fix: add tenantId filter to getNativeAccountId for multi-tenant scenarios #8601
Open
lalimasharda wants to merge 4 commits into
…rios getNativeAccountId() previously filtered cached accounts only by loginHint and sid. In multi-tenant scenarios where the same user has accounts across multiple tenants, this returned the wrong tenant's nativeAccountId. Added an optional tenantId field to PopupRequest, RedirectRequest, and SsoSilentRequest. When provided, getNativeAccountId passes it into the AccountFilter so the cache lookup also matches on tenantId, preventing incorrect account matches. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
This PR addresses incorrect nativeAccountId selection in multi-tenant scenarios by allowing callers to provide an explicit tenantId (GUID) on interactive/sso request objects and threading it into the cached account lookup performed by StandardController.getNativeAccountId().
Changes:
- Added optional `tenantId?: string` to `PopupRequest`, `RedirectRequest`, and `SsoSilentRequest`.
- Updated `StandardController.getNativeAccountId()` to pass `request.tenantId` into the `AccountFilter` used by `getAccount()`.
- Expanded unit test coverage around `getNativeAccountId()` behavior and updated the API review file.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| lib/msal-browser/src/controllers/StandardController.ts | Passes request.tenantId into the AccountFilter for native account id resolution. |
| lib/msal-browser/src/request/PopupRequest.ts | Adds optional tenantId to the popup request type. |
| lib/msal-browser/src/request/RedirectRequest.ts | Adds optional tenantId to the redirect request type. |
| lib/msal-browser/src/request/SsoSilentRequest.ts | Adds optional tenantId to the ssoSilent request type. |
| lib/msal-browser/test/app/PublicClientApplication.spec.ts | Adds/updates tests validating tenantId propagation into account filtering. |
| lib/msal-browser/apiReview/msal-browser.api.md | Updates extracted API surface to include the new tenantId request property. |
Comment on lines 1888 to +1892
| request.account || | ||
| this.getAccount({ | ||
| loginHint: request.loginHint, | ||
| sid: request.sid, | ||
| tenantId: request.tenantId, |
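Review bot: `tenantId: request.tenantId` goes into the filter unvalidated, and the PR description says cached accounts store `tenantId` as a GUID, so a caller who passes a domain name such as `contoso.onmicrosoft.com` will silently match no account. Consider documenting the GUID requirement on the new request property, or checking the format before building the filter. Two further cases are worth a doc comment or a test: `request.account ||` short-circuits the lookup, so `tenantId` is ignored whenever `account` is supplied, and when `loginHint` and `sid` are both undefined the filter matches on `tenantId` alone.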
Contributor
Author
I think that should be okay because we would return the first account that matches with the tenantId passed in.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
lalimasharda commented May 22, 2026
Co-authored-by: Lalima Sharda <lalima.sharda@gmail.com>
Problem
In multi-tenant scenarios, `getNativeAccountId()` filters cached accounts only by `loginHint` and `sid`. When the same user has accounts in multiple tenants with the same `loginHint`, the wrong tenant's `nativeAccountId` is returned from the cache.
Solution
Added an optional `tenantId` (GUID) field to `PopupRequest`, `RedirectRequest`, and `SsoSilentRequest`. When provided, `getNativeAccountId()` passes it into the `AccountFilter` used by `getAccount()`, so the cache lookup also matches on `tenantId`.
Why `tenantId` on the request (not parsed from authority)?
The authority URL may contain either a tenant GUID or a domain name (e.g. `contoso.onmicrosoft.com`), but cached accounts store `tenantId` as a GUID. Parsing the authority string would fail to match when a domain name is used. By accepting an explicit `tenantId` GUID from the caller, we avoid this mismatch.
Design Points
Changes
Testing
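
The lookup behaviour described in the Problem and Solution sections above, as an added example that is not part of the pull request or MSAL's own code. It is a simplified cache filter; the account objects, GUIDs and the `matchesFilter` / `lookupNativeAccountId` helpers are constructed for illustration.

```javascript
// Simplified model of a cached-account lookup (not MSAL's implementation).
// Field names follow the PR text; every value below is constructed.
const TENANT_A = "11111111-1111-4111-8111-111111111111";
const TENANT_B = "22222222-2222-4222-8222-222222222222";
const cache = [
  { username: "user@contoso.com", sid: "sid-a", tenantId: TENANT_A, nativeAccountId: "native-A" },
  { username: "user@contoso.com", sid: "sid-b", tenantId: TENANT_B, nativeAccountId: "native-B" },
];

const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// A filter field left undefined is ignored, so each omitted field widens the match.
function matchesFilter(account, filter) {
  if (filter.loginHint !== undefined && account.username !== filter.loginHint) return false;
  if (filter.sid !== undefined && account.sid !== filter.sid) return false;
  if (filter.tenantId !== undefined &&
      account.tenantId.toLowerCase() !== filter.tenantId.toLowerCase()) return false;
  return true;
}

// Returns the first match plus how many accounts matched, so a caller can
// see when the chosen nativeAccountId was only one of several candidates.
function lookupNativeAccountId(accounts, filter) {
  const hits = accounts.filter((a) => matchesFilter(a, filter));
  return {
    nativeAccountId: hits.length > 0 ? hits[0].nativeAccountId : null,
    candidates: hits.length,
    tenantIdIsGuid: filter.tenantId === undefined ? null : GUID_RE.test(filter.tenantId),
  };
}

// loginHint only: both tenants match and cache order decides the result.
const byHintOnly = lookupNativeAccountId(cache, { loginHint: "user@contoso.com" });
// loginHint + tenant GUID: exactly one candidate, the intended tenant.
const byHintAndTenant = lookupNativeAccountId(cache, {
  loginHint: "user@contoso.com", tenantId: TENANT_B });
// Domain name instead of a GUID: no match, because the cache stores GUIDs.
const byDomain = lookupNativeAccountId(cache, {
  loginHint: "user@contoso.com", tenantId: "contoso.onmicrosoft.com" });
// tenantId only: any account in that tenant is a candidate.
const byTenantOnly = lookupNativeAccountId(cache, { tenantId: TENANT_A });
```

The `candidates` count is the value to watch in tests or telemetry: anything above 1 means the returned id depended on cache order rather than on the request.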