Pass Microsoft EntraID Authority to CreatePublicClient to Fix Az.Ssh Issue When WAM Enabled (#25944)

* Address review comments

Address review comments

Polish change log

Address review comments

Address review comments

* Integrate Microsoft.Identity.Client 4.65.0

* Polish change log

Author: msJinLei

src/Accounts/Accounts/ChangeLog.md

@@ -19,6 +19,7 @@
 -->
 
 ## Upcoming Release
+* Fixed the issue that `Export-AzSshConfig` and `Enter-AzVM` from Az.Ssh are not able to use when WAM is enabled.
 * Added breaking change preannouncement for the removal of alias `Resolve-Error`. #26189
 * Integrated new detection library to expand the scope of secrets.
 * Upgraded Azure.Core to 1.44.1.

src/Accounts/AssemblyLoading/ConditionalAssemblyProvider.cs

@@ -46,9 +46,9 @@ public static void Initialize(string rootPath, IConditionalAssemblyContext conte
                 CreateAssembly("netstandard2.0", "Azure.Identity", "1.12.0.0"),
                 CreateAssembly("netstandard2.0", "Azure.Identity.Broker", "1.1.0.0"),
                 CreateAssembly("netstandard2.0", "Microsoft.Bcl.AsyncInterfaces", "6.0.0.0"),
-                CreateAssembly("netstandard2.0", "Microsoft.Identity.Client", "4.61.3.0"),
-                CreateAssembly("netstandard2.0", "Microsoft.Identity.Client.Extensions.Msal", "4.61.3.0"),
-                CreateAssembly("netstandard2.0", "Microsoft.Identity.Client.Broker", "4.61.3.0"),
+                CreateAssembly("netstandard2.0", "Microsoft.Identity.Client", "4.65.0.0"),
+                CreateAssembly("netstandard2.0", "Microsoft.Identity.Client.Extensions.Msal", "4.65.0.0"),
+                CreateAssembly("netstandard2.0", "Microsoft.Identity.Client.Broker", "4.65.0.0"),
                 CreateAssembly("netstandard2.0", "Microsoft.Identity.Client.NativeInterop", "0.16.2.0"),
                 CreateAssembly("netstandard2.0", "Microsoft.IdentityModel.Abstractions", "6.35.0.0"),
                 CreateAssembly("netstandard2.0", "System.ClientModel", "1.1.0.0"),

src/Accounts/Authentication/Authentication/TokenCache/PowerShellTokenCacheProvider.cs

@@ -34,7 +34,10 @@ namespace Microsoft.Azure.Commands.Common.Authentication
     public abstract class PowerShellTokenCacheProvider
     {
         public const string PowerShellTokenCacheProviderKey = "PowerShellTokenCacheProviderKey";
-        private static readonly string CommonTenant = "organizations";
+        //Reanme CommonTenant to OrganizationTenant with reference to
+        //https://learn.microsoft.com/en-us/dotnet/api/microsoft.identity.client.abstractapplicationbuilder-1.withauthority?view=msal-dotnet-latest#microsoft-identity-client-abstractapplicationbuilder-1-withauthority(system-string-system-boolean
+        //From MSAL, we shall always use "organizations" for both work and school and MSA accounts
+        private const string organizationTenant = "organizations";
 
         protected byte[] _tokenCacheDataToFlush;
 
@@ -98,7 +101,7 @@ public List<IAccessToken> GetTenantTokensForAccount(IAccount account, IAzureEnvi
                 Id = account.Username,
                 Type = AzureAccount.AccountType.User
             };
-            var commonToken = AzureSession.Instance.AuthenticationFactory.Authenticate(azureAccount, environment, CommonTenant, null, null, promptAction);
+            var commonToken = AzureSession.Instance.AuthenticationFactory.Authenticate(azureAccount, environment, organizationTenant, null, null, promptAction);
             IEnumerable<string> tenants = Enumerable.Empty<string>();
             using (SubscriptionClient subscriptionClient = GetSubscriptionClient(commonToken, environment))
             {
@@ -164,6 +167,25 @@ private SubscriptionClient GetSubscriptionClient(IAccessToken token, IAzureEnvir
 
         protected abstract void RegisterCache(IPublicClientApplication client);
 
+        /// <summary>
+        /// Creates a public client app with tenantId.
+        /// This method is not meant for authentication purpose. Use APIs from Azure.Identity instead.
+        /// </summary>
+        public virtual IPublicClientApplication CreatePublicClient(string authority, string tenantId)
+        {
+            var builder = PublicClientApplicationBuilder.Create(Constants.PowerShellClientId);
+            if (AzConfigReader.IsWamEnabled(authority))
+            {
+                builder = builder.WithBroker(new BrokerOptions(BrokerOptions.OperatingSystems.Windows));
+            }
+            if (!string.IsNullOrEmpty(authority))
+            {
+                builder.WithAuthority(authority, tenantId ?? organizationTenant);
+            }
+            var client = builder.Build();
+            RegisterCache(client);
+            return client;
+        }
         /// <summary>
         /// Creates a public client app.
         /// This method is not meant for authentication purpose. Use APIs from Azure.Identity instead.

src/Accounts/Authentication/Factories/SshCredentialFactory.cs

@@ -14,7 +14,6 @@
 
 using Microsoft.Azure.Commands.Common.Authentication.Abstractions;
 using Microsoft.Azure.Commands.Common.Authentication.Abstractions.Models;
-using Microsoft.Azure.Commands.Common.Authentication.Authentication;
 using Microsoft.Azure.Commands.Common.Authentication.Properties;
 using Microsoft.Identity.Client.SSHCertificates;
 using Microsoft.WindowsAzure.Commands.Utilities.Common;
@@ -69,7 +68,7 @@ public SshCredential GetSshCredential(IAzureContext context, RSAParameters rsaKe
                 throw new NullReferenceException(Resources.AuthenticationClientFactoryNotRegistered);
             }
 
-            var publicClient = tokenCacheProvider.CreatePublicClient();
+            var publicClient = tokenCacheProvider.CreatePublicClient(context.Environment.ActiveDirectoryAuthority, context.Tenant.Id);
             string cloudName = context.Environment.Name.ToLower();
             string scope = CloudToScope.GetValueOrDefault(cloudName, null);
             if (scope == null)