@@ -336,51 +336,22 @@ def __init__(
336336 `claims parameter <https://openid.net/specs/openid-connect-core-1_0-final.html#ClaimsParameter>`_
337337 which you will later provide via one of the acquire-token request.
338338
339- :param str azure_region:
340- AAD provides regional endpoints for apps to opt in
341- to keep their traffic remain inside that region .
339+ :param str azure_region: (optional)
340+ Instructs MSAL to use the Entra regional token service. This legacy feature is only available to
341+ first-party applications. Only ``acquire_token_for_client()`` is supported .
342342
343- As of 2021 May, regional service is only available for
344- ``acquire_token_for_client()`` sent by any of the following scenarios:
343+ Supports 3 values:
345344
346- 1. An app powered by a capable MSAL
347- (MSAL Python 1.12+ will be provisioned)
348-
349- 2. An app with managed identity, which is formerly known as MSI.
350- (However MSAL Python does not support managed identity,
351- so this one does not apply.)
352-
353- 3. An app authenticated by
354- `Subject Name/Issuer (SNI) <https://github.com/AzureAD/microsoft-authentication-library-for-python/issues/60>`_.
355-
356- 4. An app which already onboard to the region's allow-list.
357-
358- This parameter defaults to None, which means region behavior remains off.
359-
360- App developer can opt in to a regional endpoint,
361- by provide its region name, such as "westus", "eastus2".
362- You can find a full list of regions by running
363- ``az account list-locations -o table``, or referencing to
364- `this doc <https://docs.microsoft.com/en-us/dotnet/api/microsoft.azure.management.resourcemanager.fluent.core.region?view=azure-dotnet>`_.
365-
366- An app running inside Azure Functions and Azure VM can use a special keyword
367- ``ClientApplication.ATTEMPT_REGION_DISCOVERY`` to auto-detect region.
345+ ``azure_region=None`` - meaning no region is used. This is the default value.
346+ ``azure_region="some_region"`` - meaning the specified region is used.
347+ ``azure_region=True`` - meaning MSAL will try to auto-detect the region. This is not recommended.
368348
369349 .. note::
350+ Region auto-discovery has been tested on VMs and on Azure Functions. It is unreliable.
351+ Applications using this option should configure a short timeout.
370352
371- Setting ``azure_region`` to non-``None`` for an app running
372- outside of Azure Function/VM could hang indefinitely.
373-
374- You should consider opting in/out region behavior on-demand,
375- by loading ``azure_region=None`` or ``azure_region="westus"``
376- or ``azure_region=True`` (which means opt-in and auto-detect)
377- from your per-deployment configuration, and then do
378- ``app = ConfidentialClientApplication(..., azure_region=azure_region)``.
379-
380- Alternatively, you can configure a short timeout,
381- or provide a custom http_client which has a short timeout.
382- That way, the latency would be under your control,
383- but still less performant than opting out of region feature.
353+ For more details and for the values of the region string
354+ see https://learn.microsoft.com/entra/msal/dotnet/resources/region-discovery-troubleshooting
384355
385356 New in version 1.12.0.
386357
@@ -612,6 +583,8 @@ def _build_telemetry_context(
612583 correlation_id = correlation_id , refresh_reason = refresh_reason )
613584
614585 def _get_regional_authority (self , central_authority ):
586+ if not self ._region_configured : # User did not opt-in to ESTS-R
587+ return None # Short circuit to completely bypass region detection
615588 self ._region_detected = self ._region_detected or _detect_region (
616589 self .http_client if self ._region_configured is not None else None )
617590 if (self ._region_configured != self .ATTEMPT_REGION_DISCOVERY
0 commit comments