After sucessfull login, azure says token is expired due to inactivity and command 'az login' asks to login again as I was not logged in before

[rsalvo-gopuff]

Describe the bug

I am using my personal PC where I have a Microsoft account logged in on my Windows and I need to access Azure cli for my work account.
So, when I type "az login" in prompt, it asks for which account to use. I select "Work or school account", type my work account, password and authenticator code. It then shows me a profile to chose (I select Developer) and that's it.
Then, just after it, I try to download credentials from azure and it gives an error saying that my token is expired due to innactivity.
If I type az login again it just go all over the steps again, so it didnt logged in in fact nor saved anything it seems. So I can not download credentials for my work account
I tried it using different browsers (as default) and still getting the same result.

Related command

I tried "az login" and "az login --username xxx --passwod xxx" but same result.

Errors

If I type az login, it does not say I am logged in, but shows again the screen to login. If I try to get credentials just after logged in (as in the debug script) it says my token is expired.

Issue script & Debug output

PS C:\Projects\cb> az login --debug
cli.knack.cli: Command arguments: ['login', '--debug']
cli.knack.cli: init debug log:
Enable color in terminal.
Enable VT mode.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x0000022526DBB2E0>, <function OutputProducer.on_global_arguments at 0x000002252715C180>, <function CLIQuery.on_global_arguments at 0x0000022527181580>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'login': ['azure.cli.command_modules.profile']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: profile 0.002 2 8
cli.azure.cli.core: Total (1) 0.002 2 8
cli.azure.cli.core: Loaded 2 groups, 8 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : login
cli.azure.cli.core: Command table: login
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x00000225299431A0>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\vkid_.azure\commands\2025-08-18.13-25-26.login.32036.log'.
az_command_data_logger: command args: login --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0x000002252996BA60>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x00000225299AA2A0>, <function register_cache_arguments..add_cache_arguments at 0x00000225299AA3E0>, <function register_upcoming_breaking_change_info..update_breaking_change_info at 0x00000225299AA480>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x000002252715C220>, <function CLIQuery.handle_query_parameter at 0x0000022527181620>, <function register_ids_argument..parse_ids_arguments at 0x00000225299AA340>]
cli.azure.cli.core.auth.persistence: build_persistence: location='C:\Users\vkid_\.azure\msal_token_cache.bin', encrypt=True
cli.azure.cli.core.auth.binary_cache: load: C:\Users\vkid_.azure\msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/organizations
msal.authority: openid_config("https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/organizations/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/{tenantid}/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/organizations/kerberos', 'tenant_region_scope': None, 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? True
msal.application: Falls back to broker._signin_interactively()
cli.azure.cli.core.auth.identity: Select the account you want to log in with. For more information on login with Azure CLI, see https://go.microsoft.com/fwlink/?linkid=2271136
msal.broker: [MSAL:0001] INFO SetAuthorityUri:78 Initializing authority from URI 'https://login.microsoftonline.com/organizations' without authority type, defaulting to MsSts
msal.broker: [MSAL:0002] INFO SetCorrelationId:259 Set correlation ID: 99423e3b-7293-4eb7-a834-37081e0c3cc7
msal.broker: [MSAL:0002] INFO ExecuteInteractiveRequest:1195 The original authority is 'https://login.microsoftonline.com/organizations'
msal.broker: [MSAL:0002] WARNING TryNormalizeRealm:2523 No HomeAccountId provided to normalize the realm
msal.broker: [MSAL:0002] INFO ExecuteInteractiveRequest:1206 The normalized realm is ''
msal.broker: [MSAL:0002] INFO ModifyAndValidateAuthParameters:216 Additional query parameter added successfully. Key: 'msal_client_sku' Value: 'MSAL.Python'
msal.broker: [MSAL:0002] INFO ModifyAndValidateAuthParameters:216 Additional query parameter added successfully. Key: 'msal_client_ver' Value: '1.33.0b1'
msal.broker: [MSAL:0002] INFO ModifyAndValidateAuthParameters:216 Additional query parameter added successfully. Key: 'msal_gui_thread' Value: 'true'
msal.broker: [MSAL:0002] INFO ModifyAndValidateAuthParameters:216 Additional query parameter added successfully. Key: 'msal_request_type' Value: 'consumer_passthrough'
msal.broker: [MSAL:0002] INFO ModifyAndValidateAuthParameters:239 Authority Realm: organizations
msal.broker: [MSAL:0002] WARNING TryEnqueueMsaDeviceCredentialAcquisitionAndContinue:1088 MsaDeviceOperationProvider is not available. Not attempting to register the device.
msal.broker: [MSAL:0003] WARNING ReturnResponseDueToMissingParameter:716 Attempted to read cache with a non-normalized realm, access token and ID token reads will fail
msal.broker: [MSAL:0003] WARNING ReturnResponseDueToMissingParameter:742 Missing Required parameters, but found no account to return.
msal.broker: [MSAL:0003] WARNING ReadAccountById:273 Account id is empty - account not found
msal.broker: [MSAL:0003] INFO GetCurrentWindowHandleForUIFlow:495 Specified brokerWindowHandle is valid.
msal.broker: [MSAL:0003] INFO SetCanonicalRealm:1241 Normalize realm to: '4fa55050-2f9e-4657-b7f2-634159953b9d'
msal.broker: [MSAL:0003] INFO LogTelemetryData:441 Printing Telemetry for Correlation ID: 99423e3b-7293-4eb7-a834-37081e0c3cc7
msal.broker: [MSAL:0003] INFO LogTelemetryData:449 Key: start_time, Value: 2025-08-18T16:25:26.000Z
msal.broker: [MSAL:0003] INFO LogTelemetryData:449 Key: api_name, Value: SignInInteractively
msal.broker: [MSAL:0003] INFO LogTelemetryData:449 Key: was_request_throttled, Value: false
msal.broker: [MSAL:0003] INFO LogTelemetryData:449 Key: authority_type, Value: AAD
msal.broker: [MSAL:0003] INFO LogTelemetryData:449 Key: access_token_expiry_time, Value: 2025-08-18T17:28:03.000Z
msal.broker: [MSAL:0003] INFO LogTelemetryData:449 Key: msal_version, Value: 1.1.0+local
msal.broker: [MSAL:0003] INFO LogTelemetryData:449 Key: client_id, Value: 04b07795-8ddb-461a-bbee-02f9e1bf7b46
msal.broker: [MSAL:0003] INFO LogTelemetryData:449 Key: correlation_id, Value: 99423e3b-7293-4eb7-a834-37081e0c3cc7
msal.broker: [MSAL:0003] INFO LogTelemetryData:449 Key: broker_app_used, Value: true
msal.broker: [MSAL:0003] INFO LogTelemetryData:449 Key: stop_time, Value: 2025-08-18T16:25:56.000Z
msal.broker: [MSAL:0003] INFO LogTelemetryData:449 Key: msalruntime_version, Value: 0.18.1
msal.broker: [MSAL:0003] INFO LogTelemetryData:449 Key: original_authority, Value: https://login.microsoftonline.com/organizations
msal.broker: [MSAL:0003] INFO LogTelemetryData:449 Key: request_eligible_for_broker, Value: true
msal.broker: [MSAL:0003] INFO LogTelemetryData:449 Key: additional_query_parameters_count, Value: 4
msal.broker: [MSAL:0003] INFO LogTelemetryData:449 Key: read_token_last_error, Value: missing required parameter
msal.broker: [MSAL:0003] INFO LogTelemetryData:449 Key: auth_flow, Value: Broker
msal.broker: [MSAL:0003] INFO LogTelemetryData:449 Key: ui_event_count, Value: 1
msal.broker: [MSAL:0003] INFO LogTelemetryData:449 Key: wam_telemetry, Value: {"x_ms_clitelem":"1,0,0,,","ui_visible":true,"tenant_id":"4fa55050-2f9e-4657-b7f2-634159953b9d","scope":"https://management.core.windows.net//.default offline_access openid profile","redirect_uri":"ms-appx-web://Microsoft.AAD.BrokerPlugin/04b07795-8ddb-461a-bbee-02f9e1bf7b46","provider_id":"https://login.windows.net","prompt_behavior":"login","http_status":200,"http_event_count":5,"http_content_type":"application/json; charset=utf-8","http_content_size":8452,"device_join":"not_joined","correlation_id":"{99423e3b-7293-4eb7-a834-37081e0c3cc7}","client_id":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","ccs_failover_v2":"1.P","cache_event_count":0,"broker_version":"10.0.26100.4768","authority":"https://login.microsoftonline.com/organizations","api_error_code":0,"account_join_on_start":"not_joined","account_join_on_end":"not_joined","account_id":"b68ecc4c-a349-40b4-b348-e01e6050e28f","silent_code":0,"silent_bi_sub_code":0,"silent_message":"","silent_status":3,"is_cached":0}
msal.broker: [MSAL:0003] INFO LogTelemetryData:449 Key: tenant_id, Value: 4fa55050-2f9e-4657-b7f2-634159953b9d
msal.broker: [MSAL:0003] INFO LogTelemetryData:449 Key: normalized_realm, Value: 4fa55050-2f9e-4657-b7f2-634159953b9d
msal.broker: [MSAL:0003] INFO LogTelemetryData:449 Key: write_token, Value: AT|ID
msal.broker: [MSAL:0003] INFO LogTelemetryData:449 Key: storage_write, Value: DAT|DID|DAC
msal.broker: [MSAL:0003] INFO LogTelemetryData:449 Key: storage_read, Value: DAC
msal.broker: [MSAL:0003] INFO LogTelemetryData:449 Key: is_successful, Value: true
msal.broker: [MSAL:0003] INFO LogTelemetryData:449 Key: authorization_type, Value: Interactive
msal.broker: [MSAL:0003] INFO LogTelemetryData:449 Key: api_error_context, Value: PII logging enabled on client.
msal.broker: [MSAL:0003] INFO LogTelemetryData:449 Key: transfer_token_error, Value: PII logging enabled on client.
msal.broker: [MSAL:0003] INFO LogTelemetryData:449 Key: server_suberror_code, Value: PII logging enabled on client.
msal.broker: [MSAL:0003] INFO LogTelemetryData:449 Key: request_duration, Value: 29652
msal.broker: [MSAL:0003] INFO LogTelemetryData:454 Printing Execution Flow:
msal.broker: [MSAL:0003] INFO LogTelemetryData:462 {"t":"646u1","tid":2,"ts":0,"l":2},{"t":"4s7ub","tid":2,"ts":1,"l":2},{"t":"4sufd","tid":2,"ts":1,"s":2,"l":2},{"t":"4swgg","tid":2,"ts":1,"s":1,"l":2},{"t":"4swgf","tid":2,"ts":1,"s":1,"l":2},{"t":"4swgi","tid":3,"ts":1,"s":1,"l":2},{"t":"8dqim","tid":3,"ts":1,"l":2},{"t":"8dqkl","tid":3,"ts":1,"l":2,"a":9,"ie":0},{"t":"4ly8o","tid":3,"ts":1,"l":2},{"t":"54uxe","tid":2,"ts":1,"l":2},{"t":"4wqm9","tid":4,"ts":2804,"l":2},{"t":"4o9ak","tid":4,"ts":2804,"l":2},{"t":"4o9ai","tid":4,"ts":2805,"l":2},{"t":"8dql1","tid":4,"ts":29627,"l":2},{"t":"4qopb","tid":4,"ts":29627,"l":2},{"t":"8dqkn","tid":4,"ts":29627,"l":2,"a":5,"ie":1},{"t":"8dqko","tid":4,"ts":29627,"l":2,"a":9,"ie":1},{"t":"8dqkr","tid":4,"ts":29627,"l":2},{"t":"4sufd","tid":4,"ts":29627,"s":2,"l":2},{"t":"4swgg","tid":4,"ts":29627,"s":2,"l":2},{"t":"4swgf","tid":4,"ts":29627,"s":1,"l":2},{"t":"4swgi","tid":3,"ts":29627,"s":2,"l":2},{"t":"8b2yn","tid":3,"ts":29627,"l":2},{"t":"8dqlh","tid":3,"ts":29627,"l":2},{"t":"8dqli","tid":3,"ts":29627,"l":2},{"t":"8dqln","tid":3,"ts":29627,"l":2},{"t":"8dqih","tid":3,"ts":29627,"l":2},{"t":"4qnnm","tid":3,"ts":29628,"l":2,"a":3,"ie":0},{"t":"4myjh","tid":3,"ts":29629,"l":2},{"t":"4myjg","tid":3,"ts":29630,"l":2},{"t":"4myjf","tid":3,"ts":29631,"l":2},{"t":"4myjh","tid":3,"ts":29632,"l":2},{"t":"4myjg","tid":3,"ts":29633,"l":2},{"t":"4myjf","tid":3,"ts":29634,"l":2},{"t":"4qnnl","tid":3,"ts":29634,"l":2,"a":3,"ie":1},{"t":"4qnng","tid":3,"ts":29634,"l":2,"a":2,"ie":0},{"t":"4qnnf","tid":3,"ts":29635,"l":2,"a":2,"ie":1},{"t":"4qnne","tid":3,"ts":29635,"l":2,"a":3,"ie":0},{"t":"4myjh","tid":3,"ts":29635,"l":2},{"t":"4myjg","tid":3,"ts":29636,"l":2},{"t":"4myjf","tid":3,"ts":29637,"l":2},{"t":"4qnnd","tid":3,"ts":29637,"l":2,"a":3,"ie":1},{"t":"6xuag","tid":3,"ts":29643,"l":2},{"t":"4waym","tid":3,"ts":29643,"l":2}
msal.token_cache: event={
"_account_id": "b68ecc4c-a349-40b4-b348-e01e6050e28f",
"client_id": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
"data": {},
"environment": "login.microsoftonline.com",
"grant_type": "broker",
"response": {
"_account_id": "b68ecc4c-a349-40b4-b348-e01e6050e28f",
"_msalruntime_telemetry": {
"DATA LIMITED": "Full MSALRuntime telemetry not yet implemented",
"api_error_context": "Error context redacted, value may be written to log.",
"api_name": "SignInInteractively",
"broker_app_used": "true",
"client_id": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
"correlation_id": "99423e3b-7293-4eb7-a834-37081e0c3cc7",
"is_successful": "true",
"msal_version": "1.1.0+local",
"msalruntime_version": "0.18.1"
},
"access_token": "",
"client_info": "eyJ1aWQiOiJiNjhlY2M0Yy1hMzQ5LTQwYjQtYjM0OC1lMDFlNjA1MGUyOGYiLCJ1dGlkIjoiNGZhNTUwNTAtMmY5ZS00NjU3LWI3ZjItNjM0MTU5OTUzYjlkIiwicHJlZmVycmVkX3VzZXJuYW1lIjoicm9kcmlnby52YXNjb25jZWxvc3NhbHZvQGdvcHVmZi5jb20ifQ",
"expires_in": 3727,
"id_token": "",
"id_token_claims": "********",
"scope": "https://management.core.windows.net//user_impersonation https://management.core.windows.net//.default",
"token_type": "bearer"
},
"scope": [
"https://management.core.windows.net//user_impersonation",
"https://management.core.windows.net//.default"
],
"token_endpoint": "https://login.microsoftonline.com/organizations/oauth2/v2.0/token"
}

Retrieving tenants and subscriptions for the selection...
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/organizations
msal.authority: openid_config("https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/organizations/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/{tenantid}/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/organizations/kerberos', 'tenant_region_scope': None, 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? True
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token_info: scopes=('https://management.core.windows.net//.default',), options={}
cli.azure.cli.core.auth.msal_credentials: UserCredential.acquire_token: scopes=['https://management.core.windows.net//.default'], claims_challenge=None, kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: 011f4f9f-abfb-4520-942e-86f432412d60
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/tenants?api-version=2022-12-01'
cli.azure.cli.core.sdk.policies: Request method: 'GET'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies: 'Accept': 'application/json'
cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': 'f2a8cb0e-7c4f-11f0-a44f-b920d3888fee'
cli.azure.cli.core.sdk.policies: 'CommandName': 'login'
cli.azure.cli.core.sdk.policies: 'ParameterSetName': '--debug'
cli.azure.cli.core.sdk.policies: 'User-Agent': 'AZURECLI/2.76.0 (MSI) azsdk-python-core/1.35.0 Python/3.12.10 (Windows-11-10.0.26100-SP0)'
cli.azure.cli.core.sdk.policies: 'Authorization': ''
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: This request has no body
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "GET /tenants?api-version=2022-12-01 HTTP/1.1" 200 496
cli.azure.cli.core.sdk.policies: Response status: 200
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies: 'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Content-Length': '496'
cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies: 'Expires': '-1'
cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-tenant-reads': '249'
cli.azure.cli.core.sdk.policies: 'x-ms-request-id': '40b31869-20c6-41cd-a4b4-c2ccab466dd9'
cli.azure.cli.core.sdk.policies: 'x-ms-correlation-request-id': '40b31869-20c6-41cd-a4b4-c2ccab466dd9'
cli.azure.cli.core.sdk.policies: 'x-ms-routing-request-id': 'BRAZILSOUTH:20250818T162651Z:40b31869-20c6-41cd-a4b4-c2ccab466dd9'
cli.azure.cli.core.sdk.policies: 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies: 'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies: 'X-Cache': 'CONFIG_NOCACHE'
cli.azure.cli.core.sdk.policies: 'X-MSEdge-Ref': 'Ref A: 96C59F85111B402CAF01F6FFF8207949 Ref B: RIO201060612049 Ref C: 2025-08-18T16:26:51Z'
cli.azure.cli.core.sdk.policies: 'Date': 'Mon, 18 Aug 2025 16:26:50 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"value":[{"id":"/tenants/4fa55050-2f9e-4657-b7f2-634159953b9d","tenantId":"4fa55050-2f9e-4657-b7f2-634159953b9d","countryCode":"US","displayName":"AD","tenantBrandingLogoUrl":"-sptwtvbd-7d66opipp5mo/logintenantbranding/0/bannerlogo?ts=637865215638645240"}]}
cli.azure.cli.core._profile: Finding subscriptions under tenant 4fa55050-2f9e-4657-b7f2-634159953b9d 'goBrands Inc'
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/4fa55050-2f9e-4657-b7f2-634159953b9d
msal.authority: openid_config("https://login.microsoftonline.com/4fa55050-2f9e-4657-b7f2-634159953b9d/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/4fa55050-2f9e-4657-b7f2-634159953b9d/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/4fa55050-2f9e-4657-b7f2-634159953b9d/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/4fa55050-2f9e-4657-b7f2-634159953b9d/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/4fa55050-2f9e-4657-b7f2-634159953b9d/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/4fa55050-2f9e-4657-b7f2-634159953b9d/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/4fa55050-2f9e-4657-b7f2-634159953b9d/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/4fa55050-2f9e-4657-b7f2-634159953b9d/kerberos', 'tenant_region_scope': 'NA', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? True
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token_info: scopes=('https://management.core.windows.net//.default',), options={}
cli.azure.cli.core.auth.msal_credentials: UserCredential.acquire_token: scopes=['https://management.core.windows.net//.default'], claims_challenge=None, kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: 5715e092-97b0-4ea7-8736-4c18a93a8097
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions?api-version=2022-12-01'
cli.azure.cli.core.sdk.policies: Request method: 'GET'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies: 'Accept': 'application/json'
cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': 'f2a8cb0e-7c4f-11f0-a44f-b920d3888fee'
cli.azure.cli.core.sdk.policies: 'CommandName': 'login'
cli.azure.cli.core.sdk.policies: 'ParameterSetName': '--debug'
cli.azure.cli.core.sdk.policies: 'User-Agent': 'AZURECLI/2.76.0 (MSI) azsdk-python-core/1.35.0 Python/3.12.10 (Windows-11-10.0.26100-SP0)'
cli.azure.cli.core.sdk.policies: 'Authorization': ''
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: This request has no body
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "GET /subscriptions?api-version=2022-12-01 HTTP/1.1" 200 6364
cli.azure.cli.core.sdk.policies: Response status: 200
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies: 'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Content-Length': '6364'
cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies: 'Expires': '-1'
cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-tenant-reads': '249'
cli.azure.cli.core.sdk.policies: 'x-ms-request-id': 'a299d22b-f4eb-4bec-9f58-896c40658657'
cli.azure.cli.core.sdk.policies: 'x-ms-correlation-request-id': 'a299d22b-f4eb-4bec-9f58-896c40658657'
cli.azure.cli.core.sdk.policies: 'x-ms-routing-request-id': 'BRAZILSOUTH:20250818T162651Z:a299d22b-f4eb-4bec-9f58-896c40658657'
cli.azure.cli.core.sdk.policies: 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies: 'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies: 'X-Cache': 'CONFIG_NOCACHE'
cli.azure.cli.core.sdk.policies: 'X-MSEdge-Ref': 'Ref A: 2CA39996E28A48CB8534123E1C0E9CE9 Ref B: RIO201060612033 Ref C: 2025-08-18T16:26:51Z'
cli.azure.cli.core.sdk.policies: 'Date': 'Mon, 18 Aug 2025 16:26:51 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"value":[{"id":"/subscriptions/0c0c4cf4-12e5-4d96-862a-655e121e073b","authorizationSource":"RoleBased","managedByTenants":[{"tenantId":"7584ba9c-dd91-4745-***3}}

[Tenant and subscription selection]

No Subscription name Subscription ID Tenant

---

[1] Catalog, Search & Recs d4856ee4-fc07-4bfc-8861-ab7a5ab2ceb1 goBrands Inc
[2] Core Infrastructure b9b15371-eb9c-4629-a109-70a74b2edefd goBrands Inc
[3] Core Infrastructure Development 5bc7af92-e1c7-444a-9155-57d637742bb2 goBrands Inc
[4] Core Platform cc4a6c57-2273-478a-b44a-092e0ad8f86f goBrands Inc
[5] Data Science 55e539a9-38b7-4d29-9aad-9200d2b62404 goBrands Inc
[6] Data Science Databricks ef1cf4bf-dd90-41b2-b1bf-47a0978dd8c7 goBrands Inc
[7] * Development efae3db4-a6f1-430a-9624-eead6aad28a5 goBrands Inc
[8] Driver Scheduling 3e984ea6-499c-4a1d-ae10-fbaa3c8b4231 goBrands Inc
[9] Identity Authentication 7170001a-ad2e-4af3-8279-cec62507b965 goBrands Inc
[10] Production 0c0c4cf4-12e5-4d96-862a-655e121e073b goBrands Inc
[11] Supply Chain 0fa958ca-8e32-4c72-a3d9-8e16f18ecddd goBrands Inc
[12] UAT da08366a-7449-477a-acfe-2a75f6aa30ea goBrands Inc
[13] Warehouse af815fdd-8d27-42be-80cd-f59805fe64f4 goBrands Inc

The default is marked with an *; the default tenant is 'goBrands Inc' and subscription is 'Development' (efae3db4-a6f1-430a-9624-eead6aad28a5).

Select a subscription and tenant (Type a number or Enter for no changes):

Tenant: goBrands Inc
Subscription: Development (efae3db4-a6f1-430a-9624-eead6aad28a5)

[Announcements]
With the new Azure CLI login experience, you can select the subscription you want to use more easily. Learn more about it and its configuration at https://go.microsoft.com/fwlink/?linkid=2271236

If you encounter any problem, please open an issue at https://aka.ms/azclibug

cli.azure.cli.command_modules.profile.custom: [Warning] The login output has been updated. Please be aware that it no longer displays the full list of available subscriptions by default.

cli.knack.cli: Event: CommandInvoker.OnTransformResult [<function resource_group_transform at 0x000002252996B7E0>, <function x509_from_base64_to_hex_transform at 0x000002252996B880>]
cli.knack.cli: Event: CommandInvoker.OnFilterResult []
cli.knack.cli: Event: Cli.SuccessfulExecute []
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x0000022529943420>]
az_command_data_logger: exit code: 0
cli.main: Command ran in 32.683 seconds (init: 0.195, invoke: 32.488)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 4275 in cache file under C:\Users\vkid.azure\telemetry\20250818132558964
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe C:\Program Files\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry_init.pyc C:\Users\vkid_.azure C:\Users\vkid_.azure\telemetry\20250818132558964"
telemetry.process: Return from creating process 39992
telemetry.main: Finish creating telemetry upload process.

PS C:\Projects\cb> make development-credentials

node '.make/scripts/setupenv.js' dev
Fetching secrets for dev
Fetching https://kv-***-eus.vault.azure.net/secrets/BDG-EVENT-HUB-BROKER-CS
Error: Command failed: az keyvault secret show --id "https://kv-***-eus.vault.azure.net/secrets/BDG-EVENT-HUB-BROKER-CS"
ERROR: V2Error: invalid_grant AADSTS700082: The refresh token has expired due to inactivity.�The token was issued on 2025-05-02T16:43:10.2836664Z and was inactive for 12:00:00. Trace ID: 23b5c9ef-0006-4c36-99ea-06fc3fe4a300 Correlation ID: df04c783-ecf8-456c-9681-fbad80d14468 Timestamp: 2025-08-18 16:27:01Z. Status: Response_Status.Status_InteractionRequired, Error code: 3399614467, Tag: 558133255

at genericNodeError (node:internal/errors:984:15)
at wrappedFn (node:internal/errors:538:14)
at ChildProcess.exithandler (node:child_process:422:12)
at ChildProcess.emit (node:events:524:28)
at maybeClose (node:internal/child_process:1104:16)
at ChildProcess._handle.onexit (node:internal/child_process:304:5) {

code: 1,
killed: false,
signal: null,
cmd: 'az keyvault secret show --id "https://kv-c***-eus.vault.azure.net/secrets/BDG-EVENT-HUB-BROKER-CS"',
stdout: '',
stderr: 'ERROR: V2Error: invalid_grant AADSTS700082: The refresh token has expired due to inactivity.�The token was issued on 2025-05-02T16:43:10.2836664Z and was inactive for 12:00:00. Trace ID: 23b5c9ef-0006-4c36-99ea-06fc3fe4a300 Correlation ID: df04c783-ecf8-456c-9681-fbad80d14468 Timestamp: 2025-08-18 16:27:01Z. Status: Response_Status.Status_InteractionRequired, Error code: 3399614467, Tag: 558133255\r\n'
}
Fetching https://kv-***eus.vault.azure.net/secrets/BDG-EVENT-HUB-NAMESPACE-CS
Error: Command failed: az keyvault secret show --id "https://kv-***-eus.vault.azure.net/secrets/BDG-EVENT-HUB-NAMESPACE-CS"
ERROR: V2Error: invalid_grant AADSTS700082: The refresh token has expired due to inactivity.�The token was issued on 2025-05-02T16:43:10.2836664Z and was inactive for 12:00:00. Trace ID: 23b5c9ef-0006-4c36-99ea-06fc3fe4a300 Correlation ID: df04c783-ecf8-456c-9681-fbad80d14468 Timestamp: 2025-08-18 16:27:01Z. Status: Response_Status.Status_InteractionRequired, Error code: 3399614467, Tag: 558133255

at genericNodeError (node:internal/errors:984:15)
at wrappedFn (node:internal/errors:538:14)
at ChildProcess.exithandler (node:child_process:422:12)
at ChildProcess.emit (node:events:524:28)
at maybeClose (node:internal/child_process:1104:16)
at ChildProcess._handle.onexit (node:internal/child_process:304:5) {

code: 1,
killed: false,
signal: null,
cmd: 'az keyvault secret show --id "https://kv-***-eus.vault.azure.net/secrets/BDG-EVENT-HUB-NAMESPACE-CS"',
stdout: '',
stderr: 'ERROR: V2Error: invalid_grant AADSTS700082: The refresh token has expired due to inactivity.�The token was issued on 2025-05-02T16:43:10.2836664Z and was inactive for 12:00:00. Trace ID: 23b5c9ef-0006-4c36-99ea-06fc3fe4a300 Correlation ID: df04c783-ecf8-456c-9681-fbad80d14468 Timestamp: 2025-08-18 16:27:01Z. Status: Response_Status.Status_InteractionRequired, Error code: 3399614467, Tag: 558133255\r\n'
}
Fetching https://kv-***-eus.vault.azure.net/secrets/BDG-EVENT-HUB-NAMESPACE

PS C:\Projects\cb>

Expected behavior

Once I executed successfully az login, I should able to download the credentials and should not get an error that the token is expired.

Environment Summary

azure-cli 2.76.0

core 2.76.0
telemetry 1.1.0

Dependencies:
msal 1.33.0b1
azure-mgmt-resource 23.3.0

Python location 'C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe'
Config directory 'C:\Users\vkid_.azure'
Extensions directory 'C:\Users\vkid_.azure\cliextensions'

Python (Windows) 3.12.10 (tags/v3.12.10:0cc8128, Apr 8 2025, 12:21:36) [MSC v.1943 64 bit (AMD64)]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

Additional context

No response

[yonzhan]

Thank you for opening this issue, we will look into it.

[rsalvo-gopuff]

I was able to get credentials after cleaning the old access token using "az account clear".