az login --identity fails due to "Unrecognizable WWW-Authenticate header"

[mkless]

Describe the bug

On an Azure-ARC managed Windows-Server, we try to connect to azure using the Managed Identity of the machine.
az login --identity fails with

The command failed with an unexpected error. Here is the traceback:
Unrecognizable WWW-Authenticate header: ...

At the same time on the same Windows Server connecting to Azure using the Azure Powershell Modules via
connect-azaccount -Identity and subsequently issued Get-AzAccessToken -ResourceUrl https://ossrdbms-aad.database.windows.net
works fine and deliver the token.

From my point of view a problem with azure cli.

Thanks in Advance and Kind regards,

Michael

Related command

az login --identity

Errors

The command failed with an unexpected error. Here is the traceback:
Unrecognizable WWW-Authenticate header: {'connection': 'close', 'content-type': 'text/html', 'cache-control': 'no-cache', 'x-frame-options': 'SAMEORIGIN', 'x-xss-protection': '1; mode=block', 'x-content-type-options': 'nosniff', 'content-security-policy': "frame-ancestors 'self'", 'content-length': '4947'}
Traceback (most recent call last):
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 677, in execute
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 820, in _run_jobs_serially
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 789, in _run_job
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 335, in call
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 120, in handler
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/profile/custom.py", line 184, in login
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/_profile.py", line 265, in login_with_managed_identity
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/msal_credentials.py", line 154, in acquire_token
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/managed_identity.py", line 329, in acquire_token_for_client
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/managed_identity.py", line 459, in _obtain_token
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/managed_identity.py", line 655, in _obtain_token_on_arc
msal.managed_identity.ManagedIdentityError: Unrecognizable WWW-Authenticate header: {'connection': 'close', 'content-type': 'text/html', 'cache-control': 'no-cache', 'x-frame-options': 'SAMEORIGIN', 'x-xss-protection': '1; mode=block', 'x-content-type-options': 'nosniff', 'content-security-policy': "frame-ancestors 'self'", 'content-length': '4947'}
To check existing issues, please visit: https://github.com/Azure/azure-cli/issues

Issue script & Debug output

az login --identity --debug
cli.knack.cli: Command arguments: ['login', '--identity', '--debug']
cli.knack.cli: init debug log:
Enable color in terminal.
Enable VT mode.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x0000024549E79C60>, <function OutputProducer.on_global_arguments at 0x000002454A409BC0>, <function CLIQuery.on_global_arguments at 0x000002454A45BC40>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Using packaged command index for profile 'latest'.
cli.azure.cli.core: Modules found from index for 'login': ['azure.cli.command_modules.profile']
cli.azure.cli.core: Loading command modules...
cli.azure.cli.core: Loaded command modules in parallel:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: profile 0.007 2 8
cli.azure.cli.core: Total (1) 0.015 2 8
cli.azure.cli.core: Loaded 2 groups, 8 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : login
cli.azure.cli.core: Command table: login
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x000002454A59C680>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\admin-far.azure\commands\2026-05-07.13-39-43.login.20700.log'.
az_command_data_logger: command args: login --identity --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0x000002454A5E6660>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x000002454A5E6700>, <function register_global_policy_argument..add_global_policy_argument at 0x000002454A5E6840>, <function register_cache_arguments..add_cache_arguments at 0x000002454A5E68E0>, <function register_upcoming_breaking_change_info..update_breaking_change_info at 0x000002454A5E6980>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x000002454A409C60>, <function CLIQuery.handle_query_parameter at 0x000002454A45BCE0>, <function register_ids_argument..parse_ids_arguments at 0x000002454A5E67A0>]
cli.azure.cli.core.auth.msal_credentials: ManagedIdentityCredential.acquire_token: scopes=['https://management.core.windows.net//.default'], kwargs={}
msal.managed_identity: Obtaining token via managed identity on Azure Arc
urllib3.connectionpool: Starting new HTTP connection (1): proxy.dm-drogeriemarkt.com:8000
urllib3.connectionpool: http://proxy.dm-drogeriemarkt.com:8000 "GET http://localhost:40342/metadata/identity/oauth2/token?api-version=2020-06-01&resource=https%3A%2F%2Fmanagement.core.windows.net%2F HTTP/1.1" 403 4947
cli.azure.cli.core.azclierror: Traceback (most recent call last):
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 677, in execute
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 820, in _run_jobs_serially
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 789, in _run_job
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 335, in call
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 120, in handler
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/profile/custom.py", line 184, in login
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/_profile.py", line 265, in login_with_managed_identity
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/msal_credentials.py", line 154, in acquire_token
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/managed_identity.py", line 329, in acquire_token_for_client
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/managed_identity.py", line 459, in _obtain_token
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/managed_identity.py", line 655, in _obtain_token_on_arc
msal.managed_identity.ManagedIdentityError: Unrecognizable WWW-Authenticate header: {'connection': 'close', 'content-type': 'text/html', 'cache-control': 'no-cache', 'x-frame-options': 'SAMEORIGIN', 'x-xss-protection': '1; mode=block', 'x-content-type-options': 'nosniff', 'content-security-policy': "frame-ancestors 'self'", 'content-length': '4947'}

cli.azure.cli.core.azclierror: The command failed with an unexpected error. Here is the traceback:
az_command_data_logger: The command failed with an unexpected error. Here is the traceback:
cli.azure.cli.core.azclierror: Unrecognizable WWW-Authenticate header: {'connection': 'close', 'content-type': 'text/html', 'cache-control': 'no-cache', 'x-frame-options': 'SAMEORIGIN', 'x-xss-protection': '1; mode=block', 'x-content-type-options': 'nosniff', 'content-security-policy': "frame-ancestors 'self'", 'content-length': '4947'}
Traceback (most recent call last):
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 677, in execute
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 820, in _run_jobs_serially
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 789, in _run_job
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 335, in call
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 120, in handler
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/profile/custom.py", line 184, in login
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/_profile.py", line 265, in login_with_managed_identity
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/msal_credentials.py", line 154, in acquire_token
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/managed_identity.py", line 329, in acquire_token_for_client
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/managed_identity.py", line 459, in _obtain_token
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/managed_identity.py", line 655, in _obtain_token_on_arc
msal.managed_identity.ManagedIdentityError: Unrecognizable WWW-Authenticate header: {'connection': 'close', 'content-type': 'text/html', 'cache-control': 'no-cache', 'x-frame-options': 'SAMEORIGIN', 'x-xss-protection': '1; mode=block', 'x-content-type-options': 'nosniff', 'content-security-policy': "frame-ancestors 'self'", 'content-length': '4947'}
az_command_data_logger: Unrecognizable WWW-Authenticate header: {'connection': 'close', 'content-type': 'text/html', 'cache-control': 'no-cache', 'x-frame-options': 'SAMEORIGIN', 'x-xss-protection': '1; mode=block', 'x-content-type-options': 'nosniff', 'content-security-policy': "frame-ancestors 'self'", 'content-length': '4947'}
Traceback (most recent call last):
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 677, in execute
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 820, in _run_jobs_serially
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 789, in _run_job
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 335, in call
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 120, in handler
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/profile/custom.py", line 184, in login
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/_profile.py", line 265, in login_with_managed_identity
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/auth/msal_credentials.py", line 154, in acquire_token
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/managed_identity.py", line 329, in acquire_token_for_client
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/managed_identity.py", line 459, in _obtain_token
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\msal/managed_identity.py", line 655, in obtain_token_on_arc
msal.managed_identity.ManagedIdentityError: Unrecognizable WWW-Authenticate header: {'connection': 'close', 'content-type': 'text/html', 'cache-control': 'no-cache', 'x-frame-options': 'SAMEORIGIN', 'x-xss-protection': '1; mode=block', 'x-content-type-options': 'nosniff', 'content-security-policy': "frame-ancestors 'self'", 'content-length': '4947'}
To check existing issues, please visit: https://github.com/Azure/azure-cli/issues
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x000002454A59C900>]
az_command_data_logger: exit code: 1
cli.main: Command ran in 1.182 seconds (init: 0.149, invoke: 1.033)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 7832 in cache file under C:\Users\admin-far.azure\telemetry\20260507133944405
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe C:\Program Files\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry_init.pyc C:\Users\admin-far.azure C:\Users\admin-far.azure\telemetry\20260507133944405"
telemetry.process: Return from creating process 32952
telemetry.main: Finish creating telemetry upload process.

Expected behavior

az login --identity should work as the
powershell Command connect-azaccount -Identity on the same machine does.

Environment Summary

azure-cli 2.86.0

core 2.86.0
telemetry 1.1.0

Dependencies:
msal 1.35.1
azure-mgmt-resource 24.0.0

Python location 'C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe'
Config directory 'C:\Users\admin-far.azure'
Extensions directory 'C:\Users\admin-far.azure\cliextensions'

Python (Windows) 3.13.13 (tags/v3.13.13:01104ce, Apr 7 2026, 19:25:48) [MSC v.1944 64 bit (AMD64)]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

Additional context

systeminfo:
C:\ProgramData\AzureConnectedMachineAgent\Tokens>systeminfo

Host Name: KASPISQLADM05
OS Name: Microsoft Windows Server 2022 Standard
OS Version: 10.0.20348 N/A Build 20348
OS Manufacturer: Microsoft Corporation
OS Configuration: Member Server
OS Build Type: Multiprocessor Free
Registered Owner: dmTECH
Registered Organization: dmTECH GmbH
Product ID: 00454-10000-00001-AA020
Original Install Date: 01.03.2024, 08:22:17
System Boot Time: 13.04.2026, 01:54:27
System Manufacturer: VMware, Inc.
System Model: VMware20,1
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2993 Mhz
BIOS Version: VMware, Inc. VMW201.00V.24504846.B64.2501180339, 18.01.2025
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32

[yonzhan]

Thank you for opening this issue, we will look into it.

[mkless]

Hi, everyone

When can we expect a response on this matter?

Regards, Michael