
IDownstreamApi interface unable to retrieve access token for applications using CIAM endpoint when created with TokenAcquirerFactory.GetDefaultInstance() #2213

@v-michaelmi

Microsoft.Identity.Web Library: Microsoft.Identity.Web

Microsoft.Identity.Web version: 2.9.0

Web app: Sign-in users and call web APIs

Web API: Protected web APIs call downstream web APIs

Token cache serialization: In-memory caches

Description

Create an application similar to the one shown here.

However, instead of providing https://login.microsoftonline.com as the Instance or Authority value in the appsettings.json file, provide a CIAM URL such as https://myciamtenant.ciamlogin.com.

After doing this, attempts to retrieve an access token to make requests using the IDownstreamApi will fail with a tenant_override_non_aad error.

Reproduction steps

  1. Create an application similar to the one shown here.
  2. Set the Instance or Authority value in the appsettings.json file to use a CIAM URL such as https://myciamtenant.ciamlogin.com instead of https://login.microsoftonline.com.
  3. Run the application. You'll see the error.

Error message

Unhandled exception. MSAL.NetCore.4.53.0.0.MsalClientException: 
        ErrorCode: tenant_override_non_aad
Microsoft.Identity.Client.MsalClientException: WithTenantId can only be used when an AAD authority is specified at the application level.
   at Microsoft.Identity.Client.AbstractAcquireTokenParameterBuilder`1.WithTenantId(String tenantId)
   at Microsoft.Identity.Web.TokenAcquisition.GetAuthenticationResultForAppAsync(String scope, String authenticationScheme, String tenant, TokenAcquisitionOptions tokenAcquisitionOptions)
   at Microsoft.Identity.Web.DefaultAuthorizationHeaderProvider.CreateAuthorizationHeaderForAppAsync(String scopes, AuthorizationHeaderProviderOptions downstreamApiOptions, CancellationToken cancellationToken)
   at Microsoft.Identity.Web.DownstreamApi.CallApiInternalAsync(String serviceName, DownstreamApiOptions effectiveOptions, Boolean appToken, HttpContent content, ClaimsPrincipal user, CancellationToken cancellationToken)
   at Microsoft.Identity.Web.DownstreamApi.PostForAppAsync[TInput,TOutput](String serviceName, TInput input, Action`1 downstreamApiOptionsOverride, CancellationToken cancellationToken)
   at Program.<Main>$(String[] args) in C:\GitHub\AzureSamples\ms-identity-ciam-dotnet-tutorial\2-Authorization\3-call-own-api-dotnet-core-daemon\ToDoListClient\Program.cs:line 30
   at Program.<Main>(String[] args)

Id Web logs

N/A

Relevant code snippets

Any HTTP call with the IDownstreamApi as an application.

A possible diagnosis is that applications using a CIAM authority URL for their Instance or Authority values will trigger a failure in calls to the WithTenantId method, because tenant overrides are only supported in AAD applications.

GetAuthenticationResultForAppAsync makes the call to WithTenantId which then triggers the failure.

Regression

N/A

Expected behavior

The IDownstreamApi HTTP class should work for applications even with a CIAM URL set as the Instance or Authority value.
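To make the reproduction concrete, here is a constructed appsettings.json for a daemon app of the kind the report describes, with the AzureAd:Instance value set to a CIAM authority instead of https://login.microsoftonline.com. This is an added example, not the issue author's file or the sample's own configuration; the tenant name, GUIDs, downstream API URL and scope are placeholders, and the "DownstreamApi" section name is an assumption (TokenAcquirerFactory.GetDefaultInstance() reads the "AzureAd" section by default).

```json
{
  "AzureAd": {
    "Instance": "https://myciamtenant.ciamlogin.com/",
    "TenantId": "00000000-0000-0000-0000-000000000000",
    "ClientId": "11111111-1111-1111-1111-111111111111",
    "ClientCredentials": [
      {
        "SourceType": "ClientSecret",
        "ClientSecret": "<placeholder-secret-use-a-secure-store-in-production>"
      }
    ]
  },
  "DownstreamApi": {
    "BaseUrl": "https://localhost:44351/",
    "RelativePath": "api/todolist",
    "Scopes": [ "api://22222222-2222-2222-2222-222222222222/.default" ]
  }
}
```

With this file, any app-only call such as PostForAppAsync against the "DownstreamApi" section reaches GetAuthenticationResultForAppAsync, which calls WithTenantId and, per the stack trace above, fails with tenant_override_non_aad because the authority is not an AAD one; swapping the Instance back to https://login.microsoftonline.com/ is the quickest way to confirm that the authority value alone is what triggers the error.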

Labels: question (Further information is requested)