Az login to AzureStackUser cloud "access token has been obtained for wrong audience"

Michael Clagett 191 Reputation points
2020-06-10T15:36:00.543+00:00

Hi --

I recently blew away my Azure Stack installation and reinstalled from scratch. Now on my Windows 10 machine, when I try to log in using the Azure CLI in PowerShell, I get the following results:

PS C:\Windows\system32> az login
You have logged in. Now let us find all the subscriptions to which you have access...
The access token has been obtained for wrong audience or resource 'https://management.mclagetthotmail.onmicrosoft.com/ae0ac4c6-2334-47e2-89e0-96eecd9222d1'. It should exactly match with one of the allowed audiences 'https://management.mclagetthotmail.onmicrosoft.com/508e2d8d-27cd-40da-96ec-17e276e1bff2','https://graph.windows.net/'.

I cleared the local az cli cache with az account clear but it is telling me to log in now and I just experience the above error. Anybody have any thoughts?

When I list my available clouds I get the following:

PS C:\Windows\system32> az cloud list
IsActive    Name                 Profile
False       AzureCloud           latest
False       AzureChinaCloud      latest
False       AzureUSGovernment    latest
False       AzureGermanCloud     latest
True        AzureStackUser       2019-03-01-hybrid

So the desired AzureStack cloud is there and is the active one.


Accepted answer
  1. Michael Clagett 191 Reputation points
    2020-07-11T01:03:26.747+00:00

    Finally figured this out:

    It was a matter of my not understanding the AzureStackUser and AzureStackAdmin clouds well enough. With Azure Stack there are two separate clouds that must be registered with Azure CLI. The AzureStackUser cloud represents the set of objects managed through portal.local.azurestack.external and the AzureStackAdmin cloud represents the set of objects managed through adminportal.local.azurestack.external. My issue was that I was trying to connect to AzureStackUser and had forgotten the step of registering the cloud with Azure CLI.

    After I registered the AzureStackUser cloud, I was able to log on, although no subscriptions were listed until I created a subscription by subscribing to an offer proffered from the AzureStackAdmin cloud. Once I understood all this, I was able to also register the AzureStackAdmin cloud (with mostly the same parameters, but a few needing to be prefaced with admin -- so, e.g. adminmanagement.local.azurestack.external instead of management.local.azurestack.external). This immediately made available the three subscriptions that are automatically added to the admin portal.

    All is good now.

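The error in the question means the token's audience did not exactly match one that the stamp's Resource Manager accepts. The PowerShell script below, an added example that is not part of the original thread, compares the audience Azure CLI has stored for each cloud with the one Resource Manager advertises, then registers the AzureStackUser and AzureStackAdmin clouds described in the accepted answer. Assumptions not taken from the thread: ASDK default hostnames under local.azurestack.external, the stamp's root CA already trusted on this machine, the `/metadata/endpoints` query, and the Key Vault suffixes.

```powershell
# Added example, not from the thread. Hostnames are ASDK defaults (assumption);
# the Key Vault suffixes and the metadata query are also assumptions.
$clouds = @(
    @{ Name = 'AzureStackUser';  Arm = 'https://management.local.azurestack.external'
       Vault = '.vault.local.azurestack.external' },
    @{ Name = 'AzureStackAdmin'; Arm = 'https://adminmanagement.local.azurestack.external'
       Vault = '.adminvault.local.azurestack.external' }
)

foreach ($c in $clouds) {
    # Ask this stamp's Resource Manager which token audiences it accepts.
    $meta = Invoke-RestMethod -Uri "$($c.Arm)/metadata/endpoints?api-version=2015-01-01"
    $expected = @($meta.authentication.audiences)

    # Read the audience the CLI has stored for this cloud (empty if not registered).
    $stored = az cloud show -n $c.Name `
        --query endpoints.activeDirectoryResourceId -o tsv 2>$null

    # The audience check is an exact match, so compare case-sensitively.
    if ($stored -and ($expected -ccontains $stored)) {
        Write-Host "$($c.Name): stored audience matches: $stored"
        continue
    }
    Write-Host "$($c.Name): CLI has '$stored', stamp accepts '$($expected -join ', ')'"

    # An active cloud cannot be unregistered, so switch away before removing it.
    if ($stored) {
        az cloud set -n AzureCloud
        az cloud unregister -n $c.Name
    }

    # With only the Resource Manager endpoint given, the CLI reads the login
    # endpoint and audience from the same metadata document.
    az cloud register -n $c.Name `
        --endpoint-resource-manager $c.Arm `
        --suffix-storage-endpoint 'local.azurestack.external' `
        --suffix-keyvault-dns $c.Vault
}

# Activate the user cloud with the API profile shown in the question, then log in.
az cloud set -n AzureStackUser
az cloud update --profile 2019-03-01-hybrid
az login --tenant '<aadtenant>.onmicrosoft.com'   # placeholder tenant name
```

Repeat the last three commands with `AzureStackAdmin` to work against the admin portal's subscriptions.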

4 additional answers

  1. TravisCragg-MSFT 5,676 Reputation points Microsoft Employee
    2020-06-16T05:38:15.62+00:00

    It is strange that it does not detect AzureCloud as being active. The first thing I would try is make sure that you can sign in to the Azure Portal using the same account.

    Also, try to switch to Azure public cloud manually using

    az cloud set -n <environmentname>

    Next, try forcing the login to use the appropriate tenant by logging in using

    az login -u <Active directory global administrator or user account. For example: username@<aadtenant>.onmicrosoft.com> --tenant <Azure Active Directory Tenant name. For example: myazurestack.onmicrosoft.com>

    It is possible that you configured the default to be an Azure Stack login, and those 2 commands should force you back to a public cloud.

    You might also want to try uninstalling and reinstalling the CLI, and reviewing your CLI settings.


  2. Michael Clagett 191 Reputation points
    2020-06-23T12:03:50.223+00:00

    Thank you very much for your response. Unfortunately, I believe I may not have been clear enough in my previous message: it is not the public Azure Cloud I am having difficulty logging into, but rather my AzureStackUser Azure Stack cloud. I have tried everything I can think of and am still experiencing this issue. It is a real nuisance, because although I am able to log in to all the portals (portal.azure.com, portal.local.azurestack.external, and adminportal.local.azurestack.external) and have full access to all functionality with no problems, a number of the tutorials I am trying to work through use Azure Stack CLI.

    Last night I tested my Azure Stack install with Test-AzureStack. One of the services failed (Azure Stack Fabric Management Controller Service Fabric Applications), but I stopped, rebooted, and then restarted Azure Stack and now all tests pass. But the problem still persists.

    I do have access to az in PowerShell. And I can successfully switch back and forth between having the public Azure Cloud cloud and my AzureStackUser Azure Stack cloud active (I am successfully able to issue az cloud list and az cloud set commands). But whenever I log in (either interactively with just az login or passing in the credentials as parameters) I always receive the following error:

    You have logged in. Now let us find all the subscriptions to which you have access...
    The access token has been obtained for wrong audience or resource 'https://management.mclagetthotmail.onmicrosoft.com/ae0ac4c6-2334-47e2-89e0-96eecd9222d1'. It should exactly match with one of the allowed audiences 'https://management.mclagetthotmail.onmicrosoft.com/508e2d8d-27cd-40da-96ec-17e276e1bff2','https://graph.windows.net/'.

    I tried az account set both with my Pay-As-You-Go subscription id from portal.azure.com and the Default Provider Subscription from adminportal.local.azurestack.external, but Azure CLI recognizes neither of them as belonging to AzureStackUser:

    The subscription of 'ae0715b8-fb60-4e1b-a077-51a77327ca25' doesn't exist in cloud 'AzureStackUser'. (this is the Default Subscription Provider id)

    The subscription of '3ebbb293-72a1-454a-b43f-ce03810f6138' doesn't exist in cloud 'AzureStackUser'. (this is the Pay-As-You-Go id).

    The credentials I am using are a user I added in my Azure AD (at portal.azure.com) with Owner privileges.

    I have run out of ideas. Is there another specifically Azure CLI forum that I might be able to submit this to? I would really like to get beyond this impediment. Thanks.


  3. Michael Clagett 191 Reputation points
    2020-06-23T12:05:49.953+00:00

    Oh, I forgot to mention one thing. I have uninstalled and reinstalled Azure CLI a few times, most recently installing the latest (2.7.0) version. This issue still persists. I also installed Azure CLI on another server and experience exactly the same thing.


  4. Michael Clagett 191 Reputation points
    2020-06-23T12:12:51.21+00:00

    And one more thing... The functionality of Azure Stack itself seems fine. I have installed an AKS cluster and a private Docker container registry and am able to interact with each just fine with the Kubectl and Docker CLI tools from the same machines that I am experiencing this issue on. Also in the portals, all resources seem fine. The only issue I see is that there is a persistent warning: Low disk space for Azure Stack infrastructure. The error tells me it gets triggered whenever there is less than 2GB of space on AZS-ERCS01 (I have something like 1.9909 GB). But this message was (I believe) present even when the Azure CLI was working, so I don't think it has anything to do with this, although I can't swear to this for sure.
