From f448c217e34b85535eeb6fdf9d33e826be81ffeb Mon Sep 17 00:00:00 2001 From: Vinay Gera Date: Mon, 4 May 2026 12:00:35 -0700 Subject: [PATCH 1/2] docs: add TSG entry for external MCP server auth failure with AzurePowerShellCredential --- docs/Authentication.md | 52 +++++++++++++++++++++++++++++++++++++++++- 1 file changed, 51 insertions(+), 1 deletion(-) diff --git a/docs/Authentication.md b/docs/Authentication.md index cb9926b646..8575374b74 100644 --- a/docs/Authentication.md +++ b/docs/Authentication.md 
@@ -145,4 +145,54 @@ Each `azd` template provisions: - Entra ID app registration(s) with the correct scopes and roles - Managed identity with appropriate RBAC assignments -- Azure Container App configured to run the Azure MCP Server with all required environment variables and server flags \ No newline at end of file +- Azure Container App configured to run the Azure MCP Server with all required environment variables and server flags + +--- + +## Troubleshooting + +### External MCP server auth fails with `AzurePowerShellCredential` + +**Symptom** + +When the Azure MCP Server tries to connect to an external registry server (e.g. a Foundry MCP server), you see an error like: + +``` +Failed to create MCP client for registry server 'foundry': The ChainedTokenCredential failed to retrieve a token from the included credentials. +- AzurePowerShellCredential is not available: Azure PowerShell authentication failed due to an unknown error... + SharedTokenCacheCredential authentication failed: AADSTS65002: Consent between first party application '1950a258-227b-4e31-a9cf-717495945fc2' and first party resource '...' must be configured via preauthorization +- InteractiveBrowserCredential is not available: Authentication is not configured correctly. Please authenticate using Azure CLI ('az login')... +``` + +**Cause** + +The credential chain tries `AzurePowerShellCredential` and it fails because the PowerShell shared token cache does not have consent configured for the target resource. `InteractiveBrowserCredential` is also unavailable in non-interactive stdio/CLI mode. + +**Fix** + +Use Azure CLI authentication instead. This is the most reliable credential for stdio/CLI mode: + +1. Sign in with the Azure CLI: + + ```bash + az login + ``` + +2. 
Pin the credential chain to Azure CLI only by setting the `AZURE_TOKEN_CREDENTIALS` environment variable before starting the server: + + ```bash + # bash / zsh + export AZURE_TOKEN_CREDENTIALS=AzureCliCredential + ``` + + ```powershell + # PowerShell + $env:AZURE_TOKEN_CREDENTIALS = "AzureCliCredential" + ``` + + Or set it permanently in your shell profile / system environment variables. + +3. Restart the Azure MCP Server (or your IDE) so it picks up the new environment variable. + +> [!NOTE] +> `AZURE_TOKEN_CREDENTIALS=AzureCliCredential` skips the entire credential chain and uses `az login` credentials directly. It will fail if you are not logged in with the Azure CLI, so make sure `az account show` returns the expected account before starting the server. \ No newline at end of file From 342c1688c971dcb159c1e304187fc3cd82fe09d6 Mon Sep 17 00:00:00 2001 From: Vinay Gera Date: Mon, 4 May 2026 12:20:59 -0700 Subject: [PATCH 2/2] add tsg guidance to auth.md --- docs/Authentication.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/docs/Authentication.md b/docs/Authentication.md index 8575374b74..f006d38c61 100644 --- a/docs/Authentication.md +++ b/docs/Authentication.md 
@@ -161,16 +161,15 @@ When the Azure MCP Server tries to connect to an external registry server (e.g. Failed to create MCP client for registry server 'foundry': The ChainedTokenCredential failed to retrieve a token from the included credentials. - AzurePowerShellCredential is not available: Azure PowerShell authentication failed due to an unknown error... SharedTokenCacheCredential authentication failed: AADSTS65002: Consent between first party application '1950a258-227b-4e31-a9cf-717495945fc2' and first party resource '...' must be configured via preauthorization -- InteractiveBrowserCredential is not available: Authentication is not configured correctly. Please authenticate using Azure CLI ('az login')... ``` **Cause** -The credential chain tries `AzurePowerShellCredential` and it fails because the PowerShell shared token cache does not have consent configured for the target resource. `InteractiveBrowserCredential` is also unavailable in non-interactive stdio/CLI mode. +The credential chain tries `AzurePowerShellCredential` and it fails because the PowerShell shared token cache does not have consent configured for the target resource. **Fix** -Use Azure CLI authentication instead. This is the most reliable credential for stdio/CLI mode: +Use Azure CLI authentication instead. 1. Sign in with the Azure CLI:
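Review bot: In step 2 of the Fix added by patch 1/2, the line "Or set it permanently in your shell profile / system environment variables." turns a workaround for one server into a profile-wide or machine-wide setting. A variable set there is inherited by every process started from that environment, so any other tool that reads `AZURE_TOKEN_CREDENTIALS` is pinned to Azure CLI credentials as well. Suggest recommending that it be set only in the environment that launches the Azure MCP Server, and saying how to unset it once the underlying consent issue is resolved. Separately, the added text again ends with "\ No newline at end of file" after the NOTE block, so the hunk fixes the missing newline at the old end of the file and reintroduces it at the new one.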
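Review bot: In the patch 2/2 hunk, dropping the `- InteractiveBrowserCredential is not available: ...` line from the sample error risks a Symptom block that no longer matches what users see and paste into search. If the server still prints that line in this failure, keep it in the sample and remove only the Cause sentence about `InteractiveBrowserCredential`. The subject "add tsg guidance to auth.md" also does not describe this change, which only trims the sample error, the Cause and the Fix lead-in; a subject that says so would make the history easier to follow.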