[Identity] Update instance discovery error message (Azure#36932)

Signed-off-by: Paul Van Eck <[email protected]>

Author: pvaneck

sdk/identity/azure-identity/azure/identity/_internal/msal_credentials.py

@@ -32,7 +32,7 @@ def __init__(
         disable_instance_discovery: Optional[bool] = None,
         tenant_id: Optional[str] = None,
         enable_support_logging: Optional[bool] = None,
-        **kwargs: Any
+        **kwargs: Any,
     ) -> None:
         self._instance_discovery = None if disable_instance_discovery is None else not disable_instance_discovery
         self._authority = normalize_authority(authority) if authority else get_default_authority()
@@ -104,17 +104,26 @@ def _get_app(self, **kwargs: Any) -> msal.ClientApplication:
             token_cache = self._initialize_cache(is_cae=bool(kwargs.get("enable_cae")))
 
         if tenant_id not in client_applications_map:
-            client_applications_map[tenant_id] = app_class(
-                client_id=self._client_id,
-                client_credential=self._client_credential,
-                client_capabilities=capabilities,
-                authority="{}/{}".format(self._authority, tenant_id),
-                azure_region=self._regional_authority,
-                token_cache=token_cache,
-                http_client=self._client,
-                instance_discovery=self._instance_discovery,
-                enable_pii_log=self._enable_support_logging,
-            )
+            try:
+                client_applications_map[tenant_id] = app_class(
+                    client_id=self._client_id,
+                    client_credential=self._client_credential,
+                    client_capabilities=capabilities,
+                    authority="{}/{}".format(self._authority, tenant_id),
+                    azure_region=self._regional_authority,
+                    token_cache=token_cache,
+                    http_client=self._client,
+                    instance_discovery=self._instance_discovery,
+                    enable_pii_log=self._enable_support_logging,
+                )
+            except ValueError as ex:
+                if "invalid_instance" in str(ex):
+                    raise ValueError(  # pylint: disable=raise-missing-from
+                        f"The authority provided, {self._authority}, is not well-known. If this authority is valid "
+                        "and trustworthy, you can disable this check by passing in "
+                        "'disable_instance_discovery=True' when constructing the credential."
+                    )
+                raise
 
         return client_applications_map[tenant_id]
 

sdk/identity/azure-identity/tests/test_instance_discovery.py

@@ -2,7 +2,10 @@
 # Copyright (c) Microsoft Corporation.
 # Licensed under the MIT License.
 # ------------------------------------
+import pytest
+
 from azure.identity._internal.msal_credentials import MsalCredential
+from azure.core.exceptions import ServiceRequestError
 
 
 def test_instance_discovery():
@@ -19,3 +22,24 @@ def test_instance_discovery():
     )
     app = credential._get_app()
     assert app._instance_discovery
+
+
+def test_unknown_authority():
+    credential = MsalCredential(
+        client_id="CLIENT_ID",
+        authority="unknown.authority",
+    )
+    with pytest.raises(ValueError) as ex:
+        credential._get_app()
+        assert "disable_instance_discovery" in str(ex)
+
+    credential = MsalCredential(
+        client_id="CLIENT_ID",
+        authority="unknown.authority",
+        disable_instance_discovery=True,
+    )
+
+    with pytest.raises(ServiceRequestError):
+        # Instance discovery is disabled, so the credential should not attempt to validate the authority, and instead
+        # attempt to use the authority as given. This is fail since unknown.authority is not resolvable.
+        credential._get_app()