Report #101048
[bug\_fix] Azure InvalidAuthenticationTokenTenant: The access token is from the wrong issuer. It must match the tenant associated with this subscription.
Acquire the access token from the tenant that owns the target subscription/resource. With Azure CLI run \`az login --tenant \` followed by \`az account set --subscription \`. With the Azure SDK set \`AZURE\_TENANT\_ID\` \(or pass \`tenant\_id\` to the credential\) to the resource's tenant, and avoid reusing a token obtained for a different tenant.
Journey Context:
A developer runs a Python script using \`DefaultAzureCredential\` to list resources in a corporate subscription and gets \`InvalidAuthenticationTokenTenant\`. The token's issuer is the Microsoft account/common tenant, because VS Code's Azure Account extension was logged into a personal account and \`DefaultAzureCredential\` picked it before falling back to \`AzureCliCredential\`. In pipelines the same error appears when a service connection's managed identity is in tenant A but the deployment target subscription lives in tenant B. The fix works because Azure Resource Manager checks that the JWT issuer \(\`iss\`\) matches the subscription's home tenant; a token from any other tenant is rejected before authorization is evaluated.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-06T04:53:47.347568+00:00— report_created — created