From 52c5f9cdba5fab772c228271ee931f52cc3272bb Mon Sep 17 00:00:00 2001
From: Victor Vazquez <vhvb1989@gmail.com>
Date: Mon, 20 Oct 2025 17:25:48 +0000
Subject: [PATCH 1/4] wip

---
 cli/azd/cmd/auth_login.go   | 26 ++++++++++++++++++++++
 cli/azd/pkg/auth/manager.go | 43 +++++++++++++++++++++++++++++++++++++
 2 files changed, 69 insertions(+)

diff --git a/cli/azd/cmd/auth_login.go b/cli/azd/cmd/auth_login.go
index 69d5b2e4648..e7a087b231e 100644
--- a/cli/azd/cmd/auth_login.go
+++ b/cli/azd/cmd/auth_login.go
@@ -288,6 +288,32 @@ func newLoginAction(
 }
 
 func (la *loginAction) Run(ctx context.Context) (*actions.ActionResult, error) {
+	loginMode, err := la.authManager.Mode()
+	if err != nil {
+		return nil, err
+	}
+	if loginMode != auth.AzdBuiltIn {
+		la.console.MessageUxItem(ctx, &ux.WarningAltMessage{
+			Message: fmt.Sprintf(
+				"Azd is not using the built-in authentication mode, but rather '%s'", loginMode),
+		})
+		la.console.Message(ctx, "If you want to use 'azd auth login', you need to disable the current auth mode.")
+		response, err := la.console.Confirm(ctx, input.ConsoleOptions{
+			Message:      "Do you want to switch back to azd built-in authentication?",
+			DefaultValue: "N",
+			Help:         "",
+		})
+		if err != nil {
+			return nil, err
+		}
+		if !response {
+			return nil, fmt.Errorf("log in is not supported on current mode: %s", loginMode)
+		}
+		if err := la.authManager.SetMode(ctx, auth.AzdBuiltIn); err != nil {
+			return nil, fmt.Errorf("setting auth mode: %w", err)
+		}
+	}
+
 	if len(la.flags.scopes) == 0 {
 		la.flags.scopes = la.authManager.LoginScopes()
 	}
diff --git a/cli/azd/pkg/auth/manager.go b/cli/azd/pkg/auth/manager.go
index 1cfcf1073fe..be4e776d975 100644
--- a/cli/azd/pkg/auth/manager.go
+++ b/cli/azd/pkg/auth/manager.go
@@ -1409,3 +1409,46 @@ func (m *Manager) LogInDetails(ctx context.Context) (*LogInDetails, error) {
 
 	return nil, ErrNoCurrentUser
 }
+
+type AuthMode string
+
+const (
+	AzdBuiltIn      AuthMode = "azd built in"
+	AzDelegated     AuthMode = "delegated to az cli"
+	ExternalRequest AuthMode = "external token request"
+)
+
+func (m *Manager) Mode() (AuthMode, error) {
+	// Check external
+	if m.UseExternalAuth() {
+		return ExternalRequest, nil
+	}
+
+	// check az delegation
+	cfg, err := m.userConfigManager.Load()
+	if err != nil {
+		return "", fmt.Errorf("fetching current user: %w", err)
+	}
+
+	if shouldUseLegacyAuth(cfg) {
+		return AzDelegated, nil
+	}
+
+	// default to azd
+	return AzdBuiltIn, nil
+}
+
+func (m *Manager) SetMode(mode AuthMode) error {
+	currentMode, err := m.Mode()
+	if err != nil {
+		return fmt.Errorf("fetching current auth mode: %w", err)
+	}
+
+	if currentMode == mode {
+		return nil
+	}
+
+	if currentMode == ExternalRequest {
+
+	}
+}

From 43c3339a1a76d86df9aaefdb698a77ec22d7ba3b Mon Sep 17 00:00:00 2001
From: Victor Vazquez <vhvb1989@gmail.com>
Date: Tue, 21 Oct 2025 21:20:23 +0000
Subject: [PATCH 2/4] lint

---
 cli/azd/cmd/auth_login.go   |  3 ++-
 cli/azd/pkg/auth/manager.go | 27 ++++++++++++++++++++++++---
 2 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/cli/azd/cmd/auth_login.go b/cli/azd/cmd/auth_login.go
index e7a087b231e..6b07c5ca723 100644
--- a/cli/azd/cmd/auth_login.go
+++ b/cli/azd/cmd/auth_login.go
@@ -309,9 +309,10 @@ func (la *loginAction) Run(ctx context.Context) (*actions.ActionResult, error) {
 		if !response {
 			return nil, fmt.Errorf("log in is not supported on current mode: %s", loginMode)
 		}
-		if err := la.authManager.SetMode(ctx, auth.AzdBuiltIn); err != nil {
+		if err := la.authManager.SetBuiltInAuthMode(); err != nil {
 			return nil, fmt.Errorf("setting auth mode: %w", err)
 		}
+		la.console.Message(ctx, "Authentication mode set to azd built-in. Continuing login...")
 	}
 
 	if len(la.flags.scopes) == 0 {
diff --git a/cli/azd/pkg/auth/manager.go b/cli/azd/pkg/auth/manager.go
index be4e776d975..2ddbd1e91fa 100644
--- a/cli/azd/pkg/auth/manager.go
+++ b/cli/azd/pkg/auth/manager.go
@@ -1438,17 +1438,38 @@ func (m *Manager) Mode() (AuthMode, error) {
 	return AzdBuiltIn, nil
 }
 
-func (m *Manager) SetMode(mode AuthMode) error {
+func (m *Manager) SetBuiltInAuthMode() error {
 	currentMode, err := m.Mode()
 	if err != nil {
 		return fmt.Errorf("fetching current auth mode: %w", err)
 	}
-
-	if currentMode == mode {
+	if currentMode == AzdBuiltIn {
 		return nil
 	}
 
 	if currentMode == ExternalRequest {
+		return fmt.Errorf("cannot change auth mode when external token mode is set. See %s",
+			"https://github.com/Azure/azure-dev/blob/main/cli/azd/docs/external-authentication.md")
+	}
+
+	// protecting against unexpected modes. There should be only azDelegsated left.
+	if currentMode != AzDelegated {
+		return fmt.Errorf("Unexpected mode found: %s", currentMode)
+	}
+
+	// Unset the useAzCliAuthKey flag
+	cfg, err := m.userConfigManager.Load()
+	if err != nil {
+		return fmt.Errorf("reading user config: %w", err)
+	}
+
+	if err := cfg.Unset(useAzCliAuthKey); err != nil {
+		return fmt.Errorf("unsetting %s: %w", useAzCliAuthKey, err)
+	}
 
+	if err := m.userConfigManager.Save(cfg); err != nil {
+		return fmt.Errorf("saving user config: %w", err)
 	}
+
+	return nil
 }

From 059e3656c7090ea4efde9de4599fdc0c925c70ad Mon Sep 17 00:00:00 2001
From: Victor Vazquez <vhvb1989@gmail.com>
Date: Tue, 21 Oct 2025 21:24:05 +0000
Subject: [PATCH 3/4] adjust default value

---
 cli/azd/cmd/auth_login.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/cli/azd/cmd/auth_login.go b/cli/azd/cmd/auth_login.go
index 6b07c5ca723..49dbba55c69 100644
--- a/cli/azd/cmd/auth_login.go
+++ b/cli/azd/cmd/auth_login.go
@@ -300,8 +300,9 @@ func (la *loginAction) Run(ctx context.Context) (*actions.ActionResult, error) {
 		la.console.Message(ctx, "If you want to use 'azd auth login', you need to disable the current auth mode.")
 		response, err := la.console.Confirm(ctx, input.ConsoleOptions{
 			Message:      "Do you want to switch back to azd built-in authentication?",
-			DefaultValue: "N",
-			Help:         "",
+			DefaultValue: false,
+			Help: "Azd supports multiple authentication modes, including Azure CLI authentication and External " +
+				"request for Auth. Switching back to azd built-in authentication will try to disable the current mode.",
 		})
 		if err != nil {
 			return nil, err

From 7d81486170f961713a3b524e3671171092ecd119 Mon Sep 17 00:00:00 2001
From: Victor Vazquez <vhvb1989@gmail.com>
Date: Tue, 21 Oct 2025 21:25:43 +0000
Subject: [PATCH 4/4] spell

---
 cli/azd/pkg/auth/manager.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cli/azd/pkg/auth/manager.go b/cli/azd/pkg/auth/manager.go
index 2ddbd1e91fa..de2e00fcd0b 100644
--- a/cli/azd/pkg/auth/manager.go
+++ b/cli/azd/pkg/auth/manager.go
@@ -1452,7 +1452,7 @@ func (m *Manager) SetBuiltInAuthMode() error {
 			"https://github.com/Azure/azure-dev/blob/main/cli/azd/docs/external-authentication.md")
 	}
 
-	// protecting against unexpected modes. There should be only azDelegsated left.
+	// protecting against unexpected modes. There should be only azDelegated left.
 	if currentMode != AzDelegated {
 		return fmt.Errorf("Unexpected mode found: %s", currentMode)
 	}