoN HTTP/1.1" 200 -
cli.azure.cli.core.azclierror: Traceback (most recent call last):
File "/opt/az/lib/python3.12/site-packages/knack/cli.py", line 233, in invoke
cmd_result = self.invocation.execute(args)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/init.py", line 666, in execute
raise ex
File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/init.py", line 733, in _run_jobs_serially
results.append(self._run_job(expanded_arg, cmd_copy))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/init.py", line 703, in _run_job
result = cmd_copy(params)
^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/init.py", line 336, in call
return self.handler(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/command_operation.py", line 121, in handler
return op(**command_args)
^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/azure/cli/command_modules/profile/custom.py", line 173, in login
subscriptions = profile.login(
^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/azure/cli/core/_profile.py", line 176, in login
user_identity = identity.login_with_auth_code(scopes=scopes, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/azure/cli/core/auth/identity.py", line 173, in login_with_auth_code
return check_result(result)
^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/azure/cli/core/auth/util.py", line 149, in check_result
aad_error_handler(result, **kwargs)
File "/opt/az/lib/python3.12/site-packages/azure/cli/core/auth/util.py", line 53, in aad_error_handler
raise AuthenticationError(error_description, msal_error=error, recommendation=recommendation)
azure.cli.core.azclierror.AuthenticationError: None

cli.azure.cli.core.azclierror: None
az_command_data_logger: None
Interactive authentication is needed. Please run:
az login
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7f31bb8bae80>]
az_command_data_logger: exit code: 1
cli.main: Command ran in 16.640 seconds (init: 0.138, invoke: 16.503)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 3546 in cache file under /home/user/.azure/telemetry/20241224113051999
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "/opt/az/bin/python3 /opt/az/lib/python3.12/site-packages/azure/cli/telemetry/init.py /home/user/.azure /home/user/.azure/telemetry/20241224113051999"
telemetry.process: Return from creating process 1255
telemetry.main: Finish creating telemetry upload process.

Expected behavior

Successfully login to the CLI.

Environment Summary

azure-cli 2.67.0

core 2.67.0
telemetry 1.1.0

Dependencies:
msal 1.31.0
azure-mgmt-resource 23.1.1

Python location '/opt/az/bin/python3'
Extensions directory '/home/user/.azure/cliextensions'

Python (Linux) 3.12.7 (main, Nov 13 2024, 04:06:34) [GCC 13.2.0]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

Additional context

To reproduce:

• Install Azure CLI on WSL
• Run az login
• Note Operation not supported
• Click the link from the console anyways
• Sign in
• Get the following message
  
• On click Ok receive error: Authentication failed access_denied: $error_description. ($error_uri)

[yonzhan]

Thank you for opening this issue, we will look into it.

[github-actions]

Here are some similar issues that might help you. Please check if they can solve your problem.

• az login fails from Linux box: AADSTS50005: User tried to log in to a device from a platform (Unknown) #16401

---

Possible solution (Extracted from existing issue, might be incorrect; please verify carefully)

Solutions

Log in with web browser

Initialize auth code flow which uses a web browser (without --use-device-code):

az login

Log in with service principal

If a web browser is not available, you may create a service principal on a supported system - Windows or Mac, with either Azure Portal or Azure CLI command:

az ad sp create-for-rbac --role xxx --scopes xxx

Then log in with the service principal on Linux:

az login --service-principal --username xxx --password xxx --tenant xxx

Reference:

• az login fails from Linux box: AADSTS50005: User tried to log in to a device from a platform (Unknown) #16401 (comment)

[jiasli]

The error message indicates your device is not registered:

The error is returned by Microsoft Entra ID, not Azure CLI, so I don't think it is related to running Azure CLI in WSL. If you install Azure CLI directly on Windows (https://learn.microsoft.com/en-us/cli/azure/install-azure-cli-windows?tabs=azure-cli) and run az login, it is very likely you will see the same error message.

I would recommend double check your organization's policy and register your device accordingly.

[magic-happenz]

@jiasli thank you for the reply. My device is registered actually and as I am administrator of my company's policies I can tell you that the policy is not supposed to apply to this use case. Browser Auth is excluded. That means something in the Auth process of Azure CLI is telling Entra that it's a client app and not a browser. So why is that?
Works with device login flow by the way.