How to use Azure.Identity with Azure Government Cloud, Azure German Cloud, and Azure China Cloud
Azure has many cloud instances, such as Azure Public, Azure Government, Azure German, and Azure China. You can see the full list of clouds and their associated endpoints by running the Azure CLI command `az cloud list`.
If you try to use the new Azure Identity library with one of those clouds, you will get this error:
```text
AADSTS900382: Confidential Client is not supported in Cross Cloud request
```
That is because all of the libraries default to using `https://login.microsoftonline.com` as the Azure Active Directory authority host. Each of the other clouds has a different authority host endpoint, as you can see from the Azure Government profile below. Its `activeDirectory` property doesn’t end with `.com`; it ends with `.us`, and every cloud is different.
```json
{
  "endpoints": {
    "activeDirectory": "https://login.microsoftonline.us",
    "activeDirectoryDataLakeResourceId": null,
    "activeDirectoryGraphResourceId": "https://graph.windows.net/",
    "activeDirectoryResourceId": "https://management.core.usgovcloudapi.net/",
    "batchResourceId": "https://batch.core.usgovcloudapi.net/",
    "gallery": "https://gallery.usgovcloudapi.net/",
    "management": "https://management.core.usgovcloudapi.net/",
    "mediaResourceId": "https://rest.media.usgovcloudapi.net",
    "microsoftGraphResourceId": "https://graph.microsoft.us/",
    "ossrdbmsResourceId": "https://ossrdbms-aad.database.usgovcloudapi.net",
    "resourceManager": "https://management.usgovcloudapi.net/",
    "sqlManagement": "https://management.core.usgovcloudapi.net:8443/",
    "vmImageAliasDoc": "https://raw.githubusercontent.com/Azure/azure-rest-api-specs/master/arm-compute/quickstart-templates/aliases.json"
  },
  "isActive": true,
  "name": "AzureUSGovernment",
  "profile": "latest",
  "suffixes": {
    "acrLoginServerEndpoint": ".azurecr.us",
    "azureDatalakeAnalyticsCatalogAndJobEndpoint": null,
    "azureDatalakeStoreFileSystemEndpoint": null,
    "keyvaultDns": ".vault.usgovcloudapi.net",
    "sqlServerHostname": ".database.usgovcloudapi.net",
    "storageEndpoint": "core.usgovcloudapi.net"
  }
}
```
When you instantiate `Azure.Identity.DefaultAzureCredential()` without any parameters:
```js
const credential = new DefaultAzureCredential();
```
You will get the following error:
```text
AADSTS900382: Confidential Client is not supported in Cross Cloud request
```
What you need to do is instantiate `DefaultAzureCredential` with the proper authority host for the cloud you are targeting. Run `az cloud list` to find the appropriate `activeDirectory` endpoint.
You can set it via the `AZURE_AUTHORITY_HOST` environment variable or use the `AzureAuthorityHosts` enums.
Here’s what you need to do for each language:
## Setting Authority Host via the AZURE\_AUTHORITY\_HOST Environment Variable
As of the following releases, each Azure SDK library supports setting the authority host via the `AZURE_AUTHORITY_HOST` environment variable.
- **.NET**: [Azure.Identity 1.2.0](https://www.nuget.org/packages/Azure.Identity/1.2.0)
- **Python**: [azure-identity 1.4.0](https://pypi.org/project/azure-identity/1.4.0/)
- **Java**: [com.azure:azure-identity 1.1.0](https://search.maven.org/artifact/com.azure/azure-identity/1.1.0/jar)
- **JavaScript/TypeScript**: [@azure/identity 1.1.0](https://www.npmjs.com/package/@azure/identity/v/1.1.0)
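
A pre-flight check for the mismatch described above, as an added example that is not part of the original article or the Azure SDK: it looks up the `activeDirectory` endpoint for a Key Vault URL by its `keyvaultDns` suffix and compares it with `AZURE_AUTHORITY_HOST`. The cloud list is a constructed, trimmed sample in the shape of `az cloud list` output, and the function names and the `example-vault` URL are hypothetical.

```python
import json
import os
from urllib.parse import urlparse

# Constructed sample: trimmed `az cloud list` output (only the fields used here).
AZ_CLOUD_LIST = json.loads("""
[
  {"name": "AzureCloud",
   "endpoints": {"activeDirectory": "https://login.microsoftonline.com"},
   "suffixes": {"keyvaultDns": ".vault.azure.net"}},
  {"name": "AzureUSGovernment",
   "endpoints": {"activeDirectory": "https://login.microsoftonline.us"},
   "suffixes": {"keyvaultDns": ".vault.usgovcloudapi.net"}},
  {"name": "AzureChinaCloud",
   "endpoints": {"activeDirectory": "https://login.chinacloudapi.cn"},
   "suffixes": {"keyvaultDns": ".vault.azure.cn"}}
]
""")

# Authority host the SDKs fall back to when nothing else is configured.
PUBLIC_AUTHORITY = "https://login.microsoftonline.com"


def _host(url):
    """Lower-cased hostname of a URL; a bare host name is accepted as well."""
    return (urlparse(url if "//" in url else "//" + url).hostname or "").lower()


def authority_for_vault(vault_url, clouds=AZ_CLOUD_LIST):
    """Return (cloud name, activeDirectory endpoint) for the vault's DNS suffix."""
    host = _host(vault_url)
    for cloud in clouds:
        suffix = (cloud.get("suffixes") or {}).get("keyvaultDns")
        if suffix and host.endswith(suffix.lower()):
            return cloud["name"], cloud["endpoints"]["activeDirectory"]
    raise ValueError(f"{host!r} matches no keyvaultDns suffix in the cloud list")


def check_authority(vault_url, env=os.environ, clouds=AZ_CLOUD_LIST):
    """Compare the effective authority host with the one the vault's cloud needs."""
    cloud, expected = authority_for_vault(vault_url, clouds)
    configured = env.get("AZURE_AUTHORITY_HOST") or PUBLIC_AUTHORITY
    return {"cloud": cloud, "expected": expected, "configured": configured,
            "ok": _host(configured) == _host(expected)}


if __name__ == "__main__":
    print(check_authority("https://example-vault.vault.usgovcloudapi.net"))
```

Running a check like this at startup or in CI turns the `AADSTS900382` failure into a configuration error that names the expected authority host.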
## Setting Authority Host via the “AuthorityHost” property and AzureAuthorityHosts enums
### .NET
```csharp
using Azure.Identity;
using Azure.Security.KeyVault.Keys;

var options = new DefaultAzureCredentialOptions { AuthorityHost = AzureAuthorityHosts.AzureGovernment };
var client = new KeyClient(new Uri(keyVaultUrl), new DefaultAzureCredential(options));
```
With service version number:
```csharp
var client = new KeyClient(
    new Uri(keyVaultUrl),
    new DefaultAzureCredential(options),
    new KeyClientOptions(KeyClientOptions.ServiceVersion.V7_0));
```
### Java
```java
import com.azure.identity.*;
import com.azure.security.keyvault.keys.*;

DefaultAzureCredential cred = new DefaultAzureCredentialBuilder()
    .authorityHost(AzureAuthorityHosts.AZURE_GOVERNMENT)
    .build();

KeyClient keyClient = new KeyClientBuilder()
    .vaultUrl(keyVaultUrl)
    .credential(cred)
    .buildClient();
```
With service version number:
```java
KeyClient keyClient = new KeyClientBuilder()
    .vaultUrl(keyVaultUrl)
    .serviceVersion(KeyServiceVersion.V7_0)
    .credential(cred)
    .buildClient();
```
### Python
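```python
from azure.identity import AzureAuthorityHosts, DefaultAzureCredential
from azure.keyvault.keys import KeyClient

credential = DefaultAzureCredential(authority=AzureAuthorityHosts.AZURE_GOVERNMENT)
client = KeyClient(vault_url=VAULT_URL, credential=credential)
```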
With service version number:
```python
client = KeyClient(vault_url=VAULT_URL, credential=credential, api_version="7.0")
```
### JavaScript/TypeScript
```js
const credential = new DefaultAzureCredential({ authorityHost: KnownAuthorityHosts.AzureGovernment });
const client = new KeyClient(url, credential);
```
With service version number:
```js
const client = new KeyClient(url, credential, { serviceVersion: "7.0" });
```
## Service Version Error
If you get the following error, you’ll need to set the service version explicitly, as shown in the “With service version number” example for each language above.
```text
The specified version (7.1) is not recognized. Consider using the latest supported version (2016-10-01).
```