Missing App registration in new sovereign clouds

[davpeet]

Describe the bug

When connecting to the new French sovereign cloud (Bleu Cloud) using a user-defined environment I get the following error indicating a missing app registration:

Troubleshooting details

If you contact your administrator, send this info to them.
Copy info to clipboard Copied

Request Id: f7b7b86a-a379-481b-aa7d-18b3198b5a00

Correlation Id: 34f0ef31-0f5a-4c64-b872-e90cc9e342ac

Timestamp: 2026-01-08T09:33:00Z

Message: AADSTS700016: Application with identifier '14d82eec-204b-4c2f-b7e8-296a70dab67e' was not found in the directory 'Microsoft'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.

Flag sign-in errors for review: Enable flagging

If you plan on getting help for this problem, enable flagging and try to reproduce the error within 20 minutes. Flagged events make diagnostics available and are raised to admin attention.

Expected behavior

Connection should be successful

How to reproduce

1. Connect to a jumpbox with connectivity to the French sovereign cloud
2. Execute the following PowerShell:
   Import-Module Microsoft.Graph -Force
   Add-MgEnvironment -Name "BleuCloud"
   -AzureAdEndpoint "https://login.sovcloud-identity.fr" `
   -GraphEndpoint "https://graph.svc.sovcloud.fr"

$scopes = @("User.Read.All","Group.Read.All")
Connect-MgGraph -Environment BleuCloud -Scopes $scopes

SDK Version

2.28.0

Latest version known to work for scenario above?

No response

Known Workarounds

None

Debug output

DEBUG: InteractiveBrowserCredential.Authenticate invoked. Scopes: [ User.Read.All, Group.Read.All ] ParentRequestId:
DEBUG: Executing interactive authentication workflow inline.
DEBUG: False MSAL 4.67.2.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2026-01-08 09:51:22Z - 35f2fcc9-b141-43bb-9d25-2b2f674d1759] MSAL MSAL.Desktop with assembly version '4.67.2.
0'. CorrelationId(35f2fcc9-b141-43bb-9d25-2b2f674d1759)
DEBUG: False MSAL 4.67.2.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2026-01-08 09:51:22Z - 35f2fcc9-b141-43bb-9d25-2b2f674d1759] === InteractiveParameters Data ===
LoginHint provided: False
User provided: False
UseEmbeddedWebView: NotSpecified
ExtraScopesToConsent:
Prompt: select_account
HasCustomWebUi: False
DEBUG: False MSAL 4.67.2.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2026-01-08 09:51:22Z - 35f2fcc9-b141-43bb-9d25-2b2f674d1759]
=== Request Data ===
Authority Provided? - True
Scopes - User.Read.All Group.Read.All
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenInteractive
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - 35f2fcc9-b141-43bb-9d25-2b2f674d1759
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:

DEBUG: False MSAL 4.67.2.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2026-01-08 09:51:22Z - 35f2fcc9-b141-43bb-9d25-2b2f674d1759] === Token Acquisition (InteractiveRequest) start
ed:
Scopes: User.Read.All Group.Read.All
DEBUG: False MSAL 4.67.2.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2026-01-08 09:51:22Z - 35f2fcc9-b141-43bb-9d25-2b2f674d1759] [Instance Discovery] Instance discovery is enabl
ed and will be performed
DEBUG: False MSAL 4.67.2.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2026-01-08 09:51:22Z - 35f2fcc9-b141-43bb-9d25-2b2f674d1759] [Region discovery] Not using a regional authorit
y.
DEBUG: False MSAL 4.67.2.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2026-01-08 09:51:22Z - 35f2fcc9-b141-43bb-9d25-2b2f674d1759] Using legacy embedded browser.
DEBUG: False MSAL 4.67.2.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2026-01-08 09:51:51Z - 35f2fcc9-b141-43bb-9d25-2b2f674d1759] Authorization result status returned user cancel
led authentication.
DEBUG: False MSAL 4.67.2.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2026-01-08 09:51:51Z - 35f2fcc9-b141-43bb-9d25-2b2f674d1759] Exception type: Microsoft.Identity.Client.MsalCl
ientException
, ErrorCode: authentication_canceled
To see full exception details, enable PII Logging. See https://aka.ms/msal-net-logging
at Microsoft.Identity.Client.Internal.AuthCodeRequestComponent.VerifyAuthorizationResult(AuthorizationResult authorizationResult, String originalState)
at Microsoft.Identity.Client.Internal.AuthCodeRequestComponent.d__7.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Identity.Client.Internal.AuthCodeRequestComponent.d__4.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Identity.Client.Internal.Requests.InteractiveRequest.d__11.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Identity.Client.Internal.Requests.InteractiveRequest.d__9.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<b__1>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Identity.Client.Utils.StopwatchService.d__4.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Identity.Client.Internal.Requests.RequestBase.d__11.MoveNext()

DEBUG: InteractiveBrowserCredential.Authenticate was unable to retrieve an access token. Scopes: [ User.Read.All, Group.Read.All ] ParentRequestId: Exception: Azure.Identity.Authentica
tionFailedException (0x80131500): InteractiveBrowserCredential authentication failed: User canceled authentication.
---> Microsoft.Identity.Client.MsalClientException (0x80131500): User canceled authentication.
Connect-MgGraph : InteractiveBrowserCredential authentication failed: User canceled authentication.
At line:1 char:1

• Connect-MgGraph -Environment BleuCloud -Scopes $scopes -Debug

•   + CategoryInfo          : NotSpecified: (:) [Connect-MgGraph], AuthenticationFailedException
    + FullyQualifiedErrorId : Microsoft.Graph.PowerShell.Authentication.Cmdlets.ConnectMgGraph
  
  
  

Configuration

• OS: Windows 11 Enterprise 25H2 26200.7392

Other information

No response

[davpeet]

I was able to create a workaround by manually registering an app in the Entra Directory on a sovereign cloud tenant:
Create the app registration (tenant admin center)

Go to the Microsoft Entra admin center → Microsoft Entra ID → Identity → Applications → App registrations → New registration.
• Name: e.g., Graph-PowerShell-Automation
• Supported account types: Accounts in this organizational directory only
• Redirect URI: http://localhost
• Click Register.
On the app’s Overview page, copy the:
• Application (client) ID
• Directory (tenant) ID
You’ll need both for Connect MgGraph later.
Assign Microsoft Graph Application permissions

1. In the app, open API permissions → Add a permission → Microsoft Graph → Application permissions.
2. Add the least privilege permissions your scripts require (examples below).
3. Click Grant admin consent (requires Global Admin or Privileged Role Admin).
   Common permission examples (pick only what you need):
   • User.Read.All (read users)
   • Group.ReadWrite.All (manage groups)
   • Directory.Read.All / Directory.AccessAsUser.All (careful—broad)
   • Policy.Read.All or Policy.ReadWrite.Authorization (configure consent settings)
   Configure certificate credentials (recommended)
4. Generate a certificate (self signed is fine for internal automation).
   PowerShell

Example: create a 2-year self-signed cert in CurrentUser\My

$cert = New-SelfSignedCertificate -Subject "CN=Graph-PowerShell-Automation"
-CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable
-KeyLength 2048 -KeyAlgorithm RSA
-HashAlgorithm SHA256 `
-NotAfter (Get-Date).AddYears(2)

Export a .cer (public key) to upload to Entra; keep the private key in your vault

Export-Certificate -Cert $cert -FilePath "$env:USERPROFILE\Desktop\GraphAutomation.cer"
2. In Certificates & secrets → Certificates → Upload certificate → select the .cer you exported.
Example – Conceptual Pattern
PowerShell to add use-defined environments for the Microsoft.Graph module
Import-Module Microsoft.Graph
Add-MgEnvironment -Name "BleuCloud"
-AzureAdEndpoint "https://login.sovcloud-identity.fr/" `
-GraphEndpoint "https://graph.svc.sovcloud.fr/"

PowerShell to connecting to a user-defined environment
$TenantId = "xxxx-xxxx-xxxx-xxxx-xxxx"
$ClientId = " xxxx-xxxx-xxxx-xxxx-xxxx "

Connect-MgGraph -TenantId $TenantID -ClientId $ClientId
-Environment BleuCloud