Contributor

Copilot AI commented Nov 14, 2025

Instance aware flow is a 1st party-only feature that should not be suggested to 3rd party customers. This PR adds explicit guidance to prevent Copilot from recommending it incorrectly.

Changes

  • New section "Instance Aware Flow Restrictions" in .github/copilot-instructions.md:
    • Marks instanceAware config and instance_aware query parameter as 1st party-only
    • Prohibits suggesting this feature for 3rd party applications
    • Clarifies existing docs at lib/msal-browser/docs/instance-aware.md are for internal use
    • Provides alternative solutions for 3rd party multi-cloud scenarios (standard flows, proper authority config, separate app registrations)

Context

Instance aware flow enables dynamic cloud instance selection via STS parameters in the /authorize response. While available in the public API surface, it's designed exclusively for Microsoft internal applications handling users across cloud boundaries.

Original prompt

Please create a PR for me that updates the "copilot-instructions.md" file that states that the instance aware flow is only available for 1st party customers, and not to suggest or use instance aware for 3rd party customers. Please use the instructions located at .github/copilot-instructions.md for the PR.


Co-authored-by: jo-arroyo <45890484+jo-arroyo@users.noreply.github.com>
Copilot AI changed the title [WIP] Update copilot-instructions to clarify instance aware flow Add instance aware flow restriction to copilot-instructions.md Nov 14, 2025
Copilot AI requested a review from jo-arroyo November 14, 2025 21:42
Copilot finished work on behalf of jo-arroyo November 14, 2025 21:42
@jo-arroyo jo-arroyo marked this pull request as ready for review November 14, 2025 22:25
@jo-arroyo jo-arroyo requested a review from a team as a code owner November 14, 2025 22:25
Copilot AI review requested due to automatic review settings November 14, 2025 22:25
Copilot finished reviewing on behalf of jo-arroyo November 14, 2025 22:27
Contributor

Copilot AI left a comment

Pull Request Overview

This PR adds explicit guidance to prevent GitHub Copilot from recommending the instance aware flow feature to 3rd party developers, as it's exclusively designed for Microsoft internal applications. The new section clarifies that while the feature exists in the public API, it should only be used by 1st party Microsoft customers for handling users across different cloud instances.

Key Changes

  • Added "Instance Aware Flow Restrictions" section with clear prohibitions against suggesting this feature to external developers
  • Documented what instance aware flow is and when it should be used (1st party only)
  • Provided alternative solutions for 3rd party multi-cloud scenarios

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

### Instance Aware Flow Restrictions

**IMPORTANT: The instance aware flow is only available for 1st party Microsoft customers and should NEVER be suggested or used for 3rd party customers.**
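Review bot: The bolded rule turns on "1st party" versus "3rd party", but neither term is defined in the heading or the rule itself, so a reader of the instructions file has no test for which case applies. Define both terms next to the rule, or phrase the restriction unconditionally for this repository.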
Collaborator

Copilot is unlikely to know if I am a 1st party or 3rd party customer or what that is. The instructions here are probably not going to be all that useful; we probably need to restrict access in code instead if this is the goal.

Contributor

Maybe this should just be that this feature isn't supported and we have Copilot instructions in the 1p repo to ignore that statement in the 3p repo? We aren't looking to make code changes for this, just doc updates.

Collaborator

When working in the 1P repo, this instructions file won't be read at all, so no need to ignore explicitly. At a higher level, though, exposing something we don't support creates several challenges, including this one. We should reconsider whether this is the right approach.

Collaborator

Good to know re. what Copilot does and does not know. This part has now been amended, since the current ask is just to move/remove the public-facing documentation.

- Instance aware flow documentation exists at `lib/msal-browser/docs/instance-aware.md` but is intended only for internal Microsoft use cases
- If asked about multi-cloud or cloud instance scenarios by 3rd party developers, provide alternative solutions that do not involve instance aware flow

**What Is Instance Aware Flow:**
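Review bot: The first bullet names `lib/msal-browser/docs/instance-aware.md` while calling it internal-only, which gives the assistant a concrete file to quote whenever the topic comes up. Drop the path from this bullet, or state explicitly that content from that file must not be cited in answers.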
Contributor

Let's move what is / when to use sections to the 1p docs.

Collaborator

Done.
