[Bug] Improve devex for AcquireTokenSilent + MSA-PT

[mjcheetham]

Which version of MSAL.NET are you using?
MSAL.NET 4.37.0

Platform
.NET 5.0 macOS x64

What authentication flow has the issue?

• Desktop / Mobile
  • Silent

Is this a new or existing app?

a. The app is in production, and I have upgraded to a new version of MSAL.

Repro

const string azDev = "499b84ac-1321-427f-aa17-267ca6975798";
const string clientId = "d735b71b-9eee-4a4f-ad23-421660877ba6";
const string authority = "https://login.microsoftonline.com/organizations";
const string redirectUri = "http://localhost";
string scopes = new[]{ $"{azDev}/vso.code_full" };
var pca = PublicClientApplicationBuilder.Create(clientId)
    .WithAuthority(authority)
    .WithRedirectUri(redirectUri)
    .Build();
RegisterTokenCache(pca.UserTokenCache);

var result1 = await pca.AcquireTokenInteractive(scopes).ExecuteAsync();

string userName = result1.Account.Username;

var result2 = await pca.AcquireTokenSilent(scopes, loginHint: userName).ExecuteAsync();

Expected behavior
The ATS call succeeds.

Actual behavior
An MsalServiceException is thrown:

"Application '499b84ac-1321-427f-aa17-267ca6975798'(Azure DevOps) is configured for use by Azure Active Directory users only. Please do not use the /consumers endpoint to serve this request.

Possible solution

We have worked around this by using the "MSFT Services tenant" to 'exchange' these MSA tokens for use with the MSA-PT resource (Azure DevOps).

IAccount account = result1.Account;

var atsBuilder = app.AcquireTokenSilent(scopes, account);

// If the account is an MSA we must target the special "MSA-PT transfer tenant"
var msaTenantId = new Guid("9188040d-6c67-4c5b-b112-36a304b66dad");
var transferTenantId = new Guid("f8cdef31-a31e-4b4a-93e4-5f571e91255a");
if (Guid.TryParse(account.HomeAccountId.TenantId, out Guid homeTenantId) && homeTenantId == msaTenantId)
{
    atsBuilder = atsBuilder.WithTenantId(transferTenantId.ToString("D"));
}

var result2 = await atsBuilder.ExecuteAsync();

Additional context / logs / screenshots / links to code

We are using MSA-PT (as a first party application) because the resource (Azure DevOps) only accepts AAD & MSA-PT tokens (not MSA native).

Also the workaround we have here only works for the public Azure cloud.

cc: @bgavrilMS

[bgavrilMS]

• .EnableMsaPassthrough()
• try to detect if the request comes from MSA. Can we not maintain a mapping?
• review the proposal from iOS.

[JohnSchmeichel]

Also came across this while trying to test a new app registration. Was surprised to see the error on using the consumers tenant when we were explicitly passing the organizations tenant.

[bgavrilMS]

This is a service issue - https://identitydivision.visualstudio.com/Engineering/_workitems/edit/1800497/?workitem=1848357

[JohnSchmeichel]

Also hitting this (but with slightly different options and getting additional errors than in the linked bug)

ClientId: d5a56ea4-7369-46b8-a538-c370805301bf
Authority: https://login.microsoftonline.com/organizations
Scopes: 499b84ac-1321-427f-aa17-267ca6975798/.default
MSA-Passthrough: Enabled
Account: johsch-test1@outlook.com

Calling AcquireTokenInteractive I can select my MSA and get a token, and when using AcquireTokenInteractive passing the account I get a token without a prompt:

ATI WithAccount for account johsch-test1@outlook.com
Account.Username johsch-test1@outlook.com
Account.HomeAccountId AccountId: 00000000-0000-0000-c2e8-f34129c9cd3a.9188040d-6c67-4c5b-b112-36a304b66dad
Account.Environment login.microsoftonline.com
TenantId f8cdef31-a31e-4b4a-93e4-5f571e91255a
Expires 4/12/2023 9:26:43 PM -07:00 local time
Source Broker
Scopes 499b84ac-1321-427f-aa17-267ca6975798/user_impersonation 499b84ac-1321-427f-aa17-267ca6975798/.default
AccessToken: ****

However, when using AcquireTokenSilent passing the same account object I get an error:

ATS with IAccount for johsch-test1@outlook.com
Exception: MSAL.NetCore.4.52.0.0.MsalServiceException: 
	ErrorCode: WAM_provider_error_2156265473
Microsoft.Identity.Client.MsalServiceException: WAM Error  
 Error Code: 2156265473 
 Error Message: ApiContractViolation 
 WAM Error Message: Error 
 Internal Error Code: 557973635 
 Is Retryable: false 
 Possible causes: 
- Invalid redirect uri - ensure you have configured the following url in the AAD portal App Registration: ms-appx-web://microsoft.aad.brokerplugin/d5a56ea4-7369-46b8-a538-c370805301bf 
- No Internet connection : 
Please see https://aka.ms/msal-net-wam for details about Windows Broker integration

Using the workaround of swapping the MSA tenant with the first party tenant allows AcquireTokenSilent to succeed.

[bgavrilMS]

@JohnSchmeichel - yes, this is the status quo for MSA-PT for now, you have to add that pretty horrible workaround. We will look at fixing this next quarter, there aren't any easy fixes though.