HERMESThomasDuvivier-1452 asked · MarileeTurscak-MSFT answered
0 Votes

Azure Active Directory error '(invalid_grant) AADSTS50078, you must refresh your multi-factor authentication'

Hello,

I am developing an Azure Function in python via vscode. I've been working on it for a year or so.
I did not work on this project for a month or two, and when I came back to it this week and tried to debug the Azure Function locally, I got the following error:

DefaultAzureCredential.get_token failed: SharedTokenCacheCredential raised unexpected error "Azure Active Directory error '(invalid_grant) AADSTS50078: Presented multi-factor authentication has expired due to policies configured by your administrator, you must refresh your multi-factor authentication to access 'MY_RESSOURCE_ID'.

The error is raised when I try to access the KeyVault here:

import os
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient
KVUri = os.environ["KEY_VAULT_ENDPOINT"]
credential = DefaultAzureCredential()  # tries a chain of credentials in order
client = SecretClient(vault_url=KVUri, credential=credential)

I am a Contributor on the KeyVault and the Azure Function via the Resource Group (inherited), so this should not be a problem.

I used to simply connect to my Azure account via "az login" in Azure CLI or via "Azure: Sign in to Azure Cloud" or "Azure: Sign in", but this method does not seem to work anymore.

I tried:

  • Emptying the cache in my web browser and in "Control Panel\User Accounts\Credential Manager", then re-logging in, but it did not work although I had to do the multi-factor authentication

  • Uninstalling VSCode and re-installing it, then rebooting my machine

  • Changing the azure-identity version

  • Setting the environment variables to authenticate as a workaround, but I still get the error "Incomplete environment configuration. Set variables: AZURE_TENANT_ID, AZURE_CLIENT_ID"

  • Updating VSCode to its latest version (1.61.2)

My client's Cloud Architect told me they did not change things that could have provoked this behavior.
There is an IP address restriction, but it did not change and my local debug already worked with this restriction in the past.

Could you please tell me what I should do to be able to debug my Azure Functions locally again?
Whether it is on my machine, in the portal, or in the overall Azure configuration.

Thanks!


CONFIG

Python 3.6.4
Windows 10.0.19042 build 19042
VSCode 1.61.2

Modules:

azure-functions==1.4.0
azure-functions-durable
azure-keyvault-secrets==4.2.0
dependency-injector==3.44.0
azure-identity==1.4.0
azure-storage-blob==12.8.1
pyodbc==4.0.30
pandas==1.1.4
numpy==1.19.3
tldextract==3.0.2
SQLAlchemy==1.4.20
matplotlib==3.3.4
requests==2.23.0
openpyxl==3.0.7
xlrd==2.0.1
xlwt==1.3.0

Tags: azure-ad-multi-factor-authentication, azure-ad-verifiable-credentials

HERMESThomasDuvivier-1452 answered · HERMESThomasDuvivier-1452 published
0 Votes

Here is the error in full:

SharedTokenCacheCredential.get_token failed: Azure Active Directory error '(invalid_grant) AADSTS50078: Presented multi-factor authentication has expired due to policies configured by your administrator, you must refresh your multi-factor authentication to access '---'.
[2021-11-03T09:46:40.373Z] Trace ID: ---
[2021-11-03T09:46:40.378Z] Correlation ID: ---
[2021-11-03T09:46:40.383Z] Timestamp: 2021-11-03 09:46:40Z'
[2021-11-03T09:46:40.388Z] DefaultAzureCredential.get_token failed: SharedTokenCacheCredential raised unexpected error "Azure Active Directory error '(invalid_grant) AADSTS50078: Presented multi-factor authentication has expired due to policies configured by your administrator, you must refresh your multi-factor authentication to access '---'.
[2021-11-03T09:46:40.393Z] Trace ID: ---
[2021-11-03T09:46:40.398Z] Correlation ID: ---
[2021-11-03T09:46:40.402Z] Timestamp: 2021-11-03 09:46:40Z'"
[2021-11-03T09:46:40.408Z] DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
SharedTokenCacheCredential: Azure Active Directory error '(invalid_grant) AADSTS50078: Presented multi-factor authentication has expired due to policies configured by your administrator, you must refresh your multi-factor authentication to access '---'.
[2021-11-03T09:46:40.416Z] Trace ID: ---
[2021-11-03T09:46:40.420Z] Correlation ID: ----
[2021-11-03T09:46:40.424Z] Timestamp: 2021-11-03 09:46:40Z'
[2021-11-03T09:46:40.584Z] Executed 'Functions.Test' (Failed, Id=---, Duration=14683ms)
[2021-11-03T09:46:40.590Z] System.Private.CoreLib: Exception while executing function: Functions.Test. System.Private.CoreLib: Result: Failure
Exception: ClientAuthenticationError: DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
SharedTokenCacheCredential: Azure Active Directory error '(invalid_grant) AADSTS50078: Presented multi-factor authentication has expired due to policies configured by your administrator, you must refresh your multi-factor authentication to access '---'.
[2021-11-03T09:46:40.600Z] Trace ID: ---
[2021-11-03T09:46:40.605Z] Correlation ID: ---
[2021-11-03T09:46:40.611Z] Timestamp: 2021-11-03 09:46:40Z'
Stack: File "C:\Program Files\Microsoft\Azure Functions Core Tools\workers\python\3.6/WINDOWS/X64\azure_functions_worker\dispatcher.py", line 405, in handleinvocation_request
invocation_id, fi_context, fi.func, args)
File "C:\Users\thomas.duvivier\AppData\Local\Programs\Python\Python36\lib\concurrent\futures\thread.py", line 56, in run
result = self.fn(self.args, self.kwargs)
File "C:\Program Files\Microsoft\Azure Functions Core Tools\workers\python\3.6/WINDOWS/X64\azure_functions_worker\dispatcher.py", line 612, in _run_sync_func
func)(params)
File "C:\Program Files\Microsoft\Azure Functions Core Tools\workers\python\3.6/WINDOWS/X64\azure_functions_worker\extension.py", line 215, in _raw_invocation_wrapper
result = function(
*args)
File "C:\Users\thomas.duvivier\source\repos\Intelligent Sourcing\ETL\ETL_AFA_app
\Test_init.py", line 24, in main
password = client.get_secret("pwd-admin").value
File "c:\Users\thomas.duvivier\source\repos\Intelligent Sourcing\ETL\ETL_AFA_app
.venv\lib\site-packages\azure\core\tracing\decorator.py", line 83, in wrapper_use_tracer
return func(args, kwargs)
File "c:\Users\thomas.duvivier\source\repos\Intelligent Sourcing\ETL\ETL_AFA_app_.venv\lib\site-packages\azure\keyvault\secrets_client.py", line 72, in get_secret
kwargs
File "c:\Users\thomas.duvivier\source\repos\Intelligent Sourcing\ETL\ETL_AFA_app_.venv\lib\site-packages\azure\keyvault\secrets_generated_operations_mixin.py", line 1475, in get_secret
return mixin_instance.get_secret(vault_base_url, secret_name, secret_version,
kwargs)
File "c:\Users\thomas.duvivier\source\repos\Intelligent Sourcing\ETL\ETL_AFA_app_.venv\lib\site-packages\azure\keyvault\secrets_generated\v7_1\operations_key_vault_client_operations.py", line 276, in get_secret
pipeline_response = self._client._pipeline.run(request, stream=False,
*kwargs)
File "c:\Users\thomas.duvivier\source\repos\Intelligent Sourcing\ETL\ETL_AFA_app.venv\lib\site-packages\azure\core\pipeline_base.py", line 211, in run
return first_node.send(pipeline_request) # type: ignore
File "c:\Users\thomas.duvivier\source\repos\Intelligent Sourcing\ETL\ETL_AFA_app
.venv\lib\site-packages\azure\core\pipeline_base.py", line 71, in send
response = self.next.send(request)
File "c:\Users\thomas.duvivier\source\repos\Intelligent Sourcing\ETL\ETL_AFA_app.venv\lib\site-packages\azure\core\pipeline_base.py", line 71, in send
response = self.next.send(request)
File "c:\Users\thomas.duvivier\source\repos\Intelligent Sourcing\ETL\ETL_AFA_app
.venv\lib\site-packages\azure\core\pipeline_base.py", line 71, in send
response = self.next.send(request)
[Previous line repeated 1 more times]
File "c:\Users\thomas.duvivier\source\repos\Intelligent Sourcing\ETL\ETL_AFA_app.venv\lib\site-packages\azure\core\pipeline\policies_redirect.py", line 158, in send
response = self.next.send(request)
File "c:\Users\thomas.duvivier\source\repos\Intelligent Sourcing\ETL\ETL_AFA_app
.venv\lib\site-packages\azure\core\pipeline\policies_retry.py", line 445, in send
response = self.next.send(request)
File "c:\Users\thomas.duvivier\source\repos\Intelligent Sourcing\ETL\ETL_AFA_app_.venv\lib\site-packages\azure\keyvault\secrets_shared\challenge_auth_policy.py", line 111, in send
self.handle_challenge(request, challenge)
File "c:\Users\thomas.duvivier\source\repos\Intelligent Sourcing\ETL\ETL_AFA_app
.venv\lib\site-packages\azure\keyvault\secrets_shared\challenge_auth_policy.py", line 137, in _handle_challenge
self.token = self.credential.get_token(scope)
File "c:\Users\thomas.duvivier\source\repos\Intelligent Sourcing\ETL\ETL_AFA_app
.venv\lib\site-packages\azure\identity_credentials\default.py", line 140, in get_token
return super(DefaultAzureCredential, self).get_token(scopes, *kwargs)
File "c:\Users\thomas.duvivier\source\repos\Intelligent Sourcing\ETL\ETL_AFA_app
.venv\lib\site-packages\azure\identity_credentials\chained.py", line 90, in get_token
raise ClientAuthenticationError(message=message)
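In the log above the "Attempted credentials" list ends at SharedTokenCacheCredential although az login had been run, so AzureCliCredential never appears. The model below is an added example, not code from the post or from azure-identity; it implements the fall-through rule I understand the chain to follow (a credential that is unavailable is skipped, one that is actually rejected by the identity service ends the chain), using constructed stub credentials and a constructed token string. The `without` helper assumes DefaultAzureCredential's exclude_*_credential keyword arguments.

```python
import re
from typing import Callable, List, Optional, Tuple

class CredentialUnavailable(Exception):
    """Nothing to try here (no env vars, no IMDS endpoint): the chain moves on."""

class AuthenticationFailed(Exception):
    """The credential was tried and rejected (e.g. AADSTS50078): the chain stops."""

def chain_get_token(chain: List[Tuple[str, Callable[[], str]]]) -> Tuple[Optional[str], List[Tuple[str, str]]]:
    """Try each credential in order; return (token or None, list of (credential, outcome))."""
    attempts = []
    for name, get_token in chain:
        try:
            token = get_token()
        except CredentialUnavailable as ex:
            attempts.append((name, "unavailable: %s" % ex))
            continue                  # never reached the identity service, keep going
        except AuthenticationFailed as ex:
            attempts.append((name, "failed: %s" % ex))
            break                     # a real rejection ends the chain: later credentials are never consulted
        attempts.append((name, "ok"))
        return token, attempts
    return None, attempts

def aadsts_code(attempts: List[Tuple[str, str]]) -> Optional[str]:
    """Pull the AADSTS error code out of the failing credential's message, if any."""
    for _, outcome in attempts:
        match = re.search(r"AADSTS(\d{5})", outcome)
        if match:
            return match.group(1)
    return None

def without(chain, name: str):
    """Drop one credential, modelling DefaultAzureCredential's exclude_*_credential keywords (assumed)."""
    return [entry for entry in chain if entry[0] != name]

def _raising(exc_type, message):
    """Build a constructed stub get_token that raises exc_type(message) when called."""
    def get_token():
        raise exc_type(message)
    return get_token

# Constructed stand-ins for the credentials in the log, in the order the log lists them,
# followed by the AzureCliCredential that az login would back if the chain ever reached it.
DEFAULT_CHAIN = [
    ("EnvironmentCredential", _raising(CredentialUnavailable, "Environment variables are not fully configured.")),
    ("ManagedIdentityCredential", _raising(CredentialUnavailable, "no managed identity endpoint found.")),
    ("SharedTokenCacheCredential", _raising(AuthenticationFailed, "AADSTS50078: Presented multi-factor authentication has expired")),
    ("AzureCliCredential", lambda: "<constructed token from az login>"),
]
```

Running `chain_get_token(DEFAULT_CHAIN)` reproduces the three-entry attempt list from the log; dropping SharedTokenCacheCredential with `without` lets the CLI token be returned.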


MarileeTurscak-MSFT answered
1 Vote

Hi @HERMESThomasDuvivier-1452,

This error can occur if Visual Studio Code loses its Azure authentication connection for some reason or your actual AD credentials have changed (for example, a password change). You can authenticate using az login with your latest password and DefaultAzureCredential, as described here: https://stackoverflow.com/questions/67165101/azure-chainedtokencredential-fails-after-password-change

Another thing to try:

If you haven't done so already, please try turning off the setting "Remember MFA for X Days" / "Don't ask again for X days":

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#how-the-feature-works

This feature can force interactive MFA to be requested after the specified days and your current tokens will be invalid.

Let me know if this helps at all. If you are still having this issue I will be happy to open a support case for you.
