Remove AllowMultiTenantAuthentication option (Azure#24264)

* Remove AllowMultiTenantAuthentication option

Author: christothes

sdk/identity/Azure.Identity/CHANGELOG.md

@@ -4,7 +4,8 @@
 
 ### Features Added
 
-### Breaking Changes
+### Breaking Changes from 1.5.0-beta.4
+- The `AllowMultiTenantAuthentication` option has been removed and the default behavior is now as if it were true. The multi-tenant discovery feature can be totally disabled by either setting an `AppContext` switch named "Azure.Identity.DisableTenantDiscovery" to `true` or by setting the environment variable "AZURE_IDENTITY_DISABLE_TENANTDISCOVERY" to "true".
 
 ### Bugs Fixed
 

sdk/identity/Azure.Identity/api/Azure.Identity.netstandard2.0.cs

@@ -369,7 +369,6 @@ internal TokenCacheUpdatedArgs() { }
     public partial class TokenCredentialOptions : Azure.Core.ClientOptions
     {
         public TokenCredentialOptions() { }
-        public bool AllowMultiTenantAuthentication { get { throw null; } set { } }
         public System.Uri AuthorityHost { get { throw null; } set { } }
         public bool IsLoggingPIIEnabled { get { throw null; } set { } }
     }

sdk/identity/Azure.Identity/src/AuthorizationCodeCredential.cs

@@ -21,7 +21,6 @@ public class AuthorizationCodeCredential : TokenCredential
         private readonly string _clientId;
         private readonly CredentialPipeline _pipeline;
         private AuthenticationRecord _record;
-        private readonly bool _allowMultiTenantAuthentication;
         private readonly MsalConfidentialClient _client;
         private readonly string _redirectUri;
         private readonly string _tenantId;
@@ -85,7 +84,6 @@ internal AuthorizationCodeCredential(string tenantId, string clientId, string cl
             Argument.AssertNotNull(authorizationCode, nameof(authorizationCode));
             _clientId = clientId;
             _authCode = authorizationCode ;
-            _allowMultiTenantAuthentication = options?.AllowMultiTenantAuthentication ?? false;
             _pipeline = CredentialPipeline.GetInstance(options ?? new TokenCredentialOptions());
             _redirectUri = options switch
             {
@@ -135,7 +133,7 @@ private async ValueTask<AccessToken> GetTokenImplAsync(bool async, TokenRequestC
             try
             {
                 AccessToken token;
-                var tenantId = TenantIdResolver.Resolve(_tenantId, requestContext, _allowMultiTenantAuthentication);
+                var tenantId = TenantIdResolver.Resolve(_tenantId, requestContext);
 
                 if (_record is null)
                 {

sdk/identity/Azure.Identity/src/AzureCliCredential.cs

@@ -20,7 +20,6 @@ namespace Azure.Identity
     /// </summary>
     public class AzureCliCredential : TokenCredential
     {
-        private readonly bool _allowMultiTenantAuthentication;
         internal const string AzureCLINotInstalled = "Azure CLI not installed";
         internal const string AzNotLogIn = "Please run 'az login' to set up account";
         internal const string WinAzureCLIError = "'az' is not recognized";
@@ -69,7 +68,6 @@ internal AzureCliCredential(CredentialPipeline pipeline, IProcessService process
             _pipeline = pipeline;
             _path = !string.IsNullOrEmpty(EnvironmentVariables.Path) ? EnvironmentVariables.Path : DefaultPath;
             _processService = processService ?? ProcessService.Default;
-            _allowMultiTenantAuthentication = options?.AllowMultiTenantAuthentication ?? false;
             _tenantId = options?.TenantId;
         }
 
@@ -113,7 +111,7 @@ private async ValueTask<AccessToken> GetTokenImplAsync(bool async, TokenRequestC
         private async ValueTask<AccessToken> RequestCliAccessTokenAsync(bool async, TokenRequestContext context, CancellationToken cancellationToken)
         {
             string resource = ScopeUtilities.ScopesToResource(context.Scopes);
-            string tenantId = TenantIdResolver.Resolve(_tenantId, context, _allowMultiTenantAuthentication);
+            string tenantId = TenantIdResolver.Resolve(_tenantId, context);
 
             ScopeUtilities.ValidateScope(resource);
 

sdk/identity/Azure.Identity/src/AzureIdentityEventSource.cs

@@ -31,6 +31,10 @@ internal sealed class AzureIdentityEventSource : AzureEventSource
         private const int ProcessRunnerErrorEvent = 14;
         private const int ProcessRunnerInfoEvent = 15;
         private const int UsernamePasswordCredentialAcquireTokenSilentFailedEvent = 16;
+        private const int TenantIdDiscoveredAndNotUsedEvent = 17;
+        private const int TenantIdDiscoveredAndUsedEvent = 18;
+        internal const string TenantIdDiscoveredAndNotUsedEventMessage = "A token was request for a different tenant than was configured on the credential, but the configured value was used since multi tenant authentication has been disabled. Configured TenantId: {0}, Requested TenantId {1}";
+        internal const string TenantIdDiscoveredAndUsedEventMessage = "A token was requested for a different tenant than was configured on the credential, and the requested tenant id was used to authenticate. Configured TenantId: {0}, Requested TenantId {1}";
 
         private AzureIdentityEventSource() : base(EventSourceName) { }
 
@@ -276,5 +280,23 @@ public void UsernamePasswordCredentialAcquireTokenSilentFailed(string error)
         {
             WriteEvent(UsernamePasswordCredentialAcquireTokenSilentFailedEvent, error);
         }
+
+        [Event(TenantIdDiscoveredAndNotUsedEvent, Level = EventLevel.Informational, Message = TenantIdDiscoveredAndNotUsedEventMessage)]
+        public void TenantIdDiscoveredAndNotUsed(string explicitTenantId, string contextTenantId)
+        {
+            if (IsEnabled(EventLevel.Informational, EventKeywords.All))
+            {
+                WriteEvent(TenantIdDiscoveredAndNotUsedEvent, explicitTenantId, contextTenantId);
+            }
+        }
+
+        [Event(TenantIdDiscoveredAndUsedEvent, Level = EventLevel.Informational, Message = TenantIdDiscoveredAndUsedEventMessage)]
+        public void TenantIdDiscoveredAndUsed(string explicitTenantId, string contextTenantId)
+        {
+            if (IsEnabled(EventLevel.Informational, EventKeywords.All))
+            {
+                WriteEvent(TenantIdDiscoveredAndUsedEvent, explicitTenantId, contextTenantId);
+            }
+        }
     }
 }

sdk/identity/Azure.Identity/src/AzurePowerShellCredential.cs

@@ -40,7 +40,6 @@ public class AzurePowerShellCredential : TokenCredential
         private static readonly string DefaultWorkingDir =
             RuntimeInformation.IsOSPlatform(OSPlatform.Windows) ? DefaultWorkingDirWindows : DefaultWorkingDirNonWindows;
 
-        private readonly bool _allowMultiTenantAuthentication;
         private readonly string _tenantId;
 
         private const int ERROR_FILE_NOT_FOUND = 2;
@@ -64,7 +63,6 @@ internal AzurePowerShellCredential(AzurePowerShellCredentialOptions options, Cre
         {
             UseLegacyPowerShell = false;
             _logPII = options?.IsLoggingPIIEnabled ?? false;
-            _allowMultiTenantAuthentication = options?.AllowMultiTenantAuthentication ?? false;
             _tenantId = options?.TenantId;
             _pipeline = pipeline ?? CredentialPipeline.GetInstance(options);
             _processService = processService ?? ProcessService.Default;
@@ -125,7 +123,7 @@ private async ValueTask<AccessToken> RequestAzurePowerShellAccessTokenAsync(bool
             string resource = ScopeUtilities.ScopesToResource(context.Scopes);
 
             ScopeUtilities.ValidateScope(resource);
-            var tenantId = TenantIdResolver.Resolve(_tenantId, context, _allowMultiTenantAuthentication);
+            var tenantId = TenantIdResolver.Resolve(_tenantId, context);
 
             GetFileNameAndArguments(resource, tenantId, out string fileName, out string argument);
             ProcessStartInfo processStartInfo = GetAzurePowerShellProcessStartInfo(fileName, argument);

sdk/identity/Azure.Identity/src/ClientAssertionCredential.cs

@@ -28,7 +28,6 @@ public ClientAssertionCredential(string tenantId, string clientId, Func<string>
         {
             TenantId = tenantId;
             ClientId = clientId;
-            AllowMultiTenantAuthentication = options?.AllowMultiTenantAuthentication ?? false;
             Client = options?.MsalClient ?? new MsalConfidentialClient(options?.Pipeline ?? CredentialPipeline.GetInstance(options), tenantId, clientId, getAssertionCallback, null, null, options?.IsLoggingPIIEnabled ?? false);
         }
 
@@ -38,7 +37,7 @@ public override AccessToken GetToken(TokenRequestContext requestContext, Cancell
 
             try
             {
-                var tenantId = TenantIdResolver.Resolve(TenantId, requestContext, AllowMultiTenantAuthentication);
+                var tenantId = TenantIdResolver.Resolve(TenantId, requestContext);
 
                 AuthenticationResult result = Client.AcquireTokenForClientAsync(requestContext.Scopes, tenantId, false, cancellationToken).EnsureCompleted();
 
@@ -56,7 +55,7 @@ public async override ValueTask<AccessToken> GetTokenAsync(TokenRequestContext r
 
             try
             {
-                var tenantId = TenantIdResolver.Resolve(TenantId, requestContext, AllowMultiTenantAuthentication);
+                var tenantId = TenantIdResolver.Resolve(TenantId, requestContext);
 
                 AuthenticationResult result = await Client.AcquireTokenForClientAsync(requestContext.Scopes, tenantId, true, cancellationToken).ConfigureAwait(false);
 

sdk/identity/Azure.Identity/src/ClientCertificateCredential.cs

@@ -35,7 +35,6 @@ public class ClientCertificateCredential : TokenCredential
         internal MsalConfidentialClient Client { get; }
 
         private readonly CredentialPipeline _pipeline;
-        private readonly bool _allowMultiTenantAuthentication;
 
         /// <summary>
         /// Protected constructor for mocking.
@@ -148,14 +147,9 @@ internal ClientCertificateCredential(
             MsalConfidentialClient client)
         {
             TenantId = Validations.ValidateTenantId(tenantId, nameof(tenantId));
-
             ClientId = clientId ?? throw new ArgumentNullException(nameof(clientId));
-
             ClientCertificateProvider = certificateProvider;
-            _allowMultiTenantAuthentication = options?.AllowMultiTenantAuthentication ?? false;
-
             _pipeline = pipeline ?? CredentialPipeline.GetInstance(options);
-
             ClientCertificateCredentialOptions certCredOptions = (options as ClientCertificateCredentialOptions);
 
             Client = client ??
@@ -182,7 +176,7 @@ public override AccessToken GetToken(TokenRequestContext requestContext, Cancell
 
             try
             {
-                var tenantId = TenantIdResolver.Resolve(TenantId, requestContext, _allowMultiTenantAuthentication);
+                var tenantId = TenantIdResolver.Resolve(TenantId, requestContext);
                 AuthenticationResult result = Client.AcquireTokenForClientAsync(requestContext.Scopes, tenantId, false, cancellationToken).EnsureCompleted();
 
                 return scope.Succeeded(new AccessToken(result.AccessToken, result.ExpiresOn));
@@ -205,7 +199,7 @@ public override async ValueTask<AccessToken> GetTokenAsync(TokenRequestContext r
 
             try
             {
-                var tenantId = TenantIdResolver.Resolve(TenantId, requestContext, _allowMultiTenantAuthentication);
+                var tenantId = TenantIdResolver.Resolve(TenantId, requestContext);
                 AuthenticationResult result = await Client
                     .AcquireTokenForClientAsync(requestContext.Scopes, tenantId, true, cancellationToken)
                     .ConfigureAwait(false);

sdk/identity/Azure.Identity/src/ClientSecretCredential.cs

@@ -19,7 +19,6 @@ namespace Azure.Identity
     public class ClientSecretCredential : TokenCredential
     {
         private readonly CredentialPipeline _pipeline;
-		private readonly bool _allowMultiTenantAuthentication;
 
         internal MsalConfidentialClient Client { get; }
 
@@ -88,7 +87,6 @@ internal ClientSecretCredential(string tenantId, string clientId, string clientS
             ClientId = clientId ?? throw new ArgumentNullException(nameof(clientId));
 
             ClientSecret = clientSecret;
-            _allowMultiTenantAuthentication = options?.AllowMultiTenantAuthentication ?? false;
             _pipeline = pipeline ?? CredentialPipeline.GetInstance(options);
             Client = client ??
                      new MsalConfidentialClient(
@@ -113,7 +111,7 @@ public override async ValueTask<AccessToken> GetTokenAsync(TokenRequestContext r
 
             try
             {
-                var tenantId = TenantIdResolver.Resolve(TenantId, requestContext, _allowMultiTenantAuthentication);
+                var tenantId = TenantIdResolver.Resolve(TenantId, requestContext);
                 AuthenticationResult result = await Client.AcquireTokenForClientAsync(requestContext.Scopes, tenantId, true, cancellationToken).ConfigureAwait(false);
 
                 return scope.Succeeded(new AccessToken(result.AccessToken, result.ExpiresOn));
@@ -136,7 +134,7 @@ public override AccessToken GetToken(TokenRequestContext requestContext, Cancell
 
             try
             {
-                var tenantId = TenantIdResolver.Resolve(TenantId, requestContext, _allowMultiTenantAuthentication);
+                var tenantId = TenantIdResolver.Resolve(TenantId, requestContext);
                 AuthenticationResult result = Client.AcquireTokenForClientAsync(requestContext.Scopes, tenantId, false, cancellationToken).EnsureCompleted();
 
                 return scope.Succeeded(new AccessToken(result.AccessToken, result.ExpiresOn));

sdk/identity/Azure.Identity/src/DeviceCodeCredential.cs

@@ -18,7 +18,6 @@ namespace Azure.Identity
     public class DeviceCodeCredential : TokenCredential
     {
         private readonly string _tenantId;
-        private readonly bool _allowMultiTenantAuthentication;
         internal MsalPublicClient Client { get; set; }
         internal string ClientId { get; }
         internal bool DisableAutomaticAuthentication { get; }
@@ -86,7 +85,6 @@ internal DeviceCodeCredential(Func<DeviceCodeInfo, CancellationToken, Task> devi
             DeviceCodeCallback = deviceCodeCallback;
             DisableAutomaticAuthentication = (options as DeviceCodeCredentialOptions)?.DisableAutomaticAuthentication ?? false;
             Record = (options as DeviceCodeCredentialOptions)?.AuthenticationRecord;
-            _allowMultiTenantAuthentication = options?.AllowMultiTenantAuthentication ?? false;
             Pipeline = pipeline ?? CredentialPipeline.GetInstance(options);
             Client = client ?? new MsalPublicClient(
                 Pipeline,
@@ -204,7 +202,7 @@ private async ValueTask<AccessToken> GetTokenImplAsync(bool async, TokenRequestC
                 {
                     try
                     {
-                        var tenantId = TenantIdResolver.Resolve(_tenantId, requestContext, _allowMultiTenantAuthentication);
+                        var tenantId = TenantIdResolver.Resolve(_tenantId, requestContext);
                         AuthenticationResult result = await Client
                             .AcquireTokenSilentAsync(requestContext.Scopes, requestContext.Claims, Record, tenantId, async, cancellationToken)
                             .ConfigureAwait(false);