Description
AdalUserMismatchException thrown when accessing multiple tenants
The original name of our Azure AD was @teamneusta.onmicrosoft.com. Our users were invited to several customer Azure ADs as guest users. Customers granted us different rights using RBAC in their azure subscriptions.
Some days ago, our Azure AD was merged/synchronized with our On-Premise AD and our login names changed from @teamneusta.onmicrosoft.com to @neusta.de.
We can still access the customers' resources without any issues, but we cannot use PowerShell to access their services. When running Get-AzureRmSubscription -TenantID $tenantid, we get WARNUNG: Unable to acquire token for tenant 'a461a7f3-....' errors.
The problem is that Azure still reports the old user names from the tenants during login. Internally, the PowerShell module validates the reported user name against the login name and throws an AdalUserMismatchException.
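To find out which guest tenants still return the pre-migration UPN, the following diagnostic probes every tenant the home account can see and reports where token acquisition fails. This is an added example, not code from the issue or the AzureRM module; it assumes an existing AzureRM 5.x session and that the failure surfaces as the "Unable to acquire token" warning quoted above.

```powershell
# Added diagnostic (not part of the original issue). Assumes Connect-AzureRmAccount
# has already been run for the home tenant and that stale guest UPNs surface as
# "Unable to acquire token for tenant ..." warnings on Get-AzureRmSubscription.
function Test-TenantTokenAcquisition {
    param(
        # Tenant IDs to probe; defaults to every tenant visible to the signed-in account.
        [string[]] $TenantId = (Get-AzureRmTenant | Select-Object -ExpandProperty Id)
    )

    foreach ($id in $TenantId) {
        $warnings = @()
        # Capture the warning stream instead of letting it scroll past in the console.
        $subs = Get-AzureRmSubscription -TenantId $id `
            -WarningVariable warnings -WarningAction SilentlyContinue `
            -ErrorAction SilentlyContinue

        $failed = @($warnings | Where-Object { $_ -match 'Unable to acquire token' })

        [pscustomobject]@{
            TenantId          = $id
            SubscriptionCount = @($subs).Count
            TokenAcquired     = ($failed.Count -eq 0)
            Warning           = ($failed -join '; ')
        }
    }
}

# Tenants listed with TokenAcquired = False are the guest directories whose
# returned user name no longer matches the new login name (user_mismatch).
Test-TenantTokenAcquisition | Format-Table -AutoSize
```

Run with `$DebugPreference = 'Continue'` to also see the RequestedUser/ReturnedUser pair for each failing tenant, as in the debug output below.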
Module Version
```
ModuleType Version Name    ExportedCommands
---------- ------- ----    ----------------
Script     5.7.0   AzureRM
```
Environment Data
```
Name                           Value
----                           -----
PSVersion                      5.1.17134.48
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.17134.48
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
```
Debug Output
```
DEBUG: 06/07/2018 19:08:29: - WindowsFormsWebAuthenticationDialogBase: Navigating to 'https://login.microsoftonline.com/<REMOVED>/oauth2/authorize?resource=https://management.core.windows.net/&client_id=<REMOVED>2&response_type=code&haschrome=1&redirect_uri=urn:ietf:wg:oauth:2.0:oob&[email protected]&client-request-id=<REMOVED>&prompt=attempt_none&amr_values=pwd&x-client-SKU=.NET&x-client-Ver=2.28.3.860&x-client-CPU=x64&x-client-OS=Microsoft Windows NT 10.0.17134.0&site_id=501358&display=popup'.
DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Error: 4 :
DEBUG: 06/07/2018 19:08:30: 568fbec4-c0d3-472f-8f79-71c679b5232e - <RunAsync>d__0: Microsoft.IdentityModel.Clients.ActiveDirectory.AdalUserMismatchException: User '[email protected]' returned by service does not match user '[email protected]' in the request
   bei Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenInteractiveHandler.PostTokenRequest(AuthenticationResult result)
   bei Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenHandlerBase.<RunAsync>d__0.MoveNext()
ErrorCode: user_mismatch
RequestedUser: [email protected]
ReturnedUser: [email protected]
```