Azure Active Directory error '(invalid_grant) AADSTS50078, you must refresh your multi-factor authentication'

(HERMES) Thomas Duvivier 1 Reputation point
2021-11-03T09:50:43.397+00:00

Hello,

I am developing an Azure Function in python via vscode. I've been working on it for a year or so.
I did not work on this project for a month or two, and when I came back to it this week and tried to debug the Azure Function locally, I got the following error:

DefaultAzureCredential.get_token failed: SharedTokenCacheCredential raised unexpected error "Azure Active Directory error '(invalid_grant) AADSTS50078: Presented multi-factor authentication has expired due to policies configured by your administrator, you must refresh your multi-factor authentication to access 'MY_RESSOURCE_ID'.

The error is raised when I try to access the KeyVault here:

import os
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient
KVUri = os.environ["KEY_VAULT_ENDPOINT"]
credential = DefaultAzureCredential()  # tries Environment, ManagedIdentity, SharedTokenCache, ... in order
client = SecretClient(vault_url=KVUri, credential=credential)

I am contributor of the KeyVault and the Azure Function via a Resource Group (inherited), so this should not be a problem.

I used to simply connect to my Azure account via "az login" in Azure CLI or via "Azure: Sign in to Azure Cloud" or "Azure: Sign in", but this method does not seem to work anymore.

I tried

  • Emptying the cache in my web browser and in "Control Panel\User Accounts\Credential Manager", then re-logging in, but it did not work although I had to do the multi-factor authentication
  • Uninstalling VSCode and re-installing it, then rebooting my machine
  • Changing the azure-identity version
  • Setting the environment variables to authenticate as a workaround, but I still get the error "Incomplete environment configuration. Set variables: AZURE_TENANT_ID, AZURE_CLIENT_ID"
  • Updating VSCode to its latest version (1.61.2)

My client's Cloud Architect told me they did not change things that could have provoked this behavior.
There is an IP address restriction, but it did not change and my local debug already worked with this restriction in the past.

Could you please tell me what I should do to be able to debug my Azure Functions locally again?
Whether it is on my machine, in the portal, or in the overall Azure configuration.

Thanks!


CONFIG

--
Python 3.6.4
Windows 10.0.19042 build 19042
VSCode 1.61.2

Modules:

azure-functions==1.4.0
azure-functions-durable
azure-keyvault-secrets==4.2.0
dependency-injector==3.44.0
azure-identity==1.4.0
azure-storage-blob==12.8.1
pyodbc==4.0.30
pandas==1.1.4
numpy==1.19.3
tldextract==3.0.2
SQLAlchemy==1.4.20
matplotlib==3.3.4
requests==2.23.0
openpyxl==3.0.7
xlrd==2.0.1
xlwt==1.3.0


2 answers

  1. Marilee Turscak-MSFT 34,306 Reputation points Microsoft Employee
    2021-11-05T20:15:48.573+00:00

    Hi @(HERMES) Thomas Duvivier,

    This error can occur if Visual Studio Code loses its Azure authentication connection for some reason or your actual AD credentials have changed (for example, a password change). You can authenticate using az login with your latest password and DefaultAzureCredential, as described here: https://stackoverflow.com/questions/67165101/azure-chainedtokencredential-fails-after-password-change

    Another thing to try:

    If you haven't done so already, please try turning off the setting, "Remember MFA for X Days" / "Don't ask again for X days"

    https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#how-the-feature-works

    This feature can force interactive MFA to be requested after the specified days and your current tokens will be invalid.

    Let me know if this helps at all. If you are still having this issue I will be happy to open a support case for you.

    2 people found this answer helpful.

  2. (HERMES) Thomas Duvivier 1 Reputation point
    2021-11-03T09:53:24.437+00:00

    Here is the error in full:

    SharedTokenCacheCredential.get_token failed: Azure Active Directory error '(invalid_grant) AADSTS50078: Presented multi-factor authentication has expired due to policies configured by your administrator, you must refresh your multi-factor authentication to access '---'.
    [2021-11-03T09:46:40.373Z] Trace ID: ---
    [2021-11-03T09:46:40.378Z] Correlation ID: ---
    [2021-11-03T09:46:40.383Z] Timestamp: 2021-11-03 09:46:40Z'
    [2021-11-03T09:46:40.388Z] DefaultAzureCredential.get_token failed: SharedTokenCacheCredential raised unexpected error "Azure Active Directory error '(invalid_grant) AADSTS50078: Presented multi-factor authentication has expired due to policies configured by your administrator, you must refresh your multi-factor authentication to access '---'.
    [2021-11-03T09:46:40.393Z] Trace ID: ---
    [2021-11-03T09:46:40.398Z] Correlation ID: ---
    [2021-11-03T09:46:40.402Z] Timestamp: 2021-11-03 09:46:40Z'"
    [2021-11-03T09:46:40.408Z] DefaultAzureCredential failed to retrieve a token from the included credentials.
    Attempted credentials:
    EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
    ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
    SharedTokenCacheCredential: Azure Active Directory error '(invalid_grant) AADSTS50078: Presented multi-factor authentication has expired due to policies configured by your administrator, you must refresh your multi-factor authentication to access '---'.
    [2021-11-03T09:46:40.416Z] Trace ID: ---
    [2021-11-03T09:46:40.420Z] Correlation ID: ----
    [2021-11-03T09:46:40.424Z] Timestamp: 2021-11-03 09:46:40Z'
    [2021-11-03T09:46:40.584Z] Executed 'Functions.Test' (Failed, Id=---, Duration=14683ms)
    [2021-11-03T09:46:40.590Z] System.Private.CoreLib: Exception while executing function: Functions.Test. System.Private.CoreLib: Result: Failure
    Exception: ClientAuthenticationError: DefaultAzureCredential failed to retrieve a token from the included credentials.
    Attempted credentials:
    EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
    ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
    SharedTokenCacheCredential: Azure Active Directory error '(invalid_grant) AADSTS50078: Presented multi-factor authentication has expired due to policies configured by your administrator, you must refresh your multi-factor authentication to access '---'.
    [2021-11-03T09:46:40.600Z] Trace ID: ---
    [2021-11-03T09:46:40.605Z] Correlation ID: ---
    [2021-11-03T09:46:40.611Z] Timestamp: 2021-11-03 09:46:40Z'
    Stack: File "C:\Program Files\Microsoft\Azure Functions Core Tools\workers\python\3.6/WINDOWS/X64\azure_functions_worker\dispatcher.py", line 405, in _handle__invocation_request
        invocation_id, fi_context, fi.func, args)
      File "C:\Users\thomas.duvivier\AppData\Local\Programs\Python\Python36\lib\concurrent\futures\thread.py", line 56, in run
        result = self.fn(*self.args, **self.kwargs)
      File "C:\Program Files\Microsoft\Azure Functions Core Tools\workers\python\3.6/WINDOWS/X64\azure_functions_worker\dispatcher.py", line 612, in _run_sync_func
        func)(params)
      File "C:\Program Files\Microsoft\Azure Functions Core Tools\workers\python\3.6/WINDOWS/X64\azure_functions_worker\extension.py", line 215, in _raw_invocation_wrapper
        result = function(**args)
      File "C:\Users\thomas.duvivier\source\repos\Intelligent Sourcing\ETL\ETL_AFA\__app__\Test\__init__.py", line 24, in main
        password = client.get_secret("pwd-admin").value
      File "c:\Users\thomas.duvivier\source\repos\Intelligent Sourcing\ETL\ETL_AFA\__app__\.venv\lib\site-packages\azure\core\tracing\decorator.py", line 83, in wrapper_use_tracer
        return func(*args, **kwargs)
      File "c:\Users\thomas.duvivier\source\repos\Intelligent Sourcing\ETL\ETL_AFA\__app__\.venv\lib\site-packages\azure\keyvault\secrets\_client.py", line 72, in get_secret
        **kwargs
      File "c:\Users\thomas.duvivier\source\repos\Intelligent Sourcing\ETL\ETL_AFA\__app__\.venv\lib\site-packages\azure\keyvault\secrets\_generated\_operations_mixin.py", line 1475, in get_secret
        return mixin_instance.get_secret(vault_base_url, secret_name, secret_version, **kwargs)
      File "c:\Users\thomas.duvivier\source\repos\Intelligent Sourcing\ETL\ETL_AFA\__app__\.venv\lib\site-packages\azure\keyvault\secrets\_generated\v7_1\operations\_key_vault_client_operations.py", line 276, in get_secret
        pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs)
      File "c:\Users\thomas.duvivier\source\repos\Intelligent Sourcing\ETL\ETL_AFA\__app__\.venv\lib\site-packages\azure\core\pipeline\_base.py", line 211, in run
        return first_node.send(pipeline_request) # type: ignore
      File "c:\Users\thomas.duvivier\source\repos\Intelligent Sourcing\ETL\ETL_AFA\__app__\.venv\lib\site-packages\azure\core\pipeline\_base.py", line 71, in send
        response = self.next.send(request)
      File "c:\Users\thomas.duvivier\source\repos\Intelligent Sourcing\ETL\ETL_AFA\__app__\.venv\lib\site-packages\azure\core\pipeline\_base.py", line 71, in send
        response = self.next.send(request)
      File "c:\Users\thomas.duvivier\source\repos\Intelligent Sourcing\ETL\ETL_AFA\__app__\.venv\lib\site-packages\azure\core\pipeline\_base.py", line 71, in send
        response = self.next.send(request)
      [Previous line repeated 1 more times]
      File "c:\Users\thomas.duvivier\source\repos\Intelligent Sourcing\ETL\ETL_AFA\__app__\.venv\lib\site-packages\azure\core\pipeline\policies\_redirect.py", line 158, in send
        response = self.next.send(request)
      File "c:\Users\thomas.duvivier\source\repos\Intelligent Sourcing\ETL\ETL_AFA\__app__\.venv\lib\site-packages\azure\core\pipeline\policies\_retry.py", line 445, in send
        response = self.next.send(request)
      File "c:\Users\thomas.duvivier\source\repos\Intelligent Sourcing\ETL\ETL_AFA\__app__\.venv\lib\site-packages\azure\keyvault\secrets\_shared\challenge_auth_policy.py", line 111, in send
        self._handle_challenge(request, challenge)
      File "c:\Users\thomas.duvivier\source\repos\Intelligent Sourcing\ETL\ETL_AFA\__app__\.venv\lib\site-packages\azure\keyvault\secrets\_shared\challenge_auth_policy.py", line 137, in _handle_challenge
        self._token = self._credential.get_token(scope)
      File "c:\Users\thomas.duvivier\source\repos\Intelligent Sourcing\ETL\ETL_AFA\__app__\.venv\lib\site-packages\azure\identity\_credentials\default.py", line 140, in get_token
        return super(DefaultAzureCredential, self).get_token(*scopes, **kwargs)
      File "c:\Users\thomas.duvivier\source\repos\Intelligent Sourcing\ETL\ETL_AFA\__app__\.venv\lib\site-packages\azure\identity\_credentials\chained.py", line 90, in get_token
        raise ClientAuthenticationError(message=message)

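A small triage helper, added here as an example; it is not code from the thread or from azure-identity. It parses the "Attempted credentials:" block that azure-identity appends to a DefaultAzureCredential failure (the sample is trimmed from the log posted above, with the poster's '---' redactions kept), reports which credentials in the chain were merely skipped as unavailable and which one actually received an AADSTS rejection, and checks whether a set of environment variables would satisfy EnvironmentCredential. The remediation text for AADSTS50078 restates what the thread establishes; the variable names are the documented EnvironmentCredential ones, and the REMEDIATION table is this example's own, not an azure-identity API.

```python
"""Triage helper for DefaultAzureCredential failures.

Added example, not code from the thread or from azure-identity. It works on the
text of the ClientAuthenticationError that azure-identity raises, so it needs no
Azure packages and runs offline.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the "Attempted credentials:" block from the poster's log,
# with the Functions-host timestamps dropped and the redactions ('---') kept.
SAMPLE_MESSAGE = """DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
SharedTokenCacheCredential: Azure Active Directory error '(invalid_grant) AADSTS50078: Presented multi-factor authentication has expired due to policies configured by your administrator, you must refresh your multi-factor authentication to access '---'.
Trace ID: ---
Correlation ID: ---
Timestamp: 2021-11-03 09:46:40Z'"""


@dataclass
class CredentialOutcome:
    name: str                   # credential class in the chain, e.g. SharedTokenCacheCredential
    unavailable: bool           # True when it was skipped (no env vars, no managed identity endpoint)
    aadsts_code: Optional[str]  # STS error code when the request was actually rejected
    detail: str                 # the raw message for that credential


# Each entry is "<SomethingCredential>: <message>"; the Trace ID / Correlation ID /
# Timestamp lines that follow an entry do not match this shape and are ignored.
_ENTRY = re.compile(r"^(?P<name>[A-Za-z]+Credential): (?P<detail>.*)$")
_AADSTS = re.compile(r"\b(AADSTS\d+)\b")


def parse_attempted_credentials(message: str) -> List[CredentialOutcome]:
    """Return one CredentialOutcome per credential listed after 'Attempted credentials:'."""
    outcomes: List[CredentialOutcome] = []
    in_block = False
    for raw in message.splitlines():
        line = raw.strip()
        if line == "Attempted credentials:":
            in_block = True
            continue
        if not in_block:
            continue
        m = _ENTRY.match(line)
        if not m:
            continue
        detail = m.group("detail")
        code = _AADSTS.search(detail)
        outcomes.append(CredentialOutcome(
            name=m.group("name"),
            unavailable="authentication unavailable" in detail,
            aadsts_code=code.group(1) if code else None,
            detail=detail,
        ))
    return outcomes


def first_real_failure(message: str) -> Optional[CredentialOutcome]:
    """The chain skips 'unavailable' credentials and stops at the first one the STS
    actually rejected; that entry is the one worth reading."""
    for outcome in parse_attempted_credentials(message):
        if not outcome.unavailable:
            return outcome
    return None


# This example's own mapping; AADSTS50078 is the only code the thread documents:
# the cached MFA claim expired under tenant policy, so the cached token cannot be
# renewed silently and only a fresh interactive sign-in clears it.
REMEDIATION = {
    "AADSTS50078": "cached MFA has expired: sign in interactively again (az login) and retry",
}


def triage(message: str) -> Dict[str, str]:
    """Map every credential in the chain to a recommended action."""
    actions: Dict[str, str] = {}
    for outcome in parse_attempted_credentials(message):
        if outcome.unavailable:
            actions[outcome.name] = "skipped: not configured in this environment"
        elif outcome.aadsts_code:
            actions[outcome.name] = REMEDIATION.get(
                outcome.aadsts_code, outcome.aadsts_code + ": look up the code in the Entra sign-in error reference")
        else:
            actions[outcome.name] = "failed: " + outcome.detail
    return actions


# EnvironmentCredential (per the azure-identity docs) needs the tenant id, the client
# id, and one secret: client secret, certificate path, or username+password. The
# poster's "Set variables: AZURE_TENANT_ID, AZURE_CLIENT_ID" came from the first two.
def environment_credential_missing(env: Dict[str, str]) -> List[str]:
    """Return the variables still needed before EnvironmentCredential would be tried."""
    missing = [k for k in ("AZURE_TENANT_ID", "AZURE_CLIENT_ID") if not env.get(k)]
    has_secret = any(env.get(k) for k in ("AZURE_CLIENT_SECRET", "AZURE_CLIENT_CERTIFICATE_PATH"))
    has_user = bool(env.get("AZURE_USERNAME") and env.get("AZURE_PASSWORD"))
    if not (has_secret or has_user):
        missing.append("AZURE_CLIENT_SECRET or AZURE_CLIENT_CERTIFICATE_PATH (or AZURE_USERNAME+AZURE_PASSWORD)")
    return missing


if __name__ == "__main__":
    for name, action in triage(SAMPLE_MESSAGE).items():
        print(f"{name}: {action}")
```

On the poster's log, triage() reports EnvironmentCredential and ManagedIdentityCredential as skipped and gives the AADSTS50078 action for SharedTokenCacheCredential, which matches the answer above: the cached sign-in is what needs refreshing, not the Key Vault role assignment. For a local debug loop, a fresh az login is also the better fix than the environment-variable workaround, since the latter puts a service principal secret into the developer's environment.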