diff --git a/src/client/Microsoft.Identity.Client/ApiConfig/AcquireTokenForClientParameterBuilder.cs b/src/client/Microsoft.Identity.Client/ApiConfig/AcquireTokenForClientParameterBuilder.cs
index a5de3e36f0..5509dc8ee7 100644
--- a/src/client/Microsoft.Identity.Client/ApiConfig/AcquireTokenForClientParameterBuilder.cs
+++ b/src/client/Microsoft.Identity.Client/ApiConfig/AcquireTokenForClientParameterBuilder.cs
@@ -165,6 +165,7 @@ internal override Task ExecuteInternalAsync(CancellationTo
 }

 ///
+ /// for a comment inside this function for AzureRegion.
 protected override void Validate()
 {
 if (CommonParameters.MtlsCertificate != null)
@@ -187,8 +188,10 @@ protected override void Validate()
 }

 // Check for Azure region only if the authority is AAD
+ // AzureRegion is by default set to null or set to null when the application is created
+ // with region set to DisableForceRegion (see ConfidentialClientApplicationBuilder.Validate)
 if (ServiceBundle.Config.Authority.AuthorityInfo.AuthorityType == AuthorityType.Aad &&
- string.IsNullOrEmpty(ServiceBundle.Config.AzureRegion))
+ ServiceBundle.Config.AzureRegion == null)
 {
 throw new MsalClientException(
 MsalError.MtlsPopWithoutRegion,
diff --git a/tests/Microsoft.Identity.Test.Unit/PublicApiTests/MtlsPopTests.cs b/tests/Microsoft.Identity.Test.Unit/PublicApiTests/MtlsPopTests.cs
index fcc2ca07d7..b75159824f 100644
--- a/tests/Microsoft.Identity.Test.Unit/PublicApiTests/MtlsPopTests.cs
+++ b/tests/Microsoft.Identity.Test.Unit/PublicApiTests/MtlsPopTests.cs
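Review bot: The region guard in `AcquireTokenForClientParameterBuilder.Validate()` (second hunk) now rejects only a null `AzureRegion`, so an empty string, which the previous `string.IsNullOrEmpty` check also rejected, would pass and the mTLS PoP request would continue without a usable region. The added comment says the builder's own Validate normalizes the value to null, but that code is not part of this diff, so the guard depends on an invariant enforced elsewhere. Unless an empty value is provably impossible at this point, keep the stricter condition, `string.IsNullOrEmpty(ServiceBundle.Config.AzureRegion))`, alongside the new comment, or extend the comment to say why an empty region is acceptable. The `throw` statement continues past the end of the hunk.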
@@ -129,28 +129,44 @@ public async Task MtlsPopWithoutCertificateWithClientAssertionAsync()
 Assert.AreEqual(MsalError.MtlsCertificateNotProvided, ex.ErrorCode);
 }

- [TestMethod]
- public async Task MtlsPopWithoutRegionAsync()
+ [DataTestMethod]
+ [DataRow(false)]
+ [DataRow(true)]
+ public async Task MtlsPop_WithoutRegion_ThrowsException(bool setAzureRegion)
 {
 using (var envContext = new EnvVariableContext())
 {
- Environment.SetEnvironmentVariable("REGION_NAME", null); // Ensure no region is set
-
- IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
- .Create(TestConstants.ClientId)
- .WithAuthority(TestConstants.AuthorityTenant)
- .WithCertificate(s_testCertificate)
- .WithExperimentalFeatures()
- .Build();
+ IConfidentialClientApplication app;
+ if (setAzureRegion)
+ {
+ app = ConfidentialClientApplicationBuilder
+ .Create(TestConstants.ClientId)
+ .WithAuthority(TestConstants.AuthorityTenant)
+ .WithCertificate(s_testCertificate)
+ // Setting Azure region to ConfidentialClientApplicationBuilder.DisableForceRegion overrides the AzureRegion to null.
+ .WithAzureRegion(ConfidentialClientApplicationBuilder.DisableForceRegion)
+ .WithExperimentalFeatures()
+ .Build();
+ }
+ else
+ {
+ app = ConfidentialClientApplicationBuilder
+ .Create(TestConstants.ClientId)
+ .WithAuthority(TestConstants.AuthorityTenant)
+ .WithCertificate(s_testCertificate)
+ .WithExperimentalFeatures()
+ .Build();
+ }

- // Set WithMtlsProofOfPossession on the request without specifying a region
+ // Set WithMtlsProofOfPossession on the request
 MsalClientException ex = await AssertException.TaskThrowsAsync(() =>
- app.AcquireTokenForClient(TestConstants.s_scope)
- .WithMtlsProofOfPossession() // Enables MTLS PoP
- .ExecuteAsync())
- .ConfigureAwait(false);
+ app.AcquireTokenForClient(TestConstants.s_scope)
+ .WithMtlsProofOfPossession() // Enables MTLS PoP
+ .ExecuteAsync())
+ .ConfigureAwait(false);

 Assert.AreEqual(MsalError.MtlsPopWithoutRegion, ex.ErrorCode);
+ Assert.AreEqual(MsalErrorMessage.MtlsPopWithoutRegion, ex.Message);
 }
 }
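Review bot: The rewritten test no longer clears `REGION_NAME`, so the `setAzureRegion == false` row may depend on the ambient environment having no region configured, and `envContext` no longer guards anything visible in the hunk. Restoring `Environment.SetEnvironmentVariable("REGION_NAME", null);` as the first statement inside the `using` block would keep both rows hermetic. The rows cover a default (null) region and `DisableForceRegion` but not an empty region string, which is the one input whose handling the production guard changed from `string.IsNullOrEmpty` to `== null`; a third case pinning that behaviour would document the intent. The two builder chains differ only by the `.WithAzureRegion(...)` call and could share one builder variable.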