Azure CLI task fails with `AADSTS700024` after 5 minutes

[jiasli]

MSAL introduced a regression in 1.27.0 (AzureAD/microsoft-authentication-extensions-for-python#127, AzureAD/microsoft-authentication-library-for-python#644) which is adopted by Azure CLI 2.59.0 (#28556).

This regression makes MSAL's ConfidentialClientApplication bypass msal_extensions.token_cache.PersistedTokenCache, so access tokens are no longer retrieved from the token cache. Instead, every command now retrieves a new access token from the AAD Security Token Service (STS). Any commands fails with AADSTS700024 after the ID token expires (5 minutes on GitHub Actions, 10 minutes on Azure DevOps).

Originally posted by @jiasli in #28708 (comment)

[jiasli]

Workarounds

Adopt either workarounds:

1. Use service principal secret for authentication:

   • GitHub Actions: https://github.com/marketplace/actions/azure-login#login-with-a-service-principal-secret
   • Azure DevOps: https://learn.microsoft.com/en-us/azure/devops/pipelines/library/connect-to-azure

2. [GitHub Actions only] In Azure CLI Action azure/cli@v2, specify azcliversion to use an older version of Azure CLI below 2.59.0, such as 2.58.0: https://github.com/marketplace/actions/azure-cli-action

[jiasli]

We plan to fix this issue in the next Azure CLI release: https://github.com/Azure/azure-cli/milestone/141

Official Release: 04/30/2024
Azure CLI version: 2.60.0

For now, to get unblocked, please follow the instructions at #28737 (comment).

[andre-qumulo]

@jiasli Thank you for the update. Just for clarity, what, specifically, will get fixed? Will we still need the code to continue requesting the OID token in the background or will we just need to use Azure CLI 2.60.0?