[AppConfig] Added Audience Scope support (#44399)

* App Config Audience Scope

* pylint updates

* Update CHANGELOG.md

* Update sdk/appconfiguration/azure-appconfiguration/azure/appconfiguration/_utils.py

Co-authored-by: Copilot <[email protected]>

* Update _utils.py

* Update _utils.py

* Code review comments

* Update _scope.py

* fixed cspell

* _DEFAULT_SCOPE_SUFFIX usage

* case insenstitive

* Rename to _credential_scope

* pr comments

* Update test_credential_scope.py

* switching to audience

* rename everything to audience

* Update CHANGELOG.md

* added doc string + test rename

* Update sdk/appconfiguration/azure-appconfiguration/azure/appconfiguration/_azure_appconfiguration_client.py

Co-authored-by: Avani Gupta <[email protected]>

* Update _azure_appconfiguration_client_async.py

---------

Co-authored-by: Copilot <[email protected]>
Co-authored-by: Avani Gupta <[email protected]>

Author: 3 people

sdk/appconfiguration/azure-appconfiguration/CHANGELOG.md

@@ -4,13 +4,16 @@
 
 ### Features Added
 
+- Added support for custom authentication audiences via the `audience` keyword argument in `AzureAppConfigurationClient` constructor to enable authentication against sovereign clouds.
+
 ### Breaking Changes
 
 ### Bugs Fixed
 
 ### Other Changes
 
 - Replaced deprecated `datetime.utcnow()` with timezone-aware `datetime.now(timezone.utc)`.
+- Improved authentication scope handling to automatically detect and use correct audience URLs for Azure Public Cloud, Azure US Government, and Azure China cloud environments.
 
 ## 1.7.2 (2025-10-20)
 

sdk/appconfiguration/azure-appconfiguration/assets.json

@@ -2,5 +2,5 @@
   "AssetsRepo": "Azure/azure-sdk-assets",
   "AssetsRepoPrefixPath": "python",
   "TagPrefix": "python/appconfiguration/azure-appconfiguration",
-  "Tag": "python/appconfiguration/azure-appconfiguration_710e235678"
+  "Tag": "python/appconfiguration/azure-appconfiguration_5a7879bd17"
 }

sdk/appconfiguration/azure-appconfiguration/azure/appconfiguration/_audience.py

@@ -0,0 +1,38 @@
+# ------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for
+# license information.
+# -------------------------------------------------------------------------
+
+# Azure Configuration audience URLs
+DEFAULT_SCOPE_SUFFIX = ".default"
+_AZURE_PUBLIC_CLOUD_AUDIENCE = "https://appconfig.azure.com/"
+_AZURE_US_GOVERNMENT_AUDIENCE = "https://appconfig.azure.us/"
+_AZURE_CHINA_AUDIENCE = "https://appconfig.azure.cn/"
+
+
+# Endpoint suffixes for cloud detection
+_US_GOVERNMENT_SUFFIX_LEGACY = "azconfig.azure.us"  # cspell:disable-line
+_US_GOVERNMENT_SUFFIX = "appconfig.azure.us"
+_CHINA_SUFFIX_LEGACY = "azconfig.azure.cn"  # cspell:disable-line
+_CHINA_SUFFIX = "appconfig.azure.cn"
+
+
+def get_audience(endpoint: str) -> str:
+    """
+    Gets the default audience for the given endpoint.
+
+    :param endpoint: The endpoint to get the default audience for.
+    :type endpoint: str
+    :return: The default audience for the given endpoint.
+    :rtype: str
+    """
+    # Normalize endpoint by stripping trailing slashes and converting to lowercase for suffix checks
+    normalized_endpoint = endpoint.rstrip("/").lower()
+    if normalized_endpoint.endswith(_US_GOVERNMENT_SUFFIX_LEGACY) or normalized_endpoint.endswith(
+        _US_GOVERNMENT_SUFFIX
+    ):
+        return _AZURE_US_GOVERNMENT_AUDIENCE
+    if normalized_endpoint.endswith(_CHINA_SUFFIX_LEGACY) or normalized_endpoint.endswith(_CHINA_SUFFIX):
+        return _AZURE_CHINA_AUDIENCE
+    return _AZURE_PUBLIC_CLOUD_AUDIENCE

sdk/appconfiguration/azure-appconfiguration/azure/appconfiguration/_azure_appconfiguration_client.py

@@ -32,6 +32,7 @@
     ConfigurationSnapshot,
     ConfigurationSettingLabel,
 )
+from ._audience import get_audience, DEFAULT_SCOPE_SUFFIX
 from ._utils import (
     get_key_filter,
     get_label_filter,
@@ -49,6 +50,9 @@ class AzureAppConfigurationClient:
     :keyword api_version: Api Version. Default value is "2023-11-01". Note that overriding this default
         value may result in unsupported behavior.
     :paramtype api_version: str
+    :keyword audience: The audience to use for authentication with Microsoft Entra. Defaults to the public Azure App
+        Configuration audience. See the supported audience list at https://aka.ms/appconfig/client-token-audience
+    :paramtype audience: str
 
     """
 
@@ -65,11 +69,9 @@ def __init__(self, base_url: str, credential: TokenCredential, **kwargs: Any) ->
 
         self._sync_token_policy = SyncTokenPolicy()
 
-        credential_scopes = kwargs.pop("credential_scopes", [f"{base_url.strip('/')}/.default"])
-        # Ensure all scopes end with /.default
-        kwargs["credential_scopes"] = [
-            scope if scope.endswith("/.default") else f"{scope}/.default" for scope in credential_scopes
-        ]
+        audience = kwargs.pop("audience", get_audience(base_url))
+        # Ensure all scopes end with /.default and strip any trailing slashes before adding suffix
+        kwargs["credential_scopes"] = [audience + DEFAULT_SCOPE_SUFFIX]
 
         if isinstance(credential, AzureKeyCredential):
             id_credential = kwargs.pop("id_credential")
@@ -81,7 +83,9 @@ def __init__(self, base_url: str, credential: TokenCredential, **kwargs: Any) ->
         elif isinstance(credential, TokenCredential):
             kwargs.update(
                 {
-                    "authentication_policy": BearerTokenCredentialPolicy(credential, *credential_scopes, **kwargs),
+                    "authentication_policy": BearerTokenCredentialPolicy(
+                        credential, *kwargs["credential_scopes"], **kwargs
+                    ),
                 }
             )
         else:

sdk/appconfiguration/azure-appconfiguration/azure/appconfiguration/aio/_azure_appconfiguration_client_async.py

@@ -35,6 +35,7 @@
     ConfigurationSnapshot,
     ConfigurationSettingLabel,
 )
+from .._audience import get_audience, DEFAULT_SCOPE_SUFFIX
 from .._utils import (
     get_key_filter,
     get_label_filter,
@@ -51,6 +52,10 @@ class AzureAppConfigurationClient:
     :keyword api_version: Api Version. Default value is "2023-11-01". Note that overriding this default
         value may result in unsupported behavior.
     :paramtype api_version: str
+    :keyword audience: The audience to use for authentication with Microsoft Entra. Defaults to the public Azure App
+        Configuration audience. See the supported audience list at https://aka.ms/appconfig/client-token-audience
+    :paramtype audience: str
+
 
     This is the async version of :class:`~azure.appconfiguration.AzureAppConfigurationClient`
 
@@ -69,11 +74,9 @@ def __init__(self, base_url: str, credential: AsyncTokenCredential, **kwargs: An
 
         self._sync_token_policy = AsyncSyncTokenPolicy()
 
-        credential_scopes = kwargs.pop("credential_scopes", [f"{base_url.strip('/')}/.default"])
-        # Ensure all scopes end with /.default
-        kwargs["credential_scopes"] = [
-            scope if scope.endswith("/.default") else f"{scope}/.default" for scope in credential_scopes
-        ]
+        audience = kwargs.pop("audience", get_audience(base_url))
+        # Ensure all scopes end with /.default and strip any trailing slashes before adding suffix
+        kwargs["credential_scopes"] = [audience + DEFAULT_SCOPE_SUFFIX]
 
         if isinstance(credential, AzureKeyCredential):
             id_credential = kwargs.pop("id_credential")
@@ -85,7 +88,9 @@ def __init__(self, base_url: str, credential: AsyncTokenCredential, **kwargs: An
         elif hasattr(credential, "get_token"):  # AsyncFakeCredential is not an instance of AsyncTokenCredential
             kwargs.update(
                 {
-                    "authentication_policy": AsyncBearerTokenCredentialPolicy(credential, *credential_scopes, **kwargs),
+                    "authentication_policy": AsyncBearerTokenCredentialPolicy(
+                        credential, *kwargs["credential_scopes"], **kwargs
+                    ),
                 }
             )
         else:

sdk/appconfiguration/azure-appconfiguration/tests/test_audience.py

@@ -0,0 +1,82 @@
+# -------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for
+# license information.
+# --------------------------------------------------------------------------
+
+from azure.appconfiguration._audience import get_audience
+
+# Expected scope constants
+_EXPECTED_PUBLIC_CLOUD_AUDIENCE = "https://appconfig.azure.com/"
+_EXPECTED_US_GOVERNMENT_AUDIENCE = "https://appconfig.azure.us/"
+_EXPECTED_CHINA_AUDIENCE = "https://appconfig.azure.cn/"
+
+
+class TestGetDefaultScope:
+    """Tests for the get_default_scope utility function."""
+
+    def test_get_default_scope_public_cloud_legacy(self):
+        """Test default scope for Azure public cloud with legacy endpoint."""
+        endpoint = "https://example1.azconfig.azure.com"  # cspell:disable-line
+        actual_scope = get_audience(endpoint)
+        assert actual_scope == _EXPECTED_PUBLIC_CLOUD_AUDIENCE
+
+    def test_get_default_scope_public_cloud(self):
+        """Test default scope for Azure public cloud with regular endpoint."""
+        endpoint = "https://example1.appconfig.azure.com"
+        actual_scope = get_audience(endpoint)
+        assert actual_scope == _EXPECTED_PUBLIC_CLOUD_AUDIENCE
+
+    def test_get_default_scope_china_legacy(self):
+        """Test default scope for Azure China cloud with legacy endpoint."""
+        endpoint = "https://example1.azconfig.azure.cn"  # cspell:disable-line
+        actual_scope = get_audience(endpoint)
+        assert actual_scope == _EXPECTED_CHINA_AUDIENCE
+
+    def test_get_default_scope_china(self):
+        """Test default scope for Azure China cloud with regular endpoint."""
+        endpoint = "https://example1.appconfig.azure.cn"
+        actual_scope = get_audience(endpoint)
+        assert actual_scope == _EXPECTED_CHINA_AUDIENCE
+
+    def test_get_default_scope_us_government_legacy(self):
+        """Test default scope for Azure US Government cloud with legacy endpoint."""
+        endpoint = "https://example1.azconfig.azure.us"  # cspell:disable-line
+        actual_scope = get_audience(endpoint)
+        assert actual_scope == _EXPECTED_US_GOVERNMENT_AUDIENCE
+
+    def test_get_default_scope_us_government(self):
+        """Test default scope for Azure US Government cloud with regular endpoint."""
+        endpoint = "https://example1.appconfig.azure.us"
+        actual_scope = get_audience(endpoint)
+        assert actual_scope == _EXPECTED_US_GOVERNMENT_AUDIENCE
+
+    def test_default_scope_with_different_subdomain(self):
+        """Test that different subdomains still resolve to correct scope."""
+        endpoint = "https://my-store-123.appconfig.azure.com"
+        actual_scope = get_audience(endpoint)
+        assert actual_scope == _EXPECTED_PUBLIC_CLOUD_AUDIENCE
+
+    def test_get_default_scope_public_cloud_with_trailing_slash(self):
+        """Test default scope for Azure public cloud with trailing slash."""
+        endpoint = "https://example1.appconfig.azure.com/"
+        actual_scope = get_audience(endpoint)
+        assert actual_scope == _EXPECTED_PUBLIC_CLOUD_AUDIENCE
+
+    def test_get_default_scope_china_with_trailing_slash(self):
+        """Test default scope for Azure China cloud with trailing slash."""
+        endpoint = "https://example1.appconfig.azure.cn/"
+        actual_scope = get_audience(endpoint)
+        assert actual_scope == _EXPECTED_CHINA_AUDIENCE
+
+    def test_get_default_scope_us_government_with_trailing_slash(self):
+        """Test default scope for Azure US Government cloud with trailing slash."""
+        endpoint = "https://example1.appconfig.azure.us/"
+        actual_scope = get_audience(endpoint)
+        assert actual_scope == _EXPECTED_US_GOVERNMENT_AUDIENCE
+
+    def test_get_default_scope_legacy_with_trailing_slash(self):
+        """Test default scope for legacy endpoint with trailing slash."""
+        endpoint = "https://example1.azconfig.azure.us/"  # cspell:disable-line
+        actual_scope = get_audience(endpoint)
+        assert actual_scope == _EXPECTED_US_GOVERNMENT_AUDIENCE