Azure · erich-wang · Nov 12, 2020 · Nov 11, 2020 · Nov 11, 2020 · Nov 11, 2020
diff --git a/src/Accounts/Accounts/ChangeLog.md b/src/Accounts/Accounts/ChangeLog.md
@@ -18,6 +18,7 @@
         - Additional information about change #1
 -->
 ## Upcoming Release
+* Fixed an issue that TenantId may be not respected if using `Connect-AzAccount -DeviceCode`[#13477]
 * Added new cmdlet `Get-AzAccessToken`
 * Fixed an issue that error happens if user profile path is inaccessible
 * Fixed an issue causing Write-Object error during Connect-AzAccount [#13419]

diff --git a/src/Accounts/Accounts/Models/RMProfileClient.cs b/src/Accounts/Accounts/Models/RMProfileClient.cs
@@ -195,6 +195,7 @@ public AzureRmProfile Login(
                         environment,
                         subscriptionId,
                         subscriptionName,
+                        true,
                         out newSubscription,
                         out newTenant))
                     {
@@ -248,7 +249,7 @@ public AzureRmProfile Login(
 
                         if (token != null &&
                             newTenant == null &&
-                            TryGetTenantSubscription(token, account, environment, subscriptionId, subscriptionName, out tempSubscription, out tempTenant))
+                            TryGetTenantSubscription(token, account, environment, subscriptionId, subscriptionName, false, out tempSubscription, out tempTenant))
                         {
                             // If no subscription found for the given token/tenant，discard tempTenant value.
                             // Continue to look for matched subscripitons until one subscription retrived by its home tenant is found.
@@ -554,6 +555,7 @@ private bool TryGetTenantSubscription(IAccessToken accessToken,
             IAzureEnvironment environment,
             string subscriptionId,
             string subscriptionName,
+            bool isTenantPresent,
             out IAzureSubscription subscription,
             out IAzureTenant tenant)
         {
@@ -596,7 +598,13 @@ private bool TryGetTenantSubscription(IAccessToken accessToken,
                 }
                 catch (CloudException ex)
                 {
-                    WriteWarningMessage(ex.Message);
+                    //Error "InvalidAuthenticationTokenTenant" means tenant and subscription mismatches.
+                    //If tenant is not present, we're iterating all tenants until finding right tenant for specified subscription,
+                    //in this case, InvalidAuthenticationTokenTenant message is expected and we should ignore it.
+                    if (isTenantPresent || !string.Equals(ex.Body?.Code, "InvalidAuthenticationTokenTenant", StringComparison.OrdinalIgnoreCase))
+                    {
+                        WriteWarningMessage(ex.Message);
+                    }
                 }
 
                 if (subscription != null)

diff --git a/src/Accounts/Authenticators/DeviceCodeAuthenticator.cs b/src/Accounts/Authenticators/DeviceCodeAuthenticator.cs
@@ -48,7 +48,7 @@ public override Task<IAccessToken> Authenticate(AuthenticationParameters paramet
                 DeviceCodeCallback = DeviceCodeFunc,
                 AuthorityHost = new Uri(authority),
                 ClientId = clientId,
-                TenantId = onPremise ? tenantId : null,
+                TenantId = tenantId,
                 TokenCache = tokenCache.TokenCache,
             };
             var codeCredential = new DeviceCodeCredential(options);