[BUG] EnvironmentCredential doesn't work and the instructions are unclear

[JljHook]

Describe the bug

I'm trying to get Azure MCP to run in Azure container apps.
Instructions state that you should define AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID.
However container crashes with error "ClientId" should be defined.
I've additionally defined these:
AZURE_TOKEN_CREDENTIALS=true, AZURE_MCP_INCLUDE_PRODUCTION_CREDENTIALS=false
and --transport=http.

Expected behavior

Extra authentication to MCP should not be required as it should use "EnvironmentCredential".

Actual behavior

Container crashed and throws this exception: System.ArgumentNullException: IDW10106: The 'ClientId' option must be provided.

Reproduction Steps

containers: [
{
name: 'azure-mcp-server'
image: 'mcr.microsoft.com/azure-sdk/azure-mcp:latest'
args: serverArgs
resources: {
cpu: json('0.25')
memory: '0.5Gi'
}
env: [
{
name: 'ASPNETCORE_ENVIRONMENT'
value: 'production'
}
{
name: 'ASPNETCORE_URLS'
value: 'http://+:8080'
}
{
name: 'ASPNETCORE_ENVIRONMENT'
value: 'production'
}
{
name: 'AZURE_TOKEN_CREDENTIALS'
value: 'prod'
}
{
name: 'AZURE_MCP_DANGEROUSLY_DISABLE_HTTPS_REDIRECTION'
value: 'true'
}
{
name: 'AZURE_MCP_INCLUDE_PRODUCTION_CREDENTIALS'
value: 'false'
}
{
name: 'AZURE_TENANT_ID'
value: azureTenantId
}
{
name: 'AZURE_CLIENT_ID'
value: managedIdentityClientId
}
{
name: 'AZURE_CLIENT_SECRET'
value: managedIdentityClientSecret
}
]
}

Environment

No response

[JasonYeMSFT]

@JljHook Could you please share the full startup command you used (e.g. baseArgs in our example template)

The error is about missing one of these environment variables. They are necessary for the server to tell what access tokens to accept since it comapres them with the corresponding claims in incoming access tokens.

{
  name: 'AzureAd__Instance'
  value: environment().authentication.loginEndpoint
}
{
  name: 'AzureAd__TenantId'
  value: azureAdTenantId
}
{
  name: 'AzureAd__ClientId'
  value: azureAdClientId
}