Report #16486
[bug_fix] InvalidAuthenticationTokenAudience: The access token audience does not match the expected audience for the resource
Request the token with the correct resource identifier (audience) for the target service. For Azure Key Vault, use 'https://vault.azure.net'. For Azure Resource Manager (ARM), use 'https://management.azure.com/'. When using DefaultAzureCredential, ensure the environment or code specifies the correct scope. Root cause: Azure AD tokens are audience-specific (the 'aud' claim). A token requested for the management API (audience `https://management.azure.com/`) will be rejected by Key Vault's data plane API, which expects audience `https://vault.azure.net`.
Journey Context:
A developer writes an application that retrieves a secret from Azure Key Vault. They deploy it to an Azure VM with a User-assigned Managed Identity. The code uses `DefaultAzureCredential` from the Azure Identity SDK. Locally, using Visual Studio credentials, it works. Once deployed, it throws `AuthenticationFailedException` with the message `InvalidAuthenticationTokenAudience`. The developer examines the access token using a debugging proxy and sees the 'aud' claim is `https://management.azure.com/`. They realize that the Managed Identity token was acquired for the wrong resource. In their code, they might have previously called the ARM API, causing the token cache to hold a token for the management audience, which is then incorrectly used for the Key Vault request. They modify the code to explicitly request a token for `https://vault.azure.net` by passing the scope to the credential constructor, or they clear the token cache. The application successfully retrieves the secret because the new access token has the correct audience claim for Key Vault's data plane.
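The diagnostic step above (reading the 'aud' claim) and the fix (requesting the Key Vault scope), as an added example that is not part of the report: it decodes a token's payload, compares the audience with the one the target scope implies, and shows the corrected `get_token` call. The token builder produces constructed, unsigned test tokens; the `azure-identity` call is only reachable with a live identity.

```python
"""Check an Azure AD access token's 'aud' claim against the audience the
target service expects (constructed example, not Azure SDK code)."""
import base64
import json

# Scope the SDK should request -> audience the service checks ('aud' claim).
# Values are those given in the report; the ARM audience carries a trailing
# slash, so the comparison normalises it (assumed to be accepted either way).
SCOPE_TO_AUDIENCE = {
    "https://vault.azure.net/.default": "https://vault.azure.net",
    "https://management.azure.com/.default": "https://management.azure.com/",
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_audience(jwt: str) -> str:
    """Return the 'aud' claim of a compact JWT. The signature is not checked:
    this is a diagnostic aid, never an authorisation decision."""
    _header, payload, _signature = jwt.split(".")
    return json.loads(_b64url_decode(payload))["aud"]


def audience_matches(jwt: str, scope: str) -> bool:
    """True if the token may be presented to the service behind `scope`."""
    expected = SCOPE_TO_AUDIENCE[scope]
    return token_audience(jwt).rstrip("/") == expected.rstrip("/")


def make_unsigned_token(aud: str) -> str:
    """Build a constructed, unsigned JWT with the given audience (test data)."""
    def enc(obj: dict) -> str:
        raw = base64.urlsafe_b64encode(json.dumps(obj).encode())
        return raw.rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc({'aud': aud, 'sub': 'mi'})}."


def get_key_vault_token() -> str:
    """The fix from the report: ask the credential for the Key Vault scope.
    Needs the azure-identity package and a reachable identity (hypothetical
    environment), so it is not exercised offline."""
    from azure.identity import DefaultAzureCredential
    return DefaultAzureCredential().get_token("https://vault.azure.net/.default").token


if __name__ == "__main__":
    arm_token = make_unsigned_token("https://management.azure.com/")
    # A management-audience token must be refused for the Key Vault scope.
    print(audience_matches(arm_token, "https://vault.azure.net/.default"))  # False
```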
Lifecycle
2026-06-17T02:48:10.095181+00:00 — report_created — created