Azure · annelo-msft · Jun 4, 2021 · Jun 1, 2021 · Jun 1, 2021 · Jun 1, 2021
diff --git a/sdk/containerregistry/Azure.Containers.ContainerRegistry/README.md b/sdk/containerregistry/Azure.Containers.ContainerRegistry/README.md
@@ -35,15 +35,37 @@ az acr create --name MyContainerRegistry --resource-group MyResourceGroup --loca
 
 ### Authenticate the client
 
-The [Azure Identity library][identity] provides easy Azure Active Directory support for authentication.
+The [Azure Identity library][identity] provides easy Azure Active Directory support for authentication.  You can set the environment variables `AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, and `AZURE_CLIENT_SECRET` to configure `DefaultAzureCredential` to authenticate with AAD. For more information refer to [Azure Identity environment variables](https://github.com/Azure/azure-sdk-for-net/tree/master/sdk/identity/Azure.Identity#environment-variables) or [DefaultAzureCredential](https://github.com/Azure/azure-sdk-for-net/tree/master/sdk/identity/Azure.Identity#defaultazurecredential).
 public bool ExcludeEnvironmentCredential { get; set; } 
 public bool ExcludeEnvironmentCredential { get; set; } 
 
 ```C#
-// Create a ContainerRegistryClient that will authenticate through Active Directory
+// Create a ContainerRegistryClient that will authenticate through Azure Active Directory
 Uri endpoint = new Uri(Environment.GetEnvironmentVariable("REGISTRY_ENDPOINT"));
 ContainerRegistryClient client = new ContainerRegistryClient(endpoint, new DefaultAzureCredential());
 ```
 
-Note that these samples assume you have a `REGISTRY_ENDPOINT` environment variable set, which is the URL including the name of the login server and the `https://` prefix.
+Note that this samples assume you have a `REGISTRY_ENDPOINT` environment variable set.  This would be set to a string containing the `https://` prefix and the name of the login server, for example "https://myregistry.azurecr.io".
+
+#### National Clouds
+
+To authenticate with a registry in a [National Cloud](https://docs.microsoft.com/azure/active-directory/develop/authentication-national-cloud), you will need to make the following additions to your client configuration:
+
+- Set the `AuthorityHost` in the credential options or via the `AZURE_AUTHORITY_HOST` environment variable
+- Set the `AuthenticationScope` in `ContainerRegistryClientOptions`
+
+```C#
+// Create a ContainerRegistryClient that will authenticate through AAD in the China national cloud
+Uri endpoint = new Uri(Environment.GetEnvironmentVariable("REGISTRY_ENDPOINT"));
+ContainerRegistryClient client = new ContainerRegistryClient(endpoint,
+    new DefaultAzureCredential(
+        new DefaultAzureCredentialOptions()
+        {
+            AuthorityHost = AzureAuthorityHosts.AzureChina
+        }),
+    new ContainerRegistryClientOptions()
+    {
+        AuthenticationScope = "https://management.chinacloudapi.cn/.default"
+    });
+```
 
 For more information on using AAD with Azure Container Registry, please see the service's [Authentication Overview](https://docs.microsoft.com/azure/container-registry/container-registry-authentication).
 

diff --git a/sdk/containerregistry/Azure.Containers.ContainerRegistry/src/ContainerRegistryClient.cs b/sdk/containerregistry/Azure.Containers.ContainerRegistry/src/ContainerRegistryClient.cs
@@ -19,7 +19,6 @@ public partial class ContainerRegistryClient
         private readonly ClientDiagnostics _clientDiagnostics;
         private readonly ContainerRegistryRestClient _restClient;
         private readonly AuthenticationRestClient _acrAuthClient;
-        private readonly string AcrAadScope = "https://management.core.windows.net/.default";
 
         /// <summary>
         /// Initializes a new instance of the <see cref="ContainerRegistryClient"/> for managing container images and artifacts,
@@ -80,7 +79,7 @@ public ContainerRegistryClient(Uri endpoint, TokenCredential credential, Contain
             _acrAuthPipeline = HttpPipelineBuilder.Build(options);
             _acrAuthClient = new AuthenticationRestClient(_clientDiagnostics, _acrAuthPipeline, endpoint.AbsoluteUri);
 
-            _pipeline = HttpPipelineBuilder.Build(options, new ContainerRegistryChallengeAuthenticationPolicy(credential, AcrAadScope, _acrAuthClient));
+            _pipeline = HttpPipelineBuilder.Build(options, new ContainerRegistryChallengeAuthenticationPolicy(credential, options.AuthenticationScope, _acrAuthClient));
             _restClient = new ContainerRegistryRestClient(_clientDiagnostics, _pipeline, _endpoint.AbsoluteUri);
         }
 

diff --git a/...ontainerregistry/Azure.Containers.ContainerRegistry/src/ContainerRegistryClientOptions.cs b/...ontainerregistry/Azure.Containers.ContainerRegistry/src/ContainerRegistryClientOptions.cs
@@ -13,6 +13,17 @@ public class ContainerRegistryClientOptions : ClientOptions
     {
         internal string Version { get; }
 
+        /// <summary>
+        /// Gets or sets the authentication scope to use for authentication with AAD.
+        /// This defaults to the Azure Resource Manager "Azure Global" scope.  To
+        /// connect to a different cloud, set this value to "&lt;resource-id&gt;/.default",
+        /// where &lt;resource-id&gt; is one of the Resource IDs listed at
+        /// https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/services-support-managed-identities#azure-resource-manager.
+        /// For example, to connect to the Azure Germany cloud, create a client with
+        /// <see cref="AuthenticationScope"/> set to "https://management.microsoftazure.de/.default".
+        /// </summary>
+        public string AuthenticationScope { get; set; } = "https://management.azure.com/.default";
+
         /// <summary>
         /// </summary>
         /// <param name="version"></param>

diff --git a/...inerregistry/Azure.Containers.ContainerRegistry/tests/ContainerRegistryClientLiveTests.cs b/...inerregistry/Azure.Containers.ContainerRegistry/tests/ContainerRegistryClientLiveTests.cs
@@ -3,14 +3,15 @@
 
 using System.Collections.Generic;
 using Azure.Core.TestFramework;
+using Azure.Identity;
 using NUnit.Framework;
 using Task = System.Threading.Tasks.Task;
 
 namespace Azure.Containers.ContainerRegistry.Tests
 {
     public class ContainerRegistryClientLiveTests : ContainerRegistryRecordedTestBase
     {
-        public ContainerRegistryClientLiveTests(bool isAsync) : base(isAsync)
+        public ContainerRegistryClientLiveTests(bool isAsync) : base(isAsync, RecordedTestMode.Record)
         {
         }
 
@@ -152,5 +153,15 @@ public void CanDeleteRepostitory_Anonymous()
 
             Assert.ThrowsAsync<RequestFailedException>(() => client.DeleteRepositoryAsync(repository));
         }
+
+        [RecordedTest]
+        public void InvalidAuthenticationScope_FailsToAuthenticate()
+        {
+            // Arrange
+            string repository = $"library/hello-world";
+            var client = CreateClient(false, "https://management.azure.other-cloud/.default");
+
+            Assert.ThrowsAsync<AuthenticationFailedException>(() => client.DeleteRepositoryAsync(repository));
+        }
     }
 }
diff --git a/...nerregistry/Azure.Containers.ContainerRegistry/tests/ContainerRegistryRecordedTestBase.cs b/...nerregistry/Azure.Containers.ContainerRegistry/tests/ContainerRegistryRecordedTestBase.cs
@@ -26,8 +26,14 @@ public ContainerRegistryRecordedTestBase(bool isAsync, RecordedTestMode mode) :
             Sanitizer = new ContainerRegistryRecordedTestSanitizer();
         }
 
-        public ContainerRegistryClient CreateClient(bool anonymousAccess = false)
+        public ContainerRegistryClient CreateClient(bool anonymousAccess = false, string authenticationScope = null)
         {
+            ContainerRegistryClientOptions options = new ContainerRegistryClientOptions();
+            if (authenticationScope != null)
+            {
+                options.AuthenticationScope = authenticationScope;
+            }
+
             return anonymousAccess ?
 
                 InstrumentClient(new ContainerRegistryClient(
@@ -38,7 +44,7 @@ public ContainerRegistryClient CreateClient(bool anonymousAccess = false)
                 InstrumentClient(new ContainerRegistryClient(
                     new Uri(TestEnvironment.Endpoint),
                     TestEnvironment.Credential,
-                    InstrumentClientOptions(new ContainerRegistryClientOptions())
+                    InstrumentClientOptions(options)
                 ));
         }
 

diff --git a/...rregistry/Azure.Containers.ContainerRegistry/tests/Samples/Sample03_SetImageProperties.cs b/...rregistry/Azure.Containers.ContainerRegistry/tests/Samples/Sample03_SetImageProperties.cs
@@ -82,5 +82,26 @@ public async Task SetImagePropertiesAsync()
                 CanDelete = true
             });
         }
+
+        //public async Task NationalCloudAuth()
+        //{
+        //    Identity.DefaultAzureCredential credential = new Identity.DefaultAzureCredential(
+        //        new DefaultAzureCredentialOptions()
+        //        {
+        //            AuthorityHost = AzureAuthorityHosts.AzureChina
+        //        });
+
+        //    ContainerRegistryClient client = new ContainerRegistryClient(new Uri("https://myreg.azurecr.us"),
+        //        new Identity.DefaultAzureCredential(
+        //            new DefaultAzureCredentialOptions()
+        //            {
+        //                AuthorityHost = AzureAuthorityHosts.AzureChina
+        //            }),
+        //        new ContainerRegistryClientOptions()
+        //        {
+        //            AuthenticationScope = "https://management.chinacloudapi.cn/.default"
+        //        });
+
+        //}
     }
 }
diff --git a/...ords/ContainerRegistryClientLiveTests/InvalidAuthenticationScope_FailsToAuthenticate.json b/...ords/ContainerRegistryClientLiveTests/InvalidAuthenticationScope_FailsToAuthenticate.json
diff --git a/...ContainerRegistryClientLiveTests/InvalidAuthenticationScope_FailsToAuthenticateAsync.json b/...ContainerRegistryClientLiveTests/InvalidAuthenticationScope_FailsToAuthenticateAsync.json