Description
Library version used
4.71.1
.NET version
.Net 472
Scenario
ManagedIdentityClient - managed identity
Is this a new or an existing app?
The app is in production, and I have upgraded to a new version of MSAL
Issue description and reproduction steps
The application, running on an Azure VM (tenant xxxx), directs calls to a separate Azure VM (tenant cccc), and it is from this VM that Azure API requests are sent. Access tokens were acquired from the VM (tenant cccc). After upgraded Microsoft.Identity.Client to 4.71.1, requests start failing with error message like:
Azure.RequestFailedException: The access token is from the wrong issuer 'https://sts.windows.net/xxxx'. It must match one of the tenants 'https://sts.windows.net/cccc/,https://sts.windows.net/bbbb/' associated with this subscription. Please use any authority (URL) from 'https://sts.windows.net/ccc/,https://sts.windows.net/bbbb/ to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later.
Status: 401 (Unauthorized)
ErrorCode: InvalidAuthenticationTokenTenant
Relevant code snippets
var tokenCredentialOptions = new TokenCredentialOptions()
{
Transport = new HttpClientTransport(customHttpClient);
}
var credential = new ManagedIdentityCredential(null, tokenCredentialOptions);
var options = new ArmClientOptions
{
Environment = new ArmEnvironment(endpoint, authAudience),
Transport = new HttpClientTransport(customHttpClient)
};
var client = new ArmClient(credential, subscriptionId, options)Expected behavior
No response
Identity provider
Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)
Regression
No response
Solution and workarounds
No response