Run az login command through Service fabric application got error: ERROR: (pii). Status: Response_Status.Status_Unexpected, Error code: -2147023584, Tag: 557973639

[averitas]

Describe the bug

Our project is based on Service fabric cluster. We have a script execution module it will use PowerShell SDK to run commands or start with new process using powershell.exe.
Our cluster has installed az cli. When we run code like this we got error:

var results = ps.AddScript("az login --only-show-errors --user $adminUPN --password $adminPassword --output none").Invoke();
if (ps.HadErrors)
{
    Console.WriteLine("PowerShell command has error");
    string errors = string.Join(",", ps.Streams.Error.Select(e => e.ToString()));
    throw new UnrecoverableException($"Run PS command: \n\r[{cmd}] error: \n\r[{errors}]");
}

Error:
ERROR: (pii). Status: Response_Status.Status_Unexpected, Error code: -2147023584, Tag: 557973639,Please explicitly log in with:,az login

Related command

az login --only-show-errors --user $adminUPN --password $adminPassword --output none

Errors

ERROR: (pii). Status: Response_Status.Status_Unexpected, Error code: -2147023584, Tag: 557973639,Please explicitly log in with:,az login

Issue script & Debug output

DEBUG: cli.knack.cli: Command arguments: ['login', '--debug', '--user', 'admin@*.onmicrosoft.com', '--password', '', '--output', 'none'],DEBUG: cli.knack.cli: init debug log:,Cannot enable color.,DEBUG: cli.knack.cli: Event: Cli.PreExecute [],DEBUG: cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x02142C08>, <function OutputProducer.on_global_arguments at 0x022837A8>, <function CLIQuery.on_global_arguments at 0x022A22A8>],DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate [],DEBUG: cli.azure.cli.core: Modules found from index for 'login': ['azure.cli.command_modules.profile'],DEBUG: cli.azure.cli.core: Loading command modules:,DEBUG: cli.azure.cli.core: Name Load Time Groups Commands,DEBUG: cli.azure.cli.core: profile 0.005 2 8,DEBUG: cli.azure.cli.core: Total (1) 0.005 2 8,DEBUG: cli.azure.cli.core: Loaded 2 groups, 8 commands.,DEBUG: cli.azure.cli.core: Found a match in the command table.,DEBUG: cli.azure.cli.core: Raw command : login,DEBUG: cli.azure.cli.core: Command table: login,DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x02EB95C8>],DEBUG: cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\WF-HibK59HkTWkC44X\.azure\commands\2025-01-02.08-26-17.login.7600.log'.,INFO: az_command_data_logger: command args: login --debug --user {} --password {} --output {},DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0x02EF1168>],DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad [],DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x02EF11B8>, <function register_cache_arguments..add_cache_arguments at 0x02F08438>, <function register_upcoming_breaking_change_info..update_breaking_change_info at 0x02F08488>],DEBUG: cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded [],DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreParseArgs [],DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x022837F8>, <function CLIQuery.handle_query_parameter at 0x022A22F8>, <function register_ids_argument..parse_ids_arguments at 0x02F083E8>],WARNING: cli.azure.cli.command_modules.profile.custom: Authentication with username and password in the command line is strongly discouraged. Use one of the recommended authentication methods based on your requirements. For more details, see https://go.microsoft.com/fwlink/?linkid=2276314,DEBUG: cli.azure.cli.core.auth.persistence: build_persistence: location='C:\\Users\\WF-HibK59HkTWkC44X\\.azure\\msal_token_cache.bin', encrypt=True,DEBUG: cli.azure.cli.core.auth.binary_cache: load: C:\Users\WF-HibK59HkTWkC44X\.azure\msal_http_cache.bin,DEBUG: urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None),DEBUG: msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/organizations,DEBUG: msal.authority: openid_config("https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration\") = {'token_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/organizations/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/{tenantid}/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/organizations/kerberos', 'tenant_region_scope': None, 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'},DEBUG: msal.application: Broker enabled? True,DEBUG: msal.broker: [MSAL:0001]\tWARNING\tSetAuthorityUri:78\tInitializing authority from URI 'https://login.microsoftonline.com/organizations' without authority type, defaulting to MsSts,DEBUG: msal.broker: [MSAL:0001]\tINFO \tSetCorrelationId:258\tSet correlation ID: ee79d23d-99df-4a40-a715-74b7ac66ed1c,DEBUG: msal.broker: [MSAL:0001]\tINFO \tEnqueueBackgroundRequest:1000\tThe original authority is 'https://login.microsoftonline.com/organizations',DEBUG: msal.broker: [MSAL:0001]\tINFO \tModifyAndValidateAuthParameters:243\tAuthority Realm: organizations,DEBUG: msal.broker: [MSAL:0001]\tWARNING\tTryEnqueueMsaDeviceCredentialAcquisitionAndContinue:1052\tMsaDeviceOperationProvider is not available. Not attempting to register the device.,DEBUG: msal.broker: [MSAL:0002]\tERROR \tErrorInternalImpl:134\tCreated an error: 7q6ch, StatusInternal::Unexpected, InternalEvent::None, Error Code -2147023584, Context '(pii)',DEBUG: msal.broker: [MSAL:0002]\tINFO \tLogTelemetryData:422\tPrinting Telemetry for Correlation ID: ee79d23d-99df-4a40-a715-74b7ac66ed1c,DEBUG: msal.broker: [MSAL:0002]\tINFO \tLogTelemetryData:430\tKey: start_time, Value: 2025-01-02T08:26:18.000Z,DEBUG: msal.broker: [MSAL:0002]\tINFO \tLogTelemetryData:430\tKey: api_name, Value: AcquireTokenUsernamePassword,DEBUG: msal.broker: [MSAL:0002]\tINFO \tLogTelemetryData:430\tKey: was_request_throttled, Value: false,DEBUG: msal.broker: [MSAL:0002]\tINFO \tLogTelemetryData:430\tKey: request_duration, Value: 12,DEBUG: msal.broker: [MSAL:0002]\tINFO \tLogTelemetryData:430\tKey: authority_type, Value: Unknown,DEBUG: msal.broker: [MSAL:0002]\tINFO \tLogTelemetryData:430\tKey: msal_version, Value: 1.1.0+local,DEBUG: msal.broker: [MSAL:0002]\tINFO \tLogTelemetryData:430\tKey: client_id, Value: 04b07795-8ddb-461a-bbee-02f9e1bf7b46,DEBUG: msal.broker: [MSAL:0002]\tINFO \tLogTelemetryData:430\tKey: correlation_id, Value: ee79d23d-99df-4a40-a715-74b7ac66ed1c,DEBUG: msal.broker: [MSAL:0002]\tINFO \tLogTelemetryData:430\tKey: broker_app_used, Value: true,DEBUG: msal.broker: [MSAL:0002]\tINFO \tLogTelemetryData:430\tKey: stop_time, Value: 2025-01-02T08:26:18.000Z,DEBUG: msal.broker: [MSAL:0002]\tINFO \tLogTelemetryData:430\tKey: msalruntime_version, Value: 0.16.2,DEBUG: msal.broker: [MSAL:0002]\tINFO \tLogTelemetryData:430\tKey: original_authority, Value: https://login.microsoftonline.com/organizations,DEBUG: msal.broker: [MSAL:0002]\tINFO \tLogTelemetryData:430\tKey: request_eligible_for_broker, Value: true,DEBUG: msal.broker: [MSAL:0002]\tINFO \tLogTelemetryData:430\tKey: additional_query_parameters_count, Value: 0,DEBUG: msal.broker: [MSAL:0002]\tINFO \tLogTelemetryData:430\tKey: is_successful, Value: false,DEBUG: msal.broker: [MSAL:0002]\tINFO \tLogTelemetryData:430\tKey: auth_flow, Value: Broker,DEBUG: msal.broker: [MSAL:0002]\tINFO \tLogTelemetryData:430\tKey: broker_error_location, Value: 7q6ch,DEBUG: msal.broker: [MSAL:0002]\tINFO \tLogTelemetryData:430\tKey: api_error_code, Value: -2147023584,DEBUG: msal.broker: [MSAL:0002]\tINFO \tLogTelemetryData:430\tKey: api_error_tag, Value: 7q6ch,DEBUG: msal.broker: [MSAL:0002]\tINFO \tLogTelemetryData:430\tKey: api_status_code, Value: StatusInternal::Unexpected,DEBUG: msal.broker: [MSAL:0002]\tINFO \tLogTelemetryData:430\tKey: api_error_context, Value: (pii),DEBUG: msal.broker: [MSAL:0002]\tINFO \tLogTelemetryData:430\tKey: all_error_tags, Value: 7q6ch|7q6ch,DEBUG: msal.broker: [MSAL:0002]\tINFO \tLogTelemetryData:430\tKey: authorization_type, Value: UsernamePassword,DEBUG: msal.broker: [MSAL:0002]\tINFO \tLogTelemetryData:435\tPrinting Execution Flow:,DEBUG: msal.broker: [MSAL:0002]\tINFO \tLogTelemetryData:443\t{"t":"646u1","tid":1,"ts":0,"l":2},{"t":"4s7uc","tid":1,"ts":0,"l":2},{"t":"4sufd","tid":1,"ts":0,"s":2,"l":2},{"t":"4swgg","tid":1,"ts":0,"s":1,"l":2},{"t":"4swgf","tid":1,"ts":0,"s":1,"l":2},{"t":"4swgi","tid":2,"ts":0,"s":1,"l":2},{"t":"8b2yn","tid":2,"ts":0,"l":2},{"t":"8dqkx","tid":2,"ts":0,"l":2},{"t":"8dqil","tid":2,"ts":0,"l":2},{"t":"8b2hs","tid":2,"ts":0,"l":2},{"t":"5b8fg","tid":2,"ts":0,"l":2},{"t":"694nj","tid":2,"ts":0,"l":2,"a":10,"ie":0},{"t":"4ygzh","tid":2,"ts":0,"l":2},{"t":"4wqnh","tid":2,"ts":0,"l":2},{"t":"5xbm9","tid":2,"ts":11,"l":2},{"t":"4ruy6","tid":2,"ts":11,"l":2},{"t":"694nk","tid":2,"ts":12,"l":2,"a":10,"ie":1},{"t":"8dqk1","tid":2,"ts":12,"l":2},{"t":"646u1","tid":2,"ts":12,"l":2},DEBUG: cli.azure.cli.core.azclierror: Traceback (most recent call last):, File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke, File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 666, in execute, File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 733, in _run_jobs_serially, File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 703, in _run_job, File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 336, in call, File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler, File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/profile/custom.py", line 173, in login, File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/_profile.py", line 179, in login, File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/identity.py", line 187, in login_with_username_password, File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/util.py", line 149, in check_result, File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/util.py", line 53, in aad_error_handler,azure.cli.core.azclierror.AuthenticationError: (pii). Status: Response_Status.Status_Unexpected, Error code: -2147023584, Tag: 557973639,System.Management.Automation.RemoteException,ERROR: cli.azure.cli.core.azclierror: (pii). Status: Response_Status.Status_Unexpected, Error code: -2147023584, Tag: 557973639,ERROR: az_command_data_logger: (pii). Status: Response_Status.Status_Unexpected, Error code: -2147023584, Tag: 557973639,Please explicitly log in with:,az login,DEBUG: cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x02EB9708>],INFO: az_command_data_logger: exit code: 1,INFO: cli.main: Command ran in 1.143 seconds (init: 0.395, invoke: 0.748),INFO: telemetry.main: Begin splitting cli events and extra events, total events: 1,INFO: telemetry.client: Accumulated 0 events. Flush the clients.,INFO: telemetry.main: Finish splitting cli events and extra events, cli events: 1,INFO: telemetry.save: Save telemetry record of length 4231 in cache file under C:\Users\WF-HibK59HkTWkC44X\.azure\telemetry\20250102082618346,INFO: telemetry.main: Begin creating telemetry upload process.,INFO: telemetry.process: Creating upload process: "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry\init.pyc C:\Users\WF-HibK59HkTWkC44X\.azure C:\Users\WF-HibK59HkTWkC44X\.azure\telemetry\20250102082618346",INFO: telemetry.process: Return from creating process 11872,INFO: telemetry.main: Finish creating telemetry upload process.

Expected behavior

We expect az login without error.

Environment Summary

{
"azure-cli": "2.67.0",
"azure-cli-core": "2.67.0",
"azure-cli-telemetry": "1.1.0",
"extensions": {
"communication": "1.5.1"
}
}

Additional context

No response

[yonzhan]

Thank you for opening this issue, we will look into it.

[github-actions]

Here are some similar issues that might help you. Please check if they can solve your problem.

• "az login" error from PowerShell #26860

---

Possible solution (Extracted from existing issue, might be incorrect; please verify carefully)

Solution 1:

It is a proxy error, please check your proxy configuration.

Caused by ProxyError('Cannot connect to proxy.', OSError('Tunnel connection failed: 405 Method Not Allowed'))

Reference:

• "az login" error from PowerShell #26860 (comment)

Solution 2:

Please make sure Python can access public internet through your proxy. This can be verified with:

& "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe" -c "import requests; print(requests.get('https://login.microsoftonline.com/').status_code)"

To check the settings of your proxy,

• If proxy is configured via HTTPS_PROXY or HTTP_PROXY environment variable, please make sure it is pointed to the right URL by running ls env:.
• On Windows, this can also be found in Control Panel -> Internet Options -> Connections -> LAN settings -> Proxy server -> Advanced

Reference:

• "az login" error from PowerShell #26860 (comment)

[averitas]

Here are some similar issues that might help you. Please check if they can solve your problem.

• "az login" error from PowerShell #26860

Possible solution (Extracted from existing issue, might be incorrect; please verify carefully)

Solution 1:

It is a proxy error, please check your proxy configuration.

Caused by ProxyError('Cannot connect to proxy.', OSError('Tunnel connection failed: 405 Method Not Allowed'))

Reference:

• "az login" error from PowerShell #26860 (comment)

Solution 2:

Please make sure Python can access public internet through your proxy. This can be verified with:

& "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe" -c "import requests; print(requests.get('https://login.microsoftonline.com/').status_code)"

To check the settings of your proxy,

• If proxy is configured via HTTPS_PROXY or HTTP_PROXY environment variable, please make sure it is pointed to the right URL by running ls env:.
• On Windows, this can also be found in Control Panel -> Internet Options -> Connections -> LAN settings -> Proxy server -> Advanced

Reference:

• "az login" error from PowerShell #26860 (comment)

Not proxy or network issue. I got 200.OK when calling https://login.microsoftonline.com

[rayluo]

Not sure whether broker is expected to work on a service fabric cluster. You may try az config set core.enable_broker_on_windows=false to see how that goes. (Updated the command with @jiasli 's suggestion below. Thanks, Jiashuo!)

[jiasli]

The latest command to turn off WAM/broker on Windows is

az config set core.enable_broker_on_windows=false

For more details, see https://learn.microsoft.com/en-us/cli/azure/authenticate-azure-cli-interactively#sign-in-with-web-account-manager-wam-on-windows

[averitas]

It works. Thanks folks.