blogs4t

Reputation: 2767

AADSTS50020: User account '{EmailHidden}' from identity provider does not exist in tenant 'Microsoft Services' and cannot access the application

• Using Azure.Identity
• Running dotnet 6.0.302
• On Windows 10
• Visual Studio 2022 v17.1.5
• App Type - Asp.Net Core Web Api

I am trying to implement Azure App Configuration.

While using DefaultCredentials(), the attempt to obtain an authentication token fails at all levels of credential types. I tried providing a user-assigned managed identity, but to no avail.

I notice something fishy in the logs though. There are instances of Azure.RequestFailedException: A socket operation was attempted to an unreachable network. (169.254.169.254:80) but I am not sure what the IP address refers to.

Please Note:-

  1. I could not ping this IP address from my PC.
  2. The error is the same irrespective of using a Managed Identity. So using just new DefaultAzureCredential() without any parameters also throws the same error.

I am using my personal Azure Subscription.

Kindly provide guidance to solve this issue and move forward.

Here is my WebApi configuration

 var builder = WebApplication.CreateBuilder(args);

// Setup a listener to monitor logged events.
using AzureEventSourceListener listener = AzureEventSourceListener.CreateConsoleLogger();
var defaultClientCredentialsOptions = new DefaultAzureCredentialOptions()
{
    Diagnostics =
    {
        LoggedHeaderNames = { "x-ms-request-id" },
        LoggedQueryParameters = { "api-version" },
        IsLoggingContentEnabled = true
    }
};

// Plugin App Configuration Store
var appConfigStore = builder.Configuration.GetConnectionString("EshopClone:AppConfiguration");
var userAssignedMIClientId = builder.Configuration["UserAssignedMIClientId"];
var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions { ManagedIdentityClientId = userAssignedMIClientId });

builder.Host.ConfigureAppConfiguration(hostBuilder =>
{
    hostBuilder.AddAzureAppConfiguration(options =>
    {
        options.Connect(appConfigStore)
            .ConfigureKeyVault(kv =>
            {
                kv.SetCredential(credential);
            });
    });
});

Here is the detailed error:

EshopClone\Services\Catalog\Catalog.Api\bin\Debug\net6.0\Catalog.Api.exe (process 38972) exited with code -1.
To automatically close the console when debugging stops, enable Tools->Options->Debugging->Automatically close the console when debugging stops.
Press any key to close this window . . .
EshopClone\Services\Catalog\Catalog.Api\bin\Debug\net6.0\Catalog.Api.exe (process 43516) exited with code -1.
To automatically close the console when debugging stops, enable Tools->Options->Debugging->Automatically close the console when debugging stops.
Press any key to close this window . . .
[Informational] Azure-Core: Request [2a2c1a3c-7c03-4ccf-b529-82ebe89b1db0] GET https://myappconfigurationurl.azconfig.io/kv/?key=REDACTED&label=REDACTED&api-version=1.0
Accept:application/vnd.microsoft.appconfig.kv+json
Correlation-Context:REDACTED
User-Agent:Microsoft.Extensions.Configuration.AzureAppConfiguration/5.1.0,azsdk-net-Data.AppConfiguration/1.2.0,(.NET 6.0.7; Microsoft Windows 10.0.19044)
x-ms-client-request-id:2a2c1a3c-7c03-4ccf-b529-82ebe89b1db0
x-ms-return-client-request-id:true
x-ms-content-sha256:REDACTED
Date:Sun, 31 Jul 2022 01:22:01 GMT
Authorization:REDACTED
client assembly: Azure.Data.AppConfiguration
[Informational] Azure-Core: Response [2a2c1a3c-7c03-4ccf-b529-82ebe89b1db0] 200 OK (01.1s)
Server:openresty/1.17.8.2
Date:Sun, 31 Jul 2022 01:22:14 GMT
Transfer-Encoding:chunked
Connection:keep-alive
Sync-Token:zAJw6V16=NToxOSMxOTk0ODMyOA==;sn=19948328
x-ms-request-id:a969b01a-edd4-4b14-b38f-c37c0aee185f
x-ms-client-request-id:2a2c1a3c-7c03-4ccf-b529-82ebe89b1db0
x-ms-correlation-request-id:a969b01a-edd4-4b14-b38f-c37c0aee185f
Access-Control-Allow-Origin:*
Access-Control-Allow-Credentials:true
Access-Control-Expose-Headers:REDACTED
Strict-Transport-Security:max-age=15724800; includeSubDomains
Content-Type:application/vnd.microsoft.appconfig.kvset+json; charset=utf-8

[Informational] Azure-Core: Request [7b3aebb0-5882-41fd-8c4c-3f2cb359ef15] GET https://mykeyvault.vault.azure.net/secrets/Catalog-Api-KVMessage/?api-version=7.2
Accept:application/json
x-ms-client-request-id:7b3aebb0-5882-41fd-8c4c-3f2cb359ef15
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Security.KeyVault.Secrets/4.2.0,(.NET 6.0.7; Microsoft Windows 10.0.19044)
Content-Type:application/json
client assembly: Azure.Security.KeyVault.Secrets
[Warning] Azure-Core: Error response [7b3aebb0-5882-41fd-8c4c-3f2cb359ef15] 401 Unauthorized (00.2s)
Cache-Control:no-cache
Pragma:no-cache
WWW-Authenticate:Bearer authorization="https://login.windows.net/8f75f741-333d-429e-a535-e1304c1dd62d", resource="https://vault.azure.net"
x-ms-keyvault-region:eastus
x-ms-client-request-id:7b3aebb0-5882-41fd-8c4c-3f2cb359ef15
x-ms-request-id:fa78180c-6723-4459-a182-ca2decfecaad
x-ms-keyvault-service-version:1.9.472.5
x-ms-keyvault-network-info:conn_type=Ipv4;addr=76.205.200.211;act_addr_fam=InterNetwork;
X-Content-Type-Options:REDACTED
Strict-Transport-Security:REDACTED
Date:Sun, 31 Jul 2022 01:22:14 GMT
Content-Length:97
Content-Type:application/json; charset=utf-8
Expires:-1

[Informational] Azure-Identity: DefaultAzureCredential.GetToken invoked. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: 7b3aebb0-5882-41fd-8c4c-3f2cb359ef15
[Informational] Azure-Identity: EnvironmentCredential.GetToken invoked. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: 7b3aebb0-5882-41fd-8c4c-3f2cb359ef15
[Informational] Azure-Identity: EnvironmentCredential.GetToken was unable to retrieve an access token. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: 7b3aebb0-5882-41fd-8c4c-3f2cb359ef15 Exception: Azure.Identity.CredentialUnavailableException (0x80131500): EnvironmentCredential authentication unavailable. Environment variables are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/environmentcredential/troubleshoot
[Informational] Azure-Identity: ManagedIdentityCredential.GetToken invoked. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: 7b3aebb0-5882-41fd-8c4c-3f2cb359ef15
[Informational] Azure-Core: Request [5fb9375f-1c4c-40b6-9ecc-ee29f260e34b] GET http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=REDACTED&client_id=REDACTED
Metadata:REDACTED
x-ms-client-request-id:5fb9375f-1c4c-40b6-9ecc-ee29f260e34b
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Identity/1.6.0,(.NET 6.0.7; Microsoft Windows 10.0.19044)
client assembly: Azure.Identity
[Informational] Azure-Core: Request [5fb9375f-1c4c-40b6-9ecc-ee29f260e34b] exception Azure.RequestFailedException: A socket operation was attempted to an unreachable network. (169.254.169.254:80)
 ---> System.Net.Http.HttpRequestException: A socket operation was attempted to an unreachable network. (169.254.169.254:80)
 ---> System.Net.Sockets.SocketException (10051): A socket operation was attempted to an unreachable network.
   at System.Net.Sockets.Socket.AwaitableSocketAsyncEventArgs.ThrowException(SocketError error, CancellationToken cancellationToken)
   at System.Net.Sockets.Socket.AwaitableSocketAsyncEventArgs.System.Threading.Tasks.Sources.IValueTaskSource.GetResult(Int16 token)
   at System.Net.Sockets.Socket.<ConnectAsync>g__WaitForConnectWithCancellation|277_0(AwaitableSocketAsyncEventArgs saea, ValueTask connectTask, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.ConnectToTcpHostAsync(String host, Int32 port, HttpRequestMessage initialRequest, Boolean async, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at System.Net.Http.HttpConnectionPool.ConnectToTcpHostAsync(String host, Int32 port, HttpRequestMessage initialRequest, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.AddHttp11ConnectionAsync(HttpRequestMessage request)
   at System.Threading.Tasks.TaskCompletionSourceWithCancellation`1.WaitWithCancellationAsync(CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.GetHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
   at Azure.Core.Pipeline.HttpClientTransport.ProcessAsync(HttpMessage message, Boolean async)
   --- End of inner exception stack trace ---
   at Azure.Core.Pipeline.HttpClientTransport.ProcessAsync(HttpMessage message, Boolean async)
   at Azure.Core.Pipeline.HttpPipelineTransportPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline)
   at Azure.Core.Pipeline.ResponseBodyPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)   at Azure.Core.Pipeline.LoggingPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
[Informational] Azure-Core: Request [5fb9375f-1c4c-40b6-9ecc-ee29f260e34b] retry number 1 took 00.1s
[Informational] Azure-Core: Request [5fb9375f-1c4c-40b6-9ecc-ee29f260e34b] GET http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=REDACTED&client_id=REDACTED
Metadata:REDACTED
x-ms-client-request-id:5fb9375f-1c4c-40b6-9ecc-ee29f260e34b
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Identity/1.6.0,(.NET 6.0.7; Microsoft Windows 10.0.19044)
client assembly: Azure.Identity
[Informational] Azure-Core: Request [5fb9375f-1c4c-40b6-9ecc-ee29f260e34b] exception Azure.RequestFailedException: A socket operation was attempted to an unreachable network. (169.254.169.254:80)
 ---> System.Net.Http.HttpRequestException: A socket operation was attempted to an unreachable network. (169.254.169.254:80)
 ---> System.Net.Sockets.SocketException (10051): A socket operation was attempted to an unreachable network.
   at System.Net.Sockets.Socket.AwaitableSocketAsyncEventArgs.ThrowException(SocketError error, CancellationToken cancellationToken)
   at System.Net.Sockets.Socket.AwaitableSocketAsyncEventArgs.System.Threading.Tasks.Sources.IValueTaskSource.GetResult(Int16 token)
   at System.Net.Sockets.Socket.<ConnectAsync>g__WaitForConnectWithCancellation|277_0(AwaitableSocketAsyncEventArgs saea, ValueTask connectTask, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.ConnectToTcpHostAsync(String host, Int32 port, HttpRequestMessage initialRequest, Boolean async, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at System.Net.Http.HttpConnectionPool.ConnectToTcpHostAsync(String host, Int32 port, HttpRequestMessage initialRequest, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.AddHttp11ConnectionAsync(HttpRequestMessage request)
   at System.Threading.Tasks.TaskCompletionSourceWithCancellation`1.WaitWithCancellationAsync(CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.GetHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
   at Azure.Core.Pipeline.HttpClientTransport.ProcessAsync(HttpMessage message, Boolean async)
   --- End of inner exception stack trace ---
   at Azure.Core.Pipeline.HttpClientTransport.ProcessAsync(HttpMessage message, Boolean async)
   at Azure.Core.Pipeline.HttpPipelineTransportPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline)
   at Azure.Core.Pipeline.ResponseBodyPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)   at Azure.Core.Pipeline.LoggingPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
[Informational] Azure-Core: Request [5fb9375f-1c4c-40b6-9ecc-ee29f260e34b] retry number 2 took 00.0s
[Informational] Azure-Core: Request [5fb9375f-1c4c-40b6-9ecc-ee29f260e34b] GET http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=REDACTED&client_id=REDACTED
Metadata:REDACTED
x-ms-client-request-id:5fb9375f-1c4c-40b6-9ecc-ee29f260e34b
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Identity/1.6.0,(.NET 6.0.7; Microsoft Windows 10.0.19044)
client assembly: Azure.Identity
[Informational] Azure-Core: Request [5fb9375f-1c4c-40b6-9ecc-ee29f260e34b] exception Azure.RequestFailedException: A socket operation was attempted to an unreachable network. (169.254.169.254:80)
 ---> System.Net.Http.HttpRequestException: A socket operation was attempted to an unreachable network. (169.254.169.254:80)
 ---> System.Net.Sockets.SocketException (10051): A socket operation was attempted to an unreachable network.
   at System.Net.Sockets.Socket.AwaitableSocketAsyncEventArgs.ThrowException(SocketError error, CancellationToken cancellationToken)
   at System.Net.Sockets.Socket.AwaitableSocketAsyncEventArgs.System.Threading.Tasks.Sources.IValueTaskSource.GetResult(Int16 token)
   at System.Net.Sockets.Socket.<ConnectAsync>g__WaitForConnectWithCancellation|277_0(AwaitableSocketAsyncEventArgs saea, ValueTask connectTask, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.ConnectToTcpHostAsync(String host, Int32 port, HttpRequestMessage initialRequest, Boolean async, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at System.Net.Http.HttpConnectionPool.ConnectToTcpHostAsync(String host, Int32 port, HttpRequestMessage initialRequest, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.AddHttp11ConnectionAsync(HttpRequestMessage request)
   at System.Threading.Tasks.TaskCompletionSourceWithCancellation`1.WaitWithCancellationAsync(CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.GetHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
   at Azure.Core.Pipeline.HttpClientTransport.ProcessAsync(HttpMessage message, Boolean async)
   --- End of inner exception stack trace ---
   at Azure.Core.Pipeline.HttpClientTransport.ProcessAsync(HttpMessage message, Boolean async)
   at Azure.Core.Pipeline.HttpPipelineTransportPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline)
   at Azure.Core.Pipeline.ResponseBodyPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)   at Azure.Core.Pipeline.LoggingPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
[Informational] Azure-Core: Request [5fb9375f-1c4c-40b6-9ecc-ee29f260e34b] retry number 3 took 00.0s
[Informational] Azure-Core: Request [5fb9375f-1c4c-40b6-9ecc-ee29f260e34b] GET http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=REDACTED&client_id=REDACTED
Metadata:REDACTED
x-ms-client-request-id:5fb9375f-1c4c-40b6-9ecc-ee29f260e34b
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Identity/1.6.0,(.NET 6.0.7; Microsoft Windows 10.0.19044)
client assembly: Azure.Identity
[Informational] Azure-Core: Request [5fb9375f-1c4c-40b6-9ecc-ee29f260e34b] exception Azure.RequestFailedException: A socket operation was attempted to an unreachable network. (169.254.169.254:80)
 ---> System.Net.Http.HttpRequestException: A socket operation was attempted to an unreachable network. (169.254.169.254:80)
 ---> System.Net.Sockets.SocketException (10051): A socket operation was attempted to an unreachable network.
   at System.Net.Sockets.Socket.AwaitableSocketAsyncEventArgs.ThrowException(SocketError error, CancellationToken cancellationToken)
   at System.Net.Sockets.Socket.AwaitableSocketAsyncEventArgs.System.Threading.Tasks.Sources.IValueTaskSource.GetResult(Int16 token)
   at System.Net.Sockets.Socket.<ConnectAsync>g__WaitForConnectWithCancellation|277_0(AwaitableSocketAsyncEventArgs saea, ValueTask connectTask, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.ConnectToTcpHostAsync(String host, Int32 port, HttpRequestMessage initialRequest, Boolean async, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at System.Net.Http.HttpConnectionPool.ConnectToTcpHostAsync(String host, Int32 port, HttpRequestMessage initialRequest, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.AddHttp11ConnectionAsync(HttpRequestMessage request)
   at System.Threading.Tasks.TaskCompletionSourceWithCancellation`1.WaitWithCancellationAsync(CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.GetHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
   at Azure.Core.Pipeline.HttpClientTransport.ProcessAsync(HttpMessage message, Boolean async)
   --- End of inner exception stack trace ---
   at Azure.Core.Pipeline.HttpClientTransport.ProcessAsync(HttpMessage message, Boolean async)
   at Azure.Core.Pipeline.HttpPipelineTransportPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline)
   at Azure.Core.Pipeline.ResponseBodyPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)   at Azure.Core.Pipeline.LoggingPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
[Informational] Azure-Identity: ManagedIdentityCredential.GetToken was unable to retrieve an access token. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: 7b3aebb0-5882-41fd-8c4c-3f2cb359ef15 Exception: Azure.Identity.CredentialUnavailableException (0x80131500): ManagedIdentityCredential authentication unavailable. Multiple attempts failed to obtain a token from the managed identity endpoint.
 ---> System.AggregateException (0x80131500): Retry failed after 4 tries. Retry settings can be adjusted in ClientOptions.Retry. (A socket operation was attempted to an unreachable network. (169.254.169.254:80)) (A socket operation was attempted to an unreachable network. (169.254.169.254:80)) (A socket operation was attempted to an unreachable network. (169.254.169.254:80)) (A socket operation was attempted to an unreachable network. (169.254.169.254:80))
 ---> Azure.RequestFailedException (0x80131500): A socket operation was attempted to an unreachable network. (169.254.169.254:80)
 ---> System.Net.Http.HttpRequestException (0x80004005): A socket operation was attempted to an unreachable network. (169.254.169.254:80)
 ---> System.Net.Sockets.SocketException (0x80004005): A socket operation was attempted to an unreachable network.
[Informational] Azure-Identity: VisualStudioCredential.GetToken invoked. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: 7b3aebb0-5882-41fd-8c4c-3f2cb359ef15
[Informational] Azure-Identity: VisualStudioCredential.GetToken was unable to retrieve an access token. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: 7b3aebb0-5882-41fd-8c4c-3f2cb359ef15 Exception: Azure.Identity.CredentialUnavailableException (0x80131500): Process "C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\Asal\TokenService\Microsoft.Asal.TokenService.exe" has failed with unexpected error: TS003: Error, TS004: Unable to get access token.  'AADSTS50020: User account '{EmailHidden}' from identity provider 'live.com' does not exist in tenant 'Microsoft Services' and cannot access the application '872cd9fa-d31f-45e0-9eab-6e460a02d1f1'(Visual Studio) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Trace ID: 72758044-988d-4eb7-a02a-88b03cc98b00
Correlation ID: 9ab458cd-36b1-4fcb-b9c5-a6fda19b3704
Timestamp: 2022-07-31 01:22:23Z'.
 ---> System.InvalidOperationException (0x80131509): TS003: Error, TS004: Unable to get access token.  'AADSTS50020: User account '{EmailHidden}' from identity provider 'live.com' does not exist in tenant 'Microsoft Services' and cannot access the application '872cd9fa-d31f-45e0-9eab-6e460a02d1f1'(Visual Studio) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Trace ID: 72758044-988d-4eb7-a02a-88b03cc98b00
Correlation ID: 9ab458cd-36b1-4fcb-b9c5-a6fda19b3704
Timestamp: 2022-07-31 01:22:23Z'
[Informational] Azure-Identity: VisualStudioCodeCredential.GetToken invoked. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: 7b3aebb0-5882-41fd-8c4c-3f2cb359ef15
[Informational] Azure-Identity: VisualStudioCodeCredential.GetToken was unable to retrieve an access token. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: 7b3aebb0-5882-41fd-8c4c-3f2cb359ef15 Exception: Azure.Identity.CredentialUnavailableException (0x80131500): Stored credentials not found. Need to authenticate user in VSCode Azure Account. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/vscodecredential/troubleshoot
 ---> System.InvalidOperationException (0x80131509): CredRead has failed but error is unknown.
[Informational] Azure-Identity: AzureCliCredential.GetToken invoked. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: 7b3aebb0-5882-41fd-8c4c-3f2cb359ef15
[Informational] Azure-Identity: AzureCliCredential.GetToken was unable to retrieve an access token. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: 7b3aebb0-5882-41fd-8c4c-3f2cb359ef15 Exception: Azure.Identity.CredentialUnavailableException (0x80131500): Azure CLI not installed
[Informational] Azure-Identity: AzurePowerShellCredential.GetToken invoked. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: 7b3aebb0-5882-41fd-8c4c-3f2cb359ef15
[Informational] Azure-Identity: AzurePowerShellCredential.GetToken was unable to retrieve an access token. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: 7b3aebb0-5882-41fd-8c4c-3f2cb359ef15 Exception: Azure.Identity.CredentialUnavailableException (0x80131500): Az.Account module >= 2.2.0 is not installed.
[Informational] Azure-Identity: DefaultAzureCredential.GetToken was unable to retrieve an access token. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: 7b3aebb0-5882-41fd-8c4c-3f2cb359ef15 Exception: Azure.Identity.CredentialUnavailableException (0x80131500): DefaultAzureCredential failed to retrieve a token from the included credentials. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/defaultazurecredential/troubleshoot
- EnvironmentCredential authentication unavailable. Environment variables are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/environmentcredential/troubleshoot
- ManagedIdentityCredential authentication unavailable. Multiple attempts failed to obtain a token from the managed identity endpoint.
- Process "C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\Asal\TokenService\Microsoft.Asal.TokenService.exe" has failed with unexpected error: TS003: Error, TS004: Unable to get access token.  'AADSTS50020: User account '{EmailHidden}' from identity provider 'live.com' does not exist in tenant 'Microsoft Services' and cannot access the application '872cd9fa-d31f-45e0-9eab-6e460a02d1f1'(Visual Studio) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Trace ID: 72758044-988d-4eb7-a02a-88b03cc98b00
Correlation ID: 9ab458cd-36b1-4fcb-b9c5-a6fda19b3704
Timestamp: 2022-07-31 01:22:23Z'.
- Stored credentials not found. Need to authenticate user in VSCode Azure Account. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/vscodecredential/troubleshoot
- Azure CLI not installed
- Az.Account module >= 2.2.0 is not installed.
 ---> System.AggregateException (0x80131500): Multiple exceptions were encountered while attempting to authenticate. (EnvironmentCredential authentication unavailable. Environment variables are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/environmentcredential/troubleshoot) (ManagedIdentityCredential authentication unavailable. Multiple attempts failed to obtain a token from the managed identity endpoint.) (Process "C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\Asal\TokenService\Microsoft.Asal.TokenService.exe" has failed with unexpected error: TS003: Error, TS004: Unable to get access token.  'AADSTS50020: User account '{EmailHidden}' from identity provider 'live.com' does not exist in tenant 'Microsoft Services' and cannot access the application '872cd9fa-d31f-45e0-9eab-6e460a02d1f1'(Visual Studio) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Trace ID: 72758044-988d-4eb7-a02a-88b03cc98b00
Correlation ID: 9ab458cd-36b1-4fcb-b9c5-a6fda19b3704
Timestamp: 2022-07-31 01:22:23Z'.) (Stored credentials not found. Need to authenticate user in VSCode Azure Account. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/vscodecredential/troubleshoot) (Azure CLI not installed) (Az.Account module >= 2.2.0 is not installed.)
 ---> Azure.Identity.CredentialUnavailableException (0x80131500): EnvironmentCredential authentication unavailable. Environment variables are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/environmentcredential/troubleshoot

EshopClone\Services\Catalog\Catalog.Api\bin\Debug\net6.0\Catalog.Api.exe (process 45532) exited with code -1.
To automatically close the console when debugging stops, enable Tools->Options->Debugging->Automatically close the console when debugging stops.
Press any key to close this window . . .

Upvotes: 3

Views: 3063

Answers (3)

Vlad Rudenko

Reputation: 2839

You need to provide the correct TenantId for Visual Studio authentication:

new DefaultAzureCredential(new DefaultAzureCredentialOptions { VisualStudioTenantId = "<your_tenant_id>" })

The related part of your error log is:

Process "C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\Asal\TokenService\Microsoft.Asal.TokenService.exe" has failed with unexpected error: TS003: Error, TS004: Unable to get access token. 'AADSTS50020: User account '{EmailHidden}' from identity provider 'live.com' does not exist in tenant 'Microsoft Services' and cannot access the application '872cd9fa-d31f-45e0-9eab-6e460a02d1f1'(Visual Studio) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

Upvotes: 0

Zhenlan Wang

Reputation: 1543

Your code uses a connection string to connect to Azure App Configuration and uses AAD (user-assigned managed identity) to connect to Key Vault (for Key Vault references). The problem is not with Azure App Configuration but with the Key Vault. Please make sure you granted your user-assigned managed identity the read permission to the secrets in your Key Vault.

Please check out the "Grant your app access to Key Vault" section in the doc below:

https://learn.microsoft.com/azure/azure-app-configuration/use-key-vault-references-dotnet-core?tabs=core5x#grant-your-app-access-to-key-vault

Upvotes: 0

kavya Saraboju

Reputation: 10859

All the exceptions, including RequestFailedException and AADSTS50020 (which are often caused by the DefaultAzureCredential authenticating an account other than the intended one, or by that account not having the correct permissions or roles assigned), lead to the user being unauthorized to call that particular endpoint, where your target might be on a different network for that endpoint, which is leading to the socket exception.

Please check the following ways that can resolve the issue.

  1. Sign out and sign in to VS again. Select the Tools > Options menu to launch the Options dialog in Visual Studio. Navigate to the Azure Service Authentication options and sign in with your required Azure Active Directory account.

To try and get the right account to access, try using the Azure CLI, logging into that one account and signing out of your others, or with VS, make sure that the tokens are only being requested from that one account and not any other.

Use the CLI command below to verify the account which is currently logged in, but before that please ensure the Azure CLI is properly installed. Installation instructions can be found here.

az account show

Once you've verified the Azure CLI is using the correct account, you can validate that it's able to obtain tokens for this account.

az account get-access-token --output json --resource https://management.core.windows.net

  1. Update Visual Studio and packages to the latest version.

  2. Exclude the credential with the ExcludeXXXCredential property.

  3. Please note that credentials such as the InteractiveBrowserCredential, which require user interaction, are not included by default. You may have to enable or disable the required credentials when constructing the DefaultAzureCredential, for example by setting includeInteractiveCredentials to true, or the ExcludeInteractiveBrowserCredential property to false in DefaultAzureCredentialOptions.

    Try setting ExcludeVisualStudioCredential to true if the above steps don't resolve the issue. Or you can include the Azure CLI credential or others for user authentication.

    var options = new DefaultAzureCredentialOptions()
    {
    
        ExcludeAzurePowerShellCredential = true,
        ExcludeEnvironmentCredential = true,
        ExcludeAzureCliCredential = true,
        ExcludeInteractiveBrowserCredential = false,
        ExcludeManagedIdentityCredential = true,
        ExcludeSharedTokenCacheCredential = true,
        ExcludeVisualStudioCodeCredential = true,
        ExcludeVisualStudioCredential = false
    };
    
    var cred = new DefaultAzureCredential(options);
    
  4. Please ensure that the correct role is assigned to the account being used, specific to that service, rather than an overall subscription role such as Owner for the subscription.

  5. Ensure that the relevant environment variables are set prior to running the application.

• To authenticate a service principal which is using a client secret, ensure the variables AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_CLIENT_SECRET are properly set.

• And for managed identity for App Service, make sure it is configured properly and that environment variables like MSI_ENDPOINT and MSI_SECRET have been set in the environment. Instructions can be found here.

Please check Troubleshooting · GitHub

References:

  1. azure sdk for net issues.github
  2. Configure managed identities with Azure App Configuration | Microsoft Docs

Upvotes: 0
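
One way to combine the answers above, as an added example that is not from the thread or from the Azure SDK documentation: the credential is chosen per environment, so a development PC never probes the managed identity endpoint at 169.254.169.254 (the Azure Instance Metadata Service address, reachable only from inside Azure compute), and Visual Studio is pinned to an explicit tenant. The `AzureTenantId` configuration key and the two helper names are hypothetical; the other keys are the ones used in the question.

```csharp
// Added example, not code from the thread. Targets the .NET 6 minimal hosting
// model with Azure.Identity and
// Microsoft.Extensions.Configuration.AzureAppConfiguration referenced.
using Azure.Core;
using Azure.Identity;

var builder = WebApplication.CreateBuilder(args);

// "EshopClone:AppConfiguration" and "UserAssignedMIClientId" come from the
// question; "AzureTenantId" is a hypothetical key introduced for this example.
string? appConfigStore = builder.Configuration.GetConnectionString("EshopClone:AppConfiguration");
string? miClientId = builder.Configuration["UserAssignedMIClientId"];
string? tenantId = builder.Configuration["AzureTenantId"];

// Development: developer sign-in only. Hosted in Azure: the user-assigned
// managed identity only, so no developer credential is ever consulted there.
TokenCredential credential = builder.Environment.IsDevelopment()
    ? CreateDeveloperCredential(tenantId)
    : new ManagedIdentityCredential(miClientId);

// Fail at startup with one clear message instead of deep inside the
// configuration provider.
EnsureKeyVaultTokenAvailable(credential);

builder.Host.ConfigureAppConfiguration(config =>
{
    config.AddAzureAppConfiguration(options =>
    {
        options.Connect(appConfigStore)
            .ConfigureKeyVault(kv => kv.SetCredential(credential));
    });
});

var app = builder.Build();
app.Run();

// Hypothetical helper: builds the credential chain for a developer machine.
static TokenCredential CreateDeveloperCredential(string? tenantId)
{
    var options = new DefaultAzureCredentialOptions
    {
        // A development PC has no route to 169.254.169.254, so skip the probe.
        ExcludeManagedIdentityCredential = true,
        // Not used in this setup; excluding them keeps the failure log short.
        ExcludeEnvironmentCredential = true,
        ExcludeSharedTokenCacheCredential = true,
        ExcludeVisualStudioCodeCredential = true,
    };

    // A personal (live.com) account signed in to Visual Studio is resolved
    // against the wrong tenant unless the tenant is stated explicitly; that is
    // the AADSTS50020 error in the question's log.
    if (!string.IsNullOrWhiteSpace(tenantId))
    {
        options.VisualStudioTenantId = tenantId;
    }

    return new DefaultAzureCredential(options);
}

// Hypothetical helper: requests one Key Vault token up front. The scope is the
// one shown in the question's log. The token value itself is never printed.
static void EnsureKeyVaultTokenAvailable(TokenCredential credential)
{
    var context = new TokenRequestContext(new[] { "https://vault.azure.net/.default" });
    try
    {
        AccessToken token = credential.GetToken(context, CancellationToken.None);
        Console.WriteLine($"Key Vault token acquired; expires {token.ExpiresOn:u}.");
    }
    catch (AuthenticationFailedException ex)
    {
        // CredentialUnavailableException derives from AuthenticationFailedException,
        // so both "no credential available" and "sign-in rejected" land here.
        throw new InvalidOperationException(
            "No credential could obtain a Key Vault token. Check the tenant ID, " +
            "the signed-in account, and the identity's access to the vault.", ex);
    }
}
```

Obtaining a token only proves that authentication works; the identity still needs read access to the secrets in the Key Vault, as the second answer points out.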
