Report #6854
[bug_fix] Azure.Identity.AuthenticationFailedException: ClientSecretCredential authentication failed: AADSTS90002: Tenant 'xxxx' not found
Explicitly set the AZURE_TENANT_ID environment variable to the exact tenant ID (UUID) where the target Azure resource resides, and ensure `az account set --subscription` targets a subscription within that same tenant. DefaultAzureCredential uses the CLI's default tenant when AZURE_TENANT_ID is unset; if the resource (e.g., Key Vault) is in a different tenant, the token issuer mismatches the resource's tenant, causing the error.
Journey Context:
Developer uses Azure DefaultAzureCredential to connect to a Key Vault in their corporate tenant. Locally, they have used `az login`, which lists multiple tenants (corporate and a personal MSDN tenant). The default subscription after login is the personal tenant. When the app runs, DefaultAzureCredential picks up AzureCliCredential, which obtains a token for the personal tenant's default subscription. The app then tries to access the Key Vault in the corporate tenant. The token's issuer (personal tenant) does not match the Key Vault's tenant, resulting in AADSTS90002 or 'token issuer mismatch' errors. Developer tries setting AZURE_SUBSCRIPTION_ID to the corporate subscription, but forgets that the CLI's *tenant* context for token issuance is tied to the default account set by `az account set`, not just the env var. After debugging with `az account show`, they realize the active subscription is still the personal one. They run `az account set --subscription CORP_SUB_ID` and export AZURE_TENANT_ID=CORP_TENANT_ID, ensuring DefaultAzureCredential requests tokens for the correct tenant.
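A preflight check for the two settings described above, as an added example that is not part of the original report: it compares the tenant that owns the resource with AZURE_TENANT_ID and with the tenant of the CLI's active subscription. The function names and the two sample tenant IDs are constructed for illustration; `az account show --query tenantId -o tsv` is the only Azure call and runs only inside `preflight`.

```shell
#!/bin/sh
# Added example, not from the original report. Function names are hypothetical.
# Constructed sample tenant IDs (not real tenants):
CORP_TENANT="11111111-1111-1111-1111-111111111111"
PERSONAL_TENANT="22222222-2222-2222-2222-222222222222"

# Succeeds when $1 has the UUID shape a tenant ID must have.
is_uuid() {
  printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
}

# Lower-case a value so tenant IDs compare case-insensitively.
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Pure comparison, no Azure calls.
#   $1 tenant that owns the target resource (e.g. the Key Vault)
#   $2 value of AZURE_TENANT_ID (may be empty)
#   $3 tenantId of the CLI's active subscription
# Prints a one-word verdict; returns 0 only when both contexts match.
check_tenant_context() {
  ctc_want=$(lower "$1"); ctc_env=$(lower "$2"); ctc_cli=$(lower "$3")
  if ! is_uuid "$ctc_want"; then echo "expected-not-uuid"; return 2; fi
  if [ -z "$ctc_env" ]; then echo "env-unset"; return 3; fi
  if [ "$ctc_env" != "$ctc_want" ]; then echo "env-mismatch"; return 4; fi
  if [ "$ctc_cli" != "$ctc_want" ]; then echo "cli-mismatch"; return 5; fi
  echo "ok"
}

# Live wrapper: reads the CLI's active tenant and the environment.
# Usage: preflight <expected-tenant-id>
preflight() {
  pf_cli=$(az account show --query tenantId -o tsv) || {
    echo "az account show failed; run az login first" >&2; return 1; }
  check_tenant_context "$1" "${AZURE_TENANT_ID:-}" "$pf_cli"
}
```

A `cli-mismatch` verdict corresponds to the state in the journey where the environment variable is set but `az account show` still reports the personal subscription.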
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-16T01:13:04.915068+00:00 — report_created — created