AzureAD / microsoft-authentication-library-for-dotnet

Microsoft Authentication Library (MSAL) for .NET
https://aka.ms/msal-net
MIT License

[Bug] MSAL attempting to get token from wrong tenant when using a PCA Builder with a certain tenant id #4389

Open hallivia opened 1 year ago

hallivia commented 1 year ago

Library version used

4.56.0.0

.NET version

.NET 7.0.12 Windows

Scenario

Other - please specify

Is this a new or an existing app?

This is a new app or experiment

Issue description and reproduction steps

The code normally works, but today I found that the silent retrieval of an access token was throwing an error on my side, even though my user on the device is registered to the right tenant. After debugging with the Microsoft team, we found out that the log says it attempts to connect to a different tenant id when trying to get the token, instead of the tenant id that was passed to the PCABuilder.

Log provided to the Microsoft team via OneDrive.

Relevant code snippets

```csharp
// Caller: build the PCA for the given tenant, then acquire a token silently
// through the broker for the signed-in OS account.
PublicClientApplicationBuilder pcaBuilder = pcaTester.CreatePcaBuilder(tenantId);

var pca = pcaBuilder.Build();
AcquireTokenSilentParameterBuilder atsBuilder = pca.AcquireTokenSilent(PCATester.Scopes, PublicClientApplication.OperatingSystemAccount);
// The error was thrown by the ExecuteAsync call
AuthenticationResult result = await atsBuilder.ExecuteAsync().ConfigureAwait(false);
if (result.AccessToken != null)
{
    Console.WriteLine(result.AccessToken);
}
```

```csharp
// Helper methods from the test app (Authority, ListOSAccounts, HasMsaPasThrough,
// getClientIdFromTenantId and MyIdentityLogger are defined elsewhere in it).
internal PublicClientApplicationBuilder CreatePcaBuilder(string tenantId)
{
    var pcaBuilder = CreatePcaBuilderNoBroker(tenantId);

    // Enable the WAM broker on Windows with the options below.
    BrokerOptions options = new BrokerOptions(BrokerOptions.OperatingSystems.Windows);
    options.Title = "new Runtime broker";
    options.ListOperatingSystemAccounts = ListOSAccounts;
    options.MsaPassthrough = HasMsaPasThrough;

    pcaBuilder.WithBroker(options);

    return pcaBuilder;
}

internal PublicClientApplicationBuilder CreatePcaBuilderNoBroker(string tenantId)
{
    // GetConsoleWindow is the Win32 P/Invoke, declared elsewhere as:
    // [DllImport("kernel32.dll")] static extern IntPtr GetConsoleWindow();
    IntPtr consoleWindowHandle = GetConsoleWindow();
    Func<IntPtr> consoleWindowHandleProvider = () => consoleWindowHandle;

    // tenantId is used to pick the client id; the authority comes from the Authority field.
    string clientId = getClientIdFromTenantId(tenantId);
    MyIdentityLogger myLogger = new MyIdentityLogger();
    var pcaBuilder = PublicClientApplicationBuilder
        .Create(clientId)
        .WithAuthority(Authority)
        .WithRedirectUri("http://localhost") // required for DefaultOsBrowser
        .WithParentActivityOrWindow(consoleWindowHandleProvider)
        .WithLogging(myLogger, true);

    return pcaBuilder;
}
```

Expected behavior

Access token should be retrieved, and no error like this should be thrown:

```
Unhandled exception: MSAL.NetCore.4.56.0.0.MsalUiRequiredException: ErrorCode: failed_to_acquire_token_silently_from_broker Microsoft.Identity.Client.MsalUiRequiredException: WAM Error Error Code: 3400073242 Error Message: No endpoint information in discovery response. Internal Error Code: 527291998
   at Microsoft.Identity.Client.Internal.Requests.Silent.SilentRequest.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.ApiConfig.Executors.ClientApplicationBaseExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenSilentParameters silentParameters, CancellationToken cancellationToken)
```

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

4.56.0.0

Solution and workarounds

No workaround found at the moment.
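As an added example (not code from this issue or from MSAL.NET itself), the setup below derives the authority from the tenant id passed in, keeps the broker on its default options, and checks the tenant of the returned token before it is used, so a token from an unexpected tenant is rejected rather than silently accepted; `clientId`, `tenantId` and `scopes` are placeholders the caller supplies.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.Identity.Client.Broker;

// Added example, not code from the issue or from MSAL.NET itself.
internal static class TenantPinnedSilentAuth
{
    [DllImport("kernel32.dll")]
    private static extern IntPtr GetConsoleWindow();

    // clientId and tenantId are placeholders supplied by the caller.
    internal static IPublicClientApplication BuildPca(string clientId, string tenantId)
    {
        IntPtr hwnd = GetConsoleWindow();
        return PublicClientApplicationBuilder
            .Create(clientId)
            // Derive the authority from the requested tenant instead of a fixed constant,
            // so the configured authority and the tenant passed in cannot drift apart.
            .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
            .WithDefaultRedirectUri()
            .WithParentActivityOrWindow(() => hwnd)
            // Default broker options; MsaPassthrough is left at its default (off).
            .WithBroker(new BrokerOptions(BrokerOptions.OperatingSystems.Windows));
    }

    // Acquire silently for the OS account and refuse a token issued by any other tenant.
    internal static async Task<string> AcquireSilentForTenantAsync(
        IPublicClientApplication pca, string[] scopes, string expectedTenantId)
    {
        try
        {
            AuthenticationResult result = await pca
                .AcquireTokenSilent(scopes, PublicClientApplication.OperatingSystemAccount)
                .ExecuteAsync()
                .ConfigureAwait(false);
            // Check the issuing tenant before the token is handed to anything else.
            if (!string.Equals(result.TenantId, expectedTenantId, StringComparison.OrdinalIgnoreCase))
                throw new InvalidOperationException(
                    $"Token issued by tenant '{result.TenantId}', expected '{expectedTenantId}'.");
            return result.AccessToken;
        }
        catch (MsalUiRequiredException ex)
        {
            // Broker or cache could not satisfy the request silently (as in the report above);
            // surface the error code and let the caller decide on an interactive fallback.
            Console.WriteLine($"Silent acquisition failed: {ex.ErrorCode}");
            throw;
        }
    }
}
```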

gladjohn commented 1 year ago

@ashok672 has been investigating this

bgavrilMS commented 3 days ago

You should not use the MsaPassthrough option; it's a legacy config available only to some internal apps.