Fix tenantId selection in MSAL (Azure#52613)

christothes · web-flow · commit 588dd67b7cdc · 2025-09-12T22:24:38.000Z
diff --git a/sdk/identity/Azure.Identity/CHANGELOG.md b/sdk/identity/Azure.Identity/CHANGELOG.md
@@ -8,6 +8,8 @@
 
 ### Bugs Fixed
 
+- TenantId is now configured via MSAL's `WithTenantId` instead of `WithTenantIdFromAuthority` to prevent malformed Uris to the authority.
+
 ### Other Changes
 
 ## 1.16.0 (2025-09-09)
diff --git a/sdk/identity/Azure.Identity/src/MsalClientBase.cs b/sdk/identity/Azure.Identity/src/MsalClientBase.cs
@@ -108,20 +108,5 @@ await _clientWithCaeAsyncLock.GetLockOrValueAsync(true, default).ConfigureAwait(
 
             return asyncLock.HasValue ? asyncLock.Value.Cache : null;
         }
-
-        public UriBuilder BuildTenantIdWithAuthorityHost(string tenantId)
-        {
-            UriBuilder uriBuilder = new(AuthorityHost);
-            if (uriBuilder.Path.EndsWith("/"))
-            {
-                uriBuilder.Path += tenantId;
-            }
-            else
-            {
-                uriBuilder.Path = uriBuilder.Path + "/" + tenantId;
-            }
-
-            return uriBuilder;
-        }
     }
 }
diff --git a/sdk/identity/Azure.Identity/src/MsalConfidentialClient.cs b/sdk/identity/Azure.Identity/src/MsalConfidentialClient.cs
@@ -169,8 +169,7 @@ public virtual async ValueTask<AuthenticationResult> AcquireTokenForClientCoreAs
 
             if (!string.IsNullOrEmpty(tenantId))
             {
-                UriBuilder uriBuilder = BuildTenantIdWithAuthorityHost(tenantId);
-                builder.WithTenantIdFromAuthority(uriBuilder.Uri);
+                builder.WithTenantId(tenantId);
             }
             if (!string.IsNullOrEmpty(claims))
             {
@@ -211,8 +210,7 @@ public virtual async ValueTask<AuthenticationResult> AcquireTokenSilentCoreAsync
             var builder = client.AcquireTokenSilent(scopes, account);
             if (!string.IsNullOrEmpty(tenantId))
             {
-                UriBuilder uriBuilder = BuildTenantIdWithAuthorityHost(tenantId);
-                builder.WithTenantIdFromAuthority(uriBuilder.Uri);
+                builder.WithTenantId(tenantId);
             }
             if (!string.IsNullOrEmpty(claims))
             {
@@ -254,8 +252,7 @@ public virtual async ValueTask<AuthenticationResult> AcquireTokenByAuthorization
 
             if (!string.IsNullOrEmpty(tenantId))
             {
-                UriBuilder uriBuilder = BuildTenantIdWithAuthorityHost(tenantId);
-                builder.WithTenantIdFromAuthority(uriBuilder.Uri);
+                builder.WithTenantId(tenantId);
             }
             if (!string.IsNullOrEmpty(claims))
             {
@@ -297,8 +294,7 @@ public virtual async ValueTask<AuthenticationResult> AcquireTokenOnBehalfOfCoreA
 
             if (!string.IsNullOrEmpty(tenantId))
             {
-                UriBuilder uriBuilder = BuildTenantIdWithAuthorityHost(tenantId);
-                builder.WithTenantIdFromAuthority(uriBuilder.Uri);
+                builder.WithTenantId(tenantId);
             }
             if (!string.IsNullOrEmpty(claims))
             {
diff --git a/sdk/identity/Azure.Identity/src/MsalPublicClient.cs b/sdk/identity/Azure.Identity/src/MsalPublicClient.cs
@@ -126,8 +126,7 @@ protected virtual async ValueTask<AuthenticationResult> AcquireTokenSilentCoreAs
             }
             if (tenantId != null)
             {
-                UriBuilder uriBuilder = BuildTenantIdWithAuthorityHost(tenantId);
-                builder.WithTenantIdFromAuthority(uriBuilder.Uri);
+                builder.WithTenantId(tenantId);
             }
 
             if (context.IsProofOfPossessionEnabled)
@@ -182,8 +181,7 @@ protected virtual async ValueTask<AuthenticationResult> AcquireTokenSilentCoreAs
 
             if (tenantId != null || record.TenantId != null)
             {
-                UriBuilder uriBuilder = BuildTenantIdWithAuthorityHost(tenantId ?? record.TenantId);
-                builder.WithTenantIdFromAuthority(uriBuilder.Uri);
+                builder.WithTenantId(tenantId ?? record.TenantId);
             }
 
             if (!string.IsNullOrEmpty(claims))
@@ -284,8 +282,7 @@ protected virtual async ValueTask<AuthenticationResult> AcquireTokenInteractiveC
             }
             if (tenantId != null)
             {
-                UriBuilder uriBuilder = BuildTenantIdWithAuthorityHost(tenantId);
-                builder.WithTenantIdFromAuthority(uriBuilder.Uri);
+                builder.WithTenantId(tenantId);
             }
             if (browserOptions != null)
             {
@@ -328,8 +325,7 @@ protected virtual async ValueTask<AuthenticationResult> AcquireTokenByUsernamePa
             }
             if (!string.IsNullOrEmpty(tenantId))
             {
-                UriBuilder uriBuilder = BuildTenantIdWithAuthorityHost(tenantId);
-                builder.WithTenantIdFromAuthority(uriBuilder.Uri);
+                builder.WithTenantId(tenantId);
             }
             return await builder.ExecuteAsync(async, cancellationToken)
                 .ConfigureAwait(false);
@@ -353,8 +349,7 @@ protected virtual async ValueTask<AuthenticationResult> AcquireTokenWithDeviceCo
             }
             if (!string.IsNullOrEmpty(TenantId))
             {
-                UriBuilder uriBuilder = BuildTenantIdWithAuthorityHost(TenantId);
-                builder.WithTenantIdFromAuthority(uriBuilder.Uri);
+                builder.WithTenantId(TenantId);
             }
 
             return await builder.ExecuteAsync(async, cancellationToken)
@@ -380,8 +375,7 @@ protected virtual async ValueTask<AuthenticationResult> AcquireTokenByRefreshTok
 
             if (!string.IsNullOrEmpty(TenantId))
             {
-                UriBuilder uriBuilder = BuildTenantIdWithAuthorityHost(TenantId);
-                builder.WithTenantIdFromAuthority(uriBuilder.Uri);
+                builder.WithTenantId(TenantId);
             }
 
             return await builder.ExecuteAsync(async, cancellationToken)

Original file line number	Diff line number	Diff line change
`@@ -169,8 +169,7 @@ public virtual async ValueTask<AuthenticationResult> AcquireTokenForClientCoreAs`
`169`	`169`
`170`	`170`	`if (!string.IsNullOrEmpty(tenantId))`
`171`	`171`	`{`
`172`		`- UriBuilder uriBuilder = BuildTenantIdWithAuthorityHost(tenantId);`
`173`		`- builder.WithTenantIdFromAuthority(uriBuilder.Uri);`
	`172`	`+ builder.WithTenantId(tenantId);`
`174`	`173`	`}`
`175`	`174`	`if (!string.IsNullOrEmpty(claims))`
`176`	`175`	`{`
`@@ -211,8 +210,7 @@ public virtual async ValueTask<AuthenticationResult> AcquireTokenSilentCoreAsync`
`211`	`210`	`var builder = client.AcquireTokenSilent(scopes, account);`
`212`	`211`	`if (!string.IsNullOrEmpty(tenantId))`
`213`	`212`	`{`
`214`		`- UriBuilder uriBuilder = BuildTenantIdWithAuthorityHost(tenantId);`
`215`		`- builder.WithTenantIdFromAuthority(uriBuilder.Uri);`
	`213`	`+ builder.WithTenantId(tenantId);`
`216`	`214`	`}`
`217`	`215`	`if (!string.IsNullOrEmpty(claims))`
`218`	`216`	`{`
`@@ -254,8 +252,7 @@ public virtual async ValueTask<AuthenticationResult> AcquireTokenByAuthorization`
`254`	`252`
`255`	`253`	`if (!string.IsNullOrEmpty(tenantId))`
`256`	`254`	`{`
`257`		`- UriBuilder uriBuilder = BuildTenantIdWithAuthorityHost(tenantId);`
`258`		`- builder.WithTenantIdFromAuthority(uriBuilder.Uri);`
	`255`	`+ builder.WithTenantId(tenantId);`
`259`	`256`	`}`
`260`	`257`	`if (!string.IsNullOrEmpty(claims))`
`261`	`258`	`{`
`@@ -297,8 +294,7 @@ public virtual async ValueTask<AuthenticationResult> AcquireTokenOnBehalfOfCoreA`
`297`	`294`
`298`	`295`	`if (!string.IsNullOrEmpty(tenantId))`
`299`	`296`	`{`
`300`		`- UriBuilder uriBuilder = BuildTenantIdWithAuthorityHost(tenantId);`
`301`		`- builder.WithTenantIdFromAuthority(uriBuilder.Uri);`
	`297`	`+ builder.WithTenantId(tenantId);`
`302`	`298`	`}`
`303`	`299`	`if (!string.IsNullOrEmpty(claims))`
`304`	`300`	`{`
Original file line number	Diff line number	Diff line change
`@@ -126,8 +126,7 @@ protected virtual async ValueTask<AuthenticationResult> AcquireTokenSilentCoreAs`
`126`	`126`	`}`
`127`	`127`	`if (tenantId != null)`
`128`	`128`	`{`
`129`		`- UriBuilder uriBuilder = BuildTenantIdWithAuthorityHost(tenantId);`
`130`		`- builder.WithTenantIdFromAuthority(uriBuilder.Uri);`
	`129`	`+ builder.WithTenantId(tenantId);`
`131`	`130`	`}`
`132`	`131`
`133`	`132`	`if (context.IsProofOfPossessionEnabled)`
`@@ -182,8 +181,7 @@ protected virtual async ValueTask<AuthenticationResult> AcquireTokenSilentCoreAs`
`182`	`181`
`183`	`182`	`if (tenantId != null \|\| record.TenantId != null)`
`184`	`183`	`{`
`185`		`- UriBuilder uriBuilder = BuildTenantIdWithAuthorityHost(tenantId ?? record.TenantId);`
`186`		`- builder.WithTenantIdFromAuthority(uriBuilder.Uri);`
	`184`	`+ builder.WithTenantId(tenantId ?? record.TenantId);`
`187`	`185`	`}`
`188`	`186`
`189`	`187`	`if (!string.IsNullOrEmpty(claims))`
`@@ -284,8 +282,7 @@ protected virtual async ValueTask<AuthenticationResult> AcquireTokenInteractiveC`
`284`	`282`	`}`
`285`	`283`	`if (tenantId != null)`
`286`	`284`	`{`
`287`		`- UriBuilder uriBuilder = BuildTenantIdWithAuthorityHost(tenantId);`
`288`		`- builder.WithTenantIdFromAuthority(uriBuilder.Uri);`
	`285`	`+ builder.WithTenantId(tenantId);`
`289`	`286`	`}`
`290`	`287`	`if (browserOptions != null)`
`291`	`288`	`{`
`@@ -328,8 +325,7 @@ protected virtual async ValueTask<AuthenticationResult> AcquireTokenByUsernamePa`
`328`	`325`	`}`
`329`	`326`	`if (!string.IsNullOrEmpty(tenantId))`
`330`	`327`	`{`
`331`		`- UriBuilder uriBuilder = BuildTenantIdWithAuthorityHost(tenantId);`
`332`		`- builder.WithTenantIdFromAuthority(uriBuilder.Uri);`
	`328`	`+ builder.WithTenantId(tenantId);`
`333`	`329`	`}`
`334`	`330`	`return await builder.ExecuteAsync(async, cancellationToken)`
`335`	`331`	`.ConfigureAwait(false);`
`@@ -353,8 +349,7 @@ protected virtual async ValueTask<AuthenticationResult> AcquireTokenWithDeviceCo`
`353`	`349`	`}`
`354`	`350`	`if (!string.IsNullOrEmpty(TenantId))`
`355`	`351`	`{`
`356`		`- UriBuilder uriBuilder = BuildTenantIdWithAuthorityHost(TenantId);`
`357`		`- builder.WithTenantIdFromAuthority(uriBuilder.Uri);`
	`352`	`+ builder.WithTenantId(TenantId);`
`358`	`353`	`}`
`359`	`354`
`360`	`355`	`return await builder.ExecuteAsync(async, cancellationToken)`
`@@ -380,8 +375,7 @@ protected virtual async ValueTask<AuthenticationResult> AcquireTokenByRefreshTok`
`380`	`375`
`381`	`376`	`if (!string.IsNullOrEmpty(TenantId))`
`382`	`377`	`{`
`383`		`- UriBuilder uriBuilder = BuildTenantIdWithAuthorityHost(TenantId);`
`384`		`- builder.WithTenantIdFromAuthority(uriBuilder.Uri);`
	`378`	`+ builder.WithTenantId(TenantId);`
`385`	`379`	`}`
`386`	`380`
`387`	`381`	`return await builder.ExecuteAsync(async, cancellationToken)`