az login --use-device-code fails

[parth21999]

Describe the bug

I tried logging in in using az login --use-device-code

I get an error message saying "AADSTS900561: The endpoint only accepts POST requests. Received a GET request."

Copied from login errors:
Error Code: 53003
Request Id: 25ab1408-9854-4204-be22-719af9910400
Correlation Id: 148787df-c02d-4cbe-947e-481164f67f03
Timestamp: 2026-01-09T00:38:22.547Z
App name: Microsoft Azure CLI
App id: 04b07795-8ddb-461a-bbee-02f9e1bf7b46
IP address: 20.236.10.66
Device identifier: 46941ad3-56a6-4c67-9e8e-a45227c6baba
Device platform: Windows 10
Device state: Compliant

Related command

az login --use-device-code

Errors

Error Code: 53003
Request Id: 25ab1408-9854-4204-be22-719af9910400
Correlation Id: 148787df-c02d-4cbe-947e-481164f67f03
Timestamp: 2026-01-09T00:38:22.547Z
App name: Microsoft Azure CLI
App id: 04b07795-8ddb-461a-bbee-02f9e1bf7b46
IP address: 20.236.10.66
Device identifier: 46941ad3-56a6-4c67-9e8e-a45227c6baba
Device platform: Windows 10
Device state: Compliant

Issue script & Debug output

PS D:\r2\temp> az login --use-device-code --debug
cli.knack.cli: Command arguments: ['login', '--use-device-code', '--debug']
cli.knack.cli: init debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x0000022881AA45E0>, <function OutputProducer.on_global_arguments at 0x00000228820399E0>, <function CLIQuery.on_global_arguments at 0x000002288208B920>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'login': ['azure.cli.command_modules.profile']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: profile 0.011 2 8
cli.azure.cli.core: Total (1) 0.011 2 8
cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name Load Time Groups Commands Directory
cli.azure.cli.core: Total (0) 0.000 0 0
cli.azure.cli.core: Loaded 2 groups, 8 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : login
cli.azure.cli.core: Command table: login
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x000002288407D1C0>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\paaggarwal.azure\commands\2026-01-08.16-48-05.login.50204.log'.
az_command_data_logger: command args: login --use-device-code --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0x00000228848BE700>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x0000022884934A40>, <function register_cache_arguments..add_cache_arguments at 0x0000022884934C20>, <function register_upcoming_breaking_change_info..update_breaking_change_info at 0x0000022884934CC0>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x0000022882039A80>, <function CLIQuery.handle_query_parameter at 0x000002288208B9C0>, <function register_ids_argument..parse_ids_arguments at 0x0000022884934AE0>]
cli.azure.cli.core.auth.persistence: build_persistence: location='C:\Users\paaggarwal\.azure\msal_token_cache.bin', encrypt=True
cli.azure.cli.core.auth.binary_cache: load: C:\Users\paaggarwal.azure\msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/organizations
msal.authority: openid_config("https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic', 'self_signed_tls_client_auth'], 'jwks_uri': 'https://login.microsoftonline.com/organizations/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/{tenantid}/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/organizations/kerberos', 'mtls_endpoint_aliases': {'token_endpoint': 'https://mtlsauth.microsoft.com/organizations/oauth2/v2.0/token'}, 'tls_client_certificate_bound_access_tokens': True, 'tenant_region_scope': None, 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? True
urllib3.connectionpool: Starting new HTTPS connection (1): login.microsoftonline.com:443
urllib3.connectionpool: https://login.microsoftonline.com:443 "POST /organizations/oauth2/v2.0/devicecode HTTP/1.1" 200 501
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code AW26RGGEE to authenticate.
msal.telemetry: Generate or reuse correlation_id: dc86f532-115e-49b2-99af-ffabd5f32b51
urllib3.connectionpool: https://login.microsoftonline.com:443 "POST /organizations/oauth2/v2.0/token HTTP/1.1" 400 501
urllib3.connectionpool: https://login.microsoftonline.com:443 "POST /organizations/oauth2/v2.0/token HTTP/1.1" 400 501
urllib3.connectionpool: https://login.microsoftonline.com:443 "POST /organizations/oauth2/v2.0/token HTTP/1.1" 400 501
urllib3.connectionpool: https://login.microsoftonline.com:443 "POST /organizations/oauth2/v2.0/token HTTP/1.1" 400 501
urllib3.connectionpool: https://login.microsoftonline.com:443 "POST /organizations/oauth2/v2.0/token HTTP/1.1" 400 501
urllib3.connectionpool: https://login.microsoftonline.com:443 "POST /organizations/oauth2/v2.0/token HTTP/1.1" 400 501
urllib3.connectionpool: https://login.microsoftonline.com:443 "POST /organizations/oauth2/v2.0/token HTTP/1.1" 400 501
urllib3.connectionpool: https://login.microsoftonline.com:443 "POST /organizations/oauth2/v2.0/token HTTP/1.1" 400 501
urllib3.connectionpool: https://login.microsoftonline.com:443 "POST /organizations/oauth2/v2.0/token HTTP/1.1" 400 501
urllib3.connectionpool: https://login.microsoftonline.com:443 "POST /organizations/oauth2/v2.0/token HTTP/1.1" 400 501
urllib3.connectionpool: https://login.microsoftonline.com:443 "POST /organizations/oauth2/v2.0/token HTTP/1.1" 400 501
urllib3.connectionpool: https://login.microsoftonline.com:443 "POST /organizations/oauth2/v2.0/token HTTP/1.1" 400 501
urllib3.connectionpool: https://login.microsoftonline.com:443 "POST /organizations/oauth2/v2.0/token HTTP/1.1" 400 501
urllib3.connectionpool: https://login.microsoftonline.com:443 "POST /organizations/oauth2/v2.0/token HTTP/1.1" 400 501

Expected behavior

login should succeed

Environment Summary

PS D:\r2\temp> az --version
azure-cli 2.77.0 *

core 2.77.0 *
telemetry 1.1.0

Extensions:
azure-devops 1.0.2

Dependencies:
msal 1.34.0b1
azure-mgmt-resource 23.3.0

Python location 'C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe'
Config directory 'C:\Users\paaggarwal.azure'
Extensions directory 'C:\Users\paaggarwal.azure\cliextensions'

Python (Windows) 3.13.7 (tags/v3.13.7:bcee1c3, Aug 14 2025, 14:15:11) [MSC v.1944 64 bit (AMD64)]

Legal docs and information: aka.ms/AzureCliLegal

Additional context

No response

[azure-client-tools-bot-prd]

Hi @parth21999,

2.77.0 is not the latest Azure CLI(2.81.0).

If you haven't already attempted to do so, please upgrade to the latest Azure CLI version by following https://learn.microsoft.com/en-us/cli/azure/update-azure-cli.

[yonzhan]

Thank you for opening this issue, we will look into it.

[parth21999]

Hi @parth21999,

2.77.0 is not the latest Azure CLI(2.81.0).

If you haven't already attempted to do so, please upgrade to the latest Azure CLI version by following https://learn.microsoft.com/en-us/cli/azure/update-azure-cli.

I tried with the latest version, same issue.

[jiasli]

There are 2 errors in this issue:

1. AADSTS900561: The endpoint only accepts POST requests. Received a GET request. Could you share how the error is triggered? Are you manually visiting https://login.microsoftonline.com/organizations/oauth2/v2.0/token in a web browser?
2. 53003: This is by design for Microsoft tenant. See [Microsoft internal] Microsoft tenant forbids device code flow #32420.