Add azd auth status command

[Copilot]

Users had to discover azd auth login --check-status to check authentication status, which is unintuitive compared to CLIs like gh that use auth status subcommands.

Changes

• New command: azd auth status checks authentication status and displays user information
  • Supports --output json for structured output
  • Returns status success or unauthenticated with expiration time
  • Shows credential expiration time in both text and JSON output formats
  • No tenant or scope flags - checks current user's credentials only
• Backward compatibility: azd auth login --check-status continues to work unchanged
  • Updated to display credential expiration time for consistency with azd auth status

Usage

# New intuitive command
$ azd auth status
Not logged in, run `azd auth login` to login to Azure

# When logged in
$ azd auth status
Logged in to Azure as [email protected]

Credential expires on: 2024-01-15 10:30:45 UTC

# JSON output
$ azd auth status --output json
{
  "status": "unauthenticated"
}

# Or when logged in
$ azd auth status --output json
{
  "status": "success",
  "expiresOn": "2024-01-15T10:30:45Z"
}

# Old flag still works with same output
$ azd auth login --check-status
Logged in to Azure as [email protected]

Credential expires on: 2024-01-15 10:30:45 UTC

Implementation

Created auth_status.go with dedicated command registration in the auth command group. The command checks the current user's authentication status using default login scopes, without allowing tenant or scope overrides (since azd stores only one current user credential at a time). Both text and JSON output formats now include credential expiration information. Updated azd auth login --check-status to display the same credential expiration information for consistency.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[Issue] Consider adding azd auth status</issue_title>
<issue_description>I can check auth status like this

azd auth login --check-status

It took me a while to figure that out and needed help from the team.

It would be more intuitive to have

azd auth status

Like the gh cli: https://cli.github.com/manual/gh_auth</issue_description>

<agent_instructions>Please write as little code as possible to complete this task. Use the DRY principle and follow the style of the repo docs and maintainers here. </agent_instructions>

Comments on the Issue (you are @copilot in this section)

• Fixes [Issue] Consider adding azd auth status #2898

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[wbreza]

Love the idea - just have some open questions about the flags.
@copilot - Please review token caching and if we support multiple tokens with different tenants/scopes.

[wbreza]

Does it make sense to expose these flags on azd auth status? Could the user even have a different status in one tenant vs another? As far as I'm aware we only keep the auth tokens for the most recent auth login.

[Copilot]

You're correct - removed the tenant-id and scope flags in commit bb9541f. The auth system stores a single current user credential, and these flags don't make sense for a status command. The command now checks whatever the user is currently logged in with using the default login scopes.

[wbreza]

We should consider outputting the expiration date/time of the current token.

[Copilot]

Added credential expiration to text output in commit bb9541f. The expiration was already in the JSON output, now it's also shown in the text format:

Logged in to Azure as [email protected]

Credential expires on: 2024-01-15 10:30:45 UTC

[JeffreyCA]

Should we also share this logic with azd auth login --check-status for consistency?

[kristenwomack]

yes, we should!

[JeffreyCA]

@copilot ^

[Copilot]

Added credential expiration to azd auth login --check-status in commit bec39dc for consistency. Both commands now display the expiration time in the same format:

Logged in to Azure as [email protected]

Credential expires on: 2025-12-15 21:41:56 UTC

[Copilot]

Love the idea - just have some open questions about the flags.
@copilot - Please review token caching and if we support multiple tokens with different tenants/scopes.

Reviewed the auth system in commit bb9541f. The system stores a single "current user" credential (not multiple tokens). When CredentialForCurrentUser is called, it returns a credential that can fetch tokens on-demand with different scopes/tenants, but there's only one logged-in user at a time. The tenant-id and scope flags have been removed from azd auth status since they don't apply to status checking - the command now simply verifies the current user's credentials.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• aka.ms
  • Triggering command: ./azd ./azd auth status --help go1.25.5 -c=4 -nolocalimports -importcfg /tmp/go-build2490742591/b766/importcfg -pack /home/REDACTED/work/azure-dev/azure-dev/cli/azd/pkg/tools/git/git.go git remo�� formatters/html/-p pper_tool.go x_amd64/compile (dns block)
  • Triggering command: /home/REDACTED/work/azure-dev/azure-dev/cli/azd/azd /home/REDACTED/work/azure-dev/azure-dev/cli/azd/azd extension source add -n local -t file -l /home/REDACTED/work/azure-dev/azure-dev/cli/azd/extensions/registry.json --64 x_amd64/vet @v1.�� g_.a ache/go/1.25.5/x-ifaceassert x_amd64/vet /tmp/go-build249/opt/hostedtoolcache/go/1.25.5/x64/pkg/tool/linux_amd64/vet i/reflow/indent x86_64-linux-gnu-bool x_amd64/vet (dns block)
  • Triggering command: /home/REDACTED/work/azure-dev/azure-dev/cli/azd/azd /home/REDACTED/work/azure-dev/azure-dev/cli/azd/azd extension list --source local --output json x_amd64/vet . me/protoimpl --64 x_amd64/vet @v1.�� g_.a olang.org/grpc@v-ifaceassert x_amd64/vet --gdwarf-5 zd/pkg/azure -o x_amd64/vet (dns block)
• westus-0.in.applicationinsights.azure.com
  • Triggering command: /home/REDACTED/work/azure-dev/azure-dev/cli/azd/azd /home/REDACTED/work/azure-dev/azure-dev/cli/azd/azd telemetry upload x_amd64/vet -p g_.a -trimpath x_amd64/vet -I (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[Copilot]

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• aka.ms
  • Triggering command: ./azd ./azd auth status -goversion go1.25.5 -c=4 -nolocalimports -importcfg /tmp/go-build1303810283/b766/importcfg -pack /home/REDACTED/work/azure-dev/azure-dev/cli/azd/pkg/tools/git/git.go 09.o conf�� fips140/aes pper_tool.go as user.email internal/oauth/o-o (dns block)
  • Triggering command: ./azd ./azd auth login --check-status go1.25.5 -c=4 -nolocalimports -importcfg /tmp/go-build1303810283/b764/importcfg -pack /home/REDACTED/work/azure-dev/azure-dev/cli/azd/pkg/templates/awesome_source.go /home/REDACTED/work/azure-dev/azure-dev/cli/azd/pkg/templates/file_source.go conf�� 3810283/b114/_pk-p ha7i/8WcolSuzHy2github.com/fsnotify/fsnotify/internal 3810283/b114=> user.email nk (dns block)
  • Triggering command: /home/REDACTED/work/azure-dev/azure-dev/cli/azd/azd /home/REDACTED/work/azure-dev/azure-dev/cli/azd/azd telemetry upload -goversion go1.25.5 -c=4 -nolocalimports -importcfg /tmp/go-build1303810283/b765/importcfg -pack /home/REDACTED/work/azure-dev/azure-dev/cli/azd/pkg/github/remote.go u/13/cc1 conf�� fips140/aes CNhX/TGuM4eXS92-golang.org/x/text/internal/format s user.email 3810283/b077/ (dns block)
• westus-0.in.applicationinsights.azure.com
  • Triggering command: /home/REDACTED/work/azure-dev/azure-dev/cli/azd/azd /home/REDACTED/work/azure-dev/azure-dev/cli/azd/azd telemetry upload -goversion go1.25.5 -c=4 -nolocalimports -importcfg /tmp/go-build1303810283/b765/importcfg -pack /home/REDACTED/work/azure-dev/azure-dev/cli/azd/pkg/github/remote.go u/13/cc1 conf�� fips140/aes CNhX/TGuM4eXS92-golang.org/x/text/internal/format s user.email 3810283/b077/ (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[Copilot]

Pull request overview

This PR adds a new azd auth status command to provide a more intuitive way to check authentication status, replacing the previously required azd auth login --check-status flag. The implementation maintains backward compatibility while improving user experience by following CLI conventions used by tools like the GitHub CLI.

Key Changes

• New dedicated azd auth status command with support for both text and JSON output formats
• Enhanced credential expiration display in both azd auth status and azd auth login --check-status
• Updated command autocomplete and help documentation

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
cli/azd/cmd/auth_status.go	New command implementation with authentication status checking, credential verification, and output formatting
cli/azd/cmd/auth.go	Registers the new status subcommand under the auth command group with JSON and text output format support
cli/azd/cmd/auth_login.go	Updates --check-status flag behavior to display credential expiration time for consistency
cli/azd/cmd/testdata/TestUsage-azd-auth.snap	Adds status subcommand to auth command help output
cli/azd/cmd/testdata/TestUsage-azd-auth-status.snap	New snapshot test for auth status command help text
cli/azd/cmd/testdata/TestFigSpec.ts	Updates Fig autocomplete specification to include the new status subcommand

[Copilot]

This entire status-checking logic block (lines 72-132) is duplicated from auth_login.go lines 305-363. The code is nearly identical except for the verifyLoggedIn method signature. This violates the DRY principle mentioned in the PR instructions.

Consider extracting the common status-checking logic into a shared helper function that both auth_login.go (--check-status flag) and auth_status.go can use. This would:

1. Reduce maintenance burden when the logic needs to change
2. Ensure consistency between both commands
3. Make the codebase easier to maintain

The helper function could accept the necessary parameters (formatter, writer, console, authManager, token, err) and handle the status display logic.

[Copilot]

The new auth_status command lacks unit tests. Similar commands in the same directory have comprehensive test coverage. For example, auth_token_test.go has 367 lines of tests covering various scenarios including success cases, error cases, and different input combinations.

At minimum, tests should cover:

1. Authenticated user scenario (status success with expiration)
2. Unauthenticated user scenario (status unauthenticated)
3. JSON output format validation
4. Text output format validation
5. Error scenarios (e.g., ReLoginRequiredError, ErrNoCurrentUser)

[Copilot]

The comment "In check status mode, we always print the final status to stdout" appears to be copied from auth_login.go where it makes sense in the context of the --check-status flag. However, for the dedicated auth_status command, this comment is slightly misleading since the command is always in "status mode" - there's no mode switching.

Consider updating the comment to better reflect that this is the primary behavior of the status command, for example: "The status command always prints the final status to stdout and returns a zero exit code. Any non-setup related errors are printed to stderr."