Cannot Acquire token for resources other than home tenant #694


Closed
2 of 13 tasks
atiqhaqu opened this issue Nov 30, 2018 · 1 comment

atiqhaqu commented Nov 30, 2018


name: Bug report
about: Cannot Acquire token for resources other than home tenant

Which Version of MSAL are you using?
Note that to get help, you need to run the latest preview or non-preview version
For ADAL, please log issues to https://github.com/AzureAD/azure-activedirectory-library-for-dotnet

v2.5.0-preview

Which platform has the issue?

net45

What authentication flow has the issue?

  • Desktop
    • Interactive
    • Integrated Windows Auth
    • Username / Password
    • Device code flow (browserless)
  • Mobile
    • Xamarin.iOS
    • Xamarin.Android
    • UWP
  • Web App
    • Authorization code
    • OBO
  • Web API
    • OBO
  • Daemon App
    • Client credentials

Other? - please describe;

What is the identity provider?

  • Azure AD
  • Azure AD B2C

If B2C, what social identity did you use?

Repro

public static async Task<AuthenticationResult> AcquireTokenWithPromptAsync(string resource, string tenant)
{
    string authority = $"{ProductionAuthority}/{tenant}";
    string[] scopes = { resource + ".default" };
    string clientId = Client;
    var app = new PublicClientApplication(clientId: clientId, authority: authority, userTokenCache: TokenCacheHelper.GetUserCache());

    return await app.AcquireTokenAsync(scopes).ConfigureAwait(false);
}

public static async Task<AuthenticationResult> AcquireTokenSilentAsync(string resource, string tenant, string userId)
{
    string authority = $"{ProductionAuthority}/{tenant}";
    string[] scopes = { resource + ".default" };
    string clientId = Client;
    AuthenticationResult result = null;
    var app = new PublicClientApplication(clientId: clientId, authority: authority, userTokenCache: TokenCacheHelper.GetUserCache());
    var account = await app.GetAccountAsync(userId).ConfigureAwait(false);
    result = await app.AcquireTokenSilentAsync(scopes, account).ConfigureAwait(false);
    return result;
}

var authResult = await AcquireTokenWithPromptAsync("https://management.azure.com", "Common");

// suppose the home tenantId for the user is foo and it is also part of another tenant with tenantId bar

// this call works and gets a token for foo
var result = await AcquireTokenSilentAsync("https://graph.microsoft.com/", foo, authResult.Account.HomeAccountId.Identifier).ConfigureAwait(false);

// this one still gets a token for foo
result = await AcquireTokenSilentAsync("https://graph.microsoft.com/", bar, authResult.Account.HomeAccountId.Identifier).ConfigureAwait(false);

Expected behavior
With AcquireTokenSilentAsync call for tenant bar we expect to get an AuthenticationResult for that tenant.

Actual behavior
Irrespective of the tenant requested we always get the token for the home tenant.

Possible Solution

Additional context/ Logs / Screenshots
Add any other context about the problem here, such as logs and screenshots. Logging is described at https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/logging

@jennyf19
Collaborator

@atiqhaqu has confirmed this is also fixed with these changes

@jmprieur jmprieur assigned jennyf19 and unassigned MarkZuber Dec 13, 2018
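
A caller that depends on tenant isolation can detect the behaviour reported above by comparing the `tid` claim of the returned ID token with the tenant it put in the authority. The following is an added example, not code from this issue or from MSAL: `TenantGuard`, `TenantCheck` and `Demo` are hypothetical names, the tenant GUIDs and the token are constructed, and it assumes the raw ID token from the result is passed in as a string and that `System.Text.Json` is available (so a newer target than net45).

```csharp
using System;
using System.Text;
using System.Text.Json;

public enum TenantCheck { Match, Mismatch, NotComparable }

public static class TenantGuard
{
    // Reads the "tid" claim from a JWT payload. No signature validation: this is a
    // consistency check on a token the library just returned, not token validation.
    public static string GetTenantId(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("Not a compact JWT.");
        string b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        string json = Encoding.UTF8.GetString(Convert.FromBase64String(b64));
        using (JsonDocument doc = JsonDocument.Parse(json))
        {
            return doc.RootElement.TryGetProperty("tid", out JsonElement tid) ? tid.GetString() : null;
        }
    }

    // "common"/"organizations" and domain names cannot be compared with tid,
    // so only a GUID tenant in the authority gives a definite answer.
    public static TenantCheck Check(string requestedTenant, string idToken)
    {
        if (!Guid.TryParse(requestedTenant, out Guid requested)) return TenantCheck.NotComparable;
        bool parsed = Guid.TryParse(GetTenantId(idToken), out Guid actual);
        return parsed && actual == requested ? TenantCheck.Match : TenantCheck.Mismatch;
    }
}

public static class Demo
{
    static string B64Url(string s) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(s)).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    public static void Main()
    {
        // Constructed sample values: "foo" is the home tenant, "bar" the second tenant.
        const string foo = "11111111-1111-1111-1111-111111111111";
        const string bar = "22222222-2222-2222-2222-222222222222";
        // Constructed unsigned token standing in for the result the issue describes (always tenant foo).
        string token = B64Url("{\"alg\":\"none\"}") + "." + B64Url("{\"tid\":\"" + foo + "\"}") + ".sig";

        Console.WriteLine(TenantGuard.Check(foo, token));
        Console.WriteLine(TenantGuard.Check(bar, token));
        Console.WriteLine(TenantGuard.Check("Common", token));
    }
}
```

A `Mismatch` result for a GUID tenant is the condition this issue reports; treat `NotComparable` as unverified rather than as a pass.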