Correct entry Graph Endpoint Gov Cloud?

[dmd0822]

I am trying to run Terraform against Azure Gov Cloud using a service principal. I am getting the following error "Confidential Client is not supported in Cross Cloud request." It is trying to reach https://graph.windows.net/***/servicePrincipals?. When I have seen that Error before it usually means the URL is pointing to Commercial Cloud instead of Gov cloud.

Looking in https://github.com/Azure/go-autorest/blob/master/autorest/azure/environments.go I see the GraphEndpoint is set to "https://graph.windows.net/" I don't think that is the correct endpoint for the Graph API in the gov cloud.

[don4of4]

It appears the endpoint is incorrect: https://developer.microsoft.com/en-us/graph/blogs/new-microsoft-graph-endpoints-in-us-government-cloud/

It should be https://graph.microsoft.us

[jhendrixMSFT]

I can update this, can either of you clarify if this should be both GraphEndpoint and ResourceIdentifier.Graph? And for the latter, is it with or without a trailing '/'?

[dmd0822]

I am not sure what the ResourceIdentifier does, but "https://graph.windows.net/" will throw a cross-cloud exception.

[jhendrixMSFT]

The value in ResourceIdentifier is used during authentication when requesting a token. E.g. it would be the value you pass to auth.NewAuthorizerFromEnvironmentWithResource().

[kalafut]

Is there an update on this? We've had the same question from a Vault user who is seeing some issues.

[jhendrixMSFT]

So it appears that there are two graph endpoints for usgov now.

1. https://graph.microsoft.us
2. https://dod-graph.microsoft.us

Presumably GraphEndpoint should be updated to use the first and a new entry be added for the second. Thoughts?

[jhendrixMSFT]

I just realized this is for Microsoft Graph. The current entries we have are for AAD Graph which is different. This will be addressed in #585.