[NoBrainer] Get rid of issuer and MFA exceptions when working with Visual Studio Credential in local development environment

Lately I nearly got crazy when working with Visual Studio Credential in ASP.NET Web API project. For Test, Int and Prod environments I usually use Managed Identity and for local development I prefer using Visual Studio Credential for i.e. accessing Azure Key Vault or Azure Storage Account services. In this example, access key authentication is anyway not an option for local development as the storage container is configured with authentication method Azure AD User Account.

The setup and configuration of the blob service client in source code looks as follows:

services.AddAzureClients(builder =>
{
	builder.ConfigureDefaults(Configuration.GetSection("AzureDefaults"));
	builder.UseCredential(Environment.IsDevelopment()
		? new DefaultAzureCredential(new DefaultAzureCredentialOptions
		{
			VisualStudioTenantId = Configuration.GetSection(Constants.AzureAd).GetValue<string>("TenantId"),
			ExcludeEnvironmentCredential = true,
			ExcludeManagedIdentityCredential = true
		})
		: new DefaultAzureCredential(new DefaultAzureCredentialOptions { ExcludeEnvironmentCredential = true }));
	builder.AddBlobServiceClient(Configuration.GetSection("Storage"));
});

Unfortunately the DefaultAzureCredential for local development only works sometimes but most of the times I get exceptions like the following when accessing the storage account.

Status: 401 (Server failed to authenticate the request. Please refer to the information in the www-authenticate header.)
ErrorCode: InvalidAuthenticationInfo

Additional Information:
AuthenticationErrorDetail: Issuer validation failed. Issuer did not match.

Due to a configuration change made by the admin such as a Conditional Access policy, per-user enforcement, or because you moved to a new location, the user must use multi-factor authentication to access the resource. Retry with a new authorize request for the resource.

I found some threads at StackOverflow and in Microsoft Community and also some issues on GitHub about that. However none of the proposed solutions solved my problem. Then I stumbled upon the following blog post. The solution there seemed to be too simple but it actually solved my problem! Big thanks to Jon Gallant, the author, which saved me a lot of additional troubles!

https://blog.jongallant.com/2021/08/visual-studio-re-enter-credentials/

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

Website Powered by WordPress.com.

Up ↑

%d bloggers like this: