Add sovereign cloud support to next/core (GCCH, DoD, China) #413

Open
corinagum wants to merge 4 commits into next/core from cg/sovereign-cloud-nextcore

@corinagum
Contributor

Summary

  • Cherry-picks Libraries-layer sovereign cloud changes from Add sovereign cloud support (GCCH, DoD, China) #352
  • Adds core/ package support: BotConfig cloud resolution, MSAL Instance from CloudEnvironment.LoginEndpoint, cloud-aware default scope, cloud-aware UserTokenClient endpoint

core/ changes

| File | Change |
| --- | --- |
| core/src/.../Hosting/BotConfig.cs | Cloud property, resolved from config key in all 3 formats (BF, Core, AzureAd) |
| core/src/.../Hosting/BotClientOptions.cs | Cloud property, scope defaults from cloud |
| core/src/.../Hosting/AddBotApplicationExtensions.cs | Cloud-aware MSAL Instance, resolves cloud from config, threads through all auth methods |
| core/src/.../UserTokenClient.cs | Cloud-aware default token service endpoint |

Test plan

  • dotnet build — 0 errors
  • dotnet test — 42 sovereign cloud tests pass (24 CloudEnv + 9 BotTokenClient + 9 TeamsValidationSettings)

Depends on

🤖 Generated with Claude Code

@rajan-chari
Contributor

Review: GraphScope needed here too

This PR extends #352's CloudEnvironment to next/core — the right approach since core/ is the shipping path.

Same gap as #352: the CloudEnvironment class is missing a GraphScope property. In core/, the MSAL Instance is correctly wired from CloudEnvironment.LoginEndpoint (in AddBotApplicationExtensions.cs), but the Graph token scope still needs to come from CloudEnvironment too.

The correct Graph scopes per cloud (from Microsoft Graph national cloud deployments):

| Preset | Graph scope |
| --- | --- |
| Public | https://graph.microsoft.com/.default |
| USGov (GCC High) | https://graph.microsoft.us/.default |
| USGovDoD | https://dod-graph.microsoft.us/.default |
| China | https://microsoftgraph.chinacloudapi.cn/.default |

Note: DoD uses a different Graph host than GCC High (dod-graph.microsoft.us vs graph.microsoft.us).

Source: Access national cloud deployments with the Microsoft Graph SDKs

Once #352 adds GraphScope, this PR picks it up automatically via the cherry-pick.
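
Added example, not part of this thread or the SDK's code: a C# sketch of the per-cloud Graph scope resolution the review above asks for, which fails closed on an unknown cloud name and rejects a scope override aimed at another cloud's Graph host. `GraphScopeResolver`, `Resolve` and the default to Public for a missing cloud name are assumptions; the scope values are the ones listed in the review.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical sketch: GraphScopeResolver and its members are illustrative names,
// not the SDK's CloudEnvironment API. Scope values come from the review comment above.
public static class GraphScopeResolver
{
    private static readonly Dictionary<string, string> Presets =
        new(StringComparer.OrdinalIgnoreCase)
        {
            ["Public"]   = "https://graph.microsoft.com/.default",
            ["USGov"]    = "https://graph.microsoft.us/.default",
            ["USGovDoD"] = "https://dod-graph.microsoft.us/.default",
            ["China"]    = "https://microsoftgraph.chinacloudapi.cn/.default",
        };

    // Returns the Graph scope for the configured cloud. A missing name means Public
    // (assumption); an unknown name throws instead of silently falling back, and an
    // explicit override must stay on the selected cloud's Graph host over HTTPS.
    public static string Resolve(string? cloudName, string? scopeOverride = null)
    {
        var name = string.IsNullOrWhiteSpace(cloudName) ? "Public" : cloudName.Trim();
        if (!Presets.TryGetValue(name, out var preset))
            throw new ArgumentException($"Unknown cloud '{name}'.", nameof(cloudName));
        if (string.IsNullOrWhiteSpace(scopeOverride))
            return preset;

        var expectedHost = new Uri(preset).Host;
        if (!Uri.TryCreate(scopeOverride, UriKind.Absolute, out var uri)
            || uri.Scheme != Uri.UriSchemeHttps
            || !string.Equals(uri.Host, expectedHost, StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException(
                $"Scope '{scopeOverride}' is not on {expectedHost} for cloud '{name}'.",
                nameof(scopeOverride));
        return scopeOverride;
    }
}

public static class Program
{
    public static void Main()
    {
        Console.WriteLine(GraphScopeResolver.Resolve("USGovDoD"));
        Console.WriteLine(GraphScopeResolver.Resolve("usgov", "https://graph.microsoft.us/User.Read"));
        // Constructed misconfiguration: DoD cloud paired with the GCC High Graph host.
        try { GraphScopeResolver.Resolve("USGovDoD", "https://graph.microsoft.us/.default"); }
        catch (ArgumentException ex) { Console.WriteLine($"rejected: {ex.Message}"); }
    }
}
```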

Contributor

Copilot AI left a comment


Pull request overview

Adds sovereign cloud support (GCCH, DoD, China) across the libraries layer and next/core by introducing a shared CloudEnvironment model and threading cloud-aware endpoints/scopes through configuration, auth/token acquisition, and token-service clients.

Changes:

  • Introduces CloudEnvironment (Public/USGov/USGovDoD/China) and updates credentials + token clients to use cloud-specific endpoints/scopes.
  • Adds configuration-driven cloud resolution (TeamsSettings, ASP.NET Core host builders, core bot hosting) and uses CloudEnvironment.LoginEndpoint to configure MSAL Instance.
  • Adds/extends tests covering cloud endpoint presets, token scopes, and validation settings per cloud.

Reviewed changes

Copilot reviewed 18 out of 19 changed files in this pull request and generated 6 comments.

| File | Description |
| --- | --- |
| Tests/Microsoft.Teams.Plugins.AspNetCore.Tests/Extensions/TeamsValidationSettingsTests.cs | Adds tests for cloud-aware token validation settings. |
| Tests/Microsoft.Teams.Api.Tests/Clients/BotTokenClientTests.cs | Verifies ActiveBotScope default/override behavior and usage. |
| Tests/Microsoft.Teams.Api.Tests/Auth/CloudEnvironmentTests.cs | Adds tests for cloud endpoint presets and override behavior. |
| Libraries/Microsoft.Teams.Plugins/Microsoft.Teams.Plugins.AspNetCore/Extensions/TeamsValidationSettings.cs | Makes token validation settings cloud-aware via CloudEnvironment. |
| Libraries/Microsoft.Teams.Plugins/Microsoft.Teams.Plugins.AspNetCore/Extensions/HostApplicationBuilder.cs | Wires resolved cloud into JWT validation settings. |
| Libraries/Microsoft.Teams.Extensions/Microsoft.Teams.Extensions.Hosting/Microsoft.Teams.Apps.Extensions/HostApplicationBuilder.cs | Resolves cloud from config/options and propagates into credentials. |
| Libraries/Microsoft.Teams.Extensions/Microsoft.Teams.Extensions.Configuration/Microsoft.Teams.Apps.Extensions/TeamsSettings.cs | Adds Cloud + per-endpoint overrides and resolves into AppOptions/credentials. |
| Libraries/Microsoft.Teams.Apps/AppOptions.cs | Adds optional Cloud to app options. |
| Libraries/Microsoft.Teams.Apps/App.cs | Applies cloud-specific bot scope and token service URLs to API clients. |
| Libraries/Microsoft.Teams.Api/Clients/UserTokenClient.cs | Makes token service base URL configurable. |
| Libraries/Microsoft.Teams.Api/Clients/BotTokenClient.cs | Adds ActiveBotScope and uses it for token acquisition. |
| Libraries/Microsoft.Teams.Api/Clients/BotSignInClient.cs | Makes token service base URL configurable for sign-in URLs/resources. |
| Libraries/Microsoft.Teams.Api/Auth/CloudEnvironment.cs | Adds cloud endpoint preset model and override mechanism. |
| Libraries/Microsoft.Teams.Api/Auth/ClientCredentials.cs | Uses cloud login endpoint + tenant for token acquisition. |
| core/src/Microsoft.Teams.Bot.Core/UserTokenClient.cs | Chooses default token service endpoint based on configured cloud. |
| core/src/Microsoft.Teams.Bot.Core/Hosting/BotConfig.cs | Adds cloud resolution for BF/Core/AzureAd config formats. |
| core/src/Microsoft.Teams.Bot.Core/Hosting/BotClientOptions.cs | Stores resolved cloud for client configuration defaults. |
| core/src/Microsoft.Teams.Bot.Core/Hosting/AddBotApplicationExtensions.cs | Resolves cloud for scope defaults and configures MSAL Instance accordingly. |
| .gitignore | Ignores additional local development configuration files. |


Comment thread core/src/Microsoft.Teams.Bot.Core/Hosting/BotConfig.cs Outdated
Comment thread core/src/Microsoft.Teams.Bot.Core/Hosting/AddBotApplicationExtensions.cs Outdated
Comment thread core/src/Microsoft.Teams.Bot.Core/UserTokenClient.cs Outdated
Comment thread Libraries/Microsoft.Teams.Api/Auth/CloudEnvironment.cs
@corinagum corinagum marked this pull request as ready for review April 17, 2026 19:05
@corinagum corinagum force-pushed the cg/sovereign-cloud-nextcore branch from caf3422 to 3568d2e Compare April 21, 2026 22:51
@corinagum corinagum closed this Apr 22, 2026
@corinagum corinagum reopened this Apr 22, 2026
@corinagum corinagum force-pushed the cg/sovereign-cloud-nextcore branch 2 times, most recently from ce41e58 to 9ca073a Compare April 22, 2026 19:21
@corinagum corinagum force-pushed the cg/sovereign-cloud-nextcore branch from 9ca073a to e7a8e37 Compare April 22, 2026 22:12