sjkp/letsencrypt-siteextension

GCC High/Azure Gov Tenants receive AADSTS900382: Confidential Client is not supported in Cross Cloud request

rritters-gryph opened this issue · 2 comments

We maintain a tenant in GCC High which uses the Azure Government datacenters. When trying to configure the extension on an app service, the configuration fails with AADSTS900382: Confidential Client is not supported in Cross Cloud request.

Generally, that error occurs when the login request is directed at the commercial tenant endpoint (login.microsoftonline.com) instead of the Azure government endpoint (login.microsoftonline.us). Tenants can be queried for their placement, which could help the extension choose the right endpoint for login (https://www.reddit.com/r/NISTControls/comments/hzosgo/quick_script_to_determine_microsoft_365_tenant/)
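A way to turn the tenant-placement check described above into a concrete configuration decision, as an added example that is not part of the original issue or the extension's own code. It assumes the tenant's OpenID discovery document (for example from https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration) has already been fetched, reads its cloud_instance_name field, and maps it to the letsencrypt:* settings the extension exposes for alternate clouds; the per-cloud endpoint values are the standard Azure cloud endpoints filled in by hand here, not read from the project, and the sample document is constructed.

```python
import json

# Login endpoint the extension uses when no alternate cloud is configured
COMMERCIAL_LOGIN = "https://login.microsoftonline.com"

# Extension settings per cloud, keyed by the cloud_instance_name value of the
# tenant's discovery document. Setting names come from the project; the
# endpoint values are the standard Azure cloud constants (assumed mapping).
CLOUD_SETTINGS = {
    "microsoftonline.com": {
        "letsencrypt:AzureAuthenticationEndpoint": "https://login.microsoftonline.com",
        "letsencrypt:AzureTokenAudience": "https://management.core.windows.net/",
        "letsencrypt:AzureManagementEndpoint": "https://management.azure.com",
        "letsencrypt:AzureDefaultWebSiteDomainName": "azurewebsites.net",
    },
    "microsoftonline.us": {
        "letsencrypt:AzureAuthenticationEndpoint": "https://login.microsoftonline.us",
        "letsencrypt:AzureTokenAudience": "https://management.core.usgovcloudapi.net/",
        "letsencrypt:AzureManagementEndpoint": "https://management.usgovcloudapi.net",
        "letsencrypt:AzureDefaultWebSiteDomainName": "azurewebsites.us",
    },
}


def settings_for_tenant(discovery_json: str, configured_login: str = COMMERCIAL_LOGIN) -> dict:
    """Return the settings for the tenant's cloud and whether the configured
    login endpoint would send a cross-cloud request (the AADSTS900382 case)."""
    doc = json.loads(discovery_json)
    instance = doc.get("cloud_instance_name")
    settings = CLOUD_SETTINGS.get(instance)
    if settings is None:
        # Unknown or missing cloud instance: leave the decision to the operator
        return {"cloud_instance_name": instance, "settings": None, "cross_cloud": None}
    expected_login = settings["letsencrypt:AzureAuthenticationEndpoint"]
    cross_cloud = configured_login.rstrip("/").lower() != expected_login
    return {"cloud_instance_name": instance, "settings": settings, "cross_cloud": cross_cloud}


# Constructed stand-in for the discovery document of a GCC High tenant
SAMPLE_GCC_HIGH = json.dumps({"cloud_instance_name": "microsoftonline.us"})

if __name__ == "__main__":
    result = settings_for_tenant(SAMPLE_GCC_HIGH)
    print("cross-cloud login:", result["cross_cloud"])
    for key, value in result["settings"].items():
        print(f"{key} = {value}")
```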

China:

  • letsencrypt:AzureAuthenticationEndpoint
  • letsencrypt:AzureTokenAudience
  • letsencrypt:AzureManagementEndpoint
  • letsencrypt:AzureDefaultWebSiteDomainName
    • azurewebsites.net
    • chinacloudsites.cn