Replace CloudEnvironment with MSAL-aligned Instance property for sovereign cloud support#357
- Add Startup section to CLAUDE.md with knowledge file loading, session context, private notes support, and quick-start commands
- Add Lessons Learned section to CLAUDE.md for persistent knowledge
- Create Claude-KB.md for cross-session learning
- Add session-context.md and *-private.md to .gitignore

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Introduce CloudEnvironment class that bundles all cloud-specific service endpoints, with predefined instances for Public, USGov (GCCH), USGovDoD, and China (21Vianet). Thread the cloud environment through ClientCredentials, token clients, validation settings, and DI host builders so that all previously hardcoded endpoints are now configurable per cloud. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Allow users to override specific CloudEnvironment endpoints (e.g. LoginEndpoint, LoginTenant) via appsettings.json, enabling scenarios like China single-tenant bots that require a tenant-specific login URL.

- Add CloudEnvironment.WithOverrides() for layering nullable overrides
- Add 8 endpoint override properties + ResolveCloud() helper to TeamsSettings
- Unify cloud resolution across Apply(), AddTeamsCore(), and AddTeamsTokenAuthentication()
- Add WithOverrides unit tests

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…oach Remove static preset instances (USGov, USGovDoD, China, Public) and FromName() from CloudEnvironment. Make constructor use default parameter values matching existing public cloud defaults. Remove Cloud string property from TeamsSettings. All sovereign cloud configuration now comes from appsettings.json endpoint properties or programmatic CloudEnvironment construction. Addresses review feedback from rido-min: don't hardcode Entra URLs we don't own in the codebase. Co-authored-by: rido-min <14916339+rido-min@users.noreply.github.com>
Remove the CloudEnvironment class and all its usages across the codebase. Revert ClientCredentials, App, AppOptions, TeamsSettings, TeamsValidationSettings, BotTokenClient, UserTokenClient, BotSignInClient, and both HostApplicationBuilder files to their original state with hardcoded public cloud defaults. The SDK should not duplicate the configuration schema offered by MSAL/Microsoft Identity Web. Cloud endpoint configuration should follow the AzureAd configuration pattern described in the Microsoft Identity Web wiki. Co-authored-by: rido-min <14916339+rido-min@users.noreply.github.com>
Follow the Microsoft Identity Web configuration schema by adding an Instance property to TeamsSettings and ClientCredentials. This allows overriding the Entra ID login endpoint for sovereign clouds (e.g., https://login.microsoftonline.us for US Gov) through appsettings.json:

    "Teams": {
      "Instance": "https://login.microsoftonline.us",
      "TenantId": "...",
      "ClientId": "...",
      "ClientSecret": "..."
    }

The Instance property flows through to:
- ClientCredentials.Resolve() for token acquisition
- TeamsValidationSettings for issuer and OpenID metadata URLs

Co-authored-by: rido-min <14916339+rido-min@users.noreply.github.com>
Co-authored-by: rido-min <14916339+rido-min@users.noreply.github.com>
Recommendation: Close in favor of #352

This PR replaces CloudEnvironment with a single Instance property, arguing that MSAL handles the rest. That premise is incorrect — MSAL only resolves the authority URL (login endpoint). The SDK also needs cloud-specific values for 5 other URL categories that MSAL does not manage:

Concrete example: Azure US Government uses

Additionally, PR #203 (which would bring MSAL to the Libraries layer) is not being merged since the next version ships from core/ (which already has Microsoft.Identity.Web). Without #203, there is no MSAL in the Libraries layer to delegate to. The CloudEnvironment approach in #352 is the correct pattern:

Recommendation: Close this PR and proceed with #352 + #413 (which extends #352 to next/core).
CloudEnvironment duplicated configuration already offered by MSAL. Replaced with an Instance property following the Microsoft Identity Web configuration schema.

Removed
- CloudEnvironment class and its tests
- Cloud property from AppOptions, ClientCredentials, TeamsSettings
- ResolveCloud() and per-endpoint override properties from TeamsSettings
- HostApplicationBuilder extensions

Added
- Instance property on TeamsSettings, ClientCredentials, and TeamsValidationSettings
  - https://login.microsoftonline.com (public cloud)
- ClientCredentials and TeamsValidationSettings Instance behavior

Usage

Override the Entra ID login endpoint for sovereign clouds via appsettings.json:

    {
      "Teams": {
        "Instance": "https://login.microsoftonline.us",
        "TenantId": "...",
        "ClientId": "...",
        "ClientSecret": "..."
      }
    }

Or programmatically:
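An added illustration, not code from this PR or from the teams.net project, of how an Instance setting can be resolved into the authority, issuer and OpenID metadata URLs that the commit message says token acquisition and validation derive from it; the class names TeamsSettingsExample and EntraEndpoints and the v2.0 issuer pattern are assumptions. Because Instance comes from configuration and decides where signing keys are fetched from, the example validates it before use:

```csharp
using System;

// Hypothetical settings class mirroring the Microsoft Identity Web "Instance"
// convention; the PR's real TeamsSettings is not reproduced here.
public sealed class TeamsSettingsExample
{
    public string Instance { get; set; } = "https://login.microsoftonline.com"; // public cloud default
    public string TenantId { get; set; } = "common";
}

public static class EntraEndpoints
{
    // Instance is configuration input that decides where signing keys are fetched
    // from, so reject anything that is not an absolute https URL and normalize
    // the trailing slash before appending the tenant segment.
    public static Uri Authority(TeamsSettingsExample s)
    {
        if (!Uri.TryCreate(s.Instance, UriKind.Absolute, out var instance)
            || instance.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException($"Instance must be an absolute https URL, got '{s.Instance}'");
        var builder = new UriBuilder(instance) { Path = "/" + s.TenantId.Trim('/') + "/", Query = "", Fragment = "" };
        return builder.Uri;
    }

    // Expected issuer of v2.0 tokens for this instance and tenant (assumed pattern).
    public static string Issuer(TeamsSettingsExample s) => new Uri(Authority(s), "v2.0").ToString();

    // Discovery document whose jwks_uri supplies the token signing keys.
    public static Uri OpenIdMetadata(TeamsSettingsExample s) =>
        new Uri(Authority(s), "v2.0/.well-known/openid-configuration");
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample: the US Government instance from the PR's appsettings.json.
        var usGov = new TeamsSettingsExample { Instance = "https://login.microsoftonline.us/", TenantId = "contoso.onmicrosoft.com" };
        Console.WriteLine(EntraEndpoints.Issuer(usGov));
        Console.WriteLine(EntraEndpoints.OpenIdMetadata(usGov));
        // Constructed invalid value: plain http is rejected before any network call.
        try { EntraEndpoints.Authority(new TeamsSettingsExample { Instance = "http://login.example.test" }); }
        catch (ArgumentException ex) { Console.WriteLine(ex.Message); }
    }
}
```

This covers only the URLs derived from the login endpoint; as the review comment above notes, other cloud-specific endpoints the SDK uses are not derived from Instance.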