Is it possible to use an Azure AD App registered in 'commercial' public Azure portal from a US Gov tenant?


We have an app registered in public Azure portal (with client id & secret) which we have been using for a while. It's set up to use OAuth2 and is multi-tenant and has been successfully used by a number of commercial customers to retrieve SharePoint data.

Can customers on US Gov tenants also use this app or will we need to set up a new one? I came across a post that suggested this used to work but has been recently tightened up. Perhaps we need to set up a new app for each US Gov tenant / customer? I have not found much about this in the documentation so far, so any links appreciated!

So far we have two US Gov customers who have attempted to complete the OAuth2 flow but each gets a different error:

  1. AADSTS900441 'Requests to applications hosted in the public cloud are not supported for US Gov tenants'
  2. AADSTS7000215 'Invalid client secret is provided'

The only thing we have changed so far to support these customers is the auth endpoint (https://login.microsoftonline.com -> https://login.microsoftonline.us). Perhaps there is something else we need to update?

2

There are 2 answers

5
Joy Wang On BEST ANSWER

As mentioned by @Steve Michelotti (who works at Microsoft on Azure Government), this has been more locked down recently. If your customers need to use the OAuth2 flow to log in to your app, you need to create a new app for each US Gov tenant.

0
jet On

To share our experience with this: with the help of our customer as our "sponsor", we were able to get approval for a US Gov Azure instance from Microsoft. Using our own US Gov Azure instance, we registered a new application, and this application is able to run successfully with the same existing code. The only difference is the CLIENT_ID and CLIENT_SECRET being swapped out. This new US Gov application can handle registrations from anyone who is on the Gov Cloud and is not limited to just one customer.
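An added example, not part of either answer and not the asker's code: one way to keep the same code path while pairing each login endpoint with the app registration made in that cloud, so a public-cloud client id is never sent to `login.microsoftonline.us`. The environment variable names and sample values are hypothetical, and the hint texts are this example's reading of the answers above.

```python
import os
import re
from dataclasses import dataclass
from urllib.parse import urlencode


@dataclass(frozen=True)
class CloudApp:
    authority: str          # login host of the cloud the app is registered in
    client_id_env: str      # hypothetical env var holding that cloud's CLIENT_ID
    client_secret_env: str  # hypothetical env var holding that cloud's CLIENT_SECRET


# One registration per cloud; credentials are never shared across clouds.
CLOUD_APPS = {
    "public": CloudApp("https://login.microsoftonline.com",
                       "PUBLIC_CLIENT_ID", "PUBLIC_CLIENT_SECRET"),
    "usgov": CloudApp("https://login.microsoftonline.us",
                      "USGOV_CLIENT_ID", "USGOV_CLIENT_SECRET"),
}

# Error codes quoted in the question, with a hint on what to check.
AADSTS_HINTS = {
    "AADSTS900441": "public-cloud app called by a US Gov tenant; "
                    "use the app registered in the US Gov cloud",
    "AADSTS7000215": "secret rejected; confirm CLIENT_ID and CLIENT_SECRET "
                     "are the pair registered in the cloud being called",
}


def authorize_url(cloud, tenant, redirect_uri, scope, state, env=os.environ):
    """Build the OAuth2 authorize URL from the registration for `cloud`."""
    app = CLOUD_APPS[cloud]
    client_id = env.get(app.client_id_env)
    if not client_id:
        # Fail closed instead of falling back to another cloud's client id.
        raise LookupError(f"no app registration configured for {cloud!r}")
    query = urlencode({"client_id": client_id, "response_type": "code",
                       "redirect_uri": redirect_uri, "scope": scope,
                       "state": state})
    return f"{app.authority}/{tenant}/oauth2/v2.0/authorize?{query}"


def explain_error(error_description):
    """Return (code, hint) for an AADSTS error string, or None if absent."""
    match = re.search(r"AADSTS\d+", error_description)
    if match is None:
        return None
    code = match.group(0)
    return code, AADSTS_HINTS.get(code, "no hint recorded for this code")
```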