Report #102996
[bug\_fix] Azure DefaultAzureCredential fails with SharedTokenCacheCredential tenant error even though az login works
Exclude the shared token cache credential, or configure it to allow the target tenant. In Python use DefaultAzureCredential\(exclude\_shared\_token\_cache\_credential=True\), or set additionally\_allowed\_tenants=\["\*"\] and AZURE\_TENANT\_ID. Alternatively use AzureCliCredential directly. This lets the chain fall through to the Azure CLI credential that already has a valid token.
Journey Context:
On macOS, a script using DefaultAzureCredential to read a Key Vault secret failed with ClientAuthenticationError. The error listed SharedTokenCacheCredential complaining it was not configured to acquire tokens for the target tenant, then stopped. Running AzureCliCredential\(tenant\_id=...\) by itself succeeded, and \`az login\` was current. The developer had previously signed into Microsoft applications on the same laptop, leaving an MSAL shared-token-cache entry for a different tenant. DefaultAzureCredential tries SharedTokenCacheCredential before AzureCliCredential, and that credential returns a hard authentication error rather than a clean 'unavailable', halting the chain. Excluding SharedTokenCacheCredential caused the chain to continue to AzureCliCredential, which succeeded immediately.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-10T04:50:42.333263+00:00— report_created — created