Azure: servicePrincipalTokenFromFederatedToken ignores AZURE_AUTHORITY_HOST, breaks federated token auth in sovereign clouds #21219

@cmich3625

Description

When using useFederatedToken: true in Azure Government, Loki ignores the AZURE_AUTHORITY_HOST env var injected by the Azure Workload Identity webhook. Auth requests hit login.microsoftonline.com instead of login.microsoftonline.us, resulting in AADSTS900382: Confidential Client is not supported in Cross Cloud request.

The root cause is in pkg/storage/chunk/client/azure/blob_storage_client.go lines 518-544, where the AD endpoint is resolved via azure.EnvironmentFromName() from the config field rather than from AZURE_AUTHORITY_HOST. Loki already reads AZURE_CLIENT_ID, AZURE_TENANT_ID, and AZURE_FEDERATED_TOKEN_FILE from env vars but misses AZURE_AUTHORITY_HOST.

To Reproduce

  1. Deploy Loki on Azure Kubernetes Service in an Azure Government subscription
  2. Enable Azure Workload Identity (webhook injects AZURE_AUTHORITY_HOST=https://login.microsoftonline.us/)
  3. Configure Loki with useFederatedToken: true and Azure Blob storage backend without explicitly setting environment: AzureUSGovernment
  4. Observe auth failure: AADSTS900382: Confidential Client is not supported in Cross Cloud request

Expected behavior
Loki should respect AZURE_AUTHORITY_HOST when constructing the federated token credential, consistent with how the Azure Workload Identity webhook communicates the correct authority endpoint to workloads.

Proposed fix

  • Check AZURE_AUTHORITY_HOST before falling back to azure.EnvironmentFromName(), or
  • Migrate from deprecated go-autorest/adal to azidentity which respects AZURE_AUTHORITY_HOST natively

Workaround
Set environment: AzureUSGovernment under loki.storage.azure in Helm values.

Environment:

  • Infrastructure: Kubernetes (AKS, Azure Government)
  • Deployment tool: Helm

Relevant code
https://github.com/grafana/loki/blob/main/pkg/storage/chunk/client/azure/blob_storage_client.go#L518-L544
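Added illustration of the first proposed fix (not Loki's code and not part of the issue): a Go resolver that prefers the webhook-injected AZURE_AUTHORITY_HOST, checks that it is an https URL before using it as the token endpoint, and only then falls back to the configured environment name. The knownAuthorities table is a constructed stand-in for azure.EnvironmentFromName() and lists only the two clouds named in this issue; the getenv parameter is an assumption so the lookup can be exercised without touching the real process environment.

```go
package main

import (
	"fmt"
	"net/url"
	"os"
	"strings"
)

// knownAuthorities is a constructed stand-in for azure.EnvironmentFromName():
// only the two clouds mentioned in the issue are listed here.
var knownAuthorities = map[string]string{
	"AZUREPUBLICCLOUD":  "https://login.microsoftonline.com/",
	"AZUREUSGOVERNMENT": "https://login.microsoftonline.us/",
}

// ResolveAuthorityHost returns the AAD authority to use for the federated
// token exchange. The Workload Identity webhook's AZURE_AUTHORITY_HOST wins;
// the configured environment name is only a fallback. getenv is injected
// (assumption) so the logic can be tested without the real environment.
func ResolveAuthorityHost(getenv func(string) string, environmentName string) (string, error) {
	if raw := strings.TrimSpace(getenv("AZURE_AUTHORITY_HOST")); raw != "" {
		u, err := url.Parse(raw)
		if err != nil || u.Scheme != "https" || u.Host == "" {
			// A client assertion must never be posted to a non-TLS or malformed endpoint.
			return "", fmt.Errorf("AZURE_AUTHORITY_HOST %q is not an https URL", raw)
		}
		// Normalise to a single trailing slash, matching what the webhook injects.
		return strings.TrimSuffix(u.String(), "/") + "/", nil
	}
	if environmentName == "" {
		environmentName = "AzurePublicCloud"
	}
	host, ok := knownAuthorities[strings.ToUpper(environmentName)]
	if !ok {
		return "", fmt.Errorf("unknown Azure environment %q", environmentName)
	}
	return host, nil
}

func main() {
	host, err := ResolveAuthorityHost(os.Getenv, "AzurePublicCloud")
	fmt.Println(host, err)
}
```

With the env var set by the webhook the configured environment is never consulted, which is exactly the behaviour the issue asks for; with it unset the resolver behaves like the current fallback.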
