From 3b3ea8ac47fa611cd6d2ff1d9c06d3f311912b0b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rui=20Tom=C3=A9?= <108268980+r-tome@users.noreply.github.com>
Date: Mon, 2 Jun 2025 14:00:07 +0100
Subject: [PATCH] [PM-15456] Update AzureDirectoryService to dynamically select Graph API endpoint based on identity authority (public or government) (#777)
Co-authored-by: bnagawiecki <107435978+bnagawiecki@users.noreply.github.com>
---
 src/services/azure-directory.service.ts | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/services/azure-directory.service.ts b/src/services/azure-directory.service.ts
index 2f6055dc..8c332bfc 100644
--- a/src/services/azure-directory.service.ts
+++ b/src/services/azure-directory.service.ts
@@ -18,7 +18,9 @@ import { BaseDirectoryService } from "./baseDirectory.service";
 import { IDirectoryService } from "./directory.service";
 const AzurePublicIdentityAuhtority = "login.microsoftonline.com";
+const AzurePublicGraphEndpoint = "https://graph.microsoft.com";
 const AzureGovermentIdentityAuhtority = "login.microsoftonline.us";
+const AzureGovernmentGraphEndpoint = "https://graph.microsoft.us";
 const NextLink = "@odata.nextLink";
 const DeltaLink = "@odata.deltaLink";
@@ -207,7 +209,7 @@ export class AzureDirectoryService extends BaseDirectoryService implements IDire
 if (keyword === "excludeadministrativeunit" || keyword === "includeadministrativeunit") {
 for (const p of pieces) {
 let auMembers = await this.client
- .api(`https://graph.microsoft.com/v1.0/directory/administrativeUnits/${p}/members`)
+ .api(`${this.getGraphApiEndpoint()}/v1.0/directory/administrativeUnits/${p}/members`)
 .get();
 // eslint-disable-next-line
 while (true) {
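Review bot: Only this absolute-URL call in the `@@ -207,7 +209,7 @@` hunk is moved to `getGraphApiEndpoint()`; any call that passes a relative path to `this.client.api(...)` would still resolve against whatever base URL the client was created with, and that setup is not visible in this patch. If the client keeps a public-cloud default, a token requested with the `https://graph.microsoft.us/.default` scope would be presented to `graph.microsoft.com`, so it is worth confirming that the client's base URL is derived from the same helper. Separately, `${p}` goes into the path unencoded; `pieces` is built outside the hunk, and if it comes from the configured filter text, `encodeURIComponent(p)` would keep each value to a single path segment. The enclosing method starts and ends outside the hunk.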
@@ -478,7 +480,7 @@ export class AzureDirectoryService extends BaseDirectoryService implements IDire
 client_id: this.dirConfig.applicationId,
 client_secret: this.dirConfig.key,
 grant_type: "client_credentials",
- scope: "https://graph.microsoft.com/.default",
+ scope: `${this.getGraphApiEndpoint()}/.default`,
 });
 const req = https
@@ -542,4 +544,10 @@ export class AzureDirectoryService extends BaseDirectoryService implements IDire
 exp.setSeconds(exp.getSeconds() + expSeconds);
 this.accessTokenExpiration = exp;
 }
+
+ private getGraphApiEndpoint(): string {
+ return this.dirConfig.identityAuthority === AzureGovermentIdentityAuhtority
+ ? AzureGovernmentGraphEndpoint
+ : AzurePublicGraphEndpoint;
+ }
 }
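Review bot: In the `@@ -542,4 +544,10 @@` hunk, `getGraphApiEndpoint()` returns the public endpoint for every `identityAuthority` value that is not exactly equal to `AzureGovermentIdentityAuhtority`, so a misspelled or differently cased authority silently selects `https://graph.microsoft.com` for both the token `scope` and the administrative-unit request. Whether `identityAuthority` is validated before these call sites is not visible in the patch; if it is not, matching `AzurePublicIdentityAuhtority` (and an unset value) explicitly and throwing on anything else would make the helper fail closed instead of defaulting. The method also has no doc comment; something like `/** Graph base URL for dirConfig.identityAuthority; falls back to the public cloud unless the government authority is configured. */` would record the fallback for the next reader.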