AzureGovernment and AzureChina audience values are not aligned with Azure CLI #25700

@AzureMarker

Description

Bug Report

The Audience field in cloud.ServiceConfiguration is set in sdk/azcore/arm/runtime/runtime.go for public cloud, US government cloud, and China public cloud. The values for AzureGovernment and AzureChina do not exactly match the values used by Azure CLI (and azure-sdk-for-python). The audience values (besides AzurePublic) are missing the trailing slash, so the token cache does not recognize them as the same tokens.

azure-sdk-for-go:
https://github.com/Azure/azure-sdk-for-go/blob/main/sdk/azcore/arm/runtime/runtime.go

	cloud.AzureChina.Services[cloud.ResourceManager] = cloud.ServiceConfiguration{
		Audience: "https://management.core.chinacloudapi.cn",
		Endpoint: "https://management.chinacloudapi.cn",
	}
	cloud.AzureGovernment.Services[cloud.ResourceManager] = cloud.ServiceConfiguration{
		Audience: "https://management.core.usgovcloudapi.net",
		Endpoint: "https://management.usgovcloudapi.net",
	}
	cloud.AzurePublic.Services[cloud.ResourceManager] = cloud.ServiceConfiguration{
		Audience: "https://management.core.windows.net/",
		Endpoint: "https://management.azure.com",
	}

azure-sdk-for-python:
https://github.com/Azure/azure-sdk-for-python/blob/1cd78b1c3dbc5acb2a40d81cf4d3587783a187eb/sdk/identity/azure-identity/azure/identity/_internal/interactive.py#L28

_DEFAULT_AUTHENTICATE_SCOPES = {
    "https://" + KnownAuthorities.AZURE_CHINA: ("https://management.core.chinacloudapi.cn//.default",),
    "https://" + KnownAuthorities.AZURE_GOVERNMENT: ("https://management.core.usgovcloudapi.net//.default",),
    "https://" + KnownAuthorities.AZURE_PUBLIC_CLOUD: ("https://management.core.windows.net//.default",),
}

Azure CLI:
https://github.com/Azure/azure-cli/blob/azure-cli-2.80.0/src/azure-cli-core/azure/cli/core/_profile.py#L141

self._arm_scope = resource_to_scopes(self.cli_ctx.cloud.endpoints.active_directory_resource_id)

https://github.com/Azure/azure-cli/blob/azure-cli-2.80.0/src/azure-cli-core/azure/cli/core/cloud.py#L444C9-L444C83

active_directory_resource_id='https://management.core.usgovcloudapi.net/',

https://github.com/Azure/azure-cli/blob/azure-cli-2.80.0/src/azure-cli-core/azure/cli/core/auth/util.py#L92

def resource_to_scopes(resource):
    """Convert the ADAL resource ID to MSAL scopes by appending the /.default suffix and return a list.
    For example:
       'https://management.core.windows.net/' -> ['https://management.core.windows.net//.default']

Impact

AzureCLICredential will not find the cached credential from normal Azure CLI calls and will instead request a new token on the first call. Normally this is OK, but in some scenarios (like federated credentials) new token creation will fail.

For federated credentials, the ID token only lives for 10 minutes (on Azure DevOps) so requests to generate a new token after that timespan will fail. Because azure-sdk-for-go uses a different audience than Azure CLI / azure-sdk-for-python, the az account get-access-token call from Go will try and fail to create a new token:

AzureCLICredential: ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2025-11-25T20:32:03.1710719Z, assertion valid from 2025-11-25T20:05:44.0000000Z, expiry time of assertion 2025-11-25T20:15:44.0000000Z.

Steps to reproduce

  1. Switch cloud to AzureUSGovernment or AzureChinaCloud:
    az cloud set -n AzureUSGovernment
    
  2. Log in (using interactive for this example):
    az login
    
  3. Get an access token a few times. Each call will use the same token, so the expiresOn time will be constant. You can confirm that this is using the cache and the https://management.core.usgovcloudapi.net//.default scope by adding --debug.
    az account get-access-token --query expiresOn -o tsv
    
  4. Get an access token using the same audience that azure-sdk-for-go uses (https://management.core.usgovcloudapi.net). This will result in a new token being created with a different expiresOn value. You can confirm that the scope used is https://management.core.usgovcloudapi.net/.default by adding --debug.
    az account get-access-token --query expiresOn -o tsv --resource https://management.core.usgovcloudapi.net
    

More technical details

github.com/Azure/azure-sdk-for-go/sdk/azcore version: v1.17.0
github.com/Azure/azure-sdk-for-go/sdk/azidentity version: v1.8.2
The issue seems to still exist in the latest versions. These are just the versions we are using at the moment.

Link to the code where AzureCLICredential runs az account get-access-token with --resource:
https://github.com/Azure/azure-sdk-for-go/blob/sdk/azidentity/v1.8.2/sdk/azidentity/azure_cli_credential.go#L128
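The following Go program is an added illustration of the scope mismatch described in this report; it is not code from azure-sdk-for-go, azure-cli or the reporter. It hard-codes the audience and active_directory_resource_id values quoted above, reproduces the "append /.default" conversion the quoted resource_to_scopes docstring describes, and reports the clouds whose SDK-derived scope string differs from the CLI's. The assumption that a differing scope string means a cache miss is the one the report itself makes. NormalizeAudience is a hypothetical helper showing the effect of adding the missing trailing slash; it is not an SDK API.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Audience values as quoted in the issue: the Go SDK's cloud.ServiceConfiguration
// Audience (no trailing slash for the sovereign clouds) versus the Azure CLI's
// active_directory_resource_id (trailing slash on every cloud).
var sdkAudiences = map[string]string{
	"AzureChina":      "https://management.core.chinacloudapi.cn",
	"AzureGovernment": "https://management.core.usgovcloudapi.net",
	"AzurePublic":     "https://management.core.windows.net/",
}

var cliResourceIDs = map[string]string{
	"AzureChina":      "https://management.core.chinacloudapi.cn/",
	"AzureGovernment": "https://management.core.usgovcloudapi.net/",
	"AzurePublic":     "https://management.core.windows.net/",
}

// ResourceToScope mirrors the conversion quoted from Azure CLI's
// resource_to_scopes: append "/.default" to the resource ID verbatim. A
// trailing slash on the resource therefore survives as "//.default".
func ResourceToScope(resource string) string {
	return resource + "/.default"
}

// Mismatch records a cloud whose SDK-derived scope differs from the CLI's.
type Mismatch struct {
	Cloud    string
	SDKScope string
	CLIScope string
}

// FindMismatches derives the scope each side would request, after passing the
// SDK audience through the supplied transform, and returns the clouds where
// the two strings differ, sorted by cloud name. Because the token cache looks
// entries up by the exact scope string (the report's premise), each returned
// cloud is one where AzureCLICredential misses the CLI's cached token.
func FindMismatches(transform func(string) string) []Mismatch {
	var out []Mismatch
	for cloud, sdkAud := range sdkAudiences {
		sdkScope := ResourceToScope(transform(sdkAud))
		cliScope := ResourceToScope(cliResourceIDs[cloud])
		if sdkScope != cliScope {
			out = append(out, Mismatch{Cloud: cloud, SDKScope: sdkScope, CLIScope: cliScope})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Cloud < out[j].Cloud })
	return out
}

// Identity leaves the SDK audience unchanged (the behaviour reported).
func Identity(a string) string { return a }

// NormalizeAudience is a hypothetical fix, not SDK code: ensure every audience
// ends in "/" so both sides derive the same "//.default" scope string.
func NormalizeAudience(a string) string {
	if strings.HasSuffix(a, "/") {
		return a
	}
	return a + "/"
}

func main() {
	fmt.Println("Clouds whose SDK scope differs from the CLI scope:")
	for _, m := range FindMismatches(Identity) {
		fmt.Printf("  %s\n    sdk: %s\n    cli: %s\n", m.Cloud, m.SDKScope, m.CLIScope)
	}
	fmt.Printf("Mismatches after normalising the audience: %d\n",
		len(FindMismatches(NormalizeAudience)))
}
```

Run as-is it lists AzureChina and AzureGovernment as mismatched and AzurePublic as consistent, which is exactly the pattern the report describes; applying the trailing-slash normalisation makes all three scope strings identical on both sides.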
