[BUG] Multiple Scopes for `AzureCliCredential` not supported

[eluchsinger]

Library name and version

Azure.Identity 1.13.2

Describe the bug

Hey team.

The AzureCliCredential authentication differs from ManagedIdentity authentication. This only works when deployed to Azure using Managed Identity, obviously not locally, because we're using ManagedIdentityCredential.

var credential = new ChainedTokenCredential(
                new ManagedIdentityCredential());
string[] scopes = ["https://graph.microsoft.com/.default", "Mail.Read"];
graphServiceClient = new GraphServiceClient(credential, scopes);

var result = await graphServiceClient.Users[userId]
                .Messages[emailId]
                .GetAsync();

Snipped simplified

But now the problem is that below code should work locally, but does not work. Azure CLI does not seem to know how to use multiple scopes.

var credential = new ChainedTokenCredential(
                new AzureCliCredential());
string[] scopes = ["https://graph.microsoft.com/.default", "Mail.Read"];
graphServiceClient = new GraphServiceClient(credential, scopes);

var result = await graphServiceClient.Users[userId]
                .Messages[emailId]
                .GetAsync();

Snipped simplified

The exception is:

Exception: Azure.Identity.AuthenticationFailedException: The ChainedTokenCredential failed due to an unhandled exception: AzureCliCredential authentication failed: To convert to a resource string the specified array must be exactly length 1 (Parameter 'scopes')
---> Azure.Identity.AuthenticationFailedException: AzureCliCredential authentication failed: To convert to a resource string the specified array must be exactly length 1 (Parameter 'scopes')
---> System.ArgumentException: To convert to a resource string the specified array must be exactly length 1 (Parameter 'scopes')
    at Azure.Identity.ScopeUtilities.ScopesToResource(String[] scopes)
    at Azure.Identity.AzureCliCredential.RequestCliAccessTokenAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
    at Azure.Identity.AzureCliCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)

This implementation difference leads to this code working on Azure, but not locally. It may be very big blocker, if this would prevent developers from using Managed Identity, because it's breaking local development.

Expected behavior

The AzureCliCredential should support multiple scopes and behave at least closely to how ManagedIdentity works.

Possible use cases that need this are for example (as shown in the snippets) accessing MS Graph using explicit scopes.

Actual behavior

AzureCliCredential throws an exception.

Exception: Azure.Identity.AuthenticationFailedException: The ChainedTokenCredential failed due to an unhandled exception: AzureCliCredential authentication failed: To convert to a resource string the specified array must be exactly length 1 (Parameter 'scopes')
---> Azure.Identity.AuthenticationFailedException: AzureCliCredential authentication failed: To convert to a resource string the specified array must be exactly length 1 (Parameter 'scopes')
---> System.ArgumentException: To convert to a resource string the specified array must be exactly length 1 (Parameter 'scopes')
    at Azure.Identity.ScopeUtilities.ScopesToResource(String[] scopes)
    at Azure.Identity.AzureCliCredential.RequestCliAccessTokenAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
    at Azure.Identity.AzureCliCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)

Reproduction Steps

var credential = new ChainedTokenCredential(
                new AzureCliCredential());
string[] scopes = ["https://graph.microsoft.com/.default", "Mail.Read"];
graphServiceClient = new GraphServiceClient(credential, scopes);

var result = await graphServiceClient.Users[userId]
                .Messages[emailId]
                .GetAsync();

Environment

.NET SDK:
Version: 9.0.102
Commit: cb83cd4923
Workload version: 9.0.100-manifests.43af17c7
MSBuild version: 17.12.18+ed8c6aec5

[github-actions]

Thank you for your feedback. Tagging and routing to the team member best able to assist.

[christothes]

Hi @eluchsinger
The AzureCliCredential invokes the az account get-access-token --resource <scope> command. I tried running that with --resource https://graph.microsoft.com/.default and it fails with this error:

(pii). Status: Response_Status.Status_IncorrectConfiguration, Error code: 3399614475, Tag: 508634112
Please explicitly log in with:
az login --scope https://graph.microsoft.com/.default/.default

there is also a --scope switch, that we don't currently use. This works:
az account get-access-token --scope https://graph.microsoft.com/.default

However, the following fails:

az account get-access-token --scope https://graph.microsoft.com/.default User.Read
(pii). Status: Response_Status.Status_IncorrectConfiguration, Error code: 3399614471, Tag: 508634083
Please explicitly log in with:
az login --scope https://graph.microsoft.com/.default User.Read

If you were to get the access token using az account get-access-token , do you happen to know which command would get you the correct access token? We may want to open an issue over here to ask the CLI team if you don't.

[github-actions]

Hi @eluchsinger. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

[github-actions]

Hi @eluchsinger, we're sending this friendly reminder because we haven't heard back from you in 7 days. We need more information about this issue to help address it. Please be sure to give us your input. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!