Improve azd pipeline config error message when it fails in a Codespace due to Conditional Access Policy #4559

JeffreyCA opened this issue Nov 14, 2024 · 3 comments · May be fixed by #4585

JeffreyCA commented Nov 14, 2024

Output from azd version
azd version 1.11.0 (commit 5b92e06)

Describe the bug
When running azd pipeline config on an azd template inside of a GitHub Codespace, if I originally authenticated using azd auth login, it can fail while trying to create the service principal:

[screenshot]

The error message says to run azd auth login --scope https://graph.microsoft.com/.default to reauthenticate, but that fails with:
[screenshot]

The solution to this issue was to follow the steps in https://learn.microsoft.com/en-us/azure/developer/azure-developer-cli/troubleshoot?tabs=Browser#azd-pipeline-config-failure-due-to-conditional-access-policy to instead authenticate using azd auth login --use-device-code=false, which isn't clear from the original error message.

Running azd pipeline config --debug 2> debug.log in debug mode reveals the following error:

2024/11/14 23:26:54 main.go:50: Retry: =====> Try=1 for GET https://graph.microsoft.com/v1.0/applications(appId='az-dev-11-14-2024-23-26-54')
2024/11/14 23:26:54 azd_credential.go:37: POST https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/token
--------------------------------------------------------------------------------
RESPONSE 400: 400 Bad Request
--------------------------------------------------------------------------------
{
  "error": "invalid_grant",
  "error_description": "AADSTS50005: User tried to log in to a device from a platform (Unknown) that's currently not supported through Conditional Access policy. Supported device platforms are: iOS, Android, Mac, and Windows flavors. Trace ID: cba361ee-c55a-4a28-a4ed-84f5d5143600 Correlation ID: 6af12d70-5003-4f3a-b6ac-8237166bea1c Timestamp: 2024-11-14 23:26:54Z",
  "error_codes": [
    50005
  ],
  "timestamp": "2024-11-14 23:26:54Z",
  "trace_id": "cba361ee-c55a-4a28-a4ed-84f5d5143600",
  "correlation_id": "6af12d70-5003-4f3a-b6ac-8237166bea1c"
}
--------------------------------------------------------------------------------

To Reproduce

  1. Open a template in a GitHub Codespace (e.g. https://codespaces.new/Azure-Samples/openai-chat-vision-quickstart)
  2. Run azd auth login
  3. Run azd pipeline config

Expected behavior
It may be helpful to surface the underlying error message (AADSTS50005: User...) to the output without needing --debug.

The current error message could also be improved to maybe suggest doing azd auth login --use-device-code=false or point to that troubleshooting article https://learn.microsoft.com/en-us/azure/developer/azure-developer-cli/troubleshoot?tabs=Browser#azd-pipeline-config-failure-due-to-conditional-access-policy

Environment
Information on your environment: GitHub Codespace

Additional context
@weikanglim, feel free to add your thoughts 🙂

weikanglim (Contributor) commented

Thanks @JeffreyCA for the detailed write up!

From what I've gathered, I think we'd want to:

  1. Provide a more detailed error message, and;
  2. Move the error text for "reauthentication required" into a suggestion (see ErrorWithSuggestion)

This would all end up contributing towards a better UX experience here.

Ideas

  1. Instead of:

     • failed creating application '': reauthentication required ...

     consider:

     • failed creating application '': acquiring token from <login.microsoftonline.com>: received response 'invalid_grant': AADSTS50005: User tried to log in to a device from a platform (Unknown) that's currently not supported through Conditional Access policy. ...

  2. For non-terminal errors, print out the suggestion at the end:

     Suggestion: Run `azd auth login --scope <scope>` to acquire a new token

Full example

Non-terminal error (default):

failed creating application '': acquiring token from <login.microsoftonline.com>: received response 'invalid_grant': AADSTS50005: token expired
Suggestion: Run `azd auth login --scope <scope>` to acquire a new token

Terminal error:

failed creating application '': acquiring token from <login.microsoftonline.com>: received response 'invalid_grant': AADSTS50005: User tried to log in to a device from a platform (Unknown)

That's where I'm at currently, but I'm always open to any suggestions.

@JeffreyCA FYI, I marked this as a 'good-first-issue' since this is a small error handling task; feel free to pick it up if you'd like, but otherwise we can keep it around for later.

JeffreyCA commented Nov 15, 2024

Thanks for the suggestions.

Could you clarify why we'd want to keep the current suggestion, even though it may not help in this specific case? Is it related to this being Codespace-specific and that there are other situations where azd auth login --scope <scope> would actually work?

Also, could you explain what you mean by "terminal" vs. "non-terminal" errors?

@JeffreyCA JeffreyCA self-assigned this Nov 22, 2024
@JeffreyCA JeffreyCA linked a pull request Nov 22, 2024 that will close this issue
@rajeshkamal5050 rajeshkamal5050 modified the milestones: Backlog, Nov 2024 Nov 25, 2024
weikanglim commented Nov 26, 2024

Certainly. I meant "terminal" as in terminal state, i.e. non-recoverable error -- one that the user won't be able to fix by re-running the login command.

In this particular case, the error code AADSTS50005 suggests that the device is untrusted and won't be fixed regardless of re-running the login command.
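The following is an added example, not azd's own code and not posted by anyone in this thread, showing the error handling the two comments above describe: parse the token endpoint's JSON error body, surface the AADSTS text itself, treat AADSTS50005 as a terminal (non-recoverable) error returned without a suggestion, and attach the `azd auth login --scope <scope>` suggestion only to recoverable grant failures. `ErrorWithSuggestion` here is a stand-in with an assumed shape, the set of terminal codes is an assumption, `classifyTokenError` and `render` are hypothetical helper names, and both sample bodies are constructed (the first shortens the AADSTS50005 response from the debug log; the second is a made-up expired-grant response).

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// aadErrorResponse mirrors the JSON error body that login.microsoftonline.com
// returns on a failed token request (the shape seen in the debug log above).
type aadErrorResponse struct {
	Error            string `json:"error"`
	ErrorDescription string `json:"error_description"`
	ErrorCodes       []int  `json:"error_codes"`
	CorrelationID    string `json:"correlation_id"`
}

// ErrorWithSuggestion is a stand-in (assumed shape, not azd's real type) for an
// error that carries a one-line suggestion shown after the message.
type ErrorWithSuggestion struct {
	Err        error
	Suggestion string
}

func (e *ErrorWithSuggestion) Error() string { return e.Err.Error() }
func (e *ErrorWithSuggestion) Unwrap() error { return e.Err }

// terminalCodes are AADSTS codes that re-running `azd auth login` cannot fix.
// 50005 (Conditional Access platform rejection) comes from the thread; keeping
// the set as an explicit allowlist is this example's assumption.
var terminalCodes = map[int]bool{50005: true}

// classifyTokenError turns a token-endpoint failure into the user-facing error.
// Terminal errors come back bare; recoverable ones carry a re-login suggestion.
func classifyTokenError(status int, body []byte, scope string) error {
	var resp aadErrorResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return fmt.Errorf("acquiring token from login.microsoftonline.com: HTTP %d with unparseable body: %w", status, err)
	}
	// Surface the AADSTS text itself instead of a generic "reauthentication required".
	base := fmt.Errorf("acquiring token from login.microsoftonline.com: received response '%s': %s",
		resp.Error, resp.ErrorDescription)
	for _, code := range resp.ErrorCodes {
		if terminalCodes[code] {
			return base // terminal state: no suggestion, re-login will not help
		}
	}
	if resp.Error == "invalid_grant" || resp.Error == "interaction_required" {
		return &ErrorWithSuggestion{
			Err:        base,
			Suggestion: fmt.Sprintf("Run `azd auth login --scope %s` to acquire a new token", scope),
		}
	}
	return base
}

// render prints the error the way the thread proposes: the chained message,
// then a "Suggestion:" line only when the error carries one.
func render(operation string, err error) string {
	out := fmt.Sprintf("%s: %v", operation, err)
	var ews *ErrorWithSuggestion
	if errors.As(err, &ews) {
		out += "\nSuggestion: " + ews.Suggestion
	}
	return out
}

// Constructed sample bodies (not captured from a live tenant). The first
// shortens the AADSTS50005 response from the debug log; the second is a
// made-up expired-grant response standing in for a recoverable case.
const sampleConditionalAccessBody = `{
  "error": "invalid_grant",
  "error_description": "AADSTS50005: User tried to log in to a device from a platform (Unknown) that's currently not supported through Conditional Access policy.",
  "error_codes": [50005],
  "correlation_id": "6af12d70-5003-4f3a-b6ac-8237166bea1c"
}`

const sampleExpiredGrantBody = `{
  "error": "invalid_grant",
  "error_description": "AADSTS70008: The provided authorization code or refresh token has expired due to inactivity.",
  "error_codes": [70008],
  "correlation_id": "00000000-0000-0000-0000-000000000000"
}`

func main() {
	scope := "https://graph.microsoft.com/.default"
	for _, body := range []string{sampleConditionalAccessBody, sampleExpiredGrantBody} {
		err := classifyTokenError(400, []byte(body), scope)
		fmt.Println(render("failed creating application ''", err))
		fmt.Println()
	}
}
```

The design choice worth keeping from the thread is that the terminal set is explicit: an AADSTS code the allowlist does not know falls through to the recoverable path and gets the re-login suggestion, which at worst sends the user back through `azd auth login`, whereas misclassifying a policy rejection as recoverable is exactly the loop the original report describes.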

@rajeshkamal5050 rajeshkamal5050 modified the milestones: Nov 2024, Dec 2024 Dec 2, 2024