As of azure-identity 1.6.0, the default behavior of credentials supporting multi-tenant authentication has changed. Each of these credentials will throw an ClientAuthenticationException if the requested tenantId doesn't match the tenant ID originally configured on the credential. Apps must now do one of the following things:
- Add all IDs, of tenants from which tokens should be acquired, to the
additionallyAllowedTenantslist on the credential builder. For example:
DefaultAzureCredential defaultAzureCredential = new DefaultAzureCredentialBuilder()
.additionallyAllowedTenants("<tenant_id_1>", "tenant_id_2>")
.build();- Add
*to enable token acquisition from any tenant. This is the original behavior and is compatible previous versions supporting multi tenant authentication. For example:
DefaultAzureCredential defaultAzureCredential = new DefaultAzureCredentialBuilder()
.additionallyAllowedTenants("*")
.build();Note: Credential types which do not require a tenantId on construction will only throw ClientAuthenticationException when the application has provided a value for tenantId on the credential builder. If no tenantId is specified when building the credential, the credential will acquire tokens for any requested tenantId regardless of the value of additionallyAllowedTenants.
More information on this change and the consideration behind it can be found here.