fix: route app.graph + .ctx.graph to sovereign endpoints via cloud.graphScope#538
Merged
fix: route app.graph + .ctx.graph to sovereign endpoints via cloud.graphScope#538
app.graph + .ctx.graph to sovereign endpoints via cloud.graphScope#538Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Fixes sovereign cloud support for Microsoft Graph by ensuring app.graph can target the correct Graph cloud endpoint instead of always using https://graph.microsoft.com.
Changes:
- Extend
@microsoft/teams.graphClientto accept an explicit Graph service root (baseUrlRoot) when cloning from an existing HTTP client. - Derive Graph base URL from the configured cloud’s
graphScopeinAppand pass it intoGraphClient. - Add unit tests covering the new positional
baseUrlRootbehavior in the Graph client constructor.
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| packages/graph/src/index.ts | Adds positional baseUrlRoot support and updates base URL selection logic. |
| packages/graph/src/index.spec.ts | Adds tests validating sovereign base URL routing via the new constructor parameter. |
| packages/apps/src/app.ts | Derives Graph base URL from cloud.graphScope and wires it into this.graph. |
| package-lock.json | Lockfile updates (workspace dependency metadata refresh). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
corinagum
added a commit
that referenced
this pull request
Apr 22, 2026
…loud.graphScope Address Copilot review feedback on #538: - graph: simplify baseUrlRoot resolution to `baseUrlRoot ?? options?.baseUrlRoot ?? default`; restores honoring options.baseUrlRoot on the http.Client branch (subtle backward-compat fix). - apps: store derived graphBaseUrl as a readonly App field; thread it into userGraph and appGraph instantiations in app.process.ts so per-activity Graph clients also route sovereign-correctly. Log a warning when a non-empty graphScope doesn't parse as a URL. - tests: add App-level tests (PUBLIC / US_GOV / US_GOV_DOD / CHINA / non-URL scope) verifying graphBaseUrl derivation; add graph tests for positional-vs-options precedence and the attached-baseUrlRoot-on-http.Client backward-compat path. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
heyitsaamir
reviewed
Apr 22, 2026
corinagum
changed the title
app.graph to sovereign endpoints via cloud.graphScopeapp.graph + .ctx.graph to sovereign endpoints via cloud.graphScope
…loud.graphScope Address Copilot review feedback on #538: - graph: simplify baseUrlRoot resolution to `baseUrlRoot ?? options?.baseUrlRoot ?? default`; restores honoring options.baseUrlRoot on the http.Client branch (subtle backward-compat fix). - apps: store derived graphBaseUrl as a readonly App field; thread it into userGraph and appGraph instantiations in app.process.ts so per-activity Graph clients also route sovereign-correctly. Log a warning when a non-empty graphScope doesn't parse as a URL. - tests: add App-level tests (PUBLIC / US_GOV / US_GOV_DOD / CHINA / non-URL scope) verifying graphBaseUrl derivation; add graph tests for positional-vs-options precedence and the attached-baseUrlRoot-on-http.Client backward-compat path. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Missed in the previous commit: the onTokenExchange and onVerifyState handlers construct ctx.userGraph independently of app.process.ts. Both now receive this.graphBaseUrl so sovereign cloud OAuth flows route to the correct Graph endpoint. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
corinagum
force-pushed
the
cg/graph-cloud-baseurl
branch
from
82aeb5b to
b235c40
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 6 out of 7 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
heyitsaamir
approved these changes
Apr 24, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
app.graphwas routing all Microsoft Graph calls to the public-cloud endpoint (https://graph.microsoft.com) regardless of the sovereign cloud configured on the app. Sovereign customers (GCCH, DoD, China) would be unable to useapp.graph- calls would hit the wrong cloud and fail. This PR fixes that by deriving the Graph base URL from the cloud'sgraphScopeand plumbing it throughGraphClient.Public cloud (default):
graphScope = "https://graph.microsoft.com/.default"→ derived base URL =https://graph.microsoft.com= previous hardcoded default. Zero behavior change.Sovereign clouds: behavior changes from broken (silently public) to correct (per-cloud). This is the fix.