AzureCliCredential failure to login: ERROR: AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance. #32275

@liviu-florin-ilie

Describe the bug

When attempting to authenticate using AzureCliCredential in a Python application run in the Cloud Shell, the token retrieval fails due to Conditional Access policies enforced by the organization.

Related command

python agents.py

Errors

AzureCliCredential.get_token_info failed: WARNING: A Cloud Shell credential problem occurred. When you report the issue with the error below, please mention the hostname 'SandboxHost-638962873599915520'
ERROR: AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance. Trace ID: d4a92b79-a6d3-4e96-bd52-1ba089ed3d00 Correlation ID: ab9df912-3c11-4e46-ab2b-804ceb7cca13 Timestamp: 2025-10-17 09:35:23Z

Issue script & Debug output

import asyncio
from typing import cast
from agent_framework import ChatMessage, Role, SequentialBuilder, WorkflowOutputEvent
from agent_framework.azure import AzureAIAgentClient
from azure.identity import AzureCliCredential
from azure.identity import ClientSecretCredential

async def main():
    # Agent instructions
    summarizer_instructions = """
    Summarize the customer's feedback in one short sentence. Keep it neutral and concise.
    Example output:
    App crashes during photo upload.
    User praises dark mode feature.
    """

    classifier_instructions = """
    Classify the feedback as one of the following: Positive, Negative, or Feature request.
    """

    action_instructions = """
    Based on the summary and classification, suggest the next action in one short sentence.
    Example output:
    Escalate as a high-priority bug for the mobile team.
    Log as positive feedback to share with design and marketing.
    Log as enhancement request for product backlog.
    """

    # Create the chat client
    credential = AzureCliCredential()

    # Set up credential
    tenant_id = "cbede638-a3d9-459f-8f4e-24ced73b4e5e"

    # credential = ClientSecretCredential(
    #     tenant_id=tenant_id,
    #     client_id="your-client-id",
    #     client_secret="your-client-secret"
    # )

    async with (
        AzureAIAgentClient(async_credential=credential) as chat_client,
    ):

        # Create agents
        summarizer = chat_client.create_agent(
            instructions=summarizer_instructions,
            name="summarizer",
        )

        classifier = chat_client.create_agent(
            instructions=classifier_instructions,
            name="classifier",
        )

        action = chat_client.create_agent(
            instructions=action_instructions,
            name="action",
        )

        # Initialize the current feedback
        feedback = """
        I use the dashboard every day to monitor metrics, and it works well overall.
        But when I'm working late at night, the bright screen is really harsh on my eyes.
        If you added a dark mode option, it would make the experience much more comfortable.
        """

        # Build sequential orchestration
        workflow = SequentialBuilder().participants([summarizer, classifier, action]).build()

        # Run and collect outputs
        outputs: list[list[ChatMessage]] = []
        async for event in workflow.run_stream(f"Customer feedback: {feedback}"):
            if isinstance(event, WorkflowOutputEvent):
                outputs.append(cast(list[ChatMessage], event.data))

        # Display outputs
        if outputs:
            for i, msg in enumerate(outputs[-1], start=1):
                name = msg.author_name or ("assistant" if msg.role == Role.ASSISTANT else "user")
                print(f"{'-' * 60}\n{i:02d} [{name}]\n{msg.text}")

# Entry point (the double underscores were lost when the issue was rendered)
if __name__ == "__main__":
    asyncio.run(main())

Expected behavior

To log in the agents

Environment Summary

azure-cli 2.76.0 *

core 2.76.0 *
telemetry 1.1.0

Dependencies:
msal 1.33.0b1
azure-mgmt-resource 23.3.0

Python location '/home/liviu/ai-agents/Labfiles/05-agent-orchestration/Python/labenv/bin/python3.12'
Config directory '/home/liviu/.azure'
Extensions directory '/home/liviu/.azure/cliextensions'

Python (Linux) 3.12.9 (main, Jul 29 2025, 01:30:13) [GCC 13.2.0]

Legal docs and information: aka.ms/AzureCliLegal

Additional context

No response
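
An added example, not code from the issue or from azure-identity: it parses the error text shown under "Errors" into the AADSTS code, trace ID, correlation ID, timestamp and Cloud Shell hostname, so an application can report a Conditional Access block with the identifiers needed to escalate it instead of retrying. The names `AadstsError` and `parse_aadsts_error` are hypothetical, and the only code it interprets is the AADSTS53003 from this report.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# The two lines under "Errors" in the report above, copied verbatim.
SAMPLE = (
    "AzureCliCredential.get_token_info failed: WARNING: A Cloud Shell credential problem occurred. "
    "When you report the issue with the error below, please mention the hostname "
    "'SandboxHost-638962873599915520'\n"
    "ERROR: AADSTS53003: Access has been blocked by Conditional Access policies. The access policy "
    "does not allow token issuance. Trace ID: d4a92b79-a6d3-4e96-bd52-1ba089ed3d00 "
    "Correlation ID: ab9df912-3c11-4e46-ab2b-804ceb7cca13 Timestamp: 2025-10-17 09:35:23Z"
)

_UUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
_ERROR = re.compile(
    r"(?P<code>AADSTS\d+):\s*(?P<message>.*?)\s*"
    rf"Trace ID:\s*(?P<trace_id>{_UUID})\s*"
    rf"Correlation ID:\s*(?P<correlation_id>{_UUID})\s*"
    r"Timestamp:\s*(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})Z",
    re.DOTALL,
)
_HOST = re.compile(r"mention the hostname '([^']+)'")

@dataclass(frozen=True)
class AadstsError:  # hypothetical type, not part of azure-identity
    code: str
    message: str
    trace_id: str
    correlation_id: str
    timestamp: datetime
    cloud_shell_host: Optional[str]

    @property
    def blocked_by_conditional_access(self) -> bool:
        # AADSTS53003 (this report): a policy decision, so an unchanged retry fails the same way.
        return self.code == "AADSTS53003"

def parse_aadsts_error(text: str) -> Optional[AadstsError]:
    m = _ERROR.search(text)
    if m is None:
        return None  # no AADSTS error block in this text
    host = _HOST.search(text)  # only present when the CLI adds its Cloud Shell warning
    when = datetime.strptime(m["timestamp"], "%Y-%m-%d %H:%M:%S")
    return AadstsError(
        m["code"], m["message"], m["trace_id"].lower(), m["correlation_id"].lower(),
        when.replace(tzinfo=timezone.utc), host.group(1) if host else None,
    )
```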

Labels: Auto-Resolve, Azure CLI Team, Similar-Issue, customer-reported, question
