Terraform 1.11 with azurerm provider Terraform plan fails with 401 authentication issue when backend and azurerm provider are in different tenants #36728

Open
ctienshi opened this issue Mar 20, 2025 · 2 comments
Labels
backend/azure bug new new issue not yet triaged

Comments


ctienshi commented Mar 20, 2025

Terraform Version

1.11.2

Terraform Configuration Files

terraform {
  backend "azurerm" {
    subscription_id      = "xxx"
    resource_group_name  = "xxx"
    storage_account_name = "xxx"
    container_name       = "xxx"
    key                  = "terraform.tfstate"
    # Authenticate to the storage account with Azure AD instead of an access key
    use_azuread_auth     = true
  }
}

# Configure the Azure provider
provider "azurerm" {
  features {}
  subscription_id     = var.subscription_id
  tenant_id           = var.tenant_id
  storage_use_azuread = true
}

Debug Output

│ Error: error loading state: executing request: unexpected status 401 (401 Server failed to authenticate the request. Please refer to the information in the www-authenticate header.) with InvalidAuthenticationInfo: Server failed to authenticate the request. Please refer to the information in the www-authenticate header.
│ RequestId:9b2503f8-501e-0052-2696-99b6f3000000
│ Time:2025-03-20T12:48:14.1906967Z

Expected Behavior

Terraform 1.10.x worked fine.

Actual Behavior

Authentication fails when Terraform plan is run.

│ Error: error loading state: executing request: unexpected status 401 (401 Server failed to authenticate the request. Please refer to the information in the www-authenticate header.) with InvalidAuthenticationInfo: Server failed to authenticate the request. Please refer to the information in the www-authenticate header.
│ RequestId:9b2503f8-501e-0052-2696-99b6f3000000
│ Time:2025-03-20T12:48:14.1906967Z

Steps to Reproduce

terraform init -backend-config=container_name=test
terraform plan

Additional Context

The Terraform backend is in a storage account in a different Azure tenant. The azurerm provider is configured to deploy the resources in a different Azure tenant. This worked fine with Terraform 1.10.x. After the upgrade to 1.11.2, this starts to fail.

References

No response

Generative AI / LLM assisted development?

No response

@ctienshi ctienshi added bug new new issue not yet triaged labels Mar 20, 2025
@ctienshi ctienshi changed the title from "Terraform 1.11 with azurerm provider Terraform plan fails with 401 authentication issue" to "Terraform 1.11 with azurerm provider Terraform plan fails with 401 authentication issue when backend and azurerm provider are in different tenants" Mar 20, 2025
@ctienshi ctienshi reopened this Mar 24, 2025
Member

jbardin commented Mar 24, 2025

Hi @ctienshi,

Your issue title says that the provider fails, but the error indicates it has to do with the state storage. The provider and backend are configured separately, and run from different processes entirely. Can you show how the provider is involved in the failure?

@crw crw added the waiting-response An issue/pull request is waiting for a response from the community label Mar 24, 2025
Author

ctienshi commented Mar 25, 2025

@jbardin We have two Azure tenants. The backend is in one tenant, and the azurerm provider is pointed to the other tenant. Following are the steps that we follow.

  1. az login to the backend tenant where the backend storage account is
  2. terraform init to the backend.
  3. az login to the tenant where the azurerm provider is pointed to
  4. terraform plan

Following is the backend configuration which is in one tenant.

terraform {
  backend "azurerm" {
    subscription_id      = "xxx"
    resource_group_name  = "xxx"
    storage_account_name = "xxx"
    container_name       = "xxx"
    key                  = "terraform.tfstate"
    # Authenticate to the storage account with Azure AD instead of an access key
    use_azuread_auth     = true
  }
}

Azurerm provider pointing to a different tenant.

provider "azurerm" {
  features {}
  subscription_id     = var.subscription_id
  tenant_id           = var.tenant_id
  storage_use_azuread = true
}

This config and the steps worked before with Terraform 1.10. But with the latest 1.11.2 it throws the error. This is the failure after running the Terraform plan.

│ Error: error loading state: executing request: unexpected status 401 (401 Server failed to authenticate the request. Please refer to the information in the www-authenticate header.) with InvalidAuthenticationInfo: Server failed to authenticate the request. Please refer to the information in the www-authenticate header.
│ RequestId:9b2503f8-501e-0052-2696-99b6f3000000
│ Time:2025-03-20T12:48:14.1906967Z

It seems that after logging in to the azurerm provider tenant, it starts to look for the backend storage account in that second tenant and throws the error.

@jbardin jbardin removed the waiting-response An issue/pull request is waiting for a response from the community label Mar 25, 2025
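
Added example, not part of the issue thread or of Terraform's code: a Python check for the hypothesis in the last comment, comparing the tenant named in the storage service's WWW-Authenticate challenge with the `tid` claim of the token being presented. The tenant IDs, header and token below are constructed, and the `authorization_uri=https://.../<tenant-id>/...` header shape is an assumption about what the 401 response carries.

```python
import base64
import json
import re

# Constructed tenant IDs for the demo (not taken from the issue).
BACKEND_TENANT = "11111111-1111-1111-1111-111111111111"
PROVIDER_TENANT = "22222222-2222-2222-2222-222222222222"

# Assumed shape of the Bearer challenge on a storage 401 (constructed sample).
SAMPLE_CHALLENGE = (
    "Bearer authorization_uri=https://login.microsoftonline.com/"
    + BACKEND_TENANT + "/oauth2/authorize resource_id=https://storage.azure.com"
)
_GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"

def challenge_tenant(www_authenticate):
    """Return the tenant ID named in authorization_uri, or None if absent."""
    m = re.search(r'authorization_uri="?https://[^/\s"]+/(' + _GUID + ")/", www_authenticate)
    return m.group(1).lower() if m else None

def token_claims(jwt):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose(www_authenticate, jwt):
    """Compare the tenant the storage account expects with the token's tenant."""
    expected = challenge_tenant(www_authenticate)
    claims = token_claims(jwt)
    actual = str(claims.get("tid") or "").lower() or None
    return {
        "expected_tenant": expected,
        "token_tenant": actual,
        "audience": claims.get("aud"),
        "tenant_match": expected is not None and expected == actual,
    }

def make_sample_token(tid):
    """Build an unsigned, constructed token for the demo; not a real credential."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"tid": tid, "aud": "https://storage.azure.com"}), "sig"])

if __name__ == "__main__":
    for name, tid in (("backend login", BACKEND_TENANT), ("provider login", PROVIDER_TENANT)):
        print(name, diagnose(SAMPLE_CHALLENGE, make_sample_token(tid)))
```

For a real check, pass `diagnose` the WWW-Authenticate header from the failed response and the output of `az account get-access-token --resource https://storage.azure.com/ --query accessToken -o tsv`, and treat that token as a secret.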