Fix IDW10405 error when using managed identity with common tenant

[Copilot]

Problem

When using managed identity in multi-tenant applications with AzureAd.TenantId set to "common", the GetAuthenticationResultForAppAsync method throws an IDW10405 error:

IDW10405: 'tenant' parameter should be a tenant ID or domain name, not 'common', 'organizations' or 'consumers'.

This occurs because ResolveTenant is called before checking if managed identity is being used. For managed identity flows, tenant resolution is not needed and should be skipped entirely.

Configuration Example

{
  "AzureAd": {
    "TenantId": "common",
    "ClientId": "<app-guid>"
  },
  "DownstreamApis": {
    "MyApi": {
      "BaseUrl": "https://example.com",
      "Scopes": ["scope"],
      "AcquireTokenOptions": {
        "ManagedIdentity": {
          "UserAssignedClientId": "<managed-identity-client-guid>"
        }
      }
    }
  }
}

Solution

Moved the ResolveTenant call to execute only for non-managed identity scenarios:

• Before: ResolveTenant was called unconditionally, causing the error
• After: ResolveTenant is skipped when using managed identity, preventing the error

Changes

1. TokenAcquisition.cs: Moved ResolveTenant call after managed identity check
2. TokenAcquisitionTests.cs: Added test case to verify the fix

The fix is minimal and surgical - only 3 lines changed in the core logic while preserving all existing functionality.

Testing

• Added comprehensive test case covering the scenario
• Verified existing tenant resolution logic still works correctly
• Confirmed no regression in non-managed identity flows

Fixes #3395.

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[jmprieur]

LGTM