DefaultAzureCredential does not work for exclude_interactive_browser_credential = False

[robwe]

• Package Name: identity
• Package Version: 1.4.0b4
• Operating System:
• Python Version:

Describe the bug
When DefaultAzureCredential is created with exclude_interactive_browser_credential = False then an InteractiveBrowserCredential is created with no arguments. This means that it defaults to the "organizations" tenant, because that is what MsalCredential uses, if "tenant_id" is not passed as key word argument.
As a consequence tokens can be requested only for the "organizations" tenant, but not for the user's tenant of choice.

Expected behavior
When using DefaultAzureCredential with exclude_interactive_browser_credential = False, then it must be possible to specify a tenant, like e.g. for SharedTokenCacheCredential.

Additional context
The fix is in DefaultAzureCredential__init__() to add
ibc_tenant_id = kwargs.pop("interactive_browser_credential_tenant_id", os.environ.get(EnvironmentVariables.AZURE_TENANT_ID))
and then to call
credentials.append(InteractiveBrowserCredential(tenant_id=ibc_tenant_id))
and to add to the documentation that for exclude_interactive_browser_credential = False
additionally interactive_browser_credential_tenant_id should be passed, if the default "organizations" is not appropriate.

[chlowell]

Thanks for reporting this! I think a fix can make it into our next release.