Can application in public cloud be authorized to fetch data from government tenant via graph api?

437 views Asked by At

I'm trying to fetch email list from government tenant via graph api and it worked fine until last week. I'm using client credentials flow. Last week i started to get the following error when trying to authorize my app in government tenants:

oauthlib.oauth2.rfc6749.errors.InvalidClientIdError: (invalid_request) AADSTS900441: Requests to applications hosted in the public cloud are not supported for USGov tenants.

Is there a way to authorize application from public azure cloud to read data from government tenant?

EDIT: code example and debug logs

    from oauthlib.oauth2 import BackendApplicationClient
    
    client = BackendApplicationClient(client_id=config.CLIENT_ID)
    MSGRAPH = requests_oauthlib.OAuth2Session(
        client=client
    )
    
    token = MSGRAPH.fetch_token(
        'https://login.microsoftonline.us' + '/<tenant>' + config.TOKEN_ENDPOINT,
        client_id=config.CLIENT_ID,
        client_secret=config.CLIENT_SECRET,
        include_client_id=True,
        scope=['https://graph.microsoft.us/.default'])

    endpoint = config.RESOURCE + config.API_VERSION + '/users'
    graphdata = MSGRAPH.get(endpoint).json()
DEBUG:requests_oauthlib.oauth2_session:Requesting url https://login.microsoftonline.us/<tenant-id>/oauth2/v2.0/token using method POST.
DEBUG:requests_oauthlib.oauth2_session:Supplying headers {u'Content-Type': u'application/x-www-form-urlencoded;charset=UTF-8', u'Accept': u'application/json'} and data {u'client_secret': u'...', u'grant_type': u'client_credentials', u'client_id': u'...', u'scope': u'https://graph.microsoft.us/.default'}
DEBUG:requests_oauthlib.oauth2_session:Passing through key word arguments {'verify': True, 'json': None, 'proxies': None, 'timeout': None, 'auth': None}.
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): login.microsoftonline.us:443
DEBUG:urllib3.connectionpool:https://login.microsoftonline.us:443 "POST /<tenant-id>/oauth2/v2.0/token HTTP/1.1" 400 522
DEBUG:requests_oauthlib.oauth2_session:Prepared fetch token request body grant_type=client_credentials&client_id=...&client_secret=...&scope=https%3A%2F%2Fgraph.microsoft.us%2F.default
DEBUG:requests_oauthlib.oauth2_session:Request to fetch token completed with status 400.

Basically i see this error when i'm trying to fetch access token. Adminconsent was already given to my application by tenant admin. This code worked for Gov tenants for month or so and suddenly stopped to work.

1

There are 1 answers

1
Nagdeep On BEST ANSWER

AAD started enforcing this about a month ago, GCC High/DoD tenants cannot use confidential apps published in commercial cloud. You need to publish your app from a GCC High/DoD tenant.