Have not filtered by tenant ID warning message filling logs #3469

Closed
councilwisenick opened this issue Jul 12, 2022 · 5 comments

Comments

@councilwisenick

Hi,

I am using MSAL.NET for authenticating on a REST API which uses the OBO flow. The API operates in a multi-tenanted environment where clients from various tenants need to connect. As a result, the API uses the "Organizations" tenant id.

I'm using the distributed token cache to store tokens in the API's backend database, and each time the API accesses the cache, I am seeing this log warning message:

2022-07-11 05:37:11.956 +00:00 [Warning] Microsoft.Identity.Web.TokenAcquisition: False MSAL 4.44.0.0 MSAL.NetCore .NET 6.0.3 Microsoft Windows 10.0.14393 [2022-07-11 05:37:11Z - 834....efe] Have not filtered by tenant ID. This can happen in OBO scenario where authority is /common or /organizations. Please use tenanted authority.

The log message is quite clear about what causes it to show up, but I have a few questions:

  1. There is no explanation as to why this is a warning rather than say just an info message, and whether it's something I need to worry about. The API seems to be functioning totally fine as-is. I assume there is some potential performance impact if not filtering by tenant id?
  2. Is it possible to address this warning and filter by tenant ID, while keeping the API as OBO with /organizations tenant?
  3. This message is polluting my logs as each request generates this warning. I'd rather not set my log level to Error to get rid of it. Is there a way I can set logging level for MSAL.NET only to not log these warnings?

I've hunted and can't find any further doco about this. Based on what I currently understand (which isn't much), it feels to me like it should be an information-level message rather than a warning.

Thanks

@bgavrilMS
Member

bgavrilMS commented Jul 13, 2022

Thanks for pointing this out @councilwisenick.

First, are you sure you need to use OBO and MSAL ?

Multi-tenant applications using OBO are quite complex to understand, but the important aspects of multi-tenancy are:

  • if you specify an authority ending in "common" or "organizations", it means "I don't know the tenant where this user lives. Let AAD discover this for me". AAD will discover this fine, but it will always choose the **home tenant**
  • In a web api scenario, you are given a token from some client (e.g. a mobile app, a web site or another web api). You are allowed to look into this token. This token could be from a normal user or from a guest user. You can't know this in web api. So the solution is to use the authority "https://login.microsoftonline.com/{upstream_token.tid_claim}", i.e. use the tid claim of the token. To make things easier, MSAL offers an API called WithTenantId on the AcquireToken* method.

Again, multi-tenancy is complex, so better to use Microsoft.identity.web
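The tenanted-authority approach described in the comment above, as an added example that is not code from the issue, from MSAL.NET, or from Microsoft.Identity.Web: a hypothetical web API helper that reads the `tid` claim from the incoming bearer token and passes it to `WithTenantId` on the OBO call, so the app-wide authority can stay `/organizations` while each request is pinned to the caller's tenant. The client ID, secret, scope and class/method names are assumptions for illustration; reading the `tid` claim here assumes the API's authentication middleware has already validated the token's signature and issuer.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Hypothetical helper (not part of MSAL.NET, Microsoft.Identity.Web or the issue):
// acquires a downstream token via OBO, pinning the authority to the tenant named
// in the incoming token's tid claim instead of relying on /organizations alone.
public static class OboTokenAcquirer
{
    // Assumed placeholder values; a real API loads these from configuration.
    private const string ClientId = "00000000-0000-0000-0000-000000000000";
    private const string ClientSecret = "<client-secret-from-configuration>";

    private static readonly IConfidentialClientApplication App =
        ConfidentialClientApplicationBuilder.Create(ClientId)
            .WithClientSecret(ClientSecret)
            // Multi-tenant API: the application-wide authority stays
            // /organizations; the effective tenant is chosen per request below.
            .WithAuthority(AzureCloudInstance.AzurePublic, "organizations")
            .Build();

    // Reads the tid claim from the bearer token the API received.
    // This only *parses* the JWT; signature and issuer validation must already
    // have been done by the API's JwtBearer authentication middleware.
    public static string GetTenantIdFromIncomingToken(string incomingJwt)
    {
        var jwt = new JwtSecurityTokenHandler().ReadJwtToken(incomingJwt);
        var tid = jwt.Claims.FirstOrDefault(c => c.Type == "tid")?.Value;
        if (string.IsNullOrEmpty(tid))
            throw new InvalidOperationException("Incoming token has no tid claim.");
        return tid;
    }

    // OBO exchange for a Microsoft Graph token on behalf of the caller.
    public static async Task<AuthenticationResult> AcquireGraphTokenOnBehalfOfAsync(string incomingJwt)
    {
        string tenantId = GetTenantIdFromIncomingToken(incomingJwt);
        string[] scopes = { "https://graph.microsoft.com/User.Read" };

        return await App
            .AcquireTokenOnBehalfOf(scopes, new UserAssertion(incomingJwt))
            // Same effect as using https://login.microsoftonline.com/{tid}:
            // the request goes to the tenant that issued the upstream token and
            // MSAL can look up / store the result in its cache by that tenant.
            .WithTenantId(tenantId)
            .ExecuteAsync();
    }
}
```

Using the `tid` of the upstream token (rather than the user's home tenant that `/organizations` would resolve to) is what makes guest-user scenarios behave, since a guest's token is issued by the resource tenant, not the home tenant. If the API relies on Microsoft.Identity.Web's `ITokenAcquisition` instead of calling MSAL directly, this tenant selection is handled for you, as the rest of the thread notes.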

@councilwisenick
Author

Hi @bgavrilMS , thanks for the reply.

Just to confirm, this is indeed a web API not a web app. The web API is using OBO as it needs to perform MS Graph API calls on behalf of the user.

I am actually using Microsoft.Identity.Web but when it uses MSAL.NET underneath it generates this message. I don't seem to have a lot of control over what is happening for token acquisition as this is being handled for me - I am not calling AcquireToken directly. I should have been clearer on this point in my original post, sorry about that.

Perhaps I should post this over on the identity.web github instead?

@bgavrilMS
Member

I have also identified this problem in Microsoft.Identity.Web and have already logged a bug there, which was fixed. If you use the version 1.25 of Id.Web the log message should not be there. If it is, we need to reopen the bug.

AzureAD/microsoft-identity-web#1738

@councilwisenick
Author

I'm sorry I feel I have wasted your time a bit on this one! I was a version behind on identity.web and after updating, the warning has disappeared!

Thank you very much for your help on this @bgavrilMS

@bgavrilMS
Member

Not at all @councilwisenick , this was a good discussion!
