diff --git a/src/azure-cli-core/azure/cli/core/_identity.py b/src/azure-cli-core/azure/cli/core/_identity.py
index 9be5dcc7b86..0f0f4d5e864 100644
--- a/src/azure-cli-core/azure/cli/core/_identity.py
+++ b/src/azure-cli-core/azure/cli/core/_identity.py
@@ -64,10 +64,10 @@ class Identity:
     CLOUD_SHELL_IDENTITY_UNIQUE_NAME = "unique_name"
-    def __init__(self, authority=None, tenant_id=None, client_id=_CLIENT_ID, **kwargs):
+    def __init__(self, authority=None, tenant_id=None, client_id=None, **kwargs):
         self.authority = authority
-        self.tenant_id = tenant_id
-        self.client_id = client_id
+        self.tenant_id = tenant_id or "organizations"
+        self.client_id = client_id or _CLIENT_ID
         self._cred_cache = kwargs.pop('cred_cache', None)
         # todo: MSAL support force encryption
         self.allow_unencrypted = True
@@ -92,7 +92,9 @@ def _msal_app(self):
         # Store for user token persistence
         cache = load_persistent_cache(self.allow_unencrypted)
-        return PublicClientApplication(authority=self.authority, client_id=self.client_id, token_cache=cache)
+        # Build the authority in MSAL style
+        msal_authority = "https://{}/{}".format(self.authority, self.tenant_id)
+        return PublicClientApplication(authority=msal_authority, client_id=self.client_id, token_cache=cache)
     def login_with_interactive_browser(self):
         # Use InteractiveBrowserCredential
@@ -256,16 +258,15 @@ def _decode_managed_identity_token(self, credential, resource):
         return decoded
     def get_user(self, user_or_sp=None):
-        try:
-            return self._msal_app.get_accounts(user_or_sp)
-        except ValueError:
-            pass
+        accounts = self._msal_app.get_accounts(user_or_sp)
+        return accounts
     def logout_user(self, user_or_sp):
         accounts = self._msal_app.get_accounts(user_or_sp)
         logger.info('Before account removal:')
         logger.info(json.dumps(accounts))
+        # `accounts` are the same user in all tenants, log out all of them
         for account in accounts:
             self._msal_app.remove_account(account)
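Review bot: The new defaults in `__init__` are undocumented and rely on truthiness, so `tenant_id=""` or `client_id=""` silently becomes `"organizations"` / `_CLIENT_ID` instead of being rejected, while `authority` keeps `None` as its default even though `_msal_app` (second hunk) now embeds it in a URL. A docstring should state this contract, for example `"""authority: identity endpoint host, required by _msal_app (which prepends https://). tenant_id: defaults to "organizations", MSAL's multi-tenant alias. client_id: defaults to the CLI's own _CLIENT_ID."""`. If an empty string is never a legitimate value, `if tenant_id is None` would make the fallback explicit and keep an accidental empty value visible rather than quietly replaced.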
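Review bot: `msal_authority` is formatted from `self.authority` with no check that it was provided, and `__init__` still defaults it to `None`, so `Identity()` hands MSAL the literal string `https://None/organizations` and the failure only surfaces later inside MSAL instead of at construction. A guard before the format keeps the error close to its cause: `if not self.authority: raise ValueError("authority is required to build the MSAL authority URL")`. Because the format always prepends `https://`, a caller that already passes a scheme-qualified value would get a doubled scheme; `_profile.py` passes `self._authority` and its format is not visible here, so this is worth confirming. The new comment could also note that this host/tenant pair is the issuer the CLI will trust for tokens, which is why MSAL's default authority validation should stay enabled. `_msal_app` begins outside this hunk.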
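Review bot: `get_user` no longer swallows `ValueError` from `get_accounts`, so callers that used to receive `None` now get an exception; the `logout` path in `_profile.py` touched later in this same diff calls `identity.get_user(user_or_sp)` and tests `if accounts:` with no handler, so if MSAL does raise for a malformed username the logout now aborts there. If that exception is believed unreachable, document the contract instead, e.g. `"""Return the MSAL accounts matching user_or_sp, or all cached accounts when it is None."""`; the two-line body also reduces to `return self._msal_app.get_accounts(user_or_sp)`. In `logout_user` the context line `logger.info(json.dumps(accounts))` still writes the full account records, which identify the signed-in user, to the info log; that predates this change but deserves a look while the function is being edited. `logout_user` continues past the end of the hunk.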
@@ -276,6 +277,7 @@ def logout_user(self, user_or_sp):
         self._msal_store.remove_cached_creds(user_or_sp)
     def logout_all(self):
+        # TODO: Support multi-authority logout
         accounts = self._msal_app.get_accounts()
         logger.info('Before account removal:')
         logger.info(json.dumps(accounts))
diff --git a/src/azure-cli-core/azure/cli/core/_profile.py b/src/azure-cli-core/azure/cli/core/_profile.py
index e89575f5e40..3a79b771b29 100644
--- a/src/azure-cli-core/azure/cli/core/_profile.py
+++ b/src/azure-cli-core/azure/cli/core/_profile.py
@@ -440,7 +440,7 @@ def logout(self, user_or_sp, clear_credential):
         # https://english.stackexchange.com/questions/5302/log-in-to-or-log-into-or-login-to
         logger.warning("Account %s was not logged in to Azure CLI.", user_or_sp)
-        # Deal with MSAL cache
+        # Log out from MSAL cache
         identity = Identity(self._authority)
         accounts = identity.get_user(user_or_sp)
         if accounts: