[Reference feedback]: az login --scope requires access to ARM? #30769
Status: Open
Labels: Account (az login/account), Auto-Assign, Azure CLI Team, act-identity-squad, needs-triage, question
Description
Type of issue: Other (describe below)
Reference command name
I'm doing cross-cloud authentication from Mooncake to the public cloud using FIC.
After getting an FIC token that can be used in the public cloud, I try to log in using this command:
```shell
az login --service-principal \
  --allow-no-subscriptions \
  --username $client_id \
  --tenant $tenant_id \
  --scope https://storage.azure.com/.default \
  --federated-token $ficToken
```

```text
AADSTS700265: The identity '<>' is not authorized to impersonate the identity '<>' to access resource '<>'. Trace ID: c9976485-2db9-45f8-a847-e42bb0ed0900 Correlation ID: b4c0e723-cdf8-4cd3-a4f1-17567639e99d Timestamp: 2025-02-05 09:10:11Z
```
The resource ID is ARM, and after checking the internal doc it is a first-party app.
Notice this log line:

```text
cli.azure.cli.core.auth.msal_credentials: ServicePrincipalCredential.get_token: scopes=('https://management.core.windows.net//.default',)
```
Azure CLI tries to get a token for the ARM scope while I specify the storage scope.
I would like to know: does `az login` with an explicit scope still require access to ARM? And can I bypass it with some argument?
This FIC token is valid, as I can use it to get an access token for a storage account in the public cloud from the Mooncake environment:
```shell
curl -X POST -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  -d "client_id=$client_id" \
  -d "client_assertion=$ficToken" \
  -d "client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer" \
  -d "scope=https://storage.azure.com/.default" \
  "https://login.microsoftonline.com/$tenant_id/oauth2/v2.0/token"
```
Feedback
```shell
az login --service-principal \
  --allow-no-subscriptions \
  --username $client_id \
  --tenant $tenant_id \
  --scope https://storage.azure.com/.default \
  --federated-token $ficToken --debug
```
```text
cli.knack.cli: Command arguments: ['login', '--service-principal', '--allow-no-subscriptions', '--username', '<>', '--tenant', '<>', '--scope', 'https://storage.azure.com/.default', '--federated-token', '<>', '--debug']
cli.knack.cli: __init__ debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x7b2acf877740>, <function OutputProducer.on_global_arguments at 0x7b2acf5d6700>, <function CLIQuery.on_global_arguments at 0x7b2acf61bc40>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'login': ['azure.cli.command_modules.profile']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name        Load Time    Groups    Commands
cli.azure.cli.core: profile         0.003         2           8
cli.azure.cli.core: Total (1)       0.003         2           8
cli.azure.cli.core: Loaded 2 groups, 8 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command  : login
cli.azure.cli.core: Command table: login
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x7b2ace85ed40>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/home/myadmin/.azure/commands/2025-02-06.03-56-48.login.2952.log'.
az_command_data_logger: command args: login --service-principal --allow-no-subscriptions --username {} --tenant {} --scope {} --federated-token {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x7b2ace89fce0>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x7b2ace8ce0c0>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x7b2ace8ce200>, <function register_upcoming_breaking_change_info.<locals>.update_breaking_change_info at 0x7b2ace8ce2a0>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x7b2acf5d67a0>, <function CLIQuery.handle_query_parameter at 0x7b2acf61bce0>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x7b2ace8ce160>]
cli.azure.cli.core.auth.persistence: build_persistence: location='/home/myadmin/.azure/msal_token_cache.json', encrypt=False
cli.azure.cli.core.auth.binary_cache: load: /home/myadmin/.azure/msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/<>
msal.authority: openid_config("https://login.microsoftonline.com/<>/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/<>/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/<>/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/<>/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/<>/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/<>/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/<>/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/<>/kerberos', 'tenant_region_scope': 'WW', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? None
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: f6a6559d-bd58-426d-a30b-bf591466654d
cli.azure.cli.core.auth.persistence: build_persistence: location='/home/myadmin/.azure/service_principal_entries.json', encrypt=False
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/<>
msal.authority: openid_config("https://login.microsoftonline.com/<>/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/<>/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/<>/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/<>/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/<>/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/<>/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/<>/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/<>/kerberos', 'tenant_region_scope': 'WW', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? None
cli.azure.cli.core.auth.msal_credentials: ServicePrincipalCredential.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
msal.telemetry: Generate or reuse correlation_id: c43332aa-f29d-4e25-9c9c-7145af5f6a48
urllib3.connectionpool: Starting new HTTPS connection (1): login.microsoftonline.com:443
urllib3.connectionpool: https://login.microsoftonline.com:443 "POST /<>/oauth2/v2.0/token HTTP/1.1" 401 620
cli.azure.cli.core.azclierror: Traceback (most recent call last):
  File "/opt/az/lib/python3.12/site-packages/knack/cli.py", line 233, in invoke
    cmd_result = self.invocation.execute(args)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 666, in execute
    raise ex
  File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 734, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 703, in _run_job
    result = cmd_copy(params)
             ^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 336, in __call__
    return self.handler(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/command_operation.py", line 120, in handler
    return op(**command_args)
           ^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/azure/cli/command_modules/profile/custom.py", line 173, in login
    subscriptions = profile.login(
                    ^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/azure/cli/core/_profile.py", line 201, in login
    subscriptions = subscription_finder.find_using_specific_tenant(tenant, credential)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/azure/cli/core/_profile.py", line 896, in find_using_specific_tenant
    for s in subscriptions:
             ^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/azure/core/paging.py", line 123, in __next__
    return next(self._page_iterator)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/azure/core/paging.py", line 75, in __next__
    self._response = self._get_next(self.continuation_token)
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/azure/mgmt/resource/subscriptions/v2022_12_01/operations/_operations.py", line 526, in get_next
    pipeline_response: PipelineResponse = self._client._pipeline.run(  # pylint: disable=protected-access
                                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/azure/core/pipeline/_base.py", line 229, in run
    return first_node.send(pipeline_request)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/azure/core/pipeline/_base.py", line 86, in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/azure/core/pipeline/_base.py", line 86, in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/azure/core/pipeline/_base.py", line 86, in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
  [Previous line repeated 2 more times]
  File "/opt/az/lib/python3.12/site-packages/azure/mgmt/core/policies/_base.py", line 47, in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/azure/core/pipeline/policies/_redirect.py", line 197, in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/azure/core/pipeline/policies/_retry.py", line 532, in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/azure/core/pipeline/policies/_authentication.py", line 145, in send
    self.on_request(request)
  File "/opt/az/lib/python3.12/site-packages/azure/core/pipeline/policies/_authentication.py", line 120, in on_request
    self._request_token(*self._scopes)
  File "/opt/az/lib/python3.12/site-packages/azure/core/pipeline/policies/_authentication.py", line 96, in _request_token
    self._token = cast(TokenCredential, self._credential).get_token(*scopes, **kwargs)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/azure/cli/core/auth/msal_credentials.py", line 111, in get_token
    check_result(result)
  File "/opt/az/lib/python3.12/site-packages/azure/cli/core/auth/util.py", line 128, in check_result
    aad_error_handler(result, **kwargs)
  File "/opt/az/lib/python3.12/site-packages/azure/cli/core/auth/util.py", line 53, in aad_error_handler
    raise AuthenticationError(error_description, msal_error=error, recommendation=recommendation)
azure.cli.core.azclierror.AuthenticationError: AADSTS700265: The identity '<>' is not authorized to impersonate the identity '<>' to access resource '<>'. Trace ID: 89a790b0-ff82-4484-9b8d-0c2149091600 Correlation ID: c43332aa-f29d-4e25-9c9c-7145af5f6a48 Timestamp: 2025-02-06 03:56:48Z
cli.azure.cli.core.azclierror: AADSTS700265: The identity '<>' is not authorized to impersonate the identity '<>' to access resource '<>'. Trace ID: 89a790b0-ff82-4484-9b8d-0c2149091600 Correlation ID: c43332aa-f29d-4e25-9c9c-7145af5f6a48 Timestamp: 2025-02-06 03:56:48Z
az_command_data_logger: AADSTS700265: The identity '<>' is not authorized to impersonate the identity '<>' to access resource '<>'. Trace ID: 89a790b0-ff82-4484-9b8d-0c2149091600 Correlation ID: c43332aa-f29d-4e25-9c9c-7145af5f6a48 Timestamp: 2025-02-06 03:56:48Z
Interactive authentication is needed. Please run:
az login
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7b2ace85efc0>]
az_command_data_logger: exit code: 1
cli.__main__: Command ran in 1.048 seconds (init: 0.204, invoke: 0.844)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 4109 in cache file under /home/myadmin/.azure/telemetry/20250206035649087
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "/opt/az/bin/python3 /opt/az/lib/python3.12/site-packages/azure/cli/telemetry/__init__.py /home/myadmin/.azure /home/myadmin/.azure/telemetry/20250206035649087"
telemetry.process: Return from creating process 2957
telemetry.main: Finish creating telemetry upload process.
```
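The two token requests the issue contrasts, as an added example in Python (not code from the issue or from the Azure CLI project): it builds the same `client_credentials` + `client_assertion` form body the curl command sends, derives a v2 `.default` scope from a resource identifier the way the CLI does (resource id plus `/.default`; the CLI's public-cloud ARM resource id carries a trailing slash, which is what produces the `//.default` in the debug log), extracts the scopes the CLI actually passed to `get_token` from `az --debug` output, and inspects a JWT's `aud` claim offline. The tenant ID, client ID, sample debug lines and sample token are constructed for the example; the token decoder deliberately does not verify the signature, so it is for inspection only and must never be used to decide whether to trust a token.

```python
"""Added example (not from the issue or the Azure CLI project): compare what the curl
exchange asks for with what `az login` asked for, and inspect the result offline."""
import base64
import json
import re
import urllib.parse

TOKEN_ENDPOINT_TMPL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
# Public-cloud ARM resource id as the CLI's endpoint table spells it, trailing slash included.
ARM_RESOURCE = "https://management.core.windows.net/"
STORAGE_RESOURCE = "https://storage.azure.com"


def default_scope(resource_id: str) -> str:
    """Resource id -> v2 '.default' scope, built as the CLI does: resource + '/.default'.
    ARM's trailing slash is why the debug log shows '...windows.net//.default'."""
    return resource_id + "/.default"


def scope_resource(scope: str) -> str:
    """Inverse of default_scope: strip the '/.default' suffix to get the resource id back."""
    return scope[: -len("/.default")] if scope.endswith("/.default") else scope


def build_fic_token_request(tenant: str, client_id: str, fic_token: str, scope: str):
    """(url, form_body) for the client_credentials + client_assertion exchange the curl does."""
    params = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_assertion": fic_token,
        "client_assertion_type": JWT_BEARER,
        "scope": scope,
    }
    return TOKEN_ENDPOINT_TMPL.format(tenant=tenant), urllib.parse.urlencode(params)


# Matches the msal_credentials line in `az --debug` output, e.g.
#   ...ServicePrincipalCredential.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
_SCOPE_LINE = re.compile(r"get_token: scopes=\((.*?)\)")


def requested_scopes(debug_output: str) -> list:
    """Every scope the CLI actually passed to get_token, in order, from az --debug output."""
    scopes = []
    for m in _SCOPE_LINE.finditer(debug_output):
        scopes.extend(s.strip().strip("'\"") for s in m.group(1).split(",") if s.strip())
    return scopes


def cli_asked_for_other_resources(debug_output: str, requested_scope: str) -> list:
    """Resources the CLI requested tokens for that differ from the --scope you passed."""
    wanted = scope_resource(requested_scope).rstrip("/")
    seen = {scope_resource(s).rstrip("/") for s in requested_scopes(debug_output)}
    return sorted(seen - {wanted})


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Payload of a compact JWT. The signature is NOT verified: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def audience_matches(token: str, resource_id: str) -> bool:
    """True if the token's aud is the given resource (trailing slash ignored)."""
    return jwt_claims(token).get("aud", "").rstrip("/") == resource_id.rstrip("/")


# ---- constructed sample data (not real tokens or log lines from a live system) ----
def _unsigned_jwt(claims: dict) -> str:
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."  # empty signature


SAMPLE_TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_STORAGE_TOKEN = _unsigned_jwt({
    "aud": STORAGE_RESOURCE,
    "iss": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/v2.0",
    "appid": "11111111-1111-1111-1111-111111111111",
})
SAMPLE_DEBUG = (
    "cli.knack.cli: Command arguments: ['login', '--service-principal', '--scope', "
    "'https://storage.azure.com/.default', '--federated-token', '<>', '--debug']\n"
    "cli.azure.cli.core.auth.msal_credentials: ServicePrincipalCredential.get_token: "
    "scopes=('https://management.core.windows.net//.default',), kwargs={}\n"
    'urllib3.connectionpool: https://login.microsoftonline.com:443 "POST /<>/oauth2/v2.0/token HTTP/1.1" 401 620\n'
)

if __name__ == "__main__":
    url, body = build_fic_token_request(SAMPLE_TENANT, "<client_id>", "<fic_token>", default_scope(STORAGE_RESOURCE))
    print(url, body, sep="\n")
    print("CLI requested:", requested_scopes(SAMPLE_DEBUG))
    print("resources beyond --scope:", cli_asked_for_other_resources(SAMPLE_DEBUG, default_scope(STORAGE_RESOURCE)))
    print("storage token usable against ARM?", audience_matches(SAMPLE_STORAGE_TOKEN, ARM_RESOURCE))
```

Run over the debug output in the post, `requested_scopes` returns only the ARM scope: the storage scope given to `--scope` never reaches a `get_token` call, because the login path goes on to enumerate subscriptions against ARM (`find_using_specific_tenant` in the traceback) even with `--allow-no-subscriptions`, and that ARM token request is the one Entra rejects with AADSTS700265. The `audience_matches` check shows the other side of the same point: a token whose `aud` is `https://storage.azure.com`, like the one the curl exchange returns, is not presentable to ARM, so the CLI cannot substitute it for the missing ARM token.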