
{Auth} Add --tenant to the re-authentication message#31742

Merged
jiasli merged 1 commit into Azure:dev from jiasli:login-tenant
Jul 3, 2025

Conversation

@jiasli
Member

@jiasli jiasli commented Jul 1, 2025

Related command
az login

Description
Similar to #17738

MFA status is not shared between tenants. az login will only trigger MFA on the home tenant, but not guest tenants.

Following acquire_token_silent_with_error calls (such as az account get-access-token --tenant 54826b22-38d6-4fb2-bad9-b7b93a3e9c5a) on guest tenants will fail with

SubError: basic_action V2Error: invalid_grant AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '797f4846-ba00-4fd7-ba43-dac1f8f63013'.

Testing Guide

> az login
Authentication failed against tenant 54826b22-38d6-4fb2-bad9-b7b93a3e9c5a 'AzureSDKTeam': SubError: basic_action V2Error: invalid_grant AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '797f4846-ba00-4fd7-ba43-dac1f8f63013'. Trace ID: 18d82f67-1fbf-4ca5-819a-1deef63b1e00 Correlation ID: 04bb878d-61ca-4c18-9fdc-6c68999653e4 Timestamp: 2025-07-01 08:16:05Z. Status: Response_Status.Status_InteractionRequired, Error code: 3399614476, Tag: 557973645
If you need to access subscriptions in the following tenants, please use `az login --tenant TENANT_ID`.
54826b22-38d6-4fb2-bad9-b7b93a3e9c5a 'AzureSDKTeam'

> az account get-access-token --tenant 54826b22-38d6-4fb2-bad9-b7b93a3e9c5a
SubError: basic_action V2Error: invalid_grant AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '797f4846-ba00-4fd7-ba43-dac1f8f63013'. Trace ID: d8cfcd78-1e1a-42ec-8ca0-0bf3c96a2000 Correlation ID: ebbeb7f6-495a-4e50-9fa4-19e08628b3af Timestamp: 2025-07-01 08:35:24Z. Status: Response_Status.Status_InteractionRequired, Error code: 3399614476, Tag: 557973645
Please explicitly log in with:
az login --tenant "54826b22-38d6-4fb2-bad9-b7b93a3e9c5a" --scope "https://management.core.windows.net//.default"

@azure-client-tools-bot-prd

azure-client-tools-bot-prd bot commented Jul 1, 2025

️✔️AzureCLI-FullTest

@azure-client-tools-bot-prd

azure-client-tools-bot-prd bot commented Jul 1, 2025

️✔️AzureCLI-BreakingChangeTest
️✔️Non Breaking Changes

@yonzhan
Collaborator

yonzhan commented Jul 1, 2025

Thank you for your contribution! We will review the pull request and get back to you soon.

@github-actions

github-actions bot commented Jul 1, 2025

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR.

Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
After that please run the following commands to enable git hooks:

pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>

@microsoft-github-policy-service bot added the Auto-Assign label (Auto assign by bot) Jul 1, 2025
@microsoft-github-policy-service bot added the ARM label (az resource/group/lock/tag/deployment/policy/managementapp/account management-group) Jul 1, 2025
@microsoft-github-policy-service bot added the Account label (az login/account) Jul 1, 2025
@jiasli jiasli marked this pull request as ready for review July 1, 2025 09:19
Copilot AI review requested due to automatic review settings July 1, 2025 09:19
@jiasli jiasli requested review from bebound and evelyn-ys as code owners July 1, 2025 09:19
Contributor

Copilot AI left a comment


Pull Request Overview

Adds tenant support to the re-authentication prompt and standardizes quoting for scopes in the generated az login command.

  • Enhanced _generate_login_command to accept a tenant parameter and wrap arguments in double quotes.
  • Split --scope invocation so each scope is individually quoted.
  • Updated MSAL credentials to pass the tenant into check_result, enabling the tenant flag in the recommendation.

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File Description
src/azure-cli-core/azure/cli/core/auth/util.py Extended _generate_login_command to handle tenant and improve quoting
src/azure-cli-core/azure/cli/core/auth/tests/test_util.py Added test for tenant+scope scenario (missing a standalone scopes-only test)
src/azure-cli-core/azure/cli/core/auth/msal_credentials.py Forwarded tenant from MSAL app authority into check_result
Comments suppressed due to low confidence (2)

src/azure-cli-core/azure/cli/core/auth/util.py:52

  • The call to _generate_login_command in aad_error_handler doesn’t pass the new tenant kwarg, so recommendations will never include --tenant. Update it to _generate_login_command(tenant=kwargs.get('tenant'), scopes=scopes, claims_challenge=claims_challenge).
    from azure.cli.core.azclierror import AuthenticationError

src/azure-cli-core/azure/cli/core/auth/tests/test_util.py:57

  • The standalone scopes-only path is no longer tested after removing the previous test for scopes alone. Add a test case for _generate_login_command(scopes=[...]) without a tenant to ensure it still generates the correct command.
        # tenant and scopes



def _generate_login_command(scopes=None, claims_challenge=None):
def _generate_login_command(tenant=None, scopes=None, claims_challenge=None):
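Review bot: tenant is inserted as the first positional parameter, ahead of scopes, so any caller that still passes a scope list positionally would silently bind it to tenant and emit `--tenant "[...]"` with a scope string in it. The keyword call `_generate_login_command(**kwargs)` quoted in this thread is unaffected; to make the signature change safe for every caller, consider making the parameters keyword-only (`def _generate_login_command(*, tenant=None, scopes=None, claims_challenge=None):`) or appending tenant after claims_challenge.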
Member


Shall we append the tenant info to the re-login recommendation message only for some error codes (for example AADSTS50076)?

Now it seems all failure cases will append this except for 7000215:

# Build recommendation message
if error_codes and 7000215 in error_codes:
    recommendation = PASSWORD_CERTIFICATE_WARNING
else:
    login_command = _generate_login_command(**kwargs)

Member Author

@jiasli jiasli Jul 3, 2025


There are many possible AADSTS errors. We cannot enumerate all of them. For example, if you haven't configured MFA in a tenant, acquire_token_silent will fail with

AADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access '797f4846-ba00-4fd7-ba43-dac1f8f63013'.

If you have configured MFA in a tenant but didn't perform MFA in the browser before, acquire_token_silent will fail with

AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '797f4846-ba00-4fd7-ba43-dac1f8f63013'.

It is a good practice to always specify --tenant so that Azure CLI can only access resources in the specified tenant and also trigger MFA as required by that tenant.

Member


My concern is whether there are any cases where adding the tenant ID during login is misleading. If there is no such case, then I'm good with this.

Member Author

@jiasli jiasli Jul 3, 2025


I cannot think of a case where adding tenant ID is misleading.

--tenant will not be shown for managed identity and Cloud Shell:

check_result(result, scopes=scopes)
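As an added example (not Azure CLI's own code), a Python sketch of the behaviour discussed in this thread: a tenant-aware `_generate_login_command` that double-quotes each value and emits one `--scope` per scope, plus the 7000215 branch quoted by the reviewer, with `tenant=None` standing for the managed identity and Cloud Shell case. The `--claims-challenge` rendering, the warning text and the AADSTS-code extraction are assumptions.

```python
import re

# Quoted by the reviewer in this thread: 7000215 means the client secret or
# certificate is wrong, so a re-login hint would be misleading advice.
PASSWORD_CERTIFICATE_WARNING = (  # wording is an assumption
    "The client secret or certificate may be invalid; fix the credential "
    "instead of re-logging in.")

_AADSTS_RE = re.compile(r"AADSTS(\d+)")


def _generate_login_command(tenant=None, scopes=None, claims_challenge=None):
    """Build the `az login` hint: every value double-quoted, one --scope per
    scope, and --tenant only when a tenant is known (managed identity and
    Cloud Shell pass none). The --claims-challenge rendering is assumed."""
    parts = ["az login"]
    if tenant:
        parts.append(f'--tenant "{tenant}"')
    for scope in scopes or []:
        parts.append(f'--scope "{scope}"')
    if claims_challenge:
        parts.append(f'--claims-challenge "{claims_challenge}"')
    return " ".join(parts)


def error_codes_from_message(message):
    """Pull the numeric AADSTS codes out of an MSAL error description."""
    return [int(code) for code in _AADSTS_RE.findall(message)]


def build_recommendation(error_description, tenant=None, scopes=None):
    """Mirror the branch quoted in review: 7000215 gets the credential
    warning, every other failure (50076, 50079, ...) gets a login hint
    that names the tenant whose MFA policy was not satisfied."""
    if 7000215 in error_codes_from_message(error_description):
        return PASSWORD_CERTIFICATE_WARNING
    command = _generate_login_command(tenant=tenant, scopes=scopes)
    return "Please explicitly log in with:\n" + command


if __name__ == "__main__":
    # Constructed sample modelled on the AADSTS50076 output in the PR.
    msg = ("SubError: basic_action V2Error: invalid_grant AADSTS50076: "
           "you must use multi-factor authentication to access 'app'.")
    print(build_recommendation(
        msg, tenant="54826b22-38d6-4fb2-bad9-b7b93a3e9c5a",
        scopes=["https://management.core.windows.net//.default"]))
```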

@jiasli jiasli merged commit 378d1bb into Azure:dev Jul 3, 2025
48 checks passed
@jiasli jiasli deleted the login-tenant branch July 3, 2025 09:09