Priority
(Urgent) I can't use the CLI
Description
If I login without specifying the cloud to my GCC Low / USGov Cloud tenant, the login succeeds.
But when I try something like m365 flow list -e <env GUID> I get the following error:
Error: Request for GCC tenant is not applicable in the current unitedstates cloud.
If I try to login specifying the cloud via m365 login --cloud UsGov the login fails saying it can't find my account.
This leads me to believe it's using the USGov high endpoints to authenticate, and not the commercial endpoints.
Because GCC Low uses Commercial endpoints for authentication; Please see the diagram below for more info:

Steps to reproduce
Try to login to a GCC Low environment and list the flows -- notice that the --cloud USGov option does not work and is behaving as if it's a GCC High login.
Expected results
GCC Low should use the regular commercial endpoints to login (i.e. https://login.microsoftonline.com/{{TenantId}}/oauth2/v2.0/token with scopes such as https://gov.service.flow.microsoft.us//.default), and still be able to query for the list of flows via https://gov.api.flow.microsoft.us/providers/Microsoft.ProcessSimple/environments/{{envId}}/flows/, etc.
Actual results
Can't login to GCC Low -- Can't list flows when logged in as commercial.
Diagnostics
m365 login --cloud USGov --debug
Executing command login with options {"options":{"cloud":"USGov","debug":true,"output":"json"}}
Executing command as 'REDACTED', appId: 31359c7f-bd7e-475c-86db-fdb8c937548e, tenantId: 807536a6-a6b1-4893-a013-70509c59ebbb
Logging out from Microsoft 365...
Signing in to Microsoft 365...
No token found for resource https://graph.microsoft.com.
[Tue, 18 Jun 2024 16:31:50 GMT] : [] : @azure/[email protected] : Info - getTokenCache called
[Tue, 18 Jun 2024 16:31:50 GMT] : [] : @azure/[email protected] : Info - CacheManager:getIdToken - Returning ID token
Starting Auth.ensureAccessTokenWithDeviceCode. resource: https://graph.microsoft.com, debug: true
[Tue, 18 Jun 2024 16:31:50 GMT] : [] : @azure/[email protected] : Info - acquireTokenByDeviceCode called
[Tue, 18 Jun 2024 16:31:50 GMT] : [] : @azure/[email protected] : Verbose - initializeRequestScopes called
[Tue, 18 Jun 2024 16:31:50 GMT] : [878d2feb-ed02-46c3-a898-118309dee46e] : @azure/[email protected] : Verbose - buildOauthClientConfiguration called
[Tue, 18 Jun 2024 16:31:50 GMT] : [878d2feb-ed02-46c3-a898-118309dee46e] : @azure/[email protected] : Verbose - createAuthority called
[Tue, 18 Jun 2024 16:31:50 GMT] : [] : @azure/[email protected] : Verbose - Attempting to get cloud discovery metadata from authority configuration
[Tue, 18 Jun 2024 16:31:50 GMT] : [] : @azure/[email protected] : Verbose - Did not find cloud discovery metadata in the config... Attempting to get cloud discovery metadata from the hardcoded values.
[Tue, 18 Jun 2024 16:31:50 GMT] : [] : @azure/[email protected] : Verbose - Found cloud discovery metadata from hardcoded values.
[Tue, 18 Jun 2024 16:31:50 GMT] : [] : @azure/[email protected] : Verbose - Attempting to get endpoint metadata from authority configuration
[Tue, 18 Jun 2024 16:31:50 GMT] : [] : @azure/[email protected] : Verbose - Did not find endpoint metadata in the config... Attempting to get endpoint metadata from the hardcoded values.
[Tue, 18 Jun 2024 16:31:50 GMT] : [878d2feb-ed02-46c3-a898-118309dee46e] : @azure/[email protected] : Info - Building oauth client configuration with the following authority: https://login.microsoftonline.us/common/oauth2/v2.0/token.
[Tue, 18 Jun 2024 16:31:50 GMT] : [878d2feb-ed02-46c3-a898-118309dee46e] : @azure/[email protected] : Verbose - Device code client created
Response:
{
userCode: 'REDACTED',
deviceCode: 'REDACTED',
verificationUri: 'https://microsoft.com/deviceloginus',
expiresIn: 900,
interval: 5,
message: 'To sign in, use a web browser to open the page https://microsoft.com/deviceloginus and enter the code REDACTED to authenticate.'
}
[Tue, 18 Jun 2024 16:31:51 GMT] : [878d2feb-ed02-46c3-a898-118309dee46e] : @azure/[email protected] : Info - Authorization pending. Continue polling.
🌶️ To sign in, use a web browser to open the page https://microsoft.com/deviceloginus and enter the code REDACTED to authenticate.
You can see here it's directing us to use https://microsoft.com/deviceloginus -- but for GCC Low it should be doing a regular devicelogin.
The difference between GCC and commercial is that the scopes are different. The APIs are all at .us locations, but we login with Commercial Azure AD.
CLI for Microsoft 365 version
v7.9.0
nodejs version
v20.14.0
Operating system (environment)
Windows
Shell
PowerShell
cli doctor
{
"os": {
"platform": "win32",
"version": "Windows 11 Enterprise",
"release": "10.0.22631"
},
"cliVersion": "7.9.0",
"nodeVersion": "v20.14.0",
"cliAadAppId": "31359c7f-bd7e-475c-86db-fdb8c937548e",
"cliAadAppTenant": "common",
"authMode": "DeviceCode",
"cliEnvironment": "",
"cliConfig": {},
"roles": [],
"scopes": {
"https://graph.microsoft.com": [
"AllSites.FullControl",
"AppCatalog.ReadWrite.All",
"ChannelMember.ReadWrite.All",
"ChannelMessage.Send",
"ChannelSettings.ReadWrite.All",
"Directory.AccessAsUser.All",
"Directory.ReadWrite.All",
"Group.ReadWrite.All",
"IdentityProvider.ReadWrite.All",
"Mail.ReadWrite",
"Mail.Send",
"Policy.Read.All",
"Reports.Read.All",
"Tasks.ReadWrite",
"Team.Create",
"TeamMember.ReadWrite.All",
"TeamsApp.ReadWrite.All",
"TeamsAppInstallation.ReadWriteForUser",
"TeamSettings.ReadWrite.All",
"TeamsTab.ReadWrite.All",
"TermStore.ReadWrite.All",
"User.Invite.All",
"User.ReadWrite.All",
"profile",
"openid",
"email"
],
"https://management.azure.com/": [
"user_impersonation"
]
}
}
Additional Info
Let me know if you need me to test a specific build or something. -- As-is, I can't use this on my customer's GCC tenant. -- I can share a login flow that works using Postman if it helps.
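
The mismatch reported above can be checked mechanically from the `--debug` output. The following is an added example, not part of the original issue and not code from CLI for Microsoft 365: it compares the authority host and device-code page seen in the log with what a GCC Low tenant expects, and builds the token/API URL split described under "Expected results". The profile table and function names are hypothetical, and `https://microsoft.com/devicelogin` is assumed to be the "regular devicelogin" page the reporter refers to.

```javascript
// Added example; names are hypothetical, endpoint values are quoted from the issue.
const EXPECTED = {
  gccLow: { // commercial authority, Power Automate resources under .us
    authorityHost: 'login.microsoftonline.com',
    deviceLoginUri: 'https://microsoft.com/devicelogin', // assumed "regular" page
    flowScope: 'https://gov.service.flow.microsoft.us//.default',
    flowApiHost: 'gov.api.flow.microsoft.us'
  }
};

// Two lines abridged from the issue's `m365 login --cloud USGov --debug` output.
const ISSUE_LOG = [
  'Info - Building oauth client configuration with the following authority: https://login.microsoftonline.us/common/oauth2/v2.0/token.',
  "verificationUri: 'https://microsoft.com/deviceloginus',"
].join('\n');

// Extract the token authority host and device-code page from debug output.
function parseAuthEndpoints(debugLog) {
  const authority = /following authority: (https:\/\/\S+)/.exec(debugLog);
  const page = /verificationUri: '(https:\/\/[^']+)'/.exec(debugLog);
  return {
    authorityHost: authority ? new URL(authority[1]).hostname : null,
    verificationUri: page ? page[1] : null
  };
}

// Compare what the client actually contacted with what the tenant type expects.
function auditLogin(profileName, debugLog) {
  const want = EXPECTED[profileName];
  const seen = parseAuthEndpoints(debugLog);
  const findings = [];
  if (seen.authorityHost !== want.authorityHost) {
    findings.push(`authority host ${seen.authorityHost}, expected ${want.authorityHost}`);
  }
  if (seen.verificationUri !== want.deviceLoginUri) {
    findings.push(`device code page ${seen.verificationUri}, expected ${want.deviceLoginUri}`);
  }
  return findings;
}

// Token endpoint, scope and API URL for listing flows, per "Expected results".
function flowListPlan(profileName, tenantId, envId) {
  const p = EXPECTED[profileName];
  return {
    tokenUrl: `https://${p.authorityHost}/${tenantId}/oauth2/v2.0/token`,
    scope: p.flowScope,
    apiUrl: `https://${p.flowApiHost}/providers/Microsoft.ProcessSimple/environments/${envId}/flows/`
  };
}
```

Calling `auditLogin('gccLow', ISSUE_LOG)` returns two findings, one for the `.us` authority host and one for the `deviceloginus` page, which is the behaviour the diagnostics show.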