
[PROPOSAL] Have the general best practices mention the troubleshooting guide

Open alzimmermsft opened this issue 3 months ago • 1 comments

I was using Claude Sonnet 4 to try and list KV secrets and ran into the following issue:

"status":500, "message": "Error retrieving secrets from vault vicolinamanualtests: The ChainedTokenCredential failed due to an unhandled exception: The current credential is not configured to acquire tokens for tenant 70a036f6-8e4d-4615-bad6-149c02e7720d. To enable acquiring tokens for this tenant add it to the AdditionallyAllowedTenants on the credential options, or add \u0022*\u0022 to AdditionallyAllowedTenants to allow acquiring tokens for any tenant. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/multitenant/troubleshoot. To mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azmcp/troubleshooting."

Turns out it was because the tenantId the CustomChainedCredential.CreateVsCodeBrokerCredential() obtained from VS Code's authRecord.json file did not match the one my key vault resides on.

Our troubleshooting guide says to use the --tenant-id parameter in the tool call when faced with an incorrect subscription or tenant context (although only mentioned for a 403 status code), so I was able to get the agent to do this after explicitly telling it to, but it could not figure it out on its own, which brings me to the point of this post: Should we tell agents to also check out the TROUBLESHOOTING.md file when providing it with our best practices? It would have certainly saved me some time — and I'm familiar with the server, can't imagine how bad it could go for someone that's more distanced from it or Azure itself.

alzimmermsft, Sep 03 '25 21:09

Copied from https://github.com/Azure/azure-mcp/issues/681

alzimmermsft, Sep 03 '25 21:09
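
Added example, not part of the original issue or of the Azure MCP project's code: a small triage helper that recognises the tenant-mismatch error quoted above from its message text rather than its status code (the report saw a 500, while the guide mentions --tenant-id only for 403) and returns the retry hint. The function name, the returned field names, and the assumption that the tenant named in the error is the value to pass to --tenant-id are hypothetical; the sample response is constructed and abridged from the error in the issue.

```python
import json
import re

# Constructed sample: the error quoted in the issue, abridged and wrapped in
# braces so that it parses as a JSON object.
SAMPLE_RESPONSE = (
    r'{"status":500, "message": "Error retrieving secrets from vault '
    r'vicolinamanualtests: The ChainedTokenCredential failed due to an '
    r'unhandled exception: The current credential is not configured to '
    r'acquire tokens for tenant 70a036f6-8e4d-4615-bad6-149c02e7720d. To '
    r'enable acquiring tokens for this tenant add it to the '
    r'AdditionallyAllowedTenants on the credential options, or add '
    r'\u0022*\u0022 to AdditionallyAllowedTenants to allow acquiring tokens '
    r'for any tenant."}'
)

GUID = r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}"
TENANT_MISMATCH = re.compile(
    r"not configured to acquire tokens for tenant (" + GUID + r")"
)


def triage_tenant_mismatch(raw):
    """Return a retry hint for a tenant-mismatch response, else None."""
    try:
        resp = json.loads(raw)
    except json.JSONDecodeError:
        return None
    message = resp.get("message") if isinstance(resp, dict) else None
    if not isinstance(message, str):
        return None
    match = TENANT_MISMATCH.search(message)
    if match is None:
        return None
    tenant = match.group(1).lower()
    return {
        "status": resp.get("status"),      # reported as-is, not used to match
        "cause": "tenant_mismatch",
        "requested_tenant": tenant,
        # Assumption: retry the same tool call scoped to this one tenant.
        "retry_with": ["--tenant-id", tenant],
        # True when the message also offers the "*" (any tenant) option, which
        # is broader than scoping the call to the single tenant above.
        "mentions_wildcard": '"*"' in message,
    }


if __name__ == "__main__":
    print(triage_tenant_mismatch(SAMPLE_RESPONSE))
```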