Merge branch 'main' into support_otel_traces_sampler

Author: rads-1996

sdk/appconfiguration/azure-appconfiguration/CHANGELOG.md

@@ -4,13 +4,16 @@
 
 ### Features Added
 
+- Added support for custom authentication audiences via the `audience` keyword argument in `AzureAppConfigurationClient` constructor to enable authentication against sovereign clouds.
+
 ### Breaking Changes
 
 ### Bugs Fixed
 
 ### Other Changes
 
 - Replaced deprecated `datetime.utcnow()` with timezone-aware `datetime.now(timezone.utc)`.
+- Improved authentication scope handling to automatically detect and use correct audience URLs for Azure Public Cloud, Azure US Government, and Azure China cloud environments.
 
 ## 1.7.2 (2025-10-20)
 

sdk/appconfiguration/azure-appconfiguration/assets.json

@@ -2,5 +2,5 @@
   "AssetsRepo": "Azure/azure-sdk-assets",
   "AssetsRepoPrefixPath": "python",
   "TagPrefix": "python/appconfiguration/azure-appconfiguration",
-  "Tag": "python/appconfiguration/azure-appconfiguration_710e235678"
+  "Tag": "python/appconfiguration/azure-appconfiguration_5a7879bd17"
 }

sdk/appconfiguration/azure-appconfiguration/azure/appconfiguration/_audience.py

@@ -0,0 +1,38 @@
+# ------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for
+# license information.
+# -------------------------------------------------------------------------
+
+# Azure Configuration audience URLs
+DEFAULT_SCOPE_SUFFIX = ".default"
+_AZURE_PUBLIC_CLOUD_AUDIENCE = "https://appconfig.azure.com/"
+_AZURE_US_GOVERNMENT_AUDIENCE = "https://appconfig.azure.us/"
+_AZURE_CHINA_AUDIENCE = "https://appconfig.azure.cn/"
+
+
+# Endpoint suffixes for cloud detection
+_US_GOVERNMENT_SUFFIX_LEGACY = "azconfig.azure.us"  # cspell:disable-line
+_US_GOVERNMENT_SUFFIX = "appconfig.azure.us"
+_CHINA_SUFFIX_LEGACY = "azconfig.azure.cn"  # cspell:disable-line
+_CHINA_SUFFIX = "appconfig.azure.cn"
+
+
+def get_audience(endpoint: str) -> str:
+    """
+    Gets the default audience for the given endpoint.
+
+    :param endpoint: The endpoint to get the default audience for.
+    :type endpoint: str
+    :return: The default audience for the given endpoint.
+    :rtype: str
+    """
+    # Normalize endpoint by stripping trailing slashes and converting to lowercase for suffix checks
+    normalized_endpoint = endpoint.rstrip("/").lower()
+    if normalized_endpoint.endswith(_US_GOVERNMENT_SUFFIX_LEGACY) or normalized_endpoint.endswith(
+        _US_GOVERNMENT_SUFFIX
+    ):
+        return _AZURE_US_GOVERNMENT_AUDIENCE
+    if normalized_endpoint.endswith(_CHINA_SUFFIX_LEGACY) or normalized_endpoint.endswith(_CHINA_SUFFIX):
+        return _AZURE_CHINA_AUDIENCE
+    return _AZURE_PUBLIC_CLOUD_AUDIENCE

sdk/appconfiguration/azure-appconfiguration/azure/appconfiguration/_azure_appconfiguration_client.py

@@ -32,6 +32,7 @@
     ConfigurationSnapshot,
     ConfigurationSettingLabel,
 )
+from ._audience import get_audience, DEFAULT_SCOPE_SUFFIX
 from ._utils import (
     get_key_filter,
     get_label_filter,
@@ -49,6 +50,9 @@ class AzureAppConfigurationClient:
     :keyword api_version: Api Version. Default value is "2023-11-01". Note that overriding this default
         value may result in unsupported behavior.
     :paramtype api_version: str
+    :keyword audience: The audience to use for authentication with Microsoft Entra. Defaults to the public Azure App
+        Configuration audience. See the supported audience list at https://aka.ms/appconfig/client-token-audience
+    :paramtype audience: str
 
     """
 
@@ -65,11 +69,9 @@ def __init__(self, base_url: str, credential: TokenCredential, **kwargs: Any) ->
 
         self._sync_token_policy = SyncTokenPolicy()
 
-        credential_scopes = kwargs.pop("credential_scopes", [f"{base_url.strip('/')}/.default"])
-        # Ensure all scopes end with /.default
-        kwargs["credential_scopes"] = [
-            scope if scope.endswith("/.default") else f"{scope}/.default" for scope in credential_scopes
-        ]
+        audience = kwargs.pop("audience", get_audience(base_url))
+        # Ensure all scopes end with /.default and strip any trailing slashes before adding suffix
+        kwargs["credential_scopes"] = [audience + DEFAULT_SCOPE_SUFFIX]
 
         if isinstance(credential, AzureKeyCredential):
             id_credential = kwargs.pop("id_credential")
@@ -81,7 +83,9 @@ def __init__(self, base_url: str, credential: TokenCredential, **kwargs: Any) ->
         elif isinstance(credential, TokenCredential):
             kwargs.update(
                 {
-                    "authentication_policy": BearerTokenCredentialPolicy(credential, *credential_scopes, **kwargs),
+                    "authentication_policy": BearerTokenCredentialPolicy(
+                        credential, *kwargs["credential_scopes"], **kwargs
+                    ),
                 }
             )
         else:

sdk/appconfiguration/azure-appconfiguration/azure/appconfiguration/aio/_azure_appconfiguration_client_async.py

@@ -35,6 +35,7 @@
     ConfigurationSnapshot,
     ConfigurationSettingLabel,
 )
+from .._audience import get_audience, DEFAULT_SCOPE_SUFFIX
 from .._utils import (
     get_key_filter,
     get_label_filter,
@@ -51,6 +52,10 @@ class AzureAppConfigurationClient:
     :keyword api_version: Api Version. Default value is "2023-11-01". Note that overriding this default
         value may result in unsupported behavior.
     :paramtype api_version: str
+    :keyword audience: The audience to use for authentication with Microsoft Entra. Defaults to the public Azure App
+        Configuration audience. See the supported audience list at https://aka.ms/appconfig/client-token-audience
+    :paramtype audience: str
+
 
     This is the async version of :class:`~azure.appconfiguration.AzureAppConfigurationClient`
 
@@ -69,11 +74,9 @@ def __init__(self, base_url: str, credential: AsyncTokenCredential, **kwargs: An
 
         self._sync_token_policy = AsyncSyncTokenPolicy()
 
-        credential_scopes = kwargs.pop("credential_scopes", [f"{base_url.strip('/')}/.default"])
-        # Ensure all scopes end with /.default
-        kwargs["credential_scopes"] = [
-            scope if scope.endswith("/.default") else f"{scope}/.default" for scope in credential_scopes
-        ]
+        audience = kwargs.pop("audience", get_audience(base_url))
+        # Ensure all scopes end with /.default and strip any trailing slashes before adding suffix
+        kwargs["credential_scopes"] = [audience + DEFAULT_SCOPE_SUFFIX]
 
         if isinstance(credential, AzureKeyCredential):
             id_credential = kwargs.pop("id_credential")
@@ -85,7 +88,9 @@ def __init__(self, base_url: str, credential: AsyncTokenCredential, **kwargs: An
         elif hasattr(credential, "get_token"):  # AsyncFakeCredential is not an instance of AsyncTokenCredential
             kwargs.update(
                 {
-                    "authentication_policy": AsyncBearerTokenCredentialPolicy(credential, *credential_scopes, **kwargs),
+                    "authentication_policy": AsyncBearerTokenCredentialPolicy(
+                        credential, *kwargs["credential_scopes"], **kwargs
+                    ),
                 }
             )
         else:

sdk/appconfiguration/azure-appconfiguration/tests/test_audience.py

@@ -0,0 +1,82 @@
+# -------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for
+# license information.
+# --------------------------------------------------------------------------
+
+from azure.appconfiguration._audience import get_audience
+
+# Expected scope constants
+_EXPECTED_PUBLIC_CLOUD_AUDIENCE = "https://appconfig.azure.com/"
+_EXPECTED_US_GOVERNMENT_AUDIENCE = "https://appconfig.azure.us/"
+_EXPECTED_CHINA_AUDIENCE = "https://appconfig.azure.cn/"
+
+
+class TestGetDefaultScope:
+    """Tests for the get_default_scope utility function."""
+
+    def test_get_default_scope_public_cloud_legacy(self):
+        """Test default scope for Azure public cloud with legacy endpoint."""
+        endpoint = "https://example1.azconfig.azure.com"  # cspell:disable-line
+        actual_scope = get_audience(endpoint)
+        assert actual_scope == _EXPECTED_PUBLIC_CLOUD_AUDIENCE
+
+    def test_get_default_scope_public_cloud(self):
+        """Test default scope for Azure public cloud with regular endpoint."""
+        endpoint = "https://example1.appconfig.azure.com"
+        actual_scope = get_audience(endpoint)
+        assert actual_scope == _EXPECTED_PUBLIC_CLOUD_AUDIENCE
+
+    def test_get_default_scope_china_legacy(self):
+        """Test default scope for Azure China cloud with legacy endpoint."""
+        endpoint = "https://example1.azconfig.azure.cn"  # cspell:disable-line
+        actual_scope = get_audience(endpoint)
+        assert actual_scope == _EXPECTED_CHINA_AUDIENCE
+
+    def test_get_default_scope_china(self):
+        """Test default scope for Azure China cloud with regular endpoint."""
+        endpoint = "https://example1.appconfig.azure.cn"
+        actual_scope = get_audience(endpoint)
+        assert actual_scope == _EXPECTED_CHINA_AUDIENCE
+
+    def test_get_default_scope_us_government_legacy(self):
+        """Test default scope for Azure US Government cloud with legacy endpoint."""
+        endpoint = "https://example1.azconfig.azure.us"  # cspell:disable-line
+        actual_scope = get_audience(endpoint)
+        assert actual_scope == _EXPECTED_US_GOVERNMENT_AUDIENCE
+
+    def test_get_default_scope_us_government(self):
+        """Test default scope for Azure US Government cloud with regular endpoint."""
+        endpoint = "https://example1.appconfig.azure.us"
+        actual_scope = get_audience(endpoint)
+        assert actual_scope == _EXPECTED_US_GOVERNMENT_AUDIENCE
+
+    def test_default_scope_with_different_subdomain(self):
+        """Test that different subdomains still resolve to correct scope."""
+        endpoint = "https://my-store-123.appconfig.azure.com"
+        actual_scope = get_audience(endpoint)
+        assert actual_scope == _EXPECTED_PUBLIC_CLOUD_AUDIENCE
+
+    def test_get_default_scope_public_cloud_with_trailing_slash(self):
+        """Test default scope for Azure public cloud with trailing slash."""
+        endpoint = "https://example1.appconfig.azure.com/"
+        actual_scope = get_audience(endpoint)
+        assert actual_scope == _EXPECTED_PUBLIC_CLOUD_AUDIENCE
+
+    def test_get_default_scope_china_with_trailing_slash(self):
+        """Test default scope for Azure China cloud with trailing slash."""
+        endpoint = "https://example1.appconfig.azure.cn/"
+        actual_scope = get_audience(endpoint)
+        assert actual_scope == _EXPECTED_CHINA_AUDIENCE
+
+    def test_get_default_scope_us_government_with_trailing_slash(self):
+        """Test default scope for Azure US Government cloud with trailing slash."""
+        endpoint = "https://example1.appconfig.azure.us/"
+        actual_scope = get_audience(endpoint)
+        assert actual_scope == _EXPECTED_US_GOVERNMENT_AUDIENCE
+
+    def test_get_default_scope_legacy_with_trailing_slash(self):
+        """Test default scope for legacy endpoint with trailing slash."""
+        endpoint = "https://example1.azconfig.azure.us/"  # cspell:disable-line
+        actual_scope = get_audience(endpoint)
+        assert actual_scope == _EXPECTED_US_GOVERNMENT_AUDIENCE

sdk/monitor/azure-monitor-opentelemetry/CHANGELOG.md

@@ -5,6 +5,8 @@
 ### Features Added
 - Added support for OTEL_TRACES_SAMPLER
   ([#44535](https://github.com/Azure/azure-sdk-for-python/pull/44535))
+- Added ability to add additional Log Record Processors and Metric Readers via configure_azure_monitor
+  ([#44367](https://github.com/Azure/azure-sdk-for-python/pull/44367))
 
 ### Breaking Changes
 

sdk/monitor/azure-monitor-opentelemetry/README.md

@@ -68,6 +68,8 @@ You can use `configure_azure_monitor` to set up instrumentation for your app to
 | `resource` | Specifies the OpenTelemetry [Resource][ot_spec_resource] associated with your application. Passed in [Resource Attributes][ot_spec_resource_attributes] take priority over default attributes and those from [Resource Detectors][ot_python_resource_detectors]. | [OTEL_SERVICE_NAME][ot_spec_service_name], [OTEL_RESOURCE_ATTRIBUTES][ot_spec_resource_attributes], [OTEL_EXPERIMENTAL_RESOURCE_DETECTORS][ot_python_resource_detectors] |
 | `span_processors` | A list of [span processors][ot_span_processor] that will perform processing on each of your spans before they are exported. Useful for filtering/modifying telemetry. | `N/A` |
 | `views` | A list of [views][ot_view] that will be used to customize metrics exported by the SDK. | `N/A` |
+| `log_record_processors` | A list of [log record processors][ot_log_record_processor] that will process log records before they are exported. | `N/A` |
+| `metric_readers` | A list of [metric reader][ot_metric_reader] that will process metric readers before they are exported | `N/A` |
 | `traces_per_second` | Configures the Rate Limited sampler by specifying the maximum number of traces to sample per second. When set, this automatically enables the rate-limited sampler. Alternatively, you can configure sampling using the `OTEL_TRACES_SAMPLER` and `OTEL_TRACES_SAMPLER_ARG` environment variables as described in the table below. Please note that the sampling configuration via environment variables will have precedence over the sampling exporter/distro options. | `N/A`
 
 You can configure further with [OpenTelemetry environment variables][ot_env_vars].
@@ -232,6 +234,7 @@ contact [[email protected]](mailto:[email protected]) with any additio
 [ot_sdk_python]: https://github.com/open-telemetry/opentelemetry-python
 [ot_sdk_python_metric_reader]: https://opentelemetry-python.readthedocs.io/en/latest/sdk/metrics.export.html#opentelemetry.sdk.metrics.export.MetricReader
 [ot_span_processor]: https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/trace/sdk.md#span-processor
+[ot_log_record_processor]: https://github.com/open-telemetry/opentelemetry-specification/tree/main/specification/logs/sdk.md#log-record-processor
 [ot_view]: https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/metrics/sdk.md#view
 [ot_sdk_python_view_examples]: https://github.com/open-telemetry/opentelemetry-python/tree/main/docs/examples/metrics/views
 [ot_instrumentation_django]: https://github.com/open-telemetry/opentelemetry-python-contrib/tree/main/instrumentation/opentelemetry-instrumentation-django

sdk/monitor/azure-monitor-opentelemetry/azure/monitor/opentelemetry/_configure.py

@@ -12,7 +12,7 @@
 )
 from opentelemetry.metrics import set_meter_provider
 from opentelemetry.sdk.metrics import MeterProvider
-from opentelemetry.sdk.metrics.export import PeriodicExportingMetricReader
+from opentelemetry.sdk.metrics.export import PeriodicExportingMetricReader, MetricReader
 from opentelemetry.sdk.metrics.view import View
 from opentelemetry.sdk.resources import Resource
 from opentelemetry.sdk.trace import TracerProvider
@@ -38,6 +38,8 @@
     SAMPLING_RATIO_ARG,
     SAMPLING_TRACES_PER_SECOND_ARG,
     SPAN_PROCESSORS_ARG,
+    LOG_RECORD_PROCESSORS_ARG,
+    METRIC_READERS_ARG,
     VIEWS_ARG,
     ENABLE_TRACE_BASED_SAMPLING_ARG,
     SAMPLING_ARG,
@@ -105,6 +107,10 @@ def configure_azure_monitor(**kwargs) -> None:  # pylint: disable=C4758
      Attributes take priority over default attributes and those from Resource Detectors.
     :keyword list[~opentelemetry.sdk.trace.SpanProcessor] span_processors: List of `SpanProcessor` objects
      to process every span prior to exporting. Will be run sequentially.
+    :keyword list[~opentelemetry.sdk._logs.LogRecordProcessor] log_record_processors: List of `LogRecordProcessor`
+     objects to process every log record prior to exporting. Will be run sequentially.
+    :keyword list[~opentelemetry.sdk.metrics.MetricReader] metric_readers: List of MetricReader objects to read and
+     export metrics. Each reader can have its own exporter and collection interval.
     :keyword bool enable_live_metrics: Boolean value to determine whether to enable live metrics feature.
      Defaults to `False`.
     :keyword bool enable_performance_counters: Boolean value to determine whether to enable performance counters.
@@ -220,6 +226,8 @@ def _setup_logging(configurations: Dict[str, ConfigurationValue]):
         enable_performance_counters_config = configurations[ENABLE_PERFORMANCE_COUNTERS_ARG]
         logger_provider = LoggerProvider(resource=resource)
         enable_trace_based_sampling_for_logs = configurations[ENABLE_TRACE_BASED_SAMPLING_ARG]
+        for custom_log_record_processor in configurations[LOG_RECORD_PROCESSORS_ARG]:  # type: ignore
+            logger_provider.add_log_record_processor(custom_log_record_processor)  # type: ignore
         if configurations.get(ENABLE_LIVE_METRICS_ARG):
             qlp = _QuickpulseLogRecordProcessor()
             logger_provider.add_log_record_processor(qlp)
@@ -278,11 +286,12 @@ def _setup_logging(configurations: Dict[str, ConfigurationValue]):
 def _setup_metrics(configurations: Dict[str, ConfigurationValue]):
     resource: Resource = configurations[RESOURCE_ARG]  # type: ignore
     views: List[View] = configurations[VIEWS_ARG]  # type: ignore
+    readers: list[MetricReader] = configurations[METRIC_READERS_ARG]  # type: ignore
     enable_performance_counters_config = configurations[ENABLE_PERFORMANCE_COUNTERS_ARG]
     metric_exporter = AzureMonitorMetricExporter(**configurations)
-    reader = PeriodicExportingMetricReader(metric_exporter)
+    readers.append(PeriodicExportingMetricReader(metric_exporter))
     meter_provider = MeterProvider(
-        metric_readers=[reader],
+        metric_readers=readers,
         resource=resource,
         views=views,
     )

sdk/monitor/azure-monitor-opentelemetry/azure/monitor/opentelemetry/_constants.py

@@ -24,6 +24,8 @@
 RESOURCE_ARG = "resource"
 SAMPLING_RATIO_ARG = "sampling_ratio"
 SPAN_PROCESSORS_ARG = "span_processors"
+LOG_RECORD_PROCESSORS_ARG = "log_record_processors"
+METRIC_READERS_ARG = "metric_readers"
 VIEWS_ARG = "views"
 RATE_LIMITED_SAMPLER = "microsoft.rate_limited"
 FIXED_PERCENTAGE_SAMPLER = "microsoft.fixed.percentage"