fix(extensions): use UserTenantId for credential resolution across all extensions by vhvb1989 · Pull Request #7080 · Azure/azure-dev

vhvb1989 · 2026-03-12T01:15:09Z

Fix

Follow-up to #7078 — the same bug existed in 5 more extensions.

Multiple extensions were using Subscription.TenantId (the resource tenant) instead of Subscription.UserTenantId (the user access tenant) when creating AzureDeveloperCLICredential after subscription selection. For multi-tenant/guest users these differ, causing AADSTS70043/AADSTS700082 "refresh token expired" errors.

Change

- tenantId = resp.Subscription.TenantId
+ tenantId = resp.Subscription.UserTenantId

Affected extensions

Extension	Files	Spots
azure.ai.models	custom.go, init.go	3
azure.ai.agents	init.go, init_from_code.go	2
azure.ai.finetune	init.go	2
microsoft.azd.ai.builder	start.go	1
microsoft.azd.demo	prompt.go	1

Extensions already correct (using LookupTenant()): azure.appservice, azure.ai.agents (parser.go, service_target_agent.go).

For single-tenant users, TenantId == UserTenantId, so no behavior change.

Prevention: Copilot review instruction

Added .github/instructions/extensions.instructions.md — a path-scoped instruction file that targets cli/azd/extensions/**. When the Copilot PR reviewer analyzes future PRs that touch extension code, it will flag uses of Subscription.TenantId for credential creation and recommend Subscription.UserTenantId instead. This prevents the same bug from being reintroduced in existing or new extensions.

Fixes #7077
Related: #7070, #7078

Audit of all extensions found the same bug in 5 more extensions: - azure.ai.models (custom.go, init.go) - azure.ai.agents (init.go, init_from_code.go) - azure.ai.finetune (init.go) - microsoft.azd.ai.builder (start.go) - microsoft.azd.demo (prompt.go) Extensions using LookupTenant() (azure.appservice, azure.ai.agents parser.go/service_target_agent.go) are already correct since the server resolves to UserAccessTenantId. Fixes #7077 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Copilot

Pull request overview

Fixes tenant selection for Azure Developer CLI credential creation across multiple azd extensions by using the user access tenant (Subscription.UserTenantId) instead of the resource tenant (Subscription.TenantId) after interactive subscription selection—aligning extension behavior with azd core and preventing multi-tenant/guest token refresh failures.

Changes:

Updated multiple extensions to set azureContext.Scope.TenantId (and related tenantId locals) from Subscription.UserTenantId after PromptSubscription.
Ensured subsequent credential creation and environment persistence flows use the corrected tenant value.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
cli/azd/extensions/microsoft.azd.demo/internal/cmd/prompt.go	Uses `UserTenantId` when building `AzureScope` from a prompted subscription.
cli/azd/extensions/microsoft.azd.ai.builder/internal/cmd/start.go	Uses `UserTenantId` when persisting prompted subscription context into the environment.
cli/azd/extensions/azure.ai.models/internal/cmd/init.go	Uses `UserTenantId` when prompting for subscription during init flows (env + context).
cli/azd/extensions/azure.ai.models/internal/cmd/custom.go	Uses `UserTenantId` when prompting for subscription in the lightweight “custom” flow.
cli/azd/extensions/azure.ai.finetune/internal/cmd/init.go	Uses `UserTenantId` when prompting for subscription during init flows.
cli/azd/extensions/azure.ai.agents/internal/cmd/init_from_code.go	Uses `UserTenantId` when prompting for subscription during init-from-code flow.
cli/azd/extensions/azure.ai.agents/internal/cmd/init.go	Uses `UserTenantId` when prompting for subscription during init flow.

Comments suppressed due to low confidence (3)

cli/azd/extensions/azure.ai.finetune/internal/cmd/init.go:606

The comment says this sets the subscription ID, but the code is setting AZURE_TENANT_ID. Please update the comment to match what is being written to the environment (tenant ID).

		// Set the subscription ID in the environment
		_, err = azdClient.Environment().SetValue(ctx, &azdext.SetEnvRequest{
			EnvName: env.Name,
			Key:     "AZURE_TENANT_ID",

cli/azd/extensions/azure.ai.agents/internal/cmd/init.go:652

The comment says this sets the subscription ID, but the code is setting AZURE_TENANT_ID. Please update the comment to match what is being written to the environment (tenant ID).

		// Set the subscription ID in the environment
		_, err = azdClient.Environment().SetValue(ctx, &azdext.SetEnvRequest{
			EnvName: env.Name,
			Key:     "AZURE_TENANT_ID",
			Value:   azureContext.Scope.TenantId,

cli/azd/extensions/microsoft.azd.ai.builder/internal/cmd/start.go:702

The comment says this sets the subscription ID, but the code is setting AZURE_TENANT_ID. Please update the comment to match what is being written to the environment (tenant ID).

		// Set the subscription ID in the environment
		_, err = azdClient.Environment().SetValue(ctx, &azdext.SetEnvRequest{
			EnvName: env.Name,
			Key:     "AZURE_TENANT_ID",
			Value:   azureContext.Scope.TenantId,

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

Adds a path-scoped Copilot instruction for cli/azd/extensions/** that flags use of Subscription.TenantId (resource tenant) instead of Subscription.UserTenantId (user access tenant) for credential creation. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

rajeshkamal5050 · 2026-03-12T15:27:39Z

/check-enforcer override

…l extensions (Azure#7080) * fix(extensions): apply same UserTenantId fix to all affected extensions Audit of all extensions found the same bug in 5 more extensions: - azure.ai.models (custom.go, init.go) - azure.ai.agents (init.go, init_from_code.go) - azure.ai.finetune (init.go) - microsoft.azd.ai.builder (start.go) - microsoft.azd.demo (prompt.go) Extensions using LookupTenant() (azure.appservice, azure.ai.agents parser.go/service_target_agent.go) are already correct since the server resolves to UserAccessTenantId. Fixes Azure#7077 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * chore: add Copilot review instruction for extension tenant usage Adds a path-scoped Copilot instruction for cli/azd/extensions/** that flags use of Subscription.TenantId (resource tenant) instead of Subscription.UserTenantId (user access tenant) for credential creation. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

vhvb1989 requested review from hemarina and wbreza as code owners March 12, 2026 01:15

Copilot AI review requested due to automatic review settings March 12, 2026 01:15

vhvb1989 requested review from JeffreyCA, achauhan-scc, kingernupur, rabollin, rajeshkamal5050, saanikaguptamicrosoft, tg-msft, therealjohn, trangevi, trrwilson and weikanglim as code owners March 12, 2026 01:15

microsoft-github-policy-service bot assigned vhvb1989 Mar 12, 2026

Copilot started reviewing on behalf of vhvb1989 March 12, 2026 01:15 View session

Copilot AI reviewed Mar 12, 2026

View reviewed changes

vhvb1989 requested a review from danieljurek as a code owner March 12, 2026 01:32

rajeshkamal5050 approved these changes Mar 12, 2026

View reviewed changes

rajeshkamal5050 merged commit 105e08a into main Mar 12, 2026
72 checks passed

rajeshkamal5050 mentioned this pull request Mar 12, 2026

Update README with troubleshooting info #7070

Closed

Copilot AI mentioned this pull request Mar 13, 2026

Prepare azure.ai.agents 0.1.15-preview patch release #7135

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(extensions): use UserTenantId for credential resolution across all extensions#7080

fix(extensions): use UserTenantId for credential resolution across all extensions#7080
rajeshkamal5050 merged 2 commits intomainfrom
fix/extensions-tenant-credential

vhvb1989 commented Mar 12, 2026 •

edited

Loading

Uh oh!

Copilot AI left a comment

Uh oh!

rajeshkamal5050 commented Mar 12, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

vhvb1989 commented Mar 12, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Fix

Change

Affected extensions

Prevention: Copilot review instruction

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

rajeshkamal5050 commented Mar 12, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

vhvb1989 commented Mar 12, 2026 •

edited

Loading