Parse new azd auth error formats in AzureDeveloperCliCredential

[JeffreyCA]

Fixes Azure/azure-dev#7859 (parent: Azure/azure-dev#7728)

Related:

• Azure/azure-sdk-for-go#26590 - equivalent Go fix
• Azure/azure-sdk-for-net#58616 - equivalent .NET fix
• Azure/azure-sdk-for-js#38416 - equivalent JS fix

Description

Starting with azd v1.23.7 (PR Azure/azure-dev#6827), azd auth token changed its stderr error format from the legacy consoleMessage JSON to a structured {"error":"..."} JSON object. The stderr output may also include an extraneous empty consoleMessage line preceding the error (fixed in v1.24.0 via Azure/azure-dev#7701).

This PR updates AzureDeveloperCliCredential error parsing to handle all three formats:

azd version	stderr format
pre-v1.23.7	{"type":"consoleMessage","data":{"message":"..."}}
v1.23.7 – v1.23.15	{"type":"consoleMessage",...}\n{"error":"..."} (two lines)
v1.24.0+	{"error":"..."} (single line)

Validation

In addition to unit tests, validated manually with small Python script:

credential = AzureDeveloperCliCredential(tenant_id="invalid-tenant")

try:
    token = credential.get_token("https://management.azure.com/.default")
    print(f"Unexpected success. Token expires at: {token.expires_on}")
except ClientAuthenticationError as ex:
    pass

Without changes (v1.23.6)

AzureDeveloperCliCredential.get_token failed: ERROR: fetching token: failed to authenticate:
(invalid_tenant) AADSTS90002: Tenant 'invalid-tenant' not found. Check to make sure you have the correct tenant ID and are signing into the correct cloud. Check with your subscription administrator, this may happen if there are no active subscriptions for the tenant. Trace ID: <redacted> Correlation ID: <redacted> Timestamp: 2026-05-05 00:38:02Z

Without changes (v1.23.7+)

AzureDeveloperCliCredential.get_token failed: Authentication with Azure failed.

With changes (all versions)

AzureDeveloperCliCredential.get_token failed: ERROR: fetching token: failed to authenticate:
(invalid_tenant) AADSTS90002: Tenant 'invalid-tenant' not found. Check to make sure you have the correct tenant ID and are signing into the correct cloud. Check with your subscription administrator, this may happen if there are no active subscriptions for the tenant. Trace ID: <redacted> Correlation ID: <redacted> Timestamp: 2026-05-05 00:38:37Z

All SDK Contribution checklist:

• The pull request does not introduce [breaking changes]
• CHANGELOG is updated for new features, bug fixes or other significant changes.
• I have read the contribution guidelines.

General Guidelines and Best Practices

• Title of the pull request is clear and informative.
• There are a small number of commits, each of which have an informative message. This means that previously merged commits do not appear in the history of the PR. For more information on cleaning up the commits in your PR, see this page.

Testing Guidelines

• Pull request includes test coverage for the included changes.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[pvaneck]

LGTM overall. Looks like you just need to run black formatting locally (azpysdk black) for the Analyze check. Also, with "error" being preferred, is "suggestion" also something worth surfacing still?

[JeffreyCA]

LGTM overall. Looks like you just need to run black formatting locally (azpysdk black) for the Analyze check. Also, with "error" being preferred, is "suggestion" also something worth surfacing still?

Thanks, I went ahead and removed the suggestion logic since I think preferring the error makes more sense and is more helpful for understanding what exactly went wrong (exact AADSTS code and message) than the suggestion (which is usually something like re-running azd auth login). It also aligns with how the other languages' SDKs like Go and .NET behave.