
Could not find tenant id for provided tenant domain. Please ensure that the provided service principal is found in the provided tenant domain. #24652

Open
@Jonsey1980

Description

Using Connect-AzAccount with a service principal, with the code below:

```powershell
$clientSecret = '{Secret}' | ConvertTo-SecureString -AsPlainText -Force
$connectCreds = New-Object -TypeName System.Management.Automation.PSCredential `
    -ArgumentList '{SPN ID}', $clientSecret
Connect-AzAccount -ServicePrincipal -Credential $connectCreds -Tenant '{tenant id}'
```

This works on one server but fails on another; we are unable to diagnose why. Versions:

  • Az = 11.5.0
  • Az.Accounts = 2.17.0
  • Az.Resources = 6.16.1
  • Az.Network = 7.4.1
  • Az.Compute = 7.2.0

Error message:

```text
Connect-AzAccount : ClientSecretCredential authentication failed: Retry failed after 4 tries. Retry settings can be adjusted in ClientOptions.Retry or by configuring a
custom retry policy in ClientOptions.RetryPolicy.
Could not find tenant id for provided tenant domain '{tenantID}'. Please ensure that the provided service principal
'{{SPN ID}' is found in the provided tenant domain.
At line:15 char:1
+ Connect-AzAccount -ServicePrincipal -Credential $connectCreds -Tenan ...
+ CategoryInfo : CloseError: (:) [Connect-AzAccount], ArgumentNullException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand

ErrorRecord : Run Connect-AzAccount to login.
Message : Run Connect-AzAccount to login.
Data : {}
InnerException :
TargetSite : Void HandleException(System.Runtime.ExceptionServices.ExceptionDispatchInfo)
StackTrace : at Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.ResourceManagerCmdletBase.HandleException(ExceptionDispatchInfo capturedException)
at Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.ResourceManagerCmdletBase.ExecuteCmdlet()
at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
HelpLink :
Source : Microsoft.Azure.PowerShell.Cmdlets.ResourceManager
HResult : -2146233079
```

Issue script & Debug output

```text
DEBUG: Request [31c393df-c813-4ba8-9df5-94ecde422400] exception Azure.RequestFailedException: An error occurred while sending the request. ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm
   at System.Net.SSPIWrapper.AcquireCredentialsHandle(SSPIInterface SecModule, String package, CredentialUse intent, SecureCredential scc)
   at System.Net.Security.SecureChannel.AcquireCredentialsHandle(CredentialUse credUsage, SecureCredential& secureCredential)
   at System.Net.Security.SecureChannel.AcquireClientCredentials(Byte[]& thumbPrint)
   at System.Net.Security.SecureChannel.GenerateToken(Byte[] input, Int32 offset, Int32 count, Byte[]& output)
   at System.Net.Security.SecureChannel.NextMessage(Byte[] incoming, Int32 offset, Int32 count)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
   at System.Net.TlsStream.BeginWrite(Byte[] buffer, Int32 offset, Int32 size, AsyncCallback asyncCallback, Object asyncState)
   at System.Net.ConnectStream.WriteHeaders(Boolean async)
   --- End of inner exception stack trace ---
   at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
   at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
   --- End of inner exception stack trace ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Azure.Core.Pipeline.HttpClientTransport.<ProcessAsync>d__12.MoveNext()
   --- End of inner exception stack trace ---
   at Azure.Core.Pipeline.HttpClientTransport.<ProcessAsync>d__12.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Azure.Core.Pipeline.HttpPipelineTransportPolicy.<ProcessAsync>d__4.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Azure.Core.Pipeline.ResponseBodyPolicy.<ProcessAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Azure.Core.Pipeline.LoggingPolicy.<ProcessAsync>d__9.MoveNext()
```

Environment data

```text
Name                           Value
----                           -----
PSVersion                      5.1.14393.6343
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14393.6343
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
```

Module versions

Az = 11.5.0
Az.Accounts = 2.17.0
Az.Resources = 6.16.1
Az.Network = 7.4.1
Az.Compute = 7.2.0

Error output

```text
Message        : The client and server cannot communicate, because they do not possess a common algorithm
StackTrace     :    at System.Net.SSPIWrapper.AcquireCredentialsHandle(SSPIInterface SecModule, String package, CredentialUse intent, SecureCredential scc)
                    at System.Net.Security.SecureChannel.AcquireCredentialsHandle(CredentialUse credUsage, SecureCredential& secureCredential)
                    at System.Net.Security.SecureChannel.AcquireClientCredentials(Byte[]& thumbPrint)
                    at System.Net.Security.SecureChannel.GenerateToken(Byte[] input, Int32 offset, Int32 count, Byte[]& output)
                    at System.Net.Security.SecureChannel.NextMessage(Byte[] incoming, Int32 offset, Int32 count)
                    at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
                    at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
                    at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
                    at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
                    at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
                    at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
                    at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
                    at System.Net.TlsStream.BeginWrite(Byte[] buffer, Int32 offset, Int32 size, AsyncCallback asyncCallback, Object asyncState)
                    at System.Net.ConnectStream.WriteHeaders(Boolean async)
Exception      : System.ComponentModel.Win32Exception
InvocationInfo : {Connect-AzAccount}
Line           : Connect-AzAccount -ServicePrincipal -Credential $connectCreds -Tenant 'f009f285-5242-433a-9365-daa1edf145c3'

Position       : At line:43 char:1
                 + Connect-AzAccount -ServicePrincipal -Credential $connectCreds -Tenant ...
                 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId      : 1
```

TLS 1.1 and TLS 1.2 are enabled on the server.
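In the original report the innermost exception is a Schannel handshake failure ("do not possess a common algorithm"), so the request never reaches the token endpoint and the "could not find tenant id" text is only the outer wrapper. On Windows PowerShell 5.1 (PSEdition Desktop, as in the environment data above) the TLS version a process offers is decided by .NET Framework defaults and by Schannel registry policy, not by the Az modules. The script below is an added diagnostic example, not part of this issue or of the Az/azure-powershell code; it assumes the working and failing servers differ in that configuration, which is a hypothesis the thread does not confirm. It records the protocols the current process will negotiate, the Schannel client protocol keys, the .NET strong-crypto flags, and then performs a raw TLS handshake to login.microsoftonline.com both with .NET's default protocol choice and with TLS 1.2 forced, so the two servers' output can be diffed. The Azure DevOps reports later in the thread (AADSTS90061 / AADSTS50166 from a Linux agent) fail at the OIDC federation step and are a different problem not covered by this check.

```powershell
# Added diagnostic example (not from the issue or the Az modules).
# Run on both the working and the failing server and diff the output.

function Test-TlsHandshake {
    # Raw handshake to the Entra token endpoint, independent of Az.Accounts.
    param(
        [string]$TargetHost = 'login.microsoftonline.com',
        [Security.Authentication.SslProtocols]$Protocol = 'Default'   # 'Default' = what .NET picks on its own
    )
    $tcp = $null; $ssl = $null
    try {
        $tcp = New-Object Net.Sockets.TcpClient($TargetHost, 443)
        $ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false)
        # (host, client certs, allowed protocols, check revocation)
        $ssl.AuthenticateAsClient($TargetHost, $null, $Protocol, $true)
        "[$Protocol] OK -> negotiated $($ssl.SslProtocol), $($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
    } catch {
        "[$Protocol] FAILED -> $($_.Exception.Message)"
    } finally {
        if ($ssl) { $ssl.Dispose() }   # also closes the inner network stream
        if ($tcp) { $tcp.Dispose() }
    }
}

# 1. Protocols this .NET process is currently willing to offer.
"SecurityProtocol (process): $([Net.ServicePointManager]::SecurityProtocol)"
"CLR version: $([Environment]::Version)"

# 2. Schannel client-side protocol policy (absent key = OS default).
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($ver in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    $key = Join-Path $schannel "$ver\Client"
    if (Test-Path $key) {
        $p = Get-ItemProperty -Path $key
        "$ver client: Enabled=$($p.Enabled) DisabledByDefault=$($p.DisabledByDefault)"
    } else {
        "$ver client: no explicit key (OS default)"
    }
}

# 3. .NET Framework flags that make 4.x applications default to TLS 1.2.
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
    if (Test-Path $key) {
        $p = Get-ItemProperty -Path $key
        "$key : SchUseStrongCrypto=$($p.SchUseStrongCrypto) SystemDefaultTlsVersions=$($p.SystemDefaultTlsVersions)"
    }
}

# 4. Handshake with .NET's own default choice, then with TLS 1.2 forced.
#    Default failing while Tls12 succeeds points at .NET defaults (steps 1/3);
#    both failing points at Schannel policy or cipher suites (step 2).
Test-TlsHandshake
Test-TlsHandshake -Protocol Tls12

# 5. Session-scoped test of the hypothesis: force TLS 1.2 for this process only,
#    then run Connect-AzAccount again. This changes no persistent configuration.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
```

Step 5 only affects the current PowerShell session; if Connect-AzAccount succeeds after it, the persistent fix belongs in the .NET strong-crypto settings from step 3 (or in a move to PowerShell 7, which uses the OS defaults), not in a per-script override that every caller has to remember.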

Activity

Labels added on Apr 18, 2024: bug (This issue requires a change to an existing behavior in the product in order to be resolved), needs-triage (This is a new issue that needs to be triaged to the appropriate team). The needs-triage label was removed the same day.
AzureStackNerd

AzureStackNerd commented on May 1, 2024

@AzureStackNerd

I have the same issue since this morning using an Azure PowerShell task in Azure DevOps.

```text
Connect-AzAccount: /home/vsts/work/_tasks/AzurePowerShell_72a1931b-effb-4d2e-8fd8-f8472a07cb62/5.238.11/InitializeAz.ps1:111
Line |
 111 |      $null = Connect-AzAccount -ServicePrincipal -Tenant $endpointObje …
     |              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | ClientAssertionCredential authentication failed: AADSTS90061: Request to
     | External OIDC endpoint failed. Trace ID:
     | 903c7eca-7598-457d-a199-1753f6b8ca00 Correlation ID:
     | 0d8656dd-3d7f-41dd-899f-c62e7e055118 Timestamp: 2024-05-01 08:26:48Z
     | Could not find tenant id for provided tenant domain
     | 'xxxxxxxx-xxxx-0000-0000-xxxxxxxxxxxxx'
```

Re-created the service connection (with workload identity (automatic)), just to make sure. But that did not help.

It was working fine yesterday

Makzemann

Makzemann commented on May 1, 2024

@Makzemann

Exact same issue on our side, was working fine yesterday

xcITs-Xian

xcITs-Xian commented on May 1, 2024

@xcITs-Xian

More or less the same issue here since this morning (May 1st 2024).
For us it is happening in an Azure DevOps PowerShell task (Azure PowerShell 5.*) during deployment. Yesterday everything was fine, the deployment was running several times without issues; since today, always the same error. Nothing was changed in DevOps since yesterday.

```text
2024-05-01T11:36:52.6226881Z VERBOSE: Command [Connect-AzAccount] failed the maximum number of 5 times.
2024-05-01T11:36:52.7452685Z ##[error]AADSTS50166: Request to External OIDC endpoint failed. Trace ID: bc766619-5c69-4b24-b49d-9905bdfc4400 Correlation ID: 42cdd13a-028c-421d-baa5-19f540815535 Timestamp: 2024-05-01 11:36:54Z
Could not find tenant id for provided tenant domain 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx'.
2024-05-01T11:36:52.8173333Z ##[error]PowerShell exited with code '1'.
```
AstridMalanka01

AstridMalanka01 commented on Jun 4, 2024

@AstridMalanka01

Good morning, any update?

Label added on Jun 5, 2024: Accounts (Issues in Az.Accounts except authentication related).
JonathonAnderson

JonathonAnderson commented on Jul 17, 2024

@JonathonAnderson

Still having this issue

Nerigal

Nerigal commented on Nov 21, 2024

@Nerigal

Bump, having the exact same issue.

Az = 13.0.0
Az.Accounts = 4.0
Az.Compute = 9.0

smithg6

smithg6 commented on Jan 23, 2025

@smithg6

Bump. Having almost the same issue, but using installed cert.pfx thumbprint from our service principal along with spn ID, tenant ID, etc. Was able to work around this by forcing uninstall of Az.Accounts 4.x and enforcing 3.0.0 (for anyone out there still struggling on this one).

Fail state:
Az = 11.1.0
Az.Accounts = 4.0.2

lbouriez

lbouriez commented on May 15, 2025

@lbouriez
Contributor

Hello,

We are currently experiencing this issue across all our pipelines in Azure DevOps. It is affecting multiple service connections and service principals.
