Don't pass organizations to CLIs (#35764)

billwert · web-flow · commit 2e5aba759e8a · 2023-07-06T13:57:32.000-07:00
For some flows `organizations` is an invalid tenant ID when acquiring a token, and passing it will result in a break.
diff --git a/sdk/identity/azure-identity/src/main/java/com/azure/identity/implementation/IdentityClient.java b/sdk/identity/azure-identity/src/main/java/com/azure/identity/implementation/IdentityClient.java
@@ -321,7 +321,8 @@ public Mono<AccessToken> authenticateWithAzureCli(TokenRequestContext request) {
 
         try {
             String tenant = IdentityUtil.resolveTenantId(tenantId, request, options);
-            if (!CoreUtils.isNullOrEmpty(tenant)) {
+            // The default is not correct for many cases, such as when the logged in entity is a service principal.
+            if (!CoreUtils.isNullOrEmpty(tenant) && !tenant.equals(IdentityUtil.DEFAULT_TENANT)) {
                 azCommand.append(" --tenant ").append(tenant);
             }
         } catch (ClientAuthenticationException e) {
@@ -362,7 +363,7 @@ public Mono<AccessToken> authenticateWithAzureDeveloperCli(TokenRequestContext r
 
         try {
             String tenant = IdentityUtil.resolveTenantId(tenantId, request, options);
-            if (!CoreUtils.isNullOrEmpty(tenant)) {
+            if (!CoreUtils.isNullOrEmpty(tenant) && !tenant.equals(IdentityUtil.DEFAULT_TENANT)) {
                 azdCommand.append(" --tenant-id ").append(tenant);
             }
         } catch (ClientAuthenticationException e) {
