msauth: accept IMicrosoftAccount on GetTokenForUserAsync

`IMicrosoftAuthentication.GetTokenForUserAsync` predated the
`IMicrosoftAccount` shape that the rest of the auth surface now
uses for identifying cached accounts. It took a bare `string
userName`, matched by UPN against `app.GetAccountsAsync()`, and
quietly picked the first match. That works fine for single-tenant
single-account users but loses information in two scenarios:

  - Guest accounts where the same UPN exists in two tenants
    (e.g. `alice@contoso.com` as a guest in fabrikam). Both
    accounts share a UPN but have distinct `HomeAccountId`
    values; selecting by UPN alone non-deterministically picks one.
  - Callers that already carry a stable `HomeAccountId` (e.g. an
    upcoming binding manager rewrite) have to translate it back
    to a UPN before calling the API, which both wastes the
    stable identifier and reintroduces the ambiguity.

Pivot the interface to take an `IMicrosoftAccount`:

    Task<IMicrosoftAuthenticationResult> GetTokenForUserAsync(
        string authority, string clientId, Uri redirectUri,
        string[] scopes, IMicrosoftAccount account, bool msaPt = false);

Internal resolution prefers `HomeAccountId` when present, falls
back to `UserName` otherwise, traces a warning when both are set
and the cached account's UPN differs from the supplied one
(HomeAccountId wins, supplied UPN is informational), and traces a
warning when UPN-only resolution returns multiple matches
(first-match returned, today's behaviour preserved). `null`
account remains "let MSAL pick interactively".

The silent-acquisition helper unifies behind a single
`GetAccessTokenSilentlyAsync(app, scopes, IAccount, msaPt)`:
callers with an explicit cached account pass it through, and the
broker's "default OS account" path resolves to
`PublicClientApplication.OperatingSystemAccount` (an `IAccount`
sentinel) and goes through the same path. The MSA-passthrough
tenant-id workaround switches to a null-safe lookup so it no-ops
cleanly when the sentinel's `HomeAccountId` isn't populated.

Add a new `MicrosoftAuthenticationExtensions` static class to
host an `[Obsolete]` extension that preserves the pre-existing
`(…, string userName, …)` signature. Existing in-tree production
call sites keep building with a deprecation warning as a TODO
list; the extension wraps by constructing
`new MicrosoftAccount(homeAccountId: null, userName)` — the
"UPN-only" shape — so the legacy semantics are preserved exactly.
A follow-on commit migrates the one remaining production caller
(Azure Repos), then a final commit deletes the extension.

`Mock<IMicrosoftAuthentication>` cannot set up an extension
method, so the eight `.Setup` expressions in
`AzureReposHostProviderTests` and the one direct call in
`MicrosoftAuthenticationTests` migrate to the new interface
method in this commit. Each test hoists a local
`var expectedAccount = new MicrosoftAccount(homeAccountId: null,
userName: …)` (or `IMicrosoftAccount expectedAccount = null` for
the unconstrained case) alongside its other expected-mock-inputs
and passes the value directly to `Setup`; the equality contract
introduced alongside `IMicrosoftAccount` itself is what lets Moq
match these by value rather than reference. Production code
stays on the obsolete extension for now.

Assisted-by: Claude Opus 4.7
Signed-off-by: Matthew John Cheetham <mjcheetham@outlook.com>

Author: mjcheetham

src/shared/Core.Tests/Authentication/MicrosoftAuthenticationTests.cs

@@ -16,7 +16,7 @@ public async Task MicrosoftAuthentication_GetTokenForUserAsync_NoInteraction_Thr
             const string clientId = "C9E8FDA6-1D46-484C-917C-3DBD518F27C3";
             Uri redirectUri = new Uri("https://localhost");
             string[] scopes = {"user.read"};
-            const string userName = null; // No user to ensure we do not use an existing token
+            IMicrosoftAccount account = null; // No account to ensure we do not use an existing token
 
             var context = new TestCommandContext
             {
@@ -26,7 +26,7 @@ public async Task MicrosoftAuthentication_GetTokenForUserAsync_NoInteraction_Thr
             var msAuth = new MicrosoftAuthentication(context);
 
             await Assert.ThrowsAsync<Trace2InvalidOperationException>(
-                () => msAuth.GetTokenForUserAsync(authority, clientId, redirectUri, scopes, userName, false));
+                () => msAuth.GetTokenForUserAsync(authority, clientId, redirectUri, scopes, account, false));
         }
 
         [Theory]

src/shared/Core/Authentication/MicrosoftAuthentication.cs

@@ -53,11 +53,14 @@ public interface IMicrosoftAuthentication
         /// <param name="clientId">Client ID.</param>
         /// <param name="redirectUri">Redirect URI for the client.</param>
         /// <param name="scopes">Set of scopes to request.</param>
-        /// <param name="userName">Optional user name for an existing account.</param>
+        /// <param name="account">Optional account to acquire a token for. <see langword="null"/>
+        /// lets MSAL pick interactively. When set, resolved against the MSAL cache by
+        /// <see cref="IMicrosoftAccount.HomeAccountId"/> when present, otherwise by
+        /// <see cref="IMicrosoftAccount.UserName"/>.</param>
         /// <param name="msaPt">Use MSA-Passthrough behavior when authenticating.</param>
         /// <returns>Authentication result.</returns>
         Task<IMicrosoftAuthenticationResult> GetTokenForUserAsync(string authority, string clientId, Uri redirectUri,
-            string[] scopes, string userName, bool msaPt = false);
+            string[] scopes, IMicrosoftAccount account, bool msaPt = false);
 
         /// <summary>
         /// Acquire an access token for the given service principal with the specified scopes.
@@ -152,6 +155,25 @@ public override int GetHashCode()
         }
     }
 
+    public static class MicrosoftAuthenticationExtensions
+    {
+        /// <summary>
+        /// Convenience overload of <see cref="IMicrosoftAuthentication.GetTokenForUserAsync"/>
+        /// that takes a bare UPN string.
+        /// </summary>
+        [Obsolete("Construct a MicrosoftAccount and call the IMicrosoftAccount overload directly.")]
+        public static Task<IMicrosoftAuthenticationResult> GetTokenForUserAsync(
+            this IMicrosoftAuthentication msAuth,
+            string authority, string clientId, Uri redirectUri, string[] scopes, string userName, bool msaPt = false)
+        {
+            EnsureArgument.NotNull(msAuth, nameof(msAuth));
+            IMicrosoftAccount account = string.IsNullOrWhiteSpace(userName)
+                ? null
+                : new MicrosoftAccount(homeAccountId: null, userName: userName);
+            return msAuth.GetTokenForUserAsync(authority, clientId, redirectUri, scopes, account, msaPt);
+        }
+    }
+
     public class MicrosoftAuthentication : AuthenticationBase, IMicrosoftAuthentication
     {
         public static readonly string[] AuthorityIds =
@@ -254,7 +276,7 @@ private static string DescribeAccount(IMicrosoftAccount account) =>
             !string.IsNullOrWhiteSpace(account.HomeAccountId) ? account.HomeAccountId : account.UserName;
 
         public async Task<IMicrosoftAuthenticationResult> GetTokenForUserAsync(
-            string authority, string clientId, Uri redirectUri, string[] scopes, string userName, bool msaPt)
+            string authority, string clientId, Uri redirectUri, string[] scopes, IMicrosoftAccount account, bool msaPt)
         {
             var uiCts = new CancellationTokenSource();
 
@@ -276,11 +298,25 @@ public async Task<IMicrosoftAuthenticationResult> GetTokenForUserAsync(
 
                 AuthenticationResult result = null;
 
-                // Try silent authentication first if we know about an existing user
-                bool hasExistingUser = !string.IsNullOrWhiteSpace(userName);
+                // Resolve the account against the MSAL cache once (HomeAccountId-first, UPN-fallback,
+                // with trace warnings on mismatch/ambiguity). The same resolved account is then
+                // reused for silent acquisition and the device-code fallback.
+                IAccount resolvedAccount = null;
+                if (account is not null)
+                {
+                    IReadOnlyList<IAccount> cached = (await app.GetAccountsAsync()).ToList();
+                    resolvedAccount = ResolveAccount(cached, account);
+                    if (resolvedAccount is null)
+                    {
+                        Context.Trace.WriteLine($"No cached account matches '{DescribeAccount(account)}'.");
+                    }
+                }
+
+                // Try silent authentication first if we resolved an account against the cache.
+                bool hasExistingUser = resolvedAccount is not null;
                 if (hasExistingUser)
                 {
-                    result = await GetAccessTokenSilentlyAsync(app, scopes, userName, msaPt);
+                    result = await GetAccessTokenSilentlyAsync(app, scopes, resolvedAccount, msaPt);
                 }
 
                 //
@@ -318,7 +354,7 @@ public async Task<IMicrosoftAuthenticationResult> GetTokenForUserAsync(
                         // account then the user may become stuck in a loop of authentication failures.
                         if (!hasExistingUser && Context.Settings.UseMsAuthDefaultAccount)
                         {
-                            result = await GetAccessTokenSilentlyAsync(app, scopes, null, msaPt);
+                            result = await GetAccessTokenSilentlyAsync(app, scopes, PublicClientApplication.OperatingSystemAccount, msaPt);
 
                             if (result is null || !await UseDefaultAccountAsync(result.Account.Username))
                             {
@@ -604,48 +640,32 @@ internal InteractiveFlowType GetFlowType()
         }
 
         /// <summary>
-        /// Obtain an access token without showing UI or prompts.
+        /// Obtain an access token without showing UI or prompts for the given cached account.
+        /// Pass <see cref="PublicClientApplication.OperatingSystemAccount"/> to acquire silently
+        /// against the broker's default OS account (broker only).
         /// </summary>
         private async Task<AuthenticationResult> GetAccessTokenSilentlyAsync(
-            IPublicClientApplication app, string[] scopes, string userName, bool msaPt)
+            IPublicClientApplication app, string[] scopes, IAccount account, bool msaPt)
         {
             try
             {
-                if (userName is null)
+                string label = ReferenceEquals(account, PublicClientApplication.OperatingSystemAccount)
+                    ? "current operating system account"
+                    : $"account '{account.Username}'";
+                Context.Trace.WriteLine($"Attempting to acquire token silently for {label}...");
+
+                var atsBuilder = app.AcquireTokenSilent(scopes, account);
+
+                // If we are operating with an MSA passthrough app we need to ensure that we target the
+                // special MSA 'transfer' tenant explicitly. This is a workaround for MSAL issue:
+                // https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/3077
+                if (msaPt && Guid.TryParse(account.HomeAccountId?.TenantId, out Guid homeTenantId) &&
+                    homeTenantId == Constants.MsaHomeTenantId)
                 {
-                    Context.Trace.WriteLine(
-                        "Attempting to acquire token silently for current operating system account...");
-
-                    return await app.AcquireTokenSilent(scopes, PublicClientApplication.OperatingSystemAccount)
-                        .ExecuteAsync();
+                    atsBuilder = atsBuilder.WithTenantId(Constants.MsaTransferTenantId.ToString("D"));
                 }
-                else
-                {
-                    Context.Trace.WriteLine($"Attempting to acquire token silently for user '{userName}'...");
 
-                    // Enumerate all accounts and find the one matching the user name
-                    IEnumerable<IAccount> accounts = await app.GetAccountsAsync();
-                    IAccount account = accounts.FirstOrDefault(x =>
-                        StringComparer.OrdinalIgnoreCase.Equals(x.Username, userName));
-                    if (account is null)
-                    {
-                        Context.Trace.WriteLine($"No cached account found for user '{userName}'...");
-                        return null;
-                    }
-
-                    var atsBuilder = app.AcquireTokenSilent(scopes, account);
-
-                    // Is we are operating with an MSA passthrough app we need to ensure that we target the
-                    // special MSA 'transfer' tenant explicitly. This is a workaround for MSAL issue:
-                    // https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/3077
-                    if (msaPt && Guid.TryParse(account.HomeAccountId.TenantId, out Guid homeTenantId) &&
-                        homeTenantId == Constants.MsaHomeTenantId)
-                    {
-                        atsBuilder = atsBuilder.WithTenantId(Constants.MsaTransferTenantId.ToString("D"));
-                    }
-
-                    return await atsBuilder.ExecuteAsync();
-                }
+                return await atsBuilder.ExecuteAsync();
             }
             catch (MsalUiRequiredException)
             {

src/shared/Microsoft.AzureRepos.Tests/AzureReposHostProviderTests.cs

@@ -158,6 +158,7 @@ public async Task AzureReposProvider_GetCredentialAsync_JwtMode_CachedAuthority_
             var expectedRedirectUri = AzureDevOpsConstants.AadRedirectUri;
             var expectedScopes = AzureDevOpsConstants.AzureDevOpsDefaultScopes;
             var accessToken = "ACCESS-TOKEN";
+            var expectedAccount = new MicrosoftAccount(homeAccountId: null, userName: urlAccount);
             var authResult = CreateAuthResult(urlAccount, accessToken);
 
             var context = new TestCommandContext();
@@ -170,7 +171,7 @@ public async Task AzureReposProvider_GetCredentialAsync_JwtMode_CachedAuthority_
             azDevOpsMock.Setup(x => x.GetAuthorityAsync(expectedOrgUri)).ReturnsAsync(authorityUrl);
 
             var msAuthMock = new Mock<IMicrosoftAuthentication>(MockBehavior.Strict);
-            msAuthMock.Setup(x => x.GetTokenForUserAsync(authorityUrl, expectedClientId, expectedRedirectUri, expectedScopes, urlAccount, true))
+            msAuthMock.Setup(x => x.GetTokenForUserAsync(authorityUrl, expectedClientId, expectedRedirectUri, expectedScopes, expectedAccount, true))
                       .ReturnsAsync(authResult);
 
             var authorityCacheMock = new Mock<IAzureDevOpsAuthorityCache>(MockBehavior.Strict);
@@ -208,6 +209,7 @@ public async Task AzureReposProvider_GetCredentialAsync_JwtMode_CachedAuthority_
             var expectedRedirectUri = AzureDevOpsConstants.AadRedirectUri;
             var expectedScopes = AzureDevOpsConstants.AzureDevOpsDefaultScopes;
             var accessToken = "ACCESS-TOKEN";
+            var expectedAccount = new MicrosoftAccount(homeAccountId: null, userName: urlAccount);
             var authResult = CreateAuthResult(urlAccount, accessToken);
 
             var context = new TestCommandContext();
@@ -220,7 +222,7 @@ public async Task AzureReposProvider_GetCredentialAsync_JwtMode_CachedAuthority_
             azDevOpsMock.Setup(x => x.GetAuthorityAsync(expectedOrgUri)).ReturnsAsync(authorityUrl);
 
             var msAuthMock = new Mock<IMicrosoftAuthentication>(MockBehavior.Strict);
-            msAuthMock.Setup(x => x.GetTokenForUserAsync(authorityUrl, expectedClientId, expectedRedirectUri, expectedScopes, urlAccount, true))
+            msAuthMock.Setup(x => x.GetTokenForUserAsync(authorityUrl, expectedClientId, expectedRedirectUri, expectedScopes, expectedAccount, true))
                       .ReturnsAsync(authResult);
 
             var authorityCacheMock = new Mock<IAzureDevOpsAuthorityCache>(MockBehavior.Strict);
@@ -254,6 +256,7 @@ public async Task AzureReposProvider_GetCredentialAsync_JwtMode_CachedAuthority_
             var expectedRedirectUri = AzureDevOpsConstants.AadRedirectUri;
             var expectedScopes = AzureDevOpsConstants.AzureDevOpsDefaultScopes;
             var accessToken = "ACCESS-TOKEN";
+            IMicrosoftAccount expectedAccount = null;
             var account = "jane.doe";
             var authResult = CreateAuthResult(account, accessToken);
 
@@ -267,7 +270,7 @@ public async Task AzureReposProvider_GetCredentialAsync_JwtMode_CachedAuthority_
             azDevOpsMock.Setup(x => x.GetAuthorityAsync(expectedOrgUri)).ReturnsAsync(authorityUrl);
 
             var msAuthMock = new Mock<IMicrosoftAuthentication>(MockBehavior.Strict);
-            msAuthMock.Setup(x => x.GetTokenForUserAsync(authorityUrl, expectedClientId, expectedRedirectUri, expectedScopes, null, true))
+            msAuthMock.Setup(x => x.GetTokenForUserAsync(authorityUrl, expectedClientId, expectedRedirectUri, expectedScopes, expectedAccount, true))
                       .ReturnsAsync(authResult);
 
             var authorityCacheMock = new Mock<IAzureDevOpsAuthorityCache>(MockBehavior.Strict);
@@ -303,6 +306,7 @@ public async Task AzureReposProvider_GetCredentialAsync_JwtMode_CachedAuthority_
             var expectedRedirectUri = AzureDevOpsConstants.AadRedirectUri;
             var expectedScopes = AzureDevOpsConstants.AzureDevOpsDefaultScopes;
             var accessToken = "ACCESS-TOKEN";
+            IMicrosoftAccount expectedAccount = null;
             var account = "john.doe";
             var authResult = CreateAuthResult(account, accessToken);
 
@@ -315,7 +319,7 @@ public async Task AzureReposProvider_GetCredentialAsync_JwtMode_CachedAuthority_
             var azDevOpsMock = new Mock<IAzureDevOpsRestApi>(MockBehavior.Strict);
 
             var msAuthMock = new Mock<IMicrosoftAuthentication>(MockBehavior.Strict);
-            msAuthMock.Setup(x => x.GetTokenForUserAsync(authorityUrl, expectedClientId, expectedRedirectUri, expectedScopes, null, true))
+            msAuthMock.Setup(x => x.GetTokenForUserAsync(authorityUrl, expectedClientId, expectedRedirectUri, expectedScopes, expectedAccount, true))
                       .ReturnsAsync(authResult);
 
             var authorityCacheMock = new Mock<IAzureDevOpsAuthorityCache>(MockBehavior.Strict);
@@ -353,6 +357,7 @@ public async Task AzureReposProvider_GetCredentialAsync_JwtMode_CachedAuthority_
             var expectedScopes = AzureDevOpsConstants.AzureDevOpsDefaultScopes;
             var accessToken = "ACCESS-TOKEN";
             var account = "john.doe";
+            var expectedAccount = new MicrosoftAccount(homeAccountId: null, userName: account);
             var authResult = CreateAuthResult(account, accessToken);
 
             var context = new TestCommandContext();
@@ -364,7 +369,7 @@ public async Task AzureReposProvider_GetCredentialAsync_JwtMode_CachedAuthority_
             var azDevOpsMock = new Mock<IAzureDevOpsRestApi>(MockBehavior.Strict);
 
             var msAuthMock = new Mock<IMicrosoftAuthentication>(MockBehavior.Strict);
-            msAuthMock.Setup(x => x.GetTokenForUserAsync(authorityUrl, expectedClientId, expectedRedirectUri, expectedScopes, account, true))
+            msAuthMock.Setup(x => x.GetTokenForUserAsync(authorityUrl, expectedClientId, expectedRedirectUri, expectedScopes, expectedAccount, true))
                       .ReturnsAsync(authResult);
 
             var authorityCacheMock = new Mock<IAzureDevOpsAuthorityCache>(MockBehavior.Strict);
@@ -401,6 +406,7 @@ public async Task AzureReposProvider_GetCredentialAsync_JwtMode_NoCachedAuthorit
             var expectedRedirectUri = AzureDevOpsConstants.AadRedirectUri;
             var expectedScopes = AzureDevOpsConstants.AzureDevOpsDefaultScopes;
             var accessToken = "ACCESS-TOKEN";
+            IMicrosoftAccount expectedAccount = null;
             var account = "john.doe";
             var authResult = CreateAuthResult(account, accessToken);
 
@@ -414,7 +420,7 @@ public async Task AzureReposProvider_GetCredentialAsync_JwtMode_NoCachedAuthorit
             azDevOpsMock.Setup(x => x.GetAuthorityAsync(expectedOrgUri)).ReturnsAsync(authorityUrl);
 
             var msAuthMock = new Mock<IMicrosoftAuthentication>(MockBehavior.Strict);
-            msAuthMock.Setup(x => x.GetTokenForUserAsync(authorityUrl, expectedClientId, expectedRedirectUri, expectedScopes, null, true))
+            msAuthMock.Setup(x => x.GetTokenForUserAsync(authorityUrl, expectedClientId, expectedRedirectUri, expectedScopes, expectedAccount, true))
                       .ReturnsAsync(authResult);
 
             var authorityCacheMock = new Mock<IAzureDevOpsAuthorityCache>(MockBehavior.Strict);
@@ -450,6 +456,7 @@ public async Task AzureReposProvider_GetCredentialAsync_PatMode_OrgInUserName_No
             var expectedRedirectUri = AzureDevOpsConstants.AadRedirectUri;
             var expectedScopes = AzureDevOpsConstants.AzureDevOpsDefaultScopes;
             var accessToken = "ACCESS-TOKEN";
+            IMicrosoftAccount expectedAccount = null;
             var personalAccessToken = "PERSONAL-ACCESS-TOKEN";
             var account = "john.doe";
             var authResult = CreateAuthResult(account, accessToken);
@@ -462,7 +469,7 @@ public async Task AzureReposProvider_GetCredentialAsync_PatMode_OrgInUserName_No
                         .ReturnsAsync(personalAccessToken);
 
             var msAuthMock = new Mock<IMicrosoftAuthentication>(MockBehavior.Strict);
-            msAuthMock.Setup(x => x.GetTokenForUserAsync(authorityUrl, expectedClientId, expectedRedirectUri, expectedScopes, null, true))
+            msAuthMock.Setup(x => x.GetTokenForUserAsync(authorityUrl, expectedClientId, expectedRedirectUri, expectedScopes, expectedAccount, true))
                       .ReturnsAsync(authResult);
 
             var authorityCacheMock = new Mock<IAzureDevOpsAuthorityCache>(MockBehavior.Strict);
@@ -496,6 +503,7 @@ public async Task AzureReposProvider_GetCredentialAsync_PatMode_NoExistingPat_Ge
             var expectedRedirectUri = AzureDevOpsConstants.AadRedirectUri;
             var expectedScopes = AzureDevOpsConstants.AzureDevOpsDefaultScopes;
             var accessToken = "ACCESS-TOKEN";
+            IMicrosoftAccount expectedAccount = null;
             var personalAccessToken = "PERSONAL-ACCESS-TOKEN";
             var account = "john.doe";
             var authResult = CreateAuthResult(account, accessToken);
@@ -508,7 +516,7 @@ public async Task AzureReposProvider_GetCredentialAsync_PatMode_NoExistingPat_Ge
                         .ReturnsAsync(personalAccessToken);
 
             var msAuthMock = new Mock<IMicrosoftAuthentication>(MockBehavior.Strict);
-            msAuthMock.Setup(x => x.GetTokenForUserAsync(authorityUrl, expectedClientId, expectedRedirectUri, expectedScopes, null, true))
+            msAuthMock.Setup(x => x.GetTokenForUserAsync(authorityUrl, expectedClientId, expectedRedirectUri, expectedScopes, expectedAccount, true))
                       .ReturnsAsync(authResult);
 
             var authorityCacheMock = new Mock<IAzureDevOpsAuthorityCache>(MockBehavior.Strict);