azure-sdk-for-python: Managed Identity incorrectly passes scopes to Managed Identity Endpoint

  • Package Name: azure.identity
  • Package Version: 1.12.0
  • Operating System: Linux / Azure App Services
  • Python Version: 3.9

Describe the bug

An unexpected error occured while fetching the AAD Token.
Code: None
Message: An unexpected error occured while fetching the AAD Token.
Stack:
  File "/azure-functions-host/workers/python/3.9/LINUX/X64/azure_functions_worker/dispatcher.py", line 448, in _handle__invocation_request
    call_result = await self._run_async_func(
  File "/azure-functions-host/workers/python/3.9/LINUX/X64/azure_functions_worker/dispatcher.py", line 724, in _run_async_func
    return await ExtensionManager.get_async_invocation_wrapper(
  File "/azure-functions-host/workers/python/3.9/LINUX/X64/azure_functions_worker/extension.py", line 147, in get_async_invocation_wrapper
    result = await function(**args)
  File "/home/site/wwwroot/function_app.py", line 78, in active_directory_http
    await read_active_directory(CreationContext.from_request(req))
  File "/home/site/wwwroot/active_directory.py", line 15, in read_active_directory
    token, expiry = await acquire_token(run, "Directory.Read.All")
  File "/home/site/wwwroot/azurerestapi.py", line 40, in acquire_token
    tk = await cred.get_token(*scopes)
  File "/home/site/wwwroot/.python_packages/lib/site-packages/azure/identity/aio/_internal/decorators.py", line 21, in wrapper
    token = await fn(*args, **kwargs)
  File "/home/site/wwwroot/.python_packages/lib/site-packages/azure/identity/aio/_credentials/managed_identity.py", line 120, in get_token
    return await self._credential.get_token(*scopes, **kwargs)
  File "/home/site/wwwroot/.python_packages/lib/site-packages/azure/identity/aio/_internal/managed_identity_base.py", line 45, in get_token
    return await super().get_token(*scopes, **kwargs)
  File "/home/site/wwwroot/.python_packages/lib/site-packages/azure/identity/aio/_internal/get_token_mixin.py", line 62, in get_token
    token = await self._request_token(*scopes, **kwargs)
  File "/home/site/wwwroot/.python_packages/lib/site-packages/azure/identity/aio/_internal/managed_identity_base.py", line 53, in _request_token
    return await cast(AsyncManagedIdentityClient, self._client).request_token(*scopes, **kwargs)
  File "/home/site/wwwroot/.python_packages/lib/site-packages/azure/identity/aio/_internal/managed_identity_client.py"


2023-01-31T11:55:06.527572116Z  ---> Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: AADSTS500011: The resource principal named Directory.Read.All was not found in the tenant named CENSORED. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.

To Reproduce

from azure.identity import ManagedIdentityCredential
ManagedIdentityCredential().get_token("Directory.Read.All") # also does not work with https://graph.microsoft.com/Directory.Read.All or https://graph.microsoft.com/.default

Expected behavior

Well, getting a token for Graph API should work. Also, why is ADAL mentioned in the log? I don’t want ADAL, I want MSAL.
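The AADSTS500011 message quotes "Directory.Read.All" as a resource principal because a managed identity endpoint takes a single resource (audience), not a permission name: azure-identity collapses the one scope it is given into that resource by stripping a trailing "/.default". The block below is an added illustration, not code from azure-identity or from the issue author. It re-implements that scope-to-resource step in simplified form (assumption: it mirrors the library's behaviour), flags scope strings that are really permission names, and then reads the audience and app roles out of a constructed token payload, since with a managed identity the permission has to arrive as a role assignment rather than through the scope string. The function names, the heuristic regexes and the sample token are all mine.

```python
"""Added example: why a permission name fails as a managed-identity scope,
and how to check what a returned token actually grants.

Not the azure-identity implementation; scopes_to_resource() is a simplified
re-implementation (assumption) of the library's scope -> resource mapping.
"""
import base64
import json
import re
from typing import Dict, Sequence

GRAPH_RESOURCE = "https://graph.microsoft.com"

# Heuristics (assumptions, not SDK rules): a dotted CamelCase last segment
# looks like a Graph permission name; a GUID may be used as a resource app id.
PERMISSION_NAME = re.compile(r"(^|/)[A-Z][A-Za-z]*(\.[A-Z][A-Za-z]*)+$")
GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def scopes_to_resource(scopes: Sequence[str]) -> str:
    """Collapse the scope list into the single resource a managed identity
    endpoint understands. Simplified re-implementation of the SDK step."""
    if len(scopes) != 1:
        raise ValueError("managed identity accepts exactly one scope per request")
    resource = scopes[0]
    suffix = "/.default"
    if resource.endswith(suffix):
        resource = resource[: -len(suffix)]
    return resource


def diagnose_scopes(scopes: Sequence[str]) -> Dict[str, object]:
    """Explain, before any network call, whether a scope list can work with a
    managed identity and what resource the endpoint would be asked for."""
    try:
        resource = scopes_to_resource(scopes)
    except ValueError as exc:
        return {"ok": False, "resource": None, "reason": str(exc)}
    if PERMISSION_NAME.search(resource):
        # This is what the issue's repro sends: the token service then reports
        # "resource principal named Directory.Read.All was not found".
        return {
            "ok": False,
            "resource": resource,
            "reason": (f"'{resource}' is a permission name, not a resource; "
                       f"request '{GRAPH_RESOURCE}/.default' and grant the "
                       f"permission to the identity as an app role"),
        }
    if "://" not in resource and not GUID.match(resource):
        return {"ok": False, "resource": resource,
                "reason": "resource must be an app ID URI/URL or an app id GUID"}
    return {"ok": True, "resource": resource, "reason": ""}


def _b64url_decode(segment: str) -> bytes:
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_payload(token: str) -> Dict[str, object]:
    """Read the claims of a compact JWT *without* verifying its signature.
    Verification is the resource server's job; this is for diagnosis only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def token_grants(payload: Dict[str, object], resource: str, role: str) -> bool:
    """True if the token is for `resource` and carries `role` in its app-only
    'roles' claim; app roles assigned to a managed identity show up there."""
    roles = payload.get("roles") or []
    return payload.get("aud") == resource and role in roles


def _make_sample_token(payload: Dict[str, object]) -> str:
    """Constructed, unsigned sample token for the example (alg=none, no signature)."""
    def enc(d: Dict[str, object]) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed sample: what a Graph token for a managed identity that has been
# assigned the Directory.Read.All app role would carry (appid is a placeholder).
SAMPLE_TOKEN = _make_sample_token({
    "aud": GRAPH_RESOURCE,
    "appid": "00000000-0000-0000-0000-000000000000",
    "roles": ["Directory.Read.All"],
})

if __name__ == "__main__":
    for scopes in (["Directory.Read.All"],
                   [f"{GRAPH_RESOURCE}/Directory.Read.All"],
                   [f"{GRAPH_RESOURCE}/.default"]):
        print(scopes, "->", diagnose_scopes(scopes))
    claims = decode_jwt_payload(SAMPLE_TOKEN)
    print("grants Directory.Read.All:",
          token_grants(claims, GRAPH_RESOURCE, "Directory.Read.All"))
```

Run it as a script to see the three scope forms from the issue diagnosed side by side. Requesting the `/.default` scope only gets the audience right; whether the token then carries `Directory.Read.All` in its `roles` claim depends on the app-role assignment on the identity, which is what `token_grants` checks on a real token's payload.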

About this issue

  • State: closed
  • Created a year ago
  • Comments: 21 (9 by maintainers)

Most upvoted comments

Ok, I agree it all looks good. I’ll double check tomorrow why I have issues