Add `azd auth status` command
Users had to discover `azd auth login --check-status` to check authentication status, which is unintuitive compared to CLIs like `gh` that use `auth status` subcommands.
Changes
- New command: `azd auth status` checks authentication status and displays user information
  - Supports `--output json` for structured output
  - Returns status `success` or `unauthenticated` with expiration time
  - Shows credential expiration time in both text and JSON output formats
  - No tenant or scope flags - checks current user's credentials only
- Backward compatibility: `azd auth login --check-status` continues to work unchanged
  - Updated to display credential expiration time for consistency with `azd auth status`
Usage
```
# New intuitive command
$ azd auth status
Not logged in, run `azd auth login` to login to Azure

# When logged in
$ azd auth status
Logged in to Azure as [email protected]
Credential expires on: 2024-01-15 10:30:45 UTC

# JSON output
$ azd auth status --output json
{
  "status": "unauthenticated"
}

# Or when logged in
$ azd auth status --output json
{
  "status": "success",
  "expiresOn": "2024-01-15T10:30:45Z"
}

# Old flag still works with same output
$ azd auth login --check-status
Logged in to Azure as [email protected]
Credential expires on: 2024-01-15 10:30:45 UTC
```
Implementation
Created `auth_status.go` with dedicated command registration in the auth command group. The command checks the current user's authentication status using default login scopes, without allowing tenant or scope overrides (since azd stores only one current user credential at a time). Both text and JSON output formats now include credential expiration information. Updated `azd auth login --check-status` to display the same credential expiration information for consistency.
Original prompt
This section details the original issue you should resolve
<issue_title>[Issue] Consider adding `azd auth status`</issue_title>
<issue_description>I can check auth status like this: `azd auth login --check-status`
It took me a while to figure that out and needed help from the team.
It would be more intuitive to have `azd auth status`
Like the gh cli: https://cli.github.com/manual/gh_auth</issue_description>
<agent_instructions>Please write as little code as possible to complete this task. Use the DRY principle and follow the style of the repo docs and maintainers here. </agent_instructions>
Comments on the Issue (you are @copilot in this section)
- Fixes Azure/azure-dev#2898
Love the idea - just have some open questions about the flags. @copilot - Please review token caching and if we support multiple tokens with different tenants/scopes.
Reviewed the auth system in commit bb9541f. The system stores a single "current user" credential (not multiple tokens). When CredentialForCurrentUser is called, it returns a credential that can fetch tokens on-demand with different scopes/tenants, but there's only one logged-in user at a time. The tenant-id and scope flags have been removed from azd auth status since they don't apply to status checking - the command now simply verifies the current user's credentials.
[!WARNING]
Firewall rules blocked me from connecting to one or more addresses (expand for details)
I tried to connect to the following addresses, but was blocked by firewall rules:
- aka.ms
- westus-0.in.applicationinsights.azure.com
If you need me to access, download, or install something from one of these locations, you can either:
- Configure Actions setup steps to set up my environment, which run before the firewall is enabled
- Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)
@copilot apply changes based on the comments in this thread
/azp run azure-dev - cli
Azure Pipelines successfully started running 1 pipeline(s).
Expiry time shows "access token" expiry time NOT ID token expiry token
@copilot check this comment and update if needed
Reviewed @weikanglim's comment. The current implementation shows the access token expiry time (which is short-lived, typically ~15 minutes and auto-refreshed).
As @weikanglim noted, this could be confusing since the user's auth session remains valid longer. However, showing the ID token expiry instead might also be misleading since it can be revoked independently.
Options for addressing this:
- Remove expiry display entirely - Only show login status and account info
- Move to debug/log output - Keep it for diagnostic purposes but not in normal user output
- Keep as-is - Accept that it shows access token expiry as technical information
- Add clarifying text - E.g., "Access token expires on: ..." to make it clear this is just the token, not the session
Please clarify which approach is preferred and I'll implement it.
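Added example, not part of the PR or of azd's code: a Go pre-flight check that a pipeline could run over the `azd auth status --output json` output shown under Usage. It assumes only the two fields shown there (`status`, `expiresOn`); the type, function and error names are hypothetical. Following the thread, `expiresOn` is read as the access token's expiry, so an elapsed expiry is reported as zero time left rather than as logged out.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// AuthStatus mirrors the two JSON fields shown on this page (hypothetical type).
type AuthStatus struct {
	Status    string     `json:"status"`
	ExpiresOn *time.Time `json:"expiresOn,omitempty"`
}

var ErrUnauthenticated = errors.New("not logged in: run `azd auth login`")

// CheckAuth parses `azd auth status --output json` output and returns the time
// left on the access token. Per the review thread, expiresOn is the access
// token's expiry, not the session's, so zero time left is not "logged out".
func CheckAuth(raw []byte, now time.Time) (time.Duration, error) {
	var s AuthStatus
	if err := json.Unmarshal(raw, &s); err != nil {
		return 0, fmt.Errorf("unparseable auth status: %w", err)
	}
	switch s.Status {
	case "success":
		if s.ExpiresOn == nil || !s.ExpiresOn.After(now) {
			return 0, nil // logged in; expiry absent or already passed
		}
		return s.ExpiresOn.Sub(now), nil
	case "unauthenticated":
		return 0, ErrUnauthenticated
	default:
		// Fail closed on any status value this page does not show.
		return 0, fmt.Errorf("unexpected status %q", s.Status)
	}
}

func main() {
	// Constructed input: the logged-in JSON from the Usage section.
	raw := []byte(`{"status":"success","expiresOn":"2024-01-15T10:30:45Z"}`)
	now := time.Date(2024, 1, 15, 10, 20, 45, 0, time.UTC) // constructed clock
	left, err := CheckAuth(raw, now)
	fmt.Println(left, err) // 10m0s <nil>
}
```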