Library version used
4.83.3
.NET version
10
Scenario
ConfidentialClient - service to service (AcquireTokenForClient)
Is this a new or an existing app?
The app is in production, and I have upgraded to a new version of MSAL
Issue description and reproduction steps
Not able to acquire an access token, using a client_credentials flow, with a custom domain for MS Entra.
Using WithAuthority() throws the error:
MSAL service error: AADSTS50049: Unknown or invalid instance. Trace ID: 5546c0ac-7dbc-4e00-a69b-eb3e90c21700 Correlation ID: 84a95c71-8732-4090-8e3a-580f0c89bcb6 Timestamp: 2026-04-15 14:48:56Z
While using WithOidcAuthority() throws the following error:
MSAL service error: Issuer validation failed for authority: https://clientlogin.test.parentpay.com/ebdf0e4c-ebe2-4793-af52-ceaf96f82741/v2.0 . Issuer from OIDC endpoint does not match any expected pattern: https://login.microsoftonline.com/ebdf0e4c-ebe2-4793-af52-ceaf96f82741/v2.0 .
Relevant code snippets
using Microsoft.Identity.Client;

namespace TestMSAL
{
    internal class Program
    {
        static async Task Main(string[] args)
        {
            string tenantId = "<tenant_id>";
            string clientId = "<client_id>";
            string clientSecret = "<client_secret>";
            // Authority on the custom domain instead of login.microsoftonline.com
            string authority = "https://<custom_domain>/<tenant_id>/v2.0";
            try
            {
                IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
                    .Create(clientId)
                    .WithClientSecret(clientSecret)
                    .WithAuthority(authority)
                    .Build();
                // client_credentials flow: request the app's .default scope
                string[] scopes = ["https://smth.onmicrosoft.com/guid/.default"];
                var result = await app.AcquireTokenForClient(scopes).ExecuteAsync();
                Console.WriteLine(result.AccessToken);
            }
            catch (MsalServiceException ex)
            {
                Console.WriteLine($"MSAL service error: {ex.Message}");
            }
            catch (Exception ex)
            {
                Console.WriteLine($"Unexpected error: {ex.Message}");
            }
        }
    }
}
Expected behavior
This was working in previous versions using the WithOidcAuthority(), so the expected behaviour is to be able to still acquire an access_token using a custom domain in MS Entra.
Identity provider
Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)
Regression
4.72.1
Solution and workarounds
The workaround is to use the normal login.microsoftonline.com endpoints.
However, in this specific scenario, the customer is using 3rd-party providers, and they want to keep the branding in the endpoints they share.
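Added example, not from the issue author or from MSAL: a small diagnostic for the mismatch reported above, comparing the authority an app is configured with against the `issuer` value in the discovery document served for it. The host `login.contoso.example`, the tenant GUID, the JSON and all type names are constructed for illustration, and the comparison is the exact-match rule from OpenID Connect Discovery 1.0, not MSAL's own validation logic.

```csharp
using System;
using System.Text.Json;

// Added example; not MSAL code. OpenID Connect Discovery 1.0 requires the "issuer" in the
// discovery document to equal the authority it was fetched from
// (authority + "/.well-known/openid-configuration").
public enum IssuerResult { ExactMatch, SamePathDifferentHost, Mismatch }

public static class IssuerCheck
{
    public static IssuerResult Compare(string authority, string discoveryJson)
    {
        using JsonDocument doc = JsonDocument.Parse(discoveryJson);
        if (!doc.RootElement.TryGetProperty("issuer", out JsonElement el) ||
            el.ValueKind != JsonValueKind.String)
            return IssuerResult.Mismatch;               // no usable issuer value

        string issuer = el.GetString() ?? "";
        if (!Uri.TryCreate(authority.TrimEnd('/'), UriKind.Absolute, out var a) ||
            !Uri.TryCreate(issuer.TrimEnd('/'), UriKind.Absolute, out var i) ||
            a.Scheme != Uri.UriSchemeHttps || i.Scheme != Uri.UriSchemeHttps)
            return IssuerResult.Mismatch;               // malformed or non-HTTPS URL

        bool sameHost = a.Host == i.Host && a.Port == i.Port;
        bool samePath = string.Equals(a.AbsolutePath, i.AbsolutePath, StringComparison.Ordinal);
        if (sameHost && samePath) return IssuerResult.ExactMatch;

        // Same tenant path but the document names another host as issuer:
        // the situation shown in the "Issuer validation failed" error above.
        return samePath ? IssuerResult.SamePathDifferentHost : IssuerResult.Mismatch;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample values, not taken from a real tenant.
        const string tenant = "11111111-2222-3333-4444-555555555555";
        string authority = $"https://login.contoso.example/{tenant}/v2.0";
        string discoveryJson = $"{{\"issuer\":\"https://login.microsoftonline.com/{tenant}/v2.0\"}}";

        Console.WriteLine(IssuerCheck.Compare(authority, discoveryJson));
    }
}
```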