AzureDeveloperCliCredential: parse new auth error formats#49271

Open
JeffreyCA wants to merge 2 commits into Azure:main from JeffreyCA:jeffreyca/azd-cred-err-parse

Conversation

@JeffreyCA

Fixes Azure/azure-dev#8039

Related:

Description

Starting with azd v1.23.7, azd auth token changed its stderr error format from the legacy consoleMessage JSON to a structured {"error":"..."} JSON object. The stderr output may also include an extraneous empty consoleMessage line preceding the error (fixed in v1.24.0 via Azure/azure-dev#7701).

This PR updates AzureDeveloperCliCredential error parsing to handle all three formats:

| azd version | stderr format |
| --- | --- |
| pre-v1.23.7 | `{"type":"consoleMessage","data":{"message":"..."}}` |
| v1.23.7 – v1.23.15 | `{"type":"consoleMessage",...}\n{"error":"..."}` (two lines) |
| v1.24.0+ | `{"error":"..."}` (single line) |

The parsed message is also used for downstream exception classification, so structured AAD failures (e.g. invalid_tenant, AADSTS*) now correctly surface as ClientAuthenticationException instead of being misclassified as CredentialUnavailableException due to the azd auth login text embedded in the suggestion field.

Testing

Added unit tests in IdentityClientTests.java covering each format, the error-over-consoleMessage precedence, and the multi-line legacy fallback. Existing tests for the legacy format and downstream error classification (login-required, AADSTS, etc.) continue to pass.

Validated manually against multiple versions of azd with a small test program that calls getTokenSync on an AzureDeveloperCliCredential instance with an invalid tenant ID:

Without changes - v1.23.6:

Caught exception type: com.azure.core.exception.ClientAuthenticationException
Caught exception message:
{"type":"consoleMessage","timestamp":"2026-05-26T14:26:03.0072801-07:00","data":{"message":"\nERROR: fetching token: failed to authenticate:\n(invalid_tenant) AADSTS900021: Requested tenant identifier '00000000-0000-0000-0000-000000000000' is not valid. Tenant identifiers may not be an empty GUID. Trace ID: a2d5bf3e-9d1c-4867-a2ba-7916880c0c00 Correlation ID: c28e0a03-6544-425a-9fd0-fdd2229b10d1 Timestamp: 2026-05-26 21:25:59Z\n\n"}}

Without changes - v1.23.7 and above:

Caught exception type: com.azure.identity.CredentialUnavailableException
Caught exception message:
AzureDeveloperCliCredential authentication unavailable. Please run 'azd auth login' to set up account.

With changes - v1.23.6:

Caught exception type: com.azure.core.exception.ClientAuthenticationException
Caught exception message:
ERROR: fetching token: failed to authenticate:
(invalid_tenant) AADSTS900021: Requested tenant identifier '00000000-0000-0000-0000-000000000000' is not valid. Tenant identifiers may not be an empty GUID. Trace ID: <redacted> Correlation ID: <redacted> Timestamp: 2026-05-26 21:34:16Z

With changes - v1.23.7 and above:

Caught exception type: com.azure.core.exception.ClientAuthenticationException
Caught exception message:
(invalid_tenant) AADSTS900021: Requested tenant identifier '00000000-0000-0000-0000-000000000000' is not valid. Tenant identifiers may not be an empty GUID. Trace ID: <redacted> Correlation ID: <redacted> Timestamp: 2026-05-26 21:17:43Z

All SDK Contribution checklist:

  • The pull request does not introduce [breaking changes]
  • CHANGELOG is updated for new features, bug fixes or other significant changes.
  • I have read the contribution guidelines.

General Guidelines and Best Practices

  • Title of the pull request is clear and informative.
  • There are a small number of commits, each of which have an informative message. This means that previously merged commits do not appear in the history of the PR. For more information on cleaning up the commits in your PR, see this page.

Testing Guidelines

  • Pull request includes test coverage for the included changes.

Copilot AI left a comment

Pull request overview

Updates Azure Identity’s AzureDeveloperCliCredential integration to correctly parse and surface errors from newer Azure Developer CLI (azd) versions where stderr moved from legacy consoleMessage JSON to structured {"error":"..."} JSON, ensuring AAD failures are classified as authentication errors rather than “credential unavailable”.

Changes:

  • Updated azd stderr parsing to prefer the structured top-level error field, with fallback to the first non-empty legacy data.message.
  • Adjusted exception classification to dispatch based on the parsed message (avoiding suggestion text like azd auth login skewing classification).
  • Added/updated unit tests covering legacy, mixed, and structured azd error formats (including multi-object outputs).

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| sdk/identity/azure-identity/src/main/java/com/azure/identity/implementation/IdentityClientBase.java | Updates azd error parsing and exception dispatch to support structured error output and correct classification. |
| sdk/identity/azure-identity/src/test/java/com/azure/identity/implementation/IdentityClientTests.java | Expands and updates tests to cover new structured error formats and revised legacy precedence behavior. |
| sdk/identity/azure-identity/CHANGELOG.md | Documents the azd parsing fix and the corrected exception classification for structured AAD failures. |
Comments suppressed due to low confidence (1)

sdk/identity/azure-identity/CHANGELOG.md:17

  • The Unreleased notes now have two bullets describing improved AzureDeveloperCliCredential azd error message extraction (one under “Bugs Fixed” and another under “Other Changes”). Consider consolidating or rewording to avoid redundant/possibly confusing release notes for the same behavior change.
- Fixed `AzureDeveloperCliCredential` error parsing for Azure Developer CLI v1.23.7 and later, which previously surfaced the friendly wrapper "Authentication with Azure failed." instead of the underlying error text. The parser now prefers the structured top-level `error` field while preserving fallback behavior for older `consoleMessage` output.
- Structured AAD failures from `azd` (e.g. `invalid_tenant`, `AADSTS*`) now surface as `ClientAuthenticationException` rather than being misclassified as `CredentialUnavailableException`.
- Disabled MSAL's internal retry for Confidential Client, Managed Identity and Public Client Applications.

### Other Changes

- Improved `AzureDeveloperCliCredential` error handling to extract meaningful messages from `azd auth token` JSON output, providing cleaner error messages to users.

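The parsing and classification rules described in the PR description (prefer a top-level `error` field, fall back to the first non-empty legacy `data.message`, then classify on the parsed text rather than on the whole stderr) and restated in the review summary above, modelled as an added Python example. This is not the azure-identity Java code and not azd's output; the three stderr samples are constructed to match the formats in the PR's table, the timestamp and tenant GUID are placeholders, and three details are assumptions: that the `suggestion` text containing `azd auth login` sits as a sibling key of `error` in the structured object, that an unparseable stderr maps to "credential unavailable", and that the substring `azd auth login` is the marker for a login-required failure.

```python
"""Model of the azd stderr parsing and error classification described in this PR.
Added example, not the azure-identity SDK's code; all sample lines are constructed."""
import json
from typing import Optional

# Constructed AAD failure text, shaped like the AADSTS900021 message quoted in the PR.
AADSTS_TEXT = (
    "(invalid_tenant) AADSTS900021: Requested tenant identifier "
    "'00000000-0000-0000-0000-000000000000' is not valid. "
    "Tenant identifiers may not be an empty GUID."
)
# Assumption: the login hint azd emits lives in a 'suggestion' field next to 'error'.
LOGIN_HINT = "Run 'azd auth login' to sign in."


def legacy_line(message: str) -> str:
    """Pre-v1.23.7 format: one consoleMessage JSON object per line."""
    return json.dumps({"type": "consoleMessage", "timestamp": "2026-01-01T00:00:00Z",
                       "data": {"message": message}})


def structured_line(error: str, suggestion: Optional[str] = None) -> str:
    """v1.23.7+ format: a top-level 'error' field (the 'suggestion' key is an assumption)."""
    obj = {"error": error}
    if suggestion:
        obj["suggestion"] = suggestion
    return json.dumps(obj)


# Constructed samples, one per row of the PR's version table.
SAMPLE_PRE_1_23_7 = legacy_line("\nERROR: fetching token: failed to authenticate:\n" + AADSTS_TEXT + "\n\n")
SAMPLE_1_23_7_TO_15 = legacy_line("") + "\n" + structured_line(AADSTS_TEXT, LOGIN_HINT)
SAMPLE_1_24_PLUS = structured_line(AADSTS_TEXT, LOGIN_HINT)
# Multi-line legacy output whose first message is blank: the fallback must skip it.
SAMPLE_LEGACY_MULTI = legacy_line("") + "\n" + legacy_line("ERROR: " + AADSTS_TEXT)


def extract_azd_error(stderr: str) -> Optional[str]:
    """Return the most useful error text from azd's stderr.

    A non-empty top-level 'error' field wins over any consoleMessage line, whatever
    the line order; otherwise the first non-empty legacy data.message is used;
    None when neither is present.
    """
    legacy_fallback = None
    for raw in stderr.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON noise instead of failing the whole parse
        if not isinstance(obj, dict):
            continue
        error = obj.get("error")
        if isinstance(error, str) and error.strip():
            return error.strip()
        data = obj.get("data")
        if legacy_fallback is None and isinstance(data, dict):
            message = data.get("message")
            if isinstance(message, str) and message.strip():
                legacy_fallback = message.strip()
    return legacy_fallback


def classify(message: Optional[str]) -> str:
    """Name of the exception to raise, decided on the parsed message only.

    Assumption: no usable message, or an explicit login prompt, means the
    credential is unavailable; anything else is an authentication failure.
    """
    if message is None or "azd auth login" in message.lower():
        return "CredentialUnavailableException"
    return "ClientAuthenticationException"


def classify_on_raw_stderr(stderr: str) -> str:
    """Pre-fix behaviour as modelled here (not the SDK's code): the login check runs
    over the whole stderr, so a suggestion containing 'azd auth login' wins even
    when the error itself is an AADSTS failure."""
    if "azd auth login" in stderr.lower():
        return "CredentialUnavailableException"
    return "ClientAuthenticationException"


if __name__ == "__main__":
    for name, sample in [("pre-v1.23.7", SAMPLE_PRE_1_23_7),
                         ("v1.23.7-v1.23.15", SAMPLE_1_23_7_TO_15),
                         ("v1.24.0+", SAMPLE_1_24_PLUS)]:
        msg = extract_azd_error(sample)
        print(f"{name}: raw-stderr={classify_on_raw_stderr(sample)} parsed={classify(msg)}")
        print("   message:", (msg or "").splitlines()[-1])
```

For the two structured samples `classify_on_raw_stderr` reports `CredentialUnavailableException` while `classify` on the extracted text reports `ClientAuthenticationException`, which is the misclassification the PR describes; the legacy sample is classified the same way by both paths because it carries no login hint.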
Development

Successfully merging this pull request may close these issues.

Update AzureDeveloperCLICredential error message parsing in azure-sdk-for-java