keyvault secret show fail with "Access has been blocked by Conditional Access policies" on ubuntu WSL

[noam-shapira]

Describe the bug

az keyvault secret show while running from ubuntu WSL
same command from windows environment works

Related command

Similar errors appear during az login, but the command succussed

➜ ~ az login --use-device-code
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code DRCJY6YBU to authenticate.

Retrieving tenants and subscriptions for the selection...
Authentication failed against tenant 1a092f68-5741-455a-8057-2acdb897a850 'HMGAdmin': AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance. Trace ID: 81466617-1ad3-4b74-9c53-6e7ce0a46400 Correlation ID: d8f625a0-e877-4e5d-8759-2a62a9f69d76 Timestamp: 2025-06-24 08:46:52Z
Authentication failed against tenant 203be6f5-25dc-424d-ab25-a3f55302774a 'Financial Fabric Chronos': AADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access '797f4846-ba00-4fd7-ba43-dac1f8f63013'. Trace ID: 927b7f9a-8862-41a3-b718-8f73f5662e00 Correlation ID: ad2483f2-3222-4a7e-8bf6-b5a2636694ee Timestamp: 2025-06-24 08:46:53Z
Authentication failed against tenant 2d89ee00-0440-46ed-8f09-68e286bcb9b2 'a365rpsftenant': AADSTS5000224: We are sorry, this resource is not available. If you are seeing this message by mistake, please contact Microsoft support. Trace ID: 961bc61d-98dc-447a-a290-4a19ebe33300 Correlation ID: 4fcb59d9-e1f7-4e37-ad87-536afb01d8e2 Timestamp: 2025-06-24 08:46:53Z
Authentication failed against tenant 88087633-6b2c-430e-b961-4edb0675d5ad 'noamTest': AADSTS5000224: We are sorry, this resource is not available. If you are seeing this message by mistake, please contact Microsoft support. Trace ID: ae1b1407-c979-4a31-9ebf-4ac4261e3e00 Correlation ID: 2e7e2515-3f78-4d3d-a262-caf09839320b Timestamp: 2025-06-24 08:46:54Z

Errors

AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance. Trace ID: 0424de61-ddc1-4820-9951-3c9fa8417f00 Correlation ID: 33adf90c-171e-42a5-b767-cd2f88d03d9c Timestamp: 2025-06-24 08:47:36Z

Issue script & Debug output

➜ ~ az keyvault secret show --debug --vault-name kustokeyvaultdev --name TridentE2ETenantUser1
cli.knack.cli: Command arguments: ['keyvault', 'secret', 'show', '--debug', '--vault-name', 'kustokeyvaultdev', '--name', 'TridentE2ETenantUser1']
cli.knack.cli: init debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x7ffa0da5f880>, <function OutputProducer.on_global_arguments at 0x7ffa0d7aa7a0>, <function CLIQuery.on_global_arguments at 0x7ffa0d7efce0>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'keyvault': ['azure.cli.command_modules.keyvault']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: keyvault 0.010 20 114
cli.azure.cli.core: Total (1) 0.010 20 114
cli.azure.cli.core: Loaded 20 groups, 114 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : keyvault secret show
cli.azure.cli.core: Command table: keyvault secret show
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x7ffa0c94c180>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/home/noshapir/.azure/commands/2025-06-24.09-01-22.keyvault_secret_show.17689.log'.
az_command_data_logger: command args: keyvault secret show --debug --vault-name {} --name {}
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0x7ffa0c9a4680>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x7ffa0c9a6e80>, <function register_cache_arguments..add_cache_arguments at 0x7ffa0c9a6fc0>, <function register_upcoming_breaking_change_info..update_breaking_change_info at 0x7ffa0c9a7060>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x7ffa0d7aa840>, <function CLIQuery.handle_query_parameter at 0x7ffa0d7efd80>, <function register_ids_argument..parse_ids_arguments at 0x7ffa0c9a6f20>]
cli.azure.cli.core.auth.persistence: build_persistence: location='/home/noshapir/.azure/msal_token_cache.json', encrypt=False
cli.azure.cli.core.auth.binary_cache: load: /home/noshapir/.azure/msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47
msal.authority: openid_config("https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/kerberos', 'tenant_region_scope': 'WW', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? None
cli.azure.cli.core.sdk.policies: Request URL: 'https://kustokeyvaultdev.vault.azure.net/secrets/TridentE2ETenantUser1/?api-version=7.4'
cli.azure.cli.core.sdk.policies: Request method: 'GET'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies: 'Accept': 'application/json'
cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': 'cd18e586-50d9-11f0-b32b-00155d2e28f0'
cli.azure.cli.core.sdk.policies: 'CommandName': 'keyvault secret show'
cli.azure.cli.core.sdk.policies: 'ParameterSetName': '--debug --vault-name --name'
cli.azure.cli.core.sdk.policies: 'User-Agent': 'AZURECLI/2.74.0 (DEB) azsdk-python-core/1.31.0 Python/3.12.10 (Linux-5.15.167.4-microsoft-standard-WSL2-x86_64-with-glibc2.39)'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: This request has no body
urllib3.connectionpool: Starting new HTTPS connection (1): kustokeyvaultdev.vault.azure.net:443
urllib3.connectionpool: https://kustokeyvaultdev.vault.azure.net:443 "GET /secrets/TridentE2ETenantUser1/?api-version=7.4 HTTP/1.1" 401 97
cli.azure.cli.core.sdk.policies: Response status: 401
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies: 'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies: 'Expires': '-1'
cli.azure.cli.core.sdk.policies: 'x-ms-keyvault-region': 'eastus'
cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': 'cd18e586-50d9-11f0-b32b-00155d2e28f0'
cli.azure.cli.core.sdk.policies: 'x-ms-request-id': 'a65cba7a-c8d3-4702-bc4c-cf630a877fcd'
cli.azure.cli.core.sdk.policies: 'x-ms-keyvault-service-version': '1.9.2497.1'
cli.azure.cli.core.sdk.policies: 'x-ms-keyvault-network-info': 'conn_type=Ipv4;addr=20.160.68.60;act_addr_fam=InterNetwork;'
cli.azure.cli.core.sdk.policies: 'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies: 'Strict-Transport-Security': 'max-age=31536000;includeSubDomains'
cli.azure.cli.core.sdk.policies: 'WWW-Authenticate': 'Bearer authorization="https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47", resource="https://vault.azure.net"'
cli.azure.cli.core.sdk.policies: 'Date': 'Tue, 24 Jun 2025 09:01:23 GMT'
cli.azure.cli.core.sdk.policies: 'Content-Length': '97'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"error":{"code":"Unauthorized","message":"AKV10000: Request is missing a Bearer or PoP token."}}
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token_info: scopes=('https://vault.azure.net/.default',), options={'tenant_id': '72f988bf-86f1-41af-91ab-2d7cd011db47'}
cli.azure.cli.core.auth.msal_credentials: UserCredential.acquire_token: scopes=['https://vault.azure.net/.default'], claims_challenge=None, kwargs={}
msal.application: Found 1 RTs matching {'environment': 'login.microsoftonline.com', 'home_account_id': '.72f988bf-86f1-41af-91ab-2d7cd011db47', 'family_id': '1'}
msal.telemetry: Generate or reuse correlation_id: 1d69ca0a-0340-45ca-a1b1-720b28ebe2d3
msal.application: Cache attempts an RT
cli.azure.cli.core.auth.binary_cache: save: /home/noshapir/.azure/msal_http_cache.bin
cli.azure.cli.core.auth.binary_cache: save: /home/noshapir/.azure/msal_http_cache.bin
urllib3.connectionpool: Starting new HTTPS connection (1): login.microsoftonline.com:443
urllib3.connectionpool: https://login.microsoftonline.com:443 "POST /72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/token HTTP/1.1" 400 551
cli.azure.cli.core.auth.binary_cache: save: /home/noshapir/.azure/msal_http_cache.bin
cli.azure.cli.core.auth.binary_cache: save: /home/noshapir/.azure/msal_http_cache.bin
cli.azure.cli.core.auth.binary_cache: save: /home/noshapir/.azure/msal_http_cache.bin
cli.azure.cli.core.auth.binary_cache: save: /home/noshapir/.azure/msal_http_cache.bin
cli.azure.cli.core.auth.binary_cache: save: /home/noshapir/.azure/msal_http_cache.bin
cli.azure.cli.core.auth.binary_cache: save: /home/noshapir/.azure/msal_http_cache.bin
msal.application: Refresh failed. invalid_grant: AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance. Trace ID: a998bcc7-a002-490a-a582-b6bf25847700 Correlation ID: 1d69ca0a-0340-45ca-a1b1-720b28ebe2d3 Timestamp: 2025-06-24 09:01:24Z
msal.application: Found 1 RTs matching {'environment': 'login.microsoftonline.com', 'home_account_id': '.72f988bf-86f1-41af-91ab-2d7cd011db47', 'client_id': '04b07795-8ddb-461a-bbee-02f9e1bf7b46'}
msal.telemetry: Generate or reuse correlation_id: 1d69ca0a-0340-45ca-a1b1-720b28ebe2d3
msal.application: Cache attempts an RT
msal.application: Refresh failed. invalid_grant: AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance. Trace ID: a998bcc7-a002-490a-a582-b6bf25847700 Correlation ID: 1d69ca0a-0340-45ca-a1b1-720b28ebe2d3 Timestamp: 2025-06-24 09:01:24Z
cli.azure.cli.core.azclierror: Traceback (most recent call last):
File "/opt/az/lib/python3.12/site-packages/azure/cli/command_modules/keyvault/_command_type.py", line 132, in keyvault_command_handler
show_exception_handler(ex)
File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/arm.py", line 432, in show_exception_handler
raise ex
File "/opt/az/lib/python3.12/site-packages/azure/cli/command_modules/keyvault/_command_type.py", line 109, in keyvault_command_handler
result = op(**command_args)
^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/azure/core/tracing/decorator.py", line 94, in wrapper_use_tracer
return func(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/azure/keyvault/secrets/_client.py", line 72, in get_secret
bundle = self._client.get_secret(
^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/azure/keyvault/secrets/_generated/_operations_mixin.py", line 1640, in get_secret
return mixin_instance.get_secret(vault_base_url, secret_name, secret_version, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/azure/core/tracing/decorator.py", line 94, in wrapper_use_tracer
return func(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/azure/keyvault/secrets/_generated/v7_4/operations/_key_vault_client_operations.py", line 760, in get_secret
pipeline_response: PipelineResponse = self._client._pipeline.run( # pylint: disable=protected-access
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/azure/core/pipeline/_base.py", line 229, in run
return first_node.send(pipeline_request)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/azure/core/pipeline/_base.py", line 86, in send
response = self.next.send(request)
^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/azure/core/pipeline/_base.py", line 86, in send
response = self.next.send(request)
^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/azure/core/pipeline/_base.py", line 86, in send
response = self.next.send(request)
^^^^^^^^^^^^^^^^^^^^^^^
[Previous line repeated 2 more times]
File "/opt/az/lib/python3.12/site-packages/azure/core/pipeline/policies/_redirect.py", line 197, in send
response = self.next.send(request)
^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/azure/core/pipeline/policies/_retry.py", line 532, in send
response = self.next.send(request)
^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/azure/core/pipeline/policies/_authentication.py", line 156, in send
request_authorized = self.on_challenge(request, response)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/azure/keyvault/secrets/_shared/challenge_auth_policy.py", line 112, in on_challenge
self.authorize_request(request, scope, tenant_id=challenge.tenant_id)
File "/opt/az/lib/python3.12/site-packages/azure/core/pipeline/policies/_authentication.py", line 133, in authorize_request
self._request_token(*scopes, **kwargs)
File "/opt/az/lib/python3.12/site-packages/azure/core/pipeline/policies/_authentication.py", line 94, in _request_token
self._token = cast(SupportsTokenInfo, self._credential).get_token_info(*scopes, options=options)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/azure/cli/core/auth/credential_adaptor.py", line 43, in get_token_info
msal_result = self._credential.acquire_token(list(scopes), **msal_kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/azure/cli/core/auth/msal_credentials.py", line 62, in acquire_token
check_result(result, scopes=scopes, claims_challenge=claims_challenge)
File "/opt/az/lib/python3.12/site-packages/azure/cli/core/auth/util.py", line 128, in check_result
aad_error_handler(result, **kwargs)
File "/opt/az/lib/python3.12/site-packages/azure/cli/core/auth/util.py", line 53, in aad_error_handler
raise AuthenticationError(error_description, msal_error=error, recommendation=recommendation)
azure.cli.core.azclierror.AuthenticationError: AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance. Trace ID: a998bcc7-a002-490a-a582-b6bf25847700 Correlation ID: 1d69ca0a-0340-45ca-a1b1-720b28ebe2d3 Timestamp: 2025-06-24 09:01:24Z

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/opt/az/lib/python3.12/site-packages/knack/cli.py", line 233, in invoke
cmd_result = self.invocation.execute(args)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/init.py", line 666, in execute
raise ex
File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/init.py", line 734, in _run_jobs_serially
results.append(self._run_job(expanded_arg, cmd_copy))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/init.py", line 703, in _run_job
result = cmd_copy(params)
^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/init.py", line 336, in call
return self.handler(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/azure/cli/command_modules/keyvault/_command_type.py", line 135, in keyvault_command_handler
return keyvault_exception_handler(ex)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/azure/cli/command_modules/keyvault/_command_type.py", line 49, in keyvault_exception_handler
raise CLIError(ex)
knack.util.CLIError: AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance. Trace ID: a998bcc7-a002-490a-a582-b6bf25847700 Correlation ID: 1d69ca0a-0340-45ca-a1b1-720b28ebe2d3 Timestamp: 2025-06-24 09:01:24Z

cli.azure.cli.core.azclierror: AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance. Trace ID: a998bcc7-a002-490a-a582-b6bf25847700 Correlation ID: 1d69ca0a-0340-45ca-a1b1-720b28ebe2d3 Timestamp: 2025-06-24 09:01:24Z
az_command_data_logger: AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance. Trace ID: a998bcc7-a002-490a-a582-b6bf25847700 Correlation ID: 1d69ca0a-0340-45ca-a1b1-720b28ebe2d3 Timestamp: 2025-06-24 09:01:24Z
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7ffa0c94c400>]
az_command_data_logger: exit code: 1
cli.main: Command ran in 1.694 seconds (init: 0.224, invoke: 1.470)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 4298 in cache file under /home/noshapir/.azure/telemetry/20250624090124289
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "/opt/az/bin/python3 /opt/az/lib/python3.12/site-packages/azure/cli/telemetry/init.py /home/noshapir/.azure /home/noshapir/.azure/telemetry/20250624090124289"
telemetry.process: Return from creating process 17707
telemetry.main: Finish creating telemetry upload process.

Expected behavior

show cert

Environment Summary

azure-cli 2.74.0

core 2.74.0
telemetry 1.1.0

Dependencies:
msal 1.32.3
azure-mgmt-resource 23.3.0

Python location '/opt/az/bin/python3'
Config directory '/home/noshapir/.azure'
Extensions directory '/home/noshapir/.azure/cliextensions'

Python (Linux) 3.12.10 (main, May 27 2025, 09:12:37) [GCC 13.3.0]

Additional context

No response

[yonzhan]

Thank you for opening this issue, we will look into it.