Azure Government AAD Authority Endpoint Update
We are continuing our efforts to provide a differentiated US Government platform and have updated our Identity architecture to bring additional capabilities inside the Azure Government infrastructure boundary. Part of this, as shared in our Azure Government endpoint mappings, is changing the Azure Active Directory (AAD) Authority for Azure Government from https://login-us.microsoftonline.com to https://login.microsoftonline.us. Many may have noticed this change when accessing https://portal.azure.us, https://account.windowsazure.us, or through a variety of cloud services already updated to leverage the new authority. We also communicated this change to customers using federated Identity to ensure their ADFS/IdP configurations were updated to trust this new authority.
Now, to complete the move to this new authority, we need all customers to update any applications using an AAD authority other than login.microsoftonline.us. This includes:
What kind of applications?
This could be any of the following:
- A Web Application hosted in Azure PaaS.
- An application hosted in Azure IaaS enabled for AAD authentication.
- An application hosted on-premises enabled for AAD authentication.
- Any quick-start code samples you have deployed for testing.
What do I need to update?
You need to update the AAD authority endpoint from any of the ones listed above to login.microsoftonline.us. See an example on how to integrate AAD authentication into a Web App on Azure Government; which is an OpenID Connect sample using C# on the .NET platform. For additional languages and platforms you can review our Azure Active Directory Code Samples to match what you have deployed and to find out where to update the authority endpoint.
Especially important: In addition to updating the AAD authority in code, you also need to update references to Azure Active Directory Authentication Libraries (ADAL). The versioning of ADAL varies by client/server. Also, the package manager (NuGet, npm, etc.) for the development platform also varies. We recommend updating to the latest version for your platform available at Azure Active Directory Authentication Libraries.
Note: This only applies to applications that leverage Azure Government as the identity source. If you’re running an application in Azure Government but are using Azure Public identities to sign in with…this does not apply.
What about administrative tools?
The following administrative tools should be upgraded to the most recent version to ensure they’re using the new authority: