Describe the bug
I need to use the az CLI to list/add/remove group members and have two methods. Both are getting errors. This command needs to be deployed to an Azure Function, so I cannot use the interactive method to log in.
Method 1: use an account to log in; the account is set as the owner of the group. Get an error on az login.
Method 2: use a service principal to log in; the service principal is set as the owner of the group and granted the GroupMember.Read.All API permission. Then list group members, get an error.
Related command
method 1:
az login -u {account} -p {password}
method 2:
az login --service-principal -u {client_id} -p {client_secret} --tenant {tenant_id}
az ad group member list --group {group_name}
Errors
method 1:
RuntimeError: WsTrust server returned error in RSTR: {'reason': 'Failed Authentication: Account Locked.', 'code': 'oas:FailedAuthentication'}
method 2:
Insufficient privileges to complete the operation.
Issue script & Debug output
method 1:
cli.knack.cli: init debug log:
Enable color in terminal.
Enable VT mode.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x0151E7F8>, <function OutputProducer.on_global_arguments at 0x018478E8>, <function CLIQuery.on_global_arguments at 0x018686B8>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'login': ['azure.cli.command_modules.profile']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: profile 0.020 2 8
cli.azure.cli.core: Total (1) 0.020 2 8
cli.azure.cli.core: Loaded 2 groups, 8 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : login
cli.azure.cli.core: Command table: login
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x03B1AAC8>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\tx937273\.azure\commands\2023-11-28.20-02-53.login.21072.log'.
az_command_data_logger: command args: login -u {} -p {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x03B29708>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x03B54DE8>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x03B54E88>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x01847938>, <function CLIQuery.handle_query_parameter at 0x01868708>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x03B54E38>]
cli.azure.cli.core.auth.persistence: build_persistence: location='C:\Users\tx937273\.azure\msal_token_cache.bin', encrypt=True
cli.azure.cli.core.auth.binary_cache: load: C:\Users\tx937273\.azure\msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.chinacloudapi.cn/organizations/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.chinacloudapi.cn/organizations/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.partner.microsoftonline.cn/{tenantid}/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://microsoftgraph.chinacloudapi.cn/oidc/userinfo', 'authorization_endpoint': 'https://login.chinacloudapi.cn/organizations/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.chinacloudapi.cn/organizations/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.chinacloudapi.cn/organizations/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.chinacloudapi.cn/organizations/kerberos', 'tenant_region_scope': None, 'cloud_instance_name': 'partner.microsoftonline.cn', 'cloud_graph_host_name': 'graph.chinacloudapi.cn', 'msgraph_host': 'microsoftgraph.chinacloudapi.cn', 'rbac_url': 'https://pas.chinacloudapi.cn'}
msal.application: Broker enabled? False
msal.telemetry: Generate or reuse correlation_id: 559e0951-866b-4e40-9ee6-b2ea96bfbc45
msal.application: wstrust_endpoint = {'address': 'https://federation.gsk.com/idp/eyJ2c2lkIjoiaHR0cDpcL1wvZ3NrLmNvbVwvUGluZ0ZlZGVyYXRlIn0/sts.wst?TokenProcessorId=pfusernametp', 'action': 'http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue'}
cli.azure.cli.core.auth.binary_cache: save: C:\Users\tx937273\.azure\msal_http_cache.bin
cli.azure.cli.core.auth.binary_cache: save: C:\Users\tx937273\.azure\msal_http_cache.bin
urllib3.connectionpool: Starting new HTTPS connection (1): federation.gsk.com:443
urllib3.connectionpool: https://federation.gsk.com:443 "POST /idp/eyJ2c2lkIjoiaHR0cDpcL1wvZ3NrLmNvbVwvUGluZ0ZlZGVyYXRlIn0/sts.wst?TokenProcessorId=pfusernametp HTTP/1.1" 500 None
cli.azure.cli.core.auth.binary_cache: save: C:\Users\tx937273\.azure\msal_http_cache.bin
cli.azure.cli.core.auth.binary_cache: save: C:\Users\tx937273\.azure\msal_http_cache.bin
msal.wstrust_request: Unsuccessful WsTrust request receives: <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Header><a:Action s:mustUnderstand="1" xmlns:a="http://www.w3.org/2005/08/addressing">http://www.w3.org/2005/08/addressing/soap/fault</a:Action><a:RelatesTo xmlns:a="http://www.w3.org/2005/08/addressing">urn:uuid:b5b89270-e6ea-42ec-87bd-cfc138de6c84</a:RelatesTo></s:Header><s:Body><s:Fault><s:Code><soap:Value xmlns:soap="http://www.w3.org/2003/05/soap-envelope">soap:Sender</soap:Value><s:Subcode><s:Value xmlns:oas="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">oas:FailedAuthentication</s:Value></s:Subcode></s:Code><s:Reason><s:Text xml:lang="en">Failed Authentication: Invalid credentials.</s:Text></s:Reason></s:Fault></s:Body></s:Envelope>
cli.azure.cli.core.azclierror: Traceback (most recent call last):
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 663, in execute
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 726, in _run_jobs_serially
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 697, in _run_job
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 333, in __call__
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/profile/custom.py", line 139, in login
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/_profile.py", line 157, in login
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/identity.py", line 179, in login_with_username_password
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/application.py", line 1649, in acquire_token_by_username_password
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/application.py", line 1676, in _acquire_token_by_username_password_federated
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/wstrust_request.py", line 60, in send_request
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/wstrust_response.py", line 49, in parse_response
RuntimeError: WsTrust server returned error in RSTR: {'reason': 'Failed Authentication: Invalid credentials.', 'code': 'oas:FailedAuthentication'}
cli.azure.cli.core.azclierror: The command failed with an unexpected error. Here is the traceback:
az_command_data_logger: The command failed with an unexpected error. Here is the traceback:
cli.azure.cli.core.azclierror: WsTrust server returned error in RSTR: {'reason': 'Failed Authentication: Invalid credentials.', 'code': 'oas:FailedAuthentication'}
Traceback (most recent call last):
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 663, in execute
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 726, in _run_jobs_serially
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 697, in _run_job
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 333, in __call__
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/profile/custom.py", line 139, in login
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/_profile.py", line 157, in login
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/identity.py", line 179, in login_with_username_password
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/application.py", line 1649, in acquire_token_by_username_password
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/application.py", line 1676, in _acquire_token_by_username_password_federated
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/wstrust_request.py", line 60, in send_request
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/wstrust_response.py", line 49, in parse_response
RuntimeError: WsTrust server returned error in RSTR: {'reason': 'Failed Authentication: Invalid credentials.', 'code': 'oas:FailedAuthentication'}
az_command_data_logger: WsTrust server returned error in RSTR: {'reason': 'Failed Authentication: Invalid credentials.', 'code': 'oas:FailedAuthentication'}
Traceback (most recent call last):
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 663, in execute
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 726, in _run_jobs_serially
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 697, in _run_job
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 333, in __call__
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/profile/custom.py", line 139, in login
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/_profile.py", line 157, in login
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/identity.py", line 179, in login_with_username_password
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/application.py", line 1649, in acquire_token_by_username_password
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/application.py", line 1676, in _acquire_token_by_username_password_federated
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/wstrust_request.py", line 60, in send_request
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/wstrust_response.py", line 49, in parse_response
RuntimeError: WsTrust server returned error in RSTR: {'reason': 'Failed Authentication: Invalid credentials.', 'code': 'oas:FailedAuthentication'}
To check existing issues, please visit: https://github.com/Azure/azure-cli/issues
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x03B1AC08>]
az_command_data_logger: exit code: 1
cli.main: Command ran in 4.520 seconds (init: 1.278, invoke: 3.242)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 7057 in cache
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry\__init__.pyc C:\Users\tx937273\.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.
method 2:
cli.knack.cli: init debug log:
Enable color in terminal.
Enable VT mode.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x0145E7F8>, <function OutputProducer.on_global_arguments at 0x015878E8>, <function CLIQuery.on_global_arguments at 0x015A86B8>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'ad': ['azure.cli.command_modules.role']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: role 0.031 17 61
cli.azure.cli.core: Total (1) 0.031 17 61
cli.azure.cli.core: Loaded 17 groups, 61 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : ad group member list
cli.azure.cli.core: Command table: ad group member list
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x03A5AAC8>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\tx937273\.azure\commands\2023-11-28.20-04-31.ad_group_member_list.13560.log'.
az_command_data_logger: command args: ad group member list --group {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x03A69708>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x03A94DE8>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x03A94E88>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x01587938>, <function CLIQuery.handle_query_parameter at 0x015A8708>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x03A94E38>]
cli.azure.cli.core.util: Retrieving token for resource https://microsoftgraph.chinacloudapi.cn
cli.azure.cli.core.auth.persistence: build_persistence: location='C:\Users\tx937273\.azure\service_principal_entries.bin', encrypt=True
cli.azure.cli.core.auth.persistence: build_persistence: location='C:\Users\tx937273\.azure\msal_token_cache.bin', encrypt=True
cli.azure.cli.core.auth.binary_cache: load: C:\Users\tx937273\.azure\msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.chinacloudapi.cn/8e8b2939-7a7b-4edd-8140-2262ffcd2b7c/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.chinacloudapi.cn/8e8b2939-7a7b-4edd-8140-2262ffcd2b7c/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.partner.microsoftonline.cn/8e8b2939-7a7b-4edd-8140-2262ffcd2b7c/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://microsoftgraph.chinacloudapi.cn/oidc/userinfo', 'authorization_endpoint': 'https://login.chinacloudapi.cn/8e8b2939-7a7b-4edd-8140-2262ffcd2b7c/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.chinacloudapi.cn/8e8b2939-7a7b-4edd-8140-2262ffcd2b7c/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.chinacloudapi.cn/8e8b2939-7a7b-4edd-8140-2262ffcd2b7c/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.chinacloudapi.cn/8e8b2939-7a7b-4edd-8140-2262ffcd2b7c/kerberos', 'tenant_region_scope': 'AS', 'cloud_instance_name': 'partner.microsoftonline.cn', 'cloud_graph_host_name': 'graph.chinacloudapi.cn', 'msgraph_host': 'microsoftgraph.chinacloudapi.cn', 'rbac_url': 'https://pas.chinacloudapi.cn'}
msal.application: Broker enabled? False
msal.application: Region to be used: None
cli.azure.cli.core.auth.msal_authentication: ServicePrincipalCredential.get_token: scopes=('https://microsoftgraph.chinacloudapi.cn/.default',), kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: 2dd74ccc-1860-4705-b89c-dc041cffc46d
cli.azure.cli.core.util: Request URL: 'https://microsoftgraph.chinacloudapi.cn/v1.0/groups?$filter=displayName%20eq%20%27test_tx%27'
cli.azure.cli.core.util: Request method: 'GET'
cli.azure.cli.core.util: Request headers:
cli.azure.cli.core.util: 'User-Agent': 'python/3.11.5 (Windows-10-10.0.19045-SP0) AZURECLI/2.54.0 (MSI)'
cli.azure.cli.core.util: 'Accept-Encoding': 'gzip, deflate'
cli.azure.cli.core.util: 'Accept': '*/*'
cli.azure.cli.core.util: 'Connection': 'keep-alive'
cli.azure.cli.core.util: 'x-ms-client-request-id': 'f978f8b9-6e32-44f7-8ed2-9b175b825426'
cli.azure.cli.core.util: 'CommandName': 'ad group member list'
cli.azure.cli.core.util: 'ParameterSetName': '--group --debug'
cli.azure.cli.core.util: 'Authorization': 'Bearer eyJ0eXAiOiJKV...'
cli.azure.cli.core.util: Request body:
cli.azure.cli.core.util: None
urllib3.connectionpool: Starting new HTTPS connection (1): microsoftgraph.chinacloudapi.cn:443
urllib3.connectionpool: https://microsoftgraph.chinacloudapi.cn:443 "GET /v1.0/groups?$filter=displayName%20eq%20%27test_tx%27 HTTP/1.1" 403 None
cli.azure.cli.core.util: Response status: 403
cli.azure.cli.core.util: Response headers:
cli.azure.cli.core.util: 'Cache-Control': 'no-cache'
cli.azure.cli.core.util: 'Transfer-Encoding': 'chunked'
cli.azure.cli.core.util: 'Content-Type': 'application/json'
cli.azure.cli.core.util: 'Content-Encoding': 'gzip'
cli.azure.cli.core.util: 'Vary': 'Accept-Encoding'
cli.azure.cli.core.util: 'Strict-Transport-Security': 'max-age=31536000'
cli.azure.cli.core.util: 'request-id': '38e2ae7f-1982-4c49-9396-4ee994bfad2f'
cli.azure.cli.core.util: 'client-request-id': '38e2ae7f-1982-4c49-9396-4ee994bfad2f'
cli.azure.cli.core.util: 'x-ms-ags-diagnostic': '{"ServerInfo":{"DataCenter":"China East","Slice":"E","Ring":"6","ScaleUnit":"001","RoleInstance":"SH1NEPF0000074C"}}'
cli.azure.cli.core.util: 'Date': 'Tue, 28 Nov 2023 12:04:36 GMT'
cli.azure.cli.core.util: Response content:
cli.azure.cli.core.util: {"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError":{"date":"2023-11-28T12:04:37","request-id":"38e2ae7f-1982-4c49-9396-4ee994bfad2f","client-request-id":"38e2ae7f-1982-4c49-9396-4ee994bfad2f"}}}
cli.azure.cli.core.azclierror: Traceback (most recent call last):
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/_validators.py", line 25, in validate_group
File "uuid.py", line 178, in __init__
ValueError: badly formed hexadecimal UUID string
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 52, in _send
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/util.py", line 1004, in send_raw_request
azure.cli.core.azclierror.HTTPError: Forbidden({"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError":{"date":"2023-11-28T12:04:37","request-id":"38e2ae7f-1982-4c49-9396-4ee994bfad2f","client-request-id":"38e2ae7f-1982-4c49-9396-4ee994bfad2f"}}})
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/invocation.py", line 113, in _validation
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 859, in _validate_arg_level
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/_validators.py", line 27, in validate_group
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/_validators.py", line 16, in _get_group_count_and_id
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 244, in group_list
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 55, in _send
azure.cli.command_modules.role._msgrpah._graph_client.GraphError: Insufficient privileges to complete the operation.
cli.azure.cli.core.azclierror: Insufficient privileges to complete the operation.
az_command_data_logger: Insufficient privileges to complete the operation.
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x03A5AC08>]
az_command_data_logger: exit code: 2
cli.main: Command ran in 6.909 seconds (init: 1.309, invoke: 5.600)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 3458 in cache
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry\__init__.pyc C:\Users\tx937273\.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.
Expected behavior
At least one method should work, or there should be another method to work around this.
Environment Summary
azure-cli 2.54.0
core 2.54.0
telemetry 1.1.0
Dependencies:
msal 1.24.0b2
azure-mgmt-resource 23.1.0b2
Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\tx937273\.azure\cliextensions'
Python (Windows) 3.11.5 (tags/v3.11.5:cce6ba9, Aug 24 2023, 14:21:31) [MSC v.1936 32 bit (Intel)]
Legal docs and information: aka.ms/AzureCliLegal
Additional context
No response
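Added example, not part of the original report and not Azure CLI code: in the method 2 log the 403 comes back on the `groups?$filter=displayName...` lookup, and the request reuses a cached access token ("Cache hit an AT"). An app-only token carries its granted application permissions in the `roles` claim (delegated tokens use `scp`), so this sketch decodes a token and flags a missing role or a token issued before consent was granted. The finding codes, sample tokens and consent time are constructed for illustration.

```python
import base64
import json
from datetime import datetime, timezone
from typing import List, Optional

REQUIRED_ROLE = "GroupMember.Read.All"  # application permission named in the report


def decode_claims(token: str) -> dict:
    """Return the claims of a compact JWT. Inspection only: the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def diagnose(token: str, required_role: str = REQUIRED_ROLE,
             consent_granted_at: Optional[datetime] = None) -> List[str]:
    """Return hypothetical finding codes explaining why Graph may answer 403."""
    claims = decode_claims(token)
    findings = []
    if "scp" in claims:
        # scp marks a delegated (user) token; application permissions are not in play.
        findings.append("DELEGATED_TOKEN")
    roles = claims.get("roles") or []
    if not roles:
        # No application permission reached the token at all.
        findings.append("NO_ROLES")
    elif required_role not in roles:
        findings.append("ROLE_MISSING")
    iat = claims.get("iat")
    if iat is not None and consent_granted_at is not None:
        issued_at = datetime.fromtimestamp(iat, tz=timezone.utc)
        if issued_at < consent_granted_at:
            # A cached token keeps the claims it was issued with until it expires.
            findings.append("STALE_TOKEN")
    return findings


def sample_token(claims: dict) -> str:
    """Build an unsigned token from constructed claims (not a real credential)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.constructed"


def ts(hour: int, minute: int) -> int:
    """Epoch seconds on the day of the report's log, UTC (constructed times)."""
    return int(datetime(2023, 11, 28, hour, minute, tzinfo=timezone.utc).timestamp())


# Constructed scenario: consent granted at 11:45 UTC, one token cached before it.
CONSENT_AT = datetime(2023, 11, 28, 11, 45, tzinfo=timezone.utc)
CACHED_BEFORE_CONSENT = sample_token({"iat": ts(11, 30)})
ISSUED_AFTER_CONSENT = sample_token({"iat": ts(11, 50), "roles": [REQUIRED_ROLE]})
DELEGATED = sample_token({"iat": ts(11, 50), "scp": REQUIRED_ROLE})
OTHER_ROLE = sample_token({"iat": ts(11, 50), "roles": ["User.Read.All"]})

if __name__ == "__main__":
    for name, tok in [("cached before consent", CACHED_BEFORE_CONSENT),
                      ("issued after consent", ISSUED_AFTER_CONSENT),
                      ("delegated", DELEGATED),
                      ("other role only", OTHER_ROLE)]:
        print(f"{name}: {diagnose(tok, consent_granted_at=CONSENT_AT) or 'ok'}")
```

To inspect a real token, pass in the output of `az account get-access-token --resource-type ms-graph --query accessToken -o tsv`. Running `az account clear` and logging in again discards cached tokens.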
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 663, in execute
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 726, in _run_jobs_serially
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 697, in _run_job
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 333, in call
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/profile/custom.py", line 139, in login
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/_profile.py", line 157, in login
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/identity.py", line 179, in login_with_username_password
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/application.py", line 1649, in acquire_token_by_username_password
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/application.py", line 1676, in _acquire_token_by_username_password_federated
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/wstrust_request.py", line 60, in send_request
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/wstrust_response.py", line 49, in parse_response
RuntimeError: WsTrust server returned error in RSTR: {'reason': 'Failed Authentication: Invalid credentials.', 'code': 'oas:FailedAuthentication'}
az_command_data_logger: WsTrust server returned error in RSTR: {'reason': 'Failed Authentication: Invalid credentials.', 'code': 'oas:FailedAuthentication'}
Traceback (most recent call last):
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 663, in execute
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 726, in _run_jobs_serially
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 697, in _run_job
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 333, in call
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/profile/custom.py", line 139, in login
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/_profile.py", line 157, in login
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/identity.py", line 179, in login_with_username_password
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/application.py", line 1649, in acquire_token_by_username_password
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/application.py", line 1676, in acquire_token_by_username_password_federated
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/wstrust_request.py", line 60, in send_request
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/wstrust_response.py", line 49, in parse_response
RuntimeError: WsTrust server returned error in RSTR: {'reason': 'Failed Authentication: Invalid credentials.', 'code': 'oas:FailedAuthentication'}
To check existing issues, please visit: https://github.com/Azure/azure-cli/issues
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x03B1AC08>]
az_command_data_logger: exit code: 1
cli.main: Command ran in 4.520 seconds (init: 1.278, invoke: 3.242)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 7057 in cache
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry_init.pyc C:\Users\tx937273.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.
method 2:
cli.knack.cli: init debug log:
Enable color in terminal.
Enable VT mode.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x0145E7F8>, <function OutputProducer.on_global_arguments at 0x015878E8>, <function CLIQuery.on_global_arguments at 0x015A86B8>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'ad': ['azure.cli.command_modules.role']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: role 0.031 17 61
cli.azure.cli.core: Total (1) 0.031 17 61
cli.azure.cli.core: Loaded 17 groups, 61 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : ad group member list
cli.azure.cli.core: Command table: ad group member list
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x03A5AAC8>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\tx937273.azure\commands\2023-11-28.20-04-31.ad_group_member_list.13560.log'.
az_command_data_logger: command args: ad group member list --group {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0x03A69708>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x03A94DE8>, <function register_cache_arguments..add_cache_arguments at 0x03A94E88>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x01587938>, <function CLIQuery.handle_query_parameter at 0x015A8708>, <function register_ids_argument..parse_ids_arguments at 0x03A94E38>]
cli.azure.cli.core.util: Retrieving token for resource https://microsoftgraph.chinacloudapi.cn
cli.azure.cli.core.auth.persistence: build_persistence: location='C:\Users\tx937273\.azure\service_principal_entries.bin', encrypt=True
cli.azure.cli.core.auth.persistence: build_persistence: location='C:\Users\tx937273\.azure\msal_token_cache.bin', encrypt=True
cli.azure.cli.core.auth.binary_cache: load: C:\Users\tx937273.azure\msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.chinacloudapi.cn/8e8b2939-7a7b-4edd-8140-2262ffcd2b7c/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.chinacloudapi.cn/8e8b2939-7a7b-4edd-8140-2262ffcd2b7c/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.partner.microsoftonline.cn/8e8b2939-7a7b-4edd-8140-2262ffcd2b7c/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://microsoftgraph.chinacloudapi.cn/oidc/userinfo', 'authorization_endpoint': 'https://login.chinacloudapi.cn/8e8b2939-7a7b-4edd-8140-2262ffcd2b7c/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.chinacloudapi.cn/8e8b2939-7a7b-4edd-8140-2262ffcd2b7c/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.chinacloudapi.cn/8e8b2939-7a7b-4edd-8140-2262ffcd2b7c/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.chinacloudapi.cn/8e8b2939-7a7b-4edd-8140-2262ffcd2b7c/kerberos', 'tenant_region_scope': 'AS', 'cloud_instance_name': 'partner.microsoftonline.cn', 'cloud_graph_host_name': 'graph.chinacloudapi.cn', 'msgraph_host': 'microsoftgraph.chinacloudapi.cn', 'rbac_url': 'https://pas.chinacloudapi.cn'}
msal.application: Broker enabled? False
msal.application: Region to be used: None
cli.azure.cli.core.auth.msal_authentication: ServicePrincipalCredential.get_token: scopes=('https://microsoftgraph.chinacloudapi.cn/.default',), kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: 2dd74ccc-1860-4705-b89c-dc041cffc46d
cli.azure.cli.core.util: Request URL: 'https://microsoftgraph.chinacloudapi.cn/v1.0/groups?$filter=displayName%20eq%20%27test_tx%27'
cli.azure.cli.core.util: Request method: 'GET'
cli.azure.cli.core.util: Request headers:
cli.azure.cli.core.util: 'User-Agent': 'python/3.11.5 (Windows-10-10.0.19045-SP0) AZURECLI/2.54.0 (MSI)'
cli.azure.cli.core.util: 'Accept-Encoding': 'gzip, deflate'
cli.azure.cli.core.util: 'Accept': '/'
cli.azure.cli.core.util: 'Connection': 'keep-alive'
cli.azure.cli.core.util: 'x-ms-client-request-id': 'f978f8b9-6e32-44f7-8ed2-9b175b825426'
cli.azure.cli.core.util: 'CommandName': 'ad group member list'
cli.azure.cli.core.util: 'ParameterSetName': '--group --debug'
cli.azure.cli.core.util: 'Authorization': 'Bearer eyJ0eXAiOiJKV...'
cli.azure.cli.core.util: Request body:
cli.azure.cli.core.util: None
urllib3.connectionpool: Starting new HTTPS connection (1): microsoftgraph.chinacloudapi.cn:443
urllib3.connectionpool: https://microsoftgraph.chinacloudapi.cn:443 "GET /v1.0/groups?$filter=displayName%20eq%20%27test_tx%27 HTTP/1.1" 403 None
cli.azure.cli.core.util: Response status: 403
cli.azure.cli.core.util: Response headers:
cli.azure.cli.core.util: 'Cache-Control': 'no-cache'
cli.azure.cli.core.util: 'Transfer-Encoding': 'chunked'
cli.azure.cli.core.util: 'Content-Type': 'application/json'
cli.azure.cli.core.util: 'Content-Encoding': 'gzip'
cli.azure.cli.core.util: 'Vary': 'Accept-Encoding'
cli.azure.cli.core.util: 'Strict-Transport-Security': 'max-age=31536000'
cli.azure.cli.core.util: 'request-id': '38e2ae7f-1982-4c49-9396-4ee994bfad2f'
cli.azure.cli.core.util: 'client-request-id': '38e2ae7f-1982-4c49-9396-4ee994bfad2f'
cli.azure.cli.core.util: 'x-ms-ags-diagnostic': '{"ServerInfo":{"DataCenter":"China East","Slice":"E","Ring":"6","ScaleUnit":"001","RoleInstance":"SH1NEPF0000074C"}}'
cli.azure.cli.core.util: 'Date': 'Tue, 28 Nov 2023 12:04:36 GMT'
cli.azure.cli.core.util: Response content:
cli.azure.cli.core.util: {"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError":{"date":"2023-11-28T12:04:37","request-id":"38e2ae7f-1982-4c49-9396-4ee994bfad2f","client-request-id":"38e2ae7f-1982-4c49-9396-4ee994bfad2f"}}}
cli.azure.cli.core.azclierror: Traceback (most recent call last):
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/_validators.py", line 25, in validate_group
File "uuid.py", line 178, in init
ValueError: badly formed hexadecimal UUID string
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 52, in _send
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/util.py", line 1004, in send_raw_request
azure.cli.core.azclierror.HTTPError: Forbidden({"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError":{"date":"2023-11-28T12:04:37","request-id":"38e2ae7f-1982-4c49-9396-4ee994bfad2f","client-request-id":"38e2ae7f-1982-4c49-9396-4ee994bfad2f"}}})
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/invocation.py", line 113, in _validation
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 859, in _validate_arg_level
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/_validators.py", line 27, in validate_group
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/_validators.py", line 16, in _get_group_count_and_id
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 244, in group_list
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 55, in _send
azure.cli.command_modules.role._msgrpah._graph_client.GraphError: Insufficient privileges to complete the operation.
cli.azure.cli.core.azclierror: Insufficient privileges to complete the operation.
az_command_data_logger: Insufficient privileges to complete the operation.
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x03A5AC08>]
az_command_data_logger: exit code: 2
cli.main: Command ran in 6.909 seconds (init: 1.309, invoke: 5.600)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 3458 in cache
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry_init_.pyc C:\Users\tx937273.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.
Expected behavior
At least one method should work, or there should be another method as a workaround.
Environment Summary
azure-cli 2.54.0
core 2.54.0
telemetry 1.1.0
Dependencies:
msal 1.24.0b2
azure-mgmt-resource 23.1.0b2
Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\tx937273.azure\cliextensions'
Python (Windows) 3.11.5 (tags/v3.11.5:cce6ba9, Aug 24 2023, 14:21:31) [MSC v.1936 32 bit (Intel)]
Legal docs and information: aka.ms/AzureCliLegal
Additional context
No response
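An added example, not part of the original report and not Azure CLI code: a small triage parser for `az --debug` output like the above. It extracts the WS-Trust SOAP fault (a rejection by the federated identity provider, before any token is issued) and the Microsoft Graph error body (an authenticated request denied at authorization); the sample lines and function names are constructed for illustration.

```python
import json
import re
import xml.etree.ElementTree as ET

S = "{http://www.w3.org/2003/05/soap-envelope}"
# Constructed sample lines, modelled on the debug output in this report.
SAMPLE_LOG = [
    'msal.wstrust_request: Unsuccessful WsTrust request receives: <s:Envelope '
    'xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Body><s:Fault><s:Code><s:Subcode>'
    '<s:Value>oas:FailedAuthentication</s:Value></s:Subcode></s:Code><s:Reason><s:Text>'
    'Failed Authentication: Invalid credentials.</s:Text></s:Reason></s:Fault></s:Body></s:Envelope>',
    'cli.azure.cli.core.util: Response status: 403',
    'cli.azure.cli.core.util: {"error":{"code":"Authorization_RequestDenied","message":'
    '"Insufficient privileges to complete the operation.","innerError":'
    '{"request-id":"00000000-0000-0000-0000-000000000000"}}}',
]

def parse_wstrust_fault(line):
    """Return code/reason from a SOAP 1.2 fault embedded in a log line, else None."""
    m = re.search(r"<(?:[\w.-]+:)?Envelope\b", line)
    if not m or "<!DOCTYPE" in line or "<!ENTITY" in line:
        return None  # no envelope, or it carries a DTD we refuse to parse
    try:
        fault = ET.fromstring(line[m.start():]).find(f"{S}Body/{S}Fault")
    except ET.ParseError:
        return None
    if fault is None:
        return None
    return {"code": fault.findtext(f"{S}Code/{S}Subcode/{S}Value"),
            "reason": fault.findtext(f"{S}Reason/{S}Text")}

def parse_graph_error(line):
    """Return code/message/request_id from a Graph error body, else None."""
    start = line.find('{"error"')
    if start < 0:
        return None
    try:
        # raw_decode tolerates trailing text such as the ")" in 'Forbidden({...})'.
        err = json.JSONDecoder().raw_decode(line, start)[0]["error"]
        inner = err.get("innerError") or {}
    except (ValueError, TypeError, AttributeError):
        return None
    return {"code": err.get("code"), "message": err.get("message"),
            "request_id": inner.get("request-id")}

def triage(lines):
    """Collect distinct failures, labelled by the stage that rejected the request."""
    findings, status = [], None
    for line in lines:
        m = re.search(r"Response status: (\d{3})", line)
        if m:
            status = int(m.group(1))  # remembered for the error body that follows
        fault, err = parse_wstrust_fault(line), parse_graph_error(line)
        item = ({"stage": "federated-idp-authentication", **fault} if fault else
                {"stage": "graph", "http_status": status, **err} if err else None)
        if item and item not in findings:
            findings.append(item)
    return findings
```

Because the CLI logs the same error several times, `triage` deduplicates, so a full debug log yields one finding per distinct failure.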