microsoft-authentication-library-for-dotnet
[Bug] WithSSHCertificateAuthenticationScheme Does Not Return an SSH Certificate When WAM Is Enabled
Library version used
4.61.3.0
.NET version
.netstandard 2.0
Scenario
PublicClient - desktop app
Is this a new or an existing app?
The app is in production, and I have upgraded to a new version of MSAL
Issue description and reproduction steps
Raised by @vthiebaut10: in Azure PowerShell, when WAM is enabled, the customer fails to connect to a configured Azure VM using Az.Ssh. Here are the steps to reproduce:
- Create an Ubuntu Azure VM with Login with Microsoft Entra Id enabled (Sign in to a Linux virtual machine in Azure by using Microsoft Entra ID and OpenSSH - Microsoft Entra ID | Microsoft Learn). To enable AAD login, during creation in the portal, on the management tab select the Login with Microsoft Entra ID checkbox and ensure that the System assigned managed identity checkbox is selected.
- Once the VM is created, assign "Virtual Machine Administrator Login" role to your account.
- Run "Enter-AzVM -ResourceGroupName rgname -Name vmname" (make sure WAM is enabled).
When WAM is disabled, Enter-AzVM works as expected. We find that when WAM is enabled, WithSSHCertificateAuthenticationScheme doesn't return an SSH certificate but returns a bearer token; when WAM is disabled, it returns an SSH certificate.
Relevant code snippets
public virtual IPublicClientApplication CreatePublicClient(string authority, string tenantId)
{
    var builder = PublicClientApplicationBuilder.Create(Constants.PowerShellClientId);
    // Route token requests through the Windows broker (WAM) when it is enabled in Az config.
    if (AzConfigReader.IsWamEnabled(authority))
    {
        builder = builder.WithBroker(new BrokerOptions(BrokerOptions.OperatingSystems.Windows));
    }
    if (!string.IsNullOrEmpty(authority))
    {
        builder.WithAuthority(authority, tenantId ?? organizationTenant);
    }
    var client = builder.Build();
    RegisterCache(client);
    return client;
}

var publicClient = CreatePublicClient(context.Environment.ActiveDirectoryAuthority, context.Tenant.Id);
var account = publicClient.GetAccountAsync(context.Account.GetProperty(AzureAccount.Property.HomeAccountId))
    .ConfigureAwait(false).GetAwaiter().GetResult();
// Ask for an SSH certificate bound to the supplied public key (JWK) and key id rather than a bearer token.
var result = publicClient.AcquireTokenSilent(scopes, account)
    .WithSSHCertificateAuthenticationScheme(jwk, keyId)
    .ExecuteAsync();
var accessToken = result.ConfigureAwait(false).GetAwaiter().GetResult();
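As an added example (not code from this issue, from Azure PowerShell or from MSAL itself), the guard below fails closed when the token returned for an SSH certificate request is not actually an SSH certificate, so a bearer token is never handed to the SSH client as if it were a certificate. It assumes an already built IPublicClientApplication, an IAccount, the scopes, and the same jwk/keyId used above; it also assumes that AuthenticationResult.TokenType reports "ssh-cert" for SSH certificates and "Bearer" for plain access tokens (an assumption to verify against the MSAL version in use).

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example, not part of the issue. Wraps the silent SSH-certificate request with a
// token-type check so the broker (WAM) path cannot silently downgrade to a bearer token.
public static class SshCertificateGuard
{
    // Assumed token type string MSAL reports for SSH certificates; "Bearer" means a plain access token.
    private const string SshCertTokenType = "ssh-cert";

    public static async Task<string> AcquireSshCertificateAsync(
        IPublicClientApplication app,
        IAccount account,
        string[] scopes,
        string jwk,
        string keyId)
    {
        AuthenticationResult result = await app.AcquireTokenSilent(scopes, account)
            .WithSSHCertificateAuthenticationScheme(jwk, keyId)
            .ExecuteAsync()
            .ConfigureAwait(false);

        // Fail closed: the caller asked for an SSH certificate, so anything else is a defect
        // (for example the WAM regression described in this issue) and must not reach the SSH client.
        if (!string.Equals(result.TokenType, SshCertTokenType, StringComparison.OrdinalIgnoreCase))
        {
            throw new InvalidOperationException(
                $"Requested an SSH certificate but MSAL returned token type '{result.TokenType}'. " +
                "Refusing to use a non-certificate token as an SSH credential.");
        }

        return result.AccessToken;
    }
}
```

Surfacing the returned TokenType in the error makes the WAM versus non-WAM difference visible in logs immediately, instead of showing up later as an opaque SSH authentication failure.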
Expected behavior
Return an SSH certificate, as the non-broker public client does.
Identity provider
Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)
Regression
No response
Solution and workarounds
No response