National clouds are physically isolated instances of Azure. These regions of Azure are designed to make sure that data residency, sovereignty, and compliance requirements are honored within geographical boundaries.
Including the global Azure cloud, Microsoft Entra ID is deployed in the following national clouds:
The individual national clouds and the global Azure cloud are cloud instances. Each cloud instance is separate from the others and has its own environment and endpoints. Cloud-specific endpoints include OAuth 2.0 access token and OpenID Connect ID token request endpoints, and URLs for app management and deployment.
As you develop your apps, use the endpoints for the cloud instance where you'll deploy the application.
App registration endpoints
There's a separate Azure portal for each one of the national clouds. To integrate applications with the Microsoft identity platform in a national cloud, you're required to register your application separately in each Azure portal that's specific to the environment.
Note
Users with a Microsoft Entra guest account from another national cloud can’t access Cost management + Billing features to manage EA enrollments.
The following table lists the base URLs for the Microsoft Entra endpoints used to register an application for each national cloud.
National cloud
Azure portal endpoint
Azure portal for US Government
https://portal.azure.us
Azure portal China operated by 21Vianet
https://portal.azure.cn
Azure portal (global service)
https://portal.azure.com
Application endpoints
You can find the authentication endpoints for your application.
Browse to Identity > Applications > App registrations.
Select Endpoints in the top menu.
The Endpoints page is displayed showing the authentication endpoints for the application.
Use the endpoint that matches the authentication protocol you're using in conjunction with the Application (client) ID to craft the authentication request specific to your application.
Microsoft Entra authentication endpoints
All the national clouds authenticate users separately in each environment and have separate authentication endpoints.
The following table lists the base URLs for the Microsoft Entra endpoints used to acquire tokens for each national cloud.
National cloud
Microsoft Entra authentication endpoint
Microsoft Entra ID for US Government
https://login.microsoftonline.us
Microsoft Entra China operated by 21Vianet
https://login.partner.microsoftonline.cn
Microsoft Entra ID (global service)
https://login.microsoftonline.com
You can form requests to the Microsoft Entra authorization or token endpoints by using the appropriate region-specific base URL. For example, for global Azure:
Authorization common endpoint is https://login.microsoftonline.com/common/oauth2/v2.0/authorize.
Token common endpoint is https://login.microsoftonline.com/common/oauth2/v2.0/token.
For single-tenant applications, replace "common" in the previous URLs with your tenant ID or name. An example is https://login.microsoftonline.com/contoso.com.
Some services and features in the global Azure cloud might be unavailable in other cloud instances like the national clouds.
To find out which services and features are available in a given cloud instance, see Products available by region.
To learn how to build an application by using the Microsoft identity platform, follow the Single-page application (SPA) using auth code flow tutorial. Specifically, this app will sign in a user and get an access token to call the Microsoft Graph API.