[Bug]: [MacOs][SDK 10.0.201] Broken Cred Provider - Unable to use Azure Devops on MacOs for nuget packages (expect using full Rider, never the CLI)

[tebeco]

Description

This affect all devs using Mac + dotnet 10 + azure devops

Just in case it's installed or not and updated or not

dotnet tool install Microsoft.Artifacts.CredentialProvider.NuGet.Tool --global
dotnet tool updated --global --all 
# it does install 2.0.1

dotnet --version
10.0.202

dotnet restore --interactive --tlp:default=false -v:d


... LOTS OF TEXT ....
... LOTS OF TEXT ....
... LOTS OF TEXT ....
... LOTS OF TEXT ....

Exception type: Microsoft.Identity.Client.MsalUiRequiredException
, ErrorCode: invalid_grant
HTTP StatusCode 400
CorrelationId bb882465-b8cb-4ee5-8435-11e49f93f47a
Microsoft Entra ID Error Code AADSTS70043
To see full exception details, enable PII Logging. See https://aka.ms/msal-net-logging
   at Microsoft.Identity.Client.Internal.Requests.Silent.SilentRequest.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.Identity.Client.Utils.StopwatchService.MeasureCodeBlockAsync(Func`1 codeBlock)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)



... LOTS OF TEXT ....
... LOTS OF TEXT ....
... LOTS OF TEXT ....
... LOTS OF TEXT ....
... LOTS OF TEXT ENDING WITH ....



 Credential FMI Path: 
 
   [CredentialProvider]MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:04:42Z - 65b55d35-349e-4aee-ad1a-7ba5d6f6c949] === Token Acquisition (InteractiveRequest) started:
    Scopes: 499b84ac-1321-427f-aa17-267ca6975798/.default
   Authority Host: login.windows.net
   [CredentialProvider]MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:04:42Z - 65b55d35-349e-4aee-ad1a-7ba5d6f6c949] Broker is configured. Starting broker flow without knowing the broker installation app link. 
   [CredentialProvider]MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:04:42Z] [Runtime] Broker supported OS.
   [CredentialProvider]MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:04:42Z - 65b55d35-349e-4aee-ad1a-7ba5d6f6c949] Can invoke broker. Will attempt to acquire token with broker. 
   [CredentialProvider]MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:04:42Z] [RuntimeBroker] Calling SignInInteractivelyAsync this will show the account picker.
   [CredentialProvider]MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:04:42Z] [MSAL:0001]    INFO       SetAuthorityUri:78    Initializing authority from URI 'https://login.windows.net/a289d6c2-3b1f-4bc4-8fa0-6866ff300052/' without authority type, defaulting to MsSts
   [CredentialProvider]MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:04:42Z] [MSAL:0002]    INFO       -[MSAIBrokerClient isAuthorizationTypeSupported:]:856    Continue without redirectUri validation on unsigned app runtime flow
   [CredentialProvider]MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:04:42Z] [MSAL:0002]    INFO       -[MSAIBrokerClient shouldReCheckSsoExtState]:1443    Recheck decision: 0
   [CredentialProvider]MSAL Log (Error): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:04:42Z] [MSAL:0002]    ERROR      ErrorInternalImpl:134    Created an error: 4qj1c, StatusInternal::FallbackToNativeMsal, InternalEvent::None, Error Code 0, Context 'Authorization type is not supported for this request. Please make sure the device has been intuned.'


... DEAD LOCK FOR MINUTES HERE ...
... DEAD LOCK FOR MINUTES HERE ...
... DEAD LOCK FOR MINUTES HERE ...

this worked in the past years before the apparition of Microsoft.Artifacts.CredentialProvider.NuGet.Tool

Environment (OS/platform or image)

Mac M3 (ARM cpu)
MacOs 26.4.1
dotnet 10.0.202

### Tool versions

dotnet --version
10.0.202

dotnet --list-sdks
9.0.313 [/usr/local/share/dotnet/sdk]
10.0.103 [/usr/local/share/dotnet/sdk]
10.0.202 [/usr/local/share/dotnet/sdk]

dotnet --list-runtimes
Microsoft.AspNetCore.App 9.0.15 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 10.0.3 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 10.0.6 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 9.0.12 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 9.0.13 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 9.0.14 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 9.0.15 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 10.0.2 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 10.0.3 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 10.0.5 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 10.0.6 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]

msbuild -version
zsh: command not found

Client/protocol path in use

Dotnet tool invocation

Credential Provider logs

[09:19:11.946 86048 Minimal] Log starts at 2026-04-15 09:19:11Z
[09:19:11.954 86048 Verbose] CredentialProvider.Microsoft/2.0.0+053290d000f2ad28f0b32244c27e76e05f5627ec (OSX; Arm64; Darwin 25.4.0 Darwin Kernel Version 25.4.0: Thu Mar 19 19:26:07 PDT 2026; root:xnu-12377.101.15~1/RELEASE_ARM64_T6031) CLR/8.0.23 (.NETCoreApp,Version=v8.0; osx-arm64; .NET 8.0.23)
[09:19:11.956 86048 Verbose] SessionToken cache location: /Users/ahgs/Library/Application Support/MicrosoftCredentialProvider/SessionTokenCache.dat
[09:19:11.994 86048 Verbose] Running in plug-in mode
[09:19:12.002 86048 Verbose] Handling 'Request' 'Initialize'. Time elapsed in ms: 1 - Payload: {"ClientVersion":"7.3.1","Culture":"en-RE","RequestTimeout":"00:00:30"}
[09:19:12.003 86048 Verbose] Command-line v2.0.0+053290d000f2ad28f0b32244c27e76e05f5627ec: /Users/ahgs/.nuget/plugins/netcore/CredentialProvider.Microsoft/CredentialProvider.Microsoft.dll -Plugin
[09:19:12.003 86048 Verbose] Sending response: 'Request' 'Initialize'. Time elapsed in ms: 2
[09:19:12.004 86048 Verbose] Time elapsed in milliseconds after sending response 'Request' 'Initialize': 3
[09:19:12.005 86048 Verbose] Handling 'Request' 'GetOperationClaims'. Time elapsed in ms: 0 - Payload: {}
[09:19:12.006 86048 Verbose] Sending response: 'Request' 'GetOperationClaims'. Time elapsed in ms: 1
[09:19:12.008 86048 Verbose] Time elapsed in milliseconds after sending response 'Request' 'GetOperationClaims': 3
[09:19:12.011 86048 Verbose] Handling 'Request' 'SetLogLevel'. Time elapsed in ms: 0 - Payload: {"LogLevel":"Debug"}
[09:19:12.012 86048 Verbose] Sending response: 'Request' 'SetLogLevel'. Time elapsed in ms: 0
[09:19:12.013 86048 Verbose] Time elapsed in milliseconds after sending response 'Request' 'SetLogLevel': 1
[09:19:12.016 86048 Verbose] Handling 'Request' 'GetAuthenticationCredentials'. Time elapsed in ms: 1 - Payload: {"Uri":"https://pkgs.dev.azure.com/THE_ORD_NAME_HERE/THE_PROJECT_NAME_HERE/_packaging/THERE_FEED_NAME_HERE/nuget/v3/index.json","IsRetry":false,"IsNonInteractive":false,"CanShowDialog":true}
[09:19:12.016 86048 Verbose] Creating a progress reporter with interval: 00:00:02
[09:19:12.017 86048 Verbose] Handling auth request, Uri: https://pkgs.dev.azure.com/THE_ORD_NAME_HERE/THE_PROJECT_NAME_HERE/_packaging/THERE_FEED_NAME_HERE/nuget/v3/index.json, IsRetry: False, IsNonInteractive: False, CanShowDialog: True
[09:19:12.017 86048 Verbose] URI: https://pkgs.dev.azure.com/THE_ORD_NAME_HERE/THE_PROJECT_NAME_HERE/_packaging/THERE_FEED_NAME_HERE/nuget/v3/index.json
[09:19:12.017 86048 Verbose] VstsBuildTaskServiceEndpointCredentialProvider - This credential provider must be run under the Team Build tasks for NuGet with external endpoint credentials. Appropriate environment variable needs to be set.
[09:19:12.017 86048 Verbose] Skipping NuGetCredentialProvider.CredentialProviders.VstsBuildTaskServiceEndpoint.VstsBuildTaskServiceEndpointCredentialProvider, cannot provide credentials for https://pkgs.dev.azure.com/THE_ORD_NAME_HERE/THE_PROJECT_NAME_HERE/_packaging/THERE_FEED_NAME_HERE/nuget/v3/index.json
[09:19:12.017 86048 Verbose] VstsBuildTaskCredentialProvider - This credential provider must be run under the Team Build tasks for NuGet. Appropriate environment variables must be set.
[09:19:12.017 86048 Verbose] Skipping NuGetCredentialProvider.CredentialProviders.VstsBuildTask.VstsBuildTaskCredentialProvider, cannot provide credentials for https://pkgs.dev.azure.com/THE_ORD_NAME_HERE/THE_PROJECT_NAME_HERE/_packaging/THERE_FEED_NAME_HERE/nuget/v3/index.json
[09:19:12.018 86048 Verbose] VstsCredentialProvider - Matched well-known Azure DevOps Service hostname: pkgs.dev.azure.com
[09:19:12.018 86048 Verbose] Using NuGetCredentialProvider.CredentialProviders.Vsts.VstsCredentialProvider to try to get credentials for https://pkgs.dev.azure.com/THE_ORD_NAME_HERE/THE_PROJECT_NAME_HERE/_packaging/THERE_FEED_NAME_HERE/nuget/v3/index.json.
[09:19:12.018 86048 Verbose] IsRetry: False
[09:19:12.024 86048 Verbose] Could not find cached SessionToken for https://pkgs.dev.azure.com/THE_ORD_NAME_HERE/THE_PROJECT_NAME_HERE/_packaging/THERE_FEED_NAME_HERE/nuget/v3/index.json
[09:19:12.029 86048 Verbose] GET https://pkgs.dev.azure.com/THE_ORD_NAME_HERE/THE_PROJECT_NAME_HERE/_packaging/THERE_FEED_NAME_HERE/nuget/v3/index.json
[09:19:12.954 86048 Verbose] Found AAD Authority from 401 headers: https://login.windows.net/a289d6c2-3b1f-4bc4-8fa0-6866ff300052
[09:19:12.956 86048 Verbose] VstsCredentialProvider - Using Entra authority: https://login.windows.net/a289d6c2-3b1f-4bc4-8fa0-6866ff300052
[09:19:12.965 86048   Debug] Using MSAL cache at /Users/ahgs/.local/.IdentityService/msal.cache
[09:19:13.020 86048   Debug] MSAL using Broker
[09:19:13.022 86048 Verbose] VstsCredentialProvider - Not running bearer token provider 'MSAL Service Principal'
[09:19:13.022 86048 Verbose] VstsCredentialProvider - Not running bearer token provider 'MSAL Managed Identity'
[09:19:13.022 86048 Verbose] VstsCredentialProvider - Attempting to acquire bearer token using provider 'MSAL Silent'
[09:19:13.028 86048   Debug] MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:13Z - 731859c7-0fd1-4c53-8010-ccffa7a3c01d] ==== GetAccounts started - GetAccounts ====
[09:19:13.028 86048   Debug] MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:13Z - 731859c7-0fd1-4c53-8010-ccffa7a3c01d] Account id filter: False
[09:19:13.042 86048   Debug] MSAL Log (Always): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:13Z] [Internal cache] Clearing user token cache accessor.
[09:19:13.046 86048   Debug] MSAL Log (Always): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:13Z] [Internal cache] Total number of cache partitions found while getting refresh tokens: 1. PartitionKey  False
[09:19:13.048 86048   Debug] MSAL Log (Always): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:13Z] [Internal cache] Total number of cache partitions found while getting accounts: 1. PartitionKey  False
[09:19:13.048 86048   Debug] MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:13Z - 731859c7-0fd1-4c53-8010-ccffa7a3c01d] IsLegacyAdalCacheEnabled: yes
[09:19:13.050 86048   Debug] MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:13Z - 731859c7-0fd1-4c53-8010-ccffa7a3c01d] [Region discovery] Not using a regional authority. 
[09:19:13.051 86048   Debug] MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:13Z - 731859c7-0fd1-4c53-8010-ccffa7a3c01d] [Region discovery] Not using a regional authority. 
[09:19:13.051 86048   Debug] MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:13Z - 731859c7-0fd1-4c53-8010-ccffa7a3c01d] IsLegacyAdalCacheEnabled: yes
[09:19:13.052 86048   Debug] MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:13Z - 731859c7-0fd1-4c53-8010-ccffa7a3c01d] IsLegacyAdalCacheEnabled: yes
[09:19:13.053 86048   Debug] MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:13Z] Found 1 cache accounts and 0 broker accounts
[09:19:13.053 86048   Debug] MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:13Z] Returning 1 accounts
[09:19:13.053 86048   Debug] Found in cache: a289d6c2-3b1f-4bc4-8fa0-6866ff300052\_Alexandre.Hertogs.ext.AZ@sodexo.com
[09:19:13.053 86048   Debug] Attempting to use identity a289d6c2-3b1f-4bc4-8fa0-6866ff300052\_Alexandre.Hertogs.ext.AZ@sodexo.com
[09:19:13.054 86048   Debug] MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:13Z - bb882465-b8cb-4ee5-8435-11e49f93f47a] MSAL MSAL.NetCore with assembly version '4.77.1.0'. CorrelationId(bb882465-b8cb-4ee5-8435-11e49f93f47a)
[09:19:13.055 86048   Debug] MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:13Z - bb882465-b8cb-4ee5-8435-11e49f93f47a] === AcquireTokenSilent Parameters ===
[09:19:13.055 86048   Debug] MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:13Z - bb882465-b8cb-4ee5-8435-11e49f93f47a] LoginHint provided: False
[09:19:13.056 86048   Debug] MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:13Z - bb882465-b8cb-4ee5-8435-11e49f93f47a] Account provided: True
[09:19:13.056 86048   Debug] MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:13Z - bb882465-b8cb-4ee5-8435-11e49f93f47a] ForceRefresh: False
[09:19:13.057 86048   Debug] MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:13Z - bb882465-b8cb-4ee5-8435-11e49f93f47a] 
=== Request Data ===
Authority Provided? - True
Scopes - 499b84ac-1321-427f-aa17-267ca6975798/.default
Extra Query Params Keys (space separated) - 
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - bb882465-b8cb-4ee5-8435-11e49f93f47a
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured: 
FMI Path: 
Credential FMI Path: 

[09:19:13.058 86048   Debug] MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:13Z - bb882465-b8cb-4ee5-8435-11e49f93f47a] === Token Acquisition (SilentRequest) started:
	 Scopes: 499b84ac-1321-427f-aa17-267ca6975798/.default
	Authority Host: login.windows.net
[09:19:13.062 86048   Debug] MSAL Log (Always): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:13Z] [Internal cache] Clearing user token cache accessor.
[09:19:13.063 86048   Debug] MSAL Log (Always): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:13Z - bb882465-b8cb-4ee5-8435-11e49f93f47a] [Internal cache] Total number of cache partitions found while getting access tokens: 1
[09:19:13.063 86048   Debug] MSAL Log (Always): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:13Z - bb882465-b8cb-4ee5-8435-11e49f93f47a] [FindAccessTokenAsync] Discovered 2 access tokens in cache using partition key: 32d80421-7ccd-4ec7-bb31-ff7a60e12ca9.a289d6c2-3b1f-4bc4-8fa0-6866ff300052
[09:19:13.064 86048   Debug] MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:13Z - bb882465-b8cb-4ee5-8435-11e49f93f47a] [Region discovery] Not using a regional authority. 
[09:19:13.065 86048   Debug] MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:13Z - bb882465-b8cb-4ee5-8435-11e49f93f47a] Access token has expired or about to expire. [Current time (04/15/2026 09:19:13) - Expiration Time (03/23/2026 16:23:40 +00:00) - Extended Expiration Time (03/23/2026 16:23:40 +00:00)]
[09:19:13.067 86048   Debug] MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:13Z - bb882465-b8cb-4ee5-8435-11e49f93f47a] [Region discovery] Not using a regional authority. 
[09:19:13.068 86048   Debug] MSAL Log (Always): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:13Z] [Internal cache] Total number of cache partitions found while getting refresh tokens: 1. PartitionKey  True
[09:19:13.068 86048   Debug] MSAL Log (Always): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:13Z - bb882465-b8cb-4ee5-8435-11e49f93f47a] [FindRefreshTokenAsync] Discovered 2 refresh tokens in cache using key: 32d80421-7ccd-4ec7-bb31-ff7a60e12ca9.a289d6c2-3b1f-4bc4-8fa0-6866ff300052
[09:19:13.069 86048   Debug] MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:13Z - bb882465-b8cb-4ee5-8435-11e49f93f47a] [Region discovery] Not using a regional authority. 
[09:19:13.069 86048   Debug] MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:13Z - bb882465-b8cb-4ee5-8435-11e49f93f47a] [FindRefreshTokenAsync] Refresh token found in the cache? - True
[09:19:13.070 86048   Debug] MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:13Z - bb882465-b8cb-4ee5-8435-11e49f93f47a] [Instance Discovery] Instance discovery is enabled and will be performed
[09:19:13.070 86048   Debug] MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:13Z - bb882465-b8cb-4ee5-8435-11e49f93f47a] [Region discovery] Not using a regional authority. 
[09:19:13.071 86048   Debug] MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:13Z - bb882465-b8cb-4ee5-8435-11e49f93f47a] Fetching instance discovery from the network from host login.windows.net. 
[09:19:14.051 86048   Debug] MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:14Z - bb882465-b8cb-4ee5-8435-11e49f93f47a] Authority validation enabled? True. 
[09:19:14.052 86048   Debug] MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:14Z - bb882465-b8cb-4ee5-8435-11e49f93f47a] Authority validation - is known env? True. 
[09:19:15.281 86048   Debug] MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:15Z - bb882465-b8cb-4ee5-8435-11e49f93f47a] Response status code does not indicate success: 400 (BadRequest). 
[09:19:15.282 86048   Debug] MSAL Log (Warning): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:15Z - bb882465-b8cb-4ee5-8435-11e49f93f47a] Request retry failed.
[09:19:15.301 86048   Debug] MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:15Z - bb882465-b8cb-4ee5-8435-11e49f93f47a] HttpStatusCode: 400: BadRequest
[09:19:15.303 86048   Debug] MSAL Log (Error): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:15Z - bb882465-b8cb-4ee5-8435-11e49f93f47a] === Token Acquisition (1007) failed.
	Host: login.windows.net.
[09:19:15.304 86048   Debug] MSAL Log (Error): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:15Z - bb882465-b8cb-4ee5-8435-11e49f93f47a] Exception type: Microsoft.Identity.Client.MsalUiRequiredException
, ErrorCode: invalid_grant
HTTP StatusCode 400
CorrelationId bb882465-b8cb-4ee5-8435-11e49f93f47a
Microsoft Entra ID Error Code AADSTS70043
To see full exception details, enable PII Logging. See https://aka.ms/msal-net-logging

[09:19:15.306 86048   Debug] MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:15Z - bb882465-b8cb-4ee5-8435-11e49f93f47a] [Throttling] MsalUiRequiredException encountered - throttling for 120 seconds. 
[09:19:15.307 86048   Debug] MSAL Log (Warning): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:15Z - bb882465-b8cb-4ee5-8435-11e49f93f47a] Refreshing the RT failed. Is the exception retryable? False. Is there an AT in the cache that is usable? False 
[09:19:15.307 86048   Debug] MSAL Log (Warning): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:15Z - bb882465-b8cb-4ee5-8435-11e49f93f47a] Failed to refresh the RT and cannot use existing AT (expired or missing). 
[09:19:15.312 86048   Debug] MSAL Log (Error): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:15Z - bb882465-b8cb-4ee5-8435-11e49f93f47a] Exception type: Microsoft.Identity.Client.MsalUiRequiredException
, ErrorCode: invalid_grant
HTTP StatusCode 400
CorrelationId bb882465-b8cb-4ee5-8435-11e49f93f47a
Microsoft Entra ID Error Code AADSTS70043
To see full exception details, enable PII Logging. See https://aka.ms/msal-net-logging
   at Microsoft.Identity.Client.Internal.Requests.Silent.SilentRequest.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.Identity.Client.Utils.StopwatchService.MeasureCodeBlockAsync(Func`1 codeBlock)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)

[09:19:15.313 86048   Debug] AADSTS70043: The refresh token has expired or is invalid due to sign-in frequency checks by conditional access. The token was issued on 2026-03-23T14:54:07.2405830Z and the maximum allowed lifetime for this request is 43200. Trace ID: b5b636d5-c25c-4e86-b779-40135e788b00 Correlation ID: bb882465-b8cb-4ee5-8435-11e49f93f47a Timestamp: 2026-04-15 09:19:15Z
[09:19:15.314 86048 Verbose] VstsCredentialProvider - Bearer token provider 'MSAL Silent' didn't acquire a token
[09:19:15.314 86048 Verbose] VstsCredentialProvider - Attempting to acquire bearer token using provider 'MSAL Interactive'
[09:19:15.315 86048    Info] Use the opened dialog or browser window to log in. It may be behind other windows.
[09:19:15.321 86048   Debug] MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:15Z - fbb75e05-7069-41f7-8c8a-1a76332f636b] MSAL MSAL.NetCore with assembly version '4.77.1.0'. CorrelationId(fbb75e05-7069-41f7-8c8a-1a76332f636b)
[09:19:15.322 86048   Debug] MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:15Z - fbb75e05-7069-41f7-8c8a-1a76332f636b] === InteractiveParameters Data ===
LoginHint provided: False
User provided: False
UseEmbeddedWebView: System
ExtraScopesToConsent: 
Prompt: select_account
HasCustomWebUi: False
[09:19:15.322 86048   Debug] MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:15Z - fbb75e05-7069-41f7-8c8a-1a76332f636b] 
=== Request Data ===
Authority Provided? - True
Scopes - 499b84ac-1321-427f-aa17-267ca6975798/.default
Extra Query Params Keys (space separated) - 
ApiId - AcquireTokenInteractive
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - True
HomeAccountId - False
CorrelationId - fbb75e05-7069-41f7-8c8a-1a76332f636b
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured: 
FMI Path: 
Credential FMI Path: 

[09:19:15.323 86048   Debug] MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:15Z - fbb75e05-7069-41f7-8c8a-1a76332f636b] === Token Acquisition (InteractiveRequest) started:
	 Scopes: 499b84ac-1321-427f-aa17-267ca6975798/.default
	Authority Host: login.windows.net
[09:19:15.324 86048   Debug] MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:15Z - fbb75e05-7069-41f7-8c8a-1a76332f636b] Broker is configured. Starting broker flow without knowing the broker installation app link. 
[09:19:15.325 86048   Debug] MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:15Z] [Runtime] Broker supported OS.
[09:19:15.347 86048   Debug] MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:15Z - fbb75e05-7069-41f7-8c8a-1a76332f636b] Can invoke broker. Will attempt to acquire token with broker. 
[09:19:15.350 86048   Debug] MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:15Z] [RuntimeBroker] Calling SignInInteractivelyAsync this will show the account picker.
[09:19:15.353 86048   Debug] MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:15Z] [MSAL:0001]	INFO   	SetAuthorityUri:78	Initializing authority from URI 'https://login.windows.net/a289d6c2-3b1f-4bc4-8fa0-6866ff300052/' without authority type, defaulting to MsSts
[09:19:15.363 86048   Debug] MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:15Z] [MSAL:0002]	INFO   	-[MSAIBrokerClient isAuthorizationTypeSupported:]:856	Continue without redirectUri validation on unsigned app runtime flow
[09:19:15.363 86048   Debug] MSAL Log (Info): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:15Z] [MSAL:0002]	INFO   	-[MSAIBrokerClient shouldReCheckSsoExtState]:1443	Recheck decision: 0
[09:19:15.364 86048   Debug] MSAL Log (Error): False MSAL 4.77.1.0 MSAL.NetCore .NET 8.0.23 MacOS [2026-04-15 09:19:15Z] [MSAL:0002]	ERROR  	ErrorInternalImpl:134	Created an error: 4qj1c, StatusInternal::FallbackToNativeMsal, InternalEvent::None, Error Code 0, Context 'Authorization type is not supported for this request. Please make sure the device has been intuned.'

Additional context

dunno when is started, it worked before dotnet global tool, I even wonder if the dotnet tool worked once or not
then never worked ever again

I just got today a KeyChain prompt, which for the last month was never prompted again.
Still failing at the exact same stack trace

[Yasedo-03]

Same issue here on Mac.
It used to work before, but now it fails consistently.
This does not seem isolated.

[tebeco]

@embetten dunno who's supposed to be active on not on this repo

[embetten]

Apologies for the delay, and thanks for reporting this. We’re actively investigating.
In the meantime, you may be able to unblock by disabling macOS broker support by setting ARTIFACTS_CREDENTIALPROVIDER_MSAL_ALLOW_BROKER=false. This will fall back to browser-based authentication if available.

[tebeco]

indeed, adding

$ export ARTIFACTS_CREDENTIALPROVIDER_MSAL_ALLOW_BROKER=false
$ dotnet restore --interactive --tlp:default=false -v:d      

seems to have directly opened my browser to prompt authentication through the browser, and then properly restore.

do you need more information that would help getting the tool fixed ?

[embetten]

@tebeco - I just need confirmation these are not intune joined devices and the expectation is to use browser auth or device code flow.

[tebeco]

I'm sure this entire cover but i assume it's not

it's a personal MacBook
it never joined any entra domain

i do use it
to restore from company feed
to connect with msteams app

i don't think these action would make it an inTune device, right ?

and yes for the expectations you mentionned

[tebeco]

I would be fine with either:

• use the browser to authenticate
• use the either directly the account
• use a device pin code
• I would also be fine if it would try or ask if I want to try using the az cli which i already used to az login
• it would be even better if that stores a very long time lived token inside KeyChain and refresh it for many many many days (but i'm unsure what's the security story on that)

[embetten]

hey all, just wanted to give an update. It looks to be a lock with the main thread / macOS broker integration (see above linked bug) when intune is not available on the machine. The current workaround is to set export ARTIFACTS_CREDENTIALPROVIDER_MSAL_ALLOW_BROKER=false

We are exploring further mitigations on our side including:

• Adding a broker timeout
• Detecting Intune/SSO availability ourselves

[tebeco]

the workaround for now is perfectly acceptable since it properly trigger authentication

this was probably the biggest blocker

if you need a test on a preview version of the tool
feel free to ping me here