Gerenios / AADInternals

AADInternals PowerShell module for administering Azure AD and Office 365
http://aadinternals.com/aadinternals
MIT License

Azure Government / national cloud support #59

Closed milesgratz closed 2 months ago

milesgratz commented 1 year ago

Would it be possible for the access token / bulk enrollment token functionality to not be hardcoded to the commercial tenants?

Current behavior will result in an error related to cross-cloud functionality: ConvertFrom-Json : Invalid JSON primitive: AADSTS90038.

Hardcoded endpoint                                   Azure Government (GCCH) endpoint
graph.microsoft.net                                  graph.microsoft.us
urn:ms-drs:enterpriseregistration.windows.net        urn:ms-drs:enterpriseregistration.microsoftonline.us

It does not appear possible to specify manually the right endpoints:

VERBOSE: ACCESS TOKEN HAS WRONG AUDIENCE: . Exptected: urn:ms-drs:enterpriseregistration.windows.net.
The audience of the access token () is wrong. Should be urn:ms-drs:enterpriseregistration.windows.net!

Reference:

NestoriSyynimaa commented 1 year ago

Let me see how I could implement this. Would you be interested to test this (I don't have access to government endpoints)?

yaurora commented 1 year ago

Would be nice also to support China cloud:

Azure China endpoints:
microsoftgraph.chinacloudapi.cn
urn:ms-drs:enterpriseregistration.partner.microsoftonline.cn
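The following is an added example, not AADInternals code and not from any commenter: it shows how the endpoint table from the first comment and the China endpoints above can be keyed by cloud instead of hardcoded, and how a token's aud claim is then checked against the DRS audience of the selected cloud, which is the check behind the "WRONG AUDIENCE" message in the report. The endpoint values are the ones listed in this thread; the function and parameter names and the demo token are assumptions.

```powershell
# Added example (not the module's own code). Endpoint values come from this thread.
$CloudEndpoints = @{
    'Commercial' = @{ Graph = 'graph.microsoft.net';             DrsAudience = 'urn:ms-drs:enterpriseregistration.windows.net' }
    'USGov'      = @{ Graph = 'graph.microsoft.us';              DrsAudience = 'urn:ms-drs:enterpriseregistration.microsoftonline.us' }
    'China'      = @{ Graph = 'microsoftgraph.chinacloudapi.cn'; DrsAudience = 'urn:ms-drs:enterpriseregistration.partner.microsoftonline.cn' }
}

# JWT segments are base64url without padding; restore padding before decoding.
function ConvertFrom-Base64Url([string]$Text) {
    $b64 = $Text.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

# Decode only the payload (claims); this does not verify the signature.
function Get-JwtPayload([string]$Token) {
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT: expected header.payload.signature' }
    ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
}

# Compare the token's aud claim with the DRS audience of the chosen cloud
# instead of a hardcoded commercial value (hypothetical function name).
function Test-DrsTokenAudience {
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [ValidateSet('Commercial', 'USGov', 'China')][string]$Cloud = 'Commercial'
    )
    $expected = $CloudEndpoints[$Cloud].DrsAudience
    $aud = (Get-JwtPayload $AccessToken).aud
    if ($aud -ne $expected) {
        Write-Verbose "ACCESS TOKEN HAS WRONG AUDIENCE: $aud. Expected: $expected."
        return $false
    }
    return $true
}

# Constructed, unsigned demo token (alg none, no real credential) for offline testing.
function New-DemoToken([string]$Audience) {
    $enc = { param($s) [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($s)).TrimEnd('=').Replace('+', '-').Replace('/', '_') }
    $header  = & $enc '{"alg":"none","typ":"JWT"}'
    $payload = & $enc (@{ aud = $Audience; iss = 'https://sts.example.invalid/' } | ConvertTo-Json -Compress)
    "$header.$payload."
}

$govToken = New-DemoToken $CloudEndpoints['USGov'].DrsAudience
# The cross-cloud mismatch from the report: a GCCH token checked against the commercial audience.
Test-DrsTokenAudience -AccessToken $govToken -Cloud 'Commercial' -Verbose
# The same token checked against the cloud it was issued for.
Test-DrsTokenAudience -AccessToken $govToken -Cloud 'USGov'
```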

wbrown0389 commented 7 months ago

Let me see how I could implement this. Would you be interested to test this (I don't have access to government endpoints)?

If you can spare some cycles on this, we would be happy to test. We are actively working on this for a GCCH customer.

benatsb commented 4 months ago

@NestoriSyynimaa , I can assist with testing in the GCCHigh/Azure Gov if you'd like.

jelliott7 commented 3 months ago

Going to do a PR soon that should partially address this issue.