AzureAD · Robbie-Microsoft · May 14, 2026 · May 14, 2026 · May 14, 2026 · May 14, 2026
@@ -47,6 +47,9 @@ public async Task<AuthenticationResult> ExecuteAsync(
             AcquireTokenByRefreshTokenParameters refreshTokenParameters,
             CancellationToken cancellationToken)
         {
+            await commonParameters.TryInitMtlsPopParametersAsync(ServiceBundle, cancellationToken)
+                .ConfigureAwait(false);
+
             var requestContext = CreateRequestContextAndLogVersionInfo(commonParameters.CorrelationId, commonParameters.MtlsCertificate, cancellationToken);
             if (commonParameters.Scopes == null || !commonParameters.Scopes.Any())
             {

@@ -37,6 +37,9 @@ public async Task<AuthenticationResult> ExecuteAsync(
             AcquireTokenByAuthorizationCodeParameters authorizationCodeParameters,
             CancellationToken cancellationToken)
         {
+            await commonParameters.TryInitMtlsPopParametersAsync(ServiceBundle, cancellationToken)
+                .ConfigureAwait(false);
+
             RequestContext requestContext = CreateRequestContextAndLogVersionInfo(commonParameters.CorrelationId, commonParameters.MtlsCertificate, cancellationToken);
 
             AuthenticationRequestParameters requestParams = await _confidentialClientApplication.CreateRequestParametersAsync(
@@ -85,6 +88,9 @@ public async Task<AuthenticationResult> ExecuteAsync(
             AcquireTokenOnBehalfOfParameters onBehalfOfParameters,
             CancellationToken cancellationToken)
         {
+            await commonParameters.TryInitMtlsPopParametersAsync(ServiceBundle, cancellationToken)
+                .ConfigureAwait(false);
+
             RequestContext requestContext = CreateRequestContextAndLogVersionInfo(commonParameters.CorrelationId, commonParameters.MtlsCertificate, cancellationToken);
 
             AuthenticationRequestParameters requestParams = await _confidentialClientApplication.CreateRequestParametersAsync(

@@ -59,7 +59,15 @@ public async Task<InstanceDiscoveryMetadataEntry> GetMetadataAsync(Uri authority
             string region = null;
             bool isMtlsEnabled = requestContext.IsMtlsRequested;
 
-            if (requestContext.ApiEvent?.ApiId == TelemetryCore.Internal.Events.ApiEvent.ApiIds.AcquireTokenForClient)
+            // Always attempt region discovery for AcquireTokenForClient.
+            // Also attempt it for mTLS-enabled user flows when the app has opted in to
+            // regional endpoints (AzureRegion != null), so that OBO/RT can use a regional
+            // mTLS endpoint (e.g. eastus.mtlsauth.microsoft.com) when configured.
+            bool shouldAttemptRegionDiscovery =
+                requestContext.ApiEvent?.ApiId == TelemetryCore.Internal.Events.ApiEvent.ApiIds.AcquireTokenForClient ||
+                (isMtlsEnabled && requestContext.ServiceBundle.Config.AzureRegion != null);
+
+            if (shouldAttemptRegionDiscovery)
             {
                 region = await _regionManager.GetAzureRegionAsync(requestContext).ConfigureAwait(false);
             }

@@ -1183,8 +1183,14 @@ private async Task<IDictionary<string, TenantProfile>> GetTenantProfilesAsync(
                     idTokenCacheItems.Select(aci => aci.Environment),
                     StringComparer.OrdinalIgnoreCase);
 
+                // Use OriginalAuthority for alias resolution so that mTLS-transformed authorities
+                // (mtlsauth.microsoft.com) don't propagate into the cache lookup.
+                // _currentAuthority may be set to the mTLS endpoint (PreferredNetwork) after instance
+                // discovery; using OriginalAuthority ensures we always look up aliases from the
+                // canonical login.* host, which is where id tokens are stored.
+                var authorityInfoForAliases = requestParameters.AuthorityManager.OriginalAuthority.AuthorityInfo;
                 InstanceDiscoveryMetadataEntry instanceMetadata = await ServiceBundle.InstanceDiscoveryManager.GetMetadataEntryTryAvoidNetworkAsync(
-                    requestParameters.AuthorityInfo,
+                    authorityInfoForAliases,
                     allEnvironmentsInCache,
                     requestParameters.RequestContext).ConfigureAwait(false);