Azure Machine Learning: Fixing Authentication Error AADSTS70020 / AADSTS70016

Migrating your Azure Machine Learning Workspace to a new subscription can be a daunting task. You’ve recreated your setup, scheduled your pipelines, finished your Python scripts and are eager to start using it. But wait, an unexpected Authentication Error AADSTS70020 or AADSTS70016 is halting your progress! In this blog post, we’ll dive into the solution for this issue, helping you seamlessly move your workspace and keep your data science projects on track.

Understanding the Authentication Error AADSTS70020 / AADSTS70016 issue

I stumbled upon these two errors after I had rebuilt all my pipelines in a new Azure Machine Learning Workspace. The exact error messages look like this:

Got exception when invoking script at line 29 in function azureml_main: 'AuthenticationError: AADSTS70016: OAuth 2.0 device flow error. Authorization is pending. Continue polling.


Got exception when invoking script at line 29 in function azureml_main: 'AuthenticationError: AADSTS70020: The provided value for the input parameter 'device_code' is not valid. This device code has expired.

If you’ve encountered these errors in your Python scripts, you’re not alone. They stem from a change in how Azure handles authentication during workspace access. Previously, you could use a straightforward method, but things have evolved.

The Outdated Way: Avoid It!

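from azureml.core import Workspace

subscription_id = '00000000-1111-2222-3333-4444444444444'
resource_group = 'YourResourcegroup'
workspace_name = 'MyWorkspaceName'
# No auth argument is passed, so retrieving the workspace forces an interactive authentication.
workspace = Workspace(subscription_id, resource_group, workspace_name)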

In the past, you might have accessed your workspace like this in Python. It was as simple as providing the subscription ID, resource group, and workspace name. However, this method is outdated and no longer reliable due to authentication timeouts. The reason is that retrieving the workspace object forces an authentication, and this is done via InteractiveBrowser authentication: in practice, a code is shared in the logs at runtime. Since Microsoft does not take that code any further and complete the authentication, the authentication times out and the pipeline job is considered a failure because it couldn’t complete the Python code execution. Old pipelines do still work, but new pipelines won’t run with this code anymore.

Updating your code

Therefore, I would like to propose an easier approach: obtain the workspace object directly from the current run (execution) context, as shown below:

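from azureml.core import Run

def azureml_main(dataframe1 = None, dataframe2 = None):
    # Take the workspace from the current run context; no separate login is triggered.
    run = Run.get_context(allow_offline=True)
    workspace = run.experiment.workspace
    # The Execute Python Script entry point has to return a sequence of dataframes.
    return dataframe1,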
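
To find scripts that still carry the outdated pattern before they fail in the new workspace, the following check parses a script and reports every `Workspace(...)`, `Workspace.get(...)` or `Workspace.from_config(...)` call that passes no `auth=` argument. It is an added example, not code from the original post; `find_implicit_auth`, `SAMPLE` and `sp_auth` are hypothetical names, and the sample script is constructed.

```python
import ast

# Constructed sample of an Execute Python Script body; sp_auth is a hypothetical name.
SAMPLE = '''\
from azureml.core import Run, Workspace

def azureml_main(dataframe1=None, dataframe2=None):
    workspace = Workspace(subscription_id, resource_group, workspace_name)
    other = Workspace.get("MyWorkspaceName", auth=sp_auth)
    run = Run.get_context(allow_offline=True)
    workspace = run.experiment.workspace
    return dataframe1,
'''

# Workspace class methods that, like the constructor, accept an auth= argument.
FACTORY_METHODS = {"get", "from_config"}


def _is_workspace_call(func):
    """True for Workspace(...), <module>.Workspace(...), Workspace.get/from_config(...)."""
    if isinstance(func, ast.Name):
        return func.id == "Workspace"
    if isinstance(func, ast.Attribute):
        if func.attr == "Workspace":
            return True
        owner = func.value
        owner_name = owner.id if isinstance(owner, ast.Name) else getattr(owner, "attr", None)
        return owner_name == "Workspace" and func.attr in FACTORY_METHODS
    return False


def find_implicit_auth(source, filename="<script>"):
    """Return sorted (line, call text) pairs for Workspace calls lacking auth=.

    Only the keyword form is recognised; a call that forwards **kwargs is
    skipped because its arguments cannot be seen statically.
    """
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Call) and _is_workspace_call(node.func):
            if not any(kw.arg in ("auth", None) for kw in node.keywords):
                findings.append((node.lineno, ast.get_source_segment(source, node)))
    return sorted(findings)


if __name__ == "__main__":
    for line, call in find_implicit_auth(SAMPLE):
        print(f"line {line}: {call} has no explicit auth=")
```

A call that passes the authentication object positionally is still reported, so treat each finding as a prompt for review.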

Conclusion

In this blog post, we’ve uncovered the AuthenticationError AADSTS70020 and AADSTS70016 obstacle that can hinder your Azure Machine Learning Workspace migration. By switching the authentication method and updating your Python code, you can confidently move your workspace to a new subscription and continue your data science journey without interruptions.
