National clouds, also known as Sovereign clouds, are physically isolated instances of Azure. These regions of Azure help make sure that data residency, sovereignty, and compliance requirements are honored within geographical boundaries.
In addition to the Microsoft worldwide cloud, the Microsoft Authentication Library (MSAL) enables application developers in national clouds to acquire tokens in order to authenticate and call secured web APIs. These web APIs can be Microsoft Graph or other Microsoft APIs.
Including the global cloud, Azure Active Directory (Azure AD) is deployed in the following national clouds:
Azure Government
Azure China 21Vianet
Azure Germany
This guide demonstrates how to sign in to work and school accounts, get an access token, and call the Microsoft Graph API in the Azure Government cloud environment.
Prerequisites
Before you start, make sure that you meet these prerequisites.
Choose the appropriate identities
Azure Government applications can use Azure AD Government identities and Azure AD Public identities to authenticate users. Because you can use any of these identities, you need to decide which authority endpoint you should choose for your scenario:
Azure AD Public: Commonly used if your organization already has an Azure AD Public tenant to support Microsoft 365 (Public or GCC) or another application.
Azure AD Government: Commonly used if your organization already has an Azure AD Government tenant to support Office 365 (GCC High or DoD) or is creating a new tenant in Azure AD Government.
After you decide, a special consideration is where you perform your app registration. If you choose Azure AD Public identities for your Azure Government application, you must register the application in your Azure AD Public tenant.
You can use MSAL.NET to sign in users, acquire tokens, and call the Microsoft Graph API in national clouds.
The following tutorials demonstrate how to build a .NET Core 2.2 MVC Web app. The app uses OpenID Connect to sign in users with a work and school account in an organization that belongs to a national cloud.
If you have access to multiple tenants, use the Directory + subscription filter
in the top menu to select the tenant in which you want to register an application.
Search for and select Azure Active Directory.
Under Manage, select App registrations > New registration.
Enter a Name for your application. Users of your app might see this name, and you can change it later.
Under Supported account types, select Accounts in any organizational directory.
In the Redirect URI section, select the Web platform and set the value to the application's URL based on your web server. See the next sections for instructions on how to set and obtain the redirect URL in Visual Studio and Node.
Select Register.
On the Overview page, note down the Application (client) ID value for later use.
This tutorial requires you to enable the implicit grant flow.
Under Manage, select Authentication.
Under Implicit grant, select ID tokens and Access tokens. ID tokens and access tokens are required because this app needs to sign in users and call an API.
Step 3: Use the Microsoft Authentication Library to sign in the user
Follow steps in the JavaScript tutorial to create your project and integrate with MSAL to sign in the user.
Step 4: Configure your JavaScript SPA
In the index.html file created during project setup, add the application registration information. Add the following code at the top within the <script></script> tags in the body of your index.html file:
Enter_the_Application_Id_here is the Application (client) ID value for the application that you registered.
Enter_the_Tenant_Info_Here is set to one of the following options:
If your application supports Accounts in this organizational directory, replace this value with the tenant ID or tenant name (for example, contoso.microsoft.com).
If your application supports Accounts in any organizational directory, replace this value with organizations.
To enable your MSAL Python application for sovereign clouds:
Register your application in a specific portal, depending on the cloud. For more information on how to choose the portal refer App registration endpoints
Use any of the samples from the repo with a few changes to the configuration, depending on the cloud, which is mentioned next.
Use a specific authority, depending on the cloud you registered the application in. For more information on authorities for different clouds, refer Azure AD Authentication endpoints.
To enable your MSAL for Java application for sovereign clouds:
Register your application in a specific portal, depending on the cloud. For more information on how to choose the portal refer App registration endpoints
Use any of the samples from the repo with a few changes to the configuration, depending on the cloud, which are mentioned next.
Use a specific authority, depending on the cloud you registered the application in. For more information on authorities for different clouds, refer Azure AD Authentication endpoints.
MSAL for iOS and macOS can be used to acquire tokens in national clouds, but it requires additional configuration when creating MSALPublicClientApplication.
For instance, if you want your application to be a multi-tenant application in a national cloud (here US Government), you could write:
MSAL for iOS and macOS can be used to acquire tokens in national clouds, but it requires additional configuration when creating MSALPublicClientApplication.
For instance, if you want your application to be a multi-tenant application in a national cloud (here US Government), you could write:
let authority = try? MSALAADAuthority(cloudInstance: .usGovernmentCloudInstance, audienceType: .azureADMultipleOrgsAudience, rawTenant: nil)
let config = MSALPublicClientApplicationConfig(clientId: "<your-client-id-here>", redirectUri: "<your-redirect-uri-here>", authority: authority)
if let application = try? MSALPublicClientApplication(configuration: config) { /* Use application */}
in the top menu to select the tenant in which you want to register an application.