az login error in interactive mode #30810

Open
oceanshade opened this issue Feb 12, 2025 · 3 comments
Labels
Account az login/account Auto-Assign Auto assign by bot Auto-Resolve Auto resolve by bot Azure CLI Team The command of the issue is owned by Azure CLI team customer-reported Issues that are reported by GitHub users external to the Azure organization. Possible-Solution question The issue doesn't require a change to the product in order to be resolved. Most issues start as that Similar-Issue

@oceanshade

Describe the bug

When I run this command:
az login --tenant vgc.partner.onmschina.cn
A web browser has been opened at https://login.partner.microsoftonline.cn/a12a82ff-eb68-4d6d-b3c7-c4fb2d2220e5/oauth2/v2.0/authorize. Please continue the login in the web browser. If no web browser is available or if the web browser fails to open, use device code flow with az login --use-device-code.
Then the interactive pop-up window of Microsoft Edge showed up and I entered my Azure account for this tenant to log in. It looked like authentication was verified successfully, but finally it told me that authentication failed with the following message:
AADSTS500011: The resource principal named https://management.core.windows.net/ was not found in the tenant named VGC. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant. Trace ID: f19a3214-aaac-4396-bd0b-f19506925a01 Correlation ID: 596ef644-de7c-4adf-b839-0c25b846cd7b Timestamp: 2025-02-12 09:53:39Z

Related command

az login --tenant vgc.partner.onmschina.cn

Errors

Authentication failed
invalid_resource: AADSTS500011: The resource principal named https://management.core.windows.net/ was not found in the tenant named VGC. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant. Trace ID: 33290a63-148d-49bb-9b1b-71dd408e2901 Correlation ID: 229a5269-8e56-49e5-aba9-d47a8a7e92f5 Timestamp: 2025-02-12 09:50:16Z. (https://login.partner.microsoftonline.cn/error?code=500011)

Issue script & Debug output

az login --tenant vgc.partner.onmschina.cn
A web browser has been opened at https://login.partner.microsoftonline.cn/a12a82ff-eb68-4d6d-b3c7-c4fb2d2220e5/oauth2/v2.0/authorize. Please continue the login in the web browser. If no web browser is available or if the web browser fails to open, use device code flow with az login --use-device-code.
AADSTS500011: The resource principal named https://management.core.windows.net/ was not found in the tenant named VGC. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant. Trace ID: 33290a63-148d-49bb-9b1b-71dd408e2901 Correlation ID: 229a5269-8e56-49e5-aba9-d47a8a7e92f5 Timestamp: 2025-02-12 09:50:16Z

Authentication failed
invalid_resource: AADSTS500011: The resource principal named https://management.core.windows.net/ was not found in the tenant named VGC. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant. Trace ID: 33290a63-148d-49bb-9b1b-71dd408e2901 Correlation ID: 229a5269-8e56-49e5-aba9-d47a8a7e92f5 Timestamp: 2025-02-12 09:50:16Z. (https://login.partner.microsoftonline.cn/error?code=500011)

Expected behavior

It can log in successfully to use Azure CLI.

Environment Summary

azure-cli 2.44.1 *

core 2.44.1 *
telemetry 1.0.8 *

Dependencies:
msal 1.20.0
azure-mgmt-resource 21.1.0b1

Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\gw029di.azure\cliextensions'

Python (Windows) 3.10.8 (tags/v3.10.8:aaaf517, Oct 11 2022, 16:37:59) [MSC v.1933 32 bit (Intel)]

Legal docs and information: aka.ms/AzureCliLegal

Additional context

No response

@oceanshade oceanshade added the bug This issue requires a change to an existing behavior in the product in order to be resolved. label Feb 12, 2025

Hi @oceanshade,

2.44.1 is not the latest Azure CLI (2.69.0).

If you haven't already attempted to do so, please upgrade to the latest Azure CLI version by following https://learn.microsoft.com/en-us/cli/azure/update-azure-cli.

@azure-client-tools-bot-prd azure-client-tools-bot-prd bot added the Auto-Resolve Auto resolve by bot label Feb 12, 2025
@yonzhan
Collaborator

yonzhan commented Feb 12, 2025

Thank you for opening this issue, we will look into it.

@microsoft-github-policy-service microsoft-github-policy-service bot added customer-reported Issues that are reported by GitHub users external to the Azure organization. Auto-Assign Auto assign by bot Account az login/account labels Feb 12, 2025
@microsoft-github-policy-service microsoft-github-policy-service bot added Azure CLI Team The command of the issue is owned by Azure CLI team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Feb 12, 2025

Here are some similar issues that might help you. Please check if they can solve your problem.


Possible solution (Extracted from existing issue, might be incorrect; please verify carefully)

Solution 1:

The error AADSTS500011 is from AAD service, not Azure CLI. Are you using the AzureCloud public cloud? In sovereign clouds or Azure Stack, the resource URI of ARM is different. For example, in AzureChinaCloud, it's https://management.chinacloudapi.cn. Please make sure you are using the correct ARM URI and try again. If you still can't solve it, please contact Azure Support or your cloud administrator.

Reference:

Solution 2:

Ok, I was able to get this working. There are two typos in the credential_scopes examples given for AzureChinaCloud in the page linked in Reproduce steps (https://docs.microsoft.com/en-us/azure/developer/python/azure-sdk-sovereign-domain). The scope needs a / after the host url and should not have a ' at the end.

This works:
credential_scopes=[AZURE_CHINA_CLOUD.endpoints.resource_manager + "/.default"]

This does not:
credential_scopes=[AZURE_CHINA_CLOUD.endpoints.resource_manager + ".default'"]

The argument needs to be used for any auth *Client (ResourceManagementClient, ComputeManagementClient, NetworkManagementClient, StorageManagementClient, etc).

Reference:

@yonzhan yonzhan removed the bug This issue requires a change to an existing behavior in the product in order to be resolved. label Feb 12, 2025
@yonzhan yonzhan added this to the Backlog milestone Feb 12, 2025
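The cloud mismatch that Solution 1 describes can be checked mechanically from the two strings in the report: the authority URL and the AADSTS500011 text. The following is an added example, not code from Azure CLI or from anyone in this thread; the `CLOUDS` table, function names and shortened sample strings are constructed for illustration from well-known public endpoints.

```python
import re
from urllib.parse import urlsplit

# Illustrative table: login hosts, ARM endpoint and ARM token audiences per cloud.
CLOUDS = {
    "AzureCloud": {
        "login_hosts": {"login.microsoftonline.com"},
        "resource_manager": "https://management.azure.com",
        "audiences": {"management.core.windows.net", "management.azure.com"},
    },
    "AzureChinaCloud": {
        "login_hosts": {"login.chinacloudapi.cn", "login.partner.microsoftonline.cn"},
        "resource_manager": "https://management.chinacloudapi.cn",
        "audiences": {"management.core.chinacloudapi.cn", "management.chinacloudapi.cn"},
    },
}

RESOURCE_RE = re.compile(
    r"AADSTS500011: The resource principal named (\S+) was not found")

def cloud_for_host(host, key):
    """Return the cloud whose `key` set contains host, or None if unknown."""
    for name, info in CLOUDS.items():
        if host in info[key]:
            return name
    return None

def arm_scope(cloud_name):
    """Scope for SDK clients: exactly one '/' before '.default' (see Solution 2)."""
    return CLOUDS[cloud_name]["resource_manager"].rstrip("/") + "/.default"

def diagnose(authority_url, error_text):
    """Compare the cloud of the login host with the cloud of the requested resource."""
    match = RESOURCE_RE.search(error_text)
    if match is None:
        return None  # not an AADSTS500011 message
    login_cloud = cloud_for_host(urlsplit(authority_url).hostname, "login_hosts")
    resource_cloud = cloud_for_host(urlsplit(match.group(1)).hostname, "audiences")
    return {
        "login_cloud": login_cloud,
        "resource_cloud": resource_cloud,
        "mismatch": login_cloud != resource_cloud,
        "scope": arm_scope(login_cloud) if login_cloud else None,
    }

# Constructed sample, shortened from the messages quoted in the issue above.
SAMPLE_AUTHORITY = "https://login.partner.microsoftonline.cn/a12a82ff-eb68-4d6d-b3c7-c4fb2d2220e5/oauth2/v2.0/authorize"
SAMPLE_ERROR = ("invalid_resource: AADSTS500011: The resource principal named "
                "https://management.core.windows.net/ was not found in the tenant named VGC.")

if __name__ == "__main__":
    print(diagnose(SAMPLE_AUTHORITY, SAMPLE_ERROR))
```

A `mismatch` result of `True` with a China login host points at the CLI's active cloud: `az cloud show` displays it and `az cloud set --name AzureChinaCloud` switches it before running `az login` again.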