reauth-sp

jiasli · jiasli · commit 07b20c1594eb · 2025-07-01T17:46:45.000+08:00
diff --git a/src/azure-cli-core/azure/cli/core/auth/util.py b/src/azure-cli-core/azure/cli/core/auth/util.py
@@ -43,11 +43,13 @@ def aad_error_handler(error, **kwargs):
         recommendation = PASSWORD_CERTIFICATE_WARNING
     else:
         login_command = _generate_login_command(**kwargs)
-        recommendation = (
-            # Cloud Shell uses IMDS-like interface for implicit login. If getting token/cert failed,
-            # we let the user explicitly log in to AAD with MSAL.
-            "Please explicitly log in with:\n{}" if error.get('error') == 'broker_error'
-            else "Interactive authentication is needed. Please run:\n{}").format(login_command)
+        recommendation = None
+        if login_command:
+            recommendation = (
+                # Cloud Shell uses IMDS-like interface for implicit login. If getting token/cert failed,
+                # we let the user explicitly log in to AAD with MSAL.
+                "Please explicitly log in with:\n{}" if error.get('error') == 'broker_error'
+                else "Interactive authentication is needed. Please run:\n{}").format(login_command)
 
     from azure.cli.core.azclierror import AuthenticationError
     raise AuthenticationError(error_description, msal_error=error, recommendation=recommendation)
@@ -56,6 +58,9 @@ def aad_error_handler(error, **kwargs):
 def _generate_login_command(scopes=None, claims_challenge=None):
     login_command = ['az login']
 
+    if not scopes and not claims_challenge:
+        return None
+
     # Rejected by Conditional Access policy, like MFA
     if scopes:
         login_command.append('--scope {}'.format(' '.join(scopes)))
