
Region Discovery Troubleshooting

Jean-Marc Prieur edited this page Mar 30, 2021 · 16 revisions

AAD is adding support for regional STS endpoints (ESTS-Regional). Currently only the service-to-service flow (client_credentials, i.e. AcquireTokenForClient) can use them, and only via opt-in.

Region detection

If you know the region, use it. If you don't, MSAL can attempt auto-discovery. This works on some Azure hosts, such as some VMs (through the Instance Metadata Service, IMDS) and Azure Functions (through environment variables the platform defines). If auto-detection fails, MSAL falls back to the non-regional (global) authority.

```csharp
// If the app knows its region, use it: MSAL cannot reliably detect the region in every environment.
// ConfidentialClientApplication.AttemptRegionDiscovery asks MSAL to auto-detect and fall back to the global authority.
string region = Config.Region ?? ConfidentialClientApplication.AttemptRegionDiscovery;

var cca = ConfidentialClientApplicationBuilder.Create(clientId)
                  .WithClientSecret(clientSecret)   // or WithCertificate(...); client_credentials needs a credential
                  .WithAuthority(AzureCloudInstance.AzurePublic, tenantId, validateAuthority: false)
                  .WithRegion(region)
                  .Build();
```

Authority validation

Authority validation is not currently supported for regional Azure authorities, so you must set the validateAuthority flag to false to use a regional authority. Do not disable authority validation if you read the authority from an untrusted source, for example from the WWW-Authenticate header of an HTTP response with status 401: whoever controls that response could point your app at an authority of their choosing. Disable authority validation only when the authority comes from a trusted source, such as a config file, or when you hardcode it to "https://login.microsoftonline.com/" or similar.
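The following is an added example, not code from this wiki or from MSAL.NET itself, showing one way to keep the two cases apart in an app: an authority taken from a 401 challenge is only ever used with validation left on and without the regional opt-in, while the regional client is built solely from configured values. The class `RegionalAuthorityGuard`, the `TrustedHosts` allowlist, the challenge parser and the sample header strings are assumptions for illustration; the MSAL.NET calls (`ConfidentialClientApplicationBuilder.Create`, `WithClientSecret`, `WithAuthority`, `WithRegion`, `ConfidentialClientApplication.AttemptRegionDiscovery`) are the library's public API.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
using Microsoft.Identity.Client;

// Hypothetical helper (not part of MSAL.NET): a challenge-derived authority never gets
// validateAuthority:false and never gets WithRegion; only configured authorities do.
public static class RegionalAuthorityGuard
{
    // Hosts this app is willing to accept from a 401 challenge at all (assumption: public cloud only).
    private static readonly HashSet<string> TrustedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "login.microsoftonline.com" };

    // Pulls authorization_uri out of a header shaped like
    //   Bearer authorization_uri="https://login.microsoftonline.com/<tenant>", realm="..."
    // Returns null if there is no absolute https URI with a tenant segment or the host is not allowlisted.
    public static Uri TryGetTrustedAuthorityFromChallenge(string wwwAuthenticate)
    {
        if (string.IsNullOrWhiteSpace(wwwAuthenticate)) return null;

        Match m = Regex.Match(wwwAuthenticate, "authorization_uri=\"(?<uri>[^\"]+)\"", RegexOptions.IgnoreCase);
        if (!m.Success || !Uri.TryCreate(m.Groups["uri"].Value, UriKind.Absolute, out Uri uri)) return null;

        bool ok = uri.Scheme == Uri.UriSchemeHttps
               && TrustedHosts.Contains(uri.Host)
               && uri.Segments.Length >= 2;   // "/" followed by "<tenant>"
        return ok ? uri : null;
    }

    // Untrusted origin: keep validateAuthority at true and do not opt in to the regional endpoint.
    public static IConfidentialClientApplication FromChallenge(string clientId, string clientSecret, string wwwAuthenticate)
    {
        Uri authority = TryGetTrustedAuthorityFromChallenge(wwwAuthenticate)
            ?? throw new InvalidOperationException("401 challenge did not carry an acceptable authority");

        return ConfidentialClientApplicationBuilder.Create(clientId)
            .WithClientSecret(clientSecret)
            .WithAuthority(authority, validateAuthority: true)
            .Build();
    }

    // Trusted origin (config): the authority is composed from known values, so validation may be
    // disabled and the regional endpoint used; region falls back to MSAL auto-detection when unset.
    public static IConfidentialClientApplication FromConfig(string clientId, string clientSecret, string tenantId, string region)
    {
        return ConfidentialClientApplicationBuilder.Create(clientId)
            .WithClientSecret(clientSecret)
            .WithAuthority(AzureCloudInstance.AzurePublic, tenantId, validateAuthority: false)
            .WithRegion(region ?? ConfidentialClientApplication.AttemptRegionDiscovery)
            .Build();
    }

    public static void Main()
    {
        // Constructed sample headers: one legitimate, one pointing at a look-alike host.
        const string good = "Bearer authorization_uri=\"https://login.microsoftonline.com/contoso.onmicrosoft.com\", realm=\"api\"";
        const string evil = "Bearer authorization_uri=\"https://login.microsoftonline.com.attacker.example/contoso\", realm=\"api\"";

        Console.WriteLine(TryGetTrustedAuthorityFromChallenge(good));   // the contoso authority
        Console.WriteLine(TryGetTrustedAuthorityFromChallenge(evil) is null); // True: rejected
    }
}
```

The allowlist is defence in depth only; the property that matters is that `FromChallenge` never passes `validateAuthority: false`, so even a header that slips past the parser is still subject to MSAL's own authority validation.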

Known errors

AADSTS700023: Client assertion audience claim does not match Realm issuer. This error is returned by the service when an invalid regional authority is used.
