Pass through EntraID token via Env Var #608

@kyle-rader-msft

Problem: Auth via Env Var

There is no way to pass-through an existing EntraID access token for the CLI to use, limiting the use cases of the tool.

The current auth flow uses AzureDefaultCredential to go through the default set of flows. This is fine for prototyping, but doesn't provide the best auth experience, or cover all scenarios for non-interactive authentication.

Solution

By allowing another authentication option to take an already-acquired token from the env var, any consumer can orchestrate auth in the way they need to and pass in a token.

Design

The existing -a|--authentication option takes env, azcli to indicate using the Azure CLI / (an external cred provider source).

I propose we include parsing other values prefixed as ENV_ENV_VAR_NAME to indicate that a token should be read directly from ENV_VAR_NAME.

This way any caller can set up authentication the way they need, and pass down a token.

Use Case

We've (1P Agent Platform EngThrive Squad) built an internally distributed AI CLI tool(-kit) aicoder that now has HTTP and STDIO MCP proxy commands that allow us to inject and handle Entra ID authentication using azureauth - our purpose-built EntraID credential provider for developers at Microsoft. This provides the best (and most silent) auth experience possible. We are orchestrating its usage on local dev machines, and then also handling authentication in service and pipeline contexts within our proxy commands.

The proxies are usable as a local stdio MCP tool by any Agentic IDE or tool, including VSCode, Cursor, Claude Code, Codex, Copilot-CLI, etc.

In order to make the local ADO MCP tool work, we just need a way to inject an auth token to the process when we launch it. The proxy will relaunch with a fresh token when it needs it. This should be a very small amount of code that requires no up-keep until the full remote ADO MCP is available.
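
The `ENV_<VAR_NAME>` parsing proposed in this issue could look like the following; this is an added example, not code from the issue or the project. The function names and the sample variable `ADO_MCP_TOKEN` are hypothetical, and it assumes the token is an unencrypted JWT carrying an `exp` claim.

```javascript
// Added example. Helper names are hypothetical; only the ENV_ prefix
// convention comes from the proposal above.
const ENV_PREFIX = "ENV_";

// Constructed sample token (unsigned, not a real Entra ID token).
function makeSampleJwt(exp) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${b64({ alg: "none", typ: "JWT" })}.${b64({ exp })}.constructed-signature`;
}

// Decode the payload without verifying the signature: the receiving service
// validates the token; this is only a local fail-fast check.
// Assumption: the token is an unencrypted JWT.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("token is not a three-part JWT");
  try {
    return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  } catch {
    throw new Error("token payload is not base64url-encoded JSON");
  }
}

// Resolve an --authentication value of the form ENV_<VAR_NAME>.
// Returns null for any other value (env, azcli) so existing flows still apply.
function resolveEnvToken(authOption, env = process.env, nowSec = Math.floor(Date.now() / 1000)) {
  if (!authOption.startsWith(ENV_PREFIX)) return null;
  const varName = authOption.slice(ENV_PREFIX.length);
  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(varName)) {
    throw new Error("authentication option names an invalid environment variable");
  }
  const token = (env[varName] ?? "").trim();
  if (!token) throw new Error(`environment variable ${varName} is empty or unset`);
  const { exp } = decodeJwtPayload(token) ?? {};
  if (typeof exp !== "number" || exp <= nowSec) {
    throw new Error(`token in ${varName} is expired or has no exp claim`);
  }
  // Errors name the variable, never the token value, so logs stay clean.
  return { token, expiresOn: exp };
}
```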
