Azure · isra-fel · Jul 3, 2025 · Jul 4, 2025
diff --git a/src/Accounts/Accounts.Test/SilentReAuthByTenantCmdletTest.cs b/src/Accounts/Accounts.Test/SilentReAuthByTenantCmdletTest.cs
@@ -55,9 +55,11 @@ public class SilentReAuthByTenantCmdletTest
         private const string fakeToken = "fakertoken";
 
         private const string body200 = @"{{""value"":[{{""id"":""/tenants/{0}"",""tenantId"":""{0}"",""countryCode"":""US"",""displayName"":""AzureSDKTeam"",""domains"":[""AzureSDKTeam.onmicrosoft.com"",""azdevextest.com""],""tenantCategory"":""Home""}}]}}";
-        private const string body401 = @"{""error"":{""code"":""AuthenticationFailed"",""message"":""Authentication failed.""}}";
-        private const string WwwAuthenticateIP = @"Bearer authorization_uri=""https://login.windows.net/"", error=""invalid_token"", error_description=""Tenant IP Policy validate failed."", claims=""eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwidmFsdWUiOiIxNjEzOTgyNjA2In0sInhtc19ycF9pcGFkZHIiOnsidmFsdWUiOiIxNjcuMjIwLjI1NS40MSJ9fX0=""";
-
+        private const string bodyErrorMessage401 = "Authentication failed.";
+        private const string body401 = @"{""error"":{""code"":""AuthenticationFailed"",""message"":"""+bodyErrorMessage401+@"""}}";
+        private const string claimsChallengeBase64 = "eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwidmFsdWUiOiIxNjEzOTgyNjA2In0sInhtc19ycF9pcGFkZHIiOnsidmFsdWUiOiIxNjcuMjIwLjI1NS40MSJ9fX0=";
+        private const string WwwAuthenticateIP = @"Bearer authorization_uri=""https://login.windows.net/"", error=""invalid_token"", error_description=""Tenant IP Policy validate failed."", claims="""+ claimsChallengeBase64+@"""";
+        private const string identityExceptionMessage = "Exception from Azure Identity.";
         XunitTracingInterceptor xunitLogger;
 
         public class GetAzureRMTenantCommandMock : GetAzureRMTenantCommand
@@ -171,7 +173,7 @@ public void SilentReauthenticateFailure()
                         {
                             return new ValueTask<AccessToken>(new AccessToken(fakeToken, DateTimeOffset.Now.AddHours(1)));
                         }
-                        throw new CredentialUnavailableException("Exception from Azure Identity.");
+                        throw new CredentialUnavailableException(identityExceptionMessage);
                     }
                     ));
                 AzureSession.Instance.RegisterComponent(nameof(AzureCredentialFactory), () => mockAzureCredentialFactory.Object, true);
@@ -191,8 +193,10 @@ public void SilentReauthenticateFailure()
                 // Act
                 cmdlet.InvokeBeginProcessing();
                 AuthenticationFailedException e = Assert.Throws<AuthenticationFailedException>(() => cmdlet.ExecuteCmdlet());
-                string errorMessage = $"Exception from Azure Identity.{Environment.NewLine}authorization_uri: https://login.windows.net/{Environment.NewLine}error: invalid_token{Environment.NewLine}error_description: Tenant IP Policy validate failed.{Environment.NewLine}claims: eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwidmFsdWUiOiIxNjEzOTgyNjA2In0sInhtc19ycF9pcGFkZHIiOnsidmFsdWUiOiIxNjcuMjIwLjI1NS40MSJ9fX0={Environment.NewLine}";
-                Assert.Equal(errorMessage, e.Message);
+                Assert.Contains(identityExceptionMessage, e.Message);
+                Assert.Contains(bodyErrorMessage401, e.Message);
+                Assert.Contains("Connect-AzAccount", e.Message);
+                Assert.Contains(claimsChallengeBase64, e.Message);
                 cmdlet.InvokeEndProcessing();
             }
             finally

diff --git a/src/Accounts/Accounts/ChangeLog.md b/src/Accounts/Accounts/ChangeLog.md
@@ -19,6 +19,7 @@
 -->
 
 ## Upcoming Release
+* Refined the error message when a cmdlet fails because of policy violations about Multi-Factor Authentication (MFA) to provide more actionable guidance.
 
 ## Version 5.1.1
 * Updated the date in the message about multi-factor authentication (MFA). For more details, see https://go.microsoft.com/fwlink/?linkid=2276971

diff --git a/src/Accounts/Accounts/CommonModule/ContextAdapter.cs b/src/Accounts/Accounts/CommonModule/ContextAdapter.cs
@@ -200,14 +200,13 @@ internal async Task<HttpResponseMessage> AuthenticationHelper(IAzureContext cont
             {
                 var response = await next(request, cancelToken, cancelAction, signal);
 
-                if (response.MatchClaimsChallengePattern())
+                if (response.MatchClaimsChallengePattern(out var claimsChallenge))
                 {
                     //get token again with claims challenge
                     if (accessToken is IClaimsChallengeProcessor processor)
                     {
                         try
                         {
-                            var claimsChallenge = ClaimsChallengeUtilities.GetClaimsChallenge(response);
                             if (!string.IsNullOrEmpty(claimsChallenge))
                             {
                                 await processor.OnClaimsChallenageAsync(newRequest, claimsChallenge, cancelToken).ConfigureAwait(false);
@@ -219,7 +218,7 @@ internal async Task<HttpResponseMessage> AuthenticationHelper(IAzureContext cont
                         }
                         catch (AuthenticationFailedException e)
                         {
-                            throw e.WithAdditionalMessage(response?.GetWwwAuthenticateMessage());
+                            throw e.WithAdditionalMessage(ClaimsChallengeUtilities.FormatClaimsChallengeErrorMessage(claimsChallenge, await response?.Content?.ReadAsStringAsync()));
                         }
                     }
                 }

diff --git a/src/Accounts/Authentication/Authentication/IClaimsChallengeProcessor.cs b/src/Accounts/Authentication/Authentication/IClaimsChallengeProcessor.cs
@@ -29,7 +29,7 @@ public interface IClaimsChallengeProcessor
         /// <param name="request">The origin request that responds with a claim challenge</param>
         /// <param name="claimsChallenge">Claims challenge string</param>
         /// <param name="cancellationToken">Cancellation token</param>
-        /// <returns>Successful or not</returns>
+        /// <returns>A boolean indicated whether the request should be retried</returns>
         ValueTask<bool> OnClaimsChallenageAsync(HttpRequestMessage request, string claimsChallenge, CancellationToken cancellationToken);
     }
 }
diff --git a/src/Accounts/Authentication/ClaimsChallengeHandler.cs b/src/Accounts/Authentication/ClaimsChallengeHandler.cs
@@ -14,7 +14,6 @@
 
 using Azure.Identity;
 using System;
-using System.Net;
 using System.Net.Http;
 using System.Threading;
 using System.Threading.Tasks;
@@ -34,18 +33,19 @@ public ClaimsChallengeHandler(IClaimsChallengeProcessor claimsChallengeProcessor
         protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
         {
             var response = await base.SendAsync(request, cancellationToken);
-            if (response.MatchClaimsChallengePattern())
+            if (response.MatchClaimsChallengePattern(out var claimsChallenge))
             {
                 try
                 {
-                    if (await OnChallengeAsync(request, response, cancellationToken))
+                    if (await OnChallengeAsync(claimsChallenge, request, response, cancellationToken))
                     {
                         return await base.SendAsync(request, cancellationToken);
                     }
                 }
                 catch (AuthenticationFailedException e)
                 {
-                    throw e.WithAdditionalMessage(response?.GetWwwAuthenticateMessage());
+                    string additionalErrorMessage = ClaimsChallengeUtilities.FormatClaimsChallengeErrorMessage(claimsChallenge, await response?.Content?.ReadAsStringAsync());
+                    throw e.WithAdditionalMessage(additionalErrorMessage);
                 }
             }
             return response;
@@ -59,14 +59,13 @@ public virtual object Clone()
         /// Executed in the event a 401 response with a WWW-Authenticate authentication challenge header is received after the initial request.
         /// </summary>
         /// <remarks>This implementation handles common authentication challenges such as claims challenges. Service client libraries may derive from this and extend to handle service specific authentication challenges.</remarks>
+        /// <param name="claimsChallenge"></param>
         /// <param name="requestMessage">The HttpMessage to be authenticated.</param>
         /// <param name="cancellationToken">Cancellation token</param>
         /// <param name="responseMessage"></param>
         /// <returns>A boolean indicated whether the request should be retried</returns>
-        protected virtual async Task<bool> OnChallengeAsync(HttpRequestMessage requestMessage, HttpResponseMessage responseMessage, CancellationToken cancellationToken)
+        protected virtual async Task<bool> OnChallengeAsync(string claimsChallenge, HttpRequestMessage requestMessage, HttpResponseMessage responseMessage, CancellationToken cancellationToken)
         {
-            var claimsChallenge = ClaimsChallengeUtilities.GetClaimsChallenge(responseMessage);
-
             if (!string.IsNullOrEmpty(claimsChallenge))
             {
                 return await ClaimsChallengeProcessor.OnClaimsChallenageAsync(requestMessage, claimsChallenge, cancellationToken).ConfigureAwait(false);