Random 401 error when sending POST request

[zhuanyi]

Describe the bug trying to construct a very basic GraphAPI client by following and slightly modify the code in this tuorial: https://docs.microsoft.com/en-us/graph/tutorials/python?tabs=aad&tutorial-step=2, to send messages to Teams chat and return status code for the POST request is randomly between 201 and 401, and if it is 401 the error message is a simple unauthorized error with the details being "Additional claims required".

To Reproduce he client is authenticating via DeviceCodeCredential in azure.identity package (with client_id and tenant_id provided, also with the logging_enable=True. Graph client is set up using GraphClient constructor and pass in the DeviceControlCredential as a param, with the scope being "Chat.ReadWrite" (also tried to add "User.Read" on top) and I am using the post method within GraphClient. I did not pass in any parameter for URL callback (nor it is configured in the App Registration in Azure Portal since the Python app I am writing is standalone with no web listener - really just send POST request and do nothing else), also I did not pass in any additional claims.

When doing the authentication via DeviceCodeCredential, I am able to go to the device login page, input the code generated, log in (the account used is SFA), approve the app and get to the page where it says "you can close the window". The logging also shows there was a token obtained successfully with the correct scope required. The POST is a simple loop (with time.sleep(30) - well within the API limit, and basically sending the same request) and the log also stated it was able to get_token() successfully, but the return code would some times be 401 and sometimes be 201 with much higher chance of 401 than 201.

In the test environment in dev.onmicrosoft.com, we are able to run the exact same code fine. We compared the App Registration in Azure portal tab by tab to make sure they are the same. The same requests also works fine in Graph Explorer (so the permissions are good). The messages are sending to the same chat and sign-in log in Azure portal shows two requests in both prod and test environment generated a few seconds apart every time, and always with one success and one fail (originating from the same IP). We also know this account only runs on one server and there is only 1 instance of the Python code runs at once. No password change or any API call to close the DeviceCodeCredential. Also support engineers from Microsoft compared a 401 and 201 request and told me they are identical, with the only bit he saw might be a little suspicious is sometimes the calls would be hitting teamsgraph.team.microsoft.com end point rather than graph.microsoft.com end point.

Expected behavior 201 status code for all POST requests, no 401 error