
We have an app registered in public Azure portal (with client id & secret) which we have been using for a while. It's set up to use OAuth2 and is multi-tenant and has been successfully used by a number of commercial customers to retrieve Sharepoint data.

Can customers on US Gov tenants also use this app or will we need to set up a new one? I came across a post that suggested this used to work but has been recently tightened up. Perhaps we need to set up a new app for each US Gov tenant / customer? I have not found much about this in the documentation so far, so any links appreciated!

So far we have two US Gov customers who have attempted to complete the OAuth2 flow but each gets a different error:

  1. AADSTS900441 'Requests to applications hosted in the public cloud are not supported for US Gov tenants'
  2. AADSTS7000215 'Invalid client secret is provided'

The only thing we have changed so far to support these customers is the auth endpoint (https://login.microsoftonline.com -> https://login.microsoftonline.us). Perhaps there is something else we need to update?

Joy Wang
Nick Baker
    Are you asking if a web app hosted in Azure Gov can use an App Registration from Azure public? If so, look at [this](https://www.youtube.com/watch?v=P3-z9b1Pjrw&t=22m3s). But if you're talking about calling APIs between the 2 clouds, then yes, that has been more locked down recently. – Steve Michelotti Dec 05 '20 at 21:52
  • Thanks Steve, yes - calling (OAuth) APIs between the two clouds. Sounds like we might need to create a new app (registration) for each US Gov tenant. Which actually means we will have to ask each customer to do this as we won't have access to do it for them, and additionally they would need a way to configure our product to refer to their newly created app / client id & secret etc? – Nick Baker Dec 07 '20 at 08:15
  • 1
    @SteveMichelotti it would be great if we could get additional clarification. Requiring every customer of ours to create a separate app seems to be a very high burden. Is it viable for us to create one Gov Cloud Azure account app that we own and use this app to access our customers' Gov Cloud data through Graph API? – jet Dec 12 '20 at 01:02

2 Answers


As mentioned by @Steve Michelotti (who works at Microsoft on Azure Government), this has been more locked down recently. If your customers need to use the OAuth2 flow to log in to your app, you need to create a new app for each US Gov tenant.

Joy Wang
  • Thanks - not sure I fully understand this - seems like a lot of overhead i.e. creating new app registrations per Gov tenant. Perhaps it's not a common use case... – Nick Baker Dec 07 '20 at 08:17
  • @NickBaker Yes, but looks there is no other way in your scenario. – Joy Wang Dec 07 '20 at 08:27
  • thanks I've marked as accepted answer. It would be great if you could add a link to an 'official' source about it being locked down recently if possible... – Nick Baker Dec 10 '20 at 19:27
  • @NickBaker I have not found a link, but I think the comment from the Azure Gov team is enough to be the official basis. – Joy Wang Dec 11 '20 at 01:11
  • Just to 'get closure' on this: this is what we had to do (1) get customer to create their own app registration (2) get customer to configure (an updated) version of our product to use their 'custom' app registration details. We have one customer successfully using this now (and hopefully it will be a pretty rare case for us). – Nick Baker Feb 08 '21 at 20:58

To share our experience with this: with the help of our customer as our "sponsor", we were able to get approval for a US Gov Azure instance from Microsoft. Using our own US Gov Azure instance, we registered a new application, and this application is able to run successfully with the same existing code. The only differences are the CLIENT_ID and CLIENT_SECRET being swapped out. This new US Gov application can handle registrations from anyone who is on the Gov Cloud and is not limited to just one customer.

jet
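As an added example (not code from the question or from either answer): a small Python configuration layer that keeps one app registration per cloud, as the accepted answer and jet's answer describe, and derives the login endpoint, the Graph root and the permission scope URI from the same cloud selection, so a US Gov customer never gets the public-cloud client id sent to the `.us` endpoint. The two login endpoints are the ones named in the question; the Graph root for US Gov, the environment-variable names, the helper names and the sample credentials are assumptions made for illustration.

```python
"""One app registration per Azure cloud, selected by a single 'cloud' key.

Constructed example. Login endpoints are the two from the question; the Graph
roots, variable names and sample credentials are assumptions for illustration.
"""
import os
from dataclasses import dataclass
from urllib.parse import urlencode


@dataclass(frozen=True)
class CloudConfig:
    name: str           # "public" or "usgov"
    authority: str      # Azure AD login endpoint for this cloud
    graph: str          # Microsoft Graph root for this cloud
    client_id: str      # registration that lives in this cloud
    client_secret: str


# Login endpoints are from the question. The Graph roots are assumed here;
# confirm the correct root for the customer's specific government cloud.
CLOUD_ENDPOINTS = {
    "public": ("https://login.microsoftonline.com", "https://graph.microsoft.com"),
    "usgov":  ("https://login.microsoftonline.us",  "https://graph.microsoft.us"),
}


def load_cloud(cloud: str, env=None) -> CloudConfig:
    """Build the config for one cloud from cloud-prefixed variables
    (PUBLIC_CLIENT_ID, USGOV_CLIENT_ID, ...; names assumed for this example)."""
    env = os.environ if env is None else env
    if cloud not in CLOUD_ENDPOINTS:
        raise ValueError(f"unknown cloud {cloud!r}")
    authority, graph = CLOUD_ENDPOINTS[cloud]
    prefix = cloud.upper()
    client_id = env[f"{prefix}_CLIENT_ID"]
    client_secret = env[f"{prefix}_CLIENT_SECRET"]
    # The configuration the thread reports as failing: the public-cloud
    # registration pointed at the US Gov endpoint. Refuse it at load time.
    if cloud != "public" and env.get("PUBLIC_CLIENT_ID") == client_id:
        raise ValueError(
            f"{cloud} config reuses the public-cloud client id; "
            "each cloud needs its own app registration")
    return CloudConfig(cloud, authority, graph, client_id, client_secret)


def default_scopes(cfg: CloudConfig) -> list[str]:
    """Scope URIs must name the Graph resource of the same cloud."""
    return [f"{cfg.graph}/Sites.Read.All", "offline_access"]


def authorize_url(cfg: CloudConfig, tenant: str, redirect_uri: str,
                  scopes: list[str], state: str) -> str:
    """Authorization-code request URL (v2.0 endpoint) for the customer's tenant."""
    params = {
        "client_id": cfg.client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,   # caller-generated, checked on the redirect back
    }
    return f"{cfg.authority}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def token_request(cfg: CloudConfig, tenant: str, code: str,
                  redirect_uri: str, scopes: list[str]) -> tuple[str, dict]:
    """Token endpoint URL and form body used to redeem the code (no network call)."""
    body = {
        "client_id": cfg.client_id,
        "client_secret": cfg.client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
    }
    return f"{cfg.authority}/{tenant}/oauth2/v2.0/token", body


def sites_url(cfg: CloudConfig) -> str:
    """SharePoint sites query, routed through the same cloud's Graph root."""
    return f"{cfg.graph}/v1.0/sites?search=*"


if __name__ == "__main__":
    # Constructed sample credentials; real ones come from each registration.
    demo_env = {
        "PUBLIC_CLIENT_ID": "11111111-1111-1111-1111-111111111111",
        "PUBLIC_CLIENT_SECRET": "public-secret-placeholder",
        "USGOV_CLIENT_ID": "22222222-2222-2222-2222-222222222222",
        "USGOV_CLIENT_SECRET": "usgov-secret-placeholder",
    }
    cfg = load_cloud("usgov", demo_env)
    print(authorize_url(cfg, "common", "https://app.example/callback",
                        default_scopes(cfg), "state-placeholder"))
    print(sites_url(cfg))
```

The design point is that `cloud` is the only switch: the endpoint, the Graph root, the scope URI and the credentials all come from it together, so the question's partial change (new endpoint, old client id and secret) cannot be expressed, and customers on the government cloud are served by the separate registration rather than by a per-request override.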