This PR does not account for Services that hard-code Azure Public endpoints. Those servers still need to be adjusted to enable sovereign cloud support. The following services will need additional updates:
Pull request overview
This pull request introduces comprehensive support for Azure sovereign clouds by adding a `--cloud` command-line option and wiring cloud configuration throughout the authentication and resource management flows. The implementation enables users to specify Azure cloud environments (AzureCloud, AzureChinaCloud, AzureUSGovernment, AzureGermanyCloud) or custom authority host URLs, with configuration sources prioritized as: command-line arguments > appsettings.json > environment variables.
Changes:
- Introduced `IAzureCloudConfiguration` interface and `AzureCloudConfiguration` implementation to centralize cloud configuration management
- Updated authentication credential chain to respect cloud-specific authority hosts across all credential types (ManagedIdentity, VisualStudio, AzureCli, etc.)
- Enhanced ARM client creation to target cloud-specific ARM environments for resource management operations
Reviewed changes
Copilot reviewed 12 out of 12 changed files in this pull request and generated 9 comments.
| File | Description |
|---|---|
| docs/sovereign-clouds.md | Comprehensive documentation for sovereign cloud configuration with examples for CLI, Docker, and MCP client setups |
| core/Azure.Mcp.Core/tests/Azure.Mcp.Core.UnitTests/Services/Azure/Authentication/AzureCloudConfigurationTests.cs | Extensive unit tests covering cloud name mappings, custom URLs, configuration priority, and edge cases |
| core/Azure.Mcp.Core/src/Services/Azure/Tenant/TenantService.cs | Integrated cloud configuration and applied ARM environment to tenant enumeration |
| core/Azure.Mcp.Core/src/Services/Azure/Tenant/ITenantService.cs | Extended interface to expose cloud configuration |
| core/Azure.Mcp.Core/src/Services/Azure/BaseAzureService.cs | Applied ARM environment from cloud configuration to all ARM client creation |
| core/Azure.Mcp.Core/src/Services/Azure/Authentication/IAzureCloudConfiguration.cs | New interface defining authority host and ARM environment properties |
| core/Azure.Mcp.Core/src/Services/Azure/Authentication/CustomChainedCredential.cs | Added static cloud configuration property and applied authority host to all credential types |
| core/Azure.Mcp.Core/src/Services/Azure/Authentication/AzureCloudConfiguration.cs | Implementation that reads cloud configuration from multiple sources with proper priority |
| core/Azure.Mcp.Core/src/Services/Azure/Authentication/AuthenticationServiceCollectionExtensions.cs | Registered cloud configuration service and initialized static credential property |
| core/Azure.Mcp.Core/src/Areas/Server/Options/ServiceStartOptions.cs | Added Cloud property to support command-line cloud configuration |
| core/Azure.Mcp.Core/src/Areas/Server/Options/ServiceOptionDefinitions.cs | Defined Cloud option with description and default value |
| core/Azure.Mcp.Core/src/Areas/Server/Commands/ServiceStartCommand.cs | Registered and bound Cloud option to service start options |
Comments suppressed due to low confidence (1)
core/Azure.Mcp.Core/src/Areas/Server/Commands/ServiceStartCommand.cs:100
- The Cloud option lacks input validation in the command validator. Consider adding validation to ensure that if a URL is provided, it starts with "https://", and potentially warn users if they provide an unrecognized cloud name. This would provide better user feedback at the command line rather than silently defaulting to public cloud.
```csharp
command.Validators.Add(commandResult =>
{
    string transport = ResolveTransport(commandResult);
    bool httpIncomingAuthDisabled = commandResult.GetValueOrDefault<bool>(ServiceOptionDefinitions.DangerouslyDisableHttpIncomingAuth);
    ValidateMode(commandResult.GetValueOrDefault(ServiceOptionDefinitions.Mode), commandResult);
    ValidateTransportConfiguration(transport, httpIncomingAuthDisabled, commandResult);
    ValidateNamespaceAndToolMutualExclusion(
        commandResult.GetValueOrDefault<string[]?>(ServiceOptionDefinitions.Namespace.Name),
        commandResult.GetValueOrDefault<string[]?>(ServiceOptionDefinitions.Tool.Name),
        commandResult);
    ValidateOutgoingAuthStrategy(commandResult);
    ValidateSupportLoggingFolder(commandResult);
});
```
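The check the review comment asks for, written out as an added example rather than code from the PR: a standalone routine that accepts one of the four cloud names the PR description lists or an absolute `https://` URL, and returns an error message for anything else so that a typo is reported at the command line instead of silently selecting the public cloud. The class and method names are assumptions.

```csharp
using System;

// Added example, not code from the PR: a standalone check for the --cloud value that a
// command validator could call. The four cloud names are the ones the PR description
// lists; the class and method names are assumptions.
public static class CloudOptionValidation
{
    private static readonly string[] KnownCloudNames =
    {
        "AzureCloud",
        "AzureChinaCloud",
        "AzureUSGovernment",
        "AzureGermanyCloud",
    };

    /// <summary>
    /// Returns null when the value is acceptable, otherwise the error text to report.
    /// A recognised cloud name or an absolute https:// URL passes; anything else is
    /// rejected so that a mistyped value never silently falls back to the public cloud.
    /// </summary>
    public static string? Validate(string? value)
    {
        if (string.IsNullOrWhiteSpace(value))
        {
            return null; // option not supplied: the option's declared default applies
        }

        string trimmed = value.Trim();
        if (Array.Exists(KnownCloudNames, n => string.Equals(n, trimmed, StringComparison.OrdinalIgnoreCase)))
        {
            return null;
        }

        // A value containing a scheme separator is treated as an attempted authority host URL:
        // it must parse as an absolute URI, use https, and carry a host name.
        if (trimmed.Contains("://", StringComparison.Ordinal))
        {
            bool isHttps = Uri.TryCreate(trimmed, UriKind.Absolute, out Uri? uri)
                && uri.Scheme == Uri.UriSchemeHttps
                && uri.Host.Length > 0;
            return isHttps
                ? null
                : $"--cloud: '{trimmed}' must be an absolute https:// URL.";
        }

        return $"--cloud: '{trimmed}' is not a recognised cloud name. Expected one of "
             + string.Join(", ", KnownCloudNames) + ", or an https:// authority host URL.";
    }
}
```

Inside the validator shown above, the call would look like `if (CloudOptionValidation.Validate(commandResult.GetValueOrDefault<string?>(ServiceOptionDefinitions.Cloud)) is { } error) commandResult.AddError(error);`, assuming the option is exposed as `ServiceOptionDefinitions.Cloud` and the System.CommandLine version in use provides `SymbolResult.AddError`.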
* Sov Cloud Support (No multi-cloud); successful build; unit tests passing; need live testing
* Sov cloud support; live testing passed
* Update core/Azure.Mcp.Core/src/Services/Azure/Authentication/AzureCloudConfiguration.cs
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Update core/Azure.Mcp.Core/src/Services/Azure/Authentication/AzureCloudConfiguration.cs
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Dotnet format
* Updating tests
* dotnet format
* Updating tests
* Updated tests
* Changelog YAML
* Updates based on PR feedback
* Updating documentation
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
This pull request introduces support for specifying the Azure cloud environment used for authentication and Azure Resource Manager operations. It adds a new `--cloud` command-line option, wires cloud configuration through dependency injection, and ensures all Azure credential types respect the selected cloud authority host. This enables seamless use of sovereign or custom clouds (such as AzureChinaCloud, AzureUSGovernment, or custom authority host URLs) across authentication and ARM client creation.

Cloud configuration support:
- Added a new `--cloud` command-line option to `ServiceStartCommand`, allowing users to specify the Azure cloud environment for authentication (e.g., AzureCloud, AzureChinaCloud, AzureUSGovernment, or a custom authority host URL). This is reflected in `ServiceOptionDefinitions`, option registration, option binding, and the `ServiceStartOptions` model. [1] [2] [3] [4] [5]
- Introduced the `IAzureCloudConfiguration` interface and its implementation `AzureCloudConfiguration`, which determines the authority host and ARM environment from command line, configuration, or environment variables. [1] [2]

Dependency injection and service registration:
- Updated `AuthenticationServiceCollectionExtensions` to register `IAzureCloudConfiguration` and inject it into the custom credential provider, making the cloud configuration available to all authentication flows. [1] [2]

Credential authority host propagation:
- Updated `CustomChainedCredential` and all credential creation methods to use the authority host from the cloud configuration, ensuring that authentication respects the selected cloud environment for all supported credential types (e.g., ManagedIdentity, VisualStudio, AzureCli, etc.). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]

ARM client environment support:
- Updated `BaseAzureService` and `TenantService` to use the ARM environment from the cloud configuration when creating `ArmClient` instances, ensuring resource management operations are performed against the correct cloud endpoints. [1] [2] [3]

Tenant service cloud configuration exposure:
- Updated `ITenantService` and its implementation to expose the cloud configuration, enabling other components to access the selected cloud environment. [1] [2]

These changes collectively allow the application to operate in different Azure cloud environments by propagating the cloud selection throughout authentication and resource management flows.
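The resolution the PR description outlines, as an added example that is not the PR's own `AzureCloudConfiguration`: the first non-empty source wins in the stated order (command line, then appsettings.json, then an environment variable), a known cloud name is mapped to the matching `Azure.Identity` authority host and `Azure.ResourceManager` ARM environment, and a custom value is accepted only as an absolute `https://` authority host. The parameter names, the record type and the `ToSdkOptions` helper are assumptions; the page does not say which ARM endpoint the PR pairs with a custom authority host, so the example leaves that unset rather than guessing.

```csharp
using System;
using System.Collections.Generic;
using Azure.Identity;
using Azure.ResourceManager;

// Added example, not the PR's AzureCloudConfiguration. Resolves the cloud selection with the
// precedence the PR description states (command line > appsettings.json > environment variable)
// and maps it to SDK types. Parameter names and the record type are assumptions.
public sealed record ResolvedCloud(string Source, Uri AuthorityHost, ArmEnvironment? Arm);

public static class CloudResolver
{
    // Well-known clouds as exposed by Azure.Identity (authority hosts) and Azure.ResourceManager (ARM).
    private static readonly Dictionary<string, (Uri Authority, ArmEnvironment Arm)> KnownClouds =
        new(StringComparer.OrdinalIgnoreCase)
        {
            ["AzureCloud"] = (AzureAuthorityHosts.AzurePublicCloud, ArmEnvironment.AzurePublicCloud),
            ["AzureChinaCloud"] = (AzureAuthorityHosts.AzureChina, ArmEnvironment.AzureChina),
            ["AzureUSGovernment"] = (AzureAuthorityHosts.AzureGovernment, ArmEnvironment.AzureGovernment),
            ["AzureGermanyCloud"] = (AzureAuthorityHosts.AzureGermany, ArmEnvironment.AzureGermany),
        };

    public static ResolvedCloud Resolve(string? commandLineValue, string? appSettingsValue, string? environmentValue)
    {
        // First non-empty source wins; the source is recorded so startup logging can show where
        // the selection came from, which is the first thing to check when auth lands in the wrong cloud.
        string source;
        string value;
        if (!string.IsNullOrWhiteSpace(commandLineValue)) { source = "command line"; value = commandLineValue; }
        else if (!string.IsNullOrWhiteSpace(appSettingsValue)) { source = "appsettings.json"; value = appSettingsValue; }
        else if (!string.IsNullOrWhiteSpace(environmentValue)) { source = "environment variable"; value = environmentValue; }
        else { source = "default"; value = "AzureCloud"; }

        string trimmed = value.Trim();
        if (KnownClouds.TryGetValue(trimmed, out var known))
        {
            return new ResolvedCloud(source, known.Authority, known.Arm);
        }

        // Anything else must be an absolute https URL naming a custom authority host. No ARM
        // environment is inferred from it (assumption: the caller sets ArmClientOptions.Environment).
        if (Uri.TryCreate(trimmed, UriKind.Absolute, out Uri? custom) && custom.Scheme == Uri.UriSchemeHttps)
        {
            return new ResolvedCloud(source, custom, null);
        }

        // Fail closed instead of silently using the public cloud.
        throw new ArgumentException(
            $"Cloud value '{trimmed}' from {source} is neither a known cloud name nor an https:// URL.");
    }

    // Applies the resolved cloud to the credential options and the ARM client options.
    public static (DefaultAzureCredentialOptions Credential, ArmClientOptions Arm) ToSdkOptions(ResolvedCloud cloud)
    {
        var credentialOptions = new DefaultAzureCredentialOptions { AuthorityHost = cloud.AuthorityHost };
        var armOptions = new ArmClientOptions();
        if (cloud.Arm is { } arm)
        {
            armOptions.Environment = arm;
        }
        return (credentialOptions, armOptions);
    }
}
```

With `Resolve("AzureUSGovernment", "AzureChinaCloud", null)` the command-line value wins and both the authority host and ARM environment point at the US Government cloud; with `Resolve(null, null, "https://login.example.invalid/")` the custom authority host is accepted and `Arm` is null, so the ARM client must be configured separately.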