From e03a0929f4deb9654a6eae6557230338f73e7c4d Mon Sep 17 00:00:00 2001
From: msbrett <msbrett@users.no-reply.github.com>
Date: Mon, 6 Apr 2026 09:49:23 -0700
Subject: [PATCH 1/2] feat(finops-hub): Add sovereign cloud DNS suffix support
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Add environment-aware Kusto DNS suffix lookup map covering
  AzureCloud, AzureUSGovernment, and AzureChinaCloud with
  replace() fallback heuristic for unknown clouds
- Fix incorrect Azure China ADX DNS suffix
  (kusto.chinacloudapi.cn → kusto.windows.cn)
- Fix createUiDefinition.json storage URL validation regex
  to accept sovereign cloud storage suffixes
- Fix gitapp.hub.com typo in ADF linked service URL

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .gitignore                                    |  4 ++++
 docs-mslearn/toolkit/changelog.md             |  5 +++++
 .../finops-hub/createUiDefinition.json        |  6 +++---
 .../Microsoft.FinOpsHubs/Analytics/app.bicep  | 21 ++++++++++---------
 4 files changed, 23 insertions(+), 13 deletions(-)

diff --git a/.gitignore b/.gitignore
index b78a348fc..e4fb25448 100644
--- a/.gitignore
+++ b/.gitignore
@@ -373,3 +373,7 @@ env/
 
 # Auto-generated build artifacts
 src/templates/finops-hub-copilot-studio/knowledge/query-catalog.md
+.gate/
+todo/
+done/
+release/scloud-occurrence-report.md
diff --git a/docs-mslearn/toolkit/changelog.md b/docs-mslearn/toolkit/changelog.md
index 30f3c252f..ff413afc9 100644
--- a/docs-mslearn/toolkit/changelog.md
+++ b/docs-mslearn/toolkit/changelog.md
@@ -54,6 +54,7 @@ _Released March 2026_
 ### [FinOps hubs](hubs/finops-hubs-overview.md) v14
 
 - **Added**
+  - Added [Microsoft Sovereign Cloud](/azure/azure-sovereign-clouds/microsoft-sovereign-cloud) support with environment-aware DNS suffix handling for Azure Government, Azure China, and other sovereign environments ([#2072](https://github.com/microsoft/finops-toolkit/pull/2072)).
   - Added [Copilot Studio agent template](hubs/configure-ai-copilot-studio.md) with instructions, schema reference, query catalog, and weekly report guide for creating a FinOps Hub Agent in Microsoft Copilot Studio using the Kusto Query MCP Server.
 - **Changed**
   - Improved deployment UI to consolidate hub mode selection into a single radio button group with four mutually exclusive options: None (storage only for Power BI reports), Azure Data Explorer, Microsoft Fabric, or Remote Hub ([#1929](https://github.com/microsoft/finops-toolkit/issues/1929)).
@@ -61,6 +62,10 @@ _Released March 2026_
   - Data Explorer SKU and retention settings are now only visible when Azure Data Explorer mode is selected.
   - Added typed metadata contracts between hub apps to formalize dependency management and enable compile-time verification of inter-app interfaces.
 - **Fixed**
+  - Fixed hardcoded Kusto DNS suffix to use an environment-aware lookup map with correct values for all supported clouds ([#2072](https://github.com/microsoft/finops-toolkit/pull/2072)).
+  - Fixed incorrect Azure China ADX DNS suffix (`kusto.chinacloudapi.cn` → `kusto.windows.cn`) ([#2072](https://github.com/microsoft/finops-toolkit/pull/2072)).
+  - Fixed `createUiDefinition.json` storage URL validation to accept sovereign cloud storage suffixes ([#2072](https://github.com/microsoft/finops-toolkit/pull/2072)).
+  - Fixed `gitapp.hub.com` typo in ADF linked service URL ([#2072](https://github.com/microsoft/finops-toolkit/pull/2072)).
   - Fixed Init-DataFactory deployment script failing when an Event Grid subscription is already provisioning by checking subscription status before attempting subscribe/unsubscribe and polling separately for completion ([#1996](https://github.com/microsoft/finops-toolkit/issues/1996)).
   - Added row count check in `msexports_ExecuteETL` pipeline to fix error when export files have no rows ([#1535](https://github.com/microsoft/finops-toolkit/issues/1535)).
 
diff --git a/src/templates/finops-hub/createUiDefinition.json b/src/templates/finops-hub/createUiDefinition.json
index a2af4f504..da1f029b8 100644
--- a/src/templates/finops-hub/createUiDefinition.json
+++ b/src/templates/finops-hub/createUiDefinition.json
@@ -166,11 +166,11 @@
             "name": "remoteHubStorageUri",
             "type": "Microsoft.Common.TextBox",
             "label": "Remote hub storage URI",
-            "toolTip": "Data Lake storage endpoint from the remote hub storage account. Copy from the storage account Settings > Endpoints > Data Lake storage. Example: https://myremotehub.dfs.core.windows.net/",
+            "toolTip": "Data Lake storage endpoint from the remote hub storage account. Copy from the storage account Settings > Endpoints > Data Lake storage. Example: https://myremotehub.dfs.core.windows.net/ (endpoint suffix varies by cloud)",
             "constraints": {
               "required": "[equals(basics('analyticsBackend').analyticsEngine, 'remote')]",
-              "regex": "^https://.*\\.dfs\\.core\\.windows\\.net/?$",
-              "validationMessage": "Must be a valid Data Lake storage endpoint URL in the format: https://storageaccount.dfs.core.windows.net/"
+              "regex": "^https://.*\\.dfs\\.core\\.[a-z.]+/?$",
+              "validationMessage": "Must be a valid Data Lake storage endpoint URL (e.g., https://storageaccount.dfs.core.windows.net/ for Azure public cloud)"
             },
             "visible": "[equals(basics('analyticsBackend').analyticsEngine, 'remote')]"
           },
diff --git a/src/templates/finops-hub/modules/Microsoft.FinOpsHubs/Analytics/app.bicep b/src/templates/finops-hub/modules/Microsoft.FinOpsHubs/Analytics/app.bicep
index b880e7108..46b5ea819 100644
--- a/src/templates/finops-hub/modules/Microsoft.FinOpsHubs/Analytics/app.bicep
+++ b/src/templates/finops-hub/modules/Microsoft.FinOpsHubs/Analytics/app.bicep
@@ -143,7 +143,13 @@ var useFabric = !empty(fabricQueryUri)
 var useAzure = !useFabric && !empty(clusterName)
 
 // cSpell:ignore ftkver, privatelink
-var dataExplorerPrivateDnsZoneName = replace('privatelink.${app.hub.location}.${replace(environment().suffixes.storage, 'core', 'kusto')}', '..', '.')
+var dataExplorerDnsSuffixLookup = {
+  AzureCloud: 'kusto.windows.net'
+  AzureUSGovernment: 'kusto.usgovcloudapi.net'
+  AzureChinaCloud: 'kusto.windows.cn'
+}
+var dataExplorerDnsSuffix = dataExplorerDnsSuffixLookup[?environment().name] ?? replace(environment().suffixes.storage, 'core', 'kusto')
+var dataExplorerPrivateDnsZoneName = replace('privatelink.${app.hub.location}.${dataExplorerDnsSuffix}', '..', '.')
 
 // Actual = Minimum(ClusterMaximumConcurrentOperations, Number of nodes in cluster * Maximum(1, Core count per node * CoreUtilizationCoefficient))
 var ingestionCapacity = {
@@ -219,7 +225,7 @@ var dataExplorerIngestionCapacity = useFabric
 
 // WORKAROUND: Direct property access fails on cluster updates due to ARM bug
 // See: https://github.com/Azure/azure-resource-manager-templates/issues/[issue-number]
-var dataExplorerUri = useFabric ? fabricQueryUri : 'https://${cluster.name}.${app.hub.location}.kusto.windows.net'
+var dataExplorerUri = useFabric ? fabricQueryUri : 'https://${cluster.name}.${app.hub.location}.${dataExplorerDnsSuffix}'
 
 //==============================================================================
 // Resources
@@ -546,7 +552,7 @@ resource dataFactoryVNet 'Microsoft.DataFactory/factories/managedVirtualNetworks
       #disable-next-line BCP318 // Null safety warning for conditional resource access // Null safety warning for conditional resource access // Null safety warning for conditional resource access
       privateLinkResourceId: cluster.id
       fqdns: [
-        'https://${replace(clusterName, '_', '-')}.${app.hub.location}.kusto.windows.net'
+        'https://${replace(clusterName, '_', '-')}.${app.hub.location}.${dataExplorerDnsSuffix}'
       ]
     }
   }
@@ -594,19 +600,14 @@ resource linkedService_dataExplorer 'Microsoft.DataFactory/factories/linkedservi
   }
 }
 
-// GitHub repository linked service for FTK open data
+// GitHub repository linked service for FTK release files
 resource linkedService_ftkRepo 'Microsoft.DataFactory/factories/linkedservices@2018-06-01' = {
   name: 'ftkRepo'
   parent: dataFactory
   properties: {
     type: 'HttpServer'
-    parameters: {
-      filePath: {
-        type: 'string'
-      }
-    }
     typeProperties: {
-      url: '@concat(\'https://gitapp.hub.com/microsoft/finops-toolkit/\', linkedService().filePath)'
+      url: 'https://github.com/microsoft/finops-toolkit/'
       enableServerCertificateValidation: true
       authenticationType: 'Anonymous'
     }

From 3e78cd47f627ec47ed97af0831e749170897610f Mon Sep 17 00:00:00 2001
From: msbrett <msbrett@users.no-reply.github.com>
Date: Mon, 6 Apr 2026 10:22:19 -0700
Subject: [PATCH 2/2] chore: Update ms.date in changelog

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 docs-mslearn/toolkit/changelog.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs-mslearn/toolkit/changelog.md b/docs-mslearn/toolkit/changelog.md
index ff413afc9..4353eca72 100644
--- a/docs-mslearn/toolkit/changelog.md
+++ b/docs-mslearn/toolkit/changelog.md
@@ -3,7 +3,7 @@ title: FinOps toolkit changelog
 description: Review the latest features and enhancements in the FinOps toolkit, including updates to FinOps hubs, Power BI reports, and more.
 author: MSBrett
 ms.author: brettwil
-ms.date: 04/04/2026
+ms.date: 04/06/2026
 ms.topic: reference
 ms.service: finops
 ms.subservice: finops-toolkit