[Core] Support disabling instance discovery (#27494)

Azure · Nov 3, 2023 · b00483c · b00483c
1 parent 2f2c929
commit b00483c
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 2 deletions.
diff --git a/src/azure-cli-core/azure/cli/core/_profile.py b/src/azure-cli-core/azure/cli/core/_profile.py
@@ -861,5 +861,8 @@ def _create_identity_instance(cli_ctx, *args, **kwargs):
     from .telemetry import set_broker_info
     set_broker_info(allow_broker=allow_broker)
 
+    # PREVIEW: In Azure Stack environment, use core.instance_discovery=false to disable MSAL's instance discovery.
+    instance_discovery = cli_ctx.config.getboolean('core', 'instance_discovery', True)
+
     return Identity(*args, encrypt=encrypt, use_msal_http_cache=use_msal_http_cache, allow_broker=allow_broker,
-                    **kwargs)
+                    instance_discovery=instance_discovery, **kwargs)
diff --git a/src/azure-cli-core/azure/cli/core/auth/identity.py b/src/azure-cli-core/azure/cli/core/auth/identity.py
@@ -54,7 +54,7 @@ class Identity:  # pylint: disable=too-many-instance-attributes
     _service_principal_store_instance = None
 
     def __init__(self, authority, tenant_id=None, client_id=None, encrypt=False, use_msal_http_cache=True,
-                 allow_broker=None):
+                 allow_broker=None, instance_discovery=None):
         """
         :param authority: Authentication authority endpoint. For example,
             - AAD: https://login.microsoftonline.com
@@ -70,6 +70,7 @@ def __init__(self, authority, tenant_id=None, client_id=None, encrypt=False, use
         self._encrypt = encrypt
         self._use_msal_http_cache = use_msal_http_cache
         self._allow_broker = allow_broker
+        self._instance_discovery = instance_discovery
 
         # Build the authority in MSAL style
         self._msal_authority, self._is_adfs = _get_authority_url(authority, tenant_id)
@@ -98,6 +99,7 @@ def _msal_app_kwargs(self):
             "authority": self._msal_authority,
             "token_cache": Identity._msal_token_cache,
             "http_cache": Identity._msal_http_cache,
+            "instance_discovery": self._instance_discovery,
             # CP1 means we can handle claims challenges (CAE)
             "client_capabilities": None if "AZURE_IDENTITY_DISABLE_CP1" in os.environ else ["CP1"]
         }