feat: update Azure login step to clarify tenant-only usage for Graph API

emmanuelknafo · emmanuelknafo · commit cf0b4ecabe4c · 2026-05-01T17:02:14.000-04:00
diff --git a/.github/workflows/teardown.yml b/.github/workflows/teardown.yml
@@ -185,13 +185,16 @@ jobs:
           echo "spa_app_id=$spa_app_id" >> "$GITHUB_OUTPUT"
           echo "skip=false" >> "$GITHUB_OUTPUT"
 
-      - name: Azure login (OIDC)
+      - name: Azure login (OIDC, tenant-only for Graph)
         if: ${{ steps.ids.outputs.skip == 'false' }}
         uses: azure/login@v2
         with:
           client-id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
-          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          # Graph (`az ad app delete`) does not need a subscription. Passing
+          # subscription-id together with allow-no-subscriptions still makes
+          # the action attempt `az account set`, which fails with "No
+          # subscriptions found" if the OIDC SP has no role on that sub.
           allow-no-subscriptions: true
 
       - name: Delete API app registration
