az aks get-credentials fails with error AADSTS70043 - The refresh token has expired or is invalid due to sign-in frequency checks by conditional access

[BenjaminHerbert]

Describe the bug

Command Name
az aks get-credentials

Errors:

AADSTS70043: The refresh token has expired or is invalid due to sign-in frequency checks by conditional access. The token was issued on 2020-12-07T12:15:47.8520000Z and the maximum allowed lifetime for this request is 172800.
Trace ID: 9958a6aa-3e9b-4470-9df7-7d0603262301
Correlation ID: c215e3d3-39fa-42e5-855c-4d93e362d308
Timestamp: 2020-12-09 13:10:42Z

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

• az aks get-credentials --resource-group {} --name {}

Expected Behavior

I expect that I get valid credentials. If not working, due to some expired token, I expect that I am asked to relogin and fetch a valid token. If not, at least some information what to do to resolve the error.

Environment Summary

Linux-5.9.11-100.fc32.x86_64-x86_64-with-glibc2.2.5
Python 3.8.6
Installer: RPM

azure-cli 2.16.0

Extensions:
azure-devops 0.18.0

Additional Context

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @Azure/aks-pm.

Issue Details

---

Describe the bug

Command Name
az aks get-credentials

Errors:

AADSTS70043: The refresh token has expired or is invalid due to sign-in frequency checks by conditional access. The token was issued on 2020-12-07T12:15:47.8520000Z and the maximum allowed lifetime for this request is 172800.
Trace ID: 9958a6aa-3e9b-4470-9df7-7d0603262301
Correlation ID: c215e3d3-39fa-42e5-855c-4d93e362d308
Timestamp: 2020-12-09 13:10:42Z

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

• az aks get-credentials --resource-group {} --name {}

Expected Behavior

I expect that I get valid credentials. If not working, due to some expired token, I expect that I am asked to relogin and fetch a valid token. If not, at least some information what to do to resolve the error.

Environment Summary

Linux-5.9.11-100.fc32.x86_64-x86_64-with-glibc2.2.5
Python 3.8.6
Installer: RPM

azure-cli 2.16.0

Extensions:
azure-devops 0.18.0

Additional Context

Author:	BenjaminHerbert
Assignees:	-
Labels:	AKS, Service Attention
Milestone:	-

[jerry-santana]

@BenjaminHerbert were you able to fix it? I'm facing the same issue!

[jongio]

I'm seeing this with az account get-access-token as well.

adal.adal_error.AdalError: Get Token request returned http error: 400 and server response: {"error":"interaction_required","error_description":"AADSTS70043: The refresh token has expired or is invalid due to sign-in frequency checks by conditional access. The token was issued on 2021-01-21T18:58:33.5955295Z and the maximum allowed lifetime for this request is 43200.\r\nTrace ID: 663734d6-d237-4d25-a2e9-5c0db0e79600\r\nCorrelation ID: d2aee7e8-ca4d-4448-a3c1-a97b2fcbc2ff\r\nTimestamp: 2021-01-23 00:02:57Z","error_codes":[70043],"timestamp":"2021-01-23 00:02:57Z","trace_id":"663734d6-d237-4d25-a2e9-5c0db0e79600","correlation_id":"d2aee7e8-ca4d-4448-a3c1-a97b2fcbc2ff","suberror":"token_expired"}

This shouldn't throw an exception. It should fail gracefully.

azsdke2e
azsdke2e2

[fengzhou-msft]

Rerun az login and CLI should get a new refresh token and fix the error. @jiasli @houk-ms to follow up on better error handling for this case.

[jongio]

Yeah, az login fixes it, just shouldn't be a code exception, more like an error would be great.

[amitlals]

I received this error while pulling heavy-weight docker to my registry, what should I do? any inputs highly appreciated.

AADSTS70043: The refresh token has expired or is invalid due to sign-in frequency checks by conditional access. The token was issued on 2021-02-24T05:50:44.4338824Z and the maximum allowed lifetime for this request is 43200

[sherdana]

az login doesn't fix it for me