Fix for 5223 - env var to disable ESTS-R (#5224)

* Fix for 5223 - env var to disable ESTS-R

* Fix for 5223 - env var to disable ESTS-R

* Address PR comments

* PR

* whitespace

Author: bgavrilMS

src/client/Microsoft.Identity.Client/AppConfig/ConfidentialClientApplicationBuilder.cs

@@ -24,6 +24,7 @@ namespace Microsoft.Identity.Client
     public class ConfidentialClientApplicationBuilder : AbstractApplicationBuilder<ConfidentialClientApplicationBuilder>
     {
         internal const string ForceRegionEnvVariable = "MSAL_FORCE_REGION";
+        internal const string DisableRegionEnvVariable = "MSAL_DISABLE_REGION";
         internal const string DisableForceRegion = "DisableMsalForceRegion";
 
         /// <inheritdoc/>
@@ -380,8 +381,22 @@ internal override void Validate()
                 throw new InvalidOperationException(MsalErrorMessage.InvalidRedirectUriReceived(Config.RedirectUri));
             }
 
-            if (!string.IsNullOrEmpty(Config.AzureRegion) && 
-                (Config.CustomInstanceDiscoveryMetadata != null || Config.CustomInstanceDiscoveryMetadataUri != null))
+            ValidateAndUpdateRegion();
+        }
+
+        private void ValidateAndUpdateRegion()
+        {
+            // master override - do not use region if this env variable is set, as per #5223
+            // this is needed because MSAL is used in other SDKs and it's difficult for apps to 
+            // disable ESTS-R for some calls and to enable it for others
+            if (!string.IsNullOrEmpty(Environment.GetEnvironmentVariable(DisableRegionEnvVariable)))
+            {
+                Config.AzureRegion = null;
+                return;
+            }
+
+            if (!string.IsNullOrEmpty(Config.AzureRegion) &&
+              (Config.CustomInstanceDiscoveryMetadata != null || Config.CustomInstanceDiscoveryMetadataUri != null))
             {
                 throw new MsalClientException(MsalError.RegionDiscoveryWithCustomInstanceMetadata, MsalErrorMessage.RegionDiscoveryWithCustomInstanceMetadata);
             }

tests/Microsoft.Identity.Test.Unit/PublicApiTests/ClientCredentialWithRegionTests.cs

@@ -329,6 +329,89 @@ public async Task MsalForceRegionIsSet_RegionIsUsed()
             }
         }
 
+        [TestMethod]
+        public async Task MsalDisableRegionEnvVariable_API()
+        {
+            using (new EnvVariableContext())
+            using (var harness = base.CreateTestHarness())
+            {
+                Environment.SetEnvironmentVariable(
+                    ConfidentialClientApplicationBuilder.DisableRegionEnvVariable, "1");
+
+                var httpManager = harness.HttpManager;
+
+                var cca = ConfidentialClientApplicationBuilder
+                                .Create(TestConstants.ClientId)
+                                .WithHttpManager(httpManager)
+                                .WithAzureRegion(TestConstants.Region)
+                                .WithClientSecret(TestConstants.ClientSecret)
+                                .Build();
+
+                await ExpectNoRegionAsync(httpManager, cca).ConfigureAwait(false);
+            }
+        }
+
+        [TestMethod]
+        public async Task MsalDisableRegionEnvVariable_OtherEnv()
+        {
+            using (new EnvVariableContext())
+            using (var harness = base.CreateTestHarness())
+            {
+                Environment.SetEnvironmentVariable(
+                    ConfidentialClientApplicationBuilder.ForceRegionEnvVariable, "someregion");
+                Environment.SetEnvironmentVariable(
+                    ConfidentialClientApplicationBuilder.DisableRegionEnvVariable, "1");
+
+                var httpManager = harness.HttpManager;
+
+                var cca = ConfidentialClientApplicationBuilder
+                                .Create(TestConstants.ClientId)
+                                .WithHttpManager(httpManager)
+                                .WithClientSecret(TestConstants.ClientSecret)
+                                .Build();
+
+                await ExpectNoRegionAsync(httpManager, cca).ConfigureAwait(false);
+            }
+        }
+
+        [TestMethod]
+        public async Task MsalDisableRegionEnvVariable_ApiAndOtherEnv()
+        {
+            using (new EnvVariableContext())
+            using (var harness = base.CreateTestHarness())
+            {
+                Environment.SetEnvironmentVariable(
+                    ConfidentialClientApplicationBuilder.DisableRegionEnvVariable, "1");
+
+                Environment.SetEnvironmentVariable(
+                    ConfidentialClientApplicationBuilder.ForceRegionEnvVariable, "someregion");
+
+                var httpManager = harness.HttpManager;
+
+                var cca = ConfidentialClientApplicationBuilder
+                                .Create(TestConstants.ClientId)
+                                .WithHttpManager(httpManager)
+                                .WithAzureRegion(TestConstants.Region)
+                                .WithClientSecret(TestConstants.ClientSecret)
+                                .Build();
+
+                await ExpectNoRegionAsync(httpManager, cca).ConfigureAwait(false);
+            }
+        }
+
+        private static async Task ExpectNoRegionAsync(MockHttpManager httpManager, IConfidentialClientApplication cca)
+        {
+            httpManager.AddInstanceDiscoveryMockHandler();
+            httpManager.AddMockHandler(CreateTokenResponseHttpHandler(expectRegional: false));
+
+            AuthenticationResult result = await cca
+                    .AcquireTokenForClient(TestConstants.s_scope)
+                    .ExecuteAsync()
+                    .ConfigureAwait(false);
+
+            Assert.IsNull(result.ApiEvent.RegionUsed);
+        }
+
         [TestMethod]
         public async Task MsalForceRegionIsSet_WithRegionIsSet_WithRegionWins()
         {