Commit 0e90997

Update multitenant authN guidance and exception message (Azure#52944)
* Update multitenant authN guidance and exception message
* Apply suggestion from @christothes

Co-authored-by: Christopher Scott <[email protected]>

---------

Co-authored-by: Christopher Scott <[email protected]>
1 parent af4847a commit 0e90997

2 files changed

+3
-3
lines changed

sdk/identity/Azure.Identity/TROUBLESHOOTING.md

Lines changed: 2 additions & 2 deletions
@@ -305,7 +305,7 @@ azd auth token --output json --scope https://management.core.windows.net/.defaul
305305
|Az.Account module >= 2.2.0 isn't installed.|The Az.Account module needed for authentication in Azure PowerShell isn't installed.|Install the latest Az.Account module. Installation instructions can be found [here](https://learn.microsoft.com/powershell/azure/install-az-ps).|
306306
|Please run 'Connect-AzAccount' to set up account.|No account is currently logged into Azure PowerShell.|<ul><li>Log in to Azure PowerShell using the `Connect-AzAccount` command. More instructions for authenticating Azure PowerShell can be found at [Sign in with Azure PowerShell](https://learn.microsoft.com/powershell/azure/authenticate-azureps).</li><li>Validate that Azure PowerShell can obtain tokens. For instructions, see [Verify Azure PowerShell can obtain tokens](#verify-azure-powershell-can-obtain-tokens).</li></ul>|
307307

308-
#### __Verify Azure PowerShell can obtain tokens__
308+
### __Verify Azure PowerShell can obtain tokens__
309309

310310
You can manually verify that Azure PowerShell is properly authenticated, and can obtain tokens. First, use the `Get-AzContext` command to verify the account that is currently logged in to the Azure CLI.
311311

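Review bot: The context line directly under the changed heading (line 310) says `Get-AzContext` verifies the account "currently logged in to the Azure CLI", but this section is about Azure PowerShell; since the heading is being touched anyway, change that to "logged in to Azure PowerShell". The promotion from `####` to `###` is also not mentioned in the commit message, so it deserves a line there and a check that the new level matches the sibling headings in this part of the guide. The in-table link `#verify-azure-powershell-can-obtain-tokens` on line 306 is unaffected, because the anchor derives from the heading text and not its level.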
@@ -330,7 +330,7 @@ Get-AzAccessToken -ResourceUrl "https://management.core.windows.net"
330330

331331
| Error Message |Description| Mitigation |
332332
|---|---|---|
333-
|The current credential is not configured to acquire tokens for tenant <tenant ID>|<p>The application must configure the credential to allow token acquisition from the requested tenant.|Make one of the following changes in your app:<ul><li>Add the requested tenant ID to `AdditionallyAllowedTenants` on the credential options.</li><li>Add `*` to `AdditionallyAllowedTenants` to allow token acquisition for any tenant.</li></ul></p><p>This exception was added as part of a breaking change to multi-tenant authentication in version `1.7.0`. Users experiencing this error after upgrading can find details on the change and migration in [BREAKING_CHANGES.md](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/BREAKING_CHANGES.md#170).</p> |
333+
|The current credential is not configured to acquire tokens for tenant \<tenant ID\>.|The app must configure the credential to allow token acquisition from the requested tenant.|Make one of the following changes in the credential's options:<ul><li>Set property `TenantId` to the requested tenant ID if your app only needs to authenticate to a single, known tenant.</li><li>Add the requested tenant ID to property `AdditionallyAllowedTenants` if your app needs to authenticate to multiple tenants or if the tenant is determined at runtime.</li><li>Set property `AdditionallyAllowedTenants` to include the known tenants, or `*` if the tenants are unknown, to allow token acquisition for additional tenants (use `*` with caution in production as it will trust any tenant).</li></ul><p>This exception was added as part of a breaking change to multi-tenant authentication in version `1.7.0`. Users experiencing this error after upgrading can find details on the change and migration in [BREAKING_CHANGES.md](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/BREAKING_CHANGES.md#170).</p> |
334334

335335
## Troubleshoot brokered authentication issues
336336

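Review bot: In the added row (line 333), the second and third bullets overlap: both tell the reader to put tenant IDs in `AdditionallyAllowedTenants`, one worded as "Add the requested tenant ID to property" and the other as "Set property ... to include the known tenants". Merge them into a single bullet for known tenants and give `*` its own bullet so the production caution stands out. "It will trust any tenant" could also say what that means here: going by the check in `TenantIdResolver.cs`, the allow-list comparison is skipped entirely when the list is the all-tenants value, so the credential will acquire a token for whatever tenant is requested.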
sdk/identity/Azure.Identity/src/TenantIdResolver.cs

Lines changed: 1 addition & 1 deletion
@@ -42,7 +42,7 @@ false when string.Equals(explicitTenantId, Constants.AdfsTenantId, StringCompari
4242

4343
if (explicitTenantId != null && !string.Equals(resolvedTenantId, explicitTenantId, StringComparison.OrdinalIgnoreCase) && additionallyAllowedTenantIds != AllTenants && Array.BinarySearch(additionallyAllowedTenantIds, resolvedTenantId, StringComparer.OrdinalIgnoreCase) < 0)
4444
{
45-
throw new AuthenticationFailedException($"The current credential is not configured to acquire tokens for tenant {resolvedTenantId}. To enable acquiring tokens for this tenant add it to the AdditionallyAllowedTenants on the credential options, or add \"*\" to AdditionallyAllowedTenants to allow acquiring tokens for any tenant. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/multitenant/troubleshoot");
45+
throw new AuthenticationFailedException($"The current credential is not configured to acquire tokens for tenant {resolvedTenantId}. To enable token acquisition for this tenant, see the guidance at https://aka.ms/azsdk/net/identity/multitenant/troubleshoot.");
4646
}
4747

4848
return resolvedTenantId;
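Review bot: The new message on line 45 ends with the URL immediately followed by a period ("...multitenant/troubleshoot."), and terminals or log viewers that auto-link URLs often take the trailing period as part of the link; move the URL ahead of the sentence end or drop the final period. The message also no longer names `AdditionallyAllowedTenants`, so someone reading the exception in a log without network access gets no hint of the fix; consider keeping a short clause such as "set TenantId or add the tenant to AdditionallyAllowedTenants" before the link. Only two files change in this commit, so check for any tests or docs that match on the old message text.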
