Azure Cloud Discovery | HTTP 400 Error | AADSTS900382: Confidential Client is not supported in Cross Cloud requestIssue <!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Issue: Azure Cloud Discovery fails with HTTP 400 error response message like below in Pattern Logs: Discovery Subscription Error : Failed to execute API - Fetching token failed, status code: 400, response body: {"error":"invalid_request","error_description":"AADSTS900382: Confidential Client is not supported in Cross Cloud request.\r\nTrace ID: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX\r\nCorrelation ID: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX\r\nTimestamp: 2050-01-01 00:00:000","error_codes":[900382],"timestamp":"2050-01-01 00:00:000","trace_id":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX0","correlation_id":XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"} (script_include:AzureAPIInvoker; line 38) Release<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Releases: All Environment: Microsoft Azure Government Cloud / Regulated Markets Cause<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } 1. The Azure Government Cloud URL has not been configured in the Datacenter URL field on the Cloud Service Account record being used for Discovery. The Azure Discovery Patterns use the Datacenter URL field on the Cloud Service Account to get Government Cloud URLs.If the Datacenter URL field is empty, then the pattern will default to commercial Azure URL.This is a requirement for government accounts per ServiceNow Documentation Add an Azure Service Account Datacenter URLURL of the datacenter. This field is required only for the government and regional accounts. Discovery and Service Mapping Patterns supports the US, Germany, and China Microsoft Azure government clouds. 2. MID Server Properties are not configured or incorrectly configured. Following ServiceNow Documentation, the below MID Server Properties need to be set with the below values and should be checked first. Name Value mid.cmp.azure_api.base_endpoint https://management.usgovcloudapi.net/${apiPath} mid.cmp.azure_api.storage.container.path https://${accountName}.blob.core.usgovcloudapi.net/?comp=list mid.property.azure_token_manager.endpoint https://login.microsoftonline.us/${tenantId}/oauth2/token mid.property.azure_token_manager.endpoint_content grant_type=client_credentials&client_id=${clientId}&resource=https%3A%2F%2Fmanagement.usgovcloudapi.net%2F&client_secret=${clientSecret} mid.cmp.azure_api.storage.blob.path https://${accountName}.blob.core.usgovcloudapi.net/${containerName}?restype=container&include=snapshots&comp=list 3. On the Azure side all of the libraries default to using https://login.microsoftonline.com as the Azure Active Directory authority host. Each of the other clouds have different authority host endpoints that need to be configured in Azure. Please see below article for more details. https://blog.jongallant.com/2020/02/azure-identity-other-clouds/ * Note, the majority of issues with this error message have been resolved on the Azure side. Resolution<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } 1. First, check that the Azure Service Account [cmdb_ci_cloud_service_account] record has the Azure Government Cloud URL below set to the Datacenter URL field. https://management.usgovcloudapi.net/ 2. Second, check the MID Server Properties above are defined and have the same values as our documentation. 3. In Azure, set Authority Host via the AZURE_AUTHORITY_HOST Environment Variable and Authority Host via the "AuthorityHost" property and AzureAuthorityHosts enums. as outlined in the below article. https://blog.jongallant.com/2020/02/azure-identity-other-clouds/ ** Please contact Microsoft/Azure Support with any configuration issues in Azure.