update arcgis configuration for usgov and other api fixes

Author: aloverro

articles/planetary-computer/create-connection-arc-gis-pro.md

@@ -28,12 +28,12 @@ By the end of this guide, you'll be able to securely browse and access Microsoft
 > Before you begin, review [Register an application in Microsoft Entra ID](/entra/identity-platform/quickstart-register-app) for background information on app registration.
 
 ## Register web API application for ArcGIS Pro
-
+### [Public](#tab/public)
 1. Open the Azure Portal and go to **Microsoft Entra ID**.
 
     [ ![Screenshot showing a user selecting Microsoft Entra ID from Azure portal.](media/microsoft-entra-id.png) ](media/microsoft-entra-id.png#lightbox)
 
-1. Navigate to **App registrations** \> **New registration**.
+1. Navigate to **App registrations** > **New registration**.
 
     [ ![Screenshot showing new app registration.](media/new-app-registration.png) ](media/new-app-registration.png#lightbox)
 
@@ -42,6 +42,7 @@ By the end of this guide, you'll be able to securely browse and access Microsoft
     - ArcGIS Pro
 
 1. Set **Multitenant** as the account type.
+
     [ ![Screenshot showing register an app ArcGIS Pro.](media/register-an-app-arcgis-pro.png) ](media/register-an-app-arcgis-pro.png#lightbox)
 
     [ ![Screenshot showing new app  registration ArcGIS Pro.](media/new-app-registration-arcgis-pro.png) ](media/new-app-registration-arcgis-pro.png#lightbox)
@@ -75,8 +76,87 @@ By the end of this guide, you'll be able to securely browse and access Microsoft
 1. Go to **API Permissions**.
 
     - Add and grant admin consent for:
-      - Azure Storage \> user_impersonation.
-      - Microsoft Graph \> User.Read (This permission is enabled by default).
+      - Azure Storage > user_impersonation.
+      - Microsoft Graph > User.Read (This permission is enabled by default).
+    
+    [ ![Screenshot showing howto configure the addition of API permissions.](media/add-api-permissions.png) ](media/add-api-permissions.png#lightbox)
+
+1. **Grant admin consent** after permissions are added.
+
+    [ ![Screenshot showing how to grant admins consent.](media/grant-admin-consent.png) ](media/grant-admin-consent.png#lightbox)
+
+1. Go to **Expose an API**.
+
+    - Add **App ID URI**.
+
+    [ ![Screenshot showing how to add the app id URI .](media/add-app-id-uri.png) ](media/add-app-id-uri.png#lightbox)
+
+1. Define scopes:
+
+    - user_authentication (Display name: ArcGISPro-API-User-Auth)
+    - user_impersonation (Display name: ArcGISPro-API-Impersonation)
+
+    [ ![Screenshot showing add user authentication scope.](media/add-user-authentication-scope.png) ](media/add-user-authentication-scope.png#lightbox)
+    
+    [ ![Screenshot showing add user impersonation scope.](media/add-user-impersonation-scope.png) ](media/add-user-impersonation-scope.png#lightbox)
+
+1. Select **Add a client application** and note the App ID.
+
+    [ ![Screenshot showing how to add a client app.](media/add-a-client-app.png) ](media/add-a-client-app.png#lightbox)
+
+### [US Gov](#tab/usgov)
+1. Open the Azure Portal and go to **Microsoft Entra ID**.
+
+    [ ![Screenshot showing a user selecting Microsoft Entra ID from Azure portal.](media/microsoft-entra-id.png) ](media/microsoft-entra-id.png#lightbox)
+
+1. Navigate to **App registrations** > **New registration**.
+
+    [ ![Screenshot showing new app registration.](media/new-app-registration.png) ](media/new-app-registration.png#lightbox)
+
+1. Register the Web API app. Suggested names:
+    - ArcGISPro-GeoCatalog-WebAPI or 
+    - ArcGIS Pro
+
+1. Set **Multitenant** as the account type.
+    [ ![Screenshot showing register an app ArcGIS Pro.](media/register-an-app-arcgis-pro.png) ](media/register-an-app-arcgis-pro.png#lightbox)
+
+    [ ![Screenshot showing new app  registration ArcGIS Pro.](media/new-app-registration-arcgis-pro.png) ](media/new-app-registration-arcgis-pro.png#lightbox)
+
+1. After registration, complete the following configuration within the new app registration ArcGIS Pro.
+
+   - Go to the **Authentication** tab.
+
+   - Add platform: **Web**.
+
+   [ ![Screenshot showing the selection to add a web platform type of authentication.](media/add-web-platform.png) ](media/add-web-platform.png#lightbox)
+
+1. Set **Redirect URI**: <https://localhost>.
+  
+    [ ![Screenshot showing how to add a redirect URI.](media/add-redirect-uri.png) ](media/add-redirect-uri.png#lightbox)
+
+1. Add platform: **Mobile and Desktop applications**
+
+    [ ![Screenshot showing add mobile desktop app.](media/add-mobile-desktop-app.png) ](media/add-mobile-desktop-app.png#lightbox)
+    
+1. Set **Custom Redirect URI**: arcgis-pro://auth.
+
+    [ ![Screenshot showing configure desktop device.](media/usgov-mobile-redirect-1.png) ](media/usgov-mobile-redirect-1.png#lightbox)
+
+1. In the new **Mobile and desktop applications** panel, select *Add URI* to add a second Redirect URI: https://login.microsoftonline.us/common/oauth2/nativeclient
+
+    [ ![Screenshot showing configure desktop device.](media/usgov-mobile-redirect-2.png) ](media/usgov-mobile-redirect-2.png#lightbox)
+
+1. Enable **ID tokens** under **Implicit grant and hybrid flows**.
+
+1. Select **Save**.
+
+    [ ![Screenshot showing enable ID tokens ArcGIS App authentication.](media/enable-id-tokens.png) ](media/enable-id-tokens.png#lightbox)
+
+1. Go to **API Permissions**.
+
+    - Add and grant admin consent for:
+      - Azure Storage > user_impersonation.
+      - Microsoft Graph > User.Read (This permission is enabled by default).
 
     [ ![Screenshot showing howto configure the addition of API permissions.](media/add-api-permissions.png) ](media/add-api-permissions.png#lightbox)
 
@@ -103,7 +183,66 @@ By the end of this guide, you'll be able to securely browse and access Microsoft
 
     [ ![Screenshot showing how to add a client app.](media/add-a-client-app.png) ](media/add-a-client-app.png#lightbox)
 
-## Register desktop client application for ArcGIS Pro 
+## Register desktop client application for ArcGIS Pro
+### [Public](#tab/public)
+
+Register a second application (with a distinct name) to represent ArcGIS
+Pro Desktop and configure its API permissions --- ensuring it includes
+access to the web API exposed by the first application.
+
+1. Create a second app registration for the ArcGIS Pro desktop client.
+
+    - Suggested name: ArcGISPro-GeoCatalog-DesktopClient or GeoCatalog-ArcGIS.
+    
+    - Set account type: **Single tenant**.
+
+    [ ![Screenshot showing register second app arcgisprodesktopclient.](media/register-second-app-arcgis-pro-desktop-client.png) ](media/register-second-app-arcgis-pro-desktop-client.png#lightbox)
+
+    [ ![Screenshot showing new app  registration GeoCatalog ArcGIS.](media/new-app-registration-geocatalog-arcgis.png) ](media/new-app-registration-geocatalog-arcgis.png#lightbox)
+
+1. Configure the Desktop Client App.
+
+    Complete the following configuration within the new App registration GeoCatalog-ArcGIS.
+
+    - For **Authentication**, repeat the same steps as in Step 1:
+    
+      - Add platform: **Web**.
+      - Set **Redirect URI**: https://localhost.
+      - Add platform: **Mobile and desktop applications**
+      - Set **Redirect URI**: arcgis-pro://auth.
+      - Enable **ID tokens** under **Implicit grant and hybrid flows**.
+      - Select **Save**.
+
+    - **API Permissions**: Adding Access to the Web API App.
+    
+      - In the **API permissions** tab, select **Add a permission**.
+    
+      - Go to the **APIs my organization uses** tab and search for the **Web
+        API app** created in Step 1 (for example, ArcGIS Pro).
+    
+      - Select the app name to open the **Request API Permissions** screen.
+
+   [ ![Screenshot showing request API permissions.](media/request-api-permissions.png) ](media/request-api-permissions.png#lightbox)
+
+    - Select both user_authentication and user_impersonation; the delegated permissions defined in the first app.
+
+    - Select **Add permissions**.
+
+    [ ![Screenshot showing add API permissions ArcGIS Pro.](media/add-api-permissions-arcgis-pro.png) ](media/add-api-permissions-arcgis-pro.png#lightbox)
+
+    - Continue to add the following delegated permissions:
+    
+      - **Azure Storage** > user_impersonation.
+      - **Azure Orbital Spatio** > user_impersonation.
+      - **Microsoft Graph** > User.Read (This permission is enabled by default).
+      - Select **Add permissions**.
+      - Select **Grant admin consent**.
+    
+    [ ![Screenshot showing app selection on request API permissions screen.](media/app-selection-on-request-api-permissions-screen.png) ](media/app-selection-on-request-api-permissions-screen.png#lightbox)
+  
+    [ ![Screenshot showing grant admin consents (4).](media/grant-admin-consents-4.png) ](media/grant-admin-consents-4.png#lightbox)
+
+### [US Gov](#tab/usgov)
 
 Register a second application (with a distinct name) to represent ArcGIS
 Pro Desktop and configure its API permissions --- ensuring it includes
@@ -127,8 +266,9 @@ access to the web API exposed by the first application.
 
       - Add platform: **Web**.
       - Set **Redirect URI**: https://localhost.
-      - Add platform.
+      - Add platform: **Mobile and desktop applications**
       - Set **Redirect URI**: arcgis-pro://auth.
+      - Add another **Mobile and desktop applications** Redirect URI: https://login.microsoftonline.us/common/oauth2/nativeclient.
       - Enable **ID tokens** under **Implicit grant and hybrid flows**.
       - Select **Save**.
 
@@ -151,9 +291,9 @@ access to the web API exposed by the first application.
 
     - Continue to add the following delegated permissions:
 
-      - **Azure Storage** \> user_impersonation.
-      - **Azure Orbital Spatio** \> user_impersonation.
-      - **Microsoft Graph** \> User.Read (This permission is enabled by default).
+      - **Azure Storage** > user_impersonation.
+      - **Azure Orbital Spatio** > user_impersonation.
+      - **Microsoft Graph** > User.Read (This permission is enabled by default).
       - Select **Add permissions**.
       - Select **Grant admin consent**.
 
@@ -166,6 +306,7 @@ access to the web API exposed by the first application.
 This section outlines how to configure authentication and data access in the **ArcGIS Pro desktop application**, using OAuth 2.0 integration with **Microsoft Entra ID** and access to the **Microsoft Planetary Computer Pro GeoCatalog**. It includes steps to add an authentication connection and create storage and STAC data connections.
 
 ## Add an authentication connection
+### [Public](#tab/public)
 
 1. Open the **ArcGIS Pro settings** page in one of the following ways:
 
@@ -186,6 +327,10 @@ This section outlines how to configure authentication and data access in the **A
 
     - Enter your **Entra Domain** and **Client ID**.
 
+      - You can [find your **Entra Domain**](/partner-center/account-settings/find-ids-and-domain-names) (also know as your **Primary Domain**) from with Microsoft Entra ID from your Azure Portal
+
+      - Your **Client ID** is the client ID you set above in the **Add a client application** step.
+
     - Add the following **scopes**:
 
       - `https://storage.azure.com/.default`
@@ -203,6 +348,48 @@ This section outlines how to configure authentication and data access in the **A
 > [!TIP] 
 > For more information, see the official ArcGIS Pro documentation [Connect to authentication providers from ArcGIS Pro](https://pro.arcgis.com/en/pro-app/latest/get-started/connect-to-authentication-providers-from-arcgis-pro.htm).
 
+### [US Gov](#tab/usgov)
+
+1. Open the **ArcGIS Pro settings** page in one of the following ways:
+
+    - From an open project, select the **Project** tab on the ribbon.
+    - From the start page, select the **Settings** tab.
+
+1. In the side menu, select **Options**.
+
+1. In the **Options** dialog box, under **Application**, select **Authentication**.
+
+1. Select **Add Connection** to add a new authentication connection.
+
+1. In the **Add Connection** dialog box:
+
+    - Enter a **Connection Name**.
+
+    - For **Type**, select **Microsoft Entra ID**.
+    
+    - Select **Azure US Government** under **Azure Environment**
+
+    - Enter your **Entra Domain** and **Client ID**.
+
+      - You can [find your **Entra Domain**](/partner-center/account-settings/find-ids-and-domain-names) (also know as your **Primary Domain**) from with Microsoft Entra ID from your Azure Portal
+      - Your **Client ID** is the client ID you set above in the **Add a client application** step.
+
+    - Add the following **scopes**:
+
+      - `https://storage.usgovcloudapi.net/.default`
+
+      - `https://geocatalog.spatio.azure.us/.default`
+
+    [ ![Screenshot showing how to add a connection.](media/add-authentication-usgov.png) ](media/add-authentication-usgov.png#lightbox)
+
+    - Select **OK**.
+    
+    - Sign in through the Authentication dialog and complete the prompts.
+    
+    [ ![Screenshot showing how to sign in with the Authentication dialog.](media/sign-in.png) ](media/sign-in.png#lightbox)
+
+> [!TIP] 
+> For more information, see the official ArcGIS Pro documentation [Connect to authentication providers from ArcGIS Pro](https://pro.arcgis.com/en/pro-app/latest/get-started/connect-to-authentication-providers-from-arcgis-pro.htm).
 
 ## Prepare and record GeoCatalog information
 
@@ -213,7 +400,7 @@ This section outlines how to configure authentication and data access in the **A
 
 1. Select on the GeoCatalog. For example, **arcgisprogeocatalog**.
 
-1. Record the **GeoCatalog URI**. For example, **https://arcgisprogeocatalog.\<unique-identity\>.\<cloud-region\>.geocatalog.spatio.azure.com**.
+1. Record the **GeoCatalog URI**. For example, **https://arcgisprogeocatalog.<unique-identity>.<cloud-region>.geocatalog.spatio.azure.com**.
 
     [ ![Screenshot showing how to retrieve the GeoCatalog URI.](media/get-geocatalog-uri.png) ](media/get-geocatalog-uri.png#lightbox)
 
@@ -224,17 +411,9 @@ This section outlines how to configure authentication and data access in the **A
 
 1. Record the **Collection Name**. For example, sentinel-2-l2a-tutorial-1000.
 
-1. Construct the **Token API Endpoint** using this pattern:
-
-      ```bash
-    \<GeoCatalog URI\>/sas/token/\<Collection Name\api-version=2025-04-30-preview
-      ```  
-    
-    Example:
-    
-    ```bash
-    https://arcgisprogeocatalog.\<unique-identity\>.\<cloud-region\>.geocatalog.spatio.azure.com/sas/token/sentinel-2-l2a-tutorial-1000?api-version=2025-04-30-preview
-    ```
+1. Construct the **Token API Endpoint** using this pattern: ```<GeoCatalog URI>/sas/token/<Collection Name>?api-version=2025-04-30-preview```
+ 
+   - Example:```https://arcgisprogeocatalog.<unique-identity>.<cloud-region>.geocatalog.spatio.azure.com/sas/token/sentinel-2-l2a-tutorial-1000?api-version=2025-04-30-preview```
 
 1. Select the collection name.
 
@@ -247,13 +426,13 @@ This section outlines how to configure authentication and data access in the **A
 1. In the resulting JSON display, locate the key "**title:assets:thumbnail:href**" and copy the corresponding value. For example:
 
     ```bash
-    https://\<unique-storage\>.blob.core.windows.net/sentinel-2-l2a-tutorial-1000-\<unique-id\>/collection-assets/thumbnail/lulc.png
+    https://<unique-storage>.blob.core.windows.net/sentinel-2-l2a-tutorial-1000-<unique-id>/collection-assets/thumbnail/lulc.png
     ```
 
 1. Record the value of Account Name and Container Name:
 
-    - **Account Name**: for example \<unique-storage\>
-    - **Container Name**: for example sentinel-2-l2a-tutorial-1000-\<unique-id\>
+    - **Account Name**: ```<unique-storage>```
+    - **Container Name**: ```sentinel-2-l2a-tutorial-1000-<unique-id>```
 
     [ ![Screenshot showing collection json display.](media/collection-json-display.png) ](media/collection-json-display.png#lightbox)
 
@@ -269,14 +448,16 @@ This section outlines how to configure authentication and data access in the **A
 
 1. For **Authentication**, select the name of the auth profile that you created in previous steps.
 
-1. For **Access Key ID (Account Name)**, use the **Account Name** value that you recorded earlier: \<unique-storage\>.
+1. For **Access Key ID (Account Name)**, use the **Account Name** value that you recorded earlier: <unique-storage>.
 
-1. For **Bucket (Container) Name** use the **Container Name** value that you recorded earlier: sentinel-2-l2a-tutorial-1000-\<unique-id\>.
+1. For **Bucket (Container) Name** use the **Container Name** value that you recorded earlier: sentinel-2-l2a-tutorial-1000-<unique-id>.
+
+1. Do not specify a **Folder**.
 
 1. Add the provider option **ARC_TOKEN_SERVICE_API** and set the value to your **Token API Endpoint** that you constructed earlier. For example:
 
     ```bash
-    https://arcgisprogeocatalog.\<unique-identity\>.\<cloud-region\>.geocatalog.spatio.azure.com/api/token/sentinel-2-l2a-tutorial-1000?api=version=2025-04-30-preview
+    https://arcgisprogeocatalog.<unique-identity>.<cloud-region>.geocatalog.spatio.azure.com/api/token/sentinel-2-l2a-tutorial-1000?api=version=2025-04-30-preview
     ```
 
 1. Add the provider option **ARC_TOKEN_OPTION_NAME** and set the value **to AZURE_STORAGE_SAS_TOKEN**.
@@ -294,14 +475,16 @@ This section outlines how to configure authentication and data access in the **A
 
     - Provide a name for the STAC Connection: For example, GeoCatalog_Connection.
 
-    - For Connection use the form```\<GeoCatalog URI\>/api```. For example,
+    - For Connection use the form```<GeoCatalog URI>/stac```. For example,
       ```bash
-        https://arcgisprogeocatalog.\<unique-identity\>.\<cloud-storage\>.geocatalog.spatio.azure.com/api
+        https://arcgisprogeocatalog.<unique-identity>.<cloud-storage>.geocatalog.spatio.azure.com/stac
         ```
 
     - Reference the Authentication settings made in previous step.
+
+    - Add **Custom Paramaters**: Name: ```api-version```, Value: ```2025-04-30-preview```
 
-    - Add the ACS connection file that was created in previous step to the STAC connection.
+    - Add the ACS connection file that was created in previous step to the **Cloud Storage Connections** list.
 
     - Select **OK**.