
[BUG] Updating Azure.Identity to 1.13.0 and Microsoft.Identity.Client to 4.65.0/4.66.1 fails with invalid_client #46762

Open
pgrandhi opened this issue Oct 22, 2024 · 3 comments
Labels: Azure.Identity; Client (this issue points to a problem in the data-plane of the library); needs-author-feedback (Workflow: more information is needed from the author to address the issue)

Comments

pgrandhi commented Oct 22, 2024

Azure.Identity to 1.13.0 and Microsoft.Identity.Client to 4.65.0/4.66.1

Updating Azure.Identity to 1.13.0 and Microsoft.Identity.Client to 4.65.0/4.66.1 fails with invalid_client

Describe the bug

We started getting this AuthenticationFailedException saying that the client application is missing a service principal in the 1P AAD tenant, even though we are actually passing a different tenantId (the one where the app is created) to the TokenCredential. Not sure why it is looking in the 1P AAD tenant and complaining that the service principal does not exist.

```
Azure.Identity.AuthenticationFailedException: ClientCertificateCredential authentication failed:
---> MSAL.NetCore.4.65.0.0.MsalServiceException:
ErrorCode: invalid_client
Microsoft.Identity.Client.MsalServiceException: A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS7000229: The client application is missing service principal in the tenant f8cdef31-a31e-4b4a-93e4-5f571e91255a. See instructions here: https://go.microsoft.com/fwlink/?linkid=2225119 Trace ID: adbf2a0d-cf9c-4779-b8e4-5e986a530f00 Correlation ID: 70425c48-461c-4720-b354-c12eeda72c5d Timestamp: 2024-10-22 18:44:50Z
...
   at Azure.Identity.ClientCertificateCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
StatusCode: 401
ResponseBody: {"error":"invalid_client","error_description":"AADSTS7000229: The client application fe81293a-4ae8-47a7-ab18-4da55488b2bc is missing service principal in the tenant f8cdef31-a31e-4b4a-93e4-5f571e91255a. See instructions here: https://go.microsoft.com/fwlink/?linkid=2225119 Trace ID: adbf2a0d-cf9c-4779-b8e4-5e986a530f00 Correlation ID: 70425c48-461c-4720-b354-c12eeda72c5d Timestamp: 2024-10-22 18:44:50Z","error_codes":[7000229],"timestamp":"2024-10-22 18:44:50Z","trace_id":"adbf2a0d-cf9c-4779-b8e4-5e986a530f00","correlation_id":"70425c48-461c-4720-b354-c12eeda72c5d","error_uri":"https://login.microsoftonline.com/error?code=7000229"}
Headers: Cache-Control: no-store, no-cache
Pragma: no-cache
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
client-request-id: 70425c48-461c-4720-b354-c12eeda72c5d
x-ms-request-id: adbf2a0d-cf9c-4779-b8e4-5e986a530f00
x-ms-ests-server: 2.1.19184.6 - WEULR1 ProdSlices
x-ms-clitelem: 1,7000229,0,,
x-ms-srs: 1.P
X-XSS-Protection: 0
Set-Cookie: fpc=AruZXyKpADZGp5Fk_LL_iohhQeiFAQAAAKHpqd4OAAAA; expires=Thu, 21-Nov-2024 18:44:50 GMT; path=/; secure; HttpOnly; SameSite=None, x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly, stsservicecookie=estsfd; path=/; secure; samesite=none; httponly
Date: Tue, 22 Oct 2024 18:44:49 GMT
```

Expected behavior

There have been no code changes except for NuGet version updates, and it started failing with this error. The app is not in the 1P tenant but in the tenant that we are explicitly passing. We are calling

```csharp
new CustomClientCertificateCredential(
    AppHomeTenantId,
    ApplicationId,
    Cert.X509Certificate,
    "https://management.azure.com/.default",
    new ClientCertificateCredentialOptions
    {
        AuthorityHost = new Uri("https://login.microsoftonline.com/common"),
        AdditionallyAllowedTenants = { "*" },
        SendCertificateChain = true
    });
```

Expected behavior: successfully acquire a token

Actual behavior

AuthenticationFailedException

Reproduction Steps

```csharp
new CustomClientCertificateCredential(
    AppHomeTenantId,
    ApplicationId,
    Cert.X509Certificate,
    "https://management.azure.com/.default",
    new ClientCertificateCredentialOptions
    {
        AuthorityHost = new Uri("https://login.microsoftonline.com/common"),
        AdditionallyAllowedTenants = { "*" },
        SendCertificateChain = true
    });
```

Environment

AAD PROD

@github-actions github-actions bot added Azure.Identity Client This issue points to a problem in the data-plane of the library. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team labels Oct 22, 2024

Thank you for your feedback. Tagging and routing to the team member best able to assist.

@pgrandhi pgrandhi changed the title [BUG] [BUG] Updating to Azure.Identity to 1.13.0 and Microsoft.Identity.Client to 4.65.0/4.66.1 fails with invalid_client Oct 22, 2024
christothes (Member) commented

Hi @pgrandhi -
Could you share the implementation of CustomClientCertificateCredential?

Also, could you reproduce this with logging enabled?
For console output, you would just need to add the following line to your program.

```csharp
using AzureEventSourceListener listener = AzureEventSourceListener.CreateTraceLogger();
```

If you need to log the output somewhere other than the console, this can be done as described in these docs.
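As an added example (not code from the issue author or from the Azure SDK), the following stand-alone console program reproduces the reported credential configuration with the plain Azure.Identity `ClientCertificateCredential` and turns on the SDK event-source logging requested above, so the log shows which authority and tenant the token request actually went to. The tenant id, client id and certificate path are placeholders to be substituted.

```csharp
// Added example, not from the issue or the Azure SDK: the reported credential setup
// with Azure SDK event-source logging enabled, so the authority/tenant actually used is visible.
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Core.Diagnostics;
using Azure.Identity;

class TokenDiagnostics
{
    static async Task Main()
    {
        // Placeholders: the app's home tenant, client (application) id and certificate.
        const string tenantId = "<app-home-tenant-id>";
        const string clientId = "<application-client-id>";
        using var cert = new X509Certificate2("<path-to-cert.pfx>", "<pfx-password>");

        // Writes Azure.Core/Azure.Identity event-source traces to the console (Informational and above).
        using AzureEventSourceListener listener = AzureEventSourceListener.CreateConsoleLogger();

        var options = new ClientCertificateCredentialOptions
        {
            // Kept as in the report. The documented values are the base hosts in
            // AzureAuthorityHosts (e.g. AzurePublicCloud); the tenant comes from the constructor.
            AuthorityHost = new Uri("https://login.microsoftonline.com/common"),
            AdditionallyAllowedTenants = { "*" },
            SendCertificateChain = true,
            // Lets Azure.Identity log the tenant and account details it normally redacts.
            IsUnsafeSupportLoggingEnabled = true,
        };

        var credential = new ClientCertificateCredential(tenantId, clientId, cert, options);
        var context = new TokenRequestContext(new[] { "https://management.azure.com/.default" });

        try
        {
            AccessToken token = await credential.GetTokenAsync(context, CancellationToken.None);
            Console.WriteLine($"Token acquired; expires {token.ExpiresOn:u}");
        }
        catch (AuthenticationFailedException ex)
        {
            // The message carries the server's AADSTS code and the tenant it was evaluated against;
            // compare that tenant with tenantId above to see which authority the request used.
            Console.WriteLine(ex.Message);
        }
    }
}
```

Run it with the same NuGet versions named in the title and attach the console output to the issue; the logged request URL and the tenant in the AADSTS message together show whether the explicitly passed tenant reached the token endpoint.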

@christothes christothes added the needs-author-feedback Workflow: More information is needed from author to address the issue. label Oct 22, 2024
@github-actions github-actions bot removed the needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team label Oct 22, 2024

Hi @pgrandhi. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.
