Copilot AI commented Jan 23, 2026

Changes proposed in this request

MSAL performs instance discovery to resolve cloud aliases and ensure token cache compatibility. For known clouds, instance discovery must target the cloud-specific endpoint rather than the global cloud (login.microsoftonline.com).

Added three new sovereign clouds to KnownMetadataProvider:

  • Bleu (France): login.sovcloud-identity.fr
  • Delos (Germany): login.sovcloud-identity.de
  • GovSG (Singapore): login.sovcloud-identity.sg

Each cloud entry follows the existing pattern:

InstanceDiscoveryMetadataEntry bleuCloudEntry = new InstanceDiscoveryMetadataEntry()
{
    Aliases = new[] { "login.sovcloud-identity.fr" },
    PreferredNetwork = "login.sovcloud-identity.fr",
    PreferredCache = "login.sovcloud-identity.fr"
};

Instance discovery for these clouds now routes to the cloud-specific endpoint, not the global cloud.

Testing

  • Added KnownMetadataProvider_NewSovereignClouds test validating metadata retrieval for all three clouds
  • Extended KnownMetadataProvider_IsKnown to verify case-insensitive recognition
  • Extended KnownMetadataProvider_publicEnvironment to ensure new clouds are not treated as public cloud

All tests pass.

Performance impact

None. Static initialization only, no runtime changes.

Documentation

  • All relevant documentation is updated.

Original prompt

This section details the original issue you should resolve

<issue_title>[Feature Request] New sovereign cloud support</issue_title>
<issue_description>### MSAL client type

Confidential, Public

Problem statement

MSAL must keep all HTTP requests in the same cloud for the publicly known clouds. However, today MSAL will perform instance discovery, which in some cases goes to the global cloud, i.e. login.microsoftonline.com

The proposed solution is for MSAL to keep a list of known clouds. If the authority host matches a known host, then instance discovery should occur on that host.

Below is a list of known cloud hosts. This is partially available here

"Public"
"login.microsoftonline.com" <-- use this for instance discovery
"login.windows.net",
"login.microsoft.com",
"sts.windows.net"

"PPE"
"login.windows-ppe.net",

"Fairfax",
"login.microsoftonline.us",

"Mooncake",
"login.partner.microsoftonline.cn" <-- use this for instance discovery
"login.chinacloudapi.cn"

"Bleu",
"login.sovcloud-identity.fr",

"Delos",
"login.sovcloud-identity.de",

"GovSG",
"login.sovcloud-identity.sg",

Notes:

  • MSAL.NET already does this for most clouds; it just needs to be updated for Bleu, Delos and GovSG - see https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/main/src/client/Microsoft.Identity.Client/Instance/Discovery/KnownMetadataProvider.cs#L47

  • Instance discovery should continue to be performed for discovery of aliases

Acceptance tests

  1. Authority: "login.microsoftonline.com/tid". Instance discovery expected on: login.microsoftonline.com
  2. Authority: "login.microsoft.com/tid". Instance discovery expected on: login.microsoftonline.com
  3. Authority: "login.partner.microsoftonline.cn/tid". Instance discovery expected on: login.partner.microsoftonline.cn
  4. Authority: any of the list above. Instance discovery not expected on login.microsoftonline.com
  5. Authority not on the list above. Instance discovery expected on login.microsoftonline.com

</issue_description>

<agent_instructions>Look for other places where we handle sovereign clouds like login.partner.microsoftonline.cn and use that as an example. Only instance discovery logic is affected</agent_instructions>

Comments on the Issue (you are @copilot in this section)

@iulico-1 Change and tests look good.

Adding a few more details here. We call global in two flows: Instance discovery and authority validation.

For new sovereign clouds we'll rely on client-side authority validation (no calls to eSTS). Instance discovery logic will be controlled by the cloud specific configuration.
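
The host selection rule from the issue (known host: discover on that cloud; any other host: discover on login.microsoftonline.com), as an added C# example that is not part of this PR or of MSAL.NET. `DiscoveryHostResolver` and its members are hypothetical names, authorities are assumed to be absolute https URLs, and single-host clouds are assumed to discover on their only listed host.

```csharp
using System;
using System.Collections.Generic;

// Added illustration, not MSAL.NET code; type and member names are hypothetical.
static class DiscoveryHostResolver
{
    const string GlobalCloud = "login.microsoftonline.com";

    // Host groups from the issue's list; index 0 is the instance discovery host.
    static readonly string[][] KnownClouds =
    {
        new[] { "login.microsoftonline.com", "login.windows.net", "login.microsoft.com", "sts.windows.net" }, // Public
        new[] { "login.windows-ppe.net" },                                      // PPE
        new[] { "login.microsoftonline.us" },                                   // Fairfax
        new[] { "login.partner.microsoftonline.cn", "login.chinacloudapi.cn" }, // Mooncake
        new[] { "login.sovcloud-identity.fr" },                                 // Bleu
        new[] { "login.sovcloud-identity.de" },                                 // Delos
        new[] { "login.sovcloud-identity.sg" },                                 // GovSG
    };

    static readonly Dictionary<string, string> DiscoveryHostByAlias = BuildIndex();

    static Dictionary<string, string> BuildIndex()
    {
        // Case-insensitive keys, matching the case-insensitive recognition the PR tests for.
        var index = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (string[] cloud in KnownClouds)
            foreach (string alias in cloud)
                index[alias] = cloud[0];
        return index;
    }

    public static string Resolve(string authority)
    {
        // Match the parsed host exactly. Substring or suffix matching would let a
        // look-alike such as login.sovcloud-identity.fr.example.test count as Bleu.
        string host = new Uri(authority).Host;
        return DiscoveryHostByAlias.TryGetValue(host, out var known) ? known : GlobalCloud;
    }

    static void Main()
    {
        // Constructed sample authorities ("tid" stands in for a tenant id).
        foreach (string authority in new[] { "https://login.microsoft.com/tid",
                 "https://login.chinacloudapi.cn/tid", "https://LOGIN.SOVCLOUD-IDENTITY.FR/tid",
                 "https://login.sovcloud-identity.fr.example.test/tid", "https://login.example.test/tid" })
            Console.WriteLine($"{authority} -> {Resolve(authority)}");
    }
}
```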


Co-authored-by: bgavrilMS <12273384+bgavrilMS@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add support for new sovereign cloud instances in MSAL" to "Add sovereign cloud support for Bleu, Delos, and GovSG" Jan 23, 2026
Copilot AI requested a review from bgavrilMS January 23, 2026 16:13
Development

Successfully merging this pull request may close these issues.

[Feature Request] New sovereign cloud support