InvalidAuthenticationTokenTenant Exceptions

If you want to debug an app that accesses Azure resources using Managed Service Identity (MSI) in Visual Studio or VS Code then you may well find yourself getting an error similar to that below.

Azure.RequestFailedException: Service request failed.
Status: 401 (Unauthorized)

Content:
{"error":{"code":"InvalidAuthenticationTokenTenant","message":"The access token is from the wrong issuer 'https://sts.windows.net/36D497E5-F857-49F4-B1C1-EAEE7FBBAE02/'. It must match the tenant 'https://sts.windows.net/9B85A6E8-8F30-4CC6-9999-B200A7794164/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/ef2f812a-fb40-4091-825e-c3367e68875e' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later."}}

Although the error message is pretty clear, it’s not obvious what you can do about it.

When accessing MSI protected resources in Visual Studio it attempts to get an access token using the default login you’ve set, unfortunatly this is from the tenant where your login exists and if you’re trying to access a resource in a different tenant then the tenant IDs won’t match and you’ll recieve an Unauthorized response.

In order to resolve this issue you need to set the desired tenant ID in the apps enviroment settings, this way it will get picked up by the DefaultAzureCredential() method which will then authenticate you against the desired tenant.

This can be done by adding an enviroment variable called AZURE_TENANT_ID in Properties > Debug.

When the app is published to Azure MSI should work as expected as the user will be created in the desired tenant.