Identity resolution mismatches when using Azure CLI authentication #620

@gregdskb

Summary

I think that there can be identity resolution mismatches when using Azure CLI or environment-based authentication with Azure DevOps, where the authenticated user's identity doesn't properly resolve in the Azure DevOps system due to stale caching. See #413.

Issue

I believe the underlying problem is that Azure DevOps's identity system can cache user mappings, and when using programmatic authentication (CLI or environment credentials), the cached identity might not match the token's actual identity. This causes:

  • API calls to fail with 401/403 errors
  • Operations to be attributed to the wrong user
  • Confusion about which user context is active

Fix

I propose updates to the azcli authentication in src/auth.ts so that it will ONLY use AzureCliCredential to avoid stale cached credentials, and adding the X-VSS-ForceMsaPassThrough: true header in src/index.ts to force MSA (Microsoft Account) pass-through to ensure correct identity resolution, which will prevent Azure DevOps from using stale cached identity mappings.
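One way to confirm the mismatch this issue describes is to compare the user named in the access token with the user Azure DevOps resolved for the same call. This is an added example, not code from the issue author or the project. It assumes the token carries a `upn` or `unique_name` claim and that the `_apis/connectionData` response exposes the account at `authenticatedUser.properties.Account.$value`; all function names and sample data are hypothetical and constructed.

```typescript
// Added example (not project code). Sample token and responses are constructed.
type Claims = { oid?: string; tid?: string; upn?: string; unique_name?: string };

// Decode the payload of a compact JWT WITHOUT verifying its signature.
// Diagnostic use only: never base an authorization decision on this output.
function decodeClaims(token: string): Claims {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Assumed response shape of GET {organization}/_apis/connectionData.
function resolvedAccount(connectionData: any): string | undefined {
  return connectionData?.authenticatedUser?.properties?.Account?.$value;
}

interface IdentityCheck { tokenUser?: string; resolvedUser?: string; match: boolean }

function checkIdentity(token: string, connectionData: any): IdentityCheck {
  const claims = decodeClaims(token);
  const tokenUser = claims.upn ?? claims.unique_name;
  const resolvedUser = resolvedAccount(connectionData);
  // A missing value on either side is reported as a mismatch, not a pass.
  const match = !!tokenUser && !!resolvedUser &&
    tokenUser.toLowerCase() === resolvedUser.toLowerCase();
  return { tokenUser, resolvedUser, match };
}

// Constructed inputs: an unsigned token and a minimal connectionData body.
function sampleToken(claims: Claims): string {
  const enc = (o: object) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(claims)}.sig`;
}
function sampleConnectionData(account?: string) {
  const properties = account ? { Account: { $type: "System.String", $value: account } } : {};
  return { authenticatedUser: { properties } };
}

const token = sampleToken({ upn: "Alice@contoso.example" });
console.log(checkIdentity(token, sampleConnectionData("alice@contoso.example")));
console.log(checkIdentity(token, sampleConnectionData("bob@contoso.example")));
```

Logging `tokenUser` and `resolvedUser` side by side at startup makes a wrong-user attribution visible before any write operation is issued.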
