[BUG] Unable to authenticate to SharePoint Online with certificate thumbprint in multi tenant setup #275

Closed
evobis opened this issue Apr 15, 2021 · 11 comments · Fixed by #328 or #350
Labels: area: authentication 🗝 (Authentication related issue or pull request), question (Further information is requested)

Comments


evobis commented Apr 15, 2021

Description
When trying to authenticate to a SharePoint site with a Certificate Thumbprint, ClientId (App Registration) and TenantId I am faced with an error. If I authenticate with PnP.PowerShell with the exact same thumbprint and IDs I am authenticated without issues.

This is a multi tenant setup with multiple domains associated.

I use the exact same AppId and TenantId in PowerShell and .Net Core C#

This works
Connect-PnPOnline -Url $siteUrl -ClientId $clientId -Thumbprint $cert.Thumbprint -Tenant $tenantId
Get-PnPWeb

This does not work
new PnP.Framework.AuthenticationManager(AuthenticationSettings.ClientId, StoreName.My, StoreLocation.CurrentUser, AuthenticationSettings.CertificateThumbprint, AuthenticationSettings.TenantID).GetContext(AuthenticationSettings.SharePointSiteUrl);

Note: I tried to do the exact same with "SharePointPnPCoreOnline" in .net framework 4.8 C# and it works perfectly. I am authenticated without issues.

Error
AADSTS700016: Application with identifier '................' was not found in the directory 'sharepoint.com'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant. Trace ID: 8f5324b2-96e9-4107-b630-00b078492000 Correlation ID: 004872a6-bda0-4e2f-ae52-e12eb801547b Timestamp: 2021-04-14 06:51:18Z

Framework version
Powershell PnP.PowerShell: 1.4
.Net Core: 3.1
.Net Core PnP.Framework: 1.4

@evobis evobis changed the title [BUG] Unable to authenticate with certificate thumbprint in multi tenant setup [BUG] Unable to authenticate to SharePoint Online with certificate thumbprint in multi tenant setup Apr 15, 2021
jansenbe (Contributor) commented

@evobis : just to rule out a difference between .NET Framework and .NET Core... what is the PS version you're using (version 5 uses .NET Framework, version 7 uses .NET Core)?

@jansenbe jansenbe self-assigned this Apr 19, 2021
@jansenbe jansenbe added area: authentication 🗝 Authentication related issue or pull request question Further information is requested labels Apr 19, 2021

evobis commented Apr 20, 2021

@jansenbe thanks for replying :)

I was using PowerShell 5.1, but I just installed PowerShell 7 and it works perfectly here as well. The issue only occurs when using PnP.Framework 1.4 in C#.

jansenbe (Contributor) commented


@evobis : can you do a fiddler trace while doing the PS login (works) and the .NET call (fails) and share the outcome. If the trace contains confidential content then feel free to send it to bjansen@microsoft.com.


evobis commented Apr 20, 2021

@jansenbe thanks, I've sent you an e-mail with the traces.


evobis commented May 5, 2021

@jansenbe did you by any chance find an opportunity to look into the issue or have a status of the progress? :)


jansenbe commented May 5, 2021

Sorry, did not yet have time...really busy at the moment. Will try to squeeze this in this week though


evobis commented May 5, 2021

No reason to apologize. As I see it you are doing me a favor.


evobis commented May 6, 2021

@jansenbe my colleague @Tanddant can confirm that the authentication actually works by downgrading the PnP Framework to version 1.2 from 1.4. I can confirm that my code works as well when using PnP Framework 1.2.


Tanddant commented May 6, 2021

I did a small bit of further digging; the issue seems to have appeared from 1.2 -> 1.3.
Looking at the AuthenticationManager it seems to be related to the new GetBuilderWithAuthority which relies on the GetAzureADLoginEndPoint that doesn't take the tenantId into account!

I don't have time to really dive into the issue, but I hope this can help you a bit more.


Tanddant commented May 6, 2021

Looking at 1.2.0 the AuthenticationManager calls
builder.WithAuthority(azureADEndPoint, tenantId, true); at L481

1.3.0 relies on "GetBuilderWithAuthority" - which seems to ignore that a tenantId has been set in the AuthenticationManager.
builder = builder.WithAuthority($"{azureADEndPoint}/organizations"); at L1438

A fix would seem to be to wrap the .WithAuthority call in an if:

if (!string.IsNullOrEmpty(tenantId)) {
    // tenant-specific authority, e.g. https://login.microsoftonline.com/{tenantId}
    builder = builder.WithAuthority(azureADEndPoint, tenantId, true);
} else {
    // no tenant known: fall back to the multi-tenant "organizations" authority
    builder = builder.WithAuthority($"{azureADEndPoint}/organizations");
}

^ just some quick pseudocode, I hope someone with a greater understanding of this repo can actually verify/implement it
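
As an added example (not code from PnP.Framework or from any commenter on this issue), the snippet below calls MSAL directly to show the authority choice discussed above: the certificate (client-credential) flow needs a tenant-specific authority, and building one from `/organizations` sends the request to the wrong tenant, which is the symptom in the AADSTS700016 message quoted earlier. Client id, tenant id, thumbprint and site URL are assumed placeholder inputs.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example, not PnP.Framework code. Demonstrates the tenanted authority
// that app-only (client-credential) certificate auth requires.
static class SpoAppOnlyAuth
{
    // Client-credential requests must target a tenant id or verified domain;
    // "/organizations" and "/common" are only valid for user sign-in flows.
    public static string BuildAuthority(string azureADEndPoint, string tenantId)
    {
        if (string.IsNullOrWhiteSpace(tenantId))
            throw new ArgumentException(
                "Client-credential flows need a tenant id; '/organizations' is not valid here.",
                nameof(tenantId));
        return $"{azureADEndPoint.TrimEnd('/')}/{tenantId}";
    }

    // Loads the app certificate from the CurrentUser\My store by thumbprint.
    // validOnly:false so that self-signed app-registration certificates are found.
    public static X509Certificate2 LoadCertificate(string thumbprint)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        if (found.Count == 0)
            throw new InvalidOperationException("Certificate not found: " + thumbprint);
        return found[0];
    }

    // Acquires an app-only access token for the SharePoint host of siteUrl.
    public static async Task<string> AcquireSpoTokenAsync(
        string clientId, string tenantId, string thumbprint, string siteUrl)
    {
        var authority = BuildAuthority("https://login.microsoftonline.com", tenantId);
        var app = ConfidentialClientApplicationBuilder.Create(clientId)
            .WithCertificate(LoadCertificate(thumbprint))
            .WithAuthority(new Uri(authority))
            .Build();
        // App-only scope for the SharePoint resource: https://{tenant}.sharepoint.com/.default
        var resource = new Uri(siteUrl).GetLeftPart(UriPartial.Authority);
        var result = await app.AcquireTokenForClient(new[] { $"{resource}/.default" })
            .ExecuteAsync();
        return result.AccessToken;
    }
}
```

Swapping the tenant id for the string "organizations" in `BuildAuthority` reproduces the wrong-tenant failure mode, which is why the guard throws rather than silently falling back.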


sadomovalex commented Jul 8, 2021

I've got the same error with PnP.Framework 1.5.0 (according to https://www.nuget.org/packages/PnP.Framework, version 1.5.0 was released 2021-06-07 and should include the provided fix?) when I tried to authenticate to SPO with a certificate. Here is the minimal code to reproduce the issue:

using (var authMngr = PnP.Framework.AuthenticationManager.CreateWithCertificate(AppId, StoreName.My,
    StoreLocation.CurrentUser, AppCertificateThumbprint, AADDomain))
{
    using (var ctx = authMngr.GetContext("https://{mytenant}.sharepoint.com/sites/foo"))
    {
        ctx.Load(ctx.Web);
        ctx.ExecuteQuery();

        Console.WriteLine(ctx.Web.Title);
    }
}

it throws exception:
"Microsoft.Identity.Client.MsalServiceException: 'AADSTS700016: Application with identifier '...' was not found in the directory 'sharepoint.com'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant."

Similar code with SharePointPnPCoreOnline works properly:

using (var authMngr = new AuthenticationManager())
{
    using (var ctx = authMngr.GetAzureADAppOnlyAuthenticatedContext("https://{mytenant}.sharepoint.com/sites/foo",
        AppId, AADDomain, StoreName.My, StoreLocation.CurrentUser, AppCertificateThumbprint))
    {
        ctx.Load(ctx.Web);
        ctx.ExecuteQuery();

        Console.WriteLine(ctx.Web.Title);
    }
}
