`Get-AzAccessToken -ResourceUrl "https://management.azure.com/"` fails when signed in using the `-AccessToken` parameter.

[shenglol]

Description

If users sign in using:

Connect-AzAccount -AccessToken

then running the following command:

Get-AzAcessToken -ResourceUrl "https//management.azure.com/"

will fail with the error:

Get-AzAccessToken: [AccessTokenAuthenticator] failed to retrieve access token for resource 'https://management.azure.com/';. Please ensure that you have provided the appropriate access tokens when using access token login.

However, Get-AzAcessToken -ResourceUrl "https//management.core.windows.net/" does work.

Also, if users authenticate using any other method (e.g., interactive, device code) without specifying -AccessToken, then both of the following succeed:

Get-AzAccessToken -ResourceUrl "https://management.azure.com/"
Get-AzAccessToken -ResourceUrl "https://management.core.windows.net/"

The issue seems to be related to #13527.

Could this be an edge case that the Connect-AzAccount cmdlet fail to handle?

Issue script & Debug output

Get-AzAccessToken -ResourceUrl "https://management.azure.com/" -Debug
DEBUG: 5:13:37 PM - [ConfigManager] Got nothing from [DisplaySecretsWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 5:13:37 PM - GetAzureRmAccessTokenCommand begin processing with ParameterSet 'ResourceUrl'.
DEBUG: 5:13:37 PM - using account id 'shenglol'...
DEBUG: 5:13:37 PM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [Az.Accounts], Cmdlet = [Get-AzAccessToken]. Returning default value [True].
DEBUG: 5:13:37 PM - [ConfigManager] Got nothing from [DisableInstanceDiscovery], Module = [], Cmdlet = []. Returning default value [False].
DEBUG: 5:13:37 PM - [ConfigManager] Got nothing from [EnableErrorRecordsPersistence], Module = [Az.Accounts], Cmdlet = [Get-AzAccessToken]. Returning default value [False].
Get-AzAccessToken: [AccessTokenAuthenticator] failed to retrieve access token for resource 'https://management.azure.com/';. Please ensure that you have provided the appropriate access tokens when using access token login.
DEBUG: 5:13:37 PM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [Az.Accounts], Cmdlet = [Get-AzAccessToken]. Returning default value [True].
DEBUG: 5:13:37 PM - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 5:13:37 PM - [ConfigManager] Got nothing from [CheckForUpgrade], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent:  Module: Az.Accounts:5.1.0; CommandName: Get-AzAccessToken; PSVersion: 7.5.1; IsSuccess: False; Duration: 00:00:00.0081732; SanitizeDuration: 00:00:00; Exception: [AccessTokenAuthenticator] failed to retrieve access token for resource 'https://management.azure.com/';. Please ensure that you have provided the appropriate access tokens when using access token login.;
DEBUG: 5:13:37 PM - [ConfigManager] Got nothing from [EnableDataCollection], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 5:13:37 PM - GetAzureRmAccessTokenCommand end processing.

Environment data

Name                           Value
----                           -----
PSVersion                      7.5.1
PSEdition                      Core
GitCommitId                    7.5.1
OS                             Microsoft Windows 10.0.22621
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     5.1.0                 Az.Accounts                         {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Clear-AzDefault…}

Error output

Get-AzAccessToken: [AccessTokenAuthenticator] failed to retrieve access token for resource 'https://management.azure.com/';. Please ensure that you have provided the appropriate access tokens when using access token login.

[github-actions]

Here are some similar issues that might help you. Please check if they can solve your problem.

• Get-AzAccessToken fails when specifying resource url for ARM #13527

---

Possible solution (Extracted from existing issue, might be incorrect; please verify carefully)

Solution 1:

Please use Get-AzAccessToken -ResourceUrl "https://management.core.windows.net/", current version doesn't support URL alias yet, it only respects URL from (Get-AzEnvironment).ActiveDirectoryServiceEndpointResourceId, we may do some enhancement later.

Reference:

• Get-AzAccessToken fails when specifying resource url for ARM #13527 (comment)

Solution 2:

"management.core.windows.net" worked, thanks.

Reference:

• Get-AzAccessToken fails when specifying resource url for ARM #13527 (comment)

Powered by issue-sentinel

[isra-fel]

The cmdlet first looks up the actual resource URI according to the passed-in URI, the use it to obtain a token.

In the cases of signing in interactively, since there's a refresh token in the cache, no matter which URI is provided it can always obtain an access token silently.

However, when signing in with -AccessToken, there's no refresh token, meaning that unless the provided URI is an exact match, it cannot acquire a new token.

[isra-fel]

This behavior is by design, but we definitely should guide customers to use -ResourceTypeName for well-known resources, cause it provides superior accessiblity.

For example

Get-AzAccessToken -ResourceTypeName Arm