Skip get_all_tokens for managed identity

src/azure-cli-core/azure/cli/core/_profile.py

@@ -563,6 +563,7 @@ def get_login_credentials(self, resource=None, subscription_id=None, aux_subscri
 
         identity_type, identity_id = Profile._try_parse_msi_account_name(account)
 
+        # Make sure external_tenants_info only contains real external tenant (no current tenant).
         external_tenants_info = []
         if aux_tenants:
             external_tenants_info = [tenant for tenant in aux_tenants if tenant != account[_TENANT_ID]]
@@ -573,6 +574,10 @@ def get_login_credentials(self, resource=None, subscription_id=None, aux_subscri
                 if sub[_TENANT_ID] != account[_TENANT_ID]:
                     external_tenants_info.append(sub[_TENANT_ID])
 
+        if external_tenants_info and (identity_type or in_cloud_console()):
+            raise CLIError("Cross-tenant authentication is not supported by managed identity and Cloud Shell. "
+                           "Please run `az login` with a user account or a service principal.")
+
         if identity_type is None:
             def _retrieve_token(sdk_resource=None):
                 # When called by

src/azure-cli-core/azure/cli/core/commands/client_factory.py

@@ -198,14 +198,11 @@ def _get_mgmt_service_client(cli_ctx,
         #   https://github.com/Azure/azure-sdk-for-python/issues/8313
         # As a temporary workaround, manually add external tokens to 'x-ms-authorization-auxiliary' header.
         #   https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/authenticate-multi-tenant
-        if aux_subscriptions or aux_tenants:
+        if getattr(cred, "_external_tenant_token_retriever", None):
             _, _, _, external_tenant_tokens = cred.get_all_tokens(*resource_to_scopes(resource))
-
-            # external_tenant_tokens can be [] if no external tenant is involved.
-            if external_tenant_tokens:
-                # Hard-code scheme to 'Bearer' as _BearerTokenCredentialPolicyBase._update_headers does.
-                client_kwargs['headers']['x-ms-authorization-auxiliary'] = \
-                    ', '.join("Bearer {}".format(t[1]) for t in external_tenant_tokens)
+            # Hard-code scheme to 'Bearer' as _BearerTokenCredentialPolicyBase._update_headers does.
+            client_kwargs['headers']['x-ms-authorization-auxiliary'] = \
+                ', '.join("Bearer {}".format(t[1]) for t in external_tenant_tokens)
 
     if subscription_bound:
         client = client_type(cred, subscription_id, **client_kwargs)