
fix(coding-agent): use UserTenantId for credential resolution#7078

Merged
rajeshkamal5050 merged 1 commit into main from fix/coding-agent-tenant-credential on Mar 12, 2026

Conversation


@vhvb1989 vhvb1989 commented Mar 11, 2026

Member

Fix

Multiple extensions were using Subscription.TenantId (the resource tenant — the tenant that owns the subscription) when creating AzureDeveloperCLICredential after user subscription selection.

For multi-tenant/guest users, TenantId differs from UserTenantId (the tenant the user authenticated through). Using the resource tenant causes the credential to target a tenant the user may not have direct auth tokens for, resulting in AADSTS70043/AADSTS700082 "refresh token expired" errors.

Change

- tenantId = resp.Subscription.TenantId
+ tenantId = resp.Subscription.UserTenantId
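Review bot: the variable keeps the name tenantId while its meaning changes from the resource tenant to the user access tenant, so later readers of the same variable (the review comment below notes it also feeds an Azure Portal URL tenant segment in coding_agent_config.go) cannot tell which tenant it holds; suggest renaming it to userTenantId at this line and keeping a separate resourceTenantId where the resource tenant is actually needed.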

This aligns all extensions with how azd core resolves credentials — SubscriptionsManager.LookupTenant() returns UserAccessTenantId, not TenantId.

For single-tenant users, TenantId == UserTenantId, so no behavior change.

Affected extensions

| Extension | Files |
|---|---|
| azure.coding-agent | coding_agent_config.go |
| azure.ai.models | custom.go, init.go |
| azure.ai.agents | init.go, init_from_code.go |
| azure.ai.finetune | init.go |
| microsoft.azd.ai.builder | start.go |
| microsoft.azd.demo | prompt.go |

Extensions already correct (using LookupTenant()): azure.appservice, azure.ai.agents (parser.go, service_target_agent.go).

Fixes #7077
Related: #7070

The extension was using Subscription.TenantId (the resource tenant) to
create the AzureDeveloperCLICredential after subscription selection. For
multi-tenant/guest users, this differs from Subscription.UserTenantId
(the user access tenant), causing 'refresh token expired' errors.

This aligns the extension with how azd core resolves credentials via
SubscriptionsManager.LookupTenant(), which returns UserAccessTenantId.

Fixes #7077

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
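An added audit helper, not part of this PR or of azd itself: it parses Go source with go/ast and reports every `TenantID:` field that is fed, directly or through a local variable, by a `Subscription.TenantId` selector, which is the check the follow-up comment asks for across the other extensions. The sample source, its `Resp` type and the `creds` function are constructed for the example.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"go/types"
	"strings"
)
// Constructed sample modelled on the pattern this PR fixes; it is not the extension's real file.
const sample = `package ext
func creds(resp Resp) (bad, good *azidentity.AzureDeveloperCLICredentialOptions) {
	resourceTenant := resp.Subscription.TenantId // tenant that owns the subscription
	userTenant := resp.Subscription.UserTenantId // tenant the user authenticated through
	return &azidentity.AzureDeveloperCLICredentialOptions{TenantID: resourceTenant}, &azidentity.AzureDeveloperCLICredentialOptions{TenantID: userTenant}
}`
// ResourceTenantCredentials returns the line of every TenantID: value fed, directly or via a local variable, by *.Subscription.TenantId.
func ResourceTenantCredentials(src string) ([]int, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "ext.go", src, 0)
	if err != nil {
		return nil, err
	}
	vars, hits := map[string]string{}, []int{} // local variable -> expression it was assigned from; flagged lines
	ast.Inspect(f, func(n ast.Node) bool {
		switch x := n.(type) {
		case *ast.AssignStmt: // nodes are visited in source order, so definitions precede uses
			if id, ok := x.Lhs[0].(*ast.Ident); ok && len(x.Rhs) == 1 {
				vars[id.Name] = types.ExprString(x.Rhs[0])
			}
		case *ast.KeyValueExpr: // e.g. TenantID: tenantID inside a credential options literal
			if types.ExprString(x.Key) == "TenantID" {
				from := types.ExprString(x.Value)
				if v, ok := vars[from]; ok {
					from = v // follow one level of local assignment
				}
				if strings.HasSuffix(from, ".Subscription.TenantId") {
					hits = append(hits, fset.Position(x.Pos()).Line)
				}
			}
		}
		return true
	})
	return hits, nil
}
func main() {
	hits, err := ResourceTenantCredentials(sample)
	fmt.Println("resource-tenant credential sites:", hits, "err:", err) // [5] <nil>
}
```

Run it over each extension's source files to get the list of lines that still pass the resource tenant into the credential; the `UserTenantId` call site is not reported.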

Copilot AI left a comment

Contributor


Pull request overview

Fixes multi-tenant/guest credential resolution in the azure.coding-agent extension by using the user access tenant (the tenant the user authenticated through) rather than the subscription’s resource tenant when creating the AzureDeveloperCLICredential, aligning behavior with azd core.

Changes:

  • Switch tenant selection from Subscription.TenantId to Subscription.UserTenantId when constructing AzureDeveloperCLICredentialOptions.
  • Keep subscription selection flow unchanged while ensuring the credential targets the correct tenant for token acquisition in multi-tenant scenarios.
Comments suppressed due to low confidence (1)

cli/azd/extensions/azure.coding-agent/internal/cmd/coding_agent_config.go:206

  • tenantID is now sourced from Subscription.UserTenantId (user auth tenant), but the same variable is later used to build the Azure Portal managed identity URL (the #@<tenant> segment). For guest/multi-tenant scenarios the portal blade typically needs the resource tenant (e.g., Subscription.TenantId or authConfig.TenantId) to show the subscription/resource group. Suggest splitting this into two variables (e.g., userTenantID for AzureDeveloperCLICredentialOptions.TenantID, and resourceTenantID for the portal link) to avoid breaking the portal instructions flow.
```go
tenantID := subscriptionResponse.Subscription.UserTenantId
subscriptionID := subscriptionResponse.Subscription.Id

cred, err := azidentity.NewAzureDeveloperCLICredential(&azidentity.AzureDeveloperCLICredentialOptions{
	TenantID: tenantID,
```


@rajeshkamal5050 rajeshkamal5050 merged commit 6ac9299 into main Mar 12, 2026
21 checks passed
Comment on lines +202 to 203
```go
tenantID := subscriptionResponse.Subscription.UserTenantId
subscriptionID := subscriptionResponse.Subscription.Id
```

Contributor


Can we verify other extensions don't have the same issue too?

Member Author


I'll turn the engines on it :)

Contributor


😂

Member Author


Audited all extensions. Found and fixed the same bug in 5 more:

| Extension | Files | Status |
|---|---|---|
| azure.ai.models | custom.go, init.go (2 spots) | ❌ Fixed |
| azure.ai.agents | init.go, init_from_code.go | ❌ Fixed |
| azure.ai.finetune | init.go (2 spots) | ❌ Fixed |
| microsoft.azd.ai.builder | start.go | ❌ Fixed |
| microsoft.azd.demo | prompt.go | ❌ Fixed |
| azure.appservice | swap.go | ✅ Already correct (uses LookupTenant) |
| azure.ai.agents | parser.go, service_target_agent.go | ✅ Already correct (uses LookupTenant) |

Pushed in b5c9ebf.

Member


It was me the entire time! :|

@rajeshkamal5050 rajeshkamal5050 added this to the Mar 2026 milestone Mar 18, 2026
jongio pushed a commit to jongio/azure-dev that referenced this pull request Mar 18, 2026
…7078)

The extension was using Subscription.TenantId (the resource tenant) to
create the AzureDeveloperCLICredential after subscription selection. For
multi-tenant/guest users, this differs from Subscription.UserTenantId
(the user access tenant), causing 'refresh token expired' errors.

This aligns the extension with how azd core resolves credentials via
SubscriptionsManager.LookupTenant(), which returns UserAccessTenantId.

Fixes Azure#7077

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Development

Successfully merging this pull request may close these issues.

Extensions use wrong tenant ID (TenantId vs UserTenantId) for credential resolution
