Unable to authenticate within the scope of an Azure Container Registry

[andrei-dascalu]

Describe the bug

Given the command

az login --scope https://<my ACR name>.azurecr.io/.default --tenant <tenant id>

I receive the following error after performing the browser login:

Authentication failed

invalid_resource: AADSTS500011: The resource principal named https://<my ACR name>.azurecr.io was not found in the tenant named <my tenant name>. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant. Trace ID: c3ce5dd8-5846-48bd-b973-7d37aa7f8300 Correlation ID: a9a9d4e9-e675-43a2-96ba-302115800e59 Timestamp: 2024-11-29 06:54:41Z. (https://login.microsoftonline.com/error?code=500011)

You can log an issue at [Azure CLI GitHub Repository](https://github.com/azure/azure-cli/issues) and we will assist you in resolving it.

The ACR name exists and it's part of the tenant whose id I am supplying.

Related command

az login --scope https://.azurecr.io/.default --tenant

Errors

Authentication failed

invalid_resource: AADSTS500011: The resource principal named https://<my ACR name>.azurecr.io was not found in the tenant named <my tenant name>. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant. Trace ID: c3ce5dd8-5846-48bd-b973-7d37aa7f8300 Correlation ID: a9a9d4e9-e675-43a2-96ba-302115800e59 Timestamp: 2024-11-29 06:54:41Z. (https://login.microsoftonline.com/error?code=500011)

You can log an issue at [Azure CLI GitHub Repository](https://github.com/azure/azure-cli/issues) and we will assist you in resolving it.

Issue script & Debug output

cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x1026da5c0>]
az_command_data_logger: exit code: 1
cli.__main__: Command ran in 3.301 seconds (init: 0.123, invoke: 3.178)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 4294 in cache file under /Users/adascalu/.azure/telemetry/20241129090219906
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "/opt/homebrew/Cellar/azure-cli/2.67.0/libexec/bin/python /opt/homebrew/Cellar/azure-cli/2.67.0/libexec/lib/python3.12/site-packages/azure/cli/telemetry/__init__.py /Users/adascalu/.azure /Users/adascalu/.azure/telemetry/20241129090219906"
telemetry.process: Return from creating process 63658
telemetry.main: Finish creating telemetry upload process.

Expected behavior

successful login

Environment Summary

azure-cli 2.67.0

core 2.67.0
telemetry 1.1.0

Extensions:
account 0.2.5
alb 1.0.0
storage-preview 1.0.0b1

Dependencies:
msal 1.31.0
azure-mgmt-resource 23.1.1

Python location '/opt/homebrew/Cellar/azure-cli/2.67.0/libexec/bin/python'
Extensions directory '/Users/adascalu/.azure/cliextensions'

Python (Darwin) 3.12.7 (main, Oct 1 2024, 02:05:46) [Clang 16.0.0 (clang-1600.0.26.3)]

Additional context

No response

[yonzhan]

Thank you for opening this issue, we will look into it.

[github-actions]

Here are some similar issues that might help you. Please check if they can solve your problem.

• Unable to login via az login --scope https://graph.microsoft.com/.default #28062

[jiasli]

AADSTS500011 is returned by Microsoft Entra ID service, not Azure CLI.

@andrei-dascalu, are you following any documentation or did you receive any error message that tells you to run az login --scope https://<my ACR name>.azurecr.io/.default --tenant <tenant id>?

[microsoft-github-policy-service]

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @toddysm, @luisdlp, @northtyphoon, @terencet-dev.