MSAL authentication doesn't respect REQUESTS_CA_BUNDLE for proxy certificates

[ciaran-finnegan]

Describe the bug

MSAL authentication in Azure CLI doesn't respect the REQUESTS_CA_BUNDLE environment variable when
working behind a proxy with custom certificates. While other Azure CLI operations properly use custom CA
bundles specified via REQUESTS_CA_BUNDLE, the MSAL library used for authentication (particularly az login) ignores this setting, causing SSL certificate verification errors even when users have correctly
configured their proxy certificates according to the official documentation.

Related command

az login
az login --debug

Errors

Certificate verification failed. This typically happens when using Azure CLI behind a proxy that intercepts traffic with a self-signed certificate.

SSL: CERTIFICATE_VERIFY_FAILED

Issue script & Debug output

Environment setup

export HTTPS_PROXY=https://corporate-proxy:8080
export REQUESTS_CA_BUNDLE=/path/to/custom-ca-bundle.pem

Run login with debug

az login --debug

Debug output shows NO indication of using custom cert bundle for MSAL:

DEBUG: Getting management service client client_type=SubscriptionClient
DEBUG: urllib3.connectionpool: Starting new HTTPS connection
ERROR: SSL: CERTIFICATE_VERIFY_FAILED

Expected debug output (missing):

DEBUG: MSAL: Using CA bundle file at '/path/to/custom-ca-bundle.pem'

Other az commands work fine with the same REQUESTS_CA_BUNDLE:

az vm list --debug

Shows: DEBUG: Using CA bundle file at '/path/to/custom-ca-bundle.pem'

Expected behavior

When REQUESTS_CA_BUNDLE environment variable is set:

1. MSAL authentication should use the specified custom CA bundle file
2. az login --debug should show debug message indicating the custom CA bundle is being used
3. Authentication should succeed without SSL certificate verification errors
4. Behavior should be consistent with other Azure CLI operations that already respect this environment
   variable

This is documented behavior according to:
https://learn.microsoft.com/en-us/cli/azure/use-azure-cli-successfully-troubleshooting#work-behind-a-pro
xy

Environment Summary

azure-cli 2.77.0

core 2.77.0
telemetry 1.1.0

Dependencies:
msal 1.34.0b1
azure-mgmt-resource 23.3.0

Python location '/opt/homebrew/Cellar/azure-cli/2.77.0/libexec/bin/python'
Config directory '/Users/ciaranfinnegan/.azure'
Extensions directory '/Users/ciaranfinnegan/.azure/cliextensions'

Python (Darwin) 3.13.7 (main, Aug 14 2025, 11:12:11) [Clang 17.0.0 (clang-1700.0.13.3)]

Additional context

No response

[yonzhan]

Thank you for opening this issue, we will look into it.

[github-actions]

Here are some similar issues that might help you. Please check if they can solve your problem.

• Az CLI 2.77.0 ssl issues #32108
• AZ Login fails with SSL intercept for 2.77.0 #32206
• unable to login to AZ  #13032
• 2.77.0 raises error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Missing Authority Key Identifier (_ssl.c:1032) #32083
• Better support for Fiddler #7455

---

Possible solution (Extracted from existing issue, might be incorrect; please verify carefully)

Solution 1:

Downgrade Azure CLI to version 2.76.0, which does not exhibit this issue. Use the following script to downgrade:

- task: CmdLine@2
  displayName: "Downgrade Azure CLI to 2.76.0"
  inputs:
    script: |
      # Obtain the currently installed distribution
      AZ_DIST=$(lsb_release -cs)

      # Store an Azure CLI version of choice
      AZ_VER=2.76.0

      # Install a specific version
      sudo apt-get install --allow-downgrades -y azure-cli=${AZ_VER}-1~${AZ_DIST}

Reference:

• Az CLI 2.77.0 ssl issues #32108 (comment)

Solution 2:

Ensure that the certificate being used includes the Authority Key Identifier (AKI) property. This is required due to stricter SSL controls introduced in Python 3.13, which Azure CLI 2.77.0 uses. Certificates without the AKI property will fail verification.

Reference:

• 2.77.0 raises error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Missing Authority Key Identifier (_ssl.c:1032) #32083 (comment)
• 2.77.0 raises error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Missing Authority Key Identifier (_ssl.c:1032) #32083 (comment)

Solution 3:

Set the environment variable AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1 as a workaround to bypass SSL verification. Note that this is not recommended for production environments due to security risks.

Reference:

• 2.77.0 raises error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Missing Authority Key Identifier (_ssl.c:1032) #32083 (comment)

Powered by issue-sentinel