Skip to content

[App Config] Update CLI to use Audience and update to 1.8.0#33393

Open
mrm9084 wants to merge 8 commits into
Azure:devfrom
mrm9084:audincefix
Open

[App Config] Update CLI to use Audience and update to 1.8.0#33393
mrm9084 wants to merge 8 commits into
Azure:devfrom
mrm9084:audincefix

Conversation

@mrm9084

@mrm9084 mrm9084 commented May 18, 2026

Copy link
Copy Markdown
Member

Related command
az appconfig

Description
When updating to the 1.8.0 version of the python sdk it will result in us breaking in all non hardcoded regions, such as Bleu.

This PR adds a check that will attempt to get the audience from the endpoint if an audience isn't provided.

This PR also updates us to 1.8.0.

This PR also updates to use entra ID for tests.

Testing Guide
Get a config store in Bleu, you'll see that you can connect without providing the audience manually like you can in 1.7.2.

History Notes
Make is so the 1.8.0 release of the python sdk will not break all of our existing customers in non-public/ff/mc clouds.


This checklist is used to make sure that common guidelines for a pull request are followed.

Copilot AI review requested due to automatic review settings May 18, 2026 23:33
@azure-client-tools-bot-prd

azure-client-tools-bot-prd Bot commented May 18, 2026

Copy link
Copy Markdown
❌AzureCLI-FullTest
️✔️acr
️✔️latest
️✔️3.12
️✔️3.14
️✔️acs
️✔️latest
️✔️3.12
️✔️3.14
️✔️advisor
️✔️latest
️✔️3.12
️✔️3.14
️✔️ams
️✔️latest
️✔️3.12
️✔️3.14
️✔️apim
️✔️latest
️✔️3.12
️✔️3.14
❌appconfig
❌latest
❌3.12
Type Test Case Error Message Line
Failed test_get_appconfig_data_client_falls_back_to_endpoint_when_cloud_has_no_audience self = <azure.cli.command_modules.appconfig.tests.latest.test_appconfig_aad_auth.AppConfigAadAuthUnitTest testMethod=test_get_appconfig_data_client_falls_back_to_endpoint_when_cloud_has_no_audience>
profile_cls_mock = <MagicMock name='Profile' id='140263780908688'>
get_active_cloud_mock = <MagicMock name='get_active_cloud' id='140263776881696'>
appconfig_credential_cls_mock = <MagicMock name='AppConfigurationCliCredential' id='140263776885632'>
appconfig_client_cls_mock = <MagicMock name='AzureAppConfigurationClient' id='140263776889424'>

    @mock.patch('azure.cli.command_modules.appconfig.utils.AzureAppConfigurationClient')
    @mock.patch('azure.cli.command_modules.appconfig.credential.AppConfigurationCliCredential')
    @mock.patch('azure.cli.core.cloud.get_active_cloud')
    @mock.patch('azure.cli.core.profile.Profile')
    def test_get_appconfig_data_client_falls_back_to_endpoint_when_cloud_has_no_audience(
            self,
            profile_cls_mock,
            get_active_cloud_mock,
            appconfig_credential_cls_mock,
            appconfig_client_cls_mock):
        endpoint = 'https://contoso.azconfig.io'
        command = mock.MagicMock()
        command.cli_ctx = DummyCli()
    
        token_credential = object()
        profile_cls_mock.return_value.get_login_credentials.return_value = (token_credential, None, None)
        get_active_cloud_mock.return_value = SimpleNamespace(endpoints=SimpleNamespace())
    
        get_appconfig_data_client(
            command,
            name=None,
            connection_string=None,
            auth_mode='login',
            endpoint=endpoint)
    
        appconfig_credential_cls_mock.assert_called_once_with(token_credential, endpoint)
>       appconfig_client_cls_mock.assert_called_once_with(
            credential=appconfig_credential_cls_mock.return_value,
            base_url=endpoint,
            user_agent=mock.ANY)

src/azure-cli/azure/cli/command_modules/appconfig/tests/latest/test_appconfig_aad_auth.py:93: 
 
 
                                      
/opt/hostedtoolcache/Python/3.12.12/x64/lib/python3.12/unittest/mock.py:961: in assert_called_once_with
    return self.assert_called_with(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                                       _ 

self = <MagicMock name='AzureAppConfigurationClient' id='140263776889424'>
args = ()
kwargs = {'credential': <MagicMock name='AppConfigurationCliCredential()' id='140263778240512'>, 'base_url': 'https://contoso.azconfig.io',&nbsp;'user_agent': }

    def assert_called_with(self, /, *args, **kwargs):
        """assert that the last call was made with the specified arguments.
    
        Raises an AssertionError if the args and keyword args passed in are
        different to the last call to the mock."""
        if self.call_args is None:
            expected = self._format_mock_call_signature(args, kwargs)
            actual = 'not called.'
            error_message = ('expected call not found.\nExpected: %s\n  Actual: %s'
                    % (expected, actual))
            raise AssertionError(error_message)
    
        def _error_message():
            msg = self._format_mock_failure_message(args, kwargs)
            return msg
        expected = self._call_matcher(_Call((args, kwargs), two=True))
        actual = self._call_matcher(self.call_args)
        if actual != expected:
            cause = expected if isinstance(expected, Exception) else None
>           raise AssertionError(_error_message()) from cause
E           AssertionError: expected call not found.
E           Expected: AzureAppConfigurationClient(credential=<MagicMock name='AppConfigurationCliCredential()' id='140263778240512'>, base_url='https://contoso.azconfig.io',&nbsp;user_agent=)
E             Actual: AzureAppConfigurationClient(credential=<MagicMock name='AppConfigurationCliCredential()' id='140263778240512'>, base_url='https://contoso.azconfig.io',&nbsp;user_agent='AZURECLI.APPCONFIG/2.88.0',&nbsp;retry_policy=<azure.core.pipeline.policies._retry.RetryPolicy object at 0x7f91b49a59d0>)

/opt/hostedtoolcache/Python/3.12.12/x64/lib/python3.12/unittest/mock.py:949: AssertionError
azure/cli/command_modules/appconfig/tests/latest/test_appconfig_aad_auth.py:66
Failed test_azconfig_credential self = <azure.cli.testsdk.base.ExecutionResult object at 0x7f91b4bf1790>
cli_ctx = <azure.cli.core.mock.DummyCli object at 0x7f91b5ca1c10>
command = 'appconfig create -n CredentialTest000002 -g clitest.rg000001 -l eastus --sku standard --retention-days 1 --disable-local-auth true'
expect_failure = False

    def in_process_execute(self, cli_ctx, command, expect_failure=False):
        from io import StringIO
        from vcr.errors import CannotOverwriteExistingCassetteException
    
        if command.startswith('az '):
            command = command[3:]
    
        stdout_buf = StringIO()
        logging_buf = StringIO()
        try:
            # issue: stderr cannot be redirect in this form, as a result some failure information
            # is lost when command fails.
>           self.exit_code = cli_ctx.invoke(shlex.split(command), out_file=stdout_buf) or 0
                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

src/azure-cli-testsdk/azure/cli/testsdk/base.py:303: 
                                        
env/lib/python3.12/site-packages/knack/cli.py:245: in invoke
    exit_code = self.exception_handler(ex)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/init.py:153: in exception_handler
    return handle_exception(ex)
           ^^^^^^^^^^^^^^^^^^^^
                                        

ex = HttpResponseError('(RequestDisallowedByPolicy) Resource 'CredentialTest000002' was disallowed by policy. Reasons: '...onsString": "all",\n        "effect": "deny"\n    },\n    "policyExemptionIds": [],\n    "policyEnrollmentIds": []\n}')
args = (), kwargs = {}

    def handle_main_exception(ex, *args, **kwargs):  # pylint: disable=unused-argument
        if isinstance(ex, CannotOverwriteExistingCassetteException):
            # This exception usually caused by a no match HTTP request. This is a product error
            # that is caused by change of SDK invocation.
            raise ex
    
>       raise CliExecutionError(ex)
E       azure.cli.testsdk.exceptions.CliExecutionError: The CLI throws exception HttpResponseError during execution and fails the command.

src/azure-cli-testsdk/azure/cli/testsdk/patches.py:35: CliExecutionError

During handling of the above exception, another exception occurred:

self = <azure.cli.command_modules.appconfig.tests.latest.test_appconfig_credential_commands.AppConfigCredentialScenarioTest testMethod=test_azconfig_credential>
resource_group = 'clitest.rg000001', location = 'eastus'

    @AllowLargeResponse()
    @ResourceGroupPreparer(parameter_name_for_location='location')
    def test_azconfig_credential(self, resource_group, location):
        credential_store_prefix = get_resource_name_prefix('CredentialTest')
        config_store_name = self.create_random_name(prefix=credential_store_prefix, length=24)
    
        location = 'eastus'
        sku = 'standard'
        self.kwargs.update({
            'config_store_name': config_store_name,
            'rg_loc': location,
            'rg': resource_group,
            'sku': sku
        })
    
>       create_config_store(self, self.kwargs, disable_local_auth=True)

src/azure-cli/azure/cli/command_modules/appconfig/tests/latest/test_appconfig_credential_commands.py:34: 
 
                                       
src/azure-cli/azure/cli/command_modules/appconfig/tests/latest/test_utils.py:21: in create_config_store
    test.cmd(command)
src/azure-cli-testsdk/azure/cli/testsdk/base.py:177: in cmd
    return execute(self.cli_ctx, command, expect_failure=expect_failure).assert_with_checks(checks)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-testsdk/azure/cli/testsdk/base.py:252: in init
    self.in_process_execute(cli_ctx, command, expect_failure=expect_failure)
src/azure-cli-testsdk/azure/cli/testsdk/base.py:315: in in_process_execute
    raise ex.exception
env/lib/python3.12/site-packages/knack/cli.py:233: in invoke
    cmd_result = self.invocation.execute(args)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/init.py:677: in execute
    raise ex
src/azure-cli-core/azure/cli/core/commands/init.py:820: in run_jobs_serially
    results.append(self.run_job(expanded_arg, cmd_copy))
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/init.py:789: in run_job
    result = cmd_copy(params)
             ^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/init.py:335: in call
    return self.handler(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/command_operation.py:120: in handler
    return op(**command_args)
           ^^^^^^^^^^^^^^^^^^
src/azure-cli/azure/cli/command_modules/appconfig/custom.py:108: in create_configstore
    config_store = client.begin_create(resource_group_name, name, configstore_params)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/tracing/decorator.py:119: in wrapper_use_tracer
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/mgmt/appconfiguration/operations/operations.py:1274: in begin_create
    raw_result = self.create_initial(
 
 
 
 
 
 
 
                                 

self = <azure.mgmt.appconfiguration.operations._operations.ConfigurationStoresOperations object at 0x7f91b4bf3410>
resource_group_name = 'clitest.rg000001'
config_store_name = 'CredentialTest000002'
config_store_creation_parameters = {'location': 'eastus', 'sku': {'name': 'Standard'}, 'properties': {'dataPlaneProxy': {}, 'disableLocalAuth': True, 'createMode': 'Default', 'softDeleteRetentionInDays': 1}}
kwargs = {}

    def _create_initial(
        self,
        resource_group_name: str,
        config_store_name: str,
        config_store_creation_parameters: Union[_models.ConfigurationStore, JSON, IO[bytes]],
        **kwargs: Any
    ) -> Iterator[bytes]:
        error_map: MutableMapping = {
            401: ClientAuthenticationError,
            404: ResourceNotFoundError,
            409: ResourceExistsError,
            304: ResourceNotModifiedError,
        }
        error_map.update(kwargs.pop("error_map", {}) or {})
    
        _headers = case_insensitive_dict(kwargs.pop("headers", {}) or {})
        _params = kwargs.pop("params", {}) or {}
    
        content_type: Optional[str] = kwargs.pop("content_type", _headers.pop("Content-Type", None))
        cls: ClsType[Iterator[bytes]] = kwargs.pop("cls", None)
    
        content_type = content_type or "application/json"
        _content = None
        if isinstance(config_store_creation_parameters, (IOBase, bytes)):
            _content = config_store_creation_parameters
        else:
            _content = json.dumps(config_store_creation_parameters, cls=SdkJSONEncoder, exclude_readonly=True)  # type: ignore
    
        _request = build_configuration_stores_create_request(
            resource_group_name=resource_group_name,
            config_store_name=config_store_name,
            subscription_id=self._config.subscription_id,
            content_type=content_type,
            api_version=self._config.api_version,
            content=_content,
            headers=_headers,
            params=_params,
        )
        path_format_arguments = {
            "endpoint": self._serialize.url("self._config.base_url", self._config.base_url, "str", skip_quote=True),
        }
        _request.url = self._client.format_url(_request.url, **path_format_arguments)
    
        _decompress = kwargs.pop("decompress", True)
        _stream = True
        pipeline_response: PipelineResponse = self._client._pipeline.run(  # pylint: disable=protected-access
            _request, stream=_stream, **kwargs
        )
    
        response = pipeline_response.http_response
    
        if response.status_code not in [200, 201]:
            try:
                response.read()  # Load the body in memory and close the socket
            except (StreamConsumedError, StreamClosedError):
                pass
            map_error(status_code=response.status_code, response=response, error_map=error_map)
            error = _failsafe_deserialize(
                _models.ErrorResponse,
                response,
            )
>           raise HttpResponseError(response=response, model=error, error_format=ARMErrorFormat)
E           azure.core.exceptions.HttpResponseError: (RequestDisallowedByPolicy) Resource 'CredentialTest000002' was disallowed by policy. Reasons: 'Local authentication must be disabled on App Configuration stores. Use Microsoft Entra ID for authentication instead.'. See error details for policy resource IDs.
E           Code: RequestDisallowedByPolicy
E           Message: Resource 'CredentialTest000002' was disallowed by policy. Reasons: 'Local authentication must be disabled on App Configuration stores. Use Microsoft Entra ID for authentication instead.'. See error details for policy resource IDs.
E           Target: CredentialTest000002
E           Additional Information:Type: PolicyViolation
E           Info: {
E               "evaluationDetails": {
E                   "evaluatedExpressions": [
E                       {
E                           "result": "True",
E                           "expressionKind": "Value",
E                           "expression": "all",
E                           "expressionValue": "all",
E                           "targetValue": [
E                               "all"
E                           ],
E                           "operator": "In"
E                       },
E                       {
E                           "result": "True",
E                           "expressionKind": "Field",
E                           "expression": "type",
E                           "path": "type",
E                           "expressionValue": "Microsoft.AppConfiguration/configurationStores",
E                           "targetValue": "Microsoft.AppConfiguration/configurationStores",
E                           "operator": "Equals"
E                       },
E                       {
E                           "result": "True",
E                           "expressionKind": "Field",
E                           "expression": "Microsoft.AppConfiguration/configurationStores/disableLocalAuth",
E                           "path": "properties.disableLocalAuth",
E                           "targetValue": "False",
E                           "operator": "Exists"
E                       }
E                   ],
E                   "reason": "Local authentication must be disabled on App Configuration stores. Use Microsoft Entra ID for authentication instead."
E               },
E               "policyDefinitionId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/628fedbf-e261-5d9d-9880-97d5b2a0226e",
E               "policyDefinitionName": "628fedbf-e261-5d9d-9880-97d5b2a0226e",
E               "policyDefinitionDisplayName": "[AppConfig] Disable local authentication on App Configuration stores",
E               "policyDefinitionVersion": "1.0.0",
E               "policyDefinitionEffect": "deny",
E               "policyAssignmentId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/67dfe9ff-974c-5e6b-bbf3-2b683b13c936",
E               "policyAssignmentName": "67dfe9ff-974c-5e6b-bbf3-2b683b13c936",
E               "policyAssignmentDisplayName": "[AppConfig] Disable local authentication on App Configuration stores",
E               "policyAssignmentScope": "/subscriptions/00000000-0000-0000-0000-000000000000",
E               "policyAssignmentParameters": {
E                   "enforcedRegionsString": "all",
E                   "effect": "deny"
E               },
E               "policyExemptionIds": [],
E               "policyEnrollmentIds": []
E           }

env/lib/python3.12/site-packages/azure/mgmt/appconfiguration/operations/_operations.py:1140: HttpResponseError
azure/cli/command_modules/appconfig/tests/latest/test_appconfig_credential_commands.py:18
Failed test_azconfig_identity The error message is too long, please check the pipeline log for details. azure/cli/command_modules/appconfig/tests/latest/test_appconfig_identity_commands.py:17
Failed test_azconfig_snapshot_filtering The error message is too long, please check the pipeline log for details. azure/cli/command_modules/appconfig/tests/latest/test_appconfig_snapshot_commands.py:182
Failed test_azconfig_snapshot_mgmt The error message is too long, please check the pipeline log for details. azure/cli/command_modules/appconfig/tests/latest/test_appconfig_snapshot_commands.py:22
❌3.14
Type Test Case Error Message Line
Failed test_get_appconfig_data_client_falls_back_to_endpoint_when_cloud_has_no_audience self = <azure.cli.command_modules.appconfig.tests.latest.test_appconfig_aad_auth.AppConfigAadAuthUnitTest testMethod=test_get_appconfig_data_client_falls_back_to_endpoint_when_cloud_has_no_audience>
profile_cls_mock = <MagicMock name='Profile' id='139875361600048'>
get_active_cloud_mock = <MagicMock name='get_active_cloud' id='139875361595680'>
appconfig_credential_cls_mock = <MagicMock name='AppConfigurationCliCredential' id='139875361593328'>
appconfig_client_cls_mock = <MagicMock name='AzureAppConfigurationClient' id='139875361592992'>

    @mock.patch('azure.cli.command_modules.appconfig.utils.AzureAppConfigurationClient')
    @mock.patch('azure.cli.command_modules.appconfig.credential.AppConfigurationCliCredential')
    @mock.patch('azure.cli.core.cloud.get_active_cloud')
    @mock.patch('azure.cli.core.profile.Profile')
    def test_get_appconfig_data_client_falls_back_to_endpoint_when_cloud_has_no_audience(
            self,
            profile_cls_mock,
            get_active_cloud_mock,
            appconfig_credential_cls_mock,
            appconfig_client_cls_mock):
        endpoint = 'https://contoso.azconfig.io'
        command = mock.MagicMock()
        command.cli_ctx = DummyCli()
    
        token_credential = object()
        profile_cls_mock.return_value.get_login_credentials.return_value = (token_credential, None, None)
        get_active_cloud_mock.return_value = SimpleNamespace(endpoints=SimpleNamespace())
    
        get_appconfig_data_client(
            command,
            name=None,
            connection_string=None,
            auth_mode='login',
            endpoint=endpoint)
    
        appconfig_credential_cls_mock.assert_called_once_with(token_credential, endpoint)
>       appconfig_client_cls_mock.assert_called_once_with(
            credential=appconfig_credential_cls_mock.return_value,
            base_url=endpoint,
            user_agent=mock.ANY)

src/azure-cli/azure/cli/command_modules/appconfig/tests/latest/test_appconfig_aad_auth.py:93: 
 
 
                                      
/opt/hostedtoolcache/Python/3.14.2/x64/lib/python3.14/unittest/mock.py:997: in assert_called_once_with
    return self.assert_called_with(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                                       _ 

self = <MagicMock name='AzureAppConfigurationClient' id='139875361592992'>
args = ()
kwargs = {'credential': <MagicMock name='AppConfigurationCliCredential()' id='139875361590304'>, 'base_url': 'https://contoso.azconfig.io',&nbsp;'user_agent': }

    def assert_called_with(self, /, *args, **kwargs):
        """assert that the last call was made with the specified arguments.
    
        Raises an AssertionError if the args and keyword args passed in are
        different to the last call to the mock."""
        if self.call_args is None:
            expected = self._format_mock_call_signature(args, kwargs)
            actual = 'not called.'
            error_message = ('expected call not found.\nExpected: %s\n  Actual: %s'
                    % (expected, actual))
            raise AssertionError(error_message)
    
        def _error_message():
            msg = self._format_mock_failure_message(args, kwargs)
            return msg
        expected = self._call_matcher(_Call((args, kwargs), two=True))
        actual = self._call_matcher(self.call_args)
        if actual != expected:
            cause = expected if isinstance(expected, Exception) else None
>           raise AssertionError(_error_message()) from cause
E           AssertionError: expected call not found.
E           Expected: AzureAppConfigurationClient(credential=<MagicMock name='AppConfigurationCliCredential()' id='139875361590304'>, base_url='https://contoso.azconfig.io',&nbsp;user_agent=)
E             Actual: AzureAppConfigurationClient(credential=<MagicMock name='AppConfigurationCliCredential()' id='139875361590304'>, base_url='https://contoso.azconfig.io',&nbsp;user_agent='AZURECLI.APPCONFIG/2.88.0',&nbsp;retry_policy=<azure.core.pipeline.policies._retry.RetryPolicy object at 0x7f37453d8d70>)

/opt/hostedtoolcache/Python/3.14.2/x64/lib/python3.14/unittest/mock.py:985: AssertionError
azure/cli/command_modules/appconfig/tests/latest/test_appconfig_aad_auth.py:66
Failed test_azconfig_credential self = <azure.cli.testsdk.base.ExecutionResult object at 0x7f3744001940>
cli_ctx = <azure.cli.core.mock.DummyCli object at 0x7f374572a5d0>
command = 'appconfig create -n CredentialTest000002 -g clitest.rg000001 -l eastus --sku standard --retention-days 1 --disable-local-auth true'
expect_failure = False

    def in_process_execute(self, cli_ctx, command, expect_failure=False):
        from io import StringIO
        from vcr.errors import CannotOverwriteExistingCassetteException
    
        if command.startswith('az '):
            command = command[3:]
    
        stdout_buf = StringIO()
        logging_buf = StringIO()
        try:
            # issue: stderr cannot be redirect in this form, as a result some failure information
            # is lost when command fails.
>           self.exit_code = cli_ctx.invoke(shlex.split(command), out_file=stdout_buf) or 0
                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

src/azure-cli-testsdk/azure/cli/testsdk/base.py:303: 
                                        
env/lib/python3.14/site-packages/knack/cli.py:245: in invoke
    exit_code = self.exception_handler(ex)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/init.py:153: in exception_handler
    return handle_exception(ex)
           ^^^^^^^^^^^^^^^^^^^^
                                        

ex = HttpResponseError('(RequestDisallowedByPolicy) Resource 'CredentialTest000002' was disallowed by policy. Reasons: '...onsString": "all",\n        "effect": "deny"\n    },\n    "policyExemptionIds": [],\n    "policyEnrollmentIds": []\n}')
args = (), kwargs = {}

    def handle_main_exception(ex, *args, **kwargs):  # pylint: disable=unused-argument
        if isinstance(ex, CannotOverwriteExistingCassetteException):
            # This exception usually caused by a no match HTTP request. This is a product error
            # that is caused by change of SDK invocation.
            raise ex
    
>       raise CliExecutionError(ex)
E       azure.cli.testsdk.exceptions.CliExecutionError: The CLI throws exception HttpResponseError during execution and fails the command.

src/azure-cli-testsdk/azure/cli/testsdk/patches.py:35: CliExecutionError

During handling of the above exception, another exception occurred:

self = <azure.cli.command_modules.appconfig.tests.latest.test_appconfig_credential_commands.AppConfigCredentialScenarioTest testMethod=test_azconfig_credential>
resource_group = 'clitest.rg000001', location = 'eastus'

    @AllowLargeResponse()
    @ResourceGroupPreparer(parameter_name_for_location='location')
    def test_azconfig_credential(self, resource_group, location):
        credential_store_prefix = get_resource_name_prefix('CredentialTest')
        config_store_name = self.create_random_name(prefix=credential_store_prefix, length=24)
    
        location = 'eastus'
        sku = 'standard'
        self.kwargs.update({
            'config_store_name': config_store_name,
            'rg_loc': location,
            'rg': resource_group,
            'sku': sku
        })
    
>       create_config_store(self, self.kwargs, disable_local_auth=True)

src/azure-cli/azure/cli/command_modules/appconfig/tests/latest/test_appconfig_credential_commands.py:34: 
 
                                       
src/azure-cli/azure/cli/command_modules/appconfig/tests/latest/test_utils.py:21: in create_config_store
    test.cmd(command)
src/azure-cli-testsdk/azure/cli/testsdk/base.py:177: in cmd
    return execute(self.cli_ctx, command, expect_failure=expect_failure).assert_with_checks(checks)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-testsdk/azure/cli/testsdk/base.py:252: in init
    self.in_process_execute(cli_ctx, command, expect_failure=expect_failure)
src/azure-cli-testsdk/azure/cli/testsdk/base.py:315: in in_process_execute
    raise ex.exception
env/lib/python3.14/site-packages/knack/cli.py:233: in invoke
    cmd_result = self.invocation.execute(args)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/init.py:677: in execute
    raise ex
src/azure-cli-core/azure/cli/core/commands/init.py:820: in run_jobs_serially
    results.append(self.run_job(expanded_arg, cmd_copy))
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/init.py:789: in run_job
    result = cmd_copy(params)
             ^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/init.py:335: in call
    return self.handler(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/command_operation.py:120: in handler
    return op(**command_args)
           ^^^^^^^^^^^^^^^^^^
src/azure-cli/azure/cli/command_modules/appconfig/custom.py:108: in create_configstore
    config_store = client.begin_create(resource_group_name, name, configstore_params)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.14/site-packages/azure/core/tracing/decorator.py:119: in wrapper_use_tracer
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.14/site-packages/azure/mgmt/appconfiguration/operations/operations.py:1274: in begin_create
    raw_result = self.create_initial(
 
 
 
 
 
 
 
                                 

self = <azure.mgmt.appconfiguration.operations._operations.ConfigurationStoresOperations object at 0x7f374430c050>
resource_group_name = 'clitest.rg000001'
config_store_name = 'CredentialTest000002'
config_store_creation_parameters = {'location': 'eastus', 'sku': {'name': 'Standard'}, 'properties': {'dataPlaneProxy': {}, 'disableLocalAuth': True, 'softDeleteRetentionInDays': 1, 'createMode': 'Default'}}
kwargs = {}

    def _create_initial(
        self,
        resource_group_name: str,
        config_store_name: str,
        config_store_creation_parameters: Union[_models.ConfigurationStore, JSON, IO[bytes]],
        **kwargs: Any
    ) -> Iterator[bytes]:
        error_map: MutableMapping = {
            401: ClientAuthenticationError,
            404: ResourceNotFoundError,
            409: ResourceExistsError,
            304: ResourceNotModifiedError,
        }
        error_map.update(kwargs.pop("error_map", {}) or {})
    
        _headers = case_insensitive_dict(kwargs.pop("headers", {}) or {})
        _params = kwargs.pop("params", {}) or {}
    
        content_type: Optional[str] = kwargs.pop("content_type", _headers.pop("Content-Type", None))
        cls: ClsType[Iterator[bytes]] = kwargs.pop("cls", None)
    
        content_type = content_type or "application/json"
        _content = None
        if isinstance(config_store_creation_parameters, (IOBase, bytes)):
            _content = config_store_creation_parameters
        else:
            _content = json.dumps(config_store_creation_parameters, cls=SdkJSONEncoder, exclude_readonly=True)  # type: ignore
    
        _request = build_configuration_stores_create_request(
            resource_group_name=resource_group_name,
            config_store_name=config_store_name,
            subscription_id=self._config.subscription_id,
            content_type=content_type,
            api_version=self._config.api_version,
            content=_content,
            headers=_headers,
            params=_params,
        )
        path_format_arguments = {
            "endpoint": self._serialize.url("self._config.base_url", self._config.base_url, "str", skip_quote=True),
        }
        _request.url = self._client.format_url(_request.url, **path_format_arguments)
    
        _decompress = kwargs.pop("decompress", True)
        _stream = True
        pipeline_response: PipelineResponse = self._client._pipeline.run(  # pylint: disable=protected-access
            _request, stream=_stream, **kwargs
        )
    
        response = pipeline_response.http_response
    
        if response.status_code not in [200, 201]:
            try:
                response.read()  # Load the body in memory and close the socket
            except (StreamConsumedError, StreamClosedError):
                pass
            map_error(status_code=response.status_code, response=response, error_map=error_map)
            error = _failsafe_deserialize(
                _models.ErrorResponse,
                response,
            )
>           raise HttpResponseError(response=response, model=error, error_format=ARMErrorFormat)
E           azure.core.exceptions.HttpResponseError: (RequestDisallowedByPolicy) Resource 'CredentialTest000002' was disallowed by policy. Reasons: 'Local authentication must be disabled on App Configuration stores. Use Microsoft Entra ID for authentication instead.'. See error details for policy resource IDs.
E           Code: RequestDisallowedByPolicy
E           Message: Resource 'CredentialTest000002' was disallowed by policy. Reasons: 'Local authentication must be disabled on App Configuration stores. Use Microsoft Entra ID for authentication instead.'. See error details for policy resource IDs.
E           Target: CredentialTest000002
E           Additional Information:Type: PolicyViolation
E           Info: {
E               "evaluationDetails": {
E                   "evaluatedExpressions": [
E                       {
E                           "result": "True",
E                           "expressionKind": "Value",
E                           "expression": "all",
E                           "expressionValue": "all",
E                           "targetValue": [
E                               "all"
E                           ],
E                           "operator": "In"
E                       },
E                       {
E                           "result": "True",
E                           "expressionKind": "Field",
E                           "expression": "type",
E                           "path": "type",
E                           "expressionValue": "Microsoft.AppConfiguration/configurationStores",
E                           "targetValue": "Microsoft.AppConfiguration/configurationStores",
E                           "operator": "Equals"
E                       },
E                       {
E                           "result": "True",
E                           "expressionKind": "Field",
E                           "expression": "Microsoft.AppConfiguration/configurationStores/disableLocalAuth",
E                           "path": "properties.disableLocalAuth",
E                           "targetValue": "False",
E                           "operator": "Exists"
E                       }
E                   ],
E                   "reason": "Local authentication must be disabled on App Configuration stores. Use Microsoft Entra ID for authentication instead."
E               },
E               "policyDefinitionId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/628fedbf-e261-5d9d-9880-97d5b2a0226e",
E               "policyDefinitionName": "628fedbf-e261-5d9d-9880-97d5b2a0226e",
E               "policyDefinitionDisplayName": "[AppConfig] Disable local authentication on App Configuration stores",
E               "policyDefinitionVersion": "1.0.0",
E               "policyDefinitionEffect": "deny",
E               "policyAssignmentId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/67dfe9ff-974c-5e6b-bbf3-2b683b13c936",
E               "policyAssignmentName": "67dfe9ff-974c-5e6b-bbf3-2b683b13c936",
E               "policyAssignmentDisplayName": "[AppConfig] Disable local authentication on App Configuration stores",
E               "policyAssignmentScope": "/subscriptions/00000000-0000-0000-0000-000000000000",
E               "policyAssignmentParameters": {
E                   "enforcedRegionsString": "all",
E                   "effect": "deny"
E               },
E               "policyExemptionIds": [],
E               "policyEnrollmentIds": []
E           }

env/lib/python3.14/site-packages/azure/mgmt/appconfiguration/operations/_operations.py:1140: HttpResponseError
azure/cli/command_modules/appconfig/tests/latest/test_appconfig_credential_commands.py:18
Failed test_azconfig_identity The error message is too long, please check the pipeline log for details. azure/cli/command_modules/appconfig/tests/latest/test_appconfig_identity_commands.py:17
Failed test_azconfig_snapshot_filtering The error message is too long, please check the pipeline log for details. azure/cli/command_modules/appconfig/tests/latest/test_appconfig_snapshot_commands.py:182
Failed test_azconfig_snapshot_mgmt The error message is too long, please check the pipeline log for details. azure/cli/command_modules/appconfig/tests/latest/test_appconfig_snapshot_commands.py:22
️✔️appservice
️✔️latest
️✔️3.12
️✔️3.14
️✔️aro
️✔️latest
️✔️3.12
️✔️3.14
️✔️backup
️✔️latest
️✔️3.12
️✔️3.14
️✔️batch
️✔️latest
️✔️3.12
️✔️3.14
️✔️batchai
️✔️latest
️✔️3.12
️✔️3.14
️✔️billing
️✔️latest
️✔️3.12
️✔️3.14
️✔️botservice
️✔️latest
️✔️3.12
️✔️3.14
️✔️cloud
️✔️latest
️✔️3.12
️✔️3.14
️✔️cognitiveservices
️✔️latest
️✔️3.12
️✔️3.14
️✔️compute_recommender
️✔️latest
️✔️3.12
️✔️3.14
️✔️computefleet
️✔️latest
️✔️3.12
️✔️3.14
️✔️config
️✔️latest
️✔️3.12
️✔️3.14
️✔️configure
️✔️latest
️✔️3.12
️✔️3.14
️✔️consumption
️✔️latest
️✔️3.12
️✔️3.14
️✔️container
️✔️latest
️✔️3.12
️✔️3.14
️✔️containerapp
️✔️latest
️✔️3.12
️✔️3.14
️✔️core
️✔️latest
️✔️3.12
️✔️3.14
️✔️cosmosdb
️✔️latest
️✔️3.12
️✔️3.14
️✔️databoxedge
️✔️latest
️✔️3.12
️✔️3.14
️✔️dls
️✔️latest
️✔️3.12
️✔️3.14
️✔️dms
️✔️latest
️✔️3.12
️✔️3.14
️✔️eventgrid
️✔️latest
️✔️3.12
️✔️3.14
️✔️eventhubs
️✔️latest
️✔️3.12
️✔️3.14
️✔️feedback
️✔️latest
️✔️3.12
️✔️3.14
️✔️find
️✔️latest
️✔️3.12
️✔️3.14
️✔️hdinsight
️✔️latest
️✔️3.12
️✔️3.14
️✔️identity
️✔️latest
️✔️3.12
️✔️3.14
️✔️iot
️✔️latest
️✔️3.12
️✔️3.14
️✔️keyvault
️✔️latest
️✔️3.12
️✔️3.14
️✔️lab
️✔️latest
️✔️3.12
️✔️3.14
️✔️managedservices
️✔️latest
️✔️3.12
️✔️3.14
️✔️maps
️✔️latest
️✔️3.12
️✔️3.14
️✔️marketplaceordering
️✔️latest
️✔️3.12
️✔️3.14
️✔️monitor
️✔️latest
️✔️3.12
️✔️3.14
️✔️mysql
️✔️latest
️✔️3.12
️✔️3.14
️✔️netappfiles
️✔️latest
️✔️3.12
️✔️3.14
️✔️network
️✔️latest
️✔️3.12
️✔️3.14
️✔️policyinsights
️✔️latest
️✔️3.12
️✔️3.14
️✔️postgresql
️✔️latest
️✔️3.12
️✔️3.14
️✔️privatedns
️✔️latest
️✔️3.12
️✔️3.14
️✔️profile
️✔️latest
️✔️3.12
️✔️3.14
️✔️rdbms
️✔️latest
️✔️3.12
️✔️3.14
️✔️redis
️✔️latest
️✔️3.12
️✔️3.14
️✔️relay
️✔️latest
️✔️3.12
️✔️3.14
️✔️resource
️✔️latest
️✔️3.12
️✔️3.14
️✔️role
️✔️latest
️✔️3.12
️✔️3.14
️✔️search
️✔️latest
️✔️3.12
️✔️3.14
️✔️security
️✔️latest
️✔️3.12
️✔️3.14
️✔️servicebus
️✔️latest
️✔️3.12
️✔️3.14
️✔️serviceconnector
️✔️latest
️✔️3.12
️✔️3.14
️✔️servicefabric
️✔️latest
️✔️3.12
️✔️3.14
️✔️signalr
️✔️latest
️✔️3.12
️✔️3.14
️✔️sql
️✔️latest
️✔️3.12
️✔️3.14
️✔️sqlvm
️✔️latest
️✔️3.12
️✔️3.14
️✔️storage
️✔️latest
️✔️3.12
️✔️3.14
️✔️synapse
️✔️latest
️✔️3.12
️✔️3.14
️✔️telemetry
️✔️latest
️✔️3.12
️✔️3.14
️✔️util
️✔️latest
️✔️3.12
️✔️3.14
️✔️vm
️✔️latest
️✔️3.12
️✔️3.14

@azure-client-tools-bot-prd

Copy link
Copy Markdown

Hi @mrm9084,
Since the current milestone time is less than 7 days, this pr will be reviewed in the next milestone.

@azure-client-tools-bot-prd

azure-client-tools-bot-prd Bot commented May 18, 2026

Copy link
Copy Markdown
️✔️AzureCLI-BreakingChangeTest
️✔️Non Breaking Changes

@yonzhan

yonzhan commented May 18, 2026

Copy link
Copy Markdown
Collaborator

Thank you for your contribution! We will review the pull request and get back to you soon.

@github-actions

Copy link
Copy Markdown

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR.

Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
After that please run the following commands to enable git hooks:

pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR prepares az appconfig for azure-appconfiguration 1.8.0 by changing AAD login auth to provide an audience when the active cloud does not define one.

Changes:

  • Bumps azure-appconfiguration dependency in setup metadata to ~=1.8.0.
  • Falls back to using the App Configuration endpoint as the token audience.
  • Updates an AAD auth live test assertion for the new audience behavior.

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 3 comments.

File Description
src/azure-cli/setup.py Updates the App Configuration SDK dependency version.
src/azure-cli/azure/cli/command_modules/appconfig/_utils.py Adds endpoint fallback for App Configuration token audience selection.
src/azure-cli/azure/cli/command_modules/appconfig/tests/latest/test_appconfig_aad_auth.py Updates the expected credential audience in the live AAD auth scenario.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/azure-cli/setup.py
Comment thread src/azure-cli/azure/cli/command_modules/appconfig/_utils.py
@yonzhan yonzhan assigned yanzhudd and unassigned zhoxing-ms May 18, 2026
@jimmyca15

Copy link
Copy Markdown
Member

The PR title should probably also mention the sdk version update

@mrm9084

mrm9084 commented May 21, 2026

Copy link
Copy Markdown
Member Author

@VeryEarly can you review this so we can get it merged.

@mrm9084

mrm9084 commented Jun 4, 2026

Copy link
Copy Markdown
Member Author

@VeryEarly can you review this?

Pan-Qi
Pan-Qi previously approved these changes Jun 5, 2026
@mrm9084

mrm9084 commented Jun 12, 2026

Copy link
Copy Markdown
Member Author

@VeryEarly can you please review this PR?

@yanzhudd yanzhudd removed their assignment Jun 29, 2026
@yanzhudd

Copy link
Copy Markdown
Contributor

/azp run

@azure-pipelines

Copy link
Copy Markdown
Azure Pipelines successfully started running 3 pipeline(s).

necusjz
necusjz previously approved these changes Jun 30, 2026
@mrm9084 mrm9084 requested review from a team as code owners June 30, 2026 17:36
@mrm9084

mrm9084 commented Jun 30, 2026

Copy link
Copy Markdown
Member Author

/azp run

@azure-pipelines

Copy link
Copy Markdown
Commenter does not have sufficient privileges for PR 33393 in repo Azure/azure-cli

@yonzhan

yonzhan commented Jul 1, 2026

Copy link
Copy Markdown
Collaborator

/azp run

@azure-pipelines

Copy link
Copy Markdown
Azure Pipelines successfully started running 3 pipeline(s).

@mrm9084 mrm9084 dismissed stale reviews from necusjz and Pan-Qi via 05b462e July 6, 2026 17:51
@VeryEarly

Copy link
Copy Markdown

/azp run

@azure-pipelines

Copy link
Copy Markdown
Azure Pipelines:
Successfully started running 3 pipeline(s).

Comment thread src/azure-cli-testsdk/azure/cli/testsdk/scenario_tests/base.py Outdated
@VeryEarly

Copy link
Copy Markdown

/azp run

@azure-pipelines

Copy link
Copy Markdown
Azure Pipelines:
Successfully started running 3 pipeline(s).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

9 participants