az acr login always requested AAD tokens with https://containerregistry.azure.net as the audience. Local IDPs (e.g. ADFS on Azure Local) don't have this public resource registered, causing AADSTS50001 failures for any private-cloud registry.
Root cause: _resolve_acr_scope() unconditionally fell back to https://containerregistry.azure.net regardless of which cloud the CLI was targeting.
Changes:
_docker_utils.py: _resolve_acr_scope now accepts an optional login_server parameter. For clouds whose name is not in the set of known standard Azure clouds (AzureCloud, AzureChinaCloud, AzureUSGovernment, AzureGermanCloud, AzureBleuCloud), the audience is derived as https://<login_server> — matching what the local IDP has registered.
_get_aad_token_after_challenge passes login_server through to _resolve_acr_scope.
Explicit az config set acr.audience_resource=<value> override continues to take precedence over everything.
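Resolution order in _resolve_acr_scope:
1. acr.audience_resource config override (verbatim or expanded)
2. login_server provided → https://<login_server>
3. https://containerregistry.azure.net
Testing Guide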
On Azure Local (private cloud) with a local registry:
# Previously failed with AADSTS50001 "resource is disabled or does not exist"
az acr login --name myregistry.edgeacr.local.private --expose-token --output tsv --query accessToken
# Now correctly acquires token with audience https://myregistry.edgeacr.local.private
Public Azure registries are unaffected — cloud name AzureCloud stays on the existing audience.
History Notes
[ACR] az acr login: Fix incorrect AAD resource URL used for local/private registry token acquisition
This checklist is used to make sure that common guidelines for a pull request are followed.
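The resolution order from the description above, as an added Python example; it is not the code from _docker_utils.py. The function names, the cloud name MyPrivateCloud and the sample hosts are constructed for illustration, the override is returned verbatim only, and the login-server validation is an assumption of this example rather than behaviour stated in the PR.

```python
from urllib.parse import urlsplit

# Cloud names the PR description lists as standard Azure clouds.
STANDARD_CLOUDS = frozenset({
    "AzureCloud", "AzureChinaCloud", "AzureUSGovernment",
    "AzureGermanCloud", "AzureBleuCloud",
})
DEFAULT_AUDIENCE = "https://containerregistry.azure.net"


def normalize_login_server(login_server):
    """Return a bare lowercase host[:port], or raise ValueError.

    Assumption of this example: userinfo, paths, queries and non-https
    schemes are rejected so the derived audience is exactly the registry
    host and nothing else.
    """
    value = login_server.strip()
    if "://" not in value:
        value = "https://" + value
    parts = urlsplit(value)
    if parts.scheme != "https":
        raise ValueError("login server must use https")
    if parts.username or parts.password or parts.query or parts.fragment:
        raise ValueError("login server must be a bare host")
    if parts.path not in ("", "/"):
        raise ValueError("login server must not contain a path")
    host = parts.hostname  # urlsplit lowercases the host
    if not host or ":" in host:
        raise ValueError("login server must be a DNS host name")
    return f"{host}:{parts.port}" if parts.port else host


def resolve_audience(cloud_name, login_server=None, override=None):
    """Pick the token audience in the order the PR description gives."""
    # 1. Explicit acr.audience_resource override wins over everything.
    if override:
        return override
    # 2. Non-standard cloud with a login server: audience is the registry URL.
    if cloud_name not in STANDARD_CLOUDS and login_server:
        return "https://" + normalize_login_server(login_server)
    # 3. Otherwise keep the public ACR audience.
    return DEFAULT_AUDIENCE
```
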
Copilot AI changed the title from "[WIP] Fix Azure local regression for az acr login" to "[ACR] Fix Azure/azure-cli#33674: az acr login: Fix incorrect resource URL used for local/private registry token acquisition" on Jun 30, 2026
Live test results — azdev test --live --series (changed test files only)
✅ PASS
Selectors: test_acr_commands_mock (module); PR head ref: copilot/fix-azure-acr-login-regression; PR head sha: c5773c5d1333d6326b858cada5db570399fd6235; PR base ref: dev; New test files in PR: false

Live test results — azdev test --live --series (changed test files only)
✅ PASS
Selectors: test_acr_commands_mock (module); PR head ref: copilot/fix-azure-acr-login-regression; PR head sha: b7d590fd16ad5244a00710f0df5b30ace547781d; PR base ref: dev; New test files in PR: false

Live test results — azdev test --live --series (changed test files only)
✅ PASS
Selectors: test_acr_commands_mock (module); PR head ref: copilot/fix-azure-acr-login-regression; PR head sha: 1ece96d93751a4e3deeb7a5f037aabdbff4ad5f5; PR base ref: dev; New test files in PR: false

Live test results — azdev test --live --series (changed test files only)
✅ PASS
Selectors: test_acr_commands_mock (module); PR head ref: copilot/fix-azure-acr-login-regression; PR head sha: 81e313446801700f035e54686e5f719d9ab0a3a2; PR base ref: dev; New test files in PR: false

Live test results — azdev test --live --series (changed test files only)
✅ PASS
Selectors: test_acr_commands_mock (module); PR head ref: copilot/fix-azure-acr-login-regression; PR head sha: 845774d533acaae91723b74d56dcb0765ed0ef1d; PR base ref: dev; New test files in PR: false

Live test results — azdev test --live --series (changed test files only)
✅ PASS
Selectors: test_acr_commands_mock (module); PR head ref: copilot/fix-azure-acr-login-regression; PR head sha: 2077da1704b001f7ea6ea8b2572130f6e675ff1c; PR base ref: dev; New test files in PR: false

Live test results — azdev test --live --series (changed test files only)
✅ PASS
Selectors: test_acr_commands_mock (module); PR head ref: copilot/fix-azure-acr-login-regression; PR head sha: d98db5a554e6716e7fa0153c565819cc02a5c1e3; PR base ref: dev; New test files in PR: false
✅ Agent Review — Pass
All checks are green. Here's the summary:
| Gate | Result |
| --- | --- |
| CI checks (50/50) | ✅ Passed |
| Live test (azdev test --live) | ✅ Passed |
The fix looks good — CI and live tests both completed successfully with no failures. This PR is ready for maintainer review and merge.
Posted by agent-assist (autonomous bug-fix pipeline).
This checklist is used to make sure that common guidelines for a pull request are followed.
The PR title and description has followed the guideline in Submitting Pull Requests.
I adhere to the Command Guidelines.
I adhere to the Error Handling Guidelines.