Azure · jiasli · Jul 3, 2025 · Jul 1, 2025 · evelyn-ys · Jul 3, 2025
@@ -59,7 +59,8 @@ def acquire_token(self, scopes, claims_challenge=None, **kwargs):
         from azure.cli.core.azclierror import AuthenticationError
         try:
             # Check if an access token is returned.
-            check_result(result, scopes=scopes, claims_challenge=claims_challenge)
+            check_result(result, tenant=self._msal_app.authority.tenant, scopes=scopes,
+                         claims_challenge=claims_challenge)
         except AuthenticationError as ex:
             # For VM SSH ('data' is passed), if getting access token fails because
             # Conditional Access MFA step-up or compliance check is required, re-launch

@@ -54,9 +54,20 @@ def test_generate_login_command(self):
         # No parameter is given
         assert _generate_login_command() == 'az login'
 
-        # scopes
+        # tenant
+        actual = _generate_login_command(tenant='21987a97-4e85-47c5-9a13-9dc3e11b2a9a')
+        assert actual == 'az login --tenant "21987a97-4e85-47c5-9a13-9dc3e11b2a9a"'
+
+        # scope
         actual = _generate_login_command(scopes=["https://management.core.windows.net//.default"])
-        assert actual == 'az login --scope https://management.core.windows.net//.default'
+        assert actual == 'az login --scope "https://management.core.windows.net//.default"'
+
+        # tenant and scopes
+        actual = _generate_login_command(tenant='21987a97-4e85-47c5-9a13-9dc3e11b2a9a',
+                                         scopes=["https://management.core.windows.net//.default"])
+        assert actual == ('az login --tenant "21987a97-4e85-47c5-9a13-9dc3e11b2a9a" '
+                          '--scope "https://management.core.windows.net//.default"')
+
 
 
 if __name__ == '__main__':

@@ -53,12 +53,21 @@ def aad_error_handler(error, **kwargs):
     raise AuthenticationError(error_description, msal_error=error, recommendation=recommendation)
 
 
-def _generate_login_command(scopes=None, claims_challenge=None):
+def _generate_login_command(tenant=None, scopes=None, claims_challenge=None):
 # Build recommendation message 
 if error_codes and 7000215 in error_codes: 
     recommendation = PASSWORD_CERTIFICATE_WARNING 
 else: 
     login_command = _generate_login_command(**kwargs) 
 check_result(result) 
 check_result(result, scopes=scopes) 
 # Build recommendation message 
 if error_codes and 7000215 in error_codes: 
     recommendation = PASSWORD_CERTIFICATE_WARNING 
 else: 
     login_command = _generate_login_command(**kwargs) 
 check_result(result) 
 check_result(result, scopes=scopes) 
     login_command = ['az login']
 
-    # Rejected by Conditional Access policy, like MFA
+    # Rejected by Conditional Access policy, like MFA.
+    # MFA status is not shared between tenants. Specifying tenant triggers the MFA process for that tenant.
+    # Double quotes are not necessary, but we add them following the best practice to avoid shell interpretation.
+    if tenant:
+        login_command.extend(['--tenant', f'"{tenant}"'])
+
+    # Some scopes (such as Graph) may require MFA while ARM may not.
+    # Specifying scope triggers the MFA process for that scope.
     if scopes:
-        login_command.append('--scope {}'.format(' '.join(scopes)))
+        login_command.append('--scope')
+        for s in scopes:
+            login_command.append(f'"{s}"')
 
     # Rejected by CAE
     if claims_challenge: