I'm following the FrontDoor Container setup instructions at: [https://eng.ms/docs/engineering-enablement-and-operations/commerce-platforms/partner-center-marketplace/sales-partner-foundations/portal-platform/portal-foundations/frontdoor-containers]
Environment:
- Windows 10 Dev Box
- Azure CLI (latest version)
- Docker Desktop (Windows containers mode)
- Connected to Azure VPN
- CoreIdentity got approved more than 24 hours ago
Issue 1 — MSAL token cache error:
After running ContainerImageDownload.ps1, I successfully log in via az login, select my subscription (PC_FrontDoor_DEV), and choose FrontDoor version v1/v2. The script then fails with:
The script tries to get an access token for https://vault.azure.net to read the FDDevContainer Key Vault, but az account get-access-token --resource https://vault.azure.net also fails with the same MSAL cache error.
I have tried: az cache purge, az account clear, deleting msal_token_cache.* files, and re-logging — same result.
Issue 2 — Conditional Access block (Error 53003):
When logging in from my local machine (not Dev Box), az login is blocked by Conditional Access:
Error Code: 53003
App name: Microsoft Azure CLI
App id: 04b07795-8ddb-461a-bbee-02f9e1bf7b46
IP address: 20.236.10.129
Device platform: Windows 10
Device state: Compliant
Even az login --use-device-code is blocked.
Questions:
- Has my account been fully onboarded with the required Key Vault access policy on FDDevContainer? What might I be missing?
- Is there a known Conditional Access policy blocking Azure CLI access for this setup?