Skip to content

[Identity][Core] Add support for the Bleu national partner cloud (France)#48069

Draft
devi0042JD wants to merge 4 commits into
Azure:mainfrom
devi0042JD:identity/add-azure-bleu-authority-host
Draft

[Identity][Core] Add support for the Bleu national partner cloud (France)#48069
devi0042JD wants to merge 4 commits into
Azure:mainfrom
devi0042JD:identity/add-azure-bleu-authority-host

Conversation

@devi0042JD

@devi0042JD devi0042JD commented Jul 15, 2026

Copy link
Copy Markdown

Description

Adds official support for the Bleu national partner cloud (France) across azure-identity, azure-core, and azure-mgmt-core.

azure-identity

  • New constant AzureAuthorityHosts.AZURE_BLEUCLOUD = "login.sovcloud-identity.fr" in _constants.py (also available through the KnownAuthorities alias).
  • Added the Bleu Azure Resource Manager scope (https://management.sovcloud-api.fr//.default) to _DEFAULT_AUTHENTICATE_SCOPES so interactive credentials' authenticate() method works against Bleu without explicit scopes.
  • CHANGELOG entry under 1.26.0b3 (Unreleased) / Features Added.
  • New test test_well_known_authority_hosts in tests/test_authority.py.

azure-core (1.42.0)

  • New AzureClouds.AZURE_BLEUCLOUD enum member in _azure_clouds.py. It is automatically accepted by the AZURE_SDK_CLOUD_CONF environment variable and settings.current.azure_cloud (conversion iterates over the enum).
  • Extended test_convert_azure_cloud to cover conversion of all enum members.

azure-mgmt-core (1.7.0)

  • get_arm_endpoints now supports AzureClouds.AZURE_BLEUCLOUD, returning:
    • resource_manager: https://management.sovcloud-api.fr/
    • credential_scopes: ["https://management.sovcloud-api.fr/.default"]
  • Raised the minimum azure-core requirement to >=1.42.0: the new AzureClouds.AZURE_BLEUCLOUD attribute is evaluated on every get_arm_endpoints call, so running against an older azure-core would raise AttributeError for all clouds.
  • Bumped the unreleased version from 1.6.1 to 1.7.0 since this adds a feature.
  • Added the Bleu case to test_arm_endpoints.

With these changes, authenticating against Bleu works with DefaultAzureCredential(authority=AzureAuthorityHosts.AZURE_BLEUCLOUD), and export AZURE_SDK_CLOUD_CONF=AZURE_BLEUCLOUD (or passing cloud_setting=AzureClouds.AZURE_BLEUCLOUD to a generated mgmt client) is enough for recent azure-mgmt-* clients to resolve their base URL and credential scopes for Bleu.

Context

Bleu is a Microsoft national partner cloud operated in France by a joint venture between Orange and Capgemini, designed to meet the French ANSSI SecNumCloud requirements. Its Entra authority host (login.sovcloud-identity.fr) is already a well-known authority host in MSAL Python (AZURE_GOV_FR, since msal 1.35.1).

Testing

  • pytest sdk/identity/azure-identity/tests/test_authority.py — 3 passed
  • pytest sdk/identity/azure-identity/tests/test_browser_credential.py tests/test_device_code_credential.py tests/test_interactive_credential.py tests/test_username_password_credential.py — 94 passed, 2 skipped
  • pytest sdk/core/azure-core/tests/test_settings.py — 61 passed
  • pytest sdk/core/azure-mgmt-core/tests/test_arm_endpoints.py — 1 passed
  • End-to-end check: AZURE_SDK_CLOUD_CONF=AZURE_BLEUCLOUDsettings.current.azure_cloud resolves to AzureClouds.AZURE_BLEUCLOUD and get_arm_endpoints returns the Bleu endpoints
  • black --check clean on all modified files

@azure-pipelines

Copy link
Copy Markdown
Azure Pipelines:
Successfully started running 1 pipeline(s).
8 pipeline(s) were filtered out due to trigger conditions.
There may be pipelines that require an authorized user to comment /azp run to run.

@github-actions github-actions Bot added Azure.Identity Community Contribution Community members are working on the issue customer-reported Issues that are reported by GitHub users external to the Azure organization. labels Jul 15, 2026
@github-actions

Copy link
Copy Markdown
Contributor

Thank you for your contribution @devi0042JD! We will review the pull request and get back to you soon.

@devi0042JD

Copy link
Copy Markdown
Author

@microsoft-github-policy-service agree

@devi0042JD

Copy link
Copy Markdown
Author

Dear @yonzhan, Could you please review this PR ?

I work as a Cloud Architect at Bleu, the French national partner cloud. I can confirm the authority host, ARM scope, and DNS suffixes used in this PR are correct and match Bleu environment.

Today, users onboarding to Bleu with the Azure SDK for Python have to configure the authority manually.

Shipping Bleu as a well-known authority in AzureAuthorityHosts would significantly improve that onboarding experience. (especially editors).

@devi0042JD devi0042JD marked this pull request as ready for review July 15, 2026 13:36
@devi0042JD devi0042JD requested a review from danieljurek as a code owner July 15, 2026 13:36
Copilot AI review requested due to automatic review settings July 15, 2026 13:36
@devi0042JD devi0042JD requested review from a team, benbp and mikeharder as code owners July 15, 2026 13:36
@azure-pipelines

Copy link
Copy Markdown
Azure Pipelines:
Successfully started running 1 pipeline(s).
8 pipeline(s) were filtered out due to trigger conditions.
There may be pipelines that require an authorized user to comment /azp run to run.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds Bleu national partner cloud support to azure-identity.

Changes:

  • Adds the Bleu authority host and default ARM scope.
  • Documents the new support.
  • Adds authority validation and spell-check configuration.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
.vscode/cspell.json Allows the sovcloud term.
sdk/identity/azure-identity/CHANGELOG.md Documents Bleu support.
azure/identity/_constants.py Adds AZURE_BLEU.
azure/identity/_internal/interactive.py Adds the Bleu default ARM scope.
tests/test_authority.py Verifies the new authority constant.

_LOGGER = logging.getLogger(__name__)

_DEFAULT_AUTHENTICATE_SCOPES = {
"https://" + KnownAuthorities.AZURE_BLEU: ("https://management.sovcloud-api.fr//.default",),
… cloud (France)

Adds the BleuCloud (login.sovcloud-identity.fr) authority host constant and
its default ARM scope for interactive credentials' authenticate() method.
@devi0042JD devi0042JD force-pushed the identity/add-azure-bleu-authority-host branch from 14d95b6 to cefe7a8 Compare July 15, 2026 14:15
@devi0042JD devi0042JD changed the title [Identity] Add AzureAuthorityHosts.AZURE_BLEU for the Bleu national partner cloud (France) [Identity] Add AzureAuthorityHosts.AZURE_BLEUCLOUD for the Bleu national partner cloud (France) Jul 15, 2026
…artner cloud (France)

azure-core: adds the AZURE_BLEUCLOUD member to the AzureClouds enum so the
Bleu cloud can be selected via AZURE_SDK_CLOUD_CONF or settings.azure_cloud.

azure-mgmt-core: get_arm_endpoints now returns the Bleu ARM endpoint
(management.sovcloud-api.fr) and credential scopes, and the minimum
azure-core requirement is raised to 1.42.0 accordingly.
@devi0042JD devi0042JD changed the title [Identity] Add AzureAuthorityHosts.AZURE_BLEUCLOUD for the Bleu national partner cloud (France) [Identity][Core] Add support for the Bleu national partner cloud (France) Jul 16, 2026
@devi0042JD devi0042JD marked this pull request as draft July 16, 2026 13:42
@devi0042JD

Copy link
Copy Markdown
Author

Note on the two failing checks — both are unrelated to this PR:

1. python - pullrequest — azure-ai-textanalytics playback failures

The failing tests are the 14 recorded tests of sdk/cognitivelanguage/azure-ai-textanalytics (all 3 OS × whl/sdist/mindependency). They run here only because this PR touches azure-core, which triggers dependent-package testing.

The failure is a URI mismatch in playback:

request <https://Sanitized.cognitiveservices.azure.com//language/analyze-text/jobs?api-version=2025-11-15-preview>
record  <https://Sanitized.cognitiveservices.azure.com/language/analyze-text/jobs?api-version=2025-11-15-preview>

The double slash comes from that package's test fixtures, which set text_analysis_endpoint="https://Sanitized.cognitiveservices.azure.com/" (trailing slash) while the generated client appends /language to the endpoint. The recordings expect a single slash, so the test proxy finds no matching entry (ResourceNotFoundError: Playback failure).

This looks like a latent issue in those fixtures, likely surfaced by the test-proxy bump to 1.0.0-dev.20260521.2 on May 27 (#47176) — stricter URI matching — and it only shows up on PRs that touch core. Nothing in this PR touches URL construction (the azure-core diff is an enum member, a changelog entry, a version bump, and a test), and the only azure-core commit on main since 1.41.0 is an unrelated datetime refactor (#46603). The last two runs of this pipeline on main (June 26) were also failing.

2. python - autorest - pr

Fails in "Prepare Environment" while cloning autorest.python: pnpm@9.5.0 is rejected because its npm registry signature can no longer be verified (npm signing-key rotation). Infrastructure issue, affects any PR running this pipeline.

Happy to help with a fix for the textanalytics fixtures in a separate PR if useful.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Azure.Identity Community Contribution Community members are working on the issue customer-reported Issues that are reported by GitHub users external to the Azure organization.

Projects

Status: Untriaged

Development

Successfully merging this pull request may close these issues.

2 participants