Azure MCP does not use your selected tenant

[alexwolfmsft]

Describe the bug

Azure MCP Server seems to only work with a default tenant and doesn't pick up one that is set directly. For example, if you run az login --tenant , that tenant is not selected when you run prompts. Instead, you receive this message:

Your access token is from the wrong Azure tenant for subscription . Please re-authenticate using the authority https://login.windows.net/ and try again. If you recently transferred the subscription, it may take up to....

I received this error in Copilot Chat as well as programmatically. I tried various ways of signing in or switching tenants, but it always just picks the default.

Because tenant is set during az login, and does not have a separate command in the way subscriptions do (az account set <>) - does this mean you cannot use Azure MCP to access resources on other tenants?

Expected behavior

Azure MCP Server should use whatever tenant you signed in with using az login --tenant .

Actual behavior

Azure MCP Server always uses the default tenant (az login with no parameters equivalent, it seems).

Reproduction Steps

1. Run az login --tenant
2. Attempt to access resources in your targeted tenant ("List my resource groups")
3. Provide your target subscription in your target tenant, if prompted
4. Error is displayed

Environment

Copilot with VS Code, .NET or Node apps programmatically.

[github-actions]

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @anannya03 @g2vinay @microsoft/azure-mcp @xiangyan99.

[anannya03]

Hi @alexwolfmsft ,
Thank you for reporting this issue. I'm looking into it and will update you as soon as a fix is available.

[anannya03]

Hi @alexwolfmsft ,

In the Azure MCP development setup, multiple credential types are supported (for example: Azure CLI, Visual Studio Code, Managed Identity, etc.). If a specific credential is not explicitly configured, the default credential chain may get a token associated with your default tenant instead of the tenant you logged into using:
`az login --tenant

To resolve the Tenant Mismatch error, you're encountering, please do one of the following-

1. If you specifically want Azure MCP Server to use the Azure CLI login context (including the tenant you specified), you can explicitly configure it by setting the following environment variable in VS Code:

AZURE_TOKEN_CREDENTIAL=AzureCliCredential

This` forces the server to authenticate using Azure CLI credentials, ensuring it respects the tenant you logged into.

2. Alternatively, you can explicitly provide the tenant ID in your prompt. For example:

"List my resource groups for tenant ID <tenant_id>."

This helps the server target the correct tenant and mitigates the tenant mismatch error.

We agree that the current error message is not very actionable. We will improve the error message to provide clearer guidance so that tenant mismatch scenarios surface more helpful feedback directly in the Azure MCP Server’s LLM response.

Thanks again for raising this, please let us know if the above solution resolves the issue for you.