[BUG] `CredentialUnavailableException` doesn't include reason for Broker credential failure

[afscrome]

Library name and version

Azure.Identity 1.14.0-beta.3 / Azure.Identity.Broker 1.3.0-beta.2

Describe the bug

If a failure occurs with the new development broker credentials, reasons for this failure don't seem to show up in CredentialUnavailableException.

Expected behavior

I'd expect the reason for the broker credential failure to show up on the CredentialUnavailableException exception from DefaultAzureCredential.

In this case, something like

- InteractiveBrowserCredential authentication failed: Account has previously been signed out of this application.

Actual behavior

No details are provided on failure

      Failed to find valid Authentication method - DefaultAzureCredential failed to retrieve a token from the included credentials. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/defaultazurecredential/troubleshoot
      - EnvironmentCredential authentication unavailable. Environment variables are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/environmentcredential/troubleshoot
      - WorkloadIdentityCredential authentication unavailable. The workload options are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/workloadidentitycredential/troubleshoot
      - VisualStudioCredential authentication failed: Process "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\Common7\IDE\CommonExtensions\Microsoft\Asal\TokenService\Microsoft.Asal.TokenService.exe" has failed with unexpected error: TS003: Error, TS001: This account 'REDACTED' needs re-authentication. Please go to Tools->Options->Azure Services Authentication, and re-authenticate the account you want to use..
      - AzureCliCredential authentication failed: Please run 'az login' to set up account
      - AzurePowerShellCredential authentication failed: Az.Accounts module >= 2.2.0 is not installed.
      - AzureDeveloperCliCredential authentication failed: Please run 'azd auth login' from a command prompt to authenticate before using this credential.
      - InteractiveBrowserCredential authentication failed:

If I enable the AzureEventSourceLogForwarder, I can get some more detailed error - I'd expect this error to show up in the Account has previously been signed out of this application. text to show up in the CredentialUnavailableException

[17:12:34.331] fail: Azure.Identity[10]
      False MSAL 4.69.1.0 MSAL.NetCore .NET 9.0.3 Microsoft Windows 10.0.22621 [2025-04-14 16:12:34Z] [RuntimeBroker] failed_to_acquire_token_silently_from_broker WAM Error
 Error Code: 0
 Error Message: Account has previously been signed out of this application.
 Internal Error Code: 540940121

[17:12:34.335] dbug: Azure.Identity[7]
      False MSAL 4.69.1.0 MSAL.NetCore .NET 9.0.3 Microsoft Windows 10.0.22621 [2025-04-14 16:12:34Z - fc9c8b76-46a0-48b6-b4fe-25a3b2ac6512] Broker could not satisfy silent request.
[17:12:34.344] fail: Azure.Identity[10]
      False MSAL 4.69.1.0 MSAL.NetCore .NET 9.0.3 Microsoft Windows 10.0.22621 [2025-04-14 16:12:34Z - fc9c8b76-46a0-48b6-b4fe-25a3b2ac6512] Exception type: Microsoft.Identity.Client.MsalUiRequiredException
      , ErrorCode: failed_to_acquire_token_silently_from_broker
      HTTP StatusCode 0
      CorrelationId fc9c8b76-46a0-48b6-b4fe-25a3b2ac6512
      To see full exception details, enable PII Logging. See https://aka.ms/msal-net-logging
         at Microsoft.Identity.Client.Internal.Requests.Silent.SilentRequest.ExecuteAsync(CancellationToken cancellationToken)
         at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.MoveNext()
      --- End of stack trace from previous location ---
         at Microsoft.Identity.Client.Utils.StopwatchService.MeasureCodeBlockAsync(Func`1 codeBlock)
         at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)

Reproduction Steps

using var forwarder = new AzureEventSourceLogForwarder(loggerFactory);
//forwarder.Start();
var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions()
{
    // Managed Identity Credentials are slow, and not typically used in docker scenarios
    ExcludeManagedIdentityCredential = true,
});
var token = await credential.GetTokenAsync(new(scopes: ["https://management.azure.com/.default"]));

Environment

dotnet:

.NET SDK:
 Version:           9.0.201
 Commit:            071aaccdc2
 Workload version:  9.0.200-manifests.a3a1a094
 MSBuild version:   17.13.13+1c2026462

Runtime Environment:
 OS Name:     Windows
 OS Version:  10.0.22621
 OS Platform: Windows
 RID:         win-x64
 Base Path:   C:\Program Files\dotnet\sdk\9.0.201\

.NET workloads installed:
 [aspire]
   Installation Source: VS 17.13.35919.96
   Manifest Version:    8.2.2/8.0.100
   Manifest Path:       C:\Program Files\dotnet\sdk-manifests\8.0.100\microsoft.net.sdk.aspire\8.2.2\WorkloadManifest.json
   Install Type:              Msi

Configured to use loose manifests when installing new manifests.

Host:
  Version:      9.0.3
  Architecture: x64
  Commit:       831d23e561

.NET SDKs installed:
  6.0.428 [C:\Program Files\dotnet\sdk]
  8.0.408 [C:\Program Files\dotnet\sdk]
  9.0.100 [C:\Program Files\dotnet\sdk]
  9.0.200 [C:\Program Files\dotnet\sdk]
  9.0.201 [C:\Program Files\dotnet\sdk]

.NET runtimes installed:
  Microsoft.AspNetCore.App 6.0.36 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 7.0.7 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 7.0.20 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 8.0.14 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 8.0.15 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 9.0.0 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 9.0.2 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 9.0.3 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 6.0.36 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 8.0.14 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 8.0.15 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 9.0.0 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 9.0.2 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 9.0.3 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.WindowsDesktop.App 6.0.36 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 8.0.14 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 8.0.15 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 9.0.0 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 9.0.2 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 9.0.3 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]

Other architectures found:
  x86   [C:\Program Files (x86)\dotnet]
    registered at [HKLM\SOFTWARE\dotnet\Setup\InstalledVersions\x86\InstallLocation]

Environment variables:
  Not set

global.json file:
  S:\REDACTED\global.json

Learn more:
  https://aka.ms/dotnet/info

Download .NET:
  https://aka.ms/dotnet/download

Visual Studio:

Microsoft Visual Studio Enterprise 2022
Version 17.13.5
VisualStudio.17.Release/17.13.5+35919.96
Microsoft .NET Framework
Version 4.8.09032

Installed Version: Enterprise

Visual C++ 2022   00476-80000-00000-AA768
Microsoft Visual C++ 2022

ASP.NET and Web Tools   17.13.124.35287
ASP.NET and Web Tools

Azure App Service Tools v3.0.0   17.13.124.35287
Azure App Service Tools v3.0.0

Azure Functions and Web Jobs Tools   17.13.124.35287
Azure Functions and Web Jobs Tools

C# Tools   4.13.0-3.25167.3+73eff2b5de2ad38ec602c0a9e82f9125fb85992b
C# components used in the IDE. Depending on your project type and settings, a different version of the compiler may be used.

Common Azure Tools   1.10
Provides common services for use by Azure Mobile Services and Microsoft Azure Tools.

GitHub Copilot   17.13.441.19478
GitHub Copilot is an AI pair programmer that helps you write code faster and with less work.

Microsoft Azure Tools for Visual Studio   2.9
Support for Azure Cloud Services projects

Microsoft JVM Debugger   1.0
Provides support for connecting the Visual Studio debugger to JDWP compatible Java Virtual Machines

Node.js Tools   1.5.61125.7 Commit Hash:d387982a7546304d617ed77b6d390e04b6558274
Adds support for developing and debugging Node.js apps in Visual Studio

NuGet Package Manager   6.13.2
NuGet Package Manager in Visual Studio. For more information about NuGet, visit https://docs.nuget.org/

Office Developer Tools for Visual Studio   17.10.35513.00
Microsoft Office Developer Tools for Visual Studio

Razor (ASP.NET Core)   17.13.3.2512306+41f62d0b8021cafc33bdefdb7e0198c8d2eb59ac
Provides languages services for ASP.NET Core Razor.

SQL Server Data Tools   17.13.3.1
Microsoft SQL Server Data Tools

Test Adapter for Boost.Test   1.0
Enables Visual Studio's testing tools with unit tests written for Boost.Test.  The use terms and Third Party Notices are available in the extension installation directory.

Test Adapter for Google Test   1.0
Enables Visual Studio's testing tools with unit tests written for Google Test.  The use terms and Third Party Notices are available in the extension installation directory.

TypeScript Tools   17.0.31211.2001
TypeScript Tools for Microsoft Visual Studio

Visual Basic Tools   4.13.0-3.25167.3+73eff2b5de2ad38ec602c0a9e82f9125fb85992b
Visual Basic components used in the IDE. Depending on your project type and settings, a different version of the compiler may be used.

Visual F# Tools   17.13.0-beta.25154.2+82a3f54f7140a62e6398403451098c4517747c02
Microsoft Visual F# Tools

Visual Studio IntelliCode   2.2
AI-assisted development for Visual Studio.

Workflow Manager Tools 1.0   1.0
This package contains the necessary Visual Studio integration components for Workflow Manager.

[github-actions]

Hello @afscrome. I'm an AI assistant for the azure-sdk-for-net repository. I have some suggestions that you can try out while the team gets back to you.

• Confirm that the broker failure messages (e.g. Account has previously been signed out errors) are visible when detailed diagnostic logging is enabled. This can be done using the AzureEventSourceLogForwarder and ensuring MSAL PII logging is activated.
• Note that the current design of CredentialUnavailableException does not surface detailed broker error reasons in its exception message. We recognize this gap and are considering ways to include these extra details in future releases.
• In the meantime, you may capture additional error information by consulting the logs from the broker process (as seen in your detailed event logs) or by enabling extended MSAL logging via MSAL logging guidance.
• For further troubleshooting, please refer to the DefaultAzureCredential troubleshooting guide which outlines various credential failure scenarios.

The team will get back to you shortly, hopefully this helps in the meantime.

[christothes]

@afscrome Thanks for reporting this. We'll look into providing a more helpful exception message.

[afscrome]

For anyone coming across the "Account has previously been signed out of this application." issue, the "fix" was to log in to Azure CLI, however after doing this, the Azure CLI credentials win because they are first in the credential chain. At which point the only way I could force credential to go through the broker was to exclude the Azure CLI from the credential chain.

[christothes]

For anyone coming across the "Account has previously been signed out of this application." issue, the "fix" was to log in to Azure CLI, however after doing this, the Azure CLI credentials win because they are first in the credential chain. At which point the only way I could force credential to go through the broker was to exclude the Azure CLI from the credential chain.

You can also log in via our broker credential support described here.

[afscrome]

That seems to be exactly what I need. Thanks @christothes .

(I will leave this issue open though around including the error details in CredentialUnavailableException)