This repository has been archived by the owner on Sep 22, 2023. It is now read-only.

Failure to obtain token with ConfidentialClient - Azure Government #48

miketheitguy opened this issue Jan 12, 2022 · 3 comments

@miketheitguy

Get-MsalToken -ClientId '' -TenantId '' -ClientSecret (read-host -AsSecureString) -AzureCloudInstance AzureUsGovernment

No matter the permutation here I seem to keep getting the following error:

Get-MsalToken :
 The application is configured for cloud login.microsoftonline.com and the request for a different cloud -
login.microsoftonline.us. This is not supported - the app and the request must target the same cloud.
See https://aka.ms/msal-net-authority-override for details
At line:1 char:1
+ Get-MsalToken -ClientId  -TenantI ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : AuthenticationError: (Microsoft.Ident...arameterBuilder:AcquireTokenForClientParameterBu
   ilder) [Write-Error], MsalClientException
    + FullyQualifiedErrorId : GetMsalTokenFailureAuthenticationError,Get-MsalToken
@SCOMnewbie

Hi,
I don't have a tenant in UsGov, but a dummy question: are you sure UsGov is using the default Graph API endpoint?
When I try to use the same flow as you (client_credential) but in China, I can fetch a token like this:

$clientId = "clientId"
$TenantId = "TenantId"
$secret = ConvertTo-SecureString -String "x~1YIryK....-lo_vsw651" -AsPlainText -Force
$scopes = "https://microsoftgraph.chinacloudapi.cn/.default" # <---- IMPORTANT

Get-MsalToken -ClientId $clientId -ClientSecret $secret -TenantId $TenantId -Scopes $scopes -AzureCloudInstance AzureChina

@benatsb

benatsb commented Apr 11, 2022

I'll just piggyback on this... I spent the last 90 minutes troubleshooting connecting to Azure Gov with the same error and I finally got it through. Similar, I think, to issue #45.

The "AzureCloudInstance" parameter appears to do nothing. I tried a ton of variations and always got an error, and in the end you don't need it.

On your Application Registration in Azure AD check a couple of things... There needs to be a redirect URI for https://login.microsoftonline.us/common/oauth2/nativeclient. As well, verify you're using the "Mobile and desktop applications" platform.

When performing the request, define the authority and the redirect URI, and you must specify the Azure Gov-related URI scopes. The scopes one almost got me. By default it does not provide the contextual Azure Government scopes even when the Cloud Instance parameter is set.

Example using the Graph API:

Define these:

-RedirectUri 'https://login.microsoftonline.us/common/oauth2/nativeclient'
-Authority 'https://login.microsoftonline.us/common'
-Scopes 'https://graph.microsoft.us/.default'

Example for Graph API with a custom App Registration. This forces interactive authentication and will prompt you to log in to the application.

$cloud = 'AzureUSGovernment' # You can remove the param below and it'll still work.
$AppRegistrationClientID ='xxxxx' # your own client id.

$msal= Get-MsalToken -ClientId $AppRegistrationClientID -AzureCloudInstance $cloud -Interactive -RedirectUri 'https://login.microsoftonline.us/common/oauth2/nativeclient' -Authority 'https://login.microsoftonline.us/common' -Scopes 'https://graph.microsoft.us/.default'

$msal

@jazuntee
Contributor

Yeah, it appears MSAL.NET added a requirement to define the AzureCloudInstance when creating the client app definition. MSAL.PS handles this automatically if you just call Get-MsalToken directly. I do not have the bandwidth to fix this right now, but you can work around it in a couple of different ways. @benatsb called out one way, which is to specify the Authority directly.
#48 (comment)

The other way is to manually create your client app definition first like below. It only works if you specify a tenantId as well for some reason.

$ClientApp = New-MsalClientApplication -ClientId a16fa73c-ee98-43ee-900c-ddfa5a687877 -AzureCloudInstance AzureUsGovernment -TenantId jasoth.onmicrosoft.us
$MsalToken = $ClientApp | Get-MsalToken -Scopes 'https://graph.microsoft.us/.default'
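An added example, not code from this thread or from MSAL.PS: a wrapper around the workaround above that picks the login host and Graph resource for the target cloud, rejects any scope that points at a different cloud before a request is sent (the mismatch behind the "must target the same cloud" error), and then builds the client app with New-MsalClientApplication and pipes it to Get-MsalToken. The US Gov and China Graph hosts and the login.microsoftonline.us host come from the thread; the public-cloud row and the login.chinacloudapi.cn host are assumed from Microsoft's published national-cloud endpoints, and the function name Get-GraphTokenForCloud is mine.

```powershell
# Added example (not part of the thread or of MSAL.PS). Assumes the MSAL.PS module is
# installed (Import-Module MSAL.PS) and the app registration lives in the chosen cloud.
# US Gov / China Graph hosts and login.microsoftonline.us are from the thread; the public
# row and login.chinacloudapi.cn are assumed from Microsoft's national-cloud endpoint list.
$CloudEndpoints = @{
    AzurePublic       = @{ Login = 'login.microsoftonline.com'; Graph = 'https://graph.microsoft.com' }
    AzureUsGovernment = @{ Login = 'login.microsoftonline.us';  Graph = 'https://graph.microsoft.us' }
    AzureChina        = @{ Login = 'login.chinacloudapi.cn';    Graph = 'https://microsoftgraph.chinacloudapi.cn' }
}

function Get-GraphTokenForCloud {
    param(
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [securestring] $ClientSecret,
        [Parameter(Mandatory)]
        [ValidateSet('AzurePublic', 'AzureUsGovernment', 'AzureChina')]
        [string] $Cloud,
        # Optional caller-supplied scopes; defaults to the cloud's own Graph /.default scope
        [string[]] $Scopes
    )
    $ep = $CloudEndpoints[$Cloud]
    if (-not $Scopes) { $Scopes = @("$($ep.Graph)/.default") }

    # Catch the cross-cloud mistake locally, with a readable message, instead of letting
    # MSAL fail with "the app and the request must target the same cloud".
    $expectedHost = ([uri]$ep.Graph).Host
    foreach ($s in $Scopes) {
        if ($s -match '^https://([^/]+)' -and $Matches[1] -ne $expectedHost) {
            throw "Scope '$s' targets $($Matches[1]) but cloud '$Cloud' expects $expectedHost (authority $($ep.Login))."
        }
    }

    # The thread's workaround: build the client app with the cloud instance AND tenant set,
    # then pipe it to Get-MsalToken with cloud-specific scopes (client credential flow).
    $app = New-MsalClientApplication -ClientId $ClientId -ClientSecret $ClientSecret `
        -TenantId $TenantId -AzureCloudInstance $Cloud
    $app | Get-MsalToken -Scopes $Scopes
}

# Usage (placeholder values; the secret is read interactively so it never lands in history):
# $tok = Get-GraphTokenForCloud -ClientId '<client id>' -TenantId '<tenant>.onmicrosoft.us' `
#            -ClientSecret (Read-Host -AsSecureString) -Cloud AzureUsGovernment
# $tok.AccessToken
```

Passing a public-cloud scope such as https://graph.microsoft.com/.default with -Cloud AzureUsGovernment now fails at the throw line, which is the same mismatch the original error message describes.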
