From 9e705ba9ba122c99d1bd77f5e79cf06899230c2c Mon Sep 17 00:00:00 2001
From: Jan Hajek
Date: Wed, 2 Dec 2020 09:00:34 +0100
Subject: [PATCH] Explicitly provide tenantId from configuration if not specified when obtaining token via client_credentials. Streamline argument validation.
---
 src/Microsoft.Identity.Web/TokenAcquisition.cs | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/Microsoft.Identity.Web/TokenAcquisition.cs b/src/Microsoft.Identity.Web/TokenAcquisition.cs
index a3987cd33..20da2b4ce 100644
--- a/src/Microsoft.Identity.Web/TokenAcquisition.cs
+++ b/src/Microsoft.Identity.Web/TokenAcquisition.cs
@@ -271,14 +271,14 @@ public async Task GetAccessTokenForAppAsync(
 throw new ArgumentException(IDWebErrorMessage.ClientCredentialScopeParameterShouldEndInDotDefault, nameof(scope));
 }
- if (!string.IsNullOrEmpty(tenant) && _metaTenantIdentifiers.Contains(tenant))
+ if (string.IsNullOrEmpty(tenant))
 {
- throw new ArgumentException(IDWebErrorMessage.ClientCredentialTenantShouldBeTenanted, nameof(tenant));
+ tenant = _applicationOptions.TenantId ?? _microsoftIdentityOptions.TenantId;
 }
- if (!string.IsNullOrEmpty(_microsoftIdentityOptions.TenantId) && _metaTenantIdentifiers.Contains(_microsoftIdentityOptions.TenantId))
+ if (!string.IsNullOrEmpty(tenant) && _metaTenantIdentifiers.Contains(tenant))
 {
- throw new ArgumentException(IDWebErrorMessage.ClientCredentialTenantShouldBeTenanted, nameof(_microsoftIdentityOptions.TenantId));
+ throw new ArgumentException(IDWebErrorMessage.ClientCredentialTenantShouldBeTenanted, nameof(tenant));
 }
 // Use MSAL to get the right token to call the API
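Review bot: The fallback `_applicationOptions.TenantId ?? _microsoftIdentityOptions.TenantId` only skips a null value, so an empty-string `_applicationOptions.TenantId` leaves `tenant` empty and the `_metaTenantIdentifiers` check after it is bypassed; a meta-tenant `_microsoftIdentityOptions.TenantId`, which the removed check rejected, then goes unvalidated. Consider `tenant = !string.IsNullOrEmpty(_applicationOptions.TenantId) ? _applicationOptions.TenantId : _microsoftIdentityOptions.TenantId;`, and decide explicitly what happens when both are empty, since the client-credentials request then proceeds with no tenant check from this method (whether the authority built later is tenanted is not visible here). The exception still reports `nameof(tenant)` even when the rejected value came from configuration, so a comment such as `// tenant may originate from configuration, not the caller` would help whoever diagnoses it. The body of GetAccessTokenForAppAsync starts and ends outside the hunk.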