Include scopes in az login command for claims challenge error messages

Copilot · weikanglim · Copilot · commit 2af955e34e43 · 2025-07-29T19:37:19.000Z
Co-authored-by: weikanglim &lt;2322434+weikanglim@users.noreply.github.com&gt;
diff --git a/sdk/identity/azure-identity/azure/identity/_credentials/azure_cli.py b/sdk/identity/azure-identity/azure/identity/_credentials/azure_cli.py
@@ -115,7 +115,10 @@ def get_token(
           receive an access token.
         """
         if claims and claims.strip():
-            raise CredentialUnavailableError(f"Failed to get token. Run az login --claims-challenge {claims}")
+            login_cmd = f"az login --claims-challenge {claims}"
+            if scopes:
+                login_cmd += f" --scope {scopes[0]}"
+            raise CredentialUnavailableError(f"Failed to get token. Run {login_cmd}")
 
         options: TokenRequestOptions = {}
         if tenant_id:
@@ -147,7 +150,10 @@ def get_token_info(self, *scopes: str, options: Optional[TokenRequestOptions] =
         """
         claims_value = options.get("claims") if options else None
         if claims_value and claims_value.strip():
-            raise CredentialUnavailableError(f"Failed to get token. Run az login --claims-challenge {claims_value}")
+            login_cmd = f"az login --claims-challenge {claims_value}"
+            if scopes:
+                login_cmd += f" --scope {scopes[0]}"
+            raise CredentialUnavailableError(f"Failed to get token. Run {login_cmd}")
         return self._get_token_base(*scopes, options=options)
 
     def _get_token_base(
diff --git a/sdk/identity/azure-identity/azure/identity/aio/_credentials/azure_cli.py b/sdk/identity/azure-identity/azure/identity/aio/_credentials/azure_cli.py
@@ -106,7 +106,10 @@ async def get_token(
           receive an access token.
         """
         if claims and claims.strip():
-            raise CredentialUnavailableError(f"Failed to get token. Run az login --claims-challenge {claims}")
+            login_cmd = f"az login --claims-challenge {claims}"
+            if scopes:
+                login_cmd += f" --scope {scopes[0]}"
+            raise CredentialUnavailableError(f"Failed to get token. Run {login_cmd}")
 
         # only ProactorEventLoop supports subprocesses on Windows (and it isn't the default loop on Python < 3.8)
         if sys.platform.startswith("win") and not isinstance(asyncio.get_event_loop(), asyncio.ProactorEventLoop):
@@ -142,7 +145,10 @@ async def get_token_info(self, *scopes: str, options: Optional[TokenRequestOptio
         """
         claims_value = options.get("claims") if options else None
         if claims_value and claims_value.strip():
-            raise CredentialUnavailableError(f"Failed to get token. Run az login --claims-challenge {claims_value}")
+            login_cmd = f"az login --claims-challenge {claims_value}"
+            if scopes:
+                login_cmd += f" --scope {scopes[0]}"
+            raise CredentialUnavailableError(f"Failed to get token. Run {login_cmd}")
         # only ProactorEventLoop supports subprocesses on Windows (and it isn't the default loop on Python < 3.8)
         if sys.platform.startswith("win") and not isinstance(asyncio.get_event_loop(), asyncio.ProactorEventLoop):
             return _SyncAzureCliCredential().get_token_info(*scopes, options=options)
diff --git a/sdk/identity/azure-identity/tests/test_cli_credential.py b/sdk/identity/azure-identity/tests/test_cli_credential.py
@@ -402,7 +402,7 @@ def test_claims_challenge_raises_error(get_token_method):
     """The credential should raise CredentialUnavailableError when claims challenge is provided"""
 
     claims = "test-claims-challenge"
-    expected_message = f"Failed to get token. Run az login --claims-challenge {claims}"
+    expected_message = f"Failed to get token. Run az login --claims-challenge {claims} --scope scope"
 
     if get_token_method == "get_token":
         with pytest.raises(CredentialUnavailableError, match=re.escape(expected_message)):
@@ -412,6 +412,21 @@ def test_claims_challenge_raises_error(get_token_method):
             AzureCliCredential().get_token_info("scope", options={"claims": claims})
 
 
+@pytest.mark.parametrize("get_token_method", GET_TOKEN_METHODS)
+def test_claims_challenge_without_scopes(get_token_method):
+    """The credential should raise CredentialUnavailableError with appropriate message even when no scopes provided"""
+
+    claims = "test-claims-challenge"
+    expected_message = f"Failed to get token. Run az login --claims-challenge {claims}"
+
+    if get_token_method == "get_token":
+        with pytest.raises(CredentialUnavailableError, match=re.escape(expected_message)):
+            AzureCliCredential().get_token(claims=claims)  # No scopes provided
+    else:  # get_token_info
+        with pytest.raises(CredentialUnavailableError, match=re.escape(expected_message)):
+            AzureCliCredential().get_token_info(options={"claims": claims})  # No scopes provided
+
+
 @pytest.mark.parametrize("get_token_method", GET_TOKEN_METHODS)
 def test_empty_claims_does_not_raise_error(get_token_method):
     """The credential should not raise error when claims parameter is empty or None"""
diff --git a/sdk/identity/azure-identity/tests/test_cli_credential_async.py b/sdk/identity/azure-identity/tests/test_cli_credential_async.py
@@ -396,7 +396,7 @@ async def test_claims_challenge_raises_error(get_token_method):
     """The credential should raise CredentialUnavailableError when claims challenge is provided"""
 
     claims = "test-claims-challenge"
-    expected_message = f"Failed to get token. Run az login --claims-challenge {claims}"
+    expected_message = f"Failed to get token. Run az login --claims-challenge {claims} --scope scope"
 
     if get_token_method == "get_token":
         with pytest.raises(CredentialUnavailableError, match=re.escape(expected_message)):
@@ -406,6 +406,21 @@ async def test_claims_challenge_raises_error(get_token_method):
             await AzureCliCredential().get_token_info("scope", options={"claims": claims})
 
 
+@pytest.mark.parametrize("get_token_method", GET_TOKEN_METHODS)
+async def test_claims_challenge_without_scopes(get_token_method):
+    """The credential should raise CredentialUnavailableError with appropriate message even when no scopes provided"""
+
+    claims = "test-claims-challenge"
+    expected_message = f"Failed to get token. Run az login --claims-challenge {claims}"
+
+    if get_token_method == "get_token":
+        with pytest.raises(CredentialUnavailableError, match=re.escape(expected_message)):
+            await AzureCliCredential().get_token(claims=claims)  # No scopes provided
+    else:  # get_token_info
+        with pytest.raises(CredentialUnavailableError, match=re.escape(expected_message)):
+            await AzureCliCredential().get_token_info(options={"claims": claims})  # No scopes provided
+
+
 @pytest.mark.parametrize("get_token_method", GET_TOKEN_METHODS)
 async def test_empty_claims_does_not_raise_error(get_token_method):
     """The credential should not raise error when claims parameter is empty or None"""
