fb

sdk/identity/Azure.Identity/BREAKING_CHANGES.md

@@ -17,26 +17,26 @@ More information on this change and the consideration behind it can be found [he
 
 ## 1.7.0
 
-### Changed Credential types supporting multi-tenant authentication to throw `AuthenticationFailedException` if the requested tenant id doesn't match the tenant id of the credential, and is not included in the `AdditionallyAllowedTenants` option.
+### Behavioral change to credential types supporting multi-tenant authentication
 
-Starting in Azure.Identity 1.7.0 the default behavior of credentials supporting multi-tenant authentication will be to throw a `AuthenticationFailedExcpetion` if the requested `TenantId` doesn't match the tenant id originally configured on the credential. Applications must now either explicitly add all expected tenant ids to the `AdditionallyAllowedTenants` list in the credential options, or add "*" to enable acquiring tokens from any tenant (the original behavior).
+As of `Azure.Identity` 1.7.0, the default behavior of credentials supporting multi-tenant authentication has changed. Each of these credentials will throw an `AuthenticationFailedException` if the requested `TenantId` doesn't match the tenant ID originally configured on the credential. Apps must now do one of the following things:
 
-This is an example of explicitly adding tenants to allow acquiring tokens.
+- Add all IDs, of tenants from which tokens should be acquired, to the `AdditionallyAllowedTenants` list in the credential options. For example:
 
-```C# Snippet:Identity_BreakingChanges_AddExplicitAdditionallyAllowedTenants
-var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions
-{
-    AdditionallyAllowedTenants = { "00000000-0000-0000-0000-000000000000", "11111111-1111-1111-1111-111111111111" }
-});
-```
+    ```C# Snippet:Identity_BreakingChanges_AddExplicitAdditionallyAllowedTenants
+    var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions
+    {
+        AdditionallyAllowedTenants = { "<tenant_id_1>", "<tenant_id_2>" }
+    });
+    ```
 
-Here is an example of using the wildcard to enable acquiring tokens from any tenant, to be compatible with versions 1.5.0 through 1.6.1.
+- Add `*` to enable token acquisition from any tenant. This is the original behavior and is compatible with versions 1.5.0 through 1.6.1. For example:
 
-```C# Snippet:Identity_BreakingChanges_AddAllAdditionallyAllowedTenants
-var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions
-{
-    AdditionallyAllowedTenants = { "*" }
-});
-```
+    ```C# Snippet:Identity_BreakingChanges_AddAllAdditionallyAllowedTenants
+    var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions
+    {
+        AdditionallyAllowedTenants = { "*" }
+    });
+    ```
 
 Note: Credential types which do not require a `TenantId` on construction will only throw `AuthenticationFailedException` when the application has provided a value for `TenantId` either in the options or via a constructor overload. If no `TenantId` is specified when constructing the credential, the credential will acquire tokens for any requested `TenantId` regardless of the value of `AdditionallyAllowedTenants`.

sdk/identity/Azure.Identity/tests/samples/BreakingChangesSnippets.cs

@@ -20,7 +20,7 @@ public void AddExplicitAdditionallyAllowedTenants()
             #region Snippet:Identity_BreakingChanges_AddExplicitAdditionallyAllowedTenants
             var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions
             {
-                AdditionallyAllowedTenants = { "00000000-0000-0000-0000-000000000000", "11111111-1111-1111-1111-111111111111" }
+                AdditionallyAllowedTenants = { "<tenant_id_1>", "<tenant_id_2>" }
             });
             #endregion
         }