pnp/cli-microsoft365

Bug report: login --cloud USGov is forcing UsGovHigh logins.

Closed this issue · 9 comments

Priority

(Urgent) I can't use the CLI

Description

If I log in without specifying the cloud to my GCC Low / USGov Cloud tenant, the login succeeds.
But when I try something like m365 flow list -e <env GUID>, I get the following error:

Error: Request for GCC tenant is not applicable in the current unitedstates cloud.

If I try to log in specifying the cloud via m365 login --cloud UsGov, the login fails, saying it can't find my account.

This leads me to believe it's using the USGov High endpoints to authenticate, and not the commercial endpoints.

This is because GCC Low uses commercial endpoints for authentication; please see the diagram below for more info:
[image: diagram]

Steps to reproduce

Try to log in to a GCC Low environment and list the flows -- notice that the --cloud USGov option does not work and is behaving as if it's a GCC High login.

Expected results

GCC Low should use the regular commercial endpoints to log in (i.e. https://login.microsoftonline.com/{{TenantId}}/oauth2/v2.0/token with scopes such as https://gov.service.flow.microsoft.us//.default), and still be able to query for the list of flows via https://gov.api.flow.microsoft.us/providers/Microsoft.ProcessSimple/environments/{{envId}}/flows/, etc.

Actual results

Can't login to GCC Low -- Can't list flows when logged in as commercial.

Diagnostics

m365 login --cloud USGov --debug
Executing command login with options {"options":{"cloud":"USGov","debug":true,"output":"json"}}
Executing command as 'REDACTED', appId: 31359c7f-bd7e-475c-86db-fdb8c937548e, tenantId: 807536a6-a6b1-4893-a013-70509c59ebbb
Logging out from Microsoft 365...
Signing in to Microsoft 365...
No token found for resource https://graph.microsoft.com.
[Tue, 18 Jun 2024 16:31:50 GMT] : [] : @azure/msal-node@2.7.0 : Info - getTokenCache called
[Tue, 18 Jun 2024 16:31:50 GMT] : [] : @azure/msal-common@14.9.0 : Info - CacheManager:getIdToken - Returning ID token
Starting Auth.ensureAccessTokenWithDeviceCode. resource: https://graph.microsoft.com, debug: true
[Tue, 18 Jun 2024 16:31:50 GMT] : [] : @azure/msal-node@2.7.0 : Info - acquireTokenByDeviceCode called
[Tue, 18 Jun 2024 16:31:50 GMT] : [] : @azure/msal-node@2.7.0 : Verbose - initializeRequestScopes called
[Tue, 18 Jun 2024 16:31:50 GMT] : [878d2feb-ed02-46c3-a898-118309dee46e] : @azure/msal-node@2.7.0 : Verbose - buildOauthClientConfiguration called
[Tue, 18 Jun 2024 16:31:50 GMT] : [878d2feb-ed02-46c3-a898-118309dee46e] : @azure/msal-node@2.7.0 : Verbose - createAuthority called
[Tue, 18 Jun 2024 16:31:50 GMT] : [] : @azure/msal-node@2.7.0 : Verbose - Attempting to get cloud discovery metadata  from authority configuration
[Tue, 18 Jun 2024 16:31:50 GMT] : [] : @azure/msal-node@2.7.0 : Verbose - Did not find cloud discovery metadata in the config... Attempting to get cloud discovery metadata from the hardcoded values.
[Tue, 18 Jun 2024 16:31:50 GMT] : [] : @azure/msal-node@2.7.0 : Verbose - Found cloud discovery metadata from hardcoded values.
[Tue, 18 Jun 2024 16:31:50 GMT] : [] : @azure/msal-node@2.7.0 : Verbose - Attempting to get endpoint metadata from authority configuration
[Tue, 18 Jun 2024 16:31:50 GMT] : [] : @azure/msal-node@2.7.0 : Verbose - Did not find endpoint metadata in the config... Attempting to get endpoint metadata from the hardcoded values.
[Tue, 18 Jun 2024 16:31:50 GMT] : [878d2feb-ed02-46c3-a898-118309dee46e] : @azure/msal-node@2.7.0 : Info - Building oauth client configuration with the following authority: https://login.microsoftonline.us/common/oauth2/v2.0/token.
[Tue, 18 Jun 2024 16:31:50 GMT] : [878d2feb-ed02-46c3-a898-118309dee46e] : @azure/msal-node@2.7.0 : Verbose - Device code client created
Response:
{
  userCode: 'REDACTED',
  deviceCode: 'REDACTED',
  verificationUri: 'https://microsoft.com/deviceloginus',
  expiresIn: 900,
  interval: 5,
  message: 'To sign in, use a web browser to open the page https://microsoft.com/deviceloginus and enter the code REDACTED to authenticate.'
}

[Tue, 18 Jun 2024 16:31:51 GMT] : [878d2feb-ed02-46c3-a898-118309dee46e] : @azure/msal-common@14.9.0 : Info - Authorization pending. Continue polling.
🌶️  To sign in, use a web browser to open the page https://microsoft.com/deviceloginus and enter the code REDACTED to authenticate.

You can see here it's directing us to use https://microsoft.com/deviceloginus -- but for GCC Low it should be doing a regular devicelogin.

The difference between GCC and commercial is that the scopes are different. The APIs are all at .us locations, but we login with Commercial Azure AD.

CLI for Microsoft 365 version

v7.9.0

nodejs version

v20.14.0

Operating system (environment)

Windows

Shell

PowerShell

cli doctor

{
  "os": {
    "platform": "win32",
    "version": "Windows 11 Enterprise",
    "release": "10.0.22631"
  },
  "cliVersion": "7.9.0",
  "nodeVersion": "v20.14.0",
  "cliAadAppId": "31359c7f-bd7e-475c-86db-fdb8c937548e",
  "cliAadAppTenant": "common",
  "authMode": "DeviceCode",
  "cliEnvironment": "",
  "cliConfig": {},
  "roles": [],
  "scopes": {
    "https://graph.microsoft.com": [
      "AllSites.FullControl",
      "AppCatalog.ReadWrite.All",
      "ChannelMember.ReadWrite.All",
      "ChannelMessage.Send",
      "ChannelSettings.ReadWrite.All",
      "Directory.AccessAsUser.All",
      "Directory.ReadWrite.All",
      "Group.ReadWrite.All",
      "IdentityProvider.ReadWrite.All",
      "Mail.ReadWrite",
      "Mail.Send",
      "Policy.Read.All",
      "Reports.Read.All",
      "Tasks.ReadWrite",
      "Team.Create",
      "TeamMember.ReadWrite.All",
      "TeamsApp.ReadWrite.All",
      "TeamsAppInstallation.ReadWriteForUser",
      "TeamSettings.ReadWrite.All",
      "TeamsTab.ReadWrite.All",
      "TermStore.ReadWrite.All",
      "User.Invite.All",
      "User.ReadWrite.All",
      "profile",
      "openid",
      "email"
    ],
    "https://management.azure.com/": [
      "user_impersonation"
    ]
  }
}

Additional Info

Let me know if you need me to test a specific build or something. -- As-is, I can't use this on my customer's GCC tenant. -- I can share a login flow that works using Postman if it helps.

Thank you @BrainSlugs83 for bringing it up.
We will look into it ASAP.

Thanks for the detailed info @BrainSlugs83, your extra information helps quite a lot!
It's always hard to develop stuff for tenants we don't have access to 😊
Changing the login flow for USGov to commercial endpoints is quite easy as far as I can see. However, currently, all Power Automate commands we provide only work with public cloud tenants. If I'm not mistaken, we encountered some issues making it work for non-public clouds, or we couldn't find the right endpoint (#1931).

Since currently we're not supporting Power Automate commands for non-public clouds, it might be a good idea to create a separate issue for this and keep this issue to fix the login issue.

Let's involve @waldekmastykarz in this thread since he worked on the non-public support a few months ago.

Thanks @milanholemans for the clarification about the Power Automate commands.
I had a quick check in the code and it seems we might be doing it wrong for the login command as well.

It seems that for any of the USGov... CloudType values we use the same AzureCloudInstance, which in this case is AzureUsGovernment, but as pointed out, for USGov we should be using AzurePublic.
[image]

Due to that, we get
[image]
which I think is the problem.
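The reporter's explanation (GCC logs in against commercial Entra ID but calls .us resource endpoints, so the debug transcript should show https://microsoft.com/devicelogin rather than deviceloginus) and the maintainer's diagnosis above (all USGov cloud types mapped to the same AzureCloudInstance) describe the same expected-versus-actual authority mapping. The following is an added example, not code from cli-microsoft365: it encodes that mapping for the cloud types discussed in this thread and audits a pasted `m365 login --debug` transcript against it, using the authority and verification URI lines in the format shown above. The cloud type names mirror the CLI's --cloud values; the mapping table and the regexes are this example's assumptions, and the sample log is constructed from the transcript in the issue.

```typescript
// Added example, not cli-microsoft365 code. Which Entra ID authority and device-login
// page each US government cloud type is expected to use, per the discussion in this issue.
type CloudType = 'Public' | 'USGov' | 'USGovHigh' | 'USGovDoD';

// Assumption from the thread: GCC (USGov) authenticates against the commercial authority;
// only GCC High and DoD use the separate login.microsoftonline.us instance.
const AUTHORITY_HOST: Record<CloudType, string> = {
  Public: 'login.microsoftonline.com',
  USGov: 'login.microsoftonline.com',
  USGovHigh: 'login.microsoftonline.us',
  USGovDoD: 'login.microsoftonline.us',
};

// Device-code verification page that goes with each authority.
const DEVICE_LOGIN_URI: Record<CloudType, string> = {
  Public: 'https://microsoft.com/devicelogin',
  USGov: 'https://microsoft.com/devicelogin',
  USGovHigh: 'https://microsoft.com/deviceloginus',
  USGovDoD: 'https://microsoft.com/deviceloginus',
};

function expectedAuthorityHost(cloud: CloudType): string {
  return AUTHORITY_HOST[cloud];
}

function expectedDeviceLoginUri(cloud: CloudType): string {
  return DEVICE_LOGIN_URI[cloud];
}

// Pull the authority MSAL built and the verification URI it returned out of a debug log.
// The line formats are the ones visible in the transcript; both fields are optional so a
// truncated log yields a finding instead of an exception.
function parseLoginDebugLog(log: string): { authority?: string; verificationUri?: string } {
  const authority = /following authority: (https?:\/\/\S+?)\.?$/m.exec(log)?.[1];
  const verificationUri = /verificationUri: '([^']+)'/.exec(log)?.[1];
  return { authority, verificationUri };
}

// Compare what the CLI actually did against what the chosen cloud type should do.
// Returns one human-readable finding per mismatch; an empty array means the login flow
// targeted the expected cloud instance.
function auditLoginDebugLog(cloud: CloudType, log: string): string[] {
  const findings: string[] = [];
  const { authority, verificationUri } = parseLoginDebugLog(log);

  if (!authority) {
    findings.push('no "Building oauth client configuration" line found in log');
  } else {
    const host = new URL(authority).host;
    if (host !== AUTHORITY_HOST[cloud]) {
      findings.push(`authority host is ${host}, but ${cloud} should use ${AUTHORITY_HOST[cloud]}`);
    }
  }

  if (!verificationUri) {
    findings.push('no verificationUri found in log');
  } else if (verificationUri !== DEVICE_LOGIN_URI[cloud]) {
    findings.push(`device login page is ${verificationUri}, but ${cloud} should use ${DEVICE_LOGIN_URI[cloud]}`);
  }

  return findings;
}

// Constructed sample: the relevant lines from the transcript posted in this issue.
const SAMPLE_LOG = [
  'Executing command login with options {"options":{"cloud":"USGov","debug":true,"output":"json"}}',
  '[Tue, 18 Jun 2024 16:31:50 GMT] : [] : @azure/msal-node@2.7.0 : Info - Building oauth client configuration with the following authority: https://login.microsoftonline.us/common/oauth2/v2.0/token.',
  'Response:',
  '{',
  "  userCode: 'REDACTED',",
  "  verificationUri: 'https://microsoft.com/deviceloginus',",
  '}',
].join('\n');

// For --cloud USGov this reports two mismatches (authority and device-login page);
// the same transcript passes cleanly when audited as USGovHigh, which is exactly the
// "behaving as if it's a GCC High login" symptom from the report.
console.log(auditLoginDebugLog('USGov', SAMPLE_LOG));
console.log(auditLoginDebugLog('USGovHigh', SAMPLE_LOG));
```

Run it with ts-node or tsx against a saved `--debug` transcript to confirm, before and after a fix, that the login flow for a given --cloud value reaches the authority the cloud type calls for; a fixed build should leave the USGov audit with no findings.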

Thank you for bringing this to our attention @BrainSlugs83 and sharing the additional information about GCC. Like @Adam-it pointed out, it's a bug on our end. We'll get this fixed asap. Sorry for the trouble.

As for lack of support for non-public clouds for Power Platform commands, it's currently by-design, and we're tracking it in here: #4746

@BrainSlugs83 we've just released a new beta release with a fix to the login command that should solve your case.
May I kindly ask you to double check and let us know if it is ok now?
Thanks for using CLI for Microsoft 365 and for helping us improve it. You Rock 🤩
Cheers 👍

Sure, I'll check it out tomorrow. Sorry for the delay.


Well, the login to my USGov account is working now -- but without #4746, I'm not really able to test anything beyond the login.

If you could post your findings on how to obtain power automate flows on USGov tenants on that issue, that would be helpful.