azure-storage-azcopy: Unable to login with managed identity on remote server without UI

Which version of the AzCopy was used?

10.8.0

Which platform are you using? (ex: Windows, Mac, Linux)

Windows

What command did you run?

azcopy login --identity

What problem was encountered?

Failed to perform login command:
failed to encrypt token, Access is denied.

How can we reproduce the problem in the simplest way?

  1. Create an Azure VM
  2. Enable system managed identity
  3. Login remotely via PowerShell and PSRemoting. Do not login with RDP prior!
  4. Download and extract AzCopy with PowerShell (see below)
  5. Go to the AzCopy install location and run azcopy login --identity

Download and install with PowerShell:

# Step 4, download and install
# Force TLS 1.2 so the download works on hosts whose default protocol is older
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# -UseBasicParsing avoids the Internet Explorer engine dependency, which is not available in a session that never had an interactive logon
Invoke-WebRequest -Uri https://aka.ms/downloadazcopy-v10-windows -OutFile $env:TEMP/azcopy.zip -UseBasicParsing
Expand-Archive $env:TEMP/azcopy.zip C:\Users\azureuser\azcopy

# Step 5, try to login
cd C:\Users\azureuser\azcopy\azcopy_windows_amd64_10.8.0
.\azcopy.exe login --identity

Have you found a mitigation/solution?

Logging in and out via RDP solves the issue and we’re able to run AzCopy login. However, this isn’t viable since we’re using AzCopy as part of an automation script and we can’t just RDP on every server beforehand to make it work. Looking through the code, the error being printed is from https://github.com/Azure/azure-storage-azcopy/blob/a3d0fe3d607255cf9fdc1ef37b15e780ec04c4ca/common/credCache_windows.go#L177-L179 and the failing method seems to be https://github.com/Azure/azure-storage-azcopy/blob/a3d0fe3d607255cf9fdc1ef37b15e780ec04c4ca/common/credCache_windows.go#L257-L264. The name of the flag “cryptProtectUIForbidden” seems to have a relation to UI, and that seems to indicate that we need a UI session for AzCopy to work? Not entirely sure.
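A diagnostic that can be run in the same remote session before azcopy login, added here as an example and not part of the issue or of AzCopy's own code. It assumes the linked credCache_windows.go lines protect the cached token with DPAPI (CryptProtectData) and that .NET's ProtectedData wrapper exercises the same user-scope DPAPI path, so a failure here reproduces the "Access is denied" condition independently of AzCopy.

```powershell
# Added diagnostic (not from the issue or AzCopy): does user-scope DPAPI work in this session?
# Assumption: AzCopy's Windows credential cache uses DPAPI, as the linked credCache_windows.go suggests.
Add-Type -AssemblyName System.Security   # ProtectedData lives here on Windows PowerShell 5.1

function Test-DpapiSession {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sid = $identity.User.Value
    $result = [ordered]@{
        User               = $identity.Name
        Interactive        = [Environment]::UserInteractive
        ProfileDirExists   = Test-Path -LiteralPath $env:USERPROFILE
        # DPAPI user master keys are stored under %APPDATA%\Microsoft\Protect\<SID>;
        # they are created when the profile is first set up for that user
        MasterKeyDirExists = Test-Path -LiteralPath (Join-Path $env:APPDATA "Microsoft\Protect\$sid")
        DpapiRoundTripOk   = $false
        Error              = $null
    }
    try {
        # Constructed sample payload standing in for the token AzCopy would cache
        $plain  = [Text.Encoding]::UTF8.GetBytes('constructed-sample-token')
        $scope  = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
        $cipher = [System.Security.Cryptography.ProtectedData]::Protect($plain, $null, $scope)
        $back   = [System.Security.Cryptography.ProtectedData]::Unprotect($cipher, $null, $scope)
        $result.DpapiRoundTripOk = ([Convert]::ToBase64String($back) -eq [Convert]::ToBase64String($plain))
    } catch {
        # Under the failing condition this is where "Access is denied." surfaces
        $result.Error = $_.Exception.Message
    }
    [pscustomobject]$result
}

Test-DpapiSession | Format-List
```

Run it once in the PSRemoting session and once after an RDP logon; comparing the two outputs shows whether the DPAPI round trip, rather than the managed identity itself, is what the interactive logon fixes.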

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 16 (6 by maintainers)

Most upvoted comments

Oh, I see, so it might be related to the login operation that is failing, but if I do an azcopy cp with auto-login it might work. Alright, I can try that; I have always been testing with a login first to make sure I had the right permission to copy first.

@nakulkar-msft I believe you missed the point where I mention that azureuser works if and only if I connect with RDP on the server at least once. It’s not a user permission issue. And I am using the auto-login mentioned via an environment variable; I don’t do any other login. The line you mention, “SPN Auth”, only applies when using a service principal, which is NOT my use case; I’m using the VM identity. The only thing that changed between the two tries is that I have logged in via RDP.