What?

main.py

@@ -82,16 +82,23 @@ class Application:
         future.add_done_callback(on_complete)
 
     async def _authenticate(self):
-        """Perform authentication."""
+        """Perform authentication with tenant discovery."""
         try:
-            self.logger.info("Starting authentication...")
+            self.logger.info("Starting authentication with tenant discovery...")
 
-            # Authenticate to Microsoft Graph
-            await self.graph_auth.authenticate()
+            # PHASE 1: Discover tenant ID using "organizations" endpoint (single auth prompt)
+            self.logger.info("Discovering tenant ID...")
+            discovered_tenant_id, orgs_credential, subscriptions = self.azure_auth.discover_tenant_id()
 
-            # Authenticate to Azure (reuse credential)
-            credential = self.graph_auth.get_credential()
-            self.azure_auth.authenticate(credential)
+            self.logger.info(f"Discovered tenant: {discovered_tenant_id}")
+
+            # PHASE 2: Reuse the "organizations" credential for Graph
+            # Skip validation to avoid triggering Graph API auth here - it will auth when first used
+            self.logger.info("Initializing Microsoft Graph with shared credential...")
+            await self.graph_auth.authenticate(credential=orgs_credential, skip_validation=True)
+
+            self.logger.info("Initializing Azure with shared credential...")
+            self.azure_auth.authenticate(credential=orgs_credential, tenant_id=discovered_tenant_id, subscriptions=subscriptions)
 
             # Initialize Graph services
             graph_client = self.graph_auth.get_client()
@@ -103,7 +110,7 @@ class Application:
 
             self.logger.info("Authentication successful")
 
-            # Load subscriptions (should use SSO from Graph auth above)
+            # Load subscriptions (already loaded during discover_tenant_id)
             await self._load_subscriptions()
 
         except Exception as e: