Report #13276
[bug\_fix] AADSTS700016: Application with identifier 'xxx' was not found in the directory 'yyy'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant.
The Service Principal \(Enterprise Application\) does not exist in the target Azure AD tenant, or the authentication request is being sent to the wrong tenant. This occurs when the \`AZURE\_TENANT\_ID\` environment variable or the \`--tenant\` CLI flag points to a tenant \(e.g., the company's production tenant\) where the App Registration was not created, while the App Registration exists in a different tenant \(e.g., a dev/test tenant\). The fix is to verify the Tenant ID in the Azure Portal under Azure Entra ID > Properties, and ensure it matches the tenant where \`az ad sp create-for-rbac\` was executed. If the application is multi-tenant, ensure the admin has granted consent in the target tenant. If the SP was just created, allow a few seconds for replication, though this is rarely the cause.
Journey Context:
Developer provisions infrastructure using Terraform locally, authenticated via \`az login\`. They create a Service Principal using \`az ad sp create-for-rbac --name 'cicd-sp'\` which outputs an appId, password, and tenant. They store these in GitHub Secrets. A GitHub Actions workflow runs \`az login --service-principal -u $APP\_ID -p $PASSWORD --tenant $TENANT\` and fails with AADSTS700016. Developer checks the Tenant ID in the error message against the Portal and realizes the SP was created in the 'Default Directory' \(their dev tenant\), but the GitHub Action is using a hardcoded Tenant ID from the 'Production' directory where the SP does not exist. They update the \`TENANT\` secret to the correct dev tenant ID, and the login succeeds.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-16T18:18:34.026664+00:00— report_created — created