AzureAD / microsoft-authentication-library-for-python

Microsoft Authentication Library (MSAL) for Python makes it easy to authenticate to Microsoft Entra ID. General docs are available here: https://learn.microsoft.com/entra/msal/python/. Stable APIs are documented here: https://msal-python.readthedocs.io. Questions can be asked on www.stackoverflow.com with tag "msal" + "python".
https://stackoverflow.com/questions/tagged/azure-ad-msal+python

In WAM flow, MFA is not cached for non-home tenant #704

Open jiasli opened 4 months ago

jiasli commented 4 months ago

Describe the bug
In WAM flow, MFA is not cached for non-home tenant.

To Reproduce
In the browser flow, MFA information is cached (possibly by cookies), meaning that no MFA is required when running az login again.

az config set core.enable_broker_on_windows=false
az login --tenant 54826b22-38d6-4fb2-bad9-b7b93a3e9c5a  # MFA required
az account clear
az login --tenant 54826b22-38d6-4fb2-bad9-b7b93a3e9c5a  # No MFA required

However, with WAM, MFA information is not cached, meaning that MFA is required when running az login again:

az config set core.enable_broker_on_windows=true
az login --tenant 54826b22-38d6-4fb2-bad9-b7b93a3e9c5a  # MFA required
az account clear
az login --tenant 54826b22-38d6-4fb2-bad9-b7b93a3e9c5a  # MFA required

Expected behavior
The behaviors for WAM flow and browser flow should be consistent.

What you see instead
The behaviors for WAM flow and browser flow are not consistent.

The MSAL Python version you are using

> pip list | Select-String msal

msal                                    1.28.0
msal-extensions                         1.2.0b1
pymsalruntime                           0.14.2a1

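A practical way to check what each of the login steps above actually did is to look at the claims of the resulting access token rather than relying on whether a prompt appeared. The following is an added example, not code from this issue or from MSAL itself: it decodes a token's payload without verifying the signature (fine for inspecting a token you just obtained yourself, never for authorization decisions), reports whether the `amr` claim contains `mfa`, and whether the token was issued for a tenant other than the user's home tenant, which Entra ID signals by an `idp` claim that differs from `iss`. The tokens below are constructed samples with dummy signatures; the tenant id is the one from the report, and the home tenant id is a placeholder. In practice you would feed in the output of `az account get-access-token --query accessToken -o tsv` after each `az login`.

```python
import base64
import json

HOME_TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder home tenant id
RESOURCE_TENANT = "54826b22-38d6-4fb2-bad9-b7b93a3e9c5a"  # tenant used in the repro steps


def _b64url_encode(obj: dict) -> str:
    """base64url-encode a JSON object without padding, as JWTs do."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT (empty signature part) for demonstration only."""
    header = {"alg": "none", "typ": "JWT"}
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}."


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated parts")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def mfa_satisfied(token: str) -> bool:
    """True when the authentication-methods claim records a completed MFA."""
    return "mfa" in decode_jwt_claims(token).get("amr", [])


def is_non_home_tenant(token: str) -> bool:
    """True when the user was authenticated by a different tenant than the issuer (guest/B2B)."""
    claims = decode_jwt_claims(token)
    idp = claims.get("idp")
    return idp is not None and idp != claims.get("iss")


def summarize(token: str) -> dict:
    """Compact view of the claims relevant to the WAM-vs-browser comparison."""
    claims = decode_jwt_claims(token)
    return {
        "tid": claims.get("tid"),
        "amr": claims.get("amr", []),
        "mfa": mfa_satisfied(token),
        "non_home_tenant": is_non_home_tenant(token),
    }


# Constructed samples: a guest login in the non-home tenant with and without MFA,
# and a login in the user's home tenant.
TOKEN_GUEST_MFA = _make_sample_token({
    "iss": f"https://sts.windows.net/{RESOURCE_TENANT}/",
    "idp": f"https://sts.windows.net/{HOME_TENANT}/",
    "tid": RESOURCE_TENANT,
    "amr": ["pwd", "mfa"],
    "upn": "user@example.com",
})
TOKEN_GUEST_NO_MFA = _make_sample_token({
    "iss": f"https://sts.windows.net/{RESOURCE_TENANT}/",
    "idp": f"https://sts.windows.net/{HOME_TENANT}/",
    "tid": RESOURCE_TENANT,
    "amr": ["pwd"],
    "upn": "user@example.com",
})
TOKEN_HOME = _make_sample_token({
    "iss": f"https://sts.windows.net/{HOME_TENANT}/",
    "tid": HOME_TENANT,
    "amr": ["pwd", "mfa"],
    "upn": "user@example.com",
})

if __name__ == "__main__":
    for name, tok in [("guest+mfa", TOKEN_GUEST_MFA),
                      ("guest", TOKEN_GUEST_NO_MFA),
                      ("home", TOKEN_HOME)]:
        print(name, summarize(tok))
```

Comparing `summarize()` output for the token obtained after the second `az login` in the browser flow and in the WAM flow makes the difference the report describes observable in the token itself, instead of depending on whether an interactive prompt happened to appear.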

jiasli commented 4 months ago

I am not sure which of my operations affected it, but I am not able to reproduce it now. I can't trigger MFA in WAM anymore.

rayluo commented 4 months ago

> I am not sure which of my operations affected it, but I am not able to reproduce it now. I can't trigger MFA in WAM anymore.

I do not know enough about MsalRuntime and WAM details to speak on that. I can just share my personal experience that I also occasionally ran into a similar situation. It feels like the underlying cache does not immediately store the SSO and/or MFA state.

Regardless, let's tag @iulico-1, @ashok672, @fengga for awareness.