@jairmyree
Member

This pull request introduces support for specifying the Azure cloud environment used for authentication and Azure Resource Manager operations. It adds a new --cloud command-line option, wires cloud configuration through dependency injection, and ensures all Azure credential types respect the selected cloud authority host. This enables seamless use of sovereign or custom clouds (such as AzureChinaCloud, AzureUSGovernment, or custom authority host URLs) across authentication and ARM client creation.

Cloud configuration support:

  • Added a new --cloud command-line option to ServiceStartCommand, allowing users to specify the Azure cloud environment for authentication (e.g., AzureCloud, AzureChinaCloud, AzureUSGovernment, or a custom authority host URL). This is reflected in ServiceOptionDefinitions, option registration, option binding, and the ServiceStartOptions model. [1] [2] [3] [4] [5]

  • Introduced the IAzureCloudConfiguration interface and its implementation AzureCloudConfiguration, which determines the authority host and ARM environment from command line, configuration, or environment variables. [1] [2]

Dependency injection and service registration:

  • Updated AuthenticationServiceCollectionExtensions to register IAzureCloudConfiguration and inject it into the custom credential provider, making the cloud configuration available to all authentication flows. [1] [2]

Credential authority host propagation:

  • Modified CustomChainedCredential and all credential creation methods to use the authority host from the cloud configuration, ensuring that authentication respects the selected cloud environment for all supported credential types (e.g., ManagedIdentity, VisualStudio, AzureCli, etc.). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]

ARM client environment support:

  • Enhanced BaseAzureService and TenantService to use the ARM environment from the cloud configuration when creating ArmClient instances, ensuring resource management operations are performed against the correct cloud endpoints. [1] [2] [3]

Tenant service cloud configuration exposure:

  • Updated ITenantService and its implementation to expose the cloud configuration, enabling other components to access the selected cloud environment. [1] [2]

These changes collectively allow the application to operate in different Azure cloud environments by propagating the cloud selection throughout authentication and resource management flows.

@jairmyree
Member Author

jairmyree commented Jan 20, 2026

This PR does not account for Services that hard-code Azure Public endpoints. Those servers still need to be adjusted to enable sovereign cloud support. The following services will need additional updates:

  • Storage
  • Search
  • KeyVault
  • Postgres
  • MySql
  • ResourceHealth
  • Marketplace
  • Monitor
  • Quota
  • Kusto
  • Speech
  • AppLens

Contributor

Copilot AI left a comment


Pull request overview

This pull request introduces comprehensive support for Azure sovereign clouds by adding a --cloud command-line option and wiring cloud configuration throughout the authentication and resource management flows. The implementation enables users to specify Azure cloud environments (AzureCloud, AzureChinaCloud, AzureUSGovernment, AzureGermanyCloud) or custom authority host URLs, with configuration sources prioritized as: command-line arguments > appsettings.json > environment variables.

Changes:

  • Introduced IAzureCloudConfiguration interface and AzureCloudConfiguration implementation to centralize cloud configuration management
  • Updated authentication credential chain to respect cloud-specific authority hosts across all credential types (ManagedIdentity, VisualStudio, AzureCli, etc.)
  • Enhanced ARM client creation to target cloud-specific ARM environments for resource management operations

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 9 comments.

| File | Description |
| --- | --- |
| docs/sovereign-clouds.md | Comprehensive documentation for sovereign cloud configuration with examples for CLI, Docker, and MCP client setups |
| core/Azure.Mcp.Core/tests/Azure.Mcp.Core.UnitTests/Services/Azure/Authentication/AzureCloudConfigurationTests.cs | Extensive unit tests covering cloud name mappings, custom URLs, configuration priority, and edge cases |
| core/Azure.Mcp.Core/src/Services/Azure/Tenant/TenantService.cs | Integrated cloud configuration and applied ARM environment to tenant enumeration |
| core/Azure.Mcp.Core/src/Services/Azure/Tenant/ITenantService.cs | Extended interface to expose cloud configuration |
| core/Azure.Mcp.Core/src/Services/Azure/BaseAzureService.cs | Applied ARM environment from cloud configuration to all ARM client creation |
| core/Azure.Mcp.Core/src/Services/Azure/Authentication/IAzureCloudConfiguration.cs | New interface defining authority host and ARM environment properties |
| core/Azure.Mcp.Core/src/Services/Azure/Authentication/CustomChainedCredential.cs | Added static cloud configuration property and applied authority host to all credential types |
| core/Azure.Mcp.Core/src/Services/Azure/Authentication/AzureCloudConfiguration.cs | Implementation that reads cloud configuration from multiple sources with proper priority |
| core/Azure.Mcp.Core/src/Services/Azure/Authentication/AuthenticationServiceCollectionExtensions.cs | Registered cloud configuration service and initialized static credential property |
| core/Azure.Mcp.Core/src/Areas/Server/Options/ServiceStartOptions.cs | Added Cloud property to support command-line cloud configuration |
| core/Azure.Mcp.Core/src/Areas/Server/Options/ServiceOptionDefinitions.cs | Defined Cloud option with description and default value |
| core/Azure.Mcp.Core/src/Areas/Server/Commands/ServiceStartCommand.cs | Registered and bound Cloud option to service start options |

Comments suppressed due to low confidence (1)

core/Azure.Mcp.Core/src/Areas/Server/Commands/ServiceStartCommand.cs:100

  • The Cloud option lacks input validation in the command validator. Consider adding validation to ensure that if a URL is provided, it starts with "https://", and potentially warn users if they provide an unrecognized cloud name. This would provide better user feedback at the command line rather than silently defaulting to public cloud.
        command.Validators.Add(commandResult =>
        {
            string transport = ResolveTransport(commandResult);
            bool httpIncomingAuthDisabled = commandResult.GetValueOrDefault<bool>(ServiceOptionDefinitions.DangerouslyDisableHttpIncomingAuth);
            ValidateMode(commandResult.GetValueOrDefault(ServiceOptionDefinitions.Mode), commandResult);
            ValidateTransportConfiguration(transport, httpIncomingAuthDisabled, commandResult);
            ValidateNamespaceAndToolMutualExclusion(
                commandResult.GetValueOrDefault<string[]?>(ServiceOptionDefinitions.Namespace.Name),
                commandResult.GetValueOrDefault<string[]?>(ServiceOptionDefinitions.Tool.Name),
                commandResult);
            ValidateOutgoingAuthStrategy(commandResult);
            ValidateSupportLoggingFolder(commandResult);
        });
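
The validation suggested in the suppressed comment above, as an added example (not code from this PR or the Azure MCP repository): blank values fall through to the next source, known cloud names map to their authority hosts, a custom value must be an absolute https URL, and anything else is rejected rather than defaulting to the public cloud. `CloudResolver`, `Resolve` and the `login.example.test` host are hypothetical names chosen for illustration.

```csharp
using System;
using System.Collections.Generic;

// Added illustration: CloudResolver and Resolve are hypothetical names, not the PR's code.
public static class CloudResolver
{
    // Public Microsoft Entra authority hosts for the cloud names used in this thread.
    private static readonly Dictionary<string, Uri> KnownClouds = new(StringComparer.OrdinalIgnoreCase)
    {
        ["AzureCloud"] = new Uri("https://login.microsoftonline.com"),
        ["AzureChinaCloud"] = new Uri("https://login.chinacloudapi.cn"),
        ["AzureUSGovernment"] = new Uri("https://login.microsoftonline.us"),
    };

    // Sources are passed in priority order; blank values count as "not set".
    public static Uri Resolve(params string?[] sourcesInPriorityOrder)
    {
        string? value = null;
        foreach (var candidate in sourcesInPriorityOrder)
        {
            if (!string.IsNullOrWhiteSpace(candidate)) { value = candidate.Trim(); break; }
        }

        if (value is null) return KnownClouds["AzureCloud"]; // nothing configured anywhere
        if (KnownClouds.TryGetValue(value, out var known)) return known;

        // Anything else must be an absolute https URL without embedded credentials.
        if (Uri.TryCreate(value, UriKind.Absolute, out var custom)
            && custom.Scheme == Uri.UriSchemeHttps
            && custom.UserInfo.Length == 0)
        {
            return custom;
        }
        // Fail closed: a typo must not silently select the public cloud.
        throw new ArgumentException($"Unrecognized cloud '{value}'.");
    }

    public static void Main()
    {
        // Constructed inputs in the order: command line, appsettings.json, AZURE_CLOUD.
        Console.WriteLine(Resolve(null, "", "AzureChinaCloud"));          // env var is used
        Console.WriteLine(Resolve("https://login.example.test", null, "AzureCloud"));
        foreach (var bad in new[] { "http://login.example.test", "AzureChinaClod" })
        {
            try { Resolve(bad); }
            catch (ArgumentException ex) { Console.WriteLine(ex.Message); }
        }
    }
}
```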

Comment on lines +23 to +35
public AzureCloudConfiguration(IConfiguration configuration, IOptions<ServiceStartOptions>? serviceStartOptions = null)
{
// Try to get cloud configuration from various sources in priority order:
// 1. ServiceStartOptions (--cloud command line argument)
// 2. Configuration (appsettings.json or environment variables)
var cloudValue = serviceStartOptions?.Value?.Cloud
?? configuration["cloud"]
?? configuration["Cloud"]
?? configuration["AZURE_CLOUD"]
?? Environment.GetEnvironmentVariable("AZURE_CLOUD");

(AuthorityHost, ArmEnvironment) = ParseCloudValue(cloudValue);
}
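
Review bot: the fallback chain assigned to cloudValue uses `??`, which skips only null, so an empty or whitespace --cloud value (or an empty "cloud" configuration entry) takes precedence over a correctly set AZURE_CLOUD and reaches ParseCloudValue unchanged; treat blank values as unset before coalescing. The lookups `configuration["cloud"]` and `configuration["Cloud"]` are the same lookup because IConfiguration keys are case-insensitive, so one of them can be dropped, and the priority comment lists two sources while the chain performs five lookups. Since the result becomes AuthorityHost, the comment should state the intended order in full.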

Copilot AI Jan 20, 2026


Consider adding logging to AzureCloudConfiguration to log which cloud configuration is being used (authority host and ARM environment). This would help with troubleshooting sovereign cloud configuration issues and make it easier to verify that the correct cloud is being used, especially given the documentation mentions using --log-level Debug for verification.

Copilot uses AI. Check for mistakes.
Comment on lines 45 to +53

var options = AddDefaultPolicies(new ArmClientOptions());
options.Transport = new HttpClientTransport(GetClient());
options.Environment = CloudConfiguration.ArmEnvironment;

Copilot AI Jan 20, 2026


The new IAzureCloudConfiguration integration with TenantService and BaseAzureService lacks test coverage. Consider adding integration tests to verify that the cloud configuration is correctly propagated to ArmClient instances, ensuring that ARM operations target the correct cloud environment.

Comment on lines +23 to +35
public AzureCloudConfiguration(IConfiguration configuration, IOptions<ServiceStartOptions>? serviceStartOptions = null)
{
// Try to get cloud configuration from various sources in priority order:
// 1. ServiceStartOptions (--cloud command line argument)
// 2. Configuration (appsettings.json or environment variables)
var cloudValue = serviceStartOptions?.Value?.Cloud
?? configuration["cloud"]
?? configuration["Cloud"]
?? configuration["AZURE_CLOUD"]
?? Environment.GetEnvironmentVariable("AZURE_CLOUD");

(AuthorityHost, ArmEnvironment) = ParseCloudValue(cloudValue);
}

Copilot AI Jan 20, 2026


According to the coding guidelines, primary constructors should be used in C#. Consider refactoring this class to use a primary constructor pattern. However, given the current logic that parses the cloud value in the constructor, a traditional constructor may be more appropriate unless the parsing is moved to a separate initialization method or property initializer.

Copilot generated this review using guidance from repository custom instructions.
Comment on lines +20 to +21
| Azure Germany Cloud | `https://login.microsoftonline.de` | `AzureGermanyCloud`, `germany` |


Copilot AI Jan 20, 2026


Azure Germany Cloud was retired on October 29, 2021. Including it in the documentation and implementation may be misleading for users. Consider removing AzureGermanyCloud support or adding a deprecation notice in the documentation to clarify that this cloud is no longer active.

Suggested change
| Azure Germany Cloud | `https://login.microsoftonline.de` | `AzureGermanyCloud`, `germany` |
| Azure Germany Cloud (retired) | `https://login.microsoftonline.de` | `AzureGermanyCloud`, `germany` |
> **Note:** Azure Germany Cloud was retired on October 29, 2021 and is no longer an active Azure offering. Support for `AzureGermanyCloud` and `germany` is provided only for existing legacy tenants and should not be used for new deployments.

jairmyree and others added 6 commits January 20, 2026 14:56
…udConfiguration.cs

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…udConfiguration.cs

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>