AADSTS700024: Client assertion is not within its valid time range.

[isra-fel]

Description

Can you please help us with following issue:

We've encountered an issue potentially linked to the Az.Storage cmdlet command. A customer reported this problem within a long-running pipeline designed to store data in an Azure Storage Account, utilizing the New-AzStorageContext and Set-AzStorageBlobContent cmdlets. This process authenticates to Azure using a federated token.

According to the stack trace, an error occurs roughly 55 minutes after the script starts, coinciding with the access token's expiration. The NewAzureStorageContext function attempts to renew the token but fails, generating the following error: "Client assertion is not within its valid time range. Current time: 2024-02-28T09:53:28.3990795Z, assertion valid from: 2024-02-28T08:57:57.0000000Z, expiry time of assertion: 2024-02-28T09:07:57.0000000Z." The token, which has a 10-minute lifespan, is identified as a federated token. We suspect that New-AzStorageContext attempts to use this short-lived federated token to refresh the access token, leading to failure upon the federated token's expiration.

Is it standard practice for New-AzStorageContext to employ a federated token for refreshing the access token?

If this behavior is not anticipated, could you provide any insights into the potential causes of this issue?

Issue script & Debug output

An error has occurred that was not properly handled. Additional information is shown below. The PowerShell process will exit.

2024-02-28T09:53:28.4544101Z Unhandled exception. MSAL.NetCore.4.49.1.0.MsalServiceException:

2024-02-28T09:53:28.4544494Z            ErrorCode: invalid_client

2024-02-28T09:53:28.4546639Z Microsoft.Identity.Client.MsalServiceException: A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See [https://aka.ms/msal-net-invalid-client](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Faka.ms%2Fmsal-net-invalid-client&data=05%7C02%7Cigortsoi%40microsoft.com%7C6b6de2a5de574995a9cd08dc39062b92%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638447945881838012%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=XJvFG8RJxWz2v8E3mqSHLj8LNTOAAHzqZ1pfrNiA8aE%3D&reserved=0) for details.  Original exception: AADSTS700024: Client assertion is not within its valid time range. Current time: 2024-02-28T09:53:28.3990795Z, assertion valid from 2024-02-28T08:57:57.0000000Z, expiry time of assertion 2024-02-28T09:07:57.0000000Z. Review the documentation at [https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Factive-directory%2Fdevelop%2Factive-directory-certificate-credentials&data=05%7C02%7Cigortsoi%40microsoft.com%7C6b6de2a5de574995a9cd08dc39062b92%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638447945881849600%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=t3F%2B7IHZwwuPtFlTVj5Mz8KCCMOkBF62qwYflpKr2Io%3D&reserved=0) . Trace ID: f138e6d0-dc83-4626-8cd7-d972a7500e00 Correlation ID: 61054eac-dd48-453b-ad65-99387a33af78 Timestamp: 2024-02-28 09:53:28Z

2024-02-28T09:53:28.4548292Z    at Microsoft.Identity.Client.Internal.Requests.RequestBase.HandleTokenRefreshErrorAsync(MsalServiceException e, MsalAccessTokenCacheItem cachedAccessTokenItem)

2024-02-28T09:53:28.4548758Z    at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.ExecuteAsync(CancellationToken cancellationToken)

2024-02-28T09:53:28.4549154Z    at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)

2024-02-28T09:53:28.4549856Z    at Microsoft.Identity.Client.ApiConfig.Executors.ConfidentialClientExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenForClientParameters clientParameters, CancellationToken cancellationToken)

2024-02-28T09:53:28.4550676Z    at Microsoft.Azure.PowerShell.Authenticators.Identity.MsalConfidentialClient.AcquireTokenForClientCoreAsync(String[] scopes, String tenantId, Boolean async, CancellationToken cancellationToken)

2024-02-28T09:53:28.4551277Z    at Microsoft.Azure.PowerShell.Authenticators.Identity.MsalConfidentialClient.AcquireTokenForClientAsync(String[] scopes, String tenantId, Boolean async, CancellationToken cancellationToken)

2024-02-28T09:53:28.4551765Z    at Microsoft.Azure.PowerShell.Authenticators.Identity.TaskExtensions.EnsureCompleted[T](ValueTask`1 task)

2024-02-28T09:53:28.4552236Z    at Microsoft.Azure.PowerShell.Authenticators.Identity.ClientAssertionCredential.GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken)

2024-02-28T09:53:28.4552668Z    at Microsoft.Azure.PowerShell.Authenticators.MsalAccessToken.Renew()

2024-02-28T09:53:28.4553030Z    at Microsoft.Azure.PowerShell.Authenticators.MsalAccessToken.AuthorizeRequest(Action`2 authTokenSetter)

2024-02-28T09:53:28.4553465Z    at Microsoft.WindowsAzure.Commands.Storage.Common.Cmdlet.NewAzureStorageContext.GetTokenStrFromAccessToken(IAccessToken accessToken)

2024-02-28T09:53:28.4553940Z    at Microsoft.WindowsAzure.Commands.Storage.Common.Cmdlet.NewAzureStorageContext.<>c__DisplayClass103_0.<<GetTokenRenewer>b__0>d.MoveNext()

2024-02-28T09:53:28.4554392Z --- End of stack trace from previous location ---

2024-02-28T09:53:28.4554698Z    at Microsoft.Azure.Storage.Auth.TokenCredential.RenewTokenAsync(Object state)

2024-02-28T09:53:28.4555023Z    at System.Threading.Tasks.Task.<>c.<ThrowAsync>b__128_1(Object state)

2024-02-28T09:53:28.4555326Z    at System.Threading.QueueUserWorkItemCallback.Execute()

2024-02-28T09:53:28.4555611Z    at System.Threading.ThreadPoolWorkQueue.Dispatch()

2024-02-28T09:53:28.4555914Z    at System.Threading.PortableThreadPool.WorkerThread.WorkerThreadStart()

2024-02-28T09:53:28.4556170Z            StatusCode: 401

2024-02-28T09:53:28.4558040Z            ResponseBody: {"error":"invalid_client","error_description":"AADSTS700024: Client assertion is not within its valid time range. Current time: 2024-02-28T09:53:28.3990795Z, assertion valid from 2024-02-28T08:57:57.0000000Z, expiry time of assertion 2024-02-28T09:07:57.0000000Z. Review the documentation at [https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Factive-directory%2Fdevelop%2Factive-directory-certificate-credentials&data=05%7C02%7Cigortsoi%40microsoft.com%7C6b6de2a5de574995a9cd08dc39062b92%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638447945881855995%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=9My228m88stlW24HRySuZn3Cb0a2X%2FnSl4mAWKW6QEg%3D&reserved=0) . Trace ID: f138e6d0-dc83-4626-8cd7-d972a7500e00 Correlation ID: 61054eac-dd48-453b-ad65-99387a33af78 Timestamp: 2024-02-28 09:53:28Z","error_codes":[700024],"timestamp":"2024-02-28 09:53:28Z","trace_id":"f138e6d0-dc83-4626-8cd7-d972a7500e00","correlation_id":"61054eac-dd48-453b-ad65-99387a33af78","error_uri":[https://login.microsoftonline.com/error?code=700024](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flogin.microsoftonline.com%2Ferror%3Fcode%3D700024&data=05%7C02%7Cigortsoi%40microsoft.com%7C6b6de2a5de574995a9cd08dc39062b92%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638447945881861947%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=jw9qfbZzjMnWy001JPqaTTpl4WiSvrWy3I%2Fsv%2FuSHRA%3D&reserved=0)}

Environment data

N/A

Module versions

N/A

Error output

No response

[igortsoi]

Is there any progress?

[msJinLei]

Hi @igortsoi , the behavior is expected.
When you run the cmdlet, our module firstly try to get the acquire the access token from the local token cache. If the cached token expires, we will try to re-authenticate automatically using the saved context information. For federated token workflow, we are do the re-authentication with the saved federated token. If the federated token also expires, you have to run Connect-AzAccounts again.
And so in the case mentioned, you have to acquire the federated token and run Connect-AzAccounts for every 55 minutes. This is due to the token lifetime.

[igortsoi]

Thank you!

[geekzter]

@msJinLei Thanks.

I performed an experiment to refresh the federated token stored in a background job (Start-Job). See example.

• How destructive is performing Connect-AzAccount -FederatedToken from a background job? Can this break any ongoing operations in the main script?
• Is there another method to refresh the federated token stored by PowerShell Az?

[msJinLei]

@msJinLei Thanks.

I performed an experiment to refresh the federated token stored in a background job (Start-Job). See example.

• How destructive is performing Connect-AzAccount -FederatedToken from a background job? Can this break any ongoing operations in the main script?

The running cmdlet won't be affected. The next cmdlet will be affected if the cached access token is refreshed.

When the access token doesn't expire, you use the same applicationId, tenantId and a different federated token to connect Az.Accounts, the cached access token won't refresh.

• Is there another method to refresh the federated token stored by PowerShell Az?

What is to refresh is access token.
Please run Disconnect-AzAccount and run Connect-AzAccount with a new federated token again

[brynn-code]

+1 on this issue, seems the default expire time span is 1h, but we also encountered the error after 10 minutes, wondering if there is some lifetime policy for Microsoft tenant itself which caused the token expired. (I don't have permission to see the policy, just guess according to this doc: https://learn.microsoft.com/en-us/entra/identity-platform/configure-token-lifetimes

[imarpan26]

+1 we are also facing same issue, Token is expiring after 10 min. How to keep it alive or how to regenerated federated identity token?

[shawn-beeson]

I am having this same error when provisioning a bicep template using Azure DevOps pipeline. The pipeline runs for 55 minutes then spits this error:
Could not fetch access token for Azure. Status code: invalid_client, status message: Error(s): 700024 - Timestamp: 2025-04-15 15:03:03Z - Description: AADSTS700024: Client assertion is not within its valid time range

I have no ability to refresh the token during the template processing step of the pipeline.

[jrdevops1]

I had this issue and after a bit of research stumbled across this article: https://learn.microsoft.com/en-us/azure/devops/pipelines/release/troubleshoot-workload-identity?view=azure-devops#error-messages

The solution stated here is:

if the error happens after approximately 1 hour, use a service connection with Workload identity federation and a Managed Identity instead. Managed Identity tokens have a lifetime of around 24 hours.
If the error happens before 1 hour but after 10 minutes, move commands that (implicitly) request an access token to e.g. access Azure storage to the beginning of your script. The access token will be cached for subsequent commands.

The second case is what was occurring so at the beginning of the script I put the following right after Set-AzContext -SubscriptionId $subscriptionId :

# ARM (management) token fetch
Get-AzAccessToken -ResourceUrl 'https://management.azure.com/'
# Storage data‑plane token fetch
Get-AzAccessToken -ResourceUrl 'https://storage.azure.com/'

I think it's important to point out here I was trying to run a PowerShell script using the AzurePowerShell@5 task on an Azure Devops pipeline when I came across this. As stated I was indeed using a service connection with Workload identity federation and a managed identity.

I think its because the command New-AzStorageContext -StorageAccountName contosostorage -UseConnectedAccount retrieves a token.

If more than 10 minutes have elapsed since the original JWT was issued, MSAL will try and fail to renew it.

If you run the Get-AzAccessToken commands at the beginning of your script / commands , then it will obtain and cache the tokens for 1 hour.