Potential fix for issue highlighted in parent branch

src/client/Microsoft.Identity.Client/ApiConfig/Executors/ClientApplicationBaseExecutor.cs

@@ -47,6 +47,9 @@ public async Task<AuthenticationResult> ExecuteAsync(
             AcquireTokenByRefreshTokenParameters refreshTokenParameters,
             CancellationToken cancellationToken)
         {
+            await commonParameters.TryInitMtlsPopParametersAsync(ServiceBundle, cancellationToken)
+                .ConfigureAwait(false);
+
             var requestContext = CreateRequestContextAndLogVersionInfo(commonParameters.CorrelationId, commonParameters.MtlsCertificate, cancellationToken);
             if (commonParameters.Scopes == null || !commonParameters.Scopes.Any())
             {

src/client/Microsoft.Identity.Client/ApiConfig/Executors/ConfidentialClientExecutor.cs

@@ -37,6 +37,9 @@ public async Task<AuthenticationResult> ExecuteAsync(
             AcquireTokenByAuthorizationCodeParameters authorizationCodeParameters,
             CancellationToken cancellationToken)
         {
+            await commonParameters.TryInitMtlsPopParametersAsync(ServiceBundle, cancellationToken)
+                .ConfigureAwait(false);
+
             RequestContext requestContext = CreateRequestContextAndLogVersionInfo(commonParameters.CorrelationId, commonParameters.MtlsCertificate, cancellationToken);
 
             AuthenticationRequestParameters requestParams = await _confidentialClientApplication.CreateRequestParametersAsync(
@@ -85,6 +88,9 @@ public async Task<AuthenticationResult> ExecuteAsync(
             AcquireTokenOnBehalfOfParameters onBehalfOfParameters,
             CancellationToken cancellationToken)
         {
+            await commonParameters.TryInitMtlsPopParametersAsync(ServiceBundle, cancellationToken)
+                .ConfigureAwait(false);
+
             RequestContext requestContext = CreateRequestContextAndLogVersionInfo(commonParameters.CorrelationId, commonParameters.MtlsCertificate, cancellationToken);
 
             AuthenticationRequestParameters requestParams = await _confidentialClientApplication.CreateRequestParametersAsync(

src/client/Microsoft.Identity.Client/Instance/Discovery/RegionAndMtlsDiscoveryProvider.cs

@@ -59,7 +59,15 @@ public async Task<InstanceDiscoveryMetadataEntry> GetMetadataAsync(Uri authority
             string region = null;
             bool isMtlsEnabled = requestContext.IsMtlsRequested;
 
-            if (requestContext.ApiEvent?.ApiId == TelemetryCore.Internal.Events.ApiEvent.ApiIds.AcquireTokenForClient)
+            // Always attempt region discovery for AcquireTokenForClient.
+            // Also attempt it for mTLS-enabled user flows when the app has opted in to
+            // regional endpoints (AzureRegion != null), so that OBO/RT can use a regional
+            // mTLS endpoint (e.g. eastus.mtlsauth.microsoft.com) when configured.
+            bool shouldAttemptRegionDiscovery =
+                requestContext.ApiEvent?.ApiId == TelemetryCore.Internal.Events.ApiEvent.ApiIds.AcquireTokenForClient ||
+                (isMtlsEnabled && requestContext.ServiceBundle.Config.AzureRegion != null);
+
+            if (shouldAttemptRegionDiscovery)
             {
                 region = await _regionManager.GetAzureRegionAsync(requestContext).ConfigureAwait(false);
             }

src/client/Microsoft.Identity.Client/Internal/Requests/AuthenticationRequestParameters.cs

@@ -97,6 +97,17 @@ public AuthenticationRequestParameters(
 
         public AuthorityInfo AuthorityInfo => AuthorityManager.Authority.AuthorityInfo;
 
+        /// <summary>
+        /// Returns the authority info appropriate for cache alias resolution.
+        /// When mTLS is active, the current authority may be rewritten to mtlsauth.microsoft.com,
+        /// which is not a valid host for instance discovery. Use the original login.* authority
+        /// for all cache environment/alias lookups.
+        /// </summary>
+        public AuthorityInfo CacheAuthorityInfo =>
+            RequestContext.IsMtlsRequested
+                ? AuthorityManager.OriginalAuthority.AuthorityInfo
+                : AuthorityInfo;
+
         public AuthorityInfo AuthorityOverride => _commonParameters.AuthorityOverride;
 
         #endregion

src/client/Microsoft.Identity.Client/TokenCache.ITokenCacheInternal.cs

@@ -723,7 +723,7 @@ private async Task<List<MsalAccessTokenCacheItem>> FilterTokensByEnvironmentAsyn
 
             // at this point we need environment aliases, try to get them without a discovery call
             var instanceMetadata = await ServiceBundle.InstanceDiscoveryManager.GetMetadataEntryTryAvoidNetworkAsync(
-                                     requestParams.AuthorityInfo,
+                                     requestParams.CacheAuthorityInfo,
                                      tokenCacheItems.Select(at => at.Environment),  // if all environments are known, a network call can be avoided
                                      requestParams.RequestContext)
                             .ConfigureAwait(false);
@@ -841,7 +841,7 @@ async Task<MsalRefreshTokenCacheItem> ITokenCacheInternal.FindRefreshTokenAsync(
                 {
                     var metadata =
                     await ServiceBundle.InstanceDiscoveryManager.GetMetadataEntryTryAvoidNetworkAsync(
-                        requestParams.AuthorityInfo,
+                        requestParams.CacheAuthorityInfo,
                         refreshTokens.Select(rt => rt.Environment),  // if all environments are known, a network call can be avoided
                         requestParams.RequestContext)
                     .ConfigureAwait(false);
@@ -871,7 +871,7 @@ await ServiceBundle.InstanceDiscoveryManager.GetMetadataEntryTryAvoidNetworkAsyn
             {
                 var metadata =
                   await ServiceBundle.InstanceDiscoveryManager.GetMetadataEntryTryAvoidNetworkAsync(
-                      requestParams.AuthorityInfo,
+                      requestParams.CacheAuthorityInfo,
                       refreshTokens.Select(rt => rt.Environment),  // if all environments are known, a network call can be avoided
                       requestParams.RequestContext)
                   .ConfigureAwait(false);
@@ -942,7 +942,7 @@ private static void FilterRefreshTokensByHomeAccountIdOrAssertion(
             var allAppMetadata = Accessor.GetAllAppMetadata();
 
             var instanceMetadata = await ServiceBundle.InstanceDiscoveryManager.GetMetadataEntryTryAvoidNetworkAsync(
-                    requestParams.AuthorityInfo,
+                    requestParams.CacheAuthorityInfo,
                     allAppMetadata.Select(m => m.Environment),
                     requestParams.RequestContext)
                 .ConfigureAwait(false);
@@ -1014,7 +1014,7 @@ async Task<IEnumerable<IAccount>> ITokenCacheInternal.GetAccountsAsync(Authentic
             }
 
             InstanceDiscoveryMetadataEntry instanceMetadata = await ServiceBundle.InstanceDiscoveryManager.GetMetadataEntryTryAvoidNetworkAsync(
-                requestParameters.AuthorityInfo,
+                requestParameters.CacheAuthorityInfo,
                 allEnvironmentsInCache,
                 requestParameters.RequestContext).ConfigureAwait(false);
 
@@ -1184,7 +1184,7 @@ private async Task<IDictionary<string, TenantProfile>> GetTenantProfilesAsync(
                     StringComparer.OrdinalIgnoreCase);
 
                 InstanceDiscoveryMetadataEntry instanceMetadata = await ServiceBundle.InstanceDiscoveryManager.GetMetadataEntryTryAvoidNetworkAsync(
-                    requestParameters.AuthorityInfo,
+                    requestParameters.CacheAuthorityInfo,
                     allEnvironmentsInCache,
                     requestParameters.RequestContext).ConfigureAwait(false);