Az module is using device authentication as default authentication type, however the device authentication cannot pass the device info in the session hence caused CA policy block.

[Faith921]

Description

Hi team,
Cx has encountered the issue when fetching secret in KV using compliant device.
Background information:
The organization has a CA policy which only allows complaint device access
The Powershell version is 7. As documented, when PS version is 7, device authentication is set as default authentication type.

Then following issue happens:
Run the command Connect-azaccount, this trigger device authentication.
Then cx has been re-directed to device authentication page, pasted the code and then being requested for user credential sign in.
Cx account has successfully signed in to the Powershell session then.
Then we use this command Set-AzContext Pulsars(subscription name) to locate the subscription ID where the Key Vault is stored and it works fine.
However when we try to fetch the Key Vault Secret using the command Get-AzKeyVaultSecret, it seems that the sign-in session does not pass the device status information and getting blocked by CA policy: ‘Security - Non-compliant InTune Devices’

The fact is cx's device is compliant already. We have engaged AAD Auth colleague and they have explained that
when we run the “Connect-azaccount” and trigger device authentication, you need to open a browser outside of PowerShell to finish the device code auth. The whole authentication progress will be accomplished in the browser scope, which will make the PowerShell cannot get the device info. And when you run the command “Get-AzKeyVaultSecret”, PowerShell cannot pop up a browser window to utilize the PRT to get device info. That’s why you will meet the error.

This seems to be a design behavior for device authentication, but as indicated PS 7 will use device auth as default authentication type, more and more customer may encounter the issue in the future.

We have consulted our Key Vault product group, they have advised that since AKV dev team doesn't really own the PowerShell modules, especially the auth infrastructure and The error interaction_required looks like PSH is refusing to show a pop-up window for collecting credentials. Indeed best to involve Azure Powershell team.

Thank you in advance and please let me know if anything else needed from my side.

Steps to reproduce

Environment data

Module versions

Debug output

Error output

[dingmeng-xue]

@Faith921 , CA policy makes behavior is different from normal path. We'd like to get more information before solution.

Is it possible you upgrade Az.Accounts to the latest preview release 2.0.1-preview and try again?

[erich-wang]

@Faith921, is the compliant device CA policy applying to KeyVault only? Which Cloud App do you choose in the step "Cloud apps or actions" during creating CA policy?

[Faith921]

Hi Erich, Thanks for your checking. Basically the CA policy is not applied to Key Vault only but to all cloud apps and excluded a few other Cloud App. So Key Vault scenario should be in the CA policy scope. We have tested the same in our environment and this behavior can be reproduced. Best Regards, Faith Deng Support Engineer Azure – Identity +86 2152638155 Working Hours: M-F, 7:00am – 4:00pm GMT+8 Need help outside of my working hours? Locate an engineer: azurebu@microsoft.com<mailto:azurebu@microsoft.com> Manager: tao.ma@microsoft.com<mailto:tao.ma@microsoft.com> [Image result for microsoft logo] From: erich-wang <notifications@github.com> Sent: Friday, September 4, 2020 14:29 To: Azure/azure-powershell <azure-powershell@noreply.github.com> Cc: Faith Deng <Shengyu.Deng@microsoft.com>; Mention <mention@noreply.github.com> Subject: Re: [Azure/azure-powershell] Az module is using device authentication as default authentication type, however the device authentication cannot pass the device info in the session hence caused CA policy block. (#12844) @Faith921<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.jpy.wang%2FFaith921&data=02%7C01%7CShengyu.Deng%40microsoft.com%7C1ea4d9569efc4c74c9b708d8509bcffc%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637347977433757658&sdata=W0sgXLcHJGP9WyYq%2FdunOd54QZmCqk5m2Nrq5iZJ5qY%3D&reserved=0>, is the compliant device CA policy applying to KeyVault only? Which Cloud App do you choose in the step "Cloud apps or actions" during creating CA policy? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.jpy.wang%2FAzure%2Fazure-powershell%2Fissues%2F12844%23issuecomment-686941926&data=02%7C01%7CShengyu.Deng%40microsoft.com%7C1ea4d9569efc4c74c9b708d8509bcffc%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637347977433757658&sdata=lMZyJQAeDH1DdUboD5cq%2B4g%2B8pQ5IWhQGUOEB%2Fy85Lo%3D&reserved=0>, or unsubscribe<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.jpy.wang%2Fnotifications%2Funsubscribe-auth%2FAQ3IUIDLRV2SSCFNNU7UG43SECCKZANCNFSM4QULIQ6A&data=02%7C01%7CShengyu.Deng%40microsoft.com%7C1ea4d9569efc4c74c9b708d8509bcffc%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637347977433767653&sdata=U9fQb0TduCgUHi6F%2BaZyTAvasGU7gV5tC56wiz2ZXCk%3D&reserved=0>.

[Faith921]

Hi Dingmeng, We tried to upgrade the Az.Account on our Win 10 VM, however failed the same with below errors on multiple machines: [cid:image002.jpg@01D682D8.48C93120] Could you please kindly help and advise if the command is correct to update Az.Account? Thank you in advance, Faith From: Dingmeng Xue <notifications@github.com> Sent: Friday, September 4, 2020 13:14 To: Azure/azure-powershell <azure-powershell@noreply.github.com> Cc: Faith Deng <Shengyu.Deng@microsoft.com>; Mention <mention@noreply.github.com> Subject: Re: [Azure/azure-powershell] Az module is using device authentication as default authentication type, however the device authentication cannot pass the device info in the session hence caused CA policy block. (#12844) @Faith921<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.jpy.wang%2FFaith921&data=02%7C01%7CShengyu.Deng%40microsoft.com%7C218d89dabe80486a233908d850914d73%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637347932292514183&sdata=ZReFvvo64KCsDPqJb%2BI8mJRpE6%2FZi4m%2F3kilid7mcQs%3D&reserved=0> , CA policy makes behavior is different from normal path. We'd like to get more information before solution. Is it possible you upgrade Az.Accounts to the latest preview release 2.0.1-preview and try again? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.jpy.wang%2FAzure%2Fazure-powershell%2Fissues%2F12844%23issuecomment-686911792&data=02%7C01%7CShengyu.Deng%40microsoft.com%7C218d89dabe80486a233908d850914d73%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637347932292524179&sdata=kEh3xIVFwr7NxwyGoM7kDfmL10g5fCj5VrMBDr7pOL4%3D&reserved=0>, or unsubscribe<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.jpy.wang%2Fnotifications%2Funsubscribe-auth%2FAQ3IUIEECQCUCJAUP6BT2ZTSEBZQXANCNFSM4QULIQ6A&data=02%7C01%7CShengyu.Deng%40microsoft.com%7C218d89dabe80486a233908d850914d73%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637347932292524179&sdata=7YoSAZA9wrpCZkW8PTTkeo0OPZSNmC5pyZLu%2Ba4%2FpxI%3D&reserved=0>.

[dingmeng-xue]

Install-Module -Name Az.Accounts -AllowPrerelease

Restart your powershell and Connect-AzAccount again. Then you call below code to ensure correct version is loaded.

Get-Module -Name Az.Accounts

[Faith921]

Hi Dingmeng, Thanks for the response. We have installed the latest version of Az.Account module while it seems the it generated a new error indicating the refresh token can not be found when we finished the device authentication outside the Powershell in a browser: [cid:image002.jpg@01D686CE.5692E220] Please note that before we upgrade the version, the session will get refresh token from Powershell, however did not pass CA policy due to lack of device information, however this time, it seems we can not get refresh token at all. If anything else needed from our side, please kindly let us know. Thanks again, Faith From: Dingmeng Xue <notifications@github.com> Sent: Friday, September 4, 2020 16:33 To: Azure/azure-powershell <azure-powershell@noreply.github.com> Cc: Faith Deng <Shengyu.Deng@microsoft.com>; Mention <mention@noreply.github.com> Subject: Re: [Azure/azure-powershell] Az module is using device authentication as default authentication type, however the device authentication cannot pass the device info in the session hence caused CA policy block. (#12844) Install-Module -Name Az.Accounts -AllowPrerelease Restart your powershell and Connect-AzAccount again. Then you call below code to ensure correct version is loaded. Get-Module -Name Az.Accounts — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.jpy.wang%2FAzure%2Fazure-powershell%2Fissues%2F12844%23issuecomment-687008246&data=02%7C01%7CShengyu.Deng%40microsoft.com%7C52968bd3b9784e5020b608d850ad234d%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637348051838517690&sdata=hnBBUvOenNBKgu9%2Ff6WLbr8EUsaJeNCMdOhTYmzI4WA%3D&reserved=0>, or unsubscribe<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.jpy.wang%2Fnotifications%2Funsubscribe-auth%2FAQ3IUIGA4MWVKCKCYKH5WDDSECQ35ANCNFSM4QULIQ6A&data=02%7C01%7CShengyu.Deng%40microsoft.com%7C52968bd3b9784e5020b608d850ad234d%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637348051838517690&sdata=ikhR%2FWKK3iQXefMsW9bqnE49yhPvljnag89C%2FpIXlTE%3D&reserved=0>.