Use globally registered app id on Microsoft Graph operated by 21Vianet

Jöran Malek 96 Reputation points
2021-05-10T12:43:18.11+00:00

I've got a globally registered app id of type "Public Client" for consumer with multi-tenancy enabled using /common/oauth2/v2.0/-authentication endpoints.
Now using this app id doesn't work for AD tenants in Azure operated by 21Vianet.

There is no documentation I can find which describes this exact use case. Basically create a "public client" app registration in Azure Portal (.com) and use it in login.chinacloudapi.cn. Is there any way this integration works? Registering a company in China is no option.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Nandeesh Swami-MSFT 1 Reputation point Microsoft Employee
    2021-05-19T08:03:29.45+00:00

    Check this,
    https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-national-cloud?tabs=dotnet#choose-the-appropriate-identities

    After you decide, a special consideration is where you perform your app registration. If you choose Azure AD Public identities for your Azure Government application, you must register the application in your Azure AD Public tenant.

    For more info on Sovereign cloud check below,
    https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-national-cloud?tabs=dotnet
    https://learn.microsoft.com/en-us/azure/active-directory/develop/authentication-national-cloud
    https://learn.microsoft.com/en-us/azure/china/overview-connectivity-and-interoperability

    The above links have been beautifully summarized in the below Stack Overflow discussion.
    https://stackoverflow.com/questions/41599059/how-to-specify-a-different-aadinstance-for-a-web-api

    (Copying the below from the Stack Overflow thread)

    A few things to note here about applications that use different sovereign clouds:

    Each Sovereign Cloud (China, US Gov, Germany, Worldwide) is its own instance of AAD. In order for you to authenticate with an application to its token endpoint, you must have a separately registered application for that environment. An application registered in worldwide, that can call "https://login.microsoftonline.com" will generally not be able to authenticate to the other endpoints like "https://login.chinacloudapi.cn".

    As a client application, you must make sure to request a token using all the correct parameters for the environment you are looking to authenticate to. If you want to get a token to the AAD Graph API in China, so that you may access directory information for a tenant based in the China Cloud AAD environment, you must ensure that:
    You use the correct login endpoint (https://login.chinacloudapi.net)
    You use the correct resource identifier for that environment (https://graph.chinacloudapi.cn/)
    You use the correct client id, which is registered for that environment
    You use the correct reply url, and other configurations registered for that environment


  2. Nandeesh Swami-MSFT 1 Reputation point Microsoft Employee
    2021-05-21T09:47:10.203+00:00

    Please add the appropriate redirect URI for your Azure deployment.
    https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app#add-a-redirect-uri

    A valid entry for the response URI should be one of:

    https://login.microsoftonline.us/common/oauth2/nativeclient (Microsoft Cloud for US Government)
    https://login.microsoftonline.de/common/oauth2/nativeclient (Microsoft Cloud Germany)
    https://login.chinacloudapi.cn/common/oauth2/nativeclient (Azure and Office 365 operated by 21Vianet in China)

    For a single-tenant application, it may be necessary to use your specific tenant id instead of "common":

    https://login.microsoftonline.us/example.onmicrosoft.us/oauth2/nativeclient (Microsoft Cloud for US Government)
    https://login.microsoftonline.de/example.onmicrosoft.de/oauth2/nativeclient (Microsoft Cloud Germany)
    https://login.chinacloudapi.cn/example.onmicrosoft.cn/oauth2/nativeclient (Azure and Office 365 operated by 21Vianet in China)

    https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app#add-a-redirect-uri
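The two answers above make the same point from different angles: the login authority, the resource being requested and the reply URL of a public client must all belong to the same national cloud, and the client id must come from an app registration made in that cloud. The following is an added example, not code from the thread or from Microsoft, that checks a client configuration for exactly that mismatch before any request is sent. It only knows the hosts quoted in the answers plus graph.microsoft.com as the worldwide Microsoft Graph host; the US Government and Germany Graph hosts are not in the thread and are deliberately left empty, and the sample configurations are constructed for illustration.

```python
from urllib.parse import urlparse

# Hosts per national cloud. Login/reply hosts and graph.chinacloudapi.cn are
# taken from the answers above; graph.microsoft.com is the worldwide Microsoft
# Graph host (general knowledge, not from the thread). Resource hosts for the
# US Government and Germany clouds are not in the thread, so they stay empty
# and any resource URL for those clouds is reported as unrecognised.
CLOUDS = {
    "worldwide": {"login": {"login.microsoftonline.com"}, "resource": {"graph.microsoft.com"}},
    "china": {"login": {"login.chinacloudapi.cn"}, "resource": {"graph.chinacloudapi.cn"}},
    "usgov": {"login": {"login.microsoftonline.us"}, "resource": set()},
    "germany": {"login": {"login.microsoftonline.de"}, "resource": set()},
}

# Reply URL path the second answer gives for public (native) clients.
NATIVE_CLIENT_PATH = "/oauth2/nativeclient"


def cloud_of(url, kind):
    """Return the cloud name whose `kind` ("login" or "resource") host matches url, else None."""
    host = urlparse(url).hostname
    if host is None:
        return None
    host = host.lower()
    for name, hosts in CLOUDS.items():
        if host in hosts[kind]:
            return name
    return None


def check_cloud_consistency(cfg):
    """Check that authority, resource and redirect_uri all point at one cloud.

    Returns (cloud, problems): cloud is the single cloud name when the endpoints
    agree, otherwise None; problems is a list of human-readable findings (empty
    when the configuration is consistent). The client id cannot be validated
    from its value alone: it must simply come from an app registration made in
    the same cloud's portal, which is the thread's core point.
    """
    found = {
        "authority": cloud_of(cfg["authority"], "login"),
        "resource": cloud_of(cfg["resource"], "resource"),
        "redirect_uri": cloud_of(cfg["redirect_uri"], "login"),
    }
    problems = [f"{field}: unrecognised host in {cfg[field]}" for field, c in found.items() if c is None]

    clouds = {c for c in found.values() if c is not None}
    if len(clouds) > 1:
        detail = ", ".join(f"{k}={v}" for k, v in sorted(found.items()))
        problems.append(f"endpoints span several clouds: {detail}")

    # A public client's reply URL should be <login host>/<tenant>/oauth2/nativeclient.
    if not urlparse(cfg["redirect_uri"]).path.rstrip("/").endswith(NATIVE_CLIENT_PATH):
        problems.append(f"redirect_uri: expected a path ending in {NATIVE_CLIENT_PATH}")

    cloud = clouds.pop() if len(clouds) == 1 else None
    return cloud, problems


# Constructed sample configurations (placeholders, not the poster's real values).
MIXED_CLOUD_CONFIG = {
    "client_id": "00000000-0000-0000-0000-000000000000",  # placeholder
    "authority": "https://login.microsoftonline.com/common",          # worldwide login
    "resource": "https://graph.chinacloudapi.cn/",                    # China resource
    "redirect_uri": "https://login.microsoftonline.com/common/oauth2/nativeclient",
}

CHINA_CONFIG = {
    "client_id": "00000000-0000-0000-0000-000000000000",  # placeholder, must be registered in the China portal
    "authority": "https://login.chinacloudapi.cn/common",
    "resource": "https://graph.chinacloudapi.cn/",
    "redirect_uri": "https://login.chinacloudapi.cn/common/oauth2/nativeclient",
}

if __name__ == "__main__":
    for name, cfg in (("mixed", MIXED_CLOUD_CONFIG), ("china", CHINA_CONFIG)):
        cloud, problems = check_cloud_consistency(cfg)
        print(name, "->", cloud or "inconsistent", problems)
```

Running the mixed configuration reports that the endpoints span the worldwide and China clouds, which is the situation described in the question; the all-China configuration passes, leaving only the requirement that the client id was issued by an app registration in the China portal.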

