az account get-access-token failing in docker image but succeeds on host windows desktop

[jayman-dalal]

Describe the bug

I can acquire an access token from the host desktop windows pc (24H2 OS Build 26100.4349). However, when trying to acquire the same on docker image mounted on docker desktop (Docker version 28.1.1, build 4eba377), I get the error:

az account get-access-token --output json --resource https://kusto.kusto.windows.net
AADSTS70043: The refresh token has expired or is invalid due to sign-in frequency checks by conditional access. The token was issued on 2025-06-12T17:47:44.4543868Z and the maximum allowed lifetime for this request is 43200. Trace ID: 084459e9-579c-4168-baeb-0995f01b0700 Correlation ID: dfbb9257-7de8-45c0-b0b9-070c51433adb Timestamp: 2025-06-19 12:18:57Z

I can run az account show in the docker desktop image and it outputs same information as running on windows pc desktop. I have attempted both network_mode=host and bridge network driver, but it is failing. This error blocks me from trying to run Kusto queries on the docker image in my automation agent, which I can successfully do on the host. I have the VPN turned on for the host PC. If I do the az login --scope https://kusto.kusto.windows.net/.default as suggested from the output, it requires me to do interactive login using device code. When I try to do that on the host desktop PC's browser, I get the error below:

Your sign-in was successful but does not meet the criteria to access this resource. For example, you might be signing in from a browser, app, location, or an authentication flow that is restricted by your admin.
Error Code: 53003
Request Id: 4244032e-ad59-4be7-9227-8ff660a90600
Correlation Id: de4024e1-98d7-4d9d-8bea-b948b0ad2da4
Timestamp: 2025-06-19T13:10:30.885Z
App name: Microsoft Azure CLI
App id: 04b07795-8ddb-461a-bbee-02f9e1bf7b46
IP address: 50.35.38.11
Device identifier: 5de25f00-fb57-42bb-8b18-11ade8b7d354
Device platform: Windows 10
Device state: Compliant

Please see https://gist.github.com/jayman-dalal/b6aca9832a5ac262a6ae4b109b30a466 for my backend dockerfile and docker-compose.yaml.

Related command

az account get-access-token --output json --resource https://kusto.kusto.windows.net

Errors

az account get-access-token --output json --resource https://kusto.kusto.windows.net

Issue script & Debug output

$ az account get-access-token --output json --resource https://kusto.kusto.windows.net --debug
cli.knack.cli: Command arguments: ['account', 'get-access-token', '--output', 'json', '--resource', 'https://kusto.kusto.windows.net', '--debug']
cli.knack.cli: __init__ debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x7f3e2afa7880>, <function OutputProducer.on_global_arguments at 0x7f3e2acf27a0>, <function CLIQuery.on_global_arguments at 0x7f3e2ad37ce0>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'account': ['azure.cli.command_modules.profile', 'azure.cli.command_modules.resource']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name                  Load Time    Groups  Commands
cli.azure.cli.core: profile                   0.002         2         8
cli.azure.cli.core: resource                  0.119        52       232
cli.azure.cli.core: Total (2)                 0.121        54       240
cli.azure.cli.core: Loaded 53 groups, 240 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command  : account get-access-token
cli.azure.cli.core: Command table: account get-access-token
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x7f3e29f38180>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/home/appuser/.azure/commands/2025-06-19.12-54-22.account_get-access-token.678.log'.
az_command_data_logger: command args: account get-access-token --output {} --resource {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x7f3e29f8ee80>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x7f3e29f8ef20>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x7f3e29f8f060>, <function register_upcoming_breaking_change_info.<locals>.update_breaking_change_info at 0x7f3e29f8f100>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x7f3e2acf2840>, <function CLIQuery.handle_query_parameter at 0x7f3e2ad37d80>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x7f3e29f8efc0>]
cli.azure.cli.core.auth.persistence: build_persistence: location='/home/appuser/.azure/msal_token_cache.json', encrypt=False
cli.azure.cli.core.auth.binary_cache: load: /home/appuser/.azure/msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47
msal.authority: openid_config("https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/kerberos', 'tenant_region_scope': 'WW', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? None
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://kusto.kusto.windows.net/.default',), kwargs={}
cli.azure.cli.core.auth.msal_credentials: UserCredential.acquire_token: scopes=['https://kusto.kusto.windows.net/.default'], claims_challenge=None, kwargs={}
msal.application: Found 1 RTs matching {'environment': 'login.microsoftonline.com', 'home_account_id': '********.72f988bf-86f1-41af-91ab-2d7cd011db47', 'family_id': '1'}
msal.telemetry: Generate or reuse correlation_id: 9e47c9be-c156-461f-b517-c90a2ca1e1cd
msal.application: Cache attempts an RT
cli.azure.cli.core.auth.binary_cache: save: /home/appuser/.azure/msal_http_cache.bin
cli.azure.cli.core.auth.binary_cache: save: /home/appuser/.azure/msal_http_cache.bin
urllib3.connectionpool: Starting new HTTPS connection (1): login.microsoftonline.com:443
urllib3.connectionpool: https://login.microsoftonline.com:443 "POST /72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/token HTTP/1.1" 400 594
cli.azure.cli.core.auth.binary_cache: save: /home/appuser/.azure/msal_http_cache.bin
cli.azure.cli.core.auth.binary_cache: save: /home/appuser/.azure/msal_http_cache.bin
msal.application: Refresh failed. invalid_grant: AADSTS70043: The refresh token has expired or is invalid due to sign-in frequency checks by conditional access. The token was issued on 2025-06-12T17:47:44.4543868Z and the maximum allowed lifetime for this request is 43200. Trace ID: b4c31bc5-6cb0-4f87-8174-3ac01a950800 Correlation ID: 9e47c9be-c156-461f-b517-c90a2ca1e1cd Timestamp: 2025-06-19 12:54:23Z
msal.application: Found 1 RTs matching {'environment': 'login.microsoftonline.com', 'home_account_id': '********.72f988bf-86f1-41af-91ab-2d7cd011db47', 'client_id': '04b07795-8ddb-461a-bbee-02f9e1bf7b46'}
msal.telemetry: Generate or reuse correlation_id: 9e47c9be-c156-461f-b517-c90a2ca1e1cd
msal.application: Cache attempts an RT
msal.application: Refresh failed. invalid_grant: AADSTS70043: The refresh token has expired or is invalid due to sign-in frequency checks by conditional access. The token was issued on 2025-06-12T17:47:44.4543868Z and the maximum allowed lifetime for this request is 43200. Trace ID: b4c31bc5-6cb0-4f87-8174-3ac01a950800 Correlation ID: 9e47c9be-c156-461f-b517-c90a2ca1e1cd Timestamp: 2025-06-19 12:54:23Z
cli.azure.cli.core.azclierror: Traceback (most recent call last):
  File "/opt/az/lib/python3.12/site-packages/knack/cli.py", line 233, in invoke
    cmd_result = self.invocation.execute(args)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 666, in execute
    raise ex
  File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 734, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 703, in _run_job
    result = cmd_copy(params)
             ^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 336, in __call__
    return self.handler(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/command_operation.py", line 120, in handler
    return op(**command_args)
           ^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/azure/cli/command_modules/profile/custom.py", line 89, in get_access_token
    creds, subscription, tenant = profile.get_raw_token(subscription=subscription, resource=resource, scopes=scopes,
                                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/azure/cli/core/_profile.py", line 449, in get_raw_token
    sdk_token = sdk_cred.get_token(*scopes)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/azure/cli/core/auth/credential_adaptor.py", line 33, in get_token
    msal_result = self._credential.acquire_token(list(scopes), **msal_kwargs)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/azure/cli/core/auth/msal_credentials.py", line 62, in acquire_token
    check_result(result, scopes=scopes, claims_challenge=claims_challenge)
  File "/opt/az/lib/python3.12/site-packages/azure/cli/core/auth/util.py", line 128, in check_result
    aad_error_handler(result, **kwargs)
  File "/opt/az/lib/python3.12/site-packages/azure/cli/core/auth/util.py", line 53, in aad_error_handler
    raise AuthenticationError(error_description, msal_error=error, recommendation=recommendation)
azure.cli.core.azclierror.AuthenticationError: AADSTS70043: The refresh token has expired or is invalid due to sign-in frequency checks by conditional access. The token was issued on 2025-06-12T17:47:44.4543868Z and the maximum allowed lifetime for this request is 43200. Trace ID: b4c31bc5-6cb0-4f87-8174-3ac01a950800 Correlation ID: 9e47c9be-c156-461f-b517-c90a2ca1e1cd Timestamp: 2025-06-19 12:54:23Z

cli.azure.cli.core.azclierror: AADSTS70043: The refresh token has expired or is invalid due to sign-in frequency checks by conditional access. The token was issued on 2025-06-12T17:47:44.4543868Z and the maximum allowed lifetime for this request is 43200. Trace ID: b4c31bc5-6cb0-4f87-8174-3ac01a950800 Correlation ID: 9e47c9be-c156-461f-b517-c90a2ca1e1cd Timestamp: 2025-06-19 12:54:23Z
az_command_data_logger: AADSTS70043: The refresh token has expired or is invalid due to sign-in frequency checks by conditional access. The token was issued on 2025-06-12T17:47:44.4543868Z and the maximum allowed lifetime for this request is 43200. Trace ID: b4c31bc5-6cb0-4f87-8174-3ac01a950800 Correlation ID: 9e47c9be-c156-461f-b517-c90a2ca1e1cd Timestamp: 2025-06-19 12:54:23Z
Interactive authentication is needed. Please run:
az login --scope https://kusto.kusto.windows.net/.default
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7f3e29f38400>]
az_command_data_logger: exit code: 1
cli.__main__: Command ran in 1.117 seconds (init: 0.313, invoke: 0.804)

Expected behavior

Consistent behavior on acquiring access token on docker image as it is on host PC.

Environment Summary

$ az --version
azure-cli 2.74.0

core 2.74.0
telemetry 1.1.0

Dependencies:
msal 1.32.3
azure-mgmt-resource 23.3.0

Python location '/opt/az/bin/python3'
Config directory '/home/appuser/.azure'
Extensions directory '/home/appuser/.azure/cliextensions'

Python (Linux) 3.12.10 (main, May 27 2025, 09:13:03) [GCC 12.2.0]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

Additional context

No response

[yonzhan]

Thank you for opening this issue, we will look into it.

[jiasli]

AADSTS70043: The refresh token has expired or is invalid due to sign-in frequency checks by conditional access. The token was issued on 2025-06-12T17:47:44.4543868Z and the maximum allowed lifetime for this request is 43200.

The error message indicates the refresh token has expired. You need to re-login with az login to get a new refresh token.

I used Azure CLI's docker image:

docker run -it mcr.microsoft.com/azure-cli

Then logged in with

az login --use-device-code --scope https://kusto.kusto.windows.net/.default --tenant 72f988bf-86f1-41af-91ab-2d7cd011db47

and finished the device code flow on my host Windows PC. I could log in successfully without seeing 53003.

Do you see the same error 53003 when you run az login --use-device-code --scope https://kusto.kusto.windows.net/.default --tenant 72f988bf-86f1-41af-91ab-2d7cd011db47 on your Windows PC?

Also, have you tried using Microsoft Edge to do the device code login?

[jayman-dalal]

Thanks for the quick response.

Also, have you tried using Microsoft Edge to do the device code login?

Yes. I am using Edge Browser. I tried both In Private mode and regular work profile. I still get the same Error Code: 53003

Do you see the same error 53003 when you run az login --use-device-code --scope https://kusto.kusto.windows.net/.default --tenant 72f988bf-86f1-41af-91ab-2d7cd011db47 on your Windows PC?

Yes. I see the same error code on host windows PC (physical). I also tried the command and logging in from edge browser on a devbox pc in cloud and got the same error.

I used Azure CLI's docker image:

docker run -it mcr.microsoft.com/azure-cli

Then logged in with

az login --use-device-code --scope https://kusto.kusto.windows.net/.default --tenant 72f988bf-86f1-41af-91ab-2d7cd011db47

and finished the device code flow on my host Windows PC. I could log in successfully without seeing 53003.

I tried downloading the azure-cli image and running the login on it in my docker desktop and got the same error.

Note. Both the commands works below on host PC and container. So I suspect the Kusto scope is special and PC or account is not compliant since it is working for you.

az login --tenant 72f988bf-86f1-41af-91ab-2d7cd011db47
az login --use-device-code --tenant 72f988bf-86f1-41af-91ab-2d7cd011db47

Any other thoughts/ideas?

[jayman-dalal]

Additional Info.
Command below succeeds on Host PC and I can get the token, but fails on container.
az account get-access-token --resource https://servicetreepublic.westus.kusto.windows.net/ --tenant 72f988bf-86f1-41af-91ab-2d7cd011db47

The error in container is:

AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance. Trace ID: 049f5b31-da5a-46ca-a341-cc6f959a4000 Correlation ID: 284dc37f-21e5-4af0-aa16-7e6dad3c5dcb Timestamp: 2025-06-20 17:06:55Z
Interactive authentication is needed. Please run:
az login --scope https://servicetreepublic.westus.kusto.windows.net//.default

When I run az login --scope https://servicetreepublic.westus.kusto.windows.net//.default on container and login using browser on host, it fails it fails with error 53003.
When I run az login --scope https://servicetreepublic.westus.kusto.windows.net//.default on host PC it succeeds. But when I run az login --scope https://servicetreepublic.westus.kusto.windows.net//.default **--use-device-code** on host PC, it fails with 53003