Az AD cmdlets return a "Continuous Access Evaluation" error from Azure Pipeline

[akvMS]

Description

Running the Azure DevOps pipeline as yaml code and getting the error message "##[error][InvalidAuthenticationToken] : Continuous access evaluation resulted in challenge with result: InteractionRequired and code: LocationConditionEvaluationSatisfied"

trigger: none

pool:
  vmImage: 'windows-latest'

steps:

- task: AzurePowerShell@5
  displayName: 'Get-AzADServicePrincipal - AzurePowerShell@5'
  inputs:
    azureSubscription: 'DEV'
    ScriptType: 'InlineScript'
    azurePowerShellVersion: 'LatestVersion'
    #preferredAzurePowerShellVersion: '12.0.0'
    pwsh: true
    Inline: |
      $ServicePrincipaldisplayName = 'test-app01'
      $sp = Get-AzADServicePrincipal -DisplayName $ServicePrincipaldisplayName
      if (!$sp) {
        throw 'Unable to get service principal'
      }
      $objId = $sp.Id
      Write-Host "ServicePrincipal ObjectId: $objId"

Issue script & Debug output

##[debug]Error record:
##[debug]Get-AzADServicePrincipal_List: C:\Modules\az_12.5.0\Az.Resources\7.6.0\MSGraph.Autorest\custom\Get-AzADServicePrincipal.ps1:221
##[debug]Line |
##[debug] 221 |      Az.MSGraph.internal\Get-AzADServicePrincipal @PSBoundParameters
##[debug]     |      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
##[debug]     | Continuous access evaluation resulted in challenge with result: InteractionRequired and code:
##[debug]     | LocationConditionEvaluationSatisfied
##[debug]
##[debug]Script stack trace:
##[debug]at Get-AzADServicePrincipal<Process>, C:\Modules\az_12.5.0\Az.Resources\7.6.0\MSGraph.Autorest\internal\ProxyCmdletDefinitions.ps1: line 1692
##[debug]at Get-AzADServicePrincipal<Process>, C:\Modules\az_12.5.0\Az.Resources\7.6.0\MSGraph.Autorest\custom\Get-AzADServicePrincipal.ps1: line 221
##[debug]at Get-AzADServicePrincipal<Process>, C:\Modules\az_12.5.0\Az.Resources\7.6.0\MSGraph.Autorest\exports\ProxyCmdletDefinitions.ps1: line 5283
##[debug]at <ScriptBlock>, D:\a\_temp\e7f9b4db-0e3e-4623-bf0c-c22df142d66a.ps1: line 54
##[debug]at <ScriptBlock>, <No file>: line 1
##[debug]Exception:
##[debug]System.Exception: [InvalidAuthenticationToken] : Continuous access evaluation resulted in challenge with result: InteractionRequired and code: LocationConditionEvaluationSatisfied
##[error][InvalidAuthenticationToken] : Continuous access evaluation resulted in challenge with result: InteractionRequired and code: LocationConditionEvaluationSatisfied
##[debug]Processed: ##vso[task.logissue source=TaskInternal;type=error][InvalidAuthenticationToken] : Continuous access evaluation resulted in challenge with result: InteractionRequired and code: LocationConditionEvaluationSatisfied
##[debug]Exit code: 1
##[debug]Leaving Invoke-VstsTool.
##[error]PowerShell exited with code '1'.
##[debug]Processed: ##vso[task.logissue correlationId=3371b477-c5aa-4ccb-9398-d389e753df72;source=TaskInternal;type=error]PowerShell exited with code '1'.
##[debug]Processed: ##vso[task.complete result=Failed]Error detected

Environment data

Starting: Get-AzADServicePrincipal - AzurePowerShell@5
==============================================================================
Task         : Azure PowerShell
Description  : Run a PowerShell script within an Azure environment
Version      : 5.257.0
Author       : Microsoft Corporation
Help         : https://aka.ms/azurepowershelltroubleshooting
==============================================================================

Module versions

Name              : Az.Accounts
Path              : C:\Modules\az_12.5.0\Az.Accounts\5.1.1\Az.Accounts.psm1
Description       : Microsoft Azure PowerShell - Accounts credential management cmdlets for Azure Resource Manager in 
                    Windows PowerShell and PowerShell Core.
                    
                    For more information on account credential management, please visit the following: 
                    https://learn.microsoft.com/powershell/azure/authenticate-azureps
Guid              : 17a2feff-488b-47f9-8729-e2cec094624c
Version           : 5.1.1
ModuleBase        : C:\Modules\az_12.5.0\Az.Accounts\5.1.1
ModuleType        : Script
PrivateData       : {[PSData, System.Collections.Hashtable]}
AccessMode        : ReadWrite
ExportedAliases   : {[Add-AzAccount, Add-AzAccount], [Get-AzDomain, Get-AzDomain], [Invoke-AzRest, Invoke-AzRest], 
                    [Login-AzAccount, Login-AzAccount]…}
ExportedCmdlets   : {[Add-AzEnvironment, Add-AzEnvironment], [Clear-AzConfig, Clear-AzConfig], [Clear-AzContext, 
                    Clear-AzContext], [Clear-AzDefault, Clear-AzDefault]…}
ExportedFunctions : {}
ExportedVariables : {}
NestedModules     : {Microsoft.Azure.PowerShell.Cmdlets.Accounts}

Error output

[github-actions]

Here are some similar issues that might help you. Please check if they can solve your problem.

• Az AD cmdlets return a "Continuous Access Evaluation" error. #16766

---

Possible solution (Extracted from existing issue, might be incorrect; please verify carefully)

Solution 1:

To temporarily disable CAE in Azure PowerShell, set the environment variable AZURE_IDENTITY_DISABLE_CP1 to true, disconnect the Azure account, and reconnect:

$env:AZURE_IDENTITY_DISABLE_CP1="true" 
Disconnect-AzAccount
Connect-AzAccount

Reference:

• Az AD cmdlets return a "Continuous Access Evaluation" error. #16766 (comment)
• Az AD cmdlets return a "Continuous Access Evaluation" error. #16766 (comment)

Solution 2:

Create a new conditional access rule applying to all cloud apps, but no other conditions. Under the session access controls, set 'customize continuous access evaluation' to 'disable'. After disconnecting and reconnecting the Azure PowerShell session, the commands should run without error. You can disable or delete the conditional access rule when you're done so CAE is enabled again. Reference: https://www.vansurksum.com/2021/10/30/continuous-access-evaluation-configuration-is-now-part-of-conditional-access

Reference:

• Az AD cmdlets return a "Continuous Access Evaluation" error. #16766 (comment)

Solution 3:

Upgrade to Az.Accounts version 2.7.3 or later, which includes support for CAE. If you need to install a preview version, use the following commands:

Install-Module -Name Az.Tools.Installer -Repository PSGallery -RequiredVersion 0.2.0
Install-AzModule -Path https://azposhpreview.blob.core.windows.net/public/Az.Accounts.2.7.999.nupkg

Reference:

• Az AD cmdlets return a "Continuous Access Evaluation" error. #16766 (comment)
• Az AD cmdlets return a "Continuous Access Evaluation" error. #16766 (comment)

Powered by issue-sentinel

[isra-fel]

Quick question @akvMS which type of authentication does the service connection 'DEV' have? Is it a service principal or

[akvMS]

Quick question @akvMS which type of authentication does the service connection 'DEV' have? Is it a service principal or

Service connection is created using "workload identity federation".