[BUG] role tool fails with "No accessible tenant found" while other tools (appservice) work fine #2141

@silkfire

Describe the bug

The role tool (e.g. role_assignment_list) returns InvalidOperationException: No accessible tenant found for tenant ID '<id>' even when:

  • az login is authenticated to the correct tenant
  • Other MCP tools (e.g. appservice) work against the same subscription/tenant
  • The tenant parameter is passed explicitly to the tool
  • The equivalent CLI command az role assignment list --scope <resource-id> works correctly

Expected behavior

The role_assignment_list tool should return role assignments for the specified scope, the same way az role assignment list --scope <resource-id> does via the CLI.

Actual behavior

The tool returns HTTP 500 with:

InvalidOperationException: No accessible tenant found for tenant ID <GUID>

Root cause in code:

In BaseAzureResourceService.cs, the GetTenantResourceAsync method calls TenantService.GetTenants() without passing the tenant parameter:

var allTenants = await TenantService.GetTenants(cancellationToken);
var tenantResource = allTenants.FirstOrDefault(t => t.Data.TenantId == tenantId.Value);

And in ExecuteResourceQueryAsync, the explicitly passed tenant parameter is not forwarded:

var subscriptionResource = await _subscriptionService.GetSubscription(subscription, tenant, retryPolicy, cancellationToken);
var tenantResource = await GetTenantResourceAsync(subscriptionResource!.Data.TenantId, cancellationToken);
// ^ 'tenant' parameter from caller is not used to scope the credential

The TenantService.GetTenants() method enumerates all tenants via ArmClient.GetTenants() without using a credential scoped to the requested tenant. If the default credential cannot enumerate the target tenant, it fails.
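As an added illustration (not the Azure MCP Server's own code), the C# below contrasts the lookup pattern the report describes, where the tenant enumeration runs under an unscoped default credential, with one that forwards the caller's tenant into `DefaultAzureCredentialOptions.TenantId`. The `TenantLookup` class and its method names are hypothetical; the `Azure.Identity` and `Azure.ResourceManager` types are the real SDK ones.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.Resources;

// Hypothetical helper for illustration only; not the project's TenantService.
public static class TenantLookup
{
    // Mirrors the failing path from the report: the requested tenant is only
    // used to filter the result, never to decide which tenant the token is
    // issued for, so the enumeration sees whatever the default credential sees.
    public static async Task<TenantResource> UnscopedAsync(Guid tenantId, CancellationToken ct)
    {
        var client = new ArmClient(new DefaultAzureCredential());
        return await FindAsync(client, tenantId, ct);
    }

    // Forwards the caller's tenant into the credential, so the token is issued
    // for that tenant (the same scoping `az login --tenant <tenant-id>` applies).
    public static async Task<TenantResource> ScopedAsync(Guid tenantId, CancellationToken ct)
    {
        var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions
        {
            TenantId = tenantId.ToString(),
        });
        var client = new ArmClient(credential);
        return await FindAsync(client, tenantId, ct);
    }

    // Shared enumeration: walk the tenants visible to this client and match on
    // TenantData.TenantId (a Guid?), as the report's FirstOrDefault does.
    private static async Task<TenantResource> FindAsync(ArmClient client, Guid tenantId, CancellationToken ct)
    {
        await foreach (var tenant in client.GetTenants().GetAllAsync(ct))
        {
            if (tenant.Data.TenantId == tenantId)
            {
                return tenant;
            }
        }
        throw new InvalidOperationException($"No accessible tenant found for tenant ID '{tenantId}'");
    }
}
```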

Reproduction Steps

  1. Run az login --tenant <tenant-id>
  2. Confirm login: az account show returns the correct tenant
  3. Use the role_assignment_list tool with a valid scope, passing tenant and subscription explicitly
  4. Observe: InvalidOperationException: No accessible tenant found for tenant ID '<id>'
  5. Run az role assignment list --scope <same-scope> --include-inherited — works correctly

Environment

  • OS: Windows 11
  • IDE: VS Code (latest)
  • Azure MCP Server: latest
  • Shell: Git Bash
