diff --git a/msal/application.py b/msal/application.py index 036b63dc..7270c7e4 100644 --- a/msal/application.py +++ b/msal/application.py @@ -281,7 +281,9 @@ def __init__( if http_client: self.http_client = http_client + self.internal_client = False else: + self.internal_client = True self.http_client = requests.Session() self.http_client.verify = verify self.http_client.proxies = proxies @@ -301,7 +303,24 @@ def __init__( # Here the self.authority will not be the same type as authority in input try: - self.authority = Authority( + self.authority = self._build_authority( + authority, validate_authority, azure_region) + except Exception: + self.close() + raise + + self.token_cache = token_cache or TokenCache() + self._region_configured = azure_region + self._region_detected = None + self.client, self._regional_client = self._build_client( + client_credential, self.authority) + self.authority_groups = None + self._telemetry_buffer = {} + self._telemetry_lock = Lock() + + def _build_authority(authority, validate_authority, azure_region): + try: + return Authority( authority or "https://login.microsoftonline.com/common/", self.http_client, validate_authority=validate_authority) except ValueError: # Those are explicit authority validation errors 
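Review bot: `self.internal_client` is added as a public attribute, although it is ownership bookkeeping that decides whether `close()` (last hunk) shuts the session down. The other internal state visible in this diff is underscore-prefixed (`_region_configured`, `_telemetry_lock`). A private name such as `self._owns_http_client`, changed in `close()` as well, would make it less likely that a caller flips the flag and has their own session closed. A comment such as `# True only when this app created the Session and is responsible for closing it` would record the intent. `__init__` starts and ends outside the hunk.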
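Review bot: `_build_authority` is declared without `self`, yet it is called as `self._build_authority(authority, validate_authority, azure_region)` and its body reads `self.http_client`, both here and in the next hunk where the helper continues. The bound call passes four positional arguments to a three-parameter function, so it raises `TypeError`, and the new `except Exception` closes the session and re-raises on every construction. The signature should be `def _build_authority(self, authority, validate_authority, azure_region):`. Separately, the cleanup guard covers only authority building: `self._build_client(...)` runs after the `try`, so a failure there would still leave an internally created session open.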
@@ -310,21 +329,12 @@ def __init__( if validate_authority and azure_region: # Since caller opts in to use region, here we tolerate connection # errors happened during authority validation at non-region endpoint - self.authority = Authority( + return Authority( authority or "https://login.microsoftonline.com/common/", self.http_client, validate_authority=False) else: raise - self.token_cache = token_cache or TokenCache() - self._region_configured = azure_region - self._region_detected = None - self.client, self._regional_client = self._build_client( - client_credential, self.authority) - self.authority_groups = None - self._telemetry_buffer = {} - self._telemetry_lock = Lock() - def _decorate_scope( self, scopes, reserved_scope=frozenset(['openid', 'profile', 'offline_access'])): @@ -1297,6 +1307,11 @@ def _acquire_token_by_username_password_federated( )), **kwargs) + def close(self): + """Close the app and any open sockets""" + if self.internal_client: + self.http_client.close() + class PublicClientApplication(ClientApplication): # browser app or mobile app
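Review bot: The fallback `return Authority(..., validate_authority=False)` lets `_build_authority` return an authority that was never validated even though the caller passed `validate_authority=True`, and the helper has no docstring saying so. The `def` line is in the previous hunk and the `except` clause guarding this branch is outside the hunk, so which errors reach it cannot be confirmed from here. I would add a docstring such as `"""Return an Authority; when azure_region is set, a failed validation is retried with validate_authority=False."""`. A warning-level log line on this branch would let operators see when authority validation was skipped.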
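Review bot: The docstring on `close()` promises to close "any open sockets", but the body does nothing when the caller supplied `http_client`, so connections held by a caller-owned session stay open after `close()` returns. The docstring should state the ownership rule, for example `"""Close the HTTP session this app created; a caller-supplied http_client is left open for its owner to close."""`. Nothing in this diff adds `__enter__`/`__exit__`, so callers will need to call `close()` from a `finally` block themselves.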