
Extensions use wrong tenant ID (TenantId vs UserTenantId) for credential resolution #7077

Description

@vhvb1989

Bug

The azure.coding-agent extension uses Subscription.TenantId (the resource tenant — the tenant that owns the subscription) when creating the AzureDeveloperCLICredential after the user selects a subscription via PromptSubscription.

```go
// Current extension code: picks the resource tenant (the tenant that owns the
// subscription) rather than the tenant the user authenticated through.
tenantID := subscriptionResponse.Subscription.TenantId // resource tenant
cred, err := azidentity.NewAzureDeveloperCLICredential(&azidentity.AzureDeveloperCLICredentialOptions{
    TenantID: tenantID,
})
```

However, azd core resolves credentials using UserAccessTenantId (the tenant the user authenticated through to access the subscription). This is what SubscriptionsManager.LookupTenant() returns (subscriptions_manager.go:129).

For single-tenant users, TenantId == UserTenantId, so there is no issue. For multi-tenant or guest users, these values differ. Using TenantId causes the credential to target a tenant the user may not have direct auth tokens for, resulting in AADSTS70043 / AADSTS700082 "refresh token expired" errors when trying to create resources (e.g., Managed Identity, Resource Group).

Repro (multi-tenant user)

  1. azd auth login (authenticates to home tenant)
  2. azd coding-agent config
  3. Select a subscription that the user accesses as a guest in a different tenant
  4. Proceed to the MSI creation step → error: refresh token expired

Expected

The extension should use Subscription.UserTenantId (proto field user_tenant_id) instead of Subscription.TenantId, matching how azd core resolves credentials.

Workaround

Run azd init and azd env set AZURE_SUBSCRIPTION_ID <subscription-id> before running azd coding-agent config. This causes azd's credential provider to resolve the correct tenant via LookupTenant().

Related

Discovered via #7070
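The mismatch described in this issue, modelled as a small added example that is not part of the issue or of the azd code base: a cache that only holds tokens for tenants the user actually signed in to, a subscription whose resource tenant differs from the tenant the user accessed it through, and the two tenant-selection strategies side by side. The `Subscription` struct, the `TokenCache` mock and the fallback to `TenantId` when `UserTenantId` is empty are all constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Subscription carries the two tenant fields from the PromptSubscription
// response that the issue contrasts. Constructed type for this example; the
// field names follow the issue text (proto field user_tenant_id).
type Subscription struct {
	Id           string
	TenantId     string // resource tenant: the tenant that owns the subscription
	UserTenantId string // tenant the user authenticated through to access it
}

// TokenCache stands in for the local credential cache: it only holds tokens
// for tenants the user actually signed in to. Constructed mock.
type TokenCache map[string]string

// ErrNoTokenForTenant models the "refresh token expired" failure the issue
// reports when a credential targets a tenant the user never authenticated against.
var ErrNoTokenForTenant = errors.New("no cached token for tenant (refresh token expired or missing)")

// GetToken mimics a credential requesting a token scoped to one tenant.
func (c TokenCache) GetToken(tenantID string) (string, error) {
	tok, ok := c[tenantID]
	if !ok {
		return "", fmt.Errorf("tenant %s: %w", tenantID, ErrNoTokenForTenant)
	}
	return tok, nil
}

// BuggyTenant reproduces the extension's current choice: the resource tenant.
func BuggyTenant(sub Subscription) string {
	return sub.TenantId
}

// FixedTenant applies the change the issue asks for: prefer UserTenantId.
// Falling back to TenantId when user_tenant_id is empty is a defensive choice
// made for this example, not something the issue specifies; for single-tenant
// users the two values are equal anyway.
func FixedTenant(sub Subscription) string {
	if sub.UserTenantId != "" {
		return sub.UserTenantId
	}
	return sub.TenantId
}

// AcquireToken is the step that fails in the repro: pick a tenant from the
// selected subscription, then ask the cache for a token scoped to it.
func AcquireToken(cache TokenCache, sub Subscription, pick func(Subscription) string) (string, error) {
	return cache.GetToken(pick(sub))
}

func main() {
	// Constructed scenario: the user signed in to their home tenant only, and
	// the selected subscription is owned by a different tenant.
	cache := TokenCache{"home-tenant-0000": "tok-home"}
	sub := Subscription{
		Id:           "sub-1111",
		TenantId:     "resource-tenant-2222",
		UserTenantId: "home-tenant-0000",
	}

	strategies := map[string]func(Subscription) string{
		"TenantId (current)": BuggyTenant,
		"UserTenantId (fix)": FixedTenant,
	}
	for name, pick := range strategies {
		if _, err := AcquireToken(cache, sub, pick); err != nil {
			fmt.Printf("%-20s -> error: %v\n", name, err)
		} else {
			fmt.Printf("%-20s -> token acquired\n", name)
		}
	}
}
```

With the constructed cache, `BuggyTenant` asks for a token in `resource-tenant-2222`, which the user never signed in to, so the request fails; `FixedTenant` asks for `home-tenant-0000` and succeeds. When both fields hold the same value, as for single-tenant users, the two strategies behave identically, which is why the bug only surfaces for the multi-tenant case.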
