diff --git a/plugin/pkg/client/auth/azure/azure.go b/plugin/pkg/client/auth/azure/azure.go
index a5218029..f4eeb858 100644
--- a/plugin/pkg/client/auth/azure/azure.go
+++ b/plugin/pkg/client/auth/azure/azure.go
@@ -354,7 +354,6 @@ func (ts *azureTokenSource) Refresh(token *azureToken) (*azureToken, error) {
 }
 
 // refresh outdated token with adal.
-// adal.RefreshTokenError will be returned if error occur during refreshing.
 func (ts *azureTokenSourceDeviceCode) Refresh(token *azureToken) (*azureToken, error) {
 	env, err := azure.EnvironmentFromName(token.environment)
 	if err != nil {
@@ -388,7 +387,8 @@ func (ts *azureTokenSourceDeviceCode) Refresh(token *azureToken) (*azureToken, e
 	}
 
 	if err := spt.Refresh(); err != nil {
-		return nil, fmt.Errorf("refreshing token: %v", err)
+		// Caller expects IsTokenRefreshError(err) to trigger prompt.
+		return nil, fmt.Errorf("refreshing token: %w", err)
 	}
 
 	return &azureToken{
diff --git a/plugin/pkg/client/auth/azure/azure_test.go b/plugin/pkg/client/auth/azure/azure_test.go
index 5f9aab76..aa3f0989 100644
--- a/plugin/pkg/client/auth/azure/azure_test.go
+++ b/plugin/pkg/client/auth/azure/azure_test.go
@@ -330,6 +330,16 @@ func TestAzureTokenSourceScenarios(t *testing.T) {
 			tokenCalls:   1,
 			persistCalls: 1,
 		},
+		{
+			name:         "extend failure with fmt.Errorf nested tokenRefreshError",
+			configToken:  expiredToken,
+			refreshErr:   fmt.Errorf("refreshing token: %w", fakeTokenRefreshError{message: "nested FakeError happened when refreshing"}),
+			sourceToken:  fakeToken,
+			expectToken:  fakeToken,
+			refreshCalls: 1,
+			tokenCalls:   1,
+			persistCalls: 1,
+		},
 		{
 			name:         "unexpected error when extend",
 			configToken:  expiredToken,