
[Bug] Service accounts that are exempt from MFA fail to authenticate using WAM #4732

Open
gustavoaca1997 opened this issue Apr 26, 2024 · 3 comments

Comments

@gustavoaca1997

Library version used

4.59.0

.NET version

.NET Standard 2.0

Scenario

PublicClient - desktop app

Is this a new or an existing app?

The app is in production, I haven't upgraded MSAL, but started seeing this issue

Issue description and reproduction steps

User is using a service account that is exempt from MFA. AcquireTokenSilentAsync will fail with this error:

MSAL.Desktop.4.59.0.0.MsalUiRequiredException: 
2024/04/22 03:34:52 PM     ErrorCode: wam_no_account_for_id
2024/04/22 03:34:52 PM  Microsoft.Identity.Client.MsalUiRequiredException: Could not find a WAM account for the selected user. Error: Status: AccountNotFound
2024/04/22 03:34:52 PM  Context: Account with id '(pii)' not found
2024/04/22 03:34:52 PM  Tag: 0x1f553780
2024/04/22 03:34:52 PM     at Microsoft.Identity.Client.Internal.Requests.Silent.SilentRequest.<ExecuteAsync>d__5.MoveNext()
2024/04/22 03:34:52 PM  --- End of stack trace from previous location where exception was thrown ---
2024/04/22 03:34:52 PM     at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
2024/04/22 03:34:52 PM     at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
2024/04/22 03:34:52 PM     at Microsoft.Identity.Client.Internal.Requests.RequestBase.<RunAsync>d__12.MoveNext()
2024/04/22 03:34:52 PM  --- End of stack trace from previous location where exception was thrown ---
2024/04/22 03:34:52 PM     at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
2024/04/22 03:34:52 PM     at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
2024/04/22 03:34:52 PM     at Microsoft.Identity.Client.ApiConfig.Executors.ClientApplicationBaseExecutor.<ExecuteAsync>d__2.MoveNext()
2024/04/22 03:34:52 PM  --- End of stack trace from previous location where exception was thrown ---
2024/04/22 03:34:52 PM     at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
2024/04/22 03:34:52 PM     at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
2024/04/22 03:34:52 PM     at Microsoft.Engineering.VPackLite.Auth.NetworkCredentialProvider.<AcquireEntraIDTokenAsync>d__22.MoveNext()
2024/04/22 03:34:52 PM     StatusCode: 0 
2024/04/22 03:34:52 PM     ResponseBody:  
2024/04/22 03:34:52 PM     Headers: 

But if we use IWA, it will succeed. This is problematic because IWA doesn't read from the Token Cache, so we need to implement a custom cache for that scenario.

Relevant code snippets

using System.Threading;
using Microsoft.Identity.Client;

// This is how we invoke Acquire Token Silent with WAM (this.App is an IPublicClientApplication
// built with the Windows broker; existingAccount is an IAccount from GetAccountsAsync)
AuthenticationResult silentResult = await this.App.AcquireTokenSilent(scopes, existingAccount)
                    .WithCorrelationId(this.correlationId)
                    .ExecuteAsync();

// This is how we invoke Acquire Token with IWA (Integrated Windows Authentication)
AuthenticationResult iwaResult = await this.App.AcquireTokenByIntegratedWindowsAuth(scopes)
                    .WithCorrelationId(this.correlationId)
                    .ExecuteAsync(CancellationToken.None);

Expected behavior

No response

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

No response

gustavoaca1997 added labels: needs attention, untriaged (Apr 26, 2024)
neha-bhargava added labels: bug, public-client; removed labels: untriaged, needs attention (Apr 29, 2024)
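The report above describes one specific failure (AcquireTokenSilent through WAM throwing MsalUiRequiredException with error code wam_no_account_for_id) and one working alternative (AcquireTokenByIntegratedWindowsAuth). The following is an added example, not the reporter's code and not part of MSAL.NET, showing how a caller can fall back to IWA for exactly that case without silently downgrading the authentication path for every user. The class name ServiceAccountTokenProvider, the allowlist field _mfaExemptUpns and the method AcquireAsync are assumptions for illustration; the error-code string is copied from the log in the report, and the MSAL.NET calls used (AcquireTokenSilent, AcquireTokenByIntegratedWindowsAuth, WithUsername, WithCorrelationId, ExecuteAsync, MsalException.ErrorCode) are public API in 4.59.0.

```csharp
using System;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example (not the reporter's code, not MSAL.NET's own): try the WAM-backed
// silent flow first and fall back to IWA only for the exact failure in the report.
// ServiceAccountTokenProvider, _mfaExemptUpns and AcquireAsync are illustrative names.
public sealed class ServiceAccountTokenProvider
{
    // Error code taken from the MsalUiRequiredException in the reporter's log.
    private const string WamNoAccountForId = "wam_no_account_for_id";

    private readonly IPublicClientApplication _app;

    // Assumed configuration: UPNs of accounts known to be MFA-exempt service accounts.
    // The IWA fallback is never attempted for an account outside this set, so ordinary
    // users keep hitting the broker / interactive path (and its MFA) as usual.
    private readonly HashSet<string> _mfaExemptUpns;

    public ServiceAccountTokenProvider(IPublicClientApplication app, IEnumerable<string> mfaExemptUpns)
    {
        _app = app ?? throw new ArgumentNullException(nameof(app));
        _mfaExemptUpns = new HashSet<string>(mfaExemptUpns, StringComparer.OrdinalIgnoreCase);
    }

    public async Task<AuthenticationResult> AcquireAsync(
        IEnumerable<string> scopes, IAccount existingAccount, Guid correlationId, CancellationToken ct)
    {
        try
        {
            // 1. Normal path: silent acquisition for the account the caller already holds.
            //    With the Windows broker enabled this is served by WAM.
            return await _app.AcquireTokenSilent(scopes, existingAccount)
                .WithCorrelationId(correlationId)
                .ExecuteAsync(ct)
                .ConfigureAwait(false);
        }
        catch (MsalUiRequiredException ex) when (ex.ErrorCode == WamNoAccountForId
                                                 && existingAccount != null
                                                 && _mfaExemptUpns.Contains(existingAccount.Username))
        {
            // 2. Only the specific error from the report, and only for an allowlisted
            //    service account, is retried via Integrated Windows Authentication.
            //    Pinning the username keeps the returned token bound to the identity
            //    the caller asked for rather than whichever Windows logon is current.
            return await _app.AcquireTokenByIntegratedWindowsAuth(scopes)
                .WithUsername(existingAccount.Username)
                .WithCorrelationId(correlationId)
                .ExecuteAsync(ct)
                .ConfigureAwait(false);
        }
        // Every other MsalUiRequiredException (consent, MFA, password reset, ...) propagates
        // unchanged so the caller can run AcquireTokenInteractive instead of quietly
        // switching to a weaker flow.
    }
}
```

The exception filter is the security-relevant part: catching MsalUiRequiredException wholesale and retrying with IWA would turn every "user interaction required" condition into a non-interactive attempt, which is exactly the kind of downgrade a Conditional Access policy is meant to prevent. Because the reporter states that the IWA result is not picked up by the next silent call, this provider will re-run IWA on each invocation for an allowlisted account; if that round-trip matters, the caller can hold on to the returned AuthenticationResult and reuse its AccessToken until ExpiresOn instead of building a second cache.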
iulico-1 (Contributor) commented May 1, 2024

Can you provide the exact repro steps? Are you signed in to Windows with your Entra ID account?

localden (Collaborator) commented

@gustavoaca1997 to also add to what @iulico-1 is asking, is this for a Microsoft service account (that is, used inside the Microsoft tenant)?

iulico-1 (Contributor) commented

@gustavoaca1997, a few more questions regarding the repro steps:

  • Was the service account removed from WAM by any chance for the user?
  • When you say service account, do you mean that this account can only handle Username and Password ROPC auth?
