Conversation


@aavasthy aavasthy commented Aug 27, 2025

Description

This is a follow-up to PR #42228, which introduced the ability to override the AAD scope value. As part of the current PR:

  • If the end user provides a custom scope by overriding the environment variable(), we use that value for AAD authentication. If authentication with the custom scope fails, there is no retry or fallback.
  • If no custom scope is provided, we use the account scope for AAD authentication. If that fails with the exception AADSTS500011, the fallback implemented in this PR retries with the scope "https://cosmos.azure.com/.default".

This is a temporary change until "https://cosmos.azure.com/.default" is accepted as the scope across all environments and clouds.

All SDK Contribution checklist:

  • The pull request does not introduce breaking changes.
  • CHANGELOG is updated for new features, bug fixes or other significant changes.
  • I have read the contribution guidelines.

General Guidelines and Best Practices

  • Title of the pull request is clear and informative.
  • There are a small number of commits, each of which has an informative message. This means that previously merged commits do not appear in the history of the PR. For more information on cleaning up the commits in your PR, see this page.

Testing Guidelines

  • Pull request includes test coverage for the included changes.
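To make the decision rule above concrete, here is a small model of the fallback as an added example; it is not the azure-cosmos SDK's `_auth_policy` code, and the credential class, exception class, function names and the account scope value are all constructed for illustration.

```python
"""Illustrative model of the AAD scope fallback described in this PR.

Added example, not the azure-cosmos SDK's own code. FakeCredential,
TokenRequestError and acquire_token are hypothetical names.
"""
from dataclasses import dataclass, field
from typing import Optional

COSMOS_DEFAULT_SCOPE = "https://cosmos.azure.com/.default"
FALLBACK_ERROR_CODE = "AADSTS500011"  # the only error that triggers a retry


class TokenRequestError(Exception):
    """Stand-in for the error a credential raises when AAD rejects a scope."""


@dataclass
class FakeCredential:
    """Constructed credential: only scopes listed in `accepted` succeed.

    `deny_code` is the AAD error code embedded in the failure message, so a
    test can check that other error codes do not trigger the fallback.
    """
    accepted: set
    deny_code: str = FALLBACK_ERROR_CODE
    calls: list = field(default_factory=list)  # records every scope tried

    def get_token(self, scope: str) -> str:
        self.calls.append(scope)
        if scope in self.accepted:
            return f"token-for:{scope}"
        raise TokenRequestError(f"{self.deny_code}: scope {scope} rejected")


def acquire_token(credential, account_scope: str,
                  override_scope: Optional[str] = None) -> str:
    """Apply the PR's rules.

    - An explicit override scope is used as-is; a failure propagates, no retry.
    - Otherwise the account scope is tried first, and only an AADSTS500011
      failure triggers a single retry with the Cosmos default scope.
    """
    if override_scope:
        return credential.get_token(override_scope)
    try:
        return credential.get_token(account_scope)
    except TokenRequestError as exc:
        if FALLBACK_ERROR_CODE not in str(exc):
            raise  # unrelated failures are not masked by the fallback
        return credential.get_token(COSMOS_DEFAULT_SCOPE)
```

Recording the scopes tried, as the fake credential does, is also the check a reviewer wants in a test: exactly one retry, only for the account-scope path, and only on AADSTS500011.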

Copilot AI review requested due to automatic review settings August 27, 2025 08:53
@aavasthy aavasthy requested a review from a team as a code owner August 27, 2025 08:53

Copilot AI left a comment


Pull Request Overview

This PR introduces a fallback mechanism for the AAD scope override in the Azure Cosmos DB client. When no override scope is provided, the client first attempts authentication with the account scope, and if that fails with the specific error AADSTS500011, it falls back to the default Cosmos scope https://cosmos.azure.com/.default. The fallback only occurs when using the account scope; when an override scope is explicitly provided, no fallback occurs.

Key changes:

  • Modified authentication policy classes to support fallback logic with retry mechanism
  • Updated client connection initialization to pass both account and override scopes to the policy
  • Enhanced test coverage with comprehensive scenarios for scope override and fallback behavior

Reviewed Changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 5 comments.

Reviewed files:

  • sdk/cosmos/azure-cosmos/azure/cosmos/_auth_policy.py: implements fallback logic in the sync authentication policy with a retry loop for AADSTS500011 errors
  • sdk/cosmos/azure-cosmos/azure/cosmos/aio/_auth_policy_async.py: implements fallback logic in the async authentication policy with a retry loop for AADSTS500011 errors
  • sdk/cosmos/azure-cosmos/azure/cosmos/_cosmos_client_connection.py: updates sync client initialization to pass separate account and override scopes to the policy
  • sdk/cosmos/azure-cosmos/azure/cosmos/aio/_cosmos_client_connection_async.py: updates async client initialization to pass separate account and override scopes to the policy
  • sdk/cosmos/azure-cosmos/tests/test_aad.py: adds comprehensive sync test coverage for scope override and fallback scenarios
  • sdk/cosmos/azure-cosmos/tests/test_aad_async.py: adds comprehensive async test coverage for scope override and fallback scenarios

@aavasthy aavasthy self-assigned this Aug 28, 2025

github-actions bot commented Sep 2, 2025

API Change Check

APIView identified API level changes in this PR and created the following API reviews

azure-cosmos

@aavasthy aavasthy force-pushed the add-fallback-aadscope branch from 22b491f to e4e0904 Compare September 3, 2025 19:53

@tvaron3 tvaron3 left a comment


LGTM

@azure-pipelines

You have several pipelines (over 10) configured to build pull requests in this repository. Specify which pipelines you would like to run by using /azp run [pipelines] command. You can specify multiple pipelines using a comma separated list.

@simorenoh

/azp run python - cosmos - ci

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).


@FabianMeiswinkel FabianMeiswinkel left a comment


LGTM

@aavasthy aavasthy enabled auto-merge (squash) September 5, 2025 23:55
@aavasthy aavasthy merged commit 862a371 into Azure:main Sep 5, 2025
21 checks passed
@aavasthy aavasthy changed the title from "TokenCredentialCache: Adds a fallback mechanism to AAD scope override." to "Adds a fallback mechanism to AAD scope override." Oct 17, 2025