
Get-AzADServicePrincipal fails with AuthenticationFailedException - SharedTokenCacheCredential authentication failed when used from custom Az environment #27948


Closed
abatishchev opened this issue Jun 12, 2025 · 3 comments
Labels
bug This issue requires a change to an existing behavior in the product in order to be resolved. Possible-Solution Similar-Issue

Comments

@abatishchev

Description

I created a custom Az environment by cloning Production (AzureCloud) and changing a few properties:

$prod = Get-AzEnvironment -Name AzureCloud
Add-AzEnvironment -Name Canary `
  -ActiveDirectoryAuthority $prod.ActiveDirectoryAuthority `
  -ActiveDirectoryServiceEndpointResourceId $prod.ActiveDirectoryServiceEndpointResourceId `
  -AdTenant $prod.AdTenant `
  -ResourceManagerEndpoint 'https://eastus2euap.management.azure.com' `
  -ManagementPortalUrl $prod.ManagementPortalUrl `
  -ServiceManagementUrl $prod.ServiceManagementUrl `
  -GraphEndpoint $prod.GraphEndpoint `
  -GraphEndpointResourceId $prod.GraphEndpointResourceId `
  -MicrosoftGraphUrl $prod.MicrosoftGraphUrl `
  -MicrosoftGraphEndpointResourceId $prod.MicrosoftGraphEndpointResourceId

Then I log into it:

Login-AzAccount -Environment Canary -Tenant $tenant -Subscription $sub

However, the Az AD commands fail now, e.g.:

Get-AzADApplication -DisplayName $name

Issue script & Debug output

DEBUG: [CmdletBeginProcessing]: Starting command
DEBUG: CmdletBeginProcessing:
DEBUG: CmdletProcessRecordStart:
DEBUG: Client side pagination is enabled for this cmdlet
DEBUG: CmdletGetPipeline:
DEBUG: CmdletBeforeAPICall:
DEBUG: URLCreated: /applications?$filter=displayName%20eq%20%27ats-local%27
DEBUG: RequestCreated: /v1.0/applications?$filter=displayName%20eq%20%27ats-local%27
DEBUG: HeaderParametersAdded:
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://graph.microsoft.com/v1.0/applications?$filter=displayName eq %27ats-local%27

Headers:
x-ms-client-request-id        : 3684e77c-3426-44b7-9b23-1b7bec63c118
CommandName                   : Az.MSGraph.internal\Get-AzADApplication
FullCommandName               : Get-AzADApplication_List
ParameterSetName              : __AllParameterSets
User-Agent                    : AzurePowershell/v10.0.0,PSVersion/v7.5.1,Az.MSGraph/7.8.1

Body:



DEBUG: BeforeCall:
DEBUG: Finally:
DEBUG: [CmdletProcessRecordAsyncEnd]: Finish HTTP process
DEBUG: CmdletProcessRecordAsyncEnd:
DEBUG: [CmdletException]: Received Exception with message 'AuthenticationFailedException - SharedTokenCacheCredential authentication failed:  :    at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable)
   at Azure.Identity.SharedTokenCacheCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.SharedTokenCacheCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Microsoft.Azure.PowerShell.Authenticators.MsalAccessToken.GetAccessTokenAsync(String callerClassName, String parametersLog, TokenCredential tokenCredential, TokenRequestContext requestContext, CancellationToken cancellationToken, String tenantId, String userId, String homeAccountId)
   at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzureAccount account, IAzureEnvironment environment, String tenant, SecureString password, String promptBehavior, Action`1 promptAction, IDictionary`2 optionalParameters)
   at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzureAccount account, IAzureEnvironment environment, String tenant, SecureString password, String promptBehavior, Action`1 promptAction, IAzureTokenCache tokenCache, String resourceId)
   at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzureAccount account, IAzureEnvironment environment, String tenant, SecureString password, String promptBehavior, Action`1 promptAction, String resourceId)
   at Microsoft.Azure.Commands.Common.ContextAdapter.<>c__DisplayClass15_0.<AuthorizeRequest>b__0()
   at System.Threading.Tasks.Task`1.InnerInvoke()
   at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
--- End of stack trace from previous location ---
   at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot, Thread threadPoolThread)
--- End of stack trace from previous location ---
   at Microsoft.Azure.Commands.Common.ContextAdapter.AuthorizeRequest(IAzureContext context, HttpRequestMessage request, CancellationToken cancellationToken, String endpointResourceIdKey, String endpointSuffixKey, Func`6 tokenAudienceConverter, IDictionary`2 extensibleParamters)
   at Microsoft.Azure.Commands.Common.ContextAdapter.AuthenticationHelper(IAzureContext context, String endpointResourceIdKey, String endpointSuffixKey, HttpRequestMessage request, CancellationToken cancelToken, Action cancelAction, Func`4 signal, Func`5 next, Func`6 tokenAudienceConverter)
   at Microsoft.Azure.Commands.Common.ContextAdapter.<>c__DisplayClass10_0.<<AddAuthorizeRequestHandler>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.Azure.Commands.Common.ContextAdapter.<>c__DisplayClass9_0.<<AddPatchRequestUriHandler>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.Module.SendAsync(HttpRequestMessage request, IEventListener callback, ISendAsync next)
   at Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.MSGraph.ApplicationsApplicationListApplication_Call(HttpRequestMessage request, Func`3 onOk, Func`3 onDefault, IEventListener eventListener, ISendAsync sender)
   at Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.MSGraph.ApplicationsApplicationListApplication_Call(HttpRequestMessage request, Func`3 onOk, Func`3 onDefault, IEventListener eventListener, ISendAsync sender)
   at Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.MSGraph.ApplicationsApplicationListApplication(String consistencyLevel, String Search, String Filter, Nullable`1 Count, String[] Orderby, String[] Select, String[] Expand, Func`3 onOk, Func`3 onDefault, IEventListener eventListener, ISendAsync sender)
   at Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.Cmdlets.GetAzADApplication_List.ProcessRecordAsync()
   at Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.Cmdlets.GetAzADApplication_List.ProcessRecordAsync()'
DEBUG: CmdletException: AuthenticationFailedException - SharedTokenCacheCredential authentication failed:  :    at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable)
   at Azure.Identity.SharedTokenCacheCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.SharedTokenCacheCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Microsoft.Azure.PowerShell.Authenticators.MsalAccessToken.GetAccessTokenAsync(String callerClassName, String parametersLog, TokenCredential tokenCredential, TokenRequestContext requestContext, CancellationToken cancellationToken, String tenantId, String userId, String homeAccountId)
   at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzureAccount account, IAzureEnvironment environment, String tenant, SecureString password, String promptBehavior, Action`1 promptAction, IDictionary`2 optionalParameters)
   at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzureAccount account, IAzureEnvironment environment, String tenant, SecureString password, String promptBehavior, Action`1 promptAction, IAzureTokenCache tokenCache, String resourceId)
   at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzureAccount account, IAzureEnvironment environment, String tenant, SecureString password, String promptBehavior, Action`1 promptAction, String resourceId)
   at Microsoft.Azure.Commands.Common.ContextAdapter.<>c__DisplayClass15_0.<AuthorizeRequest>b__0()
   at System.Threading.Tasks.Task`1.InnerInvoke()
   at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
--- End of stack trace from previous location ---
   at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot, Thread threadPoolThread)
--- End of stack trace from previous location ---
   at Microsoft.Azure.Commands.Common.ContextAdapter.AuthorizeRequest(IAzureContext context, HttpRequestMessage request, CancellationToken cancellationToken, String endpointResourceIdKey, String endpointSuffixKey, Func`6 tokenAudienceConverter, IDictionary`2 extensibleParamters)
   at Microsoft.Azure.Commands.Common.ContextAdapter.AuthenticationHelper(IAzureContext context, String endpointResourceIdKey, String endpointSuffixKey, HttpRequestMessage request, CancellationToken cancelToken, Action cancelAction, Func`4 signal, Func`5 next, Func`6 tokenAudienceConverter)
   at Microsoft.Azure.Commands.Common.ContextAdapter.<>c__DisplayClass10_0.<<AddAuthorizeRequestHandler>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.Azure.Commands.Common.ContextAdapter.<>c__DisplayClass9_0.<<AddPatchRequestUriHandler>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.Module.SendAsync(HttpRequestMessage request, IEventListener callback, ISendAsync next)
   at Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.MSGraph.ApplicationsApplicationListApplication_Call(HttpRequestMessage request, Func`3 onOk, Func`3 onDefault, IEventListener eventListener, ISendAsync sender)
   at Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.MSGraph.ApplicationsApplicationListApplication_Call(HttpRequestMessage request, Func`3 onOk, Func`3 onDefault, IEventListener eventListener, ISendAsync sender)
   at Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.MSGraph.ApplicationsApplicationListApplication(String consistencyLevel, String Search, String Filter, Nullable`1 Count, String[] Orderby, String[] Select, String[] Expand, Func`3 onOk, Func`3 onDefault, IEventListener eventListener, ISendAsync sender)
   at Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.Cmdlets.GetAzADApplication_List.ProcessRecordAsync()
   at Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.Cmdlets.GetAzADApplication_List.ProcessRecordAsync()
Get-AzADApplication_List: C:\Users\alexbat\OneDrive - Microsoft\Documents\PowerShell\Modules\Az.Resources\8.0.0\MSGraph.Autorest\custom\Get-AzADApplication.ps1:221
Line |
 221 |      Az.MSGraph.internal\Get-AzADApplication @PSBoundParameters
     |      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | SharedTokenCacheCredential authentication failed:
DEBUG: CmdletProcessRecordEnd:
DEBUG: AzureQoSEvent:  Module: Az.Resources:8.0.0; CommandName: Get-AzADApplication; PSVersion: 7.5.1; IsSuccess: True; Duration: 00:00:00.7917628; SanitizeDuration: 00:00:00

Environment data

Name                           Value
----                           -----
PSVersion                      7.5.1
PSEdition                      Core
GitCommitId                    7.5.1
OS                             Microsoft Windows 10.0.26100
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     8.0.0                 Az.Resources

Error output

@abatishchev abatishchev added bug This issue requires a change to an existing behavior in the product in order to be resolved. needs-triage This is a new issue that needs to be triaged to the appropriate team. labels Jun 12, 2025
@microsoft-github-policy-service microsoft-github-policy-service bot removed the needs-triage This is a new issue that needs to be triaged to the appropriate team. label Jun 12, 2025

Here are some similar issues that might help you. Please check if they can solve your problem.


Possible solution (Extracted from existing issue, might be incorrect; please verify carefully)

Solution 1:

When you use the latest version of Az.Resource, the AzAD feature is using the MSGraph API. So you need to configure the 2 parameters below when you add the environment.

[-MicrosoftGraphEndpointResourceId <String>]
[-MicrosoftGraphUrl <String>]

Reference:

Solution 2:

In case anyone has further issues with trying to use Get-AzAD cmdlets in Azure Dogfood, it's because the guidance above no longer works, as the endpoints for Microsoft Graph are actually different:

-GraphUrl "https://graph.ppe.windows.net/"
-GraphEndpointResourceId "https://graph.ppe.windows.net/"
-MicrosoftGraphEndpointResourceId "https://graph.microsoft-ppe.com/"
-MicrosoftGraphUrl "https://graph.microsoft-ppe.com/v1.0/"

Reference:

Powered by issue-sentinel

@isra-fel
Member

The problem is some of the properties such as MicrosoftGraphEndpointResourceId are under a nested data structure.

PS C:\Users\> $prod = Get-AzEnvironment -Name AzureCloud
PS C:\Users\[3.67s]> $prod.MicrosoftGraphEndpointResourceId
PS C:\Users\[0.03s]> $prod.ExtendedProperties.MicrosoftGraphUrl #<---- note the ExtendedProperties here
https://graph.microsoft.com
PS C:\Users\[0.04s]> $prod.ExtendedProperties.MicrosoftGraphEndpointResourceId
https://graph.microsoft.com/

This design was to prevent a binary breaking change, BTW.

@abatishchev
Author

abatishchev commented Jun 13, 2025

Fix:

$prod = Get-AzEnvironment -Name AzureCloud
# Same parameters as in the Add-AzEnvironment call above, plus the two nested ones:
Set-AzEnvironment -Name Canary `
  -MicrosoftGraphUrl $prod.ExtendedProperties.MicrosoftGraphUrl `
  -MicrosoftGraphEndpointResourceId $prod.ExtendedProperties.MicrosoftGraphEndpointResourceId

Thanks, @isra-fel !!
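The root cause above (Graph settings living under ExtendedProperties, so a top-level read silently yields $null) and the fix are easy to get wrong again the next time an environment is cloned. The script below is an added example, not code from the issue or from the Az project: it builds the Add-AzEnvironment parameters from the source environment, reads the Microsoft Graph values from ExtendedProperties as @isra-fel pointed out, and refuses to register the environment while any token-audience setting is still empty, so the misconfiguration fails at registration time instead of surfacing later as a SharedTokenCacheCredential failure. The PSAzureEnvironment property names GraphUrl and ResourceManagerUrl, and the function names, are assumptions of this example; the cmdlet parameters are the ones used in the issue.

```powershell
# Added example (not from the issue or the Az project). Clones an Az environment
# the way the thread ends up recommending and validates it before Login-AzAccount.
function Get-AzEnvironmentCloneParameters {
    param(
        [Parameter(Mandatory)][string] $SourceName,
        [Parameter(Mandatory)][string] $TargetName,
        [Parameter(Mandatory)][string] $ResourceManagerEndpoint
    )

    $src = Get-AzEnvironment -Name $SourceName
    if (-not $src) { throw "Source environment '$SourceName' was not found." }

    # Map PSAzureEnvironment properties to Add-AzEnvironment parameter names.
    # The names do not always match (assumed here: GraphUrl -> -GraphEndpoint).
    # A non-existent property reads as $null with no error, which is how the
    # original clone ended up with empty Graph settings.
    $params = @{
        Name                                     = $TargetName
        ActiveDirectoryAuthority                 = $src.ActiveDirectoryAuthority
        ActiveDirectoryServiceEndpointResourceId = $src.ActiveDirectoryServiceEndpointResourceId
        AdTenant                                 = $src.AdTenant
        ResourceManagerEndpoint                  = $ResourceManagerEndpoint
        ManagementPortalUrl                      = $src.ManagementPortalUrl
        ServiceManagementUrl                     = $src.ServiceManagementUrl
        GraphEndpoint                            = $src.GraphUrl
        GraphEndpointResourceId                  = $src.GraphEndpointResourceId
        # These two live under ExtendedProperties, not at the top level.
        MicrosoftGraphUrl                        = $src.ExtendedProperties.MicrosoftGraphUrl
        MicrosoftGraphEndpointResourceId         = $src.ExtendedProperties.MicrosoftGraphEndpointResourceId
    }

    # Fail fast on the settings that determine which token audience is requested.
    $required = @(
        'ActiveDirectoryAuthority',
        'ActiveDirectoryServiceEndpointResourceId',
        'GraphEndpointResourceId',
        'MicrosoftGraphUrl',
        'MicrosoftGraphEndpointResourceId'
    )
    $missing = $required | Where-Object { [string]::IsNullOrWhiteSpace($params[$_]) }
    if ($missing) {
        throw "Refusing to register '$TargetName': empty value(s) for $($missing -join ', ')."
    }
    return $params
}

# Re-checks an already registered environment, e.g. one created with the
# original (broken) clone, so it can be repaired with Set-AzEnvironment.
function Test-AzEnvironmentGraphSettings {
    param([Parameter(Mandatory)][string] $Name)

    $target = Get-AzEnvironment -Name $Name
    if (-not $target) { throw "Environment '$Name' was not found." }

    $problems = @()
    foreach ($key in 'MicrosoftGraphUrl', 'MicrosoftGraphEndpointResourceId') {
        if ([string]::IsNullOrWhiteSpace($target.ExtendedProperties[$key])) {
            $problems += "$key is empty (Get-AzAD* cmdlets will fail to acquire a Graph token)"
        }
    }
    if ($problems) {
        Write-Warning ("Environment '{0}' is misconfigured:`n  {1}" -f $Name, ($problems -join "`n  "))
        return $false
    }
    return $true
}

# Usage (values as in the issue):
$splat = Get-AzEnvironmentCloneParameters -SourceName AzureCloud -TargetName Canary `
    -ResourceManagerEndpoint 'https://eastus2euap.management.azure.com'
Add-AzEnvironment @splat
if (Test-AzEnvironmentGraphSettings -Name Canary) {
    Write-Host 'Canary environment registered with valid Microsoft Graph settings.'
}
```

Test-AzEnvironmentGraphSettings is the useful part for an environment that was already registered with the original clone: run it against Canary, and if it reports the two Graph keys as empty, apply the Set-AzEnvironment fix above and run it again before logging in.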
