Report #90767
[bug_fix] AADSTS700016: Application with identifier 'client-id' was not found in the directory 'tenant-id'
Set the `AZURE_TENANT_ID` environment variable (or the `--tenant` flag) to the exact tenant ID in which the App Registration was created, or change the authentication authority URL in code to `https://login.microsoftonline.com/{correct-tenant-id}`.
Root cause: The application registration is scoped to a single Azure AD tenant; authentication requests sent to a different tenant endpoint (e.g. 'common', 'organizations', or a mismatched tenant ID) cannot locate the app.
Journey Context:
Developer creates a Service Principal using `az ad sp create-for-rbac --name myApp` while logged into their company's Azure subscription. They copy the `appId`, `password`, and `tenant` output into the environment variables `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, and `AZURE_TENANT_ID`. They run a Python app using `DefaultAzureCredential()`, which fails with 'AADSTS700016'. The developer checks the App Registration in the Azure Portal: it exists and shows the correct client ID. They verify that `AZURE_TENANT_ID` matches the subscription's tenant. They then realize they copied the `tenant` value from `az account show`, which shows the home tenant, whereas the app was registered in a different tenant (they had switched tenants via `az login --tenant` earlier, so `az ad sp create` created it in the current context, which was a different directory). The fix works because Azure AD is tenant-scoped: an app registration only exists within the tenant it was created in. The authentication request must target that specific tenant's token endpoint (`login.microsoftonline.com/{tenant-id}`) so Azure AD can locate the app's service principal.
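Added here as an illustration, not code from the report: a stdlib-only Python diagnostic that classifies an AADSTS700016 against the configured tenant. It flags the 'common'/'organizations' aliases (which cannot stand in for the app's own tenant), checks whether the directory named in the error is the one `AZURE_TENANT_ID` points at, and resolves a tenant domain to its GUID via the `issuer` of the OpenID discovery document. The finding codes, the sample error text and the discovery documents are constructed for this example.

```python
import json
import os
import re
import urllib.request

# Aliases that mean "any tenant"; an app registration is only findable under its own tenant.
TENANT_ALIASES = {"common", "organizations", "consumers"}
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
AADSTS700016_RE = re.compile(
    r"AADSTS700016: Application with identifier '([^']+)' was not found in the directory '([^']+)'")

def parse_aadsts700016(message):
    """Return (client_id, directory) named in the error text, or None for any other error."""
    m = AADSTS700016_RE.search(message)
    return (m.group(1), m.group(2)) if m else None

def tenant_id_from_discovery(doc):
    """Tenant GUID from an OpenID discovery document's issuer, or None.
    For an alias such as 'common' the issuer carries the literal placeholder '{tenantid}'."""
    m = re.search(r"login\.microsoftonline\.com/([^/]+)/v2\.0", doc.get("issuer", ""))
    return m.group(1).lower() if m and GUID_RE.match(m.group(1)) else None

def fetch_discovery(tenant):
    """Live lookup of a tenant's discovery document (the offline checks below take it as input)."""
    url = f"https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)

def diagnose(configured_tenant, error_message, discovery_doc=None):
    """Return finding codes (constructed names) explaining an AADSTS700016 for this tenant setting."""
    findings = []
    tenant = configured_tenant.strip().lower()
    if tenant in TENANT_ALIASES:
        findings.append("alias-tenant")                  # needs the app's real tenant ID
    resolved = tenant_id_from_discovery(discovery_doc) if discovery_doc else None
    if discovery_doc and resolved is None:
        findings.append("tenant-unresolvable")           # alias or unknown tenant name
    parsed = parse_aadsts700016(error_message)
    if parsed is None:
        return findings + ["not-aadsts700016"]
    _client_id, directory = parsed
    if directory.lower() not in {tenant, resolved}:
        findings.append("request-went-to-other-tenant")  # an authority set in code overrides the env var
    findings.append("app-not-registered-here")           # look the app up in the directory it was created in
    return findings

if __name__ == "__main__":  # constructed sample: env var names the home tenant, the app lives elsewhere
    sample = ("AADSTS700016: Application with identifier '11111111-2222-3333-4444-555555555555' "
              "was not found in the directory 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee'")
    print(diagnose(os.environ.get("AZURE_TENANT_ID", "common"), sample))
```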
Lifecycle
2026-06-22T10:56:57.397325+00:00 — report_created — created