azure-sdk-for-net: [BUG] Only the home tenant is considered for multi-tenant users when using SharedTokenCacheCredential
Describe the bug
As reported in Azure/AppConfiguration#201, it seems that using SharedTokenCacheCredential (which extends to DefaultAzureCredential) doesn't work when the user is part of multiple tenants.
Last week AzureAppConfiguration was updated to version 3, and it started using Azure.Identity. Version 2 seems to have used a self-implemented way of connecting with .ConnectWithManagedIdentity that has a fallback to local credentials if managed identity is not available. This worked just fine. Version 3, however, fails.
If I don't set SharedTokenCacheTenantId, it fails with a 500 (which is a bug apparently and should return 401). If I do set SharedTokenCacheTenantId, it fails with the message that no accounts have been found matching the tenant id. However, I am part of the tenant that I'm trying to connect to.
Exception or Stack Trace
SharedTokenCacheCredential is unavailable
No account matching the specified tenantId: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx was found in the cache.
To authenticate with the SharedTokenCacheCredential, login an account through developer tooling supporting Azure single sign on.
[ {username: ****** tenantId: yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy} ].
To Reproduce
In my case, I have a home tenant A and I am a guest in tenant B. The App Configuration instance that I want to connect to from my application resides in tenant B. Executing the code fails with the above mentioned message.
Code Snippet
using System;
using Azure.Identity;
using Microsoft.Extensions.Configuration;

var builder = new ConfigurationBuilder();
builder.AddAzureAppConfiguration(x =>
{
    // The endpoint lives in tenant B; the signed-in account's home tenant is A.
    x.Connect(new Uri("https://xxxx.azconfig.io"), new DefaultAzureCredential(new DefaultAzureCredentialOptions
    {
        // Tenant B; SharedTokenCacheCredential still reports no matching account.
        SharedTokenCacheTenantId = "xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx",
    }));
});
var config = builder.Build();
Expected behavior
I'm expecting this not to fail. Additionally, I expect it to succeed even without having to manually set the tenant id, as it does with version 2 of AppConfiguration.
Setup (please complete the following information):
- OS: Windows 10 1903
- IDE: Visual Studio 2019 16.3.9
- Version of the Library used: Azure.Identity 1.1.0
Information Checklist Kindly make sure that you have added all the following information above and check off the required fields, otherwise we will treat the issue as an incomplete report
- Bug Description Added
- Repro Steps Added
- Setup information Added
About this issue
- State: closed
- Created 5 years ago
- Reactions: 6
- Comments: 28 (14 by maintainers)
Thanks for the update. Does it work for you if the AZURE_TENANT_ID environment variable is set to your preferred tenant? This should be the same as providing it via the DefaultAzureCredentialOptions, but generically for any of the configurable credential types.
https://github.com/Azure/azure-sdk-for-net/blob/72d4c479d82a7f71fd5b40dccf736ce96d9ec6a4/sdk/identity/Azure.Identity/src/DefaultAzureCredentialOptions.cs#L13-L42
https://github.com/Azure/azure-sdk-for-net/blob/5af6e7328701b71aec8f948b8054692083412b97/sdk/identity/Azure.Identity/src/EnvironmentVariables.cs#L12
Thank you all for your contributions to this issue. As @a99cl208 and @brandonh-msft pointed out, the MSAL APIs don't expose guest tenant information when we list accounts, so at this time the SharedTokenCacheCredential is limited in its functionality because of this. We are working on broader changes to address this, which should be coming in our next preview release in May.
Also, in our last preview release, 1.2.0-preview.2, we added the VisualStudioCredential to the DefaultAzureCredential authentication flow, which I believe will unblock this scenario of signing into a guest tenant when authenticating in VS. If you log into VS with the desired account, and then specify the tenant you wish to authenticate in either via the AZURE_TENANT_ID environment variable or the VisualStudioTenantId property on DefaultAzureCredentialOptions, this will authenticate the account to the desired tenant.
Created https://github.com/Azure/azure-sdk-for-net/issues/11509
The problem is: in file https://github.com/Azure/azure-sdk-for-net/blob/master/sdk/identity/Azure.Identity/src/SharedTokenCacheCredential.cs, line 136, you have this code that is used to find your account:
So the filtering is done using the HomeAccountId. However, this ID is always the tenant ID of the main tenant of a user. If you want to log on to a tenant you are a guest in, it won't work. I have checked the MSAL token cache file "%HOMEPATH%\AppData\Local\.IdentityService\AccountStore.json", and in my case the ID of the tenant I want to log on to is in the JSON property IdentityServiceTenants, which is a serialized JSON array. But I noticed that the IAccount interface that is used by SharedTokenCacheCredential does not expose this property. So I don't think this can work with the actual design.
As @brandonh-msft said, an actual workaround is to use the interactive browser and specify the tenant id. We have used this workaround on my project for 3 months now. But it's clearly a workaround and not a solution, since you need to re-log on the interactive browser each time you launch your application, which is really annoying.
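Pulling the two suggestions in this thread together (the maintainers' advice to pin the tenant via AZURE_TENANT_ID or the tenant-id properties on DefaultAzureCredentialOptions, and the interactive-browser-with-explicit-tenant workaround above) into one helper, as an added example that is not code from the issue reporter, the commenters or the SDK. It assumes Azure.Identity 1.2.0 or later, where VisualStudioTenantId and InteractiveBrowserTenantId exist on DefaultAzureCredentialOptions; the GuestTenantCredential class name, the endpoint and the tenant ids are placeholders.

```csharp
using System;
using Azure.Core;
using Azure.Identity;
using Microsoft.Extensions.Configuration;

// Added example (not from the issue or the SDK): build a DefaultAzureCredential
// whose developer-tooling credentials are all pointed at the tenant that owns
// the resource, so a guest user is not resolved against the home tenant only.
static class GuestTenantCredential
{
    // Prefer AZURE_TENANT_ID (the variable the maintainers point at); fall back
    // to a tenant id supplied by the caller. Fail early rather than letting the
    // chain run and surface the "No account matching the specified tenantId" error.
    public static TokenCredential Create(string fallbackTenantId)
    {
        string tenantId = Environment.GetEnvironmentVariable("AZURE_TENANT_ID") ?? fallbackTenantId;
        if (string.IsNullOrWhiteSpace(tenantId))
        {
            throw new InvalidOperationException(
                "Set AZURE_TENANT_ID (or pass a tenant id) to the tenant that owns the resource.");
        }

        var options = new DefaultAzureCredentialOptions
        {
            // Per this issue the shared cache still only matches the home tenant,
            // so this hint alone is not enough for a guest account.
            SharedTokenCacheTenantId = tenantId,
            // Unblocks the guest-tenant case when the account is signed in to Visual Studio.
            VisualStudioTenantId = tenantId,
            // The workaround from the thread: a browser sign-in pinned to the guest tenant.
            InteractiveBrowserTenantId = tenantId,
            // Excluded by default; enable it so the chain ends in a prompt instead of a failure.
            ExcludeInteractiveBrowserCredential = false,
        };
        return new DefaultAzureCredential(options);
    }

    // Same wiring as the reporter's snippet, using the pinned credential.
    public static IConfiguration LoadAppConfiguration(Uri endpoint, string fallbackTenantId)
    {
        var builder = new ConfigurationBuilder();
        builder.AddAzureAppConfiguration(x => x.Connect(endpoint, Create(fallbackTenantId)));
        return builder.Build();
    }
}

// Usage (placeholders): the App Configuration store lives in tenant B, the guest tenant.
// var config = GuestTenantCredential.LoadAppConfiguration(
//     new Uri("https://xxxx.azconfig.io"), "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx");
```

Setting the tenant on every credential in the chain keeps the token's tenant consistent regardless of which credential ends up winning, which is what you want when the resource is in a tenant you are only a guest in. With the browser credential enabled, a machine where only the home-tenant account is in the shared cache gets a one-time prompt for tenant B instead of the hard failure shown at the top of this issue.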