fix for 1738

src/Microsoft.Identity.Web/TokenAcquisition.cs

@@ -852,11 +852,25 @@ private IConfidentialClientApplication BuildConfidentialClientApplication(Merged
                 if (builder != null)
                 {
                     builder.WithSendX5C(mergedOptions.SendX5C);
+
+                    ClaimsPrincipal? user = GetUserFromHttpContext();
+                    var userTenant = string.Empty;
+                    if (user != null)
+                    {
+                        userTenant = user.GetTenantId();
+                        builder.WithCcsRoutingHint(user.GetObjectId(), userTenant);
+                    }
                     if (!string.IsNullOrEmpty(tenantId))
                     {
                         builder.WithTenantId(tenantId);
                     }
-
+                    else
+                    {
+                        if (!string.IsNullOrEmpty(userTenant))
+                        {
+                            builder.WithTenantId(userTenant);
+                        }
+                    }
                     if (tokenAcquisitionOptions != null)
                     {
                         builder.WithExtraQueryParameters(tokenAcquisitionOptions.ExtraQueryParameters);
@@ -867,13 +881,7 @@ private IConfidentialClientApplication BuildConfidentialClientApplication(Merged
                         {
                             builder.WithProofOfPossession(tokenAcquisitionOptions.PoPConfiguration);
                         }
-                    }
-
-                    ClaimsPrincipal? user = GetUserFromHttpContext();
-                    if (user != null)
-                    {
-                        builder.WithCcsRoutingHint(user.GetObjectId(), user.GetTenantId());
-                    }
+                    }                    
 
                     return await builder.ExecuteAsync(tokenAcquisitionOptions != null ? tokenAcquisitionOptions.CancellationToken : CancellationToken.None)
                                         .ConfigureAwait(false);