
az keyvault secret list hangs in AzureUSGovernment cloud #24558

@jiasli


Related command
az keyvault secret list

Describe the bug

When running az keyvault secret list in AzureUSGovernment cloud, the --debug log shows it hangs at

urllib3.connectionpool: Starting new HTTPS connection (1): login.microsoftonline.com:443

I am able to pin this request down to this line in MSAL:

https://github.com/AzureAD/microsoft-authentication-library-for-python/blob/fc3f39f9deecc2cbb9c3c5e46023a527835beaaf/msal/application.py#L1057-L1059

    def _get_authority_aliases(self, instance):
        if not self.authority_groups:
            resp = self.http_client.get(
                "https://login.microsoftonline.com/common/discovery/instance?api-version=1.1&authorization_endpoint=https://login.microsoftonline.com/common/oauth2/authorize",
                headers={'Accept': 'application/json'})

_get_authority_aliases is unconditionally called by acquire_token_silent_with_error, which is called when Azure CLI tries to get an access token for a scope other than ARM.

authority_groups is then populated from the result of this HTTP request. When MSAL gets an access token from the token cache, it checks if there is an existing access token issued to the current authority's aliases.

Since https://login.microsoftonline.com/ is blocked in isolated environments, MSAL hangs.

Additional context
https://portal.microsofticm.com/imp/v3/incidents/details/334661425/home
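
An added example, not part of the original issue or of Azure CLI/MSAL: a small audit of `--debug` output that lists hosts outside the cloud's expected set and connections that never received a reply, which is how the hang above shows up in the log. The allowlist entries, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re

# Assumption: hosts an isolated AzureUSGovernment environment is expected to reach.
# Entries starting with "." match any subdomain; all others must match exactly.
ALLOWED_HOSTS = ("login.microsoftonline.us", ".vault.usgovcloudapi.net")

# urllib3 debug lines: one when a connection is opened, one when a reply arrives.
START = re.compile(
    r"urllib3\.connectionpool: Starting new HTTPS connection \(\d+\): ([^:\s]+):\d+")
REPLY = re.compile(r'urllib3\.connectionpool: https://([^:\s]+):\d+ "')

# Constructed sample: the sovereign-cloud login host answers, the global one never does.
SAMPLE_LOG = """\
urllib3.connectionpool: Starting new HTTPS connection (1): login.microsoftonline.us:443
urllib3.connectionpool: https://login.microsoftonline.us:443 "POST /constructed-tenant/oauth2/v2.0/token HTTP/1.1" 200 1500
urllib3.connectionpool: Starting new HTTPS connection (1): login.microsoftonline.com:443
"""

def is_allowed(host, allowed=ALLOWED_HOSTS):
    """Exact match, or subdomain match for entries written with a leading dot."""
    host = host.lower()
    return any(host.endswith(a) if a.startswith(".") else host == a for a in allowed)

def audit_debug_log(text, allowed=ALLOWED_HOSTS):
    """Return (unexpected_hosts, unanswered_hosts), each in order of first appearance."""
    unexpected, pending = [], []
    for line in text.splitlines():
        started = START.search(line)
        if started:
            host = started.group(1).lower()
            if not is_allowed(host, allowed) and host not in unexpected:
                unexpected.append(host)
            if host not in pending:
                pending.append(host)
            continue
        replied = REPLY.search(line)
        if replied and replied.group(1).lower() in pending:
            pending.remove(replied.group(1).lower())
    return unexpected, pending

if __name__ == "__main__":
    unexpected, unanswered = audit_debug_log(SAMPLE_LOG)
    print("outside allowlist:", unexpected)
    print("no reply logged:  ", unanswered)
```

A host that appears in both lists is a request leaving the sovereign cloud's endpoint set and blocking on egress, which matches the login.microsoftonline.com connection described in this issue.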
