fix(fabric): isolate tenant-switch auth path for cross-tenant MFA flows (#1797)

[newventurecap]

Summary

This PR addresses #1797 by isolating tenant-switch authentication behavior to explicit tenant-scoped requests while preserving default credential-chain behavior.

Changes

• Added TenantAwareCredential for explicit tenant-scoped auth flow
• Updated SingleIdentityTokenCredentialProvider to route tenant-specific requests to TenantAwareCredential
• Restored CustomChainedCredential behavior path for default flow
• Updated Fabric server documentation for this scoped fix

Validation

• dotnet build core/Microsoft.Mcp.Core/src/Microsoft.Mcp.Core.csproj
• dotnet build servers/Fabric.Mcp.Server/src/Fabric.Mcp.Server.csproj
• dotnet test core/Azure.Mcp.Core/tests/Azure.Mcp.Core.UnitTests/Azure.Mcp.Core.UnitTests.csproj --filter "FullyQualifiedName~Authentication"
  • 76 passed, 0 failed

[github-actions]

Thank you for your contribution @newventurecap! We will review the pull request and get back to you soon.

[newventurecap]

@newventurecap please read the following Contributor License Agreement(CLA). If you agree with the CLA, please reply with the following information.

@microsoft-github-policy-service agree [company="{your company}"]

Options:

• (default - no company specified) I have sole ownership of intellectual property rights to my Submissions and I am not making Submissions in the course of work for my employer.

@microsoft-github-policy-service agree

• (when company given) I am making Submissions in the course of work for my employer (or my employer has intellectual property rights in my Submissions by contract or applicable law). I have permission from my employer to make Submissions and enter into this Agreement on behalf of my employer. By signing below, the defined term “You” includes me and my employer.

@microsoft-github-policy-service agree company="Microsoft"

Contributor License Agreement

@microsoft-github-policy-service agree

[newventurecap]

Adding context for the current CI failure pattern after latest update.

Observed failing jobs:

• Build linux_x64
• Build linux_arm64
• Build windows_x64
• Build macos_x64

Common failing step:

• Run recorded tests

Representative failing lines from build 6013273 logs:

• System.InvalidOperationException: Test proxy restore failed with exit code 1
• Git ran into an unrecoverable error. Test-Proxy is exiting.
• error: pathspec '.' did not match any file(s) known to git
• ##[error]PowerShell exited with code '1'

Additional macOS x64 signature seen in same run:

• `error: RPC failed; curl 56 LibreSSL SSL_reAdding context for the current CI failure pattern after latest update.

Observed failing jobs:

• Build linux_x64
• Build linux_arm64
• Build windows_x64
• Build macos_x64

Common failing step:

• Run recorded tests

Representative failing lines from build 6013273 logs:

• `System.InvalidOperationException: Test proxy restore -proxy restore issue path for this pipeline run context?