## Background

PR #7549 fixed core azd tenant selection by distinguishing:

- the access tenant (`UserAccessTenantId` / proto `UserTenantId`), used to acquire credentials for a signed-in user
- the resource tenant (`Subscription.TenantId`), the tenant that owns the subscription and its RBAC state

That PR intentionally stayed core-only. A follow-up extension audit found a separate cleanup worth tracking.
This is broader than #7077, which fixed one extension path with the same access-tenant issue.
The extension-facing APIs already expose both values on `azdext.Subscription`, so this should not require new gRPC surface area.

## Follow-up work
### Fix generated extension templates
The generated Go / JS / .NET prompt samples currently use `PromptSubscription().Subscription.TenantId` when creating `AzureDeveloperCliCredential`. These are access-tenant credential scenarios and should use `UserTenantId` instead.

Files:

- `extensions/microsoft.azd.extensions/internal/resources/languages/go/internal/cmd/prompt.go.tmpl`
- `extensions/microsoft.azd.extensions/internal/resources/languages/javascript/commands/prompt.js`
- `extensions/microsoft.azd.extensions/internal/resources/languages/dotnet/commands/PromptCommand.cs`

### Fix resource-tenant extension flows
At least one extension path looks like the same class of bug that #7549 (Fix principal tenant resolution and simplify subscription lookup) fixed in core:

- `extensions/azure.ai.agents/internal/project/agent_identity_rbac.go`

This code currently uses `Account().LookupTenant(...)` and then performs Graph service principal discovery plus RBAC role assignment. Since `LookupTenant()` returns the access tenant, this path should be reviewed to confirm whether it must instead use the subscription/resource tenant.

### Audit remaining explicit-subscription fallback paths
Several extensions call `LookupTenant(...)` or persist `AZURE_TENANT_ID` during explicit-subscription flows. Many of these may be correct access-tenant scenarios, but they should be audited and documented so we are consistent about when to use:

- `UserTenantId` / `LookupTenant()` for user credential acquisition
- `Subscription.TenantId` for resource-tenant principal / RBAC operations

Candidate files:

- `extensions/azure.appservice/internal/cmd/swap.go`
- `extensions/azure.ai.models/internal/cmd/init.go`
- `extensions/azure.ai.models/internal/cmd/custom.go`
- `extensions/azure.ai.agents/internal/cmd/init_foundry_resources_helpers.go`
- `extensions/azure.ai.finetune/internal/cmd/init.go`
- `extensions/azure.ai.agents/internal/project/service_target_agent.go`

## Acceptance criteria
- Generated templates use `UserTenantId` for `PromptSubscription`-based credential creation
- Remaining `LookupTenant()` usages are documented as access-tenant cases
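As an added example (not code from the azd repository, the extension templates, or this issue), the Go program below makes the two-tenant rule executable and shows why both bugs described above are latent until a user's access tenant differs from the subscription's resource tenant. `Subscription` is a local stand-in for the two values `azdext.Subscription` exposes; its field names, the `Env` token-cache/Graph simulation, and all tenant and principal IDs are assumptions constructed for this example and make no network calls.

```go
package main

import "fmt"

// Subscription is a local stand-in for the two tenant values azdext.Subscription
// exposes to extensions; the field names are assumptions made for this example.
type Subscription struct {
	ID                 string
	TenantID           string // resource tenant: owns the subscription and its RBAC state
	UserAccessTenantID string // access tenant: where the signed-in user's credential is acquired
}

// Operation classifies what a tenant ID is about to be used for.
type Operation int

const (
	AcquireUserCredential Operation = iota // e.g. building AzureDeveloperCliCredential
	ResolvePrincipal                        // Graph service principal discovery
	AssignRole                              // RBAC role assignment on the subscription
)

// TenantFor applies the rule the issue asks extensions to follow consistently.
func TenantFor(op Operation, sub Subscription) (string, error) {
	switch op {
	case AcquireUserCredential:
		if sub.UserAccessTenantID == "" {
			return "", fmt.Errorf("subscription %s has no user access tenant", sub.ID)
		}
		return sub.UserAccessTenantID, nil
	case ResolvePrincipal, AssignRole:
		if sub.TenantID == "" {
			return "", fmt.Errorf("subscription %s has no resource tenant", sub.ID)
		}
		return sub.TenantID, nil
	}
	return "", fmt.Errorf("unknown operation %d", op)
}

// Env is a constructed stand-in for Azure: the token cache `azd auth login`
// populated (keyed by tenant) and the Graph directory of service principals
// (also keyed by tenant). Nothing here makes a network call.
type Env struct {
	tokens     map[string]bool     // tenant -> a cached user token exists
	principals map[string][]string // tenant -> service principal IDs registered there
}

// GrantRole models the agent_identity_rbac-style flow: acquire the user's
// credential in credTenant, then locate the principal in rbacTenant before the
// role assignment. Both tenants are parameters so selections can be compared.
func GrantRole(env Env, credTenant, rbacTenant, spID string) error {
	if !env.tokens[credTenant] {
		return fmt.Errorf("no cached credential for tenant %s", credTenant)
	}
	for _, id := range env.principals[rbacTenant] {
		if id == spID {
			return nil // principal found where RBAC state lives; assignment would proceed
		}
	}
	return fmt.Errorf("service principal %s not found in tenant %s", spID, rbacTenant)
}

// Outcome holds the result of three tenant selections for one scenario.
type Outcome struct {
	TemplateErr error // Subscription.TenantId used for the credential (template bug)
	RBACErr     error // access tenant used for principal discovery/RBAC (agent RBAC bug)
	FixedErr    error // TenantFor consulted for each step
}

// Compare runs GrantRole once per selection.
func Compare(env Env, sub Subscription, spID string) Outcome {
	credT, _ := TenantFor(AcquireUserCredential, sub)
	rbacT, _ := TenantFor(AssignRole, sub)
	return Outcome{
		TemplateErr: GrantRole(env, sub.TenantID, rbacT, spID),
		RBACErr:     GrantRole(env, credT, sub.UserAccessTenantID, spID),
		FixedErr:    GrantRole(env, credT, rbacT, spID),
	}
}

// Scenario builds a constructed environment: the user signed in to homeTenant
// and the subscription, with its service principal, lives in resTenant.
func Scenario(homeTenant, resTenant string) (Env, Subscription) {
	env := Env{
		tokens:     map[string]bool{homeTenant: true},
		principals: map[string][]string{resTenant: {"sp-agent"}},
	}
	return env, Subscription{ID: "sub-0000", TenantID: resTenant, UserAccessTenantID: homeTenant}
}

func main() {
	// Guest user: home tenant differs from the subscription's tenant, so both
	// wrong selections fail and only the fixed one succeeds.
	env, sub := Scenario("tenant-home-1111", "tenant-res-2222")
	fmt.Printf("cross-tenant: %+v\n", Compare(env, sub, "sp-agent"))
	// Same tenant for both: every selection passes, which is why the bug is latent.
	env, sub = Scenario("tenant-3333", "tenant-3333")
	fmt.Printf("same-tenant:  %+v\n", Compare(env, sub, "sp-agent"))
}
```

The same-tenant run is the practical check: a fix for either path cannot be validated by a developer whose login tenant owns the subscription, so the audit should be exercised with a guest account or a subscription homed in a different tenant than the one `azd auth login` used.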