
I'm having some issues authenticating using DefaultAzureCredential.

If I run this code:

using Azure.Core;       // TokenRequestContext
using Azure.Identity;   // VisualStudioCredential

var credentials = new VisualStudioCredential();
var context = new TokenRequestContext(scopes: new string[] { _storageAccountUrl + "/.default" });
var token = await credentials.GetTokenAsync(context, new System.Threading.CancellationToken());

I get the following error:

TS003: Error, TS004: Unable to get access token. 'AADSTS50020: User account '{EmailHidden}' from identity provider 'live.com' does not exist in tenant 'Microsoft Services' and cannot access the application '04f0c124-f2bc-4f59-8241-bf6df9866bbd'(VS with native MSA) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

However, if I change the credentials to

var credentials = new AzurePowerShellCredential();

It works!!

I'm logged in as the same user in Visual Studio as I am in PowerShell.

Does anyone know why this might be happening?

-UPDATE-

Thanks to @Juunas, using the following code works. But why is this necessary (but it isn't necessary with PowerShell)?

using Azure.Identity;

var options = new VisualStudioCredentialOptions() { TenantId = "TENANT-ID-HERE" };
var credentials = new VisualStudioCredential(options);
    Have you tried defining the tenant id to the credential? – juunas Dec 24 '22 at 09:04
  • @juunas That works! Thanks! But why? It's my default tenant--why does it need to be specified? Is there a way to specify it elsewhere, rather than in code? – Donny Kwitty Dec 24 '22 at 15:52


You need to specify the tenant in this case since you are using a personal MS account. I'm not 100% sure why PowerShell works, but essentially a personal account doesn't have a home tenant like "normal" Azure AD accounts. This would also apply if your Azure AD account was a guest in the tenant that you are trying to access.

  • Strange that I can publish to Azure through Visual Studio without providing this additional information – Donny Kwitty Dec 25 '22 at 06:52
  • In that situation Visual Studio gets a list of all your Azure AD tenants, selects one of them and lists the subscriptions there. You can then change the tenant as well if the default wasn't right. So VS also has a selected tenant in that situation. – juunas Dec 25 '22 at 12:45
  • According to https://learn.microsoft.com/en-us/dotnet/api/azure.identity.visualstudiocredentialoptions?view=azure-dotnet TenantId -- The tenant ID the credential will be authenticated to by default. If not specified, the credential will authenticate to any requested tenant, and will default to the tenant the user originally authenticated to via the Visual Studio Azure Service Account dialog. I don't think there is an option to pick a tenant id when logging in. Is there? Is there a config somewhere where it can be set? Also--this isn't an issue when using AzureServiceTokenProvider – Donny Kwitty Dec 25 '22 at 14:31
  • Hmm.. the tenant selection option should be available when publishing to Azure from Visual Studio. – juunas Dec 25 '22 at 22:10
  • It is a good idea to specify the tenant ID always for the credentials in my opinion (except for ManagedIdentityCredential) – juunas Dec 25 '22 at 22:10
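An added example, not code from the asker or from the Azure SDK, showing how to pin DefaultAzureCredential (which the question originally set out to use) to one tenant read from the AZURE_TENANT_ID environment variable instead of a string in code. The helper class name and the storage account URL are placeholders, and it assumes the Azure.Identity NuGet package is referenced.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

// Hypothetical helper: pin every developer-tool credential in the
// DefaultAzureCredential chain to a single tenant taken from configuration.
public static class PinnedTenantCredential
{
    public static DefaultAzureCredential Create()
    {
        // Fail fast when the tenant is not configured. Leaving a credential
        // free to pick a tenant on its own is what produced the AADSTS50020
        // error in the question (a personal MSA has no home tenant to fall
        // back to), and it can also hand back a token for the wrong tenant.
        string tenantId = Environment.GetEnvironmentVariable("AZURE_TENANT_ID")
            ?? throw new InvalidOperationException("AZURE_TENANT_ID is not set");

        var options = new DefaultAzureCredentialOptions
        {
            // Each tool-based credential in the chain has its own tenant setting.
            VisualStudioTenantId = tenantId,
            VisualStudioCodeTenantId = tenantId,
            SharedTokenCacheTenantId = tenantId,
            InteractiveBrowserTenantId = tenantId,
        };
        return new DefaultAzureCredential(options);
    }

    // Same scope shape as the question: "<storage account url>/.default".
    public static async Task<AccessToken> GetStorageTokenAsync(
        TokenCredential credential, string storageAccountUrl, CancellationToken ct = default)
    {
        var context = new TokenRequestContext(new[] { storageAccountUrl + "/.default" });
        return await credential.GetTokenAsync(context, ct);
    }

    public static async Task Main()
    {
        // Placeholder account URL; replace with the real storage account.
        const string storageAccountUrl = "https://EXAMPLE-ACCOUNT.blob.core.windows.net";
        var credential = Create();
        AccessToken token = await GetStorageTokenAsync(credential, storageAccountUrl);
        Console.WriteLine($"Token acquired for pinned tenant, expires {token.ExpiresOn:u}");
    }
}
```

Setting the tenant through the environment keeps the pinning out of source control while still answering the question's "why does it need to be specified" with a deliberate choice rather than whatever tenant the tool happened to sign in to.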