Add azd auth status command

[Copilot]

Users had to discover azd auth login --check-status to check authentication status, which is unintuitive compared to CLIs like gh that use auth status subcommands.

Changes

• New command: azd auth status checks authentication status and displays user information
  • Supports --output json for structured output
  • Returns status success or unauthenticated with expiration time
  • Shows credential expiration time in both text and JSON output formats
  • No tenant or scope flags - checks current user's credentials only
• Backward compatibility: azd auth login --check-status continues to work unchanged
  • Updated to display credential expiration time for consistency with azd auth status
• Code quality improvements:
  • Extracted common status display logic into displayAuthStatus helper function to eliminate code duplication (DRY principle)
  • Added comprehensive unit tests for azd auth status command covering authenticated/unauthenticated scenarios, output formats, and error cases
  • Fixed misleading comments to accurately reflect command behavior

Usage

# New intuitive command
$ azd auth status
Not logged in, run `azd auth login` to login to Azure

# When logged in
$ azd auth status
Logged in to Azure as user@example.com

Credential expires on: 2024-01-15 10:30:45 UTC

# JSON output
$ azd auth status --output json
{
  "status": "unauthenticated"
}

# Or when logged in
$ azd auth status --output json
{
  "status": "success",
  "expiresOn": "2024-01-15T10:30:45Z"
}

# Old flag still works with same output
$ azd auth login --check-status
Logged in to Azure as user@example.com

Credential expires on: 2024-01-15 10:30:45 UTC

Implementation

Created auth_status.go with dedicated command registration in the auth command group. The command checks the current user's authentication status using default login scopes, without allowing tenant or scope overrides (since azd stores only one current user credential at a time). Both text and JSON output formats now include credential expiration information.

To ensure code maintainability, the status display logic was extracted into a shared displayAuthStatus helper function in util.go, which is used by both azd auth status and azd auth login --check-status commands. This eliminates code duplication and ensures consistency.

Added comprehensive unit tests in auth_status_test.go covering authenticated/unauthenticated users, JSON/text output formats, and error scenarios like ReLoginRequiredError and ErrNoCurrentUser.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[Issue] Consider adding azd auth status</issue_title>
<issue_description>I can check auth status like this

azd auth login --check-status

It took me a while to figure that out and needed help from the team.

It would be more intuitive to have

azd auth status

Like the gh cli: https://cli.github.com/manual/gh_auth</issue_description>

<agent_instructions>Please write as little code as possible to complete this task. Use the DRY principle and follow the style of the repo docs and maintainers here. </agent_instructions>

Comments on the Issue (you are @copilot in this section)

• Fixes [Issue] Consider adding azd auth status #2898

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[wbreza]

Love the idea - just have some open questions about the flags.
@copilot - Please review token caching and if we support multiple tokens with different tenants/scopes.

[Copilot]

Love the idea - just have some open questions about the flags.
@copilot - Please review token caching and if we support multiple tokens with different tenants/scopes.

Reviewed the auth system in commit bb9541f. The system stores a single "current user" credential (not multiple tokens). When CredentialForCurrentUser is called, it returns a credential that can fetch tokens on-demand with different scopes/tenants, but there's only one logged-in user at a time. The tenant-id and scope flags have been removed from azd auth status since they don't apply to status checking - the command now simply verifies the current user's credentials.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• aka.ms
  • Triggering command: ./azd ./azd auth status --help go1.25.5 -c=4 -nolocalimports -importcfg /tmp/go-build2490742591/b766/importcfg -pack /home/REDACTED/work/azure-dev/azure-dev/cli/azd/pkg/tools/git/git.go git remo�� formatters/html/-p pper_tool.go x_amd64/compile (dns block)
  • Triggering command: /home/REDACTED/work/azure-dev/azure-dev/cli/azd/azd /home/REDACTED/work/azure-dev/azure-dev/cli/azd/azd extension source add -n local -t file -l /home/REDACTED/work/azure-dev/azure-dev/cli/azd/extensions/registry.json --64 x_amd64/vet @v1.�� g_.a ache/go/1.25.5/x-ifaceassert x_amd64/vet /tmp/go-build249/opt/hostedtoolcache/go/1.25.5/x64/pkg/tool/linux_amd64/vet i/reflow/indent x86_64-linux-gnu-bool x_amd64/vet (dns block)
  • Triggering command: /home/REDACTED/work/azure-dev/azure-dev/cli/azd/azd /home/REDACTED/work/azure-dev/azure-dev/cli/azd/azd extension list --source local --output json x_amd64/vet . me/protoimpl --64 x_amd64/vet @v1.�� g_.a olang.org/grpc@v-ifaceassert x_amd64/vet --gdwarf-5 zd/pkg/azure -o x_amd64/vet (dns block)
• westus-0.in.applicationinsights.azure.com
  • Triggering command: /home/REDACTED/work/azure-dev/azure-dev/cli/azd/azd /home/REDACTED/work/azure-dev/azure-dev/cli/azd/azd telemetry upload x_amd64/vet -p g_.a -trimpath x_amd64/vet -I (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[Copilot]

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• aka.ms
  • Triggering command: ./azd ./azd auth status -goversion go1.25.5 -c=4 -nolocalimports -importcfg /tmp/go-build1303810283/b766/importcfg -pack /home/REDACTED/work/azure-dev/azure-dev/cli/azd/pkg/tools/git/git.go 09.o conf�� fips140/aes pper_tool.go as user.email internal/oauth/o-o (dns block)
  • Triggering command: ./azd ./azd auth login --check-status go1.25.5 -c=4 -nolocalimports -importcfg /tmp/go-build1303810283/b764/importcfg -pack /home/REDACTED/work/azure-dev/azure-dev/cli/azd/pkg/templates/awesome_source.go /home/REDACTED/work/azure-dev/azure-dev/cli/azd/pkg/templates/file_source.go conf�� 3810283/b114/_pk-p ha7i/8WcolSuzHy2github.com/fsnotify/fsnotify/internal 3810283/b114=> user.email nk (dns block)
  • Triggering command: /home/REDACTED/work/azure-dev/azure-dev/cli/azd/azd /home/REDACTED/work/azure-dev/azure-dev/cli/azd/azd telemetry upload -goversion go1.25.5 -c=4 -nolocalimports -importcfg /tmp/go-build1303810283/b765/importcfg -pack /home/REDACTED/work/azure-dev/azure-dev/cli/azd/pkg/github/remote.go u/13/cc1 conf�� fips140/aes CNhX/TGuM4eXS92-golang.org/x/text/internal/format s user.email 3810283/b077/ (dns block)
• westus-0.in.applicationinsights.azure.com
  • Triggering command: /home/REDACTED/work/azure-dev/azure-dev/cli/azd/azd /home/REDACTED/work/azure-dev/azure-dev/cli/azd/azd telemetry upload -goversion go1.25.5 -c=4 -nolocalimports -importcfg /tmp/go-build1303810283/b765/importcfg -pack /home/REDACTED/work/azure-dev/azure-dev/cli/azd/pkg/github/remote.go u/13/cc1 conf�� fips140/aes CNhX/TGuM4eXS92-golang.org/x/text/internal/format s user.email 3810283/b077/ (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[Copilot]

Pull request overview

This PR adds a new azd auth status command to provide a more intuitive way to check authentication status, replacing the previously required azd auth login --check-status flag. The implementation maintains backward compatibility while improving user experience by following CLI conventions used by tools like the GitHub CLI.

Key Changes

• New dedicated azd auth status command with support for both text and JSON output formats
• Enhanced credential expiration display in both azd auth status and azd auth login --check-status
• Updated command autocomplete and help documentation

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
cli/azd/cmd/auth_status.go	New command implementation with authentication status checking, credential verification, and output formatting
cli/azd/cmd/auth.go	Registers the new status subcommand under the auth command group with JSON and text output format support
cli/azd/cmd/auth_login.go	Updates --check-status flag behavior to display credential expiration time for consistency
cli/azd/cmd/testdata/TestUsage-azd-auth.snap	Adds status subcommand to auth command help output
cli/azd/cmd/testdata/TestUsage-azd-auth-status.snap	New snapshot test for auth status command help text
cli/azd/cmd/testdata/TestFigSpec.ts	Updates Fig autocomplete specification to include the new status subcommand

[JeffreyCA]

@copilot apply changes based on the comments in this thread

[JeffreyCA]

/azp run azure-dev - cli

[Copilot]

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• aka.ms
  • Triggering command: /home/REDACTED/work/azure-dev/azure-dev/cli/azd/azd /home/REDACTED/work/azure-dev/azure-dev/cli/azd/azd extension source add -n local -t file -l /home/REDACTED/work/azure-dev/azure-dev/cli/azd/extensions/registry.json -o x_amd64/vet rtcf�� IpqHkBKBg 64/src/encoding/-ifaceassert x_amd64/vet -I g/grpc/balancer/--norc -imultiarch x_amd64/vet (dns block)
  • Triggering command: /home/REDACTED/work/azure-dev/azure-dev/cli/azd/azd /home/REDACTED/work/azure-dev/azure-dev/cli/azd/azd extension list --source local --output json x_amd64/vet --gdwarf-5 ce/internal/x -o x_amd64/vet -E 2YPvgxQ14 om/!masterminds/-ifaceassert x_amd64/vet /server.go g/protobuf/inter--norc -imultiarch x_amd64/vet (dns block)
  • Triggering command: /home/REDACTED/work/azure-dev/azure-dev/cli/azd/azd /home/REDACTED/work/azure-dev/azure-dev/cli/azd/azd extension install azure.ai.agents --source local --version 0.1.3-preview -pthread noop -fmessage-length-bool x_amd64/vet -w 9XzwVZ338 -o/tmp/go-build8-ifaceassert x_amd64/vet base.go g/grpc/internal/--norc /tmp/go-build816--noprofile x_amd64/vet (dns block)
• westus-0.in.applicationinsights.azure.com
  • Triggering command: /home/REDACTED/work/azure-dev/azure-dev/cli/azd/azd /home/REDACTED/work/azure-dev/azure-dev/cli/azd/azd telemetry upload x_amd64/vet -w Fkbb9o_XW om/mitchellh/cop-ifaceassert x_amd64/vet -c /azure-sdk-for-g--norc /tmp/go-build816--noprofile x_amd64/vet -I e-dev/cli/azd/pkg/cosmosdb/cosmo-errorsas pkg/mod/github.com/!azure/azure--ifaceassert x_amd64/vet --gdwarf-5 pring/decimal -o x_amd64/vet (dns block)
  • Triggering command: /home/REDACTED/work/azure-dev/azure-dev/cli/azd/azd /home/REDACTED/work/azure-dev/azure-dev/cli/azd/azd telemetry upload x_amd64/vet -o DkaSV14Pe rg/x/crypto@v0.4-ifaceassert x_amd64/vet -p AD/microsoft-aut--norc -lang=go1.24 x_amd64/vet 3959�� elemetry.io/proto/otlp@v1.8.0/co-errorsas -I x_amd64/vet .1.1/api_client./home/REDACTED/work/azure-dev/azure-dev/cli/azd/azd estGoFiles,XTestGoFiles,CompiledGoFiles,Export,DepOnly,Imports,ImportMap,TestImports,XTestImpor -o x_amd64/vet (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[JeffreyCA]

/azp run azure-dev - cli

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[weikanglim]

Expiry time shows "access token" expiry time NOT ID token expiry token

[vhvb1989]

Expiry time shows "access token" expiry time NOT ID token expiry token

@copilot check this comment and update if needed

[Copilot]

Expiry time shows "access token" expiry time NOT ID token expiry token

@copilot check this comment and update if needed

Reviewed @weikanglim's comment. The current implementation shows the access token expiry time (which is short-lived, typically ~15 minutes and auto-refreshed).

As @weikanglim noted, this could be confusing since the user's auth session remains valid longer. However, showing the ID token expiry instead might also be misleading since it can be revoked independently.

Options for addressing this:

1. Remove expiry display entirely - Only show login status and account info
2. Move to debug/log output - Keep it for diagnostic purposes but not in normal user output
3. Keep as-is - Accept that it shows access token expiry as technical information
4. Add clarifying text - E.g., "Access token expires on: ..." to make it clear this is just the token, not the session

Please clarify which approach is preferred and I'll implement it.

[microsoft-github-policy-service]

Hi @@copilot. Thank you for your interest in helping to improve the Azure Developer CLI experience and for your contribution. We've noticed that there hasn't been recent engagement on this pull request. If this is still an active work stream, please let us know by pushing some changes or leaving a comment. Otherwise, we'll close this out in 7 days.