You're encountering the error:
AADSTS100033: Regional Cache Auth Service token requests for flows that need CA (Conditional Access) policy evaluation are forbidden
This is a known issue when using Managed Identity in a Dataverse plugin (or other Azure services) with regional token acquisition enabled. Here's what’s going on and how to address it:
🧠 What’s causing this?
When using IManagedIdentityService.AcquireToken, the Microsoft Authentication Library (MSAL) may attempt to use a regional Azure AD endpoint to acquire tokens. However, regional endpoints currently do not support flows that require Conditional Access (CA) evaluation, which is why you're seeing this error.
✅ How to fix it: Disable Regional Token Acquisition
You can disable the use of regional endpoints by not setting or removing the environment variable:
AZURE_REGIONAL_AUTHORITY_NAME
If this variable is set (e.g., to westeurope, eastus, etc.), MSAL will try to use the regional endpoint, which leads to the error when CA policies are involved.
🔧 To disable it:
- In your plugin or app configuration, ensure AZURE_REGIONAL_AUTHORITY_NAME is not set.
- If you're using Azure Functions or App Services, check the Application Settings in the Azure Portal and remove this variable if present.
🛠️ Additional Tips
- If you're using DefaultAzureCredential or similar in .NET, it may automatically pick up this variable from the environment.
- If you must use regional endpoints for performance or compliance reasons, you’ll need to avoid flows that require CA evaluation, which may not be feasible in most enterprise environments.
📌 Summary
- Error cause: Regional AAD endpoints don’t support CA policy evaluation.
- Fix: Remove or avoid setting AZURE_REGIONAL_AUTHORITY_NAME.
- Alternative: Use global AAD endpoints (default behavior when the variable is unset).
Would you like help checking where this variable might be set in your environment or modifying your plugin code to avoid this behavior?
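As an added example (not part of the answer above, and not code from Microsoft or the Dataverse SDK), the following Python script audits the places the answer names for AZURE_REGIONAL_AUTHORITY_NAME: the process environment, an Azure Functions local.settings.json file, and the JSON that `az webapp config appsettings list` / `az functionapp config appsettings list` print. It assumes the standard shapes of those two JSON documents (`{"Values": {...}}` and `[{"name": ..., "value": ..., "slotSetting": ...}]`); the sample inputs at the bottom are constructed, and the app name and resource group passed to `remediation` are placeholders.

```python
"""Audit configuration sources for AZURE_REGIONAL_AUTHORITY_NAME (added example)."""
import json
import os
from typing import Dict, Mapping, Optional

# The environment variable the answer above says turns on regional token acquisition.
REGIONAL_VAR = "AZURE_REGIONAL_AUTHORITY_NAME"


def check_environment(env: Optional[Mapping[str, str]] = None) -> Optional[str]:
    """Return the region configured in the process environment, or None if unset/empty.

    A mapping can be passed instead of os.environ so the check is testable offline."""
    source = os.environ if env is None else env
    return source.get(REGIONAL_VAR) or None


def check_local_settings(local_settings_json: str) -> Optional[str]:
    """Inspect an Azure Functions local.settings.json document.

    Assumed shape (the standard one): {"IsEncrypted": false, "Values": {"KEY": "value"}}."""
    doc = json.loads(local_settings_json)
    return doc.get("Values", {}).get(REGIONAL_VAR) or None


def check_app_settings(app_settings_json: str) -> Optional[str]:
    """Inspect the JSON list printed by
    `az webapp config appsettings list` / `az functionapp config appsettings list`.

    Assumed shape: [{"name": "KEY", "value": "...", "slotSetting": false}, ...]."""
    for entry in json.loads(app_settings_json):
        if entry.get("name") == REGIONAL_VAR and entry.get("value"):
            return entry["value"]
    return None


def audit(env: Mapping[str, str], local_settings_json: Optional[str],
          app_settings_json: Optional[str]) -> Dict[str, str]:
    """Return {source: region} for every source that would enable regional token acquisition.

    An empty dict means the global endpoint (the answer's recommended state) will be used."""
    findings: Dict[str, str] = {}
    region = check_environment(env)
    if region:
        findings["process environment"] = region
    if local_settings_json is not None:
        region = check_local_settings(local_settings_json)
        if region:
            findings["local.settings.json"] = region
    if app_settings_json is not None:
        region = check_app_settings(app_settings_json)
        if region:
            findings["App Service application settings"] = region
    return findings


def remediation(app_name: str, resource_group: str) -> str:
    """Azure CLI command that removes the setting from a Function App.

    app_name and resource_group are placeholders supplied by the caller."""
    return (f"az functionapp config appsettings delete --name {app_name} "
            f"--resource-group {resource_group} --setting-names {REGIONAL_VAR}")


# --- Constructed sample inputs (not real tenant data) ---
SAMPLE_ENV = {"PATH": "/usr/bin", "AZURE_TENANT_ID": "00000000-0000-0000-0000-000000000000"}
SAMPLE_LOCAL_SETTINGS = json.dumps({
    "IsEncrypted": False,
    "Values": {"AzureWebJobsStorage": "UseDevelopmentStorage=true",
               "AZURE_REGIONAL_AUTHORITY_NAME": "westeurope"},
})
SAMPLE_APP_SETTINGS = json.dumps([
    {"name": "FUNCTIONS_WORKER_RUNTIME", "value": "dotnet-isolated", "slotSetting": False},
    {"name": "AZURE_REGIONAL_AUTHORITY_NAME", "value": "eastus", "slotSetting": False},
])

if __name__ == "__main__":
    found = audit(SAMPLE_ENV, SAMPLE_LOCAL_SETTINGS, SAMPLE_APP_SETTINGS)
    if not found:
        print("OK: regional token acquisition is not enabled in any source checked.")
    for source, region in found.items():
        print(f"{source}: {REGIONAL_VAR}={region} -> regional endpoint will be used")
    print("Suggested fix:", remediation("<function-app-name>", "<resource-group>"))
```

Run it with real input by replacing the constructed samples: pass `os.environ` (or `None`) to `check_environment`, the contents of your local.settings.json, and the output of the `az ... appsettings list` command. Any non-empty finding means MSAL will be steered to a regional endpoint and the CA-dependent flow will fail as the answer describes; an empty result means the global endpoint is in use.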