Multiple tenant password grant being granted when it shouldn't be

I’m trying a password owner grant on two different tenants A, and B.

The scope I’m asking for is oauth

However, when I go to, and try a Resource owner password grant with credentials and the Client from, a token is granted to me

This doesn’t make sense. Shouldn’t I be refused the token on the grounds that I’m accessing a different tenant?

It’s something that is already being tracked in order to be addressed; although it’s something that is prone to generate confusion and hence should be resolved have in mind that to my knowledge it does not have a real impact because the client application identifier is already unique by itself. In addition the fact that it behaves like that, even if you consider it a bug, means that changing it ends up to be a breaking change so there may be more to it then just a code change.