[ADFS] [Edge] [AzureStack] Connect-AzAccount : InteractiveBrowserCredential authentication failed: Value cannot be null. Could not find tenant id for provided tenant domain '98b8267d-e97f-426e-8b3f-7956511fd63f'

[keystroke]

Description

When setting-up Az to connect to a local environment like Azure Stack Hub, I am not able to sign-in interactively.

I have tried every variation of cloud parameters and configuration, disabling WAM and disabling the v2 login experience / flow, and it still fails.

Connect-AzAccount : InteractiveBrowserCredential authentication failed: Value cannot be null.
Parameter name: tenantId
Could not find tenant id for provided tenant domain '98b8267d-e97f-426e-8b3f-7956511fd63f'. Please ensure that the provided user is found
in the provided tenant domain.

Issue script & Debug output

PS C:\> $DebugPreference='Continue'

PS C:\> Connect-AzAccount -Environment 'Foo' -Tenant '98b8267d-e97f-426e-8b3f-7956511fd63f' -Verbose
DEBUG: 1:55:16 AM - [ConfigManager] Got nothing from [DisplaySecretsWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 1:55:16 AM - ConnectAzureRmAccountCommand begin processing with ParameterSet 'UserWithSubscriptionId'.
DEBUG: 1:55:16 AM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True]
.
DEBUG: 1:55:16 AM - Autosave setting from startup session: 'CurrentUser'
DEBUG: 1:55:16 AM - No autosave setting detected in environment variable 'AzContextAutoSave'. 
DEBUG: 1:55:16 AM - Using Autosave scope 'CurrentUser'
DEBUG: 1:55:16 AM - [ConfigManager] Got nothing from [DefaultSubscriptionForLogin], Module = [], Cmdlet = []. Returning default value [].
VERBOSE: Performing the operation "log in" on target "User account in environment 'Foo'".
DEBUG: 1:55:16 AM - Autosave setting from startup session: 'CurrentUser'
DEBUG: 1:55:16 AM - No autosave setting detected in environment variable 'AzContextAutoSave'. 
DEBUG: 1:55:16 AM - Using Autosave scope 'CurrentUser'
Please select the account you want to login with.

DEBUG: 1:55:16 AM - [InteractiveUserAuthenticator] Calling InteractiveBrowserCredential.AuthenticateAsync with TenantId:'adfs', Scopes:'https
://management.domain/openid', AuthorityHost:'https://login.domain/adfs', RedirectUri:'http://localhost
:8405/'
DEBUG: InteractiveBrowserCredential.Authenticate invoked. Scopes: [ https://management.domain/openid ] ParentRequestId: 
DEBUG: Executing interactive authentication workflow inline.
DEBUG: InteractiveBrowserCredential.Authenticate was unable to retrieve an access token. Scopes: [ https://management.domain/openid ] ParentRequestId:  Exception: Azure.Identity.AuthenticationFailedException (0x80131500): InteractiveBrowserCredential authentication failed: Value cannot be null.
Parameter name: tenantId
 ---> System.ArgumentNullException (0x80004003): Value cannot be null.
Parameter name: tenantId
DEBUG: 1:55:16 AM - [ConfigManager] Got nothing from [EnableErrorRecordsPersistence], Module = [], Cmdlet = []. Returning default value [False].
Connect-AzAccount : InteractiveBrowserCredential authentication failed: Value cannot be null.
Parameter name: tenantId
Could not find tenant id for provided tenant domain '98b8267d-e97f-426e-8b3f-7956511fd63f'. Please ensure that the provided user is found in the provided tenant domain.
At line:1 char:1
+ Connect-AzAccount -Environment 'Foo' -Tenant '98b8267d-e97f-426e ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Connect-AzAccount], ArgumentNullException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand
 
DEBUG: 1:55:16 AM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True]
.
DEBUG: 1:55:16 AM - [ConfigManager] Got [Off] from [LoginExperienceV2], Module = [], Cmdlet = [].
DEBUG: 1:55:16 AM - [ConfigManager] Got [False] from [EnableLoginByWam], Module = [], Cmdlet = [].
DEBUG: 1:55:16 AM - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 1:55:16 AM - [ConfigManager] Got nothing from [CheckForUpgrade], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent:  Module: Az.Accounts:4.0.0; CommandName: Connect-AzAccount; PSVersion: 5.1.20348.2031; IsSuccess: False; Duration: 00:0
0:00.4483324; SanitizeDuration: 00:00:00; Exception: InteractiveBrowserCredential authentication failed: Value cannot be null.
Parameter name: tenantId
Could not find tenant id for provided tenant domain '98b8267d-e97f-426e-8b3f-7956511fd63f'. Please ensure that the provided user is found in the provided tenant domain.;
DEBUG: 1:55:16 AM - [ConfigManager] Got nothing from [EnableDataCollection], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 1:55:16 AM - ConnectAzureRmAccountCommand end processing.

Environment data

PS C:\> $PSVersionTable

Name                           Value                                                                                                        
----                           -----                                                                                                        
PSVersion                      5.1.20348.2031                                                                                               
PSEdition                      Desktop                                                                                                      
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}                                                                                      
BuildVersion                   10.0.20348.2031                                                                                              
CLRVersion                     4.0.30319.42000                                                                                              
WSManStackVersion              3.0                                                                                                          
PSRemotingProtocolVersion      2.3                                                                                                          
SerializationVersion           1.1.0.1

Module versions

PS C:\> Get-Module Az*

ModuleType Version    Name                                ExportedCommands                                                                  
---------- -------    ----                                ----------------                                                                  
Script     4.0.0      Az.Accounts                         {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Clear-AzDefault...}

Error output

PS C:\> Resolve-AzError
DEBUG: 2:25:40 AM - [ConfigManager] Got nothing from [DisplaySecretsWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 2:25:40 AM - ResolveError begin processing with ParameterSet 'AnyErrorParameterSet'.
DEBUG: 2:25:40 AM - using account id 'fb05dcc3-f65d-4f89-bc32-b1e0f8cd8378'...
DEBUG: 2:25:40 AM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 2:25:40 AM - [ConfigManager] Got nothing from [DisplaySecretsWarning], Module = [], Cmdlet = []. Returning default value [True].


   HistoryId: 20


Message        : InteractiveBrowserCredential authentication failed: Value cannot be null.
                 Parameter name: tenantId
                 Could not find tenant id for provided tenant domain '98b8267d-e97f-426e-8b3f-7956511fd63f'. Please ensure that the provided user is found in the provided tenant domain.
StackTrace     :    at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.Login(IAzureAccount account, IAzureEnvironment environment, String tenantIdOrName, String subscriptionId, String subscriptionName, SecureString password, Boolean skipValidation, 
                 IOpenIDConfiguration openIDConfigDoc, Action`1 promptAction, String name, Boolean shouldPopulateContextList, Int32 maxContextPopulation, String authScope, Boolean IsInteractiveContextSelectionEnabled)
                    at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.<>c__DisplayClass134_2.<ExecuteCmdlet>b__7()
                    at System.Threading.Tasks.Task`1.InnerInvoke()
                    at System.Threading.Tasks.Task.Execute()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.<>c__DisplayClass134_1.<ExecuteCmdlet>b__1(AzureRmProfile localProfile, RMProfileClient profileClient, String name)
                    at Microsoft.Azure.Commands.Profile.Common.AzureContextModificationCmdlet.ModifyContext(Action`2 contextAction)
                    at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.SetContextWithOverwritePrompt(Action`3 setContextAction)
                    at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.ExecuteCmdlet()
                    at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
Exception      : System.ArgumentNullException
InvocationInfo : {Connect-AzAccount}
Line           : Connect-AzAccount -Environment Foo -Tenant 98b8267d-e97f-426e-8b3f-7956511fd63f -Verbose
Position       : At line:1 char:1
                 + Connect-AzAccount -Environment Foo -Tenant 98b8267d-e97f-426e ...
                 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId      : 20

DEBUG: 2:25:40 AM - [ConfigManager] Got nothing from [DisplaySecretsWarning], Module = [], Cmdlet = []. Returning default value [True].
Message        : InteractiveBrowserCredential authentication failed: Value cannot be null.
                 Parameter name: tenantId
StackTrace     :    at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable)
                    at Azure.Identity.InteractiveBrowserCredential.<AuthenticateImplAsync>d__51.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Azure.Identity.InteractiveBrowserCredential.<AuthenticateAsync>d__48.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Microsoft.Azure.PowerShell.Authenticators.MsalAccessToken.<GetAccessTokenAsync>d__34.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzureAccount account, IAzureEnvironment environment, String tenant, SecureString password, String promptBehavior, Action`1 promptAction, IAzureTokenCache tokenCache, 
                 String resourceId)
                    at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.AcquireAccessToken(IAzureAccount account, IAzureEnvironment environment, String tenantId, SecureString password, String promptBehavior, Action`1 promptAction, String resourceId)
                    at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.Login(IAzureAccount account, IAzureEnvironment environment, String tenantIdOrName, String subscriptionId, String subscriptionName, SecureString password, Boolean skipValidation, 
                 IOpenIDConfiguration openIDConfigDoc, Action`1 promptAction, String name, Boolean shouldPopulateContextList, Int32 maxContextPopulation, String authScope, Boolean IsInteractiveContextSelectionEnabled)
Exception      : Azure.Identity.AuthenticationFailedException
InvocationInfo : {Connect-AzAccount}
Line           : Connect-AzAccount -Environment Foo -Tenant 98b8267d-e97f-426e-8b3f-7956511fd63f -Verbose
Position       : At line:1 char:1
                 + Connect-AzAccount -Environment Foo -Tenant 98b8267d-e97f-426e ...
                 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId      : 20

DEBUG: 2:25:40 AM - [ConfigManager] Got nothing from [DisplaySecretsWarning], Module = [], Cmdlet = []. Returning default value [True].
Message        : Value cannot be null.
                 Parameter name: tenantId
StackTrace     :    at Microsoft.Identity.Client.AbstractAcquireTokenParameterBuilder`1.WithTenantId(String tenantId)
                    at Azure.Identity.MsalPublicClient.<AcquireTokenInteractiveCoreAsync>d__15.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Azure.Identity.MsalPublicClient.<AcquireTokenInteractiveAsync>d__14.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Azure.Identity.InteractiveBrowserCredential.<GetTokenViaBrowserLoginAsync>d__53.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Azure.Identity.InteractiveBrowserCredential.<AuthenticateImplAsync>d__51.MoveNext()
Exception      : System.ArgumentNullException
InvocationInfo : {Connect-AzAccount}
Line           : Connect-AzAccount -Environment Foo -Tenant 98b8267d-e97f-426e-8b3f-7956511fd63f -Verbose
Position       : At line:1 char:1
                 + Connect-AzAccount -Environment Foo -Tenant 98b8267d-e97f-426e ...
                 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId      : 20

[keystroke]

Same thing using 'adfs' for the tenantId:

PS C:\> Connect-AzAccount -Environment Foo -Tenant adfs -Verbose
DEBUG: 2:28:48 AM - [ConfigManager] Got nothing from [DisplaySecretsWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 2:28:48 AM - ConnectAzureRmAccountCommand begin processing with ParameterSet 'UserWithSubscriptionId'.
DEBUG: 2:28:48 AM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 2:28:48 AM - Autosave setting from startup session: 'CurrentUser'
DEBUG: 2:28:48 AM - No autosave setting detected in environment variable 'AzContextAutoSave'. 
DEBUG: 2:28:48 AM - Using Autosave scope 'CurrentUser'
DEBUG: 2:28:48 AM - [ConfigManager] Got nothing from [DefaultSubscriptionForLogin], Module = [], Cmdlet = []. Returning default value [].
VERBOSE: Performing the operation "log in" on target "User account in environment 'Foo'".
DEBUG: 2:28:48 AM - Autosave setting from startup session: 'CurrentUser'
DEBUG: 2:28:48 AM - No autosave setting detected in environment variable 'AzContextAutoSave'. 
DEBUG: 2:28:48 AM - Using Autosave scope 'CurrentUser'
Please select the account you want to login with.

DEBUG: 2:28:48 AM - [InteractiveUserAuthenticator] Calling InteractiveBrowserCredential.AuthenticateAsync with TenantId:'adfs', Scopes:'https://management.domain/openid', AuthorityHost:'https://login.domain/adfs', RedirectUri:'http://localhost:
8405/'
DEBUG: InteractiveBrowserCredential.Authenticate invoked. Scopes: [ https://management.domain/openid ] ParentRequestId: 
DEBUG: Executing interactive authentication workflow inline.
DEBUG: InteractiveBrowserCredential.Authenticate was unable to retrieve an access token. Scopes: [ https://management.domain/openid ] ParentRequestId:  Exception: Azure.Identity.AuthenticationFailedException (0x80131500): InteractiveBrowserCredential authentication failed: Value cannot be null.
Parameter name: tenantId
 ---> System.ArgumentNullException (0x80004003): Value cannot be null.
Parameter name: tenantId
DEBUG: 2:28:48 AM - [ConfigManager] Got nothing from [EnableErrorRecordsPersistence], Module = [], Cmdlet = []. Returning default value [False].
Connect-AzAccount : InteractiveBrowserCredential authentication failed: Value cannot be null.
Parameter name: tenantId
Could not find tenant id for provided tenant domain 'adfs'. Please ensure that the provided user is found in the provided tenant domain.
At line:1 char:1
+ Connect-AzAccount -Environment Foo -Tenant adfs -Verbose
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Connect-AzAccount], ArgumentNullException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand
 
DEBUG: 2:28:48 AM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 2:28:48 AM - [ConfigManager] Got [Off] from [LoginExperienceV2], Module = [], Cmdlet = [].
DEBUG: 2:28:48 AM - [ConfigManager] Got [False] from [EnableLoginByWam], Module = [], Cmdlet = [].
DEBUG: 2:28:48 AM - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 2:28:48 AM - [ConfigManager] Got nothing from [CheckForUpgrade], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent:  Module: Az.Accounts:4.0.0; CommandName: Connect-AzAccount; PSVersion: 5.1.20348.2031; IsSuccess: False; Duration: 00:00:00.1419362; SanitizeDuration: 00:00:00; Exception: InteractiveBrowserCredential authentication failed: Value cannot be null.
Parameter name: tenantId
Could not find tenant id for provided tenant domain 'adfs'. Please ensure that the provided user is found in the provided tenant domain.;
DEBUG: 2:28:48 AM - [ConfigManager] Got nothing from [EnableDataCollection], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 2:28:48 AM - ConnectAzureRmAccountCommand end processing.

[keystroke]

Here is environment configuration:

PS C:\> Get-AzEnvironment -Name Azure.local | fl *

Name                                              : Foo
Type                                              : User-defined
EnableAdfsAuthentication                          : True
OnPremise                                         : True
ActiveDirectoryServiceEndpointResourceId          : https://managment.domain
AdTenant                                          : 98b8267d-e97f-426e-8b3f-7956511fd63f
GalleryUrl                                        : 
ManagementPortalUrl                               : 
ServiceManagementUrl                              : 
PublishSettingsFileUrl                            : 
ResourceManagerUrl                                : https://managment.domain
SqlDatabaseDnsSuffix                              : 
StorageEndpointSuffix                             : domain
ActiveDirectoryAuthority                          : https://login.domain/adfs
GraphUrl                                          : https://graph.domain
GraphEndpointResourceId                           : 
TrafficManagerDnsSuffix                           : 
AzureKeyVaultDnsSuffix                            : .vault.domain
DataLakeEndpointResourceId                        : 
AzureDataLakeStoreFileSystemEndpointSuffix        : 
AzureDataLakeAnalyticsCatalogAndJobEndpointSuffix : 
AzureKeyVaultServiceEndpointResourceId            : 
ContainerRegistryEndpointSuffix                   : .edgeacr.domain
AzureOperationalInsightsEndpointResourceId        : 
AzureOperationalInsightsEndpoint                  : 
AzureAnalysisServicesEndpointSuffix               : 
AnalysisServicesEndpointResourceId                : 
AzureAttestationServiceEndpointSuffix             : 
AzureAttestationServiceEndpointResourceId         : 
AzureSynapseAnalyticsEndpointSuffix               : 
AzureSynapseAnalyticsEndpointResourceId           : 
VersionProfiles                                   : {}
ExtendedProperties                                : {[MicrosoftGraphEndpointResourceId, https://graph.domain]}
BatchEndpointResourceId                           : 

[isra-fel]

Depending on Azure/azure-sdk-for-net#47584