Azure CLI command to resolve refresh token error

Question

What specific syntax or commands need to be added to the sequence of Azure CLI commands below in order to remove the root cause of the AADSTS700082 error so that the commands can run without error?

And what is going on behind the scenes to cause this seemingly senseless error?

C:\path\to\dir>az login --service-principal -u long-alpha-numeric-id -p long-pass-word --tenant 88888888-4444-4444-4444-121212121212  
[  
  {  
    "cloudName": "AzureCloud",
    "homeTenantId": "88888888-4444-4444-4444-121212121212",
    "id": "11111111-1111-1111-1111-111111111111",
    "isDefault": true,
    "managedByTenants": [],
    "name": "SomeName",
    "state": "Enabled",
    "tenantId": "88888888-4444-4444-4444-121212121212",
    "user": {
      "name": "long-alpha-numeric-id",
      "type": "servicePrincipal"
    }
  },
  {
    "cloudName": "AzureCloud",
    "homeTenantId": "88888888-4444-4444-4444-121212121212",
    "id": "22222222-2222-2222-2222-222222222222",
    "isDefault": false,
    "managedByTenants": [],
    "name": "AnotherName",
    "state": "Enabled",
    "tenantId": "88888888-4444-4444-4444-121212121212",
    "user": {
      "name": "long-alpha-numeric-id",
      "type": "servicePrincipal"
    }
  }
]  

C:\path\to\dir>az account set --subscription 12345678-1234-1234-1234-123456789012

C:\path\to\dir>az group create --name myRG --location eastus
AADSTS700082: The refresh token has expired due to inactivity. The token was issued on 2023-05-04T21:19:28.1452801Z and was inactive for 90.00:00:00. Trace ID: 87654321-4321-4321-4321-210987654321 Correlation ID: 80808080-4040-4040-4040-121212121212 Timestamp: 2023-11-14 01:23:55Z    
Interactive authentication is needed. Please run:
az login --scope https://management.core.windows.net//.default  

The secret long-pass-word is valid and up to date for the service principal with ID long-alpha-numeric-id. I confirmed this in the Entra Directory in the Azure Portal.

The az login --service-principal -u long-alpha-numeric-id -p long-pass-word --tenant 88888888-4444-4444-4444-121212121212 command seems to run successfully, as you can see above.

The az account set --subscription 12345678-1234-1234-1234-123456789012 command also runs without error when a valid subscription ID is passed into it.

But the az group create --name myRG --location eastus command is throwing the AADSTS700082 error as you can see if you scroll to the bottom of the output in the OP above.

What gives?

This needs to be run completely in automation, so we cannot try the Interactive authentication that is suggested in the error message.

Answer 1

AADSTS700082: The refresh token has expired due to inactivity. The token was issued on 2023-05-04T21:19:28.1452801Z and was inactive for 90.00:00:00. Trace ID: 87654321-4321-4321-4321-210987654321 Correlation ID: 80808080-4040-4040-4040-121212121212 Timestamp: 2023-11-14 01:23:55Z Interactive authentication is needed. Please run: az login --scope https://management.core.windows.net//.default

The error usually occurs if the refresh token has been expired and to resolve the error, you need to re-run az login.

In your case, the error is due to the existing az session that needs to be logged out.

Hence to resolve the error, execute az logout and the re-run the commands:

az logout

az login --service-principal -u ClientID -p ClientSecret --tenant TenantID

az account set --subscription SubscriptionID

az group create --name RukRG --location eastus

Resource group created successfully: