Issue Description
When running SimpleChat against an Azure Government Cloud (GCC-H) deployment with
managed_identity authentication for Azure OpenAI, agent invocations returned a 401 Unauthorized
error. The token being acquired used the public-cloud Cognitive Services audience
(https://cognitiveservices.azure.com/.default) instead of the government-cloud audience
(https://cognitiveservices.azure.us/.default), so Azure OpenAI rejected every request. Note: multiple AI model endpoints were not configured.
Root Cause Analysis
Two related gaps in semantic_kernel_loader.py:

- Wrong scope for the global GPT token provider — resolve_global_gpt_token_provider built its auth_settings dict from Cosmos app_settings fields only. The Cosmos record did not contain a management_cloud key, so the value fell through to the hardcoded default "public". The build_token_provider function then selected the public-cloud scope unconditionally.
- Wrong scope for build_token_provider itself — before this fix, build_token_provider did not inspect management_cloud at all; scope was hardcoded to https://cognitiveservices.azure.com/.default regardless of the cloud environment.

Neither path read the AZURE_ENVIRONMENT environment variable that is already used everywhere else in
the codebase (config.py, route handlers, Bicep-generated App Service settings) to signal the active
cloud.
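To make the two gaps concrete, here is an added illustration (not SimpleChat's code) of the hardcoded scope beside a resolver that honours management_cloud and AZURE_ENVIRONMENT, plus a check that flags an audience/endpoint cloud mismatch before a request is sent. The accepted spellings of the cloud values ("public", "usgovernment", "AzureUSGovernment") and the endpoint hostname are assumptions for the example; only the two scope URLs come from the issue.

```python
import os
from urllib.parse import urlparse

# Cognitive Services token audiences per cloud. The two scope URLs are the
# ones named in the issue; the alias keys are assumed spellings of the
# AZURE_ENVIRONMENT / management_cloud values, not SimpleChat's actual ones.
_SCOPES = {
    "public": "https://cognitiveservices.azure.com/.default",
    "usgovernment": "https://cognitiveservices.azure.us/.default",
}
_ALIASES = {
    "public": "public", "azurecloud": "public",
    "usgovernment": "usgovernment", "azureusgovernment": "usgovernment",
}


def build_token_scope_before(auth_settings: dict) -> str:
    """Pre-fix behaviour from the issue: management_cloud is ignored entirely."""
    return "https://cognitiveservices.azure.com/.default"


def resolve_cognitive_services_scope(auth_settings: dict, environ=None) -> str:
    """Pick the audience from management_cloud, then AZURE_ENVIRONMENT.

    Unknown values raise instead of silently falling through to "public",
    which is the failure mode the issue describes.
    """
    environ = os.environ if environ is None else environ
    cloud = (auth_settings.get("management_cloud")
             or environ.get("AZURE_ENVIRONMENT")
             or "public")
    key = _ALIASES.get(str(cloud).strip().lower())
    if key is None:
        raise ValueError(f"unrecognised cloud environment: {cloud!r}")
    return _SCOPES[key]


def scope_matches_endpoint(scope: str, endpoint: str) -> bool:
    """Sanity check: the token audience must live in the same cloud as the
    Azure OpenAI endpoint (azure.com vs azure.us), otherwise expect a 401."""
    def cloud_suffix(url: str) -> str:
        host = urlparse(url).hostname or ""
        return ".".join(host.split(".")[-2:])
    return cloud_suffix(scope) == cloud_suffix(endpoint)
```

Running scope_matches_endpoint at provider construction time turns the silent wrong-audience default into a loud configuration error instead of a 401 on the first agent invocation.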