AzureAD · RyAuld · Oct 18, 2025 · Oct 20, 2025 · Oct 24, 2025 · Oct 24, 2025
@@ -19,13 +19,12 @@ public class CacheExecutionTests
 
         private static async Task<LabUserData> GetPublicAadUserDataAsync()
         {
-            var api = new LabServiceApi();
-            LabResponse labResponse = (await api.GetLabResponseFromApiAsync(UserQuery.PublicAadUserQuery).ConfigureAwait(false));
+            var labUser = await LabUserHelper.GetDefaultUserAsync().ConfigureAwait(false);
             return new LabUserData(
-              labResponse.User.Upn,
-              labResponse.User.GetOrFetchPassword(),
-              labResponse.User.AppId,
-              labResponse.User.TenantId);
+              labUser.User.Upn,
+              labUser.User.GetOrFetchPassword(),
+              labUser.App.AppId,
+              labUser.User.TenantId);
         }
 
         [AssemblyInitialize]

@@ -32,8 +32,9 @@ public static HashSet<string> s_scope
         public const string MsiResource = "scope";
         public static readonly string[] s_graphScopes = new[] { "user.read" };
         public const uint JwtToAadLifetimeInSeconds = 60 * 10; // Ten minutes
-        public const string ClientCredentialAudience = "https://login.microsoftonline.com/f645ad92-e38d-4d1a-b510-d1b09a74a8ca/v2.0";
-        public const string PublicCloudConfidentialClientID = "88f91eac-c606-4c67-a0e2-a5e8a186854f";
+        // TODO: Tenant Migration - Migrated to new id4slab1 tenant, legacy values: f645ad92-e38d-4d1a-b510-d1b09a74a8ca, 88f91eac-c606-4c67-a0e2-a5e8a186854f
+        public const string ClientCredentialAudience = "https://login.microsoftonline.com/10c419d4-4a50-45b2-aa4e-919fb84df24f/v2.0";
+        public const string PublicCloudConfidentialClientID = "54a2d933-8bf8-483b-a8f8-0a31924f3c1f";
         public const string AutomationTestCertName = "LabAuth.MSIDLab.com";
         public static Dictionary<string, string> AdditionalAssertionClaims =>
             new Dictionary<string, string>() { { "Key1", "Val1" }, { "Key2", "Val2" }, { "customClaims", "{\"xms_az_claim\": [\"GUID\", \"GUID2\", \"GUID3\"]}" } };
@@ -74,6 +75,9 @@ public static HashSet<string> s_scope
 
         public const string ProductionPrefNetworkEnvironment = "login.microsoftonline.com";
         public const string ProductionPrefCacheEnvironment = "login.windows.net";
+        // TODO: Tenant Migration - Regional endpoint may need update after migration
+        // Current: centralus (old tenant), New: eastus2 (id4slab1 tenant)
+        // Note: Regional endpoints may not work with new tenant due to AADSTS100007 restrictions
         public const string ProductionPrefRegionalEnvironment = "centralus.login.microsoft.com";
         public const string ProductionPrefInvalidRegionEnvironment = "invalidregion.login.microsoft.com";
         public const string ProductionNotPrefEnvironmentAlias = "sts.windows.net";
@@ -204,7 +208,7 @@ public static HashSet<string> s_scope
         public const string PKeyAuthResponse = "PKeyAuth Context=\"context\",Version=\"1.0\"";
 
         public const string RegionName = "REGION_NAME";
-        public const string Region = "centralus";
+        public const string Region = "centralus"; // TODO: Tenant Migration - Update for new tenant (id4slab1) is in eastus2
         public const string InvalidRegion = "invalidregion";
         public const int TimeoutInMs = 2000;
         public const string ImdsHost = "169.254.169.254";
@@ -250,6 +254,7 @@ public static IDictionary<string, string> ExtraQueryParameters
         public const string MsalCCAKeyVaultUri = "https://id4skeyvault.vault.azure.net/secrets/AzureADIdentityDivisionTestAgentSecret/";
 
         public const string MsalCCAKeyVaultSecretName = "MSIDLAB4-IDLABS-APP-AzureADMyOrg-CC";
+        // TODO: Tenant Migration - New secret name for id4slab1 tenant: "MSAL-APP-AzureADMultipleOrgs"
         public const string MsalOBOKeyVaultUri = "https://id4skeyvault.vault.azure.net/secrets/IdentityDivisionDotNetOBOServiceSecret/";
         public const string MsalOBOKeyVaultSecretName = "IdentityDivisionDotNetOBOServiceSecret";
         public const string MsalArlingtonOBOKeyVaultUri = "https://msidlabs.vault.azure.net:443/secrets/ARLMSIDLAB1-IDLASBS-App-CC-Secret";
@@ -583,6 +588,14 @@ public static MsalTokenResponse CreateAadTestTokenResponseWithFoci()
             return msalTokenResponse;
         }
 
+        public static MsalTokenResponse CreateAadTestTokenResponseWithMsalUserDefault()
+        {
+            // Token response with MSAL User Default user information for ID4SLAB1 tenant
+            const string jsonResponse = "{\"token_type\":\"Bearer\",\"scope\":\"Calendars.Read openid profile Tasks.Read User.Read email\",\"expires_in\":3600,\"ext_expires_in\":262800,\"access_token\":\"<removed_at>\",\"refresh_token\":\"<removed_rt>\",\"id_token\":\"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJiNmM2OWEzNy1kZjk2LTRkYjAtOTA4OC0yYWI5NmUxZDgyMTUiLCJpc3MiOiJodHRwczovL2xvZ2luLm1pY3Jvc29mdG9ubGluZS5jb20vZjY0NWFkOTItZTM4ZC00ZDFhLWI1MTAtZDFiMDlhNzRhOGNhL3YyLjAiLCJpYXQiOjE1Mzg1Mzg0MjIsIm5iZiI6MTUzODUzODQyMiwiZXhwIjoxNTM4NTQyMzIyLCJuYW1lIjoiTVNBTCBVc2VyIERlZmF1bHQiLCJvaWQiOiI5ZjQ4ODBkOC04MGJhLTRjNDAtOTdiYy1mN2EyM2M3MDMwODQiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJNU0FMLVVzZXItRGVmYXVsdEBpZDRzbGFiMS5vbm1pY3Jvc29mdC5jb20iLCJzdWIiOiJZNllrQmRITk5MSE5tVEtlbDlLaFJ6OHdyYXN4ZExSRmlQMTRCUlBXcm40IiwidGlkIjoiZjY0NWFkOTItZTM4ZC00ZDFhLWI1MTAtZDFiMDlhNzRhOGNhIiwidXRpIjoiNm5jaVgwMlNNa2k5azczLUYxc1pBQSIsInZlciI6IjIuMCJ9.\",\"client_info\":\"" + AadRawClientInfo + "\"}";
+            var msalTokenResponse = JsonHelper.DeserializeFromJson<MsalTokenResponse>(jsonResponse);
+            return msalTokenResponse;
+        }
+
         // Fake strings approximately representing tokens of real-world size
         internal const string AppAccessToken = "a9sVdA2UrU0KbsG19MjSZp4hlrd4B3mhZc1gfWsu1v3Nxuf9y7MMqdmCqyt4OwJ7cZEFAhdy8wf9vRastaS0Dcc6MnAtaI73k9co06QtQgecLPVMR23ht6cWB25Ta7yqdcQ8X7ARdUD4MWY6o01TqADKE4Vo3DMpzZiwpiS6Z81I5bW9jbWiUTT7J44lRM1qR3ZJUdaa6OSOaLZT4temLYy3bXZh6Bvu7fxOF1pStzwESRDiFegYq6LFf1sHVY5scdvNOifQnWuRy4bWw0Fl17IO5lKzhuEUvaOcgyWea0Hg3Rh9U0or2WPogJna7HraHdp0BWtuj3KOdXqmjxDoFKkTfBXiubpnAqlWwfAKHvKYefNuSRT7ewHLFQNpVVbr93P1Na4aMHqL4DWIQ1BEYoRskQkxNDtzeipb5CP5FrfStz8lFB4nCaZsJPqIzi82BpZ4HwXls8VYrRLt2dK0D9ksxufhN2uUknO2w5MBDvpwl5IuPZiCvwxU0IG3eDyqRCqw1uh18KL4qbeAwp0BPQL7Xexc4eCXC5o24uxipyWK6C169R645sYCgHY9Phiik9fUaTcZ6rzPhSKXK5svhtuMUpDHoHnSkOocCmJPRdNEpULup7zAMtGxGtD4ldfRRtAD5MLBcnKB4QN4KsbysV9lj1xDSFawL22pno61hreo5lJmqlRdj3yRVupqg5IRhilWI0wbUSfUPISrBS0EcCb6rSBd6MPIbstJYOsuJ4Bh4wtLDDeD5oxlMIaF2tkf2QHfspXocd0fLbpA7X9AR1s5yYRRJKgh7SJMgS4JJxLHvF9VZJCKKwnYzlR5EaHYsvDCGyvEi9UkWDCBYMcG6OvzYemjVOTiJTbNM2q6DaqLS9bOMZdZzNfG3PlMAqeZlH5CLv8edLzfDaVZmMCdsc6iUTCAgW4ERDzu7Pf2AeQHQlpplPkgYMxiKZ31BxoaHvwlGReopWq3NN8oOS9QG5VCG1osQRmBZAQHDZTA2x30C4l8L4yH8tvs12trqAvRGnFIq79qluVwJHAPGbQZiAEArzpN7laNqDmzJFCA4emv6DdnCnGdLCSaIubVTBJ5dXbBN9xmphJUGw1jCoFDcFxrcOK0MdJnVGnbkEuSrnEVHUGmocUG1tb0QRZ9Jhn9mGO6RxVcZVzs7XJi8vEQ0FeWJOG0uqsNyi0gCmsglyH8QqsOVlYve8UuxqCgzm1CgfCeNDJEB01xk6iTsjRM0iGcCaZGCm9dRdW99Hlq8SsLRZl2IT48KYj4B9ZP4jBrkY9Ef3xpFRu8fiwgBdzrZosZA2aQPRXlvdM1XjeGaK7iUsrpsVOrvDorBoMucV3uypI85c7yQaTu1qrKfri7OZgEVVBdQO08iipyvyRVSBz1U9ZAc0xqgERqPUoPIOFtqMRx1qJD7WWRUa0hnd66SAgiM2ViGBZspIsUvA9KnAF28uU0kVRn3FXb3B3pNLhpHQSqElPz1uFKp6gO1kqRR6B6TwKn";
         internal const string UserAccessToken = "flMpQIKiCoiPK6qISSjmF9dGhKe47KFGPwe82BDBxBCVfYI4UiKYbBuShsjf8oGTsjN5ODeaO6k0cmZJYuNNbLyOr8JGqoxQRW9bI8j5ETpbTNf6tYpAWde9PIYj2wEBnbughVgtJsh2QxIrahie5leMpsGb1yoFzADD5gyoJq8etNUSgZwe5qkfaE9UBCUKrznKjKbsG5hBJXut5GD0QdQy3wo2PnocewrptlMzd5SsHCzUUBGA4q7ks7IfrLiQH11JyBnjBhypOX3XvuqBz4JKkpftVYfvwPWE3f5Onku6FkZJFFESyGQP9YnJVx5dQCpHH9l6ShTqOLSQduf7wxoyeAgxwPrM9Y8Kvj31IrXqiwP52x4hBsctLCqOXOZ3wMXnozMXyHpNvKMJaNgDgvBgMYhiyORkb3qKYw0gAP4659I8dK1esxJoD8I3EreDftGfNMFCgn7kFfauUQphkqx8ukqzw068R7g5TOUci1pgPcVXCAMxj0P3fTiKe1doVuF6znKYh3m7pjyzyaqb5K9VFIh4A8TXOO0MqjaVkoSWJXARTy4T0kAZBVPbO6U2BWku23yLIt43MhQTc9uf7inuirwaIgh5u7noDxYG4QZLB1CJl04Zq2gbh9GW7dqweAaC9efYTEDwhxDTPHeGTQs44e8cnWerIyZA7mq8sFuzihIiCfgZ6nNBPcx2lXKyarUtQGmjjRyOEAhs66atv3SgMhNBhontPoUhR1QEnTKeYzfaavlnf5qMZA41hijGazHyxy5FgLD5aLEpZTHN5MPQLeaEXzDMX5Wtdvq7nokiItRfLkKZtXkuSiFVltmRPcKqzGbjNRH96OQzuxLE1Mv25FYFR3PAwv6np69yScVOpNFL8CqJdT310dGnRPUKSrEqTPuMsHqVRr36j2ZUaGs6YBtcrxIxKHuPrv23FQg5fC0FgxZvKqve0hf68AocJ1HqKRy01CGQobmYpTwBByftOZYGC4KOfGd13l78kZaKLuk2gxfFuTQyr11A0L4n5tXfjlikJtr3wlTGt0KCGGXmNK1xsSoRC0VcXDOgQUu3FHblhiaYjbSvPRF09xn9tRPnUkznbsT1kPMiJ8v89ZOCtVWpvkoiy9VUVcSUpZNQwRh3wHidZAkp1xyjyVc2pIHPg6XhzJnlt77zHNiBkPxWbYt7hXBQf3QeYoMF4s0Qi1y5N72DdoSNJ3iaTwx3esAz6TeyxSh36PIz35mR5jGyGMssyaNg6lIewLPbjnizgC6xssi6mKOheDqWqBv89nIvSBOXEkKcUYsBlhBBK6BgxOIha1NAeP93RRKfyjrF7LtIoSOk3DJUx75rUJ9oyuuTt4FdSnp7ZdrIciO8vlNslPrfa7UjBdOtVHiaz9Ef91dctdADVFcwXXmcu2ypyKB1YvMbkPP7mc12TF1a8X6t0mU4s4J4IpA3SHmT5JvbQBEzOIs6ex38X3UtXSItxpaS2gKozAhAmvjt6NKMe3Jysm4bafH1kb8eB1vdwTQu3jIOGozqHC3rvqEVAt26NNKOuNYAoYYamQOSb2w8PUCuDDWs1ffLvvfyvRndZztV5C4HGGR1Tg82N291Sb7rSUYmA1rdGyJ4kPtSaiPOwMyPUs9FuZNef5Ib83D3gTcgS1gMxto5UkfSxtCDKLXtGKArOdACrRzHiiMSn3owQfyVtSXZPdeofoCzuPWcZzFLBUJR0iKWBpUkxd0N17vw45uMQpQUNGgGoyvyboKkAFlOGsEIAmrnooC3CJGVA4jHPYJnVG4xTJ37U6QL5sX95qWtjbvuD5KoT2GyWec0o62CNr09tCQsiALLC1QrfCiCGsullefbsgBB5tsOY1Kyiy4uf84qBMu20GbsJ01R8xxpJ5bh6HFRaStEK3WIy7TMJym42YMbxB3AGsGFGhNYljtuqgeUjXn1UuWskkB6QqdepFHCof6CHg0LlV0o4Iz9QKu5cfoi8jk5HKbvIGyDqCgZaC2LdugNgQ0X";

@@ -29,6 +29,11 @@ namespace Microsoft.Identity.Test.Integration.HeadlessTests
     [TestClass]
     public class RegionalAuthIntegrationTests
     {
+        // TODO: TENANT MIGRATION - These tests currently use original tenant configuration
+        // Regional endpoints (eastus2.login.microsoft.com) return AADSTS100007 with new tenant
+        // "Only managed identities and Microsoft internal service identities are supported"
+        // Regional endpoints are restricted by Azure AD policy for regular app registrations
+
         private KeyVaultSecretsProvider _keyVault;
 
         private const string RegionalHost = "centralus.login.microsoft.com";
@@ -59,7 +64,7 @@ public async Task AcquireTokenToRegionalEndpointAsync(bool instanceDiscoveryEnab
         {
             // Arrange
             var factory = new HttpSnifferClientFactory();
-            var settings = ConfidentialAppSettings.GetSettings(Cloud.Public);
+            var settings = ConfidentialAppSettings.GetSettings(Cloud.PublicLegacy); // Use legacy config for regional tests
             settings.InstanceDiscoveryEndpoint = instanceDiscoveryEnabled;
             _confidentialClientApplication = BuildCCA(settings, factory);
 
@@ -78,7 +83,7 @@ public async Task InvalidRegion_GoesToInvalidAuthority_Async()
         {
             // Arrange
             var factory = new HttpSnifferClientFactory();
-            var settings = ConfidentialAppSettings.GetSettings(Cloud.Public);
+            var settings = ConfidentialAppSettings.GetSettings(Cloud.PublicLegacy); // Use legacy config for regional tests
             _confidentialClientApplication = BuildCCA(settings, factory, true, "invalid");
 
             Environment.SetEnvironmentVariable(TestConstants.RegionName, TestConstants.Region);
@@ -193,7 +198,7 @@ private static string GetSignedClientAssertionUsingMsalInternal(string clientId,
             var manager = PlatformProxyFactory.CreatePlatformProxy(null).CryptographyManager;
 
             var jwtToken = new JsonWebToken(manager, clientId, TestConstants.ClientCredentialAudience, claims);
-            var cert = ConfidentialAppSettings.GetSettings(Cloud.Public).GetCertificate();
+            var cert = ConfidentialAppSettings.GetSettings(Cloud.PublicLegacy).GetCertificate(); // Use legacy config for regional tests
 
             return jwtToken.Sign(cert, true, true);
         }

@@ -69,7 +69,7 @@ public async Task AuthorityMigrationAsync()
         [TestMethod]
         public async Task FailedAuthorityValidationTestAsync()
         {
-            LabResponse labResponse = await LabUserHelper.GetDefaultUserAsync().ConfigureAwait(false);
+            LabResponse labResponse = await LabUserHelper.GetDefaultUserWithMultiTenantAppAsync().ConfigureAwait(false);
             LabUser user = labResponse.User;
 
             IPublicClientApplication pca = PublicClientApplicationBuilder
@@ -97,7 +97,7 @@ public async Task FailedAuthorityValidationTestAsync()
         [TestMethod]
         public async Task AuthorityValidationTestWithFalseValidateAuthorityAsync()
         {
-            LabResponse labResponse = await LabUserHelper.GetDefaultUserAsync().ConfigureAwait(false);
+            LabResponse labResponse = await LabUserHelper.GetDefaultUserWithMultiTenantAppAsync().ConfigureAwait(false);
             LabUser user = labResponse.User;
 
             IPublicClientApplication pca = PublicClientApplicationBuilder

@@ -22,22 +22,26 @@ public class LongRunningOnBehalfOfTests
     {
         private static readonly string[] s_scopes = { "User.Read" };
         private static readonly string[] s_oboServiceScope = { "api://23c64cd8-21e4-41dd-9756-ab9e2c23f58c/access_as_user" };
-        const string PublicClientID = "be9b0186-7dfd-448a-a944-f771029105bf";
         const string OboConfidentialClientID = "23c64cd8-21e4-41dd-9756-ab9e2c23f58c";
 
         private string _confidentialClientSecret;
+        private string _multiTenantAppId; // Will be set in test initialize
 
         private readonly KeyVaultSecretsProvider _keyVault = new KeyVaultSecretsProvider(KeyVaultInstance.MsalTeam);
 
         #region Test Hooks
         [TestInitialize]
-        public void TestInitialize()
+        public async Task TestInitializeAsync()
         {
             ApplicationBase.ResetStateForTest();
             if (string.IsNullOrEmpty(_confidentialClientSecret))
             {
                 _confidentialClientSecret = _keyVault.GetSecretByName(TestConstants.MsalOBOKeyVaultSecretName).Value;
             }
+
+            // Get the multi-tenant app ID for use in tests
+            var labResponse = await LabUserHelper.GetDefaultUserWithMultiTenantAppAsync().ConfigureAwait(false);
+            _multiTenantAppId = labResponse.App.AppId;
         }
 
         #endregion
@@ -52,9 +56,9 @@ public void TestInitialize()
         [TestMethod]
         public async Task LongRunningAndNormalObo_WithDifferentKeys_TestAsync()
         {
-            var user1 = (await LabUserHelper.GetSpecificUserAsync("[email protected]").ConfigureAwait(false)).User;
+            var user1 = (await LabUserHelper.GetDefaultUserWithMultiTenantAppAsync().ConfigureAwait(false)).User;
             var pca = PublicClientApplicationBuilder
-                .Create(PublicClientID)
+                .Create(_multiTenantAppId)
                 .WithAuthority(AadAuthorityAudience.AzureAdMultipleOrgs)
                 .Build();
 
@@ -104,9 +108,9 @@ public async Task LongRunningAndNormalObo_WithDifferentKeys_TestAsync()
         [TestMethod]
         public async Task LongRunningThenNormalObo_WithTheSameKey_TestAsync()
         {
-            var user1 = (await LabUserHelper.GetSpecificUserAsync("[email protected]").ConfigureAwait(false)).User;
+            var user1 = (await LabUserHelper.GetDefaultUserWithMultiTenantAppAsync().ConfigureAwait(false)).User;
             var pca = PublicClientApplicationBuilder
-                .Create(PublicClientID)
+                .Create(_multiTenantAppId)
                 .WithAuthority(AadAuthorityAudience.AzureAdMultipleOrgs)
                 .Build();
 
@@ -177,9 +181,9 @@ public async Task LongRunningThenNormalObo_WithTheSameKey_TestAsync()
         public async Task InitiateLRWithCustomKey_ThenAcquireLRWithSameKey_Succeeds_TestAsync()
         {
             // Arrange
-            LabUser user1 = (await LabUserHelper.GetSpecificUserAsync("[email protected]").ConfigureAwait(false)).User;
+            LabUser user1 = (await LabUserHelper.GetDefaultUserWithMultiTenantAppAsync().ConfigureAwait(false)).User;
             IPublicClientApplication pca = PublicClientApplicationBuilder
-                .Create(PublicClientID)
+                .Create(_multiTenantAppId)
                 .WithAuthority(AadAuthorityAudience.AzureAdMultipleOrgs)
                 .Build();
 
@@ -248,9 +252,9 @@ public async Task InitiateLRWithCustomKey_ThenAcquireLRWithSameKey_Succeeds_Test
         [TestMethod]
         public async Task NormalOboThenLongRunningAcquire_WithTheSameKey_TestAsync()
         {
-            var user1 = (await LabUserHelper.GetSpecificUserAsync("[email protected]").ConfigureAwait(false)).User;
+            LabUser user1 = (await LabUserHelper.GetDefaultUserWithMultiTenantAppAsync().ConfigureAwait(false)).User;
             var pca = PublicClientApplicationBuilder
-                .Create(PublicClientID)
+                .Create(_multiTenantAppId)
                 .WithAuthority(AadAuthorityAudience.AzureAdMultipleOrgs)
                 .Build();
 
@@ -319,9 +323,9 @@ public async Task NormalOboThenLongRunningAcquire_WithTheSameKey_TestAsync()
         [TestMethod]
         public async Task NormalOboThenLongRunningInitiate_WithTheSameKey_TestAsync()
         {
-            var user1 = (await LabUserHelper.GetSpecificUserAsync("[email protected]").ConfigureAwait(false)).User;
+            var user1 = (await LabUserHelper.GetDefaultUserWithMultiTenantAppAsync().ConfigureAwait(false)).User;
             var pca = PublicClientApplicationBuilder
-                .Create(PublicClientID)
+                .Create(_multiTenantAppId)
                 .WithAuthority(AadAuthorityAudience.AzureAdMultipleOrgs)
                 .Build();
 
@@ -375,10 +379,10 @@ public async Task NormalOboThenLongRunningInitiate_WithTheSameKey_TestAsync()
         [TestMethod]
         public async Task WithDifferentScopes_TestAsync()
         {
-            string[] scopes2 = { "api://eec635da-5760-452d-940a-448220db047c/access_as_user" };
-            var user1 = (await LabUserHelper.GetSpecificUserAsync("[email protected]").ConfigureAwait(false)).User;
+            string[] scopes2 = { "api://23c64cd8-21e4-41dd-9756-ab9e2c23f58c/access_as_user" };
+            var user1 = (await LabUserHelper.GetDefaultUserWithMultiTenantAppAsync().ConfigureAwait(false)).User;
             var pca = PublicClientApplicationBuilder
-                .Create(PublicClientID)
+                .Create(_multiTenantAppId)
                 .WithAuthority(AadAuthorityAudience.AzureAdMultipleOrgs)
                 .WithRedirectUri("https://login.microsoftonline.com/common/oauth2/nativeclient")
                 .Build();