
Region Discovery Troubleshooting

Neha Bhargava edited this page Jul 6, 2021 · 16 revisions

AAD is adding support for regional STS (ESTS-Regional). Currently only the service-to-service flow (client_credentials, i.e. AcquireTokenForClient) is supported, and only for first-party apps that opt in.

For more details refer: https://aka.ms/msal/estsr/guidance

Region detection

If you know the region, use it. If you don't, MSAL can attempt auto-discovery. This works on some Azure hosts, such as some VMs (through IMDS) and Azure Functions (where the region is exposed through environment variables). If auto-detection fails, MSAL falls back to the non-regional (global) authority.

```csharp
// If the app knows its region, use it: MSAL cannot reliably detect the region in every environment.
string region = Config.AzureRegion ?? ConfidentialClientApplication.AttemptRegionDiscovery;

var cca = ConfidentialClientApplicationBuilder.Create(client_id)
                  .WithAzureRegion(region)
                  .WithCertificate(x509cert)
                  .Build();
var result = await cca
                  .AcquireTokenForClient(scopes)
                  // The authority must be a tenanted authority, in the format "https://login.microsoftonline.com/{TenantId}"
                  .WithAuthority($"https://login.microsoftonline.com/{tenantId}")
                  .WithSendX5C(true) // send the certificate chain (x5c) for subject name / issuer (SNI) authentication
                  .ExecuteAsync();
```

Authority validation

Authority validation is not currently supported for regional Azure authorities. Validation is performed on the authority passed in the request, not on the regional authority MSAL derives from it.

Known errors

AADSTS700023: Client assertion audience claim does not match Realm issuer. This error is thrown when an invalid regional authority is used.
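The following is an added example, not code from this wiki or from MSAL.NET itself. It ties the region-detection guidance above to the known error: the region comes from the app's own configuration when known, otherwise MSAL is asked to auto-detect, and if AAD rejects the regional authority with AADSTS700023 the token request is retried once against the global tenanted authority. The names `clientId`, `tenantId`, `cert`, `scopes` and `configuredRegion` are placeholders, and matching the error on the exception message text is an assumption made here for illustration.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example; not part of MSAL.NET. Assumes a tenanted authority and a
// certificate loaded elsewhere (for example from a key vault or cert store).
public static class RegionalTokenClient
{
    // Prefer the region the deployment already knows; otherwise let MSAL try
    // auto-detection (IMDS / environment variables). Returning null means "global".
    public static string ResolveRegion(string configuredRegion)
    {
        if (!string.IsNullOrWhiteSpace(configuredRegion))
            return configuredRegion;
        return ConfidentialClientApplication.AttemptRegionDiscovery;
    }

    public static IConfidentialClientApplication Build(
        string clientId, string tenantId, X509Certificate2 cert, string region)
    {
        var builder = ConfidentialClientApplicationBuilder.Create(clientId)
            // Regional STS requires a tenanted authority, never /common or /organizations.
            .WithAuthority($"https://login.microsoftonline.com/{tenantId}")
            .WithCertificate(cert);

        if (region != null)
            builder = builder.WithAzureRegion(region);

        return builder.Build();
    }

    public static async Task<AuthenticationResult> AcquireAsync(
        string clientId, string tenantId, X509Certificate2 cert,
        string[] scopes, string configuredRegion)
    {
        var regional = Build(clientId, tenantId, cert, ResolveRegion(configuredRegion));
        try
        {
            return await regional.AcquireTokenForClient(scopes)
                .WithSendX5C(true) // x5c chain for subject name / issuer authentication
                .ExecuteAsync();
        }
        catch (MsalServiceException ex) when (ex.Message.Contains("AADSTS700023"))
        {
            // Known error from the section above: the regional authority was rejected.
            // Assumption: retrying once against the global authority is acceptable here.
            Console.Error.WriteLine($"Regional authority rejected ({ex.ErrorCode}); retrying globally.");
            var global = Build(clientId, tenantId, cert, region: null);
            return await global.AcquireTokenForClient(scopes)
                .WithSendX5C(true)
                .ExecuteAsync();
        }
    }
}
```

Log the fallback rather than silently swallowing it: a regional request that keeps falling back to the global authority usually means the configured region name is wrong or the app has not been opted in, which is exactly what this troubleshooting page is about.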
