Use MSAL in a national cloud environment
National clouds, also known as Sovereign clouds, are physically isolated instances of Azure. These regions of Azure help make sure that data residency, sovereignty, and compliance requirements are honored within geographical boundaries.
In addition to the Microsoft worldwide cloud, the Microsoft Authentication Library (MSAL) enables application developers in national clouds to acquire tokens in order to authenticate and call secured web APIs. These web APIs can be Microsoft Graph or other Microsoft APIs.
Including the global Azure cloud, Azure Active Directory (Azure AD) is deployed in the following national clouds:
- Azure Government
- Azure China 21Vianet
- Azure Germany (Closing on October 29, 2021)
This guide demonstrates how to sign in to work and school accounts, get an access token, and call the Microsoft Graph API in the Azure Government cloud environment.
Azure Germany (Microsoft Cloud Deutschland)
Azure Germany (Microsoft Cloud Deutschland) will be closed on October 29, 2021. Services and applications you choose not to migrate to a region in global Azure before that date will become inaccessible.
If you haven't migrated your application from Azure Germany, follow Azure Active Directory information for the migration from Azure Germany to get started.
Before you start, make sure that you meet these prerequisites.
Choose the appropriate identities
Azure Government applications can use Azure AD Government identities and Azure AD Public identities to authenticate users. Because you can use any of these identities, decide which authority endpoint you should choose for your scenario:
- Azure AD Public: Commonly used if your organization already has an Azure AD Public tenant to support Microsoft 365 (Public or GCC) or another application.
- Azure AD Government: Commonly used if your organization already has an Azure AD Government tenant to support Office 365 (GCC High or DoD) or is creating a new tenant in Azure AD Government.
After you decide, a special consideration is where you perform your app registration. If you choose Azure AD Public identities for your Azure Government application, you must register the application in your Azure AD Public tenant.
Get an Azure Government subscription
To get an Azure Government subscription, see Managing and connecting to your subscription in Azure Government.
If you don't have an Azure Government subscription, create a free account before you begin.
For details about using a national cloud with a particular programming language, choose the tab matching your language:
You can use MSAL.NET to sign in users, acquire tokens, and call the Microsoft Graph API in national clouds.
The following tutorials demonstrate how to build a .NET Core 2.2 MVC Web app. The app uses OpenID Connect to sign in users with a work and school account in an organization that belongs to a national cloud.
- To sign in users and acquire tokens, follow this tutorial: Build an ASP.NET Core Web app signing-in users in sovereign clouds with the Microsoft identity platform.
- To call the Microsoft Graph API, follow this tutorial: Using the Microsoft identity platform to call the Microsoft Graph API from an ASP.NET Core 2.x web app, on behalf of a user signing-in using their work and school account in Microsoft National Cloud.
See National cloud authentication endpoints for a list of the Azure portal URLs and token endpoints for each cloud.
National cloud documentation: