
[BUG] AzureDeveloperCliCredential fails if resource scope doesn't include /.default #53584

@ronaldbosma

Description

Library name and version

Azure.Identity 1.17.0

Describe the bug

When retrieving a token with AzureDeveloperCliCredential, it fails if the scope is specified without the /.default suffix. For example, retrieving a token with a Key Vault scope like https://kvaisquicksdctaqld.vault.azure.net or an app registration scope like api://apim-managedidentity-nwe-i2jdr will fail.

When AzureCliCredential is used with the same scopes, it succeeds in retrieving a token.

Expected behavior

I would expect AzureDeveloperCliCredential to behave in the same way as AzureCliCredential. Both calls in the following snippet should succeed in retrieving a token.

using System.Threading;
using Azure.Core;
using Azure.Identity;

var tokenCredential = new AzureDeveloperCliCredential();
// Bare resource scope (fails with AzureDeveloperCliCredential, succeeds with AzureCliCredential):
await tokenCredential.GetTokenAsync(new TokenRequestContext(["https://kvaisquicksdctaqld.vault.azure.net"]), CancellationToken.None);
// Same scope with the /.default suffix (succeeds):
await tokenCredential.GetTokenAsync(new TokenRequestContext(["https://kvaisquicksdctaqld.vault.azure.net/.default"]), CancellationToken.None);

Actual behavior

When retrieving a token for an Entra ID app registration, the error "The resource principal named api:/ was not found in the tenant named ..." is raised. See the following details:

Message: 
Class Initialization method IntegrationTests.PipelineCredentialsTests.ClassInitialize threw exception. 
Azure.Identity.AuthenticationFailedException: Azure Developer CLI authentication failed due to an unknown error. 
Please visit https://aka.ms/azure-dev for installation instructions and then, once installed, authenticate to your Azure account using 'azd auth login'. 
{"type":"consoleMessage","timestamp":"2025-10-30T15:14:44.643371+01:00","data":{"message":"\nERROR: fetching token: failed to authenticate:\n(invalid_resource) AADSTS500011: The resource principal named api:/ was not found in the tenant named .... This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant. Trace ID: f1832b0f-1d4d-4dbe-a5a7-bb3bad198900 Correlation ID: 1c7fff72-e886-4075-829a-abda5899b8bf Timestamp: 2025-10-30 14:14:47Z\n\n"}}.

  Stack Trace: 
AzureDeveloperCliCredential.RequestCliAccessTokenAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
AzureDeveloperCliCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable)
AzureDeveloperCliCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
AzureDeveloperCliCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
PipelineCredentialsTests.ClassInitialize(TestContext context) line 31

When retrieving a token for e.g. a Key Vault resource, the error "The provided request must include a 'scope' input parameter." is raised. See the following details:

Message: 
Test method IntegrationTests.PipelineCredentialsTests.MyTestMethod threw exception: 
Azure.Identity.AuthenticationFailedException: Azure Developer CLI authentication failed due to an unknown error. 
Please visit https://aka.ms/azure-dev for installation instructions and then, once installed, authenticate to your Azure account using 'azd auth login'. 
{"type":"consoleMessage","timestamp":"2025-10-30T15:20:21.1284874+01:00","data":{"message":"\nERROR: fetching token: failed to authenticate:\n(invalid_scope) AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope https://kvaisquicksdctaqld.vault.azure.net openid offline_access profile is not valid. The scope format is invalid. Scope must be in a valid URI form \u003chttps://example/scope\u003e or a valid Guid \u003cguid/scope\u003e. Trace ID: a318c5c6-773d-4ccb-9a5e-35a49dec5800 Correlation ID: 7b47c7dd-fed8-4a98-9dcf-832f50a439e5 Timestamp: 2025-10-30 14:20:24Z\n\n"}}

Stack Trace: 
AzureDeveloperCliCredential.RequestCliAccessTokenAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
AzureDeveloperCliCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable)
AzureDeveloperCliCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
AzureDeveloperCliCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
PipelineCredentialsTests.MyTestMethod() line 47

Reproduction Steps

Key Vault

  1. Authorize with azd
  2. Deploy a Key Vault in Azure and make sure you have permission
  3. Execute the following C# code, replacing <key-vault-name> with your Key Vault name:
    using System.Threading;
    using Azure.Core;
    using Azure.Identity;

    var tokenCredential = new AzureDeveloperCliCredential();
    // Bare Key Vault resource scope, without the /.default suffix
    var tokenResult = await tokenCredential.GetTokenAsync(new TokenRequestContext(["https://<key-vault-name>.vault.azure.net"]), CancellationToken.None);

App Registration

  1. Authorize with azd
  2. Deploy an app registration
    • add a scope so a user token can be used
    • grant azd (app id: 04b07795-8ddb-461a-bbee-02f9e1bf7b46) permission to use the scope
    • assign role to user so it has permission to retrieve a token
  3. Execute the following C# code, replacing <app-id-uri> with your 'Application ID URI':
    using System.Threading;
    using Azure.Core;
    using Azure.Identity;

    var tokenCredential = new AzureDeveloperCliCredential();
    // Bare app registration scope, without the /.default suffix
    var tokenResult = await tokenCredential.GetTokenAsync(new TokenRequestContext(["api://<app-id-uri>"]), CancellationToken.None);

My template call-apim-with-managed-identity deploys this scenario. After deployment, the code in PipelineCredentialsTests.cs could be altered to reproduce the scenario.

Environment

Windows 11
.NET 9
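As an added workaround example (not code from the issue or from the Azure SDK): a TokenCredential decorator that appends /.default to bare resource scopes before delegating to AzureDeveloperCliCredential, so the bare Key Vault and api:// scopes from the report reach azd in the form that the issue says succeeds. The class name DefaultScopeCredential and the "bare resource" rule it applies are assumptions.

```csharp
// Added example, not from the issue or the Azure SDK. DefaultScopeCredential is a
// hypothetical name; the "bare resource" rule below is an assumption, not SDK logic.
using System;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

public sealed class DefaultScopeCredential : TokenCredential
{
    private readonly TokenCredential _inner;
    public DefaultScopeCredential(TokenCredential inner) =>
        _inner = inner ?? throw new ArgumentNullException(nameof(inner));

    // A scope is treated as a bare resource when nothing follows the host part,
    // e.g. "https://<kv>.vault.azure.net" or "api://<app-id-uri>". Scopes that already
    // carry a permission segment ("/.default", "/user_impersonation") are left as-is.
    public static string Normalize(string scope)
    {
        if (string.IsNullOrWhiteSpace(scope))
            throw new ArgumentException("Scope must not be empty.", nameof(scope));
        string trimmed = scope.TrimEnd('/');
        int schemeEnd = trimmed.IndexOf("://", StringComparison.Ordinal);
        bool hasPath = schemeEnd >= 0 && trimmed.IndexOf('/', schemeEnd + 3) >= 0;
        return hasPath ? scope : trimmed + "/.default";
    }

    // Rebuild the request context with normalized scopes, keeping the other fields.
    private static TokenRequestContext Rewrite(TokenRequestContext ctx) =>
        new TokenRequestContext(ctx.Scopes.Select(Normalize).ToArray(),
                                ctx.ParentRequestId, ctx.Claims, ctx.TenantId);

    public override AccessToken GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken) =>
        _inner.GetToken(Rewrite(requestContext), cancellationToken);

    public override ValueTask<AccessToken> GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken) =>
        _inner.GetTokenAsync(Rewrite(requestContext), cancellationToken);
}

public static class Program
{
    public static async Task Main()
    {
        // The bare scope from the issue is forwarded to azd as ".../.default".
        TokenCredential credential = new DefaultScopeCredential(new AzureDeveloperCliCredential());
        var ctx = new TokenRequestContext(["https://<key-vault-name>.vault.azure.net"]);
        AccessToken token = await credential.GetTokenAsync(ctx, CancellationToken.None);
        Console.WriteLine($"Token expires on {token.ExpiresOn:u}");
    }
}
```

The decorator leaves scopes that already name a permission untouched, so it does not change requests that were valid before.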

Labels: Azure.Identity, Client, customer-reported, needs-team-attention, question

Status: Untriaged