AzAppConfiguration module doesn't support US Government environment

[elearningforce-ag]

Description

When I run any AppConfiguration command in US Government tenant like Set-AzAppConfigurationKeyValue for example I get the following error:
AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope AzureAppConfigurationEndpointResourceId/.default is not valid.

Looks like government endpoint is not set in Authentication module.
The url of AppConfiguration instance in government is ".azconfig.azure.us".

Issue script & Debug output

DEBUG: [CmdletBeginProcessing]: Starting command
DEBUG: CmdletBeginProcessing: 
DEBUG: CmdletProcessRecordStart: 
DEBUG: CmdletGetPipeline: 
DEBUG: CmdletBeforeAPICall: 
DEBUG: URLCreated: /kv/...?api-version=1.0
DEBUG: RequestCreated: /kv/...?api-version=1.0
DEBUG: HeaderParametersAdded: 
DEBUG: BodyContentSet: 
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
PUT

Absolute Uri:
https://....azconfig.azure.us/kv/...?api-version=1.0

Headers:
x-ms-client-request-id        : af0052db-99ac-42aa-b73d-639afe9ffe89
CommandName                   : Set-AzAppConfigurationKeyValue
FullCommandName               : Set-AzAppConfigurationKeyValue_PutExpanded
ParameterSetName              : __AllParameterSets
User-Agent                    : AzurePowershell/v11.3.1,PSVersion/v7.4.1,Az.AppConfigurationdata/1.3.0

Body: ...

DEBUG: BeforeCall: 
DEBUG: Finally: 
DEBUG: [CmdletProcessRecordAsyncEnd]: Finish HTTP process
DEBUG: CmdletProcessRecordAsyncEnd: 
DEBUG: [CmdletException]: Received Exception with message 'AuthenticationFailedException - ClientSecretCredential authentication failed: AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope AzureAppConfigurationEndpointResourceId/.default is not valid. Trace ID: 54e1da63-5e57-408f-9479-8db7a6385b00 Correlation ID: df13c5e8-086d-4d9e-bc7f-62f90c2e4dcf Timestamp: 2024-02-22 15:15:17Z :    at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable)
   at Azure.Identity.ClientSecretCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Microsoft.Azure.PowerShell.Authenticators.MsalAccessToken.GetAccessTokenAsync(String callerClassName, String parametersLog, TokenCredential tokenCredential, TokenRequestContext requestContext, CancellationToken cancellationToken, String tenantId, String userId, String homeAccountId)
   at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzureAccount account, IAzureEnvironment environment, String tenant, SecureString password, String promptBehavior, Action`1 promptAction, IAzureTokenCache tokenCache, String resourceId)
   at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzureAccount account, IAzureEnvironment environment, String tenant, SecureString password, String promptBehavior, Action`1 promptAction, String resourceId)
   at Microsoft.Azure.Commands.Common.ContextAdapter.<>c__DisplayClass15_0.<AuthorizeRequest>b__0()
   at System.Threading.Tasks.Task`1.InnerInvoke()
   at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
--- End of stack trace from previous location ---
   at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot, Thread threadPoolThread)
--- End of stack trace from previous location ---
   at Microsoft.Azure.Commands.Common.ContextAdapter.AuthorizeRequest(IAzureContext context, HttpRequestMessage request, CancellationToken cancellationToken, String endpointResourceIdKey, String endpointSuffixKey, Func`6 tokenAudienceConverter, IDictionary`2 extensibleParamters)
   at Microsoft.Azure.Commands.Common.ContextAdapter.AuthenticationHelper(IAzureContext context, String endpointResourceIdKey, String endpointSuffixKey, HttpRequestMessage request, CancellationToken cancelToken, Action cancelAction, Func`4 signal, Func`5 next, Func`6 tokenAudienceConverter)
   at Microsoft.Azure.Commands.Common.ContextAdapter.<>c__DisplayClass10_0.<<AddAuthorizeRequestHandler>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.Azure.Commands.Common.ContextAdapter.<>c__DisplayClass9_0.<<AddPatchRequestUriHandler>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.Azure.PowerShell.Cmdlets.AppConfigurationdata.AppConfigurationdata.PutKeyValue_Call(HttpRequestMessage request, Func`3 onOk, Func`3 onDefault, IEventListener eventListener, ISendAsync sender)
   at Microsoft.Azure.PowerShell.Cmdlets.AppConfigurationdata.AppConfigurationdata.PutKeyValue_Call(HttpRequestMessage request, Func`3 onOk, Func`3 onDefault, IEventListener eventListener, ISendAsync sender)
   at Microsoft.Azure.PowerShell.Cmdlets.AppConfigurationdata.AppConfigurationdata.PutKeyValue(String key, String syncToken, String ifMatch, String ifNoneMatch, String label, String endpoint, IKeyValue body, Func`3 onOk, Func`3 onDefault, IEventListener eventListener, ISendAsync sender, SerializationMode serializationMode)
   at Microsoft.Azure.PowerShell.Cmdlets.AppConfigurationdata.Cmdlets.SetAzAppConfigurationKeyValue_PutExpanded.ProcessRecordAsync()
   at Microsoft.Azure.PowerShell.Cmdlets.AppConfigurationdata.Cmdlets.SetAzAppConfigurationKeyValue_PutExpanded.ProcessRecordAsync()'
DEBUG: CmdletException: AuthenticationFailedException - ClientSecretCredential authentication failed: AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope AzureAppConfigurationEndpointResourceId/.default is not valid. Trace ID: 54e1da63-5e57-408f-9479-8db7a6385b00 Correlation ID: df13c5e8-086d-4d9e-bc7f-62f90c2e4dcf Timestamp: 2024-02-22 15:15:17Z :    at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable)
   at Azure.Identity.ClientSecretCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Microsoft.Azure.PowerShell.Authenticators.MsalAccessToken.GetAccessTokenAsync(String callerClassName, String parametersLog, TokenCredential tokenCredential, TokenRequestContext requestContext, CancellationToken cancellationToken, String tenantId, String userId, String homeAccountId)
   at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzureAccount account, IAzureEnvironment environment, String tenant, SecureString password, String promptBehavior, Action`1 promptAction, IAzureTokenCache tokenCache, String resourceId)
   at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzureAccount account, IAzureEnvironment environment, String tenant, SecureString password, String promptBehavior, Action`1 promptAction, String resourceId)
   at Microsoft.Azure.Commands.Common.ContextAdapter.<>c__DisplayClass15_0.<AuthorizeRequest>b__0()
   at System.Threading.Tasks.Task`1.InnerInvoke()
   at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
--- End of stack trace from previous location ---
   at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot, Thread threadPoolThread)
--- End of stack trace from previous location ---
   at Microsoft.Azure.Commands.Common.ContextAdapter.AuthorizeRequest(IAzureContext context, HttpRequestMessage request, CancellationToken cancellationToken, String endpointResourceIdKey, String endpointSuffixKey, Func`6 tokenAudienceConverter, IDictionary`2 extensibleParamters)
   at Microsoft.Azure.Commands.Common.ContextAdapter.AuthenticationHelper(IAzureContext context, String endpointResourceIdKey, String endpointSuffixKey, HttpRequestMessage request, CancellationToken cancelToken, Action cancelAction, Func`4 signal, Func`5 next, Func`6 tokenAudienceConverter)
   at Microsoft.Azure.Commands.Common.ContextAdapter.<>c__DisplayClass10_0.<<AddAuthorizeRequestHandler>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.Azure.Commands.Common.ContextAdapter.<>c__DisplayClass9_0.<<AddPatchRequestUriHandler>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.Azure.PowerShell.Cmdlets.AppConfigurationdata.AppConfigurationdata.PutKeyValue_Call(HttpRequestMessage request, Func`3 onOk, Func`3 onDefault, IEventListener eventListener, ISendAsync sender)
   at Microsoft.Azure.PowerShell.Cmdlets.AppConfigurationdata.AppConfigurationdata.PutKeyValue_Call(HttpRequestMessage request, Func`3 onOk, Func`3 onDefault, IEventListener eventListener, ISendAsync sender)
   at Microsoft.Azure.PowerShell.Cmdlets.AppConfigurationdata.AppConfigurationdata.PutKeyValue(String key, String syncToken, String ifMatch, String ifNoneMatch, String label, String endpoint, IKeyValue body, Func`3 onOk, Func`3 onDefault, IEventListener eventListener, ISendAsync sender, SerializationMode serializationMode)
   at Microsoft.Azure.PowerShell.Cmdlets.AppConfigurationdata.Cmdlets.SetAzAppConfigurationKeyValue_PutExpanded.ProcessRecordAsync()
   at Microsoft.Azure.PowerShell.Cmdlets.AppConfigurationdata.Cmdlets.SetAzAppConfigurationKeyValue_PutExpanded.ProcessRecordAsync()
DEBUG: CmdletProcessRecordEnd: 
Set-AzAppConfigurationKeyValue_PutExpanded: /home/vsts/work/_temp/2e718c6e-538d-4ad8-b1f4-7e7a1d41b7af.ps1:11
Line |
  11 |  Set-AzAppConfigurationKeyValue -endpoint https://lms365-configuration …
     |  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | ClientSecretCredential authentication failed: AADSTS70011: The provided
     | request must include a 'scope' input parameter. The provided value for
     | the input parameter 'scope' is not valid. The scope
     | AzureAppConfigurationEndpointResourceId/.default is not valid. Trace ID:
     | 54e1da63-5e57-408f-9479-8db7a6385b00 Correlation ID:
     | df13c5e8-086d-4d9e-bc7f-62f90c2e4dcf Timestamp: 2024-02-22 15:15:17Z
##[error]PowerShell exited with code '1'.

Environment data

Name                           Value
----                           -----
PSVersion                      7.4.1
PSEdition                      Core
GitCommitId                    7.4.1
OS                             Ubuntu 22.04.4 LTS
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

Name              : Az.Accounts
Path              : /usr/share/az_11.3.1/Az.Accounts/2.15.1/Az.Accounts.psm1
Description       : Microsoft Azure PowerShell - Accounts credential management
                     cmdlets for Azure Resource Manager in Windows PowerShell a
                    nd PowerShell Core.
                    
                    For more information on account credential management, plea
                    se visit the following: https://learn.microsoft.com/powersh
                    ell/azure/authenticate-azureps
Guid              : 17a2feff-488b-47f9-8729-e2cec094624c
Version           : 2.15.1
ModuleBase        : /usr/share/az_11.3.1/Az.Accounts/2.15.1
ModuleType        : Script
PrivateData       : {[PSData, System.Collections.Hashtable]}
AccessMode        : ReadWrite
ExportedAliases   : {[Add-AzAccount, Add-AzAccount], [Get-AzDomain, Get-AzDomai
                    n], [Invoke-AzRest, Invoke-AzRest], [Login-AzAccount, Login
                    -AzAccount]…}
ExportedCmdlets   : {[Add-AzEnvironment, Add-AzEnvironment], [Clear-AzConfig, C
                    lear-AzConfig], [Clear-AzContext, Clear-AzContext], [Clear-
                    AzDefault, Clear-AzDefault]…}
ExportedFunctions : {}
ExportedVariables : {}
NestedModules     : {Microsoft.Azure.PowerShell.Cmdlets.Accounts}

Error output

Can't get it from Azure DevOps pipeline.

[microsoft-github-policy-service]

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @shenmuxiaosen, @avanigupta.

[microsoft-github-policy-service]

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @shenmuxiaosen, @avanigupta.

[isra-fel]

I checked and the resourceid and endpoint of app config were not set for the sovereign clouds. https://github.com/Azure/azure-powershell-common/blob/main/src/Authentication.Abstractions/AzureEnvironmentConstants.cs#L271-L275
I have looped in App Configuration team. @shenmuxiaosen @avanigupta we can totally support this if you could provide a list of resource IDs and endpoints for different clouds.

[msJinLei]

@elearningforce-ag Could see run the following cmdlets to see whether the issue is workarounded?

$context = Get-AzContext
$context.Environment.ExtendedProperties['AzureAppConfigurationEndpointResourceId'] = "https://azconfig.azure.us"
$context.Environment.ExtendedProperties['AzureAppConfigurationEndpointSuffix'] = "azconfig.azure.us"
set-AzContext -Context $context

[elearningforce-ag]

@elearningforce-ag Could see run the following cmdlets to see whether the issue is workarounded?

$context = Get-AzContext
$context.Environment.ExtendedProperties['AzureAppConfigurationEndpointResourceId'] = "https://azconfig.azure.us"
$context.Environment.ExtendedProperties['AzureAppConfigurationEndpointSuffix'] = "azconfig.azure.us"
set-AzContext -Context $context

Yes, this workaround solved the issue. Thank you.

[vidai-msft]

The issue has been fixed with PRs #27380 and Azure/azure-powershell-common#440