[BUG] Wrong tenant id in the exception when a tenant domain does not exist
Library name and version
Azure.Identity v1.6.0
Describe the bug
The wrong tenant id is included in the exception message when switching from a valid tenant id to an invalid one.
See the Reproduction Steps section for more details.
Expected behavior
The exception message should contain the domain/id of the invalid tenant.
DeviceCodeCredential authentication failed: AADSTS90002: Tenant 'invalidtenant.com' not found. Check to make sure you have the correct tenant ID and are signing into the correct cloud. Check with your subscription administrator, this may happen if there are no active subscriptions for the tenant.
Actual behavior
The previous valid tenant id is included in the exception message. It looks like the error message is using the tenant id from the authentication record instead of the one specified in InteractiveBrowserCredentialOptions.TenantId.
authEx.Message
AADSTS90002: Tenant 'VALID_TENANT_ID' not found. Check to make sure you have the correct tenant ID and are signing into the correct cloud. Check with your subscription administrator, this may happen if there are no active subscriptions for the tenant.
authEx.StackTrace
at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage)
at Azure.Identity.InteractiveBrowserCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
at Azure.Identity.InteractiveBrowserCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
Reproduction Steps
using System;
using System.IO;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

static async Task<InteractiveBrowserCredential> GetInteractiveBrowserCredentialAsync(string tenantId, string[] scopes)
{
    string clientId = "CLIENT_ID";
    string cacheName = "CACHE_NAME";
    string authRecordPath = "PATH_TO_AUTH_RECORD";
    var interactiveOptions = new InteractiveBrowserCredentialOptions
    {
        ClientId = clientId,
        TenantId = tenantId,
        TokenCachePersistenceOptions = new TokenCachePersistenceOptions { Name = cacheName }
    };
    if (!File.Exists(authRecordPath))
    {
        var interactiveBrowserCredential = new InteractiveBrowserCredential(interactiveOptions);
        var authRecord = await interactiveBrowserCredential.AuthenticateAsync(new TokenRequestContext(scopes)).ConfigureAwait(false);
        // Write auth record to file.
        await WriteAuthRecordAsync(authRecord, authRecordPath).ConfigureAwait(false);
        return interactiveBrowserCredential;
    }
    else
    {
        // Read auth record from file.
        interactiveOptions.AuthenticationRecord = await ReadAuthRecordAsync(authRecordPath).ConfigureAwait(false);
        return new InteractiveBrowserCredential(interactiveOptions);
    }
}

// The two helpers below were not shown in the original report; they are filled in here
// using the library's own AuthenticationRecord serialization so the sample compiles.
static async Task WriteAuthRecordAsync(AuthenticationRecord authRecord, string path)
{
    using var stream = File.Create(path);
    await authRecord.SerializeAsync(stream).ConfigureAwait(false);
}

static async Task<AuthenticationRecord> ReadAuthRecordAsync(string path)
{
    using var stream = File.OpenRead(path);
    return await AuthenticationRecord.DeserializeAsync(stream).ConfigureAwait(false);
}

try
{
    string[] scopes = new[] { "user.read" };
    string tenantId = "VALID_TENANT_ID";
    // 1st authentication attempt using a valid tenant id.
    var tokenCredential = await GetInteractiveBrowserCredentialAsync(tenantId, scopes);
    var token = await tokenCredential.GetTokenAsync(new TokenRequestContext(scopes)).ConfigureAwait(false);
    // 2nd authentication attempt using an invalid tenant id ("invalidtenant.com").
    // The persisted auth record from the 1st attempt is reused here.
    var tokenCredential2 = await GetInteractiveBrowserCredentialAsync("invalidtenant.com", scopes);
    var token2 = await tokenCredential2.GetTokenAsync(new TokenRequestContext(scopes)).ConfigureAwait(false);
}
catch (AuthenticationFailedException authEx)
{
    // Throws exception with the tenant id from the 1st attempt, i.e., VALID_TENANT_ID.
    // The exception should ideally contain `invalidtenant.com` as the invalid tenant id.
    Console.WriteLine(authEx.Message);
}
The code above throws the right exception (AADSTS90002) with the wrong tenant id from the 1st attempt in the exception message.
AADSTS90002: Tenant 'VALID_TENANT_ID' not found. Check to make sure you have the correct tenant ID and are signing into the correct cloud. Check with your subscription administrator, this may happen if there are no active subscriptions for the tenant.
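One practical guard against the ambiguity described above, as an added example that is not code from the issue or from the Azure SDK: before reusing a persisted AuthenticationRecord, compare its TenantId with the tenant you are about to request, and on failure log both values so the AADSTS text is not the only evidence of which tenant was used. The file path, client id and scopes are placeholders; AuthenticationRecord.TenantId and AuthenticationRecord.DeserializeAsync are real Azure.Identity members.

```csharp
using System;
using System.IO;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

static class TenantConsistencyCheck
{
    // True when the cached record was issued for the tenant we are about to request.
    // A mismatch means the record, not the requested TenantId, is the one the error
    // text may end up naming (the behaviour reported in this issue).
    public static bool RecordMatchesTenant(AuthenticationRecord record, string requestedTenantId)
    {
        if (record == null) return true; // nothing cached: options.TenantId is the only input
        return string.Equals(record.TenantId, requestedTenantId, StringComparison.OrdinalIgnoreCase);
    }

    // Assumed helper (not part of the SDK): loads the record, refuses to reuse it for a
    // different tenant, and records both tenant values if authentication still fails.
    public static async Task<AccessToken> GetTokenForTenantAsync(
        string authRecordPath, string clientId, string tenantId, string[] scopes)
    {
        AuthenticationRecord record = null;
        if (File.Exists(authRecordPath))
        {
            using var stream = File.OpenRead(authRecordPath);
            record = await AuthenticationRecord.DeserializeAsync(stream).ConfigureAwait(false);
        }

        var options = new InteractiveBrowserCredentialOptions { ClientId = clientId, TenantId = tenantId };
        if (RecordMatchesTenant(record, tenantId))
        {
            options.AuthenticationRecord = record; // same tenant: safe to skip the interactive prompt
        }
        else
        {
            Console.WriteLine($"Cached record is for tenant '{record.TenantId}', requested '{tenantId}'; not reusing it.");
        }

        try
        {
            return await new InteractiveBrowserCredential(options)
                .GetTokenAsync(new TokenRequestContext(scopes)).ConfigureAwait(false);
        }
        catch (AuthenticationFailedException ex)
        {
            Console.WriteLine($"Requested tenant: '{tenantId}'; cached record tenant: '{record?.TenantId ?? "<none>"}'");
            Console.WriteLine(ex.Message); // the AADSTS text alone may name the wrong tenant
            throw;
        }
    }
}
```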
Environment
No response
Issue Analytics
- State:
- Created a year ago
- Comments:6 (3 by maintainers)
Top GitHub Comments
Chatted offline about this - we validated that this error message comes directly from AAD. I'll follow up with them to report the problem.
Thank you for your feedback. Tagging and routing to the team members best able to assist.