
I'm trying to fetch an email list from a government tenant via the Graph API, and it worked fine until last week. I'm using the client credentials flow. Last week I started to get the following error when trying to authorize my app in government tenants:

oauthlib.oauth2.rfc6749.errors.InvalidClientIdError: (invalid_request) AADSTS900441: Requests to applications hosted in the public cloud are not supported for USGov tenants.

Is there a way to authorize application from public azure cloud to read data from government tenant?

EDIT: code example and debug logs

    import requests_oauthlib
    from oauthlib.oauth2 import BackendApplicationClient

    import config  # app settings: CLIENT_ID, CLIENT_SECRET, TOKEN_ENDPOINT, RESOURCE, API_VERSION

    # Client credentials flow: the app authenticates as itself, no user sign-in
    client = BackendApplicationClient(client_id=config.CLIENT_ID)
    MSGRAPH = requests_oauthlib.OAuth2Session(
        client=client
    )

    # Token request against the US Government login authority
    # (config.TOKEN_ENDPOINT is '/oauth2/v2.0/token', see the log below)
    token = MSGRAPH.fetch_token(
        'https://login.microsoftonline.us' + '/<tenant>' + config.TOKEN_ENDPOINT,
        client_id=config.CLIENT_ID,
        client_secret=config.CLIENT_SECRET,
        include_client_id=True,
        scope=['https://graph.microsoft.us/.default'])

    # Graph call using the token the session now holds
    endpoint = config.RESOURCE + config.API_VERSION + '/users'
    graphdata = MSGRAPH.get(endpoint).json()

Debug log of the failing token request:

    DEBUG:requests_oauthlib.oauth2_session:Requesting url https://login.microsoftonline.us/<tenant-id>/oauth2/v2.0/token using method POST.
    DEBUG:requests_oauthlib.oauth2_session:Supplying headers {u'Content-Type': u'application/x-www-form-urlencoded;charset=UTF-8', u'Accept': u'application/json'} and data {u'client_secret': u'...', u'grant_type': u'client_credentials', u'client_id': u'...', u'scope': u'https://graph.microsoft.us/.default'}
    DEBUG:requests_oauthlib.oauth2_session:Passing through key word arguments {'verify': True, 'json': None, 'proxies': None, 'timeout': None, 'auth': None}.
    DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): login.microsoftonline.us:443
    DEBUG:urllib3.connectionpool:https://login.microsoftonline.us:443 "POST /<tenant-id>/oauth2/v2.0/token HTTP/1.1" 400 522
    DEBUG:requests_oauthlib.oauth2_session:Prepared fetch token request body grant_type=client_credentials&client_id=...&client_secret=...&scope=https%3A%2F%2Fgraph.microsoft.us%2F.default
    DEBUG:requests_oauthlib.oauth2_session:Request to fetch token completed with status 400.

Basically I see this error when I'm trying to fetch the access token. Admin consent was already given to my application by the tenant admin. This code worked for Gov tenants for a month or so and suddenly stopped working.

Novarg
  • As a general statement, you can retrieve information in the gov tenant if you have the appropriate auth. But can you share the code you're currently using that is causing this error message? – Steve Michelotti Oct 07 '20 at 21:33
  • @SteveMichelotti yes, I was able to retrieve info for a month or so, but suddenly it stopped working a few days ago. Please check my post update with sample code and debug log. – Novarg Oct 08 '20 at 09:55

1 Answer


AAD started enforcing this about a month ago, GCC High/DoD tenants cannot use confidential apps published in commercial cloud. You need to publish your app from a GCC High/DoD tenant.

Nagdeep
  • What does 'confidential apps' mean here? Also, do you know whether it would be necessary to publish an app for each Gov tenant? To support multiple Gov customers, is it necessary to publish multiple apps, one for each tenant? – Nick Baker Dec 05 '20 at 09:25
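The question's client code and the answer's explanation both come down to two things an operator wants checked before the token request goes out and explained when it comes back with a 400: that the login authority and the Graph scope belong to the same cloud, and what an AADSTS900441 body actually means. The following is an added example written for this page; it is neither the asker's code nor anything from requests_oauthlib or Microsoft. The CLOUDS table is an assumption built from the two endpoint pairs that appear in the question (commercial and US Government), the hint text paraphrases the answer above, and SAMPLE_ERROR_BODY is a constructed error body shaped like the 400 in the question's log. It uses only the standard library so it runs without requests_oauthlib.

```python
import json
import re
import urllib.error
import urllib.parse
import urllib.request

# Login authority / Graph resource pairs per cloud. Assumption for this example:
# only the two pairs mentioned on the page are listed.
CLOUDS = {
    "commercial": ("https://login.microsoftonline.com", "https://graph.microsoft.com"),
    "usgov": ("https://login.microsoftonline.us", "https://graph.microsoft.us"),
}

# Operator-facing explanations for AADSTS codes seen on this page.
# The wording paraphrases the accepted answer; it is not Microsoft's text.
AADSTS_HINTS = {
    "AADSTS900441": (
        "The app registration lives in the commercial cloud but the token was "
        "requested from a US Government tenant. Register the app in a GCC High/DoD "
        "tenant and use that registration's client_id; the commercial one cannot be reused."
    ),
}


def build_token_request(cloud, tenant, client_id, client_secret):
    """Return (token_url, form) for a client-credentials request in `cloud`."""
    authority, graph = CLOUDS[cloud]
    token_url = f"{authority}/{tenant}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{graph}/.default",  # resource must match the authority's cloud
    }
    return token_url, form


def same_cloud(token_url, scope):
    """True when the login authority and the scope's resource belong to the same cloud."""
    auth_host = urllib.parse.urlparse(token_url).hostname or ""
    res_host = urllib.parse.urlparse(scope).hostname or ""
    for authority, graph in CLOUDS.values():
        if auth_host == urllib.parse.urlparse(authority).hostname:
            return res_host == urllib.parse.urlparse(graph).hostname
    return False  # unknown authority: refuse rather than guess


def classify_token_error(body):
    """Parse an AAD token-endpoint error body and attach an operator hint if one is known."""
    try:
        err = json.loads(body)
    except ValueError:
        return {"error": "unparseable", "code": None, "hint": None}
    desc = err.get("error_description", "")
    m = re.search(r"AADSTS\d+", desc)
    code = m.group(0) if m else None
    return {"error": err.get("error"), "code": code, "hint": AADSTS_HINTS.get(code)}


def fetch_token(cloud, tenant, client_id, client_secret):
    """POST the token request; on an HTTP error raise with the classified hint."""
    token_url, form = build_token_request(cloud, tenant, client_id, client_secret)
    if not same_cloud(token_url, form["scope"]):
        raise ValueError("authority and scope point at different clouds")
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(token_url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read())["access_token"]
    except urllib.error.HTTPError as e:
        info = classify_token_error(e.read().decode())
        raise RuntimeError(
            f"{info['error']} {info['code']}: {info['hint'] or 'see error_description'}"
        ) from e


# Constructed sample: the shape of the 400 body behind the log line
# "Request to fetch token completed with status 400." in the question.
SAMPLE_ERROR_BODY = json.dumps({
    "error": "invalid_request",
    "error_description": "AADSTS900441: Requests to applications hosted in the "
                         "public cloud are not supported for USGov tenants.",
})

if __name__ == "__main__":
    url, form = build_token_request("usgov", "<tenant-id>", "<client-id>", "<client-secret>")
    print(url, form["scope"], same_cloud(url, form["scope"]))
    print(classify_token_error(SAMPLE_ERROR_BODY))
```

`same_cloud` catches the silent misconfiguration of pairing a `.com` authority with a `.us` scope (or the reverse) before any secret leaves the box; `classify_token_error` turns the opaque AADSTS number into the answer's actionable statement, so the failure mode is visible in logs without pasting the full description.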