Azure · g2vinay · Oct 13, 2021 · Sep 28, 2021 · Sep 29, 2021 · Oct 4, 2021
@@ -19,7 +19,7 @@
  * </ol>
  */
 @Immutable
-public final class AzureApplicationCredential extends ChainedTokenCredential {
+final class AzureApplicationCredential extends ChainedTokenCredential {
     /**
      * Creates default AzureApplicationCredential instance to use. This will use environment variables to create
      * {@link EnvironmentCredential}

@@ -15,13 +15,13 @@
  *
  * @see AzureApplicationCredential
  */
-public class AzureApplicationCredentialBuilder extends CredentialBuilderBase<AzureApplicationCredentialBuilder> {
+class AzureApplicationCredentialBuilder extends CredentialBuilderBase<AzureApplicationCredentialBuilder> {
     private String managedIdentityClientId;
 
     /**
      * Creates an instance of a AzureApplicationCredentialBuilder.
      */
-    public AzureApplicationCredentialBuilder() {
+    AzureApplicationCredentialBuilder() {
         Configuration configuration = Configuration.getGlobalConfiguration().clone();
         managedIdentityClientId = configuration.get(Configuration.PROPERTY_AZURE_CLIENT_ID);
     }

@@ -25,10 +25,13 @@ public class AzureCliCredential implements TokenCredential {
 
     /**
      * Creates an AzureCliSecretCredential with default identity client options.
+     * @param tenantId the tenant id of the application
      * @param identityClientOptions the options to configure the identity client
      */
-    AzureCliCredential(IdentityClientOptions identityClientOptions) {
-        identityClient = new IdentityClientBuilder().identityClientOptions(identityClientOptions).build();
+    AzureCliCredential(String tenantId, IdentityClientOptions identityClientOptions) {
+        identityClient = new IdentityClientBuilder()
+            .tenantId(tenantId)
+            .identityClientOptions(identityClientOptions).build();
     }
 
     @Override

@@ -3,18 +3,34 @@
 
 package com.azure.identity;
 
+import com.azure.identity.implementation.util.ValidationUtil;
+
 /**
  * Fluent credential builder for instantiating a {@link AzureCliCredential}.
  *
  * @see AzureCliCredential
  */
 public class AzureCliCredentialBuilder extends CredentialBuilderBase<AzureCliCredentialBuilder> {
+    private String tenantId;
+
+    /**
+     * Sets the tenant ID of the application.
+     *
+     * @param tenantId the tenant ID of the application.
+     * @return An updated instance of this builder with the tenant id set as specified.
+     */
+    public AzureCliCredentialBuilder tenantId(String tenantId) {
+        ValidationUtil.validateTenantIdCharacterRange(getClass().getSimpleName(), tenantId);
+        this.tenantId = tenantId;
+        return this;
+    }
+
      /**
      * Creates a new {@link AzureCliCredential} with the current configurations.
      *
      * @return a {@link AzureCliCredential} with the current configurations.
      */
     public AzureCliCredential build() {
-        return new AzureCliCredential(identityClientOptions);
+        return new AzureCliCredential(tenantId, identityClientOptions);
     }
 }
@@ -22,11 +22,11 @@ public class AzurePowerShellCredential implements TokenCredential {
     private final IdentityClient identityClient;
     private final ClientLogger logger = new ClientLogger(AzurePowerShellCredential.class);
 
-    AzurePowerShellCredential(IdentityClientOptions options) {
+    AzurePowerShellCredential(String tenantId, IdentityClientOptions options) {
         identityClient = new IdentityClientBuilder()
             .identityClientOptions(options)
+            .tenantId(tenantId)
             .build();
-
     }
 
     @Override

@@ -3,19 +3,34 @@
 
 package com.azure.identity;
 
+import com.azure.identity.implementation.util.ValidationUtil;
+
 /**
  * Fluent credential builder for instantiating a {@link AzurePowerShellCredential}.
  *
  * @see AzurePowerShellCredential
  */
 public class AzurePowerShellCredentialBuilder extends CredentialBuilderBase<AzurePowerShellCredentialBuilder> {
+    private String tenantId;
+
+    /**
+     * Sets the tenant ID of the application.
+     *
+     * @param tenantId the tenant ID of the application.
+     * @return An updated instance of this builder with the tenant id set as specified.
+     */
+    public AzurePowerShellCredentialBuilder tenantId(String tenantId) {
+        ValidationUtil.validateTenantIdCharacterRange(getClass().getSimpleName(), tenantId);
+        this.tenantId = tenantId;
+        return this;
+    }
 
      /**
      * Creates a new {@link AzurePowerShellCredential} with the current configurations.
      *
      * @return a {@link AzurePowerShellCredential} with the current configurations.
      */
     public AzurePowerShellCredential build() {
-        return new AzurePowerShellCredential(identityClientOptions);
+        return new AzurePowerShellCredential(tenantId, identityClientOptions);
     }
 }
@@ -4,6 +4,7 @@
 package com.azure.identity;
 
 import com.azure.core.util.logging.ClientLogger;
+import com.azure.identity.implementation.RegionalAuthority;
 import com.azure.identity.implementation.util.ValidationUtil;
 
 import java.io.InputStream;
@@ -128,7 +129,7 @@ public ClientCertificateCredentialBuilder sendCertificateChain(boolean sendCerti
      * @param regionalAuthority the regional authority
      * @return An updated instance of this builder with the regional authority configured.
      */
-    public ClientCertificateCredentialBuilder regionalAuthority(RegionalAuthority regionalAuthority) {
+    ClientCertificateCredentialBuilder regionalAuthority(RegionalAuthority regionalAuthority) {
         this.identityClientOptions.setRegionalAuthority(regionalAuthority);
         return this;
     }

@@ -3,6 +3,7 @@
 
 package com.azure.identity;
 
+import com.azure.identity.implementation.RegionalAuthority;
 import com.azure.identity.implementation.util.ValidationUtil;
 
 import java.util.HashMap;
@@ -70,7 +71,7 @@ public ClientSecretCredentialBuilder tokenCachePersistenceOptions(TokenCachePers
      * @param regionalAuthority the regional authority
      * @return An updated instance of this builder with the regional authority configured.
      */
-    public ClientSecretCredentialBuilder regionalAuthority(RegionalAuthority regionalAuthority) {
+    ClientSecretCredentialBuilder regionalAuthority(RegionalAuthority regionalAuthority) {
         this.identityClientOptions.setRegionalAuthority(regionalAuthority);
         return this;
     }

@@ -6,6 +6,7 @@
 import com.azure.core.http.HttpClient;
 import com.azure.core.http.HttpPipeline;
 import com.azure.core.http.ProxyOptions;
+import com.azure.core.util.Configuration;
 import com.azure.identity.implementation.IdentityClientOptions;
 
 import java.time.Duration;
@@ -91,14 +92,18 @@ public T httpClient(HttpClient client) {
     }
 
     /**
-     * Allows to override the tenant being used in the authentication request
-     * via {@link com.azure.core.credential.TokenRequestContext#setTenantId(String)}.
+     * Sets the configuration store that is used during construction of the credential.
      *
-     * @return An updated instance of this builder.
+     * The default configuration store is a clone of the {@link Configuration#getGlobalConfiguration() global
+     * configuration store}.
+     *
+     * @param configuration The configuration store used to load Env variables and/or properties from.
+     *
+     * @return An updated instance of this builder with the configuration store set as specified.
      */
     @SuppressWarnings("unchecked")
-    public T allowMultiTenantAuthentication() {
-        this.identityClientOptions.setAllowMultiTenantAuthentication(true);
+    public T configuration(Configuration configuration) {
+        identityClientOptions.setConfiguration(configuration);
         return (T) this;
     }
 }
@@ -131,8 +131,8 @@ private ArrayList<TokenCredential> getCredentialsChain() {
             tenantId, identityClientOptions));
         output.add(new IntelliJCredential(tenantId, identityClientOptions));
         output.add(new VisualStudioCodeCredential(tenantId, identityClientOptions));
-        output.add(new AzureCliCredential(identityClientOptions));
-        output.add(new AzurePowerShellCredential(identityClientOptions));
+        output.add(new AzureCliCredential(tenantId, identityClientOptions));
+        output.add(new AzurePowerShellCredential(tenantId, identityClientOptions));
         return output;
     }
 }
@@ -3,7 +3,6 @@
 
 package com.azure.identity;
 
-import com.azure.core.util.Configuration;
 import com.azure.core.util.CoreUtils;
 import com.azure.identity.implementation.util.ValidationUtil;
 
@@ -50,21 +49,6 @@ public EnvironmentCredentialBuilder executorService(ExecutorService executorServ
         return this;
     }
 
-    /**
-     * Sets the configuration store that is used during construction of the credential.
-     *
-     * The default configuration store is a clone of the {@link Configuration#getGlobalConfiguration() global
-     * configuration store}.
-     *
-     * @param configuration The configuration store used to load Env variables and/or properties from.
-     *
-     * @return An updated instance of this builder with the configuration store set as specified.
-     */
-    public EnvironmentCredentialBuilder configuration(Configuration configuration) {
-        identityClientOptions.setConfiguration(configuration);
-        return this;
-    }
-
     /**
      * Creates a new {@link EnvironmentCredential} with the current configurations.
      *

@@ -39,7 +39,8 @@ public final class ManagedIdentityCredential implements TokenCredential {
             .clientId(clientId)
             .identityClientOptions(identityClientOptions);
 
-        Configuration configuration = Configuration.getGlobalConfiguration().clone();
+        Configuration configuration = identityClientOptions.getConfiguration() == null
+            ? Configuration.getGlobalConfiguration().clone() : identityClientOptions.getConfiguration();
 
         if (configuration.contains(Configuration.PROPERTY_MSI_ENDPOINT)) {
             managedIdentityServiceCredential = new AppServiceMsiCredential(clientId, clientBuilder.build());

@@ -4,6 +4,7 @@
 package com.azure.identity;
 
 import com.azure.core.util.logging.ClientLogger;
+import com.azure.identity.implementation.RegionalAuthority;
 import com.azure.identity.implementation.util.ValidationUtil;
 
 import java.util.HashMap;
@@ -43,16 +44,35 @@ public OnBehalfOfCredentialBuilder tokenCachePersistenceOptions(TokenCachePersis
         return this;
     }
 
+    /**
+     * Sets the path of the PEM certificate for authenticating to AAD.
+     *
+     * @param pemCertificatePath the PEM file containing the certificate
+     * @return An updated instance of this builder.
+     */
+    public OnBehalfOfCredentialBuilder pemCertificate(String pemCertificatePath) {
+        this.clientCertificatePath = pemCertificatePath;
+        return this;
+    }
+
     /**
      * Sets the path and password of the PFX certificate for authenticating to AAD.
      *
-     * @param certificatePath the password protected PFX file containing the certificate
-     * @param clientCertificatePassword the password protecting the PFX file
+     * @param pfxCertificatePath the password protected PFX file containing the certificate
+     * @return An updated instance of this builder.
+     */
+    public OnBehalfOfCredentialBuilder pfxCertificate(String pfxCertificatePath) {
+        this.clientCertificatePath = pfxCertificatePath;
+        return this;
+    }
+
+    /**
+     * Sets the password of the client certificate for authenticating to AAD.
+     *
+     * @param clientCertificatePassword the password protecting the certificate
      * @return An updated instance of this builder.
      */
-    public OnBehalfOfCredentialBuilder pfxCertificate(String certificatePath,
-                                                             String clientCertificatePassword) {
-        this.clientCertificatePath = certificatePath;
+    public OnBehalfOfCredentialBuilder clientCertificatePassword(String clientCertificatePassword) {
         this.clientCertificatePassword = clientCertificatePassword;
         return this;
     }
@@ -78,7 +98,7 @@ public OnBehalfOfCredentialBuilder sendCertificateChain(boolean sendCertificateC
      * @param regionalAuthority the regional authority
      * @return An updated instance of this builder with the regional authority configured.
      */
-    public OnBehalfOfCredentialBuilder regionalAuthority(RegionalAuthority regionalAuthority) {
+    OnBehalfOfCredentialBuilder regionalAuthority(RegionalAuthority regionalAuthority) {
         this.identityClientOptions.setRegionalAuthority(regionalAuthority);
         return this;
     }

@@ -43,7 +43,8 @@ public class SharedTokenCacheCredential implements TokenCredential {
      */
     SharedTokenCacheCredential(String username, String clientId, String tenantId,
                                IdentityClientOptions identityClientOptions) {
-        Configuration configuration = Configuration.getGlobalConfiguration().clone();
+        Configuration configuration = identityClientOptions.getConfiguration() == null
+            ? Configuration.getGlobalConfiguration().clone() : identityClientOptions.getConfiguration();
 
         if (username == null) {
             this.username = configuration.get(Configuration.PROPERTY_AZURE_USERNAME);

@@ -23,7 +23,6 @@
 import com.azure.core.util.serializer.SerializerEncoding;
 import com.azure.identity.CredentialUnavailableException;
 import com.azure.identity.DeviceCodeInfo;
-import com.azure.identity.RegionalAuthority;
 import com.azure.identity.TokenCachePersistenceOptions;
 import com.azure.identity.implementation.util.CertificateUtil;
 import com.azure.identity.implementation.util.IdentityConstants;
@@ -405,10 +404,8 @@ public Mono<MsalToken> authenticateWithIntelliJ(TokenRequestContext request) {
      * @return a Publisher that emits an AccessToken
      */
     public Mono<AccessToken> authenticateWithAzureCli(TokenRequestContext request) {
-        String azCommand = "az account get-access-token --output json --resource ";
 
-        StringBuilder command = new StringBuilder();
-        command.append(azCommand);
+        StringBuilder azCommand = new StringBuilder("az account get-access-token --output json --resource ");
 
         String scopes = ScopeUtil.scopesToResource(request.getScopes());
 
@@ -418,7 +415,12 @@ public Mono<AccessToken> authenticateWithAzureCli(TokenRequestContext request) {
             return Mono.error(logger.logExceptionAsError(ex));
         }
 
-        command.append(scopes);
+        azCommand.append(scopes);
+
+        String tenant = IdentityUtil.resolveTenantId(null, request, options);
+        if (!CoreUtils.isNullOrEmpty(tenant)) {
+            azCommand.append("--tenant " + tenant);
+        }
 
         AccessToken token = null;
         BufferedReader reader = null;
@@ -433,7 +435,7 @@ public Mono<AccessToken> authenticateWithAzureCli(TokenRequestContext request) {
                 switcher = LINUX_MAC_SWITCHER;
             }
 
-            ProcessBuilder builder = new ProcessBuilder(starter, switcher, command.toString());
+            ProcessBuilder builder = new ProcessBuilder(starter, switcher, azCommand.toString());
             String workingDirectory = getSafeWorkingDirectory();
             if (workingDirectory != null) {
                 builder.directory(new File(workingDirectory));
@@ -583,6 +585,10 @@ private Mono<AccessToken> getAccessTokenFromPowerShell(TokenRequestContext reque
                     }
                     StringBuilder accessTokenCommand = new StringBuilder("Get-AzAccessToken -ResourceUrl ");
                     accessTokenCommand.append(ScopeUtil.scopesToResource(request.getScopes()));
+                    String tenant = IdentityUtil.resolveTenantId(null, request, options);
+                    if (!CoreUtils.isNullOrEmpty(tenant)) {
+                        accessTokenCommand.append("-TenantId " + tenant);
+                    }
                     accessTokenCommand.append(" | ConvertTo-Json");
                     return manager.runCommand(accessTokenCommand.toString())
                         .flatMap(out -> {