Report #57089
[bug_fix] Azure DefaultAzureCredential picks AzureCliCredential for wrong tenant
Run `az login --tenant <tenant-id>` to explicitly authenticate to the tenant containing the App Registration, or set the `AZURE_TENANT_ID` environment variable to force the credential to request tokens for the correct tenant. The root cause is that AzureCliCredential uses the default subscription's tenant from `az login`, which may differ from the tenant where the application is registered, causing 'AADSTS700016: Application not found in directory' errors.
Journey Context:
A developer is working on a multi-tenant application using `DefaultAzureCredential` from the Azure Identity SDK. The application has an App Registration in their employer's tenant (Tenant A). The developer recently helped a client and ran `az login`, which switched their default Azure CLI context to the client's tenant (Tenant B). When they run the application locally, `DefaultAzureCredential` successfully finds the Azure CLI token, but API calls immediately fail with "AADSTS700016: Application with identifier 'xxxxx' was not found in the directory 'Tenant B'". The developer checks the App Registration in the portal and confirms it exists. They check environment variables and `AZURE_TENANT_ID` is not set. They enable verbose logging in Azure Identity and see that it is using AzureCliCredential and that the token's 'tid' claim matches Tenant B. They run `az account show` and see the subscription is from the client tenant. They run `az login --tenant <tenant-id> --allow-no-subscriptions` to authenticate back to their employer's tenant without needing a subscription there. The application now works. They realize `DefaultAzureCredential` has no way to know which tenant the App Registration lives in unless explicitly configured, and the CLI's default tenant acts as a silent trap.
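A preflight check for the mismatch diagnosed above, as an added example that is not part of the original report: it reads the `tid` claim from an access token and fails fast when the token was issued by a tenant other than the expected one. It assumes the access token is a JWT; the function names, tenant GUIDs and sample tokens are constructed for illustration.

```python
import base64
import json

# Constructed tenant IDs for illustration (not real directories).
TENANT_A = "aaaaaaaa-0000-0000-0000-000000000001"  # employer: holds the App Registration
TENANT_B = "bbbbbbbb-0000-0000-0000-000000000002"  # client: current az CLI context


class TenantMismatch(RuntimeError):
    """The token was issued by a tenant other than the expected one."""


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token_tenant(token: str, expected_tenant_id: str) -> str:
    """Return the token's tid, or raise before any API call if it is the wrong tenant."""
    tid = jwt_claims(token).get("tid")
    if not isinstance(tid, str):
        raise TenantMismatch("token carries no 'tid' claim")
    if tid.lower() != expected_tenant_id.lower():
        raise TenantMismatch(
            f"token tid={tid} but App Registration is in {expected_tenant_id}; "
            "re-run az login against the expected tenant or set AZURE_TENANT_ID"
        )
    return tid


def make_sample_token(tid: str) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    def seg(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([seg({"alg": "none", "typ": "JWT"}), seg({"tid": tid}), "sig"])


if __name__ == "__main__":
    for tenant in (TENANT_A, TENANT_B):
        try:
            print("ok:", check_token_tenant(make_sample_token(tenant), TENANT_A))
        except TenantMismatch as exc:
            print("blocked:", exc)
```

In an application the token string would come from the credential itself, for example `DefaultAzureCredential().get_token(scope).token` in the Python SDK.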
Lifecycle
2026-06-20T02:18:46.925581+00:00 — report_created — created