Bug
The azure.coding-agent extension uses Subscription.TenantId (the resource tenant — the tenant that owns the subscription) when creating the AzureDeveloperCLICredential after the user selects a subscription via PromptSubscription.
```go
tenantID := subscriptionResponse.Subscription.TenantId // resource tenant
cred, err := azidentity.NewAzureDeveloperCLICredential(&azidentity.AzureDeveloperCLICredentialOptions{
    TenantID: tenantID,
})
```
However, azd core resolves credentials using UserAccessTenantId (the tenant the user authenticated through to access the subscription). This is what SubscriptionsManager.LookupTenant() returns (subscriptions_manager.go:129).
For single-tenant users, TenantId == UserTenantId, so there is no issue. For multi-tenant or guest users, these values differ. Using TenantId causes the credential to target a tenant the user may not have direct auth tokens for, resulting in AADSTS70043 / AADSTS700082 "refresh token expired" errors when trying to create resources (e.g., Managed Identity, Resource Group).
Repro (multi-tenant user)
- azd auth login (authenticates to home tenant)
- azd coding-agent config
  - Select a subscription that the user accesses as a guest in a different tenant
  - Proceed to the MSI creation step → error: refresh token expired
Expected
The extension should use Subscription.UserTenantId (proto field user_tenant_id) instead of Subscription.TenantId, matching how azd core resolves credentials.
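As an added illustration (not code from the extension or from azd itself), the tenant selection the report asks for, written against a constructed stand-in for the Subscription message rather than the generated proto type; the helper names are hypothetical:

```go
package main

import (
	"errors"
	"fmt"
)

// subscription mirrors the two tenant fields of azd's Subscription message
// discussed in the report (constructed stand-in, not the generated proto type).
type subscription struct {
	Id           string
	TenantId     string // resource tenant: the tenant that owns the subscription
	UserTenantId string // tenant the user authenticated through (proto: user_tenant_id)
}

// credentialTenant returns the tenant that AzureDeveloperCLICredential should be
// given: the user's access tenant, matching what SubscriptionsManager.LookupTenant()
// resolves. It falls back to TenantId only when UserTenantId is absent, which is
// the only case in which the two can be assumed to be the same tenant.
func credentialTenant(sub subscription) (string, error) {
	if sub.UserTenantId != "" {
		return sub.UserTenantId, nil
	}
	if sub.TenantId != "" {
		return sub.TenantId, nil
	}
	return "", errors.New("subscription carries no tenant information")
}

// crossTenantAccess reports whether the user reaches this subscription as a guest
// or multi-tenant user, i.e. the case where passing TenantId to the credential
// targets a tenant the user holds no refresh token for (AADSTS70043 / AADSTS700082).
func crossTenantAccess(sub subscription) bool {
	return sub.UserTenantId != "" && sub.UserTenantId != sub.TenantId
}

func main() {
	// Constructed sample: a guest user whose home tenant differs from the
	// tenant that owns the selected subscription.
	guest := subscription{Id: "sub-guest", TenantId: "resource-tenant", UserTenantId: "home-tenant"}
	tenant, err := credentialTenant(guest)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("cross-tenant=%v credential tenant=%s (resource tenant=%s)\n",
		crossTenantAccess(guest), tenant, guest.TenantId)
}
```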
Workaround
Run azd init and azd env set AZURE_SUBSCRIPTION_ID <subscription-id> before running azd coding-agent config. This causes azd's credential provider to resolve the correct tenant via LookupTenant().
Related
Discovered via #7070