azure-cli: `az login` fails: OSError: [WinError -2146893813]

This is autogenerated. Please review and update as needed.

Describe the bug

Command Name az login

Errors:

The command failed with an unexpected error. Here is the traceback:
[WinError -2146893813] : ''
Traceback (most recent call last):
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 231, in invoke
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 657, in execute
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 720, in _run_jobs_serially
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 691, in _run_job
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 328, in __call__
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/profile/custom.py", line 145, in login
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/_profile.py", line 155, in login
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/identity.py", line 121, in login_with_auth_code
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/application.py", line 1488, in acquire_token_interactive
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oidc.py", line 280, in obtain_token_by_browser
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oauth2.py", line 660, in obtain_token_by_browser
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/application.py", line 135, in obtain_token_by_auth_code_flow
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oidc.py", line 204, in obtain_token_by_auth_code_flow
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oauth2.py", line 548, in obtain_token_by_auth_code_flow
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oauth2.py", line 714, in _obtain_token_by_authorization_code
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oidc.py", line 115, in _obtain_token
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/oauth2cli/oauth2.py", line 771, in _obtain_token
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/application.py", line 523, in <lambda>
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/token_cache.py", line 307, in add
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/token_cache.py", line 113, in add
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/token_cache.py", line 184, in __add
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal_extensions/token_cache.py", line 44, in modify
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal_extensions/token_cache.py", line 35, in _reload_if_necessary
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal_extensions/persistence.py", line 172, in load
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal_extensions/windows.py", line 111, in unprotect
OSError: [WinError -2146893813] : ''

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

  • Put any pre-requisite steps here…
  • az login

Expected Behavior

Environment Summary

Windows-10-10.0.19041-SP0
Python 3.8.9
Installer: MSI

azure-cli 2.30.0

Additional Context

About this issue

  • Original URL
  • State: open
  • Created 3 years ago
  • Reactions: 5
  • Comments: 46 (16 by maintainers)

Most upvoted comments

Update:

I tried using the command with a different Windows user account and it worked fine. So I deleted the C:\Users\<user>\.azure

And it works.

Maybe the upgrade command should be updated to remove the conflictual configuration.

Hi Jiasli, My issue was resolved after I deleted all the files and folders under the C:\Users\<username>\.azure folder and tried to reinstall Azure CLI from Windows PowerShell (run as Administrator) with the command below. It’s working fine now.

Command:

$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; rm .\AzureCLI.msi

Thanks!!

Questions

  • Have you copied ~/.azure folder from another computer or mounted it into a container?
  • Could you share the detailed steps you followed to trigger this error?

Workaround

First, you may try to clear the credential cache and re-login:

az account clear
az login

If this still doesn’t help, you may temporarily turn off token cache encryption. (⚠ This is an internal experimental config option. We may change it or drop it anytime.)

az config set core.encrypt_token_cache=false
az login

The solution was to delete files in $HOME/.azure

I had the same issue with az version 2.49.0. I’m running Windows 10. I did not change my password in the past few weeks, and I never used the azure client on this computer. This is a company device, and I also didn’t use the azure client on my previous ones. Until now, I connected to a jumphost via ssh that had the azure cli installed, but now I can’t because our infra department changed their MFA policy, and I can only use azure cli on the same computer on which I opened the browser and logged in. I deleted the .azure folder and reinstalled azure cli. az account clear produced the same error. Nothing helped, except for

az config set core.encrypt_token_cache=false

Now it works. But it keeps me wondering what else is broken or will be in the future. It’s an “experimental feature” anyway.

Microsoft, why can’t we have nice tools? Or proper error messages? Or our problems taken care of?

set core.encrypt_token_cache=false is always the answer. Every time it happens to me or anyone I know, anyway

az login

A web browser has been opened at https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize. Please continue the login in the web browser. If no web browser is available or if the web browser fails to open, use device code flow with az login --use-device-code.

It did open in the browser all ok, and got this in the console

Decryption failed: [WinError -2146893813] Key not valid for use in specified state… App developer may consider this guidance: https://github.com/AzureAD/microsoft-authentication-extensions-for-python/wiki/PersistenceDecryptionError

You need to reticulate your splines.

For me, removing the .azure folder worked: C:\users\<your user>\.azure

Before that I also executed the command: az upgrade

But just removing the folder could work. The problem, I think, was when I used Az Cloud Shell and PowerShell together

I ran into the same issue today. I had a password change several days ago, needed to run an az command today which prompted me that the grant was no longer valid. Was able to az login again and work as expected. Several hours later, I started seeing this issue with any az command. I was able to move forward by deleting msal_token.cache.bin and msal_http_cache.bin and relogging in.

it could be a sequence of operations causing our token cache file to be created unencrypted (by an older version of Az CLI?)

The old ADAL-based Azure CLI saves tokens to ~/.azure/accessTokens.json, while the new MSAL-based Azure CLI saves tokens to ~/.azure/msal_token_cache.json or ~/.azure/msal_token_cache.bin (encrypted), so they work independently.

My issue was resolved after I deleted all the files and folders under the C:\Users\<username>\.azure folder and tried to reinstall Azure CLI from Windows PowerShell (run as Administrator) with the command below. It’s working fine now.

Congrats @vperala for recovering from the issue. Can you tell us more on the history of that C:\Users\username\.azure folder? Did you manually copy it from a different computer?

  • If your answer is yes, then the error is expected (it is a security feature), although @jiasli and I may still consider some User eXperience (UX) improvement here.
  • If your answer is no, then it could be a sequence of operations causing our token cache file to be created unencrypted (by an older version of Az CLI?), and then upgrading to Az CLI v2.30+ would attempt to decrypt that file and fail. This would become a migration FAQ, then.

+ MSAL developer @rayluo

Same as https://github.com/Azure/azure-cli/issues/17186 happened for the old beta version.

@vperala, have you copied .azure from/to another computer? Could you share the detailed steps you followed to trigger this error? Thanks.

Probably. Yes it was running as an account that didn’t necessarily log in and I didn’t think that should be a requirement? I switched to Linux to solve this problem 😃

I ran into this as well on a Windows VM where I ran az login --tenant {tenant name} for the first time after resetting my password on the VM through the Azure portal (maybe that has the same effect as resetting the password from computer management, which causes this issue?).

In addition to what kierke-gaard got, I got a message with a bit more info when I passed the “--debug” option:

msal_extensions.persistence.PersistenceDecryptionError: [Errno -2146893813] Decryption failed: [Errno -2146893813] Key not valid for use in specified state. App developer may consider this guidance: https://github.com/AzureAD/microsoft-authentication-extensions-for-python/wiki/PersistenceDecryptionError: 'C:\\Users\\myuser\\.azure\\msal_token_cache.bin

Based on that GitHub wiki in the error message, I figured that the file it printed at the end was the file it was having trouble with (and likely got corrupted with the password reset), so I moved that to my home directory, ran the “az login --tenant {tenant name}” command again, and everything worked! It looks like it regenerated that file with the new login.

After I changed my Windows 11 password, I couldn’t use my az cli anymore. For whatever command I’m getting: “Decryption failed: [WinError -2146893813] Key not valid for use in specified state… App developer may consider this guidance: https://github.com/AzureAD/microsoft-authentication-extensions-for-python/wiki/PersistenceDecryptionError”

After deleting in the .azure folder msal_*.bin and relogging it works like a charm again

I started getting the error in 2.36.0. Tried upgrading to 2.39.0 but continued to get the same error. Deleting the .Azure worked like a charm for me.

From a fresh machine installation of Windows 11, Azure CLI installed and upgraded by using Chocolatey. The first login was after the upgrade, where I received the error within #22937. Once the C:\Users\<user>\.azure folder had been removed authentication worked.

Agree with @jiasli's triage. By the way, a suggestion to @jiasli: you can convert this issue into a Q&A in Az CLI’s GitHub Discussion, and then select your answer as “chosen answer”. This way, it remains visible to future customers, therefore you can safely close those stale issues like #17186.

Or even better, either Az CLI or MSAL EX could perhaps catch that exception and convert it to something like RuntimeError: Unable to decrypt token cache. Did you copy token cache from another computer?
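One way to implement the handling suggested in the comment above, as an added example (not Azure CLI or MSAL code): recognise the code from the traceback as HRESULT 0x8009000B ("Key not valid for use in specified state"), move the undecryptable cache aside, and raise a readable error, so the user can log in again without turning off token cache encryption and leaving tokens in the unencrypted msal_token_cache.json. The names `load_cache_or_quarantine` and `is_dpapi_key_mismatch` are hypothetical, and `load` stands in for whatever callable reads and decrypts the cache.

```python
import os
import time

# HRESULT behind "[WinError -2146893813]": Key not valid for use in specified state.
NTE_BAD_KEY_STATE = 0x8009000B


def hresult(code):
    """Convert the signed 32-bit code Python prints into an unsigned HRESULT."""
    return code & 0xFFFFFFFF


def is_dpapi_key_mismatch(exc):
    """True if an OSError carries the bad-key-state code in winerror or errno."""
    codes = (getattr(exc, "winerror", None), exc.errno)
    return any(c is not None and hresult(c) == NTE_BAD_KEY_STATE for c in codes)


def load_cache_or_quarantine(load, cache_path):
    """Run load(); if the cache cannot be decrypted, move it aside and explain.

    The file is renamed rather than deleted so it can still be inspected,
    and the next login starts from an empty, freshly encrypted cache.
    """
    try:
        return load()
    except OSError as exc:
        if not is_dpapi_key_mismatch(exc):
            raise  # unrelated I/O problem: do not touch the cache
        quarantined = f"{cache_path}.undecryptable.{int(time.time())}"
        os.replace(cache_path, quarantined)
        raise RuntimeError(
            "Unable to decrypt token cache. Did you copy token cache from "
            f"another computer? Moved it to {quarantined}; run `az login` again."
        ) from exc


if __name__ == "__main__":
    import tempfile

    # Constructed sample: a dummy cache file and a loader that fails the way
    # the traceback in this issue does.
    path = os.path.join(tempfile.mkdtemp(), "msal_token_cache.bin")
    with open(path, "wb") as fh:
        fh.write(b"constructed ciphertext")

    def failing_load():
        raise OSError(-2146893813, "Key not valid for use in specified state")

    try:
        load_cache_or_quarantine(failing_load, path)
    except RuntimeError as err:
        print(err)
```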