Azure has several cloud instances: Azure Public, Azure Government, Azure Germany, and Azure China. You can see the full cloud list and the endpoints associated with each via the Azure CLI command az cloud list.
If you try to use the new Azure Identity library with one of those clouds, you will get this error:
AADSTS900382: Confidential Client is not supported in Cross Cloud request
That is because all of the libraries default to using https://login.microsoftonline.com as the Azure Active Directory authority host. Each of the other clouds has a different authority host endpoint, as you can see from the Azure Government profile below: the activeDirectory property doesn't end with .com, it ends with .us, and every cloud is different.
{
  "endpoints": {
    "activeDirectory": "https://login.microsoftonline.us",
    "activeDirectoryDataLakeResourceId": null,
    "activeDirectoryGraphResourceId": "https://graph.windows.net/",
    "activeDirectoryResourceId": "https://management.core.usgovcloudapi.net/",
    "batchResourceId": "https://batch.core.usgovcloudapi.net/",
    "gallery": "https://gallery.usgovcloudapi.net/",
    "management": "https://management.core.usgovcloudapi.net/",
    "mediaResourceId": "https://rest.media.usgovcloudapi.net",
    "microsoftGraphResourceId": "https://graph.microsoft.us/",
    "ossrdbmsResourceId": "https://ossrdbms-aad.database.usgovcloudapi.net",
    "resourceManager": "https://management.usgovcloudapi.net/",
    "sqlManagement": "https://management.core.usgovcloudapi.net:8443/",
    "vmImageAliasDoc": "https://raw.githubusercontent.com/Azure/azure-rest-api-specs/master/arm-compute/quickstart-templates/aliases.json"
  },
  "isActive": true,
  "name": "AzureUSGovernment",
  "profile": "latest",
  "suffixes": {
    "acrLoginServerEndpoint": ".azurecr.us",
    "azureDatalakeAnalyticsCatalogAndJobEndpoint": null,
    "azureDatalakeStoreFileSystemEndpoint": null,
    "keyvaultDns": ".vault.usgovcloudapi.net",
    "sqlServerHostname": ".database.usgovcloudapi.net",
    "storageEndpoint": "core.usgovcloudapi.net"
  }
}
When you instantiate Azure.Identity.DefaultAzureCredential() without any parameters:
const credential = new DefaultAzureCredential();
You will get the following error:
AADSTS900382: Confidential Client is not supported in Cross Cloud request
What you need to do is instantiate DefaultAzureCredential with the proper authority host for the cloud you are targeting. Run az cloud list to find the appropriate activeDirectory endpoint. You can set it via the AZURE_AUTHORITY_HOST environment variable or use the AzureAuthorityHosts enums.
Here’s what you need to do for each language:
Setting Authority Host via the AZURE_AUTHORITY_HOST Environment Variable
As of the following releases, each Azure SDK library now supports setting authority host via the AZURE_AUTHORITY_HOST environment variable.
.NET: Azure.Identity 1.2.0
Python: azure-identity 1.4.0
Java: com.azure:azure-identity 1.1.0
JavaScript/TypeScript: @azure/identity 1.1.0
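The two settings above (the environment variable and the authority host passed to the credential) both come from the activeDirectory endpoint in the cloud profile. The following added example, which is not code from the original post or from the Azure SDK, shows how to read that endpoint out of az cloud list --output json and how to check that a Key Vault URL actually belongs to the cloud you are about to authenticate against, using only the Python standard library. The SAMPLE_CLOUD_LIST constant is a constructed, trimmed stand-in for the CLI output (the AzureUSGovernment values match the profile shown above; the AzureCloud entry is constructed from the well-known public endpoints), and the function names are this example's own. The returned kwargs are what you would pass to DefaultAzureCredential; the example deliberately does not import azure-identity so it runs offline.

```python
import json
from urllib.parse import urlparse

# Constructed sample: a trimmed copy of `az cloud list --output json` reduced to
# the fields this example needs. The AzureUSGovernment values match the profile
# shown in the post; the AzureCloud entry is constructed from the public-cloud
# endpoints (login.microsoftonline.com / .vault.azure.net).
SAMPLE_CLOUD_LIST = json.dumps([
    {
        "name": "AzureCloud",
        "isActive": False,
        "endpoints": {"activeDirectory": "https://login.microsoftonline.com"},
        "suffixes": {"keyvaultDns": ".vault.azure.net"},
    },
    {
        "name": "AzureUSGovernment",
        "isActive": True,
        "endpoints": {"activeDirectory": "https://login.microsoftonline.us"},
        "suffixes": {"keyvaultDns": ".vault.usgovcloudapi.net"},
    },
])


def load_clouds(cloud_list_json):
    """Index the `az cloud list` JSON array by cloud name."""
    return {entry["name"]: entry for entry in json.loads(cloud_list_json)}


def authority_host_for(clouds, cloud_name):
    """Return the AAD authority host for a cloud: the value that goes into
    AZURE_AUTHORITY_HOST or DefaultAzureCredential(authority=...)."""
    return clouds[cloud_name]["endpoints"]["activeDirectory"]


def cloud_for_vault_url(clouds, vault_url):
    """Work out which cloud a Key Vault URL belongs to from its DNS suffix.

    Building the credential with the public-cloud default while talking to a
    vault in another cloud is exactly the mismatch behind AADSTS900382, so the
    suffix check catches the misconfiguration before any token request.
    """
    host = (urlparse(vault_url).hostname or "").lower()
    for name, entry in clouds.items():
        suffix = entry["suffixes"].get("keyvaultDns")
        if suffix and host.endswith(suffix.lower()):
            return name
    raise ValueError(f"{vault_url} does not match any known Key Vault DNS suffix")


def credential_settings(clouds, vault_url):
    """Return the DefaultAzureCredential keyword arguments and the equivalent
    environment variable for the cloud that owns `vault_url`."""
    cloud = cloud_for_vault_url(clouds, vault_url)
    authority = authority_host_for(clouds, cloud)
    return {
        "cloud": cloud,
        "kwargs": {"authority": authority},
        "env": {"AZURE_AUTHORITY_HOST": authority},
    }


if __name__ == "__main__":
    # Usage: in practice read the JSON from `az cloud list --output json`
    # instead of the constructed sample.
    clouds = load_clouds(SAMPLE_CLOUD_LIST)
    settings = credential_settings(clouds, "https://myvault.vault.usgovcloudapi.net/")
    print(settings)
    # With azure-identity installed this would be:
    # DefaultAzureCredential(**settings["kwargs"])
```

Feeding the real CLI output into load_clouds works the same way, since the function only relies on the name, endpoints.activeDirectory and suffixes.keyvaultDns keys shown in the profile above.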
Setting Authority Host via the AuthorityHost property and AzureAuthorityHosts enums
.NET
var options = new DefaultAzureCredentialOptions { AuthorityHost = AzureAuthorityHosts.AzureGovernment };
var client = new KeyClient(new Uri(keyVaultUrl), new DefaultAzureCredential(options));
With service version number:
var client = new KeyClient(new Uri(keyVaultUrl), new DefaultAzureCredential(options), new KeyClientOptions(KeyClientOptions.ServiceVersion.V7_0));
Java
DefaultAzureCredential cred = new DefaultAzureCredentialBuilder()
.authorityHost(AzureAuthorityHosts.AZURE_GOVERNMENT)
.build();
KeyClient keyClient = new KeyClientBuilder()
.vaultUrl(keyVaultUrl)
.credential(cred)
.buildClient();
With service version number:
KeyClient keyClient = new KeyClientBuilder()
.vaultUrl(keyVaultUrl)
.serviceVersion(KeyServiceVersion.V7_0)
.credential(cred)
.buildClient();
Python
credential = DefaultAzureCredential(authority=AzureAuthorityHosts.AZURE_GOVERNMENT)
client = KeyClient(vault_url=VAULT_URL, credential=credential)
With service version number:
client = KeyClient(vault_url=VAULT_URL, credential=credential, api_version="7.0")
JavaScript/TypeScript
const credential = new DefaultAzureCredential({ authorityHost: KnownAuthorityHosts.AzureGovernment });
const client = new KeyClient(url, credential);
With service version number:
const client = new KeyClient(url, credential, { serviceVersion: "7.0" });
Service Version Error
If you get the following error, then you'll need to explicitly set the service version number. An example with the service version set is shown above for each language.
The specified version (7.1) is not recognized. Consider using the latest supported version (2016-10-01).