WAM does not integrate with browser's password manager

[elygre]

az login says that you are preparing to switch to WAM (Web Authentication Manager). The message says "To help us collect feedback on the new login experience, you may opt-in to use WAM by running the following commands", which indicates that you want feedback. At the same time, you don't say where, so I chose this channel.

My feedback: WAM does not seem to integrate with my password manager. This creates a much more annoying workflow: The WAM-window opens, i select the username, I have to switch to a browser, open the password manager, copy the password, return to the WAM-window, paste the password, submit the login, switch to my command line.

The corresponding browser-login is much simpler: The browser opens, I select the username, password is automatically filled, I submit, and switch to the command line.

So, for me, the important command is az config set core.allow_broker=false, which I hope will remain operational.

[yonzhan]

@jiasli for awareness

[rayluo]

WAM does not seem to integrate with my password manager. This creates a much more annoying workflow: The WAM-window opens, i select the username, I have to switch to a browser, open the password manager, copy the password, return to the WAM-window, paste the password, submit the login, switch to my command line.

Hi @elygre , did you need to do that just once, or did you need to do that for every "az login" even for the same account?

[elygre]

So there are two levels of "az login".

• First, when Azure requires a login, because for example "Your organizational policy requires you to sign in again after a certain time period." In these scenarios I need to enter a password, and the WAM password dialog does not integrate with my password manager -- and probably not with any password manager?
• Second, if I for example open a new shell and execute a new "az login" before the login expiration, then a new login is not required, and a new password is not required, and therefore the password manager integration is not required.

For my organization, the login lifetime is measured in a few hours, and I need multiple "real" logins during a workday.

[ms6073]

Wanted to comment that on my Win 10 laptop, running the suggested commands resulted in my no longer being able to to actually login to the azure client!

az config set core.allow_broker=false
az account clear
az login

After which login attempts returned a variety of errors, the most common that was repeated with each logon attempt was as follows. Fortunately I stumbled across the OP and was able to resolve the issue setting core.allow_broker=true:

Winrt exception was thrown during GetTokenSilently '(pii)'.. Status: Response_Status.Status_Unexpected, Error code: -2147023584, Tag: 590996738
Please explicitly log in with: az login

[rayluo]

Wanted to comment that on my Win 10 laptop, running the suggested commands resulted in my no longer being able to to actually login to the azure client!

az config set core.allow_broker=false az account clear az login

After which login attempts returned a variety of errors, the most common that was repeated with each logon attempt was as follows. Fortunately I stumbled across the OP and was able to resolve the issue setting core.allow_broker=true:

Winrt exception was thrown during GetTokenSilently '(pii)'.. Status: Response_Status.Status_Unexpected, Error code: -2147023584, Tag: 590996738 Please explicitly log in with: az login

Are you sure you did not actually use the "...allow_broker=true" or "...false" in the opposite way? That error message would only show up when broker was in effect.

[ms6073]

Sorry, may have juxtaposed the cmds. Our organization requires additional authentication in which a web page opens and prompts for the password and then have to complete 2FA using MS Authenticator app, and after the login is approved, the page refreshed with the prompt about WAM and I decided to run the cmds as outlined on that webpage.

[rayluo]

Winrt exception was thrown during GetTokenSilently '(pii)'.. Status: Response_Status.Status_Unexpected, Error code: -2147023584, Tag: 590996738 Please explicitly log in with: az login

@ms6073, would you mind re-enabling broker by setting "allow_broker=true", and then reproduce the problem while running "az login --debug", and then send the logs to us? You can find our email from our github profile.
CC: @MSamWils, @jiasli .

[ms6073]

Regards, Michael (Replay may have been sent from Android - so forgive teh typos)

On Thu, Apr 6, 2023 at 6:49 PM Ray Luo ***@***.***> wrote: Winrt exception was thrown during GetTokenSilently '(pii)'.. Status: Response_Status.Status_Unexpected, Error code: -2147023584, Tag: 590996738 Please explicitly log in with: az login @ms6073 <https://github.com/ms6073>, would you mind re-enabling broker by setting "allow_broker=true", and then reproduce the problem while running "az login --debug", and then send the logs to us? You can find our email from our github profile. CC: @MSamWils <https://github.com/MSamWils>, @jiasli <https://github.com/jiasli> . — Reply to this email directly, view it on GitHub <#25787 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AHLKNQAA6KE3EM3I7TNVYC3W75I7HANCNFSM6AAAAAAVY6CJEU> . You are receiving this because you were mentioned.Message ID: ***@***.***>

DEBUG: cli.knack.cli: Command arguments: ['login', '--debug'] DEBUG: cli.knack.cli: __init__ debug log: Cannot enable color. DEBUG: cli.knack.cli: Event: Cli.PreExecute [] DEBUG: cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x02FEB3D0>, <function OutputProducer.on_global_arguments at 0x031B9B68>, <function CLIQuery.on_global_arguments at 0x031D77C0>] DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate [] DEBUG: cli.azure.cli.core: Modules found from index for 'login': ['azure.cli.command_modules.profile'] DEBUG: cli.azure.cli.core: Loading command modules: DEBUG: cli.azure.cli.core: Name Load Time Groups Commands DEBUG: cli.azure.cli.core: profile 0.004 2 9 DEBUG: cli.azure.cli.core: Total (1) 0.004 2 9 DEBUG: cli.azure.cli.core: Loaded 2 groups, 9 commands. DEBUG: cli.azure.cli.core: Found a match in the command table. DEBUG: cli.azure.cli.core: Raw command : login DEBUG: cli.azure.cli.core: Command table: login DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x03BB62F8>] DEBUG: cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\shepherdm3_apadm\.azure\commands\2023-04-10.08-10-00.login.12008.log'. INFO: az_command_data_logger: command args: login --debug DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x03BDE3D0>] DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad [] DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x03BED2F8>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x03BED4F0>] DEBUG: cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded [] DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreParseArgs [] DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x031B9BB0>, <function CLIQuery.handle_query_parameter at 0x031D7808>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x03BED4A8>] DEBUG: cli.azure.cli.core.auth.persistence: build_persistence: location='C:\\Users\\shepherdm3_apadm\\.azure\\msal_token_cache.bin', encrypt=True DEBUG: cli.azure.cli.core.auth.binary_cache: load: C:\Users\shepherdm3_apadm\.azure\msal_http_cache.bin DEBUG: urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None) DEBUG: msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/organizations/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/{tenantid}/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/organizations/kerberos', 'tenant_region_scope': None, 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'} DEBUG: msal.application: Broker enabled? True DEBUG: msal.application: Falls back to broker._signin_interactively() WARNING: cli.azure.cli.core.auth.identity: Please select the account you want to log in with. DEBUG: msal.broker: [MSAL:0001] INFO SetCorrelationId:220 Set correlation ID: c9f9c44a-48ff-4471-8797-90dfb026c2b4 DEBUG: msal.broker: [MSAL:0001] WARNING TryNormalizeRealm:2234 No HomeAccountId provided to normalize the realm DEBUG: msal.broker: [MSAL:0001] INFO ModifyAndValidateAuthParameters:147 Additional query parameter added successfully. Key: '(pii)' Value: '(pii)' DEBUG: msal.broker: [MSAL:0001] INFO ModifyAndValidateAuthParameters:147 Additional query parameter added successfully. Key: '(pii)' Value: '(pii)' DEBUG: msal.broker: [MSAL:0001] INFO ModifyAndValidateAuthParameters:164 Authority Realm: organizations DEBUG: msal.broker: [MSAL:0002] WARNING TryReadUniversalStorage:590 Attempted to read cache with a non-normalized realm, access token and ID token reads will fail DEBUG: msal.broker: [MSAL:0002] WARNING ReadAccountById:186 Account id is empty - account not found DEBUG: msal.broker: [MSAL:0003] ERROR ErrorInternalImpl:134 Created an error: 55xnl, StatusInternal::Unexpected, InternalEvent::None, Error Code -2147023584, Context 'Unexpected exception while waiting for accounts control to finish: '(pii)'' DEBUG: msal.broker: [MSAL:0003] INFO LogTelemetryData:299 Printing Telemetry for Correlation ID: c9f9c44a-48ff-4471-8797-90dfb026c2b4 DEBUG: msal.broker: [MSAL:0003] INFO LogTelemetryData:307 Key: start_time, Value: 2023-04-10T13:10:00.000Z DEBUG: msal.broker: [MSAL:0003] INFO LogTelemetryData:307 Key: api_name, Value: SignInInteractively DEBUG: msal.broker: [MSAL:0003] INFO LogTelemetryData:307 Key: was_request_throttled, Value: false DEBUG: msal.broker: [MSAL:0003] INFO LogTelemetryData:307 Key: request_duration, Value: 39 DEBUG: msal.broker: [MSAL:0003] INFO LogTelemetryData:307 Key: authority_type, Value: Unknown DEBUG: msal.broker: [MSAL:0003] INFO LogTelemetryData:307 Key: msal_version, Value: 1.0.0+local DEBUG: msal.broker: [MSAL:0003] INFO LogTelemetryData:307 Key: client_id, Value: 04b07795-8ddb-461a-bbee-02f9e1bf7b46 DEBUG: msal.broker: [MSAL:0003] INFO LogTelemetryData:307 Key: correlation_id, Value: c9f9c44a-48ff-4471-8797-90dfb026c2b4 DEBUG: msal.broker: [MSAL:0003] INFO LogTelemetryData:307 Key: stop_time, Value: 2023-04-10T13:10:00.000Z DEBUG: msal.broker: [MSAL:0003] INFO LogTelemetryData:307 Key: msalruntime_version, Value: 0.13.2 DEBUG: msal.broker: [MSAL:0003] INFO LogTelemetryData:307 Key: request_eligible_for_broker, Value: true DEBUG: msal.broker: [MSAL:0003] INFO LogTelemetryData:307 Key: broker_app_used, Value: false DEBUG: msal.broker: [MSAL:0003] INFO LogTelemetryData:307 Key: ui_event_count, Value: 1 DEBUG: msal.broker: [MSAL:0003] INFO LogTelemetryData:307 Key: additional_query_parameters_count, Value: 2 DEBUG: msal.broker: [MSAL:0003] INFO LogTelemetryData:307 Key: read_token_last_error, Value: missing required parameter DEBUG: msal.broker: [MSAL:0003] INFO LogTelemetryData:307 Key: authorization_type, Value: Interactive DEBUG: msal.broker: [MSAL:0003] INFO LogTelemetryData:307 Key: api_error_code, Value: -2147023584 DEBUG: msal.broker: [MSAL:0003] INFO LogTelemetryData:307 Key: api_error_tag, Value: 55xnl DEBUG: msal.broker: [MSAL:0003] INFO LogTelemetryData:307 Key: api_status_code, Value: StatusInternal::Unexpected DEBUG: msal.broker: [MSAL:0003] INFO LogTelemetryData:307 Key: api_error_context, Value: Unexpected exception while waiting for accounts control to finish: '(pii)' DEBUG: msal.broker: [MSAL:0003] INFO LogTelemetryData:307 Key: all_error_tags, Value: 55xnl DEBUG: msal.broker: [MSAL:0003] INFO LogTelemetryData:307 Key: is_successful, Value: false DEBUG: msal.broker: [MSAL:0003] INFO LogTelemetryData:312 Printing Execution Flow: DEBUG: msal.broker: [MSAL:0003] INFO LogTelemetryData:318 {"t":"646u1","tid":1,"ts":0},{"t":"8dqim","tid":2,"ts":4},{"t":"8dqkl","tid":1,"ts":4,"a":9,"ie":0},{"t":"54uxd","tid":1,"ts":9},{"t":"8dqkn","tid":3,"ts":38,"a":5,"ie":1},{"t":"8dqko","tid":3,"ts":38,"a":9,"ie":1},{"t":"646u1","tid":3,"ts":39} DEBUG: cli.azure.cli.core.azclierror: Traceback (most recent call last): File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 663, in execute File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 726, in _run_jobs_serially File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 697, in _run_job File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 333, in __call__ File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/profile/custom.py", line 139, in login File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/_profile.py", line 154, in login File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/identity.py", line 159, in login_with_auth_code File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/util.py", line 133, in check_result File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/util.py", line 43, in aad_error_handler azure.cli.core.azclierror.AuthenticationError: Unexpected exception while waiting for accounts control to finish: '(pii)'. Status: Response_Status.Status_Unexpected, Error code: -2147023584, Tag: 528315211 ERROR: cli.azure.cli.core.azclierror: Unexpected exception while waiting for accounts control to finish: '(pii)'. Status: Response_Status.Status_Unexpected, Error code: -2147023584, Tag: 528315211 ERROR: az_command_data_logger: Unexpected exception while waiting for accounts control to finish: '(pii)'. Status: Response_Status.Status_Unexpected, Error code: -2147023584, Tag: 528315211 Please explicitly log in with: az login DEBUG: cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x03BB6418>] INFO: az_command_data_logger: exit code: 1 INFO: cli.__main__: Command ran in 0.720 seconds (init: 0.426, invoke: 0.294) INFO: telemetry.main: Begin splitting cli events and extra events, total events: 1 INFO: telemetry.client: Accumulated 0 events. Flush the clients. INFO: telemetry.main: Finish splitting cli events and extra events, cli events: 1 INFO: telemetry.save: Save telemetry record of length 3511 in cache INFO: telemetry.check: Returns Positive. INFO: telemetry.main: Begin creating telemetry upload process. INFO: telemetry.process: Creating upload process: "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry\__init__.pyc C:\Users\shepherdm3_apadm\.azure" INFO: telemetry.process: Return from creating process INFO: telemetry.main: Finish creating telemetry upload process.

[rayluo]

Thanks for the logs. We will look into this. 👀

[MSamWils]

Hi @ms6073, may I ask did you "run as a different user" when launching the console for doing the az login?

[ms6073]

@MSamWils

Yes. I work for a large health care organization and the account I logon with is not a member of the local administrator's group, thus for operations that require administrator rights on the local machine such as installing or updating software, I use another AD account with applicable permissions. There is a 3rd AD account that I must use for administering things in Azure, but for each of these, I am opening/running the CMD window as the applicable AD account requiring me to enter username/password for each instance. Note that the use of multiple accounts is a pretty common occurrence for IT members in health care organizations as well as oil & gas, and more than likely banking/finance.

[MSamWils]

Hi @ms6073 , circle back on this topic since we would like to learn about your scenario and may be able to provide alternative solution if applicable. Can you please send me an email at samwils AT microsoft DOT com to discuss more about that? Thanks