az login failing with "User cancelled the Accounts Control Operation" after double upgrading to 2.61.0

[darkoa-msft]

Describe the bug

I type az login (or az login --tenant my_tenant), account selector pops up in the native browser window but in the terminal window I see the error from the title. Selecting an account does nothing, only closing the popup works but the terminal window appears frozen. When I redirected the output, the "script" completed.

This started happening after I upgraded from 2.59.0 to 2.61.0. I ran the second az upgrade because of extensions but I noted that accounts package upgraded at that time (not originally), did not think much of it.

Related command

az login

Errors

User cancelled the Accounts Control Operation.. Status: Response_Status.Status_UserCanceled, Error code: 0, Tag: 528315210

nit: both canceled and cancelled are correct, but please pick one and stick with it

Issue script & Debug output

az : DEBUG: cli.knack.cli: Command arguments: ['login', '--debug']
At line:1 char:1

• az login --debug > login.out 2> login.err

•   + CategoryInfo          : NotSpecified: (DEBUG: cli.knac...in', '--debug']:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
  
  

DEBUG: cli.knack.cli: init debug log:
Cannot enable color.
DEBUG: cli.knack.cli: Event: Cli.PreExecute []
DEBUG: cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at
0x000001AF1FD7F880>, <function OutputProducer.on_global_arguments at 0x000001AF1FF060C0>, <function
CLIQuery.on_global_arguments at 0x000001AF1FF33C40>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
DEBUG: cli.azure.cli.core: Modules found from index for 'login': ['azure.cli.command_modules.profile']
DEBUG: cli.azure.cli.core: Loading command modules:
DEBUG: cli.azure.cli.core: Name Load Time Groups Commands
DEBUG: cli.azure.cli.core: profile 0.009 2 8
DEBUG: cli.azure.cli.core: Total (1) 0.009 2 8
DEBUG: cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
DEBUG: cli.azure.cli.core: Loading extensions:
DEBUG: cli.azure.cli.core: Name Load Time Groups Commands Directory
DEBUG: cli.azure.cli.core: Total (0) 0.000 0 0
DEBUG: cli.azure.cli.core: Loaded 2 groups, 8 commands.
DEBUG: cli.azure.cli.core: Found a match in the command table.
DEBUG: cli.azure.cli.core: Raw command : login
DEBUG: cli.azure.cli.core: Command table: login
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function
AzCliLogging.init_command_file_logging at 0x000001AF22E5A340>]
DEBUG: cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to
'C:\Users\darkoa.azure\commands\2024-06-12.10-31-30.login.13048.log'.
INFO: az_command_data_logger: command args: login --debug
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function
register_global_subscription_argument..add_subscription_parameter at 0x000001AF22E967A0>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function
register_ids_argument..add_ids_arguments at 0x000001AF22EC47C0>, <function
register_cache_arguments..add_cache_arguments at 0x000001AF22EC4900>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at
0x000001AF1FF06160>, <function CLIQuery.handle_query_parameter at 0x000001AF1FF33CE0>, <function
register_ids_argument..parse_ids_arguments at 0x000001AF22EC4860>]
DEBUG: cli.azure.cli.core.auth.persistence: build_persistence:
location='C:\Users\darkoa\.azure\msal_token_cache.bin', encrypt=True
DEBUG: cli.azure.cli.core.auth.binary_cache: load: C:\Users\darkoa.azure\msal_http_cache.bin
DEBUG: urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None,
status=None)
INFO: msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/organizations
DEBUG: msal.authority:
openid_config("https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration") =
{'token_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/token',
'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri':
'https://login.microsoftonline.com/organizations/discovery/v2.0/keys', 'response_modes_supported': ['query',
'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'],
'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid',
'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/{tenantid}/v2.0',
'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo',
'authorization_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize',
'device_authorization_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/devicecode',
'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint':
'https://login.microsoftonline.com/organizations/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss',
'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat',
'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'],
'kerberos_endpoint': 'https://login.microsoftonline.com/organizations/kerberos', 'tenant_region_scope': None,
'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host':
'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
DEBUG: msal.application: Broker enabled? True
DEBUG: msal.application: Falls back to broker._signin_interactively()
WARNING: cli.azure.cli.core.auth.identity: Please select the account you want to log in with.
DEBUG: msal.broker: [MSAL:0001] WARNING SetAuthorityString:98 Initializing authority from string
'https://login.microsoftonline.com/organizations' without authority type, defaulting to MsSts
DEBUG: msal.broker: [MSAL:0002] INFO SetCorrelationId:273 Set correlation ID: b5ea8778-b3cc-4d0c-85ae-b5354e38b0c8
DEBUG: msal.broker: [MSAL:0002] INFO ExecuteInteractiveRequest:1103 The original authority is
'https://login.microsoftonline.com/organizations'
DEBUG: msal.broker: [MSAL:0002] WARNING TryNormalizeRealm:2295 No HomeAccountId provided to normalize the realm
DEBUG: msal.broker: [MSAL:0002] INFO ExecuteInteractiveRequest:1114 The normalized realm is ''
DEBUG: msal.broker: [MSAL:0002] INFO ModifyAndValidateAuthParameters:191 Additional query parameter added
successfully. Key: '(pii)' Value: '(pii)'
DEBUG: msal.broker: [MSAL:0002] INFO ModifyAndValidateAuthParameters:191 Additional query parameter added
successfully. Key: '(pii)' Value: '(pii)'
DEBUG: msal.broker: [MSAL:0002] INFO ModifyAndValidateAuthParameters:215 Authority Realm: organizations
DEBUG: msal.broker: [MSAL:0003] WARNING ReturnResponseDueToMissingParameter:643 Attempted to read cache with a
non-normalized realm, access token and ID token reads will fail
DEBUG: msal.broker: [MSAL:0003] WARNING ReadAccountById:227 Account id is empty - account not found
DEBUG: msal.broker: [MSAL:0004] INFO ErrorInternalImpl:116 Created an error: 55xnk, StatusInternal::UserCanceled,
InternalEvent::None, Context 'User cancelled the Accounts Control Operation.'
DEBUG: msal.broker: [MSAL:0004] INFO LogTelemetryData:383 Printing Telemetry for Correlation ID:
b5ea8778-b3cc-4d0c-85ae-b5354e38b0c8
DEBUG: msal.broker: [MSAL:0004] INFO LogTelemetryData:391 Key: start_time, Value: 2024-06-12T17:31:31.000Z
DEBUG: msal.broker: [MSAL:0004] INFO LogTelemetryData:391 Key: api_name, Value: SignInInteractively
DEBUG: msal.broker: [MSAL:0004] INFO LogTelemetryData:391 Key: was_request_throttled, Value: false
DEBUG: msal.broker: [MSAL:0004] INFO LogTelemetryData:391 Key: authority_type, Value: Unknown
DEBUG: msal.broker: [MSAL:0004] INFO LogTelemetryData:391 Key: msal_version, Value: 1.1.0+local
DEBUG: msal.broker: [MSAL:0004] INFO LogTelemetryData:391 Key: api_status_code, Value: StatusInternal::UserCanceled
DEBUG: msal.broker: [MSAL:0004] INFO LogTelemetryData:391 Key: client_id, Value:
04b07795-8ddb-461a-bbee-02f9e1bf7b46
DEBUG: msal.broker: [MSAL:0004] INFO LogTelemetryData:391 Key: correlation_id, Value:
b5ea8778-b3cc-4d0c-85ae-b5354e38b0c8
DEBUG: msal.broker: [MSAL:0004] INFO LogTelemetryData:391 Key: broker_app_used, Value: true
DEBUG: msal.broker: [MSAL:0004] INFO LogTelemetryData:391 Key: stop_time, Value: 2024-06-12T17:31:31.000Z
DEBUG: msal.broker: [MSAL:0004] INFO LogTelemetryData:391 Key: all_error_tags, Value: 55xnk
DEBUG: msal.broker: [MSAL:0004] INFO LogTelemetryData:391 Key: msalruntime_version, Value: 0.14.2-alpha1
DEBUG: msal.broker: [MSAL:0004] INFO LogTelemetryData:391 Key: original_authority, Value:
https://login.microsoftonline.com/organizations
DEBUG: msal.broker: [MSAL:0004] INFO LogTelemetryData:391 Key: additional_query_parameters_count, Value: 2
DEBUG: msal.broker: [MSAL:0004] INFO LogTelemetryData:391 Key: read_token_last_error, Value: missing required
parameter
DEBUG: msal.broker: [MSAL:0004] INFO LogTelemetryData:391 Key: request_eligible_for_broker, Value: true
DEBUG: msal.broker: [MSAL:0004] INFO LogTelemetryData:391 Key: auth_flow, Value: Broker
DEBUG: msal.broker: [MSAL:0004] INFO LogTelemetryData:391 Key: ui_event_count, Value: 1
DEBUG: msal.broker: [MSAL:0004] INFO LogTelemetryData:391 Key: authorization_type, Value: Interactive
DEBUG: msal.broker: [MSAL:0004] INFO LogTelemetryData:391 Key: api_error_code, Value: 0
DEBUG: msal.broker: [MSAL:0004] INFO LogTelemetryData:391 Key: api_error_tag, Value: 55xnk
DEBUG: msal.broker: [MSAL:0004] INFO LogTelemetryData:391 Key: api_error_context, Value: User cancelled the
Accounts Control Operation.
DEBUG: msal.broker: [MSAL:0004] INFO LogTelemetryData:391 Key: is_successful, Value: false
DEBUG: msal.broker: [MSAL:0004] INFO LogTelemetryData:391 Key: request_duration, Value: 55
DEBUG: msal.broker: [MSAL:0004] INFO LogTelemetryData:396 Printing Execution Flow:
DEBUG: msal.broker: [MSAL:0004] INFO LogTelemetryData:404 {"t":"646u1","tid":2,"ts":0,"l":2},{"t":"4s7ub","tid":2,"t
s":1,"l":2},{"t":"4sufd","tid":2,"ts":1,"s":2,"l":2},{"t":"4swgg","tid":2,"ts":1,"s":1,"l":2},{"t":"4swgf","tid":2,"ts"
:1,"s":1,"l":2},{"t":"4swgi","tid":3,"ts":1,"s":1,"l":2},{"t":"8dqim","tid":3,"ts":1,"l":2},{"t":"8dqkl","tid":3,"ts":1
,"l":2,"a":9,"ie":0},{"t":"54uxd","tid":2,"ts":2,"l":2},{"t":"8dqkn","tid":4,"ts":52,"l":2,"a":5,"ie":1},{"t":"8dqko","
tid":4,"ts":52,"l":2,"a":9,"ie":1},{"t":"646u1","tid":4,"ts":52,"l":2}
DEBUG: cli.azure.cli.core.azclierror: Traceback (most recent call last):
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py",
line 664, in execute
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py",
line 731, in _run_jobs_serially
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py",
line 701, in _run_job
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py",
line 334, in call
File
"D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py",
line 121, in handler
File
"D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/profile/custom.py",
line 158, in login
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/_profile.py", line 172, in
login
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/identity.py", line
166, in login_with_auth_code
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/util.py", line 139,
in check_result
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/util.py", line 43, in
aad_error_handler
azure.cli.core.azclierror.AuthenticationError: User cancelled the Accounts Control Operation.. Status:
Response_Status.Status_UserCanceled, Error code: 0, Tag: 528315210

ERROR: cli.azure.cli.core.azclierror: User cancelled the Accounts Control Operation.. Status:
Response_Status.Status_UserCanceled, Error code: 0, Tag: 528315210
ERROR: az_command_data_logger: User cancelled the Accounts Control Operation.. Status:
Response_Status.Status_UserCanceled, Error code: 0, Tag: 528315210
Please explicitly log in with:
az login
DEBUG: cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at
0x000001AF22E5A5C0>]
INFO: az_command_data_logger: exit code: 1
INFO: cli.main: Command ran in 1.304 seconds (init: 0.630, invoke: 0.673)
INFO: telemetry.main: Begin splitting cli events and extra events, total events: 1
INFO: telemetry.client: Accumulated 0 events. Flush the clients.
INFO: telemetry.main: Finish splitting cli events and extra events, cli events: 1
INFO: telemetry.save: Save telemetry record of length 4868 in cache
INFO: telemetry.main: Begin creating telemetry upload process.
INFO: telemetry.process: Creating upload process: "C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe C:\Program
Files\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry_init_.pyc C:\Users\darkoa.azure"
INFO: telemetry.process: Return from creating process
INFO: telemetry.main: Finish creating telemetry upload process.

Expected behavior

I expect to be able to login by selecting the account, but the login already failed before I had a chance to select it.

Environment Summary

{
"azure-cli": "2.61.0",
"azure-cli-core": "2.61.0",
"azure-cli-telemetry": "1.1.0",
"extensions": {
"azure-device": "0.0.2",
"azure-devops": "1.0.1",
"azure-iot": "255.255.2.1",
"eventgrid": "1.0.0b1"
}
}

Additional context

[yonzhan]

Thank you for opening this issue, we will look into it.

[RyanS-J]

I also have this issue with:

azure-cli                         2.61.0

core                              2.61.0
telemetry                          1.1.0

Dependencies:
msal                              1.28.0
azure-mgmt-resource               23.1.1

I have just reverted to 2.55.0 and this now works.

[yizhoumo]

Having the same issue with 2.61.0 in elevated terminal (Administrator). It works in non-elevated terminal.

[darkoa-msft]

@yonzhan Any updates here? And why is this not a bug? I am not asking a question, looks like a regression to me.

[jiasli]

Duplicate of #28997

[jstapleton27]

Just experienced the same issue, this morning.