Problem:

This blog provides more information about the error "AADSTS900439 - USGClientNotSupportedOnPublicEndpoint". This error typically occurs when a user uses a public cloud endpoint to sign in to an application registered in the Azure Government sovereign cloud.

It is a known fact that the official Azure Active Directory (AAD) authority for Azure Government changed from `https://login-us.microsoftonline.com` to `https://login.microsoftonline.us`. This change also applies to Microsoft 365 GCC High and DoD, which Azure Government AAD also services.

Azure AD now enforces the correct sign-in endpoint. One can no longer sign in to an application registered in an Azure Government cloud using the public .com endpoint. The error is raised when this rule is violated.

Here is the documentation on Azure Government endpoint mappings, which shows the mapping between some Azure services and their Azure Government endpoints. A few examples:

| Name | Azure Gov Endpoint |
|---|---|
| Portal | https://portal.azure.us |
| Microsoft Graph API | https://graph.microsoft.us/ |
| Active Directory Endpoint and Authority | https://login.microsoftonline.us |

Each national cloud environment is unique and different from the Microsoft global environment. It is important to be aware of the key differences below when you develop applications for national cloud environments.

For example, registering applications (app registration endpoints), acquiring tokens (AAD authentication endpoints), and calling the Microsoft Graph API can all differ from the global cloud.
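The following is an added example, not code from this blog or from Microsoft: a small Python helper that picks the authority and Graph endpoint for a given cloud, and checks a configured authority against the tenant's cloud so the mismatch behind AADSTS900439 is caught before a token request is made. The `CLOUDS` registry, the `check_authority` and `aadsts_code` functions, and the sample error string are all assumptions constructed for this example; the `.us` hosts come from the table above, and the `.com` hosts are the well-known global-cloud equivalents. The authority string produced here is the value you would hand to an authentication library (for instance MSAL's `authority` parameter).

```python
"""Select Azure AD authority / Microsoft Graph endpoints per cloud and flag the
public-endpoint-against-Government-tenant mismatch that yields AADSTS900439.
Example code; the registry and function names are assumptions, not a Microsoft API."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse


@dataclass(frozen=True)
class CloudEndpoints:
    name: str
    authority_host: str  # Azure AD sign-in host (no scheme)
    graph_base: str      # Microsoft Graph base URL
    portal: str          # Azure portal URL


# Hypothetical registry. "public" is the global cloud; "usgov" is Azure Government
# (also serving Microsoft 365 GCC High and DoD).
CLOUDS: Dict[str, CloudEndpoints] = {
    "public": CloudEndpoints("Azure Public", "login.microsoftonline.com",
                             "https://graph.microsoft.com", "https://portal.azure.com"),
    "usgov": CloudEndpoints("Azure Government", "login.microsoftonline.us",
                            "https://graph.microsoft.us", "https://portal.azure.us"),
}

# The authority host that Azure Government retired.
RETIRED_USGOV_HOST = "login-us.microsoftonline.com"


def authority_url(cloud: str, tenant: str) -> str:
    """Build the AAD authority for a tenant in the given cloud."""
    return f"https://{CLOUDS[cloud].authority_host}/{tenant}"


def graph_scope(cloud: str) -> str:
    """Default Microsoft Graph scope for the given cloud."""
    return f"{CLOUDS[cloud].graph_base}/.default"


def check_authority(cloud: str, authority: str) -> List[str]:
    """Return findings for a configured authority; an empty list means it matches
    the tenant's cloud. Catches the .com-vs-.us mismatch ahead of a token request."""
    parsed = urlparse(authority)
    host = (parsed.hostname or "").lower()
    expected = CLOUDS[cloud].authority_host
    findings: List[str] = []
    if parsed.scheme != "https":
        findings.append("authority must use https")
    if host == RETIRED_USGOV_HOST:
        findings.append(f"{host} is the retired Azure Government authority; "
                        f"use {CLOUDS['usgov'].authority_host}")
    elif host != expected:
        findings.append(f"authority host {host!r} does not belong to {CLOUDS[cloud].name} "
                        f"(expected {expected}); a Government tenant signed in through a "
                        f"public endpoint fails with AADSTS900439")
    return findings


_AADSTS_RE = re.compile(r"AADSTS(\d+)")


def aadsts_code(error_description: str) -> Optional[str]:
    """Pull the AADSTS error code out of a token-endpoint error_description."""
    m = _AADSTS_RE.search(error_description)
    return f"AADSTS{m.group(1)}" if m else None


if __name__ == "__main__":
    tenant = "contoso.onmicrosoft.us"  # constructed sample tenant
    print("authority:", authority_url("usgov", tenant))
    print("scope:    ", graph_scope("usgov"))
    # Misconfigured: Government tenant, public authority.
    for f in check_authority("usgov", f"https://login.microsoftonline.com/{tenant}"):
        print("finding:  ", f)
    # Constructed sample of the error text as returned by the token endpoint.
    sample_error = "AADSTS900439: USGClientNotSupportedOnPublicEndpoint"
    print("code:     ", aadsts_code(sample_error))
```

Running the script prints the Government authority and scope, one finding for the `.com` authority, and the parsed error code. Wiring `check_authority` into application start-up (reading the authority from configuration) turns a run-time sign-in failure into a fail-fast configuration error.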

This article provides information about the different Microsoft Graph national cloud deployments and the capabilities that are available to developers within each.

Here is a sample implementation: https://blogs.aaddevsup.xyz/2020/06/configure-net-application-to-call-microsoft-graph-in-a-national-cloud-tenant/
