We've implemented (public cloud) Azure SSO login without any issues on our site. However, a new customer needs to use government cloud only. What is the correct way to support both government cloud login AND public cloud logins?

The approach I've taken is to create a brand new app in the government portal: portal.azure.us. The problem is now I have an app in the public portal (portal.azure.com) and a separate app in the government portal (portal.azure.us). This is a problem because we can only do "domain verification" for our site's root domain on 1 tenant max. I'm not able to verify our root domain in both places (according to Microsoft support). This is a problem because without domain verification of our root domain, the application consent screen in government cloud shows UNVERIFIED under our company name, and this is clearly not ok for production use. The public consent screen is fine because we did "publisher verification" to verify our app. (Publisher verification is not available in the government cloud.)

Am I making a mistake by having 2 apps in the 2 clouds? Should we just be using the government cloud app, and having all end users (both public and government) log in through that? Assuming that is possible and the best course of action, I can basically delete our public cloud app, and that frees up our root domain to be verified only in the government app, and that will fix our consent screen. Is this the best practice for our situation?

Kartik Bhiwapurkar

• According to your scenario, the identities in Azure Public and the identities in Azure Government will have their own sets of credentials; if you have both Azure Public and Azure Government subscriptions, separate identities for both are required. Thus, a single person will have two identities to access the resources in their subscriptions in Azure Public and Azure Government.

• If the root domain of the organization is verified in one subscription and the subdomain or the same domain is added in another subscription, then the one whose DNS records are updated in the public DNS server will be verified and the other one will be shown as unverified. This scenario is regarding the directories that are hosted directly in Azure AD.

• In case you had an on-premises Active Directory that is synced to an Azure Public AD tenant as well as an Azure Government AD tenant, then the root domain in Azure Public would be verified as the name of the root domain itself, while the one in Azure Government AD will have ‘domainname.onmicrosoft.us’ as the domain suffix. This domain suffix will also be the same for the identities that are synced in the respective cloud subscriptions, but the root domain would be shown as verified in both.

• Thus, for now, you will have to prioritize the access of the apps in Azure Public and Azure Government according to their importance, and accordingly verify the domain name in that subscription for the app consent to show accordingly and comply. Your users who are accessing the apps in both subscriptions, i.e., Azure Public and Azure Government, will continue to have two sets of credentials respectively.

Please refer to the official documentation links below for more information:

https://learn.microsoft.com/en-us/azure/azure-government/documentation-government-plan-identity

https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory
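Because the two clouds are separate identity systems with separate app registrations, a site that supports both has to keep two sign-in configurations and must never let a token issued by one cloud satisfy the other cloud's configuration. The following added example (not code from the question or the answer) sketches that separation in Python: it maps each cloud to its documented authority and Microsoft Graph hosts, builds the OIDC discovery URL per cloud, and checks the `iss`, `tid` and `aud` claims of an already signature-verified token against the cloud the request claims to belong to. The client IDs are placeholders for the two app registrations the question describes, and the tenant ids and claims in the demo are constructed.

```python
"""Cloud-aware Azure AD sign-in configuration and cross-cloud token check.

Added example, not part of the original question or answer. Authority and
Graph hosts are the documented Azure Public / Azure Government endpoints;
client IDs are placeholders for the two separate app registrations.
"""
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlparse


@dataclass(frozen=True)
class CloudConfig:
    name: str
    authority_host: str  # OIDC authority host for this cloud
    graph_host: str      # Microsoft Graph host for this cloud
    client_id: str       # app registered in THIS cloud's portal (placeholder)


CLOUDS: Dict[str, CloudConfig] = {
    "public": CloudConfig("public", "login.microsoftonline.com",
                          "graph.microsoft.com", "<PUBLIC-APP-CLIENT-ID>"),
    "usgov": CloudConfig("usgov", "login.microsoftonline.us",
                         "graph.microsoft.us", "<GOV-APP-CLIENT-ID>"),
}


def discovery_url(cloud: str, tenant: str = "organizations") -> str:
    """OIDC discovery document for the given cloud and tenant segment."""
    cfg = CLOUDS[cloud]
    return f"https://{cfg.authority_host}/{tenant}/v2.0/.well-known/openid-configuration"


def expected_issuer(cloud: str, tenant_id: str) -> str:
    """Issuer value a v2.0 token from this cloud/tenant is expected to carry."""
    return f"https://{CLOUDS[cloud].authority_host}/{tenant_id}/v2.0"


def cloud_for_issuer(issuer: str) -> Optional[str]:
    """Map a token's iss claim back to the cloud that issued it, or None."""
    host = urlparse(issuer).hostname
    for name, cfg in CLOUDS.items():
        if host == cfg.authority_host:
            return name
    return None


def validate_token_claims(claims: dict, cloud: str) -> bool:
    """Reject tokens whose issuer or audience belong to a different cloud or app.

    Assumes the token signature was already verified against the JWKS of the
    discovery document for `cloud`; this function only checks the claims that
    tie the token to one cloud and one app registration.
    """
    cfg = CLOUDS[cloud]
    iss = claims.get("iss", "")
    tid = claims.get("tid", "")
    if cloud_for_issuer(iss) != cloud:
        return False                      # issued by the other cloud
    if iss != expected_issuer(cloud, tid):
        return False                      # iss and tid disagree
    if claims.get("aud") != cfg.client_id:
        return False                      # minted for a different app
    return True


if __name__ == "__main__":
    # Constructed claims, as a signature-verified ID token would present them.
    gov_claims = {"iss": "https://login.microsoftonline.us/t-gov-1/v2.0",
                  "tid": "t-gov-1", "aud": "<GOV-APP-CLIENT-ID>"}
    print(discovery_url("usgov"))
    print("gov token on gov config:", validate_token_claims(gov_claims, "usgov"))
    print("gov token on public config:", validate_token_claims(gov_claims, "public"))
```

The sign-in flow picks `cloud` from something the user or customer record supplies (for instance, a per-customer setting), never from the token itself; otherwise the check degenerates into accepting whatever cloud the token names.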