Authorization considerations for tenants hosted in the Germany, China or US Government environments

When your Office 365 tenant is hosted in an specific environment like the Germany, China or US Government environments then you'll need to take this in account when you're developing against your tenant.

Applies to: Office 365 hosted in the Germany, China or US Government environments

Important

Using Azure ACS (Access Control Services) for SharePoint Online has been retired as of November 27th 2023, checkout the full retirement announcement to learn more. Using Azure ACS outside of the context of SharePoint was already retired on November 7th, 2018 and is end-of-life now.

Retirement means that the feature will not get any new investments, but it's still supported. End-of-life means that the feature will be discontinued and is no longer available for use.

Introduction

Microsoft has specific Office 365 deployments in Germany, China and for US Government to fulfill the specific regulations for those areas. Below links provide more context:

If you are a developer targeting applications for SharePoint Online hosted in these environments then you'll need to take in account that these environments have their own dedicated Azure AD authentication endpoints that you as developer need to use. Below chapters explain how do use these dedicated endpoints for the typical SharePoint Online customization options.

Using Azure AD to authorize

Azure AD endpoints

When your Azure AD application needs to authorize it needs to use the correct endpoint. Below table describes the endpoints to use depending on where your Azure AD application has been defined:

Environment Endpoint
Production https://login.windows.net
Germany https://login.microsoftonline.de
China https://login.chinacloudapi.cn
US Government https://login.microsoftonline.us

Using PnP to authorize using Azure AD

The PnP AuthenticationManager offers an easy way to obtain an SharePoint ClientContext object when you're using an Azure AD application. The impacted methods have been extended with an optional AzureEnvironment enum

/// <summary>
/// Enum to identify the supported Office 365 hosting environments
/// </summary>
public enum AzureEnvironment
{
    Production=0,
    PPE=1,
    China=2,
    Germany=3,
    USGovernment=4
}

Below snippet shows an app-only authorization, notice the last parameter in the GetAzureADAppOnlyAuthenticatedContext method:

string siteUrl = "https://contoso.sharepoint.de/sites/test";
string aadAppId = "079d8797-cebc-4cda-a3e0-xxxx"; 
string pfxPassword = "my password";
ClientContext cc = new AuthenticationManager().GetAzureADAppOnlyAuthenticatedContext(siteUrl, 
			aadAppId, "contoso.onmicrosoft.de", @"C:\contoso.pfx", pfxPassword, AzureEnvironment.Germany);

Another snippet is showing an interactive user login using the GetAzureADNativeApplicationAuthenticatedContext method:

string siteUrl = "https://contoso.sharepoint.de/sites/test";
string aadAppId = "ff76a9f4-430b-4ee4-8602-xxxx"; 
ClientContext cc = new AuthenticationManager().GetAzureADNativeApplicationAuthenticatedContext(siteUrl, 
			aadAppId, "https://contoso.com/test", environment: AzureEnvironment.Germany);

Using Azure ACS to authorize your SharePoint add-in

When you create SharePoint add-ins they'll typically low-trust authorization which depends on Azure ACS as descrived in Creating SharePoint Add-ins that use low-trust authorization.

Azure ACS endpoints

Environment Endpoint prefix Endpoint
Production accounts accesscontrol.windows.net
Germany login microsoftonline.de
China accounts accesscontrol.chinacloudapi.cn
US Government accounts accesscontrol.windows.net

Using this model the ACS endpoint url to use is formatted like https:// + endpoint prefix + / + endpoint. So the URL for production will be https://accounts.accesscontrol.windows.net, the one for Germany will be https://login.microsoftonline.de.

Updating tokenhelper.cs in your applications

When you want to do SharePoint add-in authorization using Azure ACS then you're using tokenhelper.cs (or tokenhelper.vb). The default tokenhelper class will have hardcoded references to the Azure ACS endpoints and methods to acquire the ACS endpoint as shown below:

...

private static string GlobalEndPointPrefix = "accounts";
private static string AcsHostUrl = "accesscontrol.windows.net";

...

Tokenhelper.cs updates for Germany

Update the static variables GlobalEndPointPrefix and AcsHostUrl to the Germany Azure ACS values.

...

private static string GlobalEndPointPrefix = "login";
private static string AcsHostUrl = "microsoftonline.de";

...

Tokenhelper.cs updates for China

Update the static variables GlobalEndPointPrefix and AcsHostUrl to the China Azure ACS values:

...

private static string GlobalEndPointPrefix = "accounts";
private static string AcsHostUrl = "accesscontrol.chinacloudapi.cn";

...

Using PnP to authorize your add-in using Azure ACS

The PnP AuthenticationManager offers an easy way to obtain an SharePoint ClientContext object when you're using Azure ACS to authorize. The impacted methods have been extended with an optional AzureEnvironment enum

/// <summary>
/// Enum to identify the supported Office 365 hosting environments
/// </summary>
public enum AzureEnvironment
{
    Production=0,
    PPE=1,
    China=2,
    Germany=3,
    USGovernment=4
}

Below snippet shows an app-only authorization, notice the last parameter in the GetAppOnlyAuthenticatedContext method:

string siteUrl = "https://contoso.sharepoint.de/sites/test";
string acsAppId = "955c10f2-7072-47f8-8bc1-xxxxx"; 
string acsAppSecret = "jgTolmGXU9DW8hUKgletoxxxxx"; 
ClientContext cc = new AuthenticationManager().GetAppOnlyAuthenticatedContext(siteUrl, acsAppId, 
				acsAppSecret, AzureEnvironment.Germany);

See also