Use globally registered app id on Microsoft Graph operated by 21Vianet

Asked by alivedevil; answered by NandeeshSwami-8857

I've got a globally registered app id of type "Public Client" for consumers, with multi-tenancy enabled, using the /common/oauth2/v2.0/ authentication endpoints.
Now using this app id doesn't work for AD tenants in Azure operated by 21Vianet.

There is no documentation I can find which describes this exact use case. Basically: create a "public client" app registration in the Azure Portal (.com) and use it with login.chinacloudapi.cn. Is there any way this integration works? Registering a company in China is not an option.

azure-ad-app-registration

NandeeshSwami-8857 commented: @alivedevil Checking on this, will update soon.

NandeeshSwami-8857 answered:

Check this:
https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-national-cloud?tabs=dotnet#choose-the-appropriate-identities

After you decide, a special consideration is where you perform your app registration. If you choose Azure AD Public identities for your Azure Government application, you must register the application in your Azure AD Public tenant.

For more info on sovereign clouds, check below:
https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-national-cloud?tabs=dotnet
https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-national-cloud
https://docs.microsoft.com/en-us/azure/china/overview-connectivity-and-interoperability

The above links have been beautifully summarized in the Stack Overflow discussion below:
https://stackoverflow.com/questions/41599059/how-to-specify-a-different-aadinstance-for-a-web-api

(Copying the below from the Stack Overflow thread)

Few things to note here about applications that use different sovereign clouds:

Each Sovereign Cloud (China, US Gov, Germany, Worldwide) is its own instance of AAD. In order for you to authenticate with an application to its token endpoint, you must have a separately registered application for that environment. An application registered in worldwide, that can call "https://login.microsoftonline.com" will generally not be able to authenticate to the other endpoints like "https://login.chinacloudapi.cn".

As a client application, you must make sure to request a token using all the correct parameters for the environment you are looking to authenticate to. If you want to get a token to the AAD Graph API in China, so that you may access directory information for a tenant based in the China Cloud AAD environment, you must ensure that:
You use the correct login endpoint (https://login.chinacloudapi.net)
You use the correct resource identifier for that environment (https://graph.chinacloudapi.cn/)
You use the correct client id, which is registered for that environment
You use the correct reply url, and other configurations registered for that environment

alivedevil commented:

Thanks for your response. The overall (login) process is clear; I'm unsure about the actual registration of a public client app.
With my current globally registered app (in App manifest "signInAudience": "AzureADandPersonalMicrosoftAccount") it's impossible to get a China-login token.
So I'd need to register this public client in Azure AD China, but there is no way of specifying in the app registration that I want to register that app in Azure China in Azure Portal. Each app I'm registering on this tenant in Azure will always get global login endpoints.

NandeeshSwami-8857 answered:

Please add the appropriate redirect URI for your Azure deployment.
https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app#add-a-redirect-uri

A valid entry for the response URI should be one of:

https://login.microsoftonline.us/common/oauth2/nativeclient (Microsoft Cloud for US Government)
https://login.microsoftonline.de/common/oauth2/nativeclient (Microsoft Cloud Germany)
https://login.chinacloudapi.cn/common/oauth2/nativeclient (Azure and Office 365 operated by 21Vianet in China)

For a single-tenant application, it may be necessary to use your specific tenant id instead of "common":

https://login.microsoftonline.us/example.onmicrosoft.us/oauth2/nativeclient (Microsoft Cloud for US Government)
https://login.microsoftonline.de/example.onmicrosoft.de/oauth2/nativeclient (Microsoft Cloud Germany)
https://login.chinacloudapi.cn/example.onmicrosoft.cn/oauth2/nativeclient (Azure and Office 365 operated by 21Vianet in China)


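As an added example (not code from the thread, from Microsoft, or from any MSAL library), the Python below puts the two answers above together: it builds the authorization-code-with-PKCE request a public client sends to a given national cloud, and before doing so checks for the exact mismatch the thread is about, a redirect URI or scope that belongs to one cloud's Azure AD instance being sent to another cloud's login endpoint. Login hosts are the ones listed in the redirect-URI answer (the China login host is login.chinacloudapi.cn, as in that list and in the first paragraph of the copied Stack Overflow text); the Microsoft Graph hosts for China (microsoftgraph.chinacloudapi.cn) and US Government (graph.microsoft.us) come from Microsoft's national-cloud documentation. The client id is a placeholder: as both answers say, it has to be an app registration that exists in the 21Vianet directory, since a client id from the worldwide instance is unknown there. Microsoft Cloud Germany (login.microsoftonline.de) is left out because that cloud was retired in 2021.

```python
"""Build a national-cloud-correct OAuth 2.0 authorization-code + PKCE request for a
public client, refusing redirect URIs / scopes that belong to a different cloud.
Added example for this thread; hosts from the thread and Microsoft's national-cloud docs."""
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse

# One entry per Azure AD instance. Each is a separate directory, so a client id is
# only meaningful in the cloud where the app was registered; it is passed per call.
CLOUDS = {
    "global": {"login": "login.microsoftonline.com", "graph": "graph.microsoft.com"},
    "china":  {"login": "login.chinacloudapi.cn",    "graph": "microsoftgraph.chinacloudapi.cn"},
    "usgov":  {"login": "login.microsoftonline.us",  "graph": "graph.microsoft.us"},
}
# A redirect URI on any login host is the ".../oauth2/nativeclient" pattern from the
# thread; it must be the login host of the cloud the request is actually sent to.
LOGIN_HOSTS = {env["login"] for env in CLOUDS.values()}


def pkce_pair():
    """RFC 7636 code_verifier and S256 code_challenge (public clients have no secret)."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def verify_pkce(verifier, challenge):
    """What the token endpoint does with code_verifier: re-hash and compare."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode() == challenge


def consistency_problems(cloud, redirect_uri, scopes):
    """Return a list of reasons this request mixes clouds; empty means consistent."""
    env = CLOUDS[cloud]
    problems = []
    host = urlparse(redirect_uri).hostname or ""
    if host in LOGIN_HOSTS and host != env["login"]:
        problems.append(f"redirect URI host {host} belongs to another cloud, expected {env['login']}")
    for scope in scopes:
        # v2.0 resource scopes are "https://<graph host>/<permission>"; bare OIDC scopes
        # such as openid / offline_access carry no host and are cloud-neutral.
        if scope.startswith("https://") and urlparse(scope).hostname != env["graph"]:
            problems.append(f"scope {scope} is not a {cloud} Graph resource ({env['graph']})")
    return problems


def authorize_url(cloud, client_id, tenant, redirect_uri, scopes, state, code_challenge):
    """Authorization request against the chosen cloud's v2.0 authorize endpoint."""
    problems = consistency_problems(cloud, redirect_uri, scopes)
    if problems:
        raise ValueError("; ".join(problems))
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"https://{CLOUDS[cloud]['login']}/{tenant}/oauth2/v2.0/authorize?" + urlencode(params)


def token_request(cloud, client_id, tenant, redirect_uri, code, code_verifier):
    """(url, form body) for redeeming the code at the same cloud's token endpoint."""
    url = f"https://{CLOUDS[cloud]['login']}/{tenant}/oauth2/v2.0/token"
    body = {
        "client_id": client_id,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,   # must equal the one used in the authorize request
        "code_verifier": code_verifier,  # proves possession instead of a client_secret
    }
    return url, body


if __name__ == "__main__":
    verifier, challenge = pkce_pair()
    china_redirect = "https://login.chinacloudapi.cn/common/oauth2/nativeclient"
    china_scopes = ["https://microsoftgraph.chinacloudapi.cn/User.Read", "openid"]
    # Placeholder client id: it must come from a registration in the 21Vianet directory.
    print(authorize_url("china", "<client-id-registered-in-21Vianet-tenant>", "common",
                        china_redirect, china_scopes, secrets.token_urlsafe(16), challenge))
    # The thread's failure case: a worldwide registration's settings sent to the China cloud.
    print(consistency_problems("china", "https://login.microsoftonline.com/common/oauth2/nativeclient",
                               ["https://graph.microsoft.com/User.Read"]))
```

The check only catches configuration copied from the wrong cloud; it cannot make a worldwide client id work against login.chinacloudapi.cn, because that directory has never heard of it. Registering the app a second time in the 21Vianet tenant, and using that client id with these endpoints, is the path the linked documentation describes.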