The `exportAuthRecord` process does not respect the tenant when running in /azure
When running in /azure, e.g. in a BAMI tenant, the tenant ID is passed to the Azure Cloud Shell extension and used to sign in. However, `exportAuthRecord` does not pick up that tenant ID at all, and consequently exports an authentication record that will not work with `DefaultAzureCredential`.
Additionally, even when passing in `tenantId` to `DefaultAzureCredential`'s options, and with the `@azure.argTenant` setting altered to correct the tenant set by `exportAuthRecord`, I still cannot get `DefaultAzureCredential` to work. I also tried signing in to Azure CLI with `az login --use-device-code -t <tenantId>`, and while that was successful, `DefaultAzureCredential` is still failing.
/cc @g2vinay @alexweininger @meeraharidasa
This should now be resolved.
- DAC worked with `az login` and by setting `AZURE_TOKEN_CREDENTIALS` to `dev` (was getting blocked by MI auth in cloud shell).
- `@azure.argTenant` was fixed by installing the extension back, I believe.
It's been worked around (mostly via using AzureCliCredential) but I wouldn't call it resolved :smile: