The access token is from the wrong issuer

@Dhariwal, Jaanvi Thanks for reaching out.

It seems like you are facing an authentication issue while deploying container apps environment through Terraform. The error message suggests that the access token is from the wrong issuer, and it must match one of the tenants associated with this subscription.

To resolve this issue, you can try the following steps:

• Make sure that the tenant ID and subscription ID are correct in your Terraform configuration file.
• Check if the Azure CLI is logged in with the correct account. You can use the following command to check:

az account show

• If the account is not correct, you can use the following command to log in:

az login

• If you are using a service principal for authentication, make sure that the service principal has the correct permissions to access the subscription and the tenant.
• Try using a different authority (URL) to get the token. You can use the following command to set the authority:

az cloud set --name AzureCloud

This will set the authority to 'https://login.microsoftonline.com/'.

• The other reason could be as mentioned in the error "if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later". In case if you have transferred the subscription to different tenant then please wait for some hours and retry the operation again.

If none of the above step's work, please provide more information about your Terraform configuration file and the steps you have taken so far.

I have tried everything but nothing worked, I am logging in through az login --tenant <tenant-id>, az account show told that I am in right subscription and tenant, other resources are being created in desired resource groups, but only while creating container apps environment I am having this error.

@Dhariwal, Jaanvi Just to confirm you are not performing the cross-tenant operation. I will suggest you create a bug here to track it and terraform team can assist you further.

Hello, I am also having the same exact issue when trying to list my datastores via the azure.ai.ml.MLClient.from_config() method. The link to creating a bug was not available as well. I have not transferred my subscription. The azureml.core.Workspace.datastores method works perfectly, but I am struggling to get MLClient() to work. I need MLClient for loading and importing data locally to my machine to run MLFlow pipelines locally on my machine for testing.

Hello all - was there a solution to this issue? I am having the same problem with Terraform.

Scenario: https://developer.hashicorp.com/terraform/tutorials/azure/aks

• Logged in with "az login"
• Terraform apply failed with SubscriptionNotFound - for some reason it's trying to use a different sub-id
• I then added "subscription_id" to the Terraform provider block, using the sub-id associated with my Azure account
• terraform apply failed with the 401 "The access token is from the wrong issuer 'https://sts.windows.net/<diifferent tenant id>'"