azd pipeline config login issues

[chuwik]

• Make sure you've installed the latest version using instructions in the wiki

Output from azd version
azd version 1.2.0 (commit 99ea757)

Describe the bug
azd pipeline config is failing to create a service principal, asking me to reauthenticate with azd auth login --scope https://graph.microsoft.com/.default.. This command never succeeds, after I login successfully from a domain managed PC it still shows an error saying that my device must be managed by Microsoft to access the resource.

To Reproduce
azd auth login --use-device-code
azd pipeline config
azd auth login --scope https://graph.microsoft.com/.default.

Expected behavior
Login succeeds and azd can finish configuring the pipeline.

Environment
Information on your environment:
* Windows 11, Powershell 7.3.6

[rajeshkamal5050]

Seems similar to issue azd auth login with scope does not work #2277 @weikanglim @vhvb1989 do we have any workaround for this?

[weikanglim]

Hi @chuwik

From the error message, specifically "Your sign-in was successful but your admin requires the device requesting access to be managed by Microsoft to access this resource"

It looks like your sign-in was successful, but the device isn't trusted based on the configured policies on the Microsoft tenant.

I would try that following:

1. Make sure you're logged into Edge using your work profile and try logging in via Edge. This is usually the reason why the device isn't trusted.
2. Try reproducing this going to the Graph Explorer API and clicking the Person icon on the top right of the screen to sign in to your @Microsoft.com account to see if you get any additional errors.

[chuwik]

Both options check out:

• I'm using Edge with work profile, it's even showing a 'Managed by your organization' message in the Settings menu
• I can login without problems from the Graph Explorer

I'm running into login issues for azd provision too. Here's the chain of commands and errors I'm seeing:

azd auth login -> successful

azd provision -> ERROR: deployment failed: failing invoking action 'provision', error deploying infrastructure: starting deployment to subscription: login expired, run `azd auth login --scope https://management.core.windows.net//.default to log in

azd auth login --scope https://management.core.windows.net//.default -> successful

azd provision -> ERROR: deployment failed: failing invoking action 'provision', error deploying infrastructure: creating parameters file: fetching current principal id: getting tenant id for subscription . Error: failed to resolve user access to subscription with ID . If you recently gained access to this subscription, run azd auth login again to reload subscriptions. Otherwise, visit this subscription in Azure Portal using the browser, then run azd auth login.

I get stuck in this loop, but azd provision never succeeds.

Note: I'm an owner of the subscription, see it in the portal, etc. I've obscured the sub-id in the messages above.

[weikanglim]

If you run azd env get-values, does an entry for AZURE_SUBSCRIPTION_ID show up?

[chuwik]

It does.

I deleted ~/.azd and azd provision is now working. Will try with azd pipeline config after, maybe clearing that dir did the trick.

[chuwik]

Clearing .azd and retrying fixed all the auth issues I had, now I can run both azd provision and azd pipeline config. Feel free to close, I can provide more info if it can help you investigate. Unfortunately I didn't keep a copy of .azd before deleting it.

[weikanglim]

We were able to find a copy of an azd user's ~/.azd and track down the cause. Closing this in favor of #2659.