I have trouble understanding the "Authenticating with Visual Studio" section. In particular we are in a situation where our developers have access to multiple tenants and we use the following code to connect to an SQL database (from https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-connect-msi#modify-aspnet-core):
```csharp
// Cast the EF Core connection to Microsoft.Data.SqlClient so that AccessToken can be set.
var conn = (Microsoft.Data.SqlClient.SqlConnection)Database.GetDbConnection();
// Token for the Azure SQL resource; .Result blocks synchronously on the async call.
conn.AccessToken = (new Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider()).GetAccessTokenAsync("https://database.windows.net/").Result;
```
Everything works fine with this code after deployment and locally when working with Azure CLI (as you can use `az login --tenant <tenantId>`). However, we are unsure what we need to do in our situation when working with Visual Studio Authentication. We tried filtering the tenants in "Account Settings..." but it always results in:
`Login failed for user '<token-identified principal>'.`
The SQL documentation briefly mentions:
> If the Azure AD user you configured has access to multiple tenants, call
> `GetAccessTokenAsync("https://database.windows.net/", tenantid)` with the desired tenant ID to retrieve the proper access token.
However, this again requires some machinery from the developer (which AzureServiceTokenProvider tried to solve?)
Is there a way to set the "default" tenant-id used for tokens when using "Visual Studio Azure Authentication"?
Is there some documentation/best practice around that scenario? (For example should we use some local setting to set the tenant-id?)
Additionally, I was wondering why this issue occurs only when using SQL Server and found that when using for example the KeyVaultClient it will work correctly. This is because KeyVaultClient makes an initial request to the server without any token and uses an HTTP response header to identify the correct tenant-id to request the token. Can we do something similar for SQL Server?
Should I open the same issue for the page on https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-connect-msi#modify-aspnet-core? I feel like these are separate issues/questions:
1. `GetAccessTokenAsync` (generally)
2. `KeyVaultClient` works
However, I need only one of them solved or linked to existing docs.
Maybe this is a feature request, but I couldn't find existing posts of people in a similar situation and I can't see any straightforward way to solve this given the current docs.
If this isn't the correct place, feel free to point me to a better place for this feedback.
Maybe another solution that would work for us: Can we somehow disable this Visual Studio authentication and tell AzureServiceTokenProvider to prefer the Azure CLI login?
EDIT:
After looking at the source code, I found the following workaround (we will use, until we know what the best way forward is):
You can move/delete the file `AppData\Local\.IdentityService\AzureServiceAuth\tokenprovider.json` to disable Visual Studio Authentication.
@matthid Thank you for your query. We will investigate and update the thread.
FYI @varunsh-msft
Sorry for the delay. You can set a connection string in the _AzureServicesAuthConnectionString_ environment variable to have your program use Azure CLI instead of Visual Studio. It is not possible to specify the tenant to use via Visual Studio in configuration.
This is the value that the environment variable should have: _RunAs=Developer; DeveloperTool=AzureCli_
https://docs.microsoft.com/en-us/azure/key-vault/general/service-to-service-authentication#connection-string-support
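The two mechanisms this thread ends up with, the `RunAs=Developer; DeveloperTool=AzureCli` connection string from the answer above and the `tenantId` overload of `GetAccessTokenAsync` quoted from the SQL documentation in the question, combined in one helper. This is an added example, not code from the thread, from Microsoft's docs or from the AppAuthentication library; the class name `AzureSqlTokenHelper` and the configuration key `AzureSql:TenantId` are assumptions made for the example.

```csharp
// Added example (not from the thread): acquire an Azure SQL access token in a way that
// works for developers who belong to several tenants.
//   1. Passing "RunAs=Developer; DeveloperTool=AzureCli" as the provider connection string
//      makes AzureServiceTokenProvider use the Azure CLI login (az login --tenant <id>)
//      instead of the Visual Studio account. Leaving it null keeps the default chain
//      (the library also honours the AzureServicesAuthConnectionString environment variable).
//   2. The tenantId overload of GetAccessTokenAsync pins the token to one tenant, so the
//      "Login failed for user '<token-identified principal>'" error from a token issued
//      by the wrong tenant is avoided.
// The configuration key "AzureSql:TenantId" is a hypothetical name chosen for this example.
using System;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Data.SqlClient;
using Microsoft.Extensions.Configuration;

public static class AzureSqlTokenHelper
{
    // Resource identifier for Azure SQL Database, as used in the question.
    private const string SqlResource = "https://database.windows.net/";

    // Connection string value from the answer above: prefer the Azure CLI login locally.
    public const string AzureCliConnectionString = "RunAs=Developer; DeveloperTool=AzureCli";

    // Returns an Azure SQL access token. providerConnectionString may be null (default
    // chain: environment variable, managed identity, Visual Studio, Azure CLI, ...).
    // tenantId may be null, in which case the provider's home tenant is used, which is
    // what the original code in the question does.
    public static Task<string> GetSqlAccessTokenAsync(
        string providerConnectionString,
        string tenantId,
        CancellationToken cancellationToken = default)
    {
        var provider = new AzureServiceTokenProvider(providerConnectionString);
        return provider.GetAccessTokenAsync(SqlResource, tenantId, cancellationToken);
    }

    // Opens a SqlConnection whose AccessToken is pinned to the tenant read from
    // configuration (hypothetical key "AzureSql:TenantId"). When the key is absent the
    // provider's default tenant is used. In Azure, where the app runs under a managed
    // identity, leave providerConnectionString null; locally pass AzureCliConnectionString.
    public static async Task<SqlConnection> OpenConnectionAsync(
        string sqlConnectionString,
        IConfiguration configuration,
        string providerConnectionString = null,
        CancellationToken cancellationToken = default)
    {
        string tenantId = configuration["AzureSql:TenantId"]; // null when not configured

        var connection = new SqlConnection(sqlConnectionString);
        connection.AccessToken = await GetSqlAccessTokenAsync(
            providerConnectionString, tenantId, cancellationToken);
        await connection.OpenAsync(cancellationToken);
        return connection;
    }
}
```

Passing the provider connection string explicitly rather than relying on the environment variable keeps the choice visible in code and configuration review; in production the value should stay null so that the managed identity is used and no developer-tool credential path is ever taken.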
Thank you @varunsh-msft #please-close