Azure Government AAD Authority Endpoint Update

Bernarldo Ellis

We are continuing our efforts to provide a differentiated US Government platform and have updated our Identity architecture to bring additional capabilities inside the Azure Government infrastructure boundary. Part of this, as shared in our Azure Government endpoint mappings, is changing the Azure Active Directory (AAD) Authority for Azure Government from https://login-us.microsoftonline.com to https://login.microsoftonline.us. Many may have noticed this change when accessing https://portal.azure.us, https://account.windowsazure.us, or through a variety of cloud services already updated to leverage the new authority. We also communicated this change to customers using federated Identity to ensure their ADFS/IdP configurations were updated to trust this new authority.

Now, to complete the move to this new authority, we need all customers to update any applications using an AAD authority other than login.microsoftonline.us. This includes:

• login.windows.net
• login.microsoftonline.com
• login-us.microsoftonline.com
• accounts.accesscontrol.windows.net

What kind of applications?

This could be any of the following:

• A Web Application hosted in Azure PaaS.
• An application hosted in Azure IaaS enabled for AAD authentication.
• An application hosted on-premises enabled for AAD authentication.
• Any quick-start code samples you have deployed for testing.

What do I need to update?

1. If you are hosting an application in Azure Government, that is used to authenticate Azure Government, M365 GCC High, or M365 DoD users, please ensure that only https://login.microsoftonline.us is used as the authority in the authentication context.
   1. See Azure AD authentication contexts.
   2. This applies both to authentication to your application as well as authentication to any APIs your application may be calling (i.e. Microsoft Graph, Azure AD Graph, Azure Resource Manager).
      1. See Microsoft Graph in Azure Government
2. If you’re hosting an application in Azure Government that is designed to authenticate users from Public Azure Active Directory, consider the following:
   1. 1. 1. API permission access for objects that belong to Azure Government tenants, such as retrieving user/group details from Microsoft Graph, can only be granted to applications in Azure Government.
         2. If API permission access is required, the application must be hosted in Azure Government.
3. Update to the latest Azure Active Directory Authentication Libraries (ADAL). The versioning of ADAL varies by client/server. The package manager (NuGet, npm, etc.) for the development platform can also vary. We recommend updating to the latest version for your platform available at Azure Active Directory Authentication Libraries
   1. Preferred: Update to MSAL.NET
      1. MSAL.NET is the new authentication library to be used with the Microsoft identity platform.
      2. If you’re not able to go to MSAL.NET currently, this does not require you to update the major release of the SDK. For example, if you’re using ADAL for .NET 3.X, you do not need to update to 5.X.
         1. Note: ADAL .NET 2.X is no longer supported

What about administrative tools?

The following administrative tools should be upgraded to the most recent version to ensure they’re using the new authority:

• Azure PowerShell
• AAD PowerShell (MSOnline)
• AAD PowerShell (AzureAD)
• Azure CLI
• Azure AD Connect
• Azure Storage Explorer
• SQL Server Management Studio (Version 17.8 at minimum)
• Visual Studio (Visual Studio 2017 15.3 at minimum)
• Azure DevOps Server (formerly Team Foundation Server)
  • If still using Team Foundation Server, see Deployment from Team Foundation Server to Azure US Government Cloud fails and you cannot update a resource
• Skype for Business Online PowerShell
• Exchange Online PowerShell
• SharePoint Online PowerShell

Bernarldo Ellis

Follow