Skip to content

Fix endpoint validation to pass ArmEnvironment always#2320

Merged
alzimmermsft merged 4 commits into
microsoft:mainfrom
alzimmermsft:SovereignCloudAuthFollowup
Apr 1, 2026
Merged

Fix endpoint validation to pass ArmEnvironment always#2320
alzimmermsft merged 4 commits into
microsoft:mainfrom
alzimmermsft:SovereignCloudAuthFollowup

Conversation

@alzimmermsft
Copy link
Copy Markdown
Contributor

@alzimmermsft alzimmermsft commented Apr 1, 2026

What does this PR do?

Updates EndpointValidator to remove overload of ValidateAzureServiceEndpoint that doesn't take ArmEnvironment and update all calling locations to use the variant that does and to pass the ArmEnvironment configured in the TenantService.

GitHub issue number?

[Link to the GitHub issue this PR addresses]

Pre-merge Checklist

  • Required for All PRs
    • Read contribution guidelines
    • PR title clearly describes the change
    • Commit history is clean with descriptive messages (cleanup guide)
    • Added comprehensive tests for new/modified functionality
    • Created a changelog entry if the change falls among the following: new feature, bug fix, UI/UX update, breaking change, or updated dependencies. Follow the changelog entry guide
  • For MCP tool changes:
    • One tool per PR: This PR adds or modifies only one MCP tool for faster review cycles
    • Updated servers/Azure.Mcp.Server/README.md and/or servers/Fabric.Mcp.Server/README.md documentation
    • Validate README.md changes running the script ./eng/scripts/Process-PackageReadMe.ps1. See Package README
    • For new or modified tool descriptions, ran ToolDescriptionEvaluator and obtained a score of 0.4 or more and a top 3 ranking for all related test prompts
    • For tools with new names, including new tools or renamed tools, update consolidated-tools.json
    • For renamed tools, follow the Tool Rename Checklist and tag the PR with the breaking-change label
    • For new tools associated with Azure services or publicly available tools/APIs/products, add URL to documentation in the PR description
  • Extra steps for Azure MCP Server tool changes:
    • Updated command list in servers/Azure.Mcp.Server/docs/azmcp-commands.md
    • Ran ./eng/scripts/Update-AzCommandsMetadata.ps1 to update tool metadata in azmcp-commands.md (required for CI)
    • Updated test prompts in servers/Azure.Mcp.Server/docs/e2eTestPrompts.md
    • 👉 For Community (non-Microsoft team member) PRs:
      • Security review: Reviewed code for security vulnerabilities, malicious code, or suspicious activities before running tests (crypto mining, spam, data exfiltration, etc.)
      • Manual tests run: added comment /azp run mcp - pullrequest - live to run Live Test Pipeline

@alzimmermsft alzimmermsft self-assigned this Apr 1, 2026
Copilot AI review requested due to automatic review settings April 1, 2026 14:10
@github-project-automation github-project-automation Bot moved this to Untriaged in Azure MCP Server Apr 1, 2026
@github-actions github-actions Bot added tools-ACR tools-AppConfig AppConfig tools-Communication tools for Azure communication services labels Apr 1, 2026
Copilot AI reviewed Apr 1, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates endpoint domain validation to always consider the configured Azure cloud (ArmEnvironment) so that sovereign cloud endpoints (China/Gov/etc.) validate correctly across tools and helpers.

Changes:

  • Removed the EndpointValidator.ValidateAzureServiceEndpoint(string endpoint, string serviceType) overload so callers must provide ArmEnvironment.
  • Updated tool services to pass TenantService.CloudConfiguration.ArmEnvironment into endpoint validation.
  • Updated/added unit tests and added a server changelog entry for the fix.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 7 comments.

Show a summary per file
File Description
tools/Azure.Mcp.Tools.Communication/src/Services/CommunicationService.cs Passes tenant-configured ArmEnvironment into endpoint validation for Communication endpoints.
tools/Azure.Mcp.Tools.AppConfig/src/Services/AppConfigService.cs Passes tenant-configured ArmEnvironment into endpoint validation for AppConfig endpoints.
tools/Azure.Mcp.Tools.Acr/src/Services/AcrService.cs Passes tenant-configured ArmEnvironment into endpoint validation for ACR login server endpoints.
servers/Azure.Mcp.Server/changelog-entries/1775052619914.yaml Adds changelog entry documenting the sovereign cloud endpoint validation fix.
core/Microsoft.Mcp.Core/tests/Microsoft.Mcp.Core.UnitTests/Helpers/EndpointValidatorTests.cs Updates tests to use the 3-parameter validation API (but currently contains failing assertions).
core/Microsoft.Mcp.Core/src/Helpers/EndpointValidator.cs Removes the 2-parameter overload so ArmEnvironment must be provided by callers.
Comments suppressed due to low confidence (1)

core/Microsoft.Mcp.Core/src/Helpers/EndpointValidator.cs:106

  • Removing the public 2-parameter overload is a breaking API change for any external consumers of Microsoft.Mcp.Core. If this library is published, consider keeping the overload and marking it [Obsolete] (forwarding to the 3-parameter method) for at least one release, or ensure versioning/changelog reflects the breaking change.
    /// <summary>
    /// Validates that an endpoint belongs to an allowed Azure service domain for the specified cloud environment.
    /// </summary>
    /// <param name="endpoint">The endpoint URL to validate.</param>
    /// <param name="serviceType">The type of Azure service (e.g., "storage-blob", "keyvault").</param>
    /// <param name="armEnvironment">The Azure cloud environment (Public, China, Government, etc.).</param>
    public static void ValidateAzureServiceEndpoint(string endpoint, string serviceType, ArmEnvironment armEnvironment)
    {

Comment thread core/Microsoft.Mcp.Core/tests/Microsoft.Mcp.Core.UnitTests/Helpers/EndpointValidatorTests.cs Outdated
Comment thread core/Microsoft.Mcp.Core/tests/Microsoft.Mcp.Core.UnitTests/Helpers/EndpointValidatorTests.cs
Comment thread core/Microsoft.Mcp.Core/tests/Microsoft.Mcp.Core.UnitTests/Helpers/EndpointValidatorTests.cs
Comment thread core/Microsoft.Mcp.Core/tests/Microsoft.Mcp.Core.UnitTests/Helpers/EndpointValidatorTests.cs Outdated
Comment thread core/Microsoft.Mcp.Core/tests/Microsoft.Mcp.Core.UnitTests/Helpers/EndpointValidatorTests.cs Outdated
Comment thread core/Microsoft.Mcp.Core/tests/Microsoft.Mcp.Core.UnitTests/Helpers/EndpointValidatorTests.cs Outdated
Comment thread core/Microsoft.Mcp.Core/tests/Microsoft.Mcp.Core.UnitTests/Helpers/EndpointValidatorTests.cs
jongio
jongio reviewed Apr 1, 2026
View reviewed changes
Comment thread core/Microsoft.Mcp.Core/tests/Microsoft.Mcp.Core.UnitTests/Helpers/EndpointValidatorTests.cs Outdated
@github-project-automation github-project-automation Bot moved this from Untriaged to In Progress in Azure MCP Server Apr 1, 2026
@xiangyan99
Copy link
Copy Markdown
Member

xiangyan99 commented Apr 1, 2026

You need dotnet format

@alzimmermsft alzimmermsft force-pushed the SovereignCloudAuthFollowup branch from 0a49b53 to f0fb4be Compare April 1, 2026 15:26
@alzimmermsft alzimmermsft merged commit e449dcc into microsoft:main Apr 1, 2026
15 checks passed
@alzimmermsft alzimmermsft deleted the SovereignCloudAuthFollowup branch April 1, 2026 17:41
@github-project-automation github-project-automation Bot moved this from In Progress to Done in Azure MCP Server Apr 1, 2026
alzimmermsft added a commit to alzimmermsft/mcp that referenced this pull request Apr 1, 2026
@alzimmermsft
Fix endpoint validation to pass ArmEnvironment always (microsoft#2320)
ccb6ddc 
* Fix endpoint validation to pass ArmEnvironment always

* Add CHANGELOG entry

* Testing change revert

* Fix linting
vcolin7 pushed a commit that referenced this pull request Apr 1, 2026
@alzimmermsft
Fix endpoint validation to pass ArmEnvironment always (#2322)
fdc11c1 
Fix endpoint validation to pass ArmEnvironment always (#2320)

* Fix endpoint validation to pass ArmEnvironment always

* Add CHANGELOG entry

* Testing change revert

* Fix linting
colbytimm pushed a commit to colbytimm/microsoft-mcp that referenced this pull request Apr 20, 2026
@alzimmermsft @colbytimm
Fix endpoint validation to pass ArmEnvironment always (microsoft#2320)
ebb5419 
* Fix endpoint validation to pass ArmEnvironment always

* Add CHANGELOG entry

* Testing change revert

* Fix linting
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jongio jongio jongio left review comments

Copilot code review Copilot Copilot left review comments

@xiangyan99 xiangyan99 xiangyan99 approved these changes

@KarishmaGhiya KarishmaGhiya Awaiting requested review from KarishmaGhiya KarishmaGhiya is a code owner

@conniey conniey Awaiting requested review from conniey conniey is a code owner

@JonathanCrd JonathanCrd Awaiting requested review from JonathanCrd JonathanCrd is a code owner

@tmeschter tmeschter Awaiting requested review from tmeschter tmeschter is a code owner automatically assigned from microsoft/azure-mcp

@msalaman msalaman Awaiting requested review from msalaman msalaman is a code owner automatically assigned from microsoft/azure-mcp

@JasonYeMSFT JasonYeMSFT Awaiting requested review from JasonYeMSFT JasonYeMSFT is a code owner automatically assigned from microsoft/azure-mcp

Assignees

@alzimmermsft alzimmermsft

Labels

tools-ACR tools-AppConfig AppConfig tools-Communication tools for Azure communication services

Projects

Azure MCP Server
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@alzimmermsft @xiangyan99 @jongio