
[Bug] MSAL Conditional Access policy not throwing exception for required App Protection Policy

Open iris-georgej opened this issue 2 years ago • 9 comments

Which version of MSAL.NET are you using? MSAL.NET 4.50.0

Platform Xamarin Forms (iOS)

What authentication flow has the issue?

  • Desktop / Mobile
    • [x] Interactive
    • [ ] Integrated Windows Authentication
    • [ ] Username Password
    • [ ] Device code flow (browserless)
  • Web app
    • [ ] Authorization code
    • [ ] On-Behalf-Of
  • Daemon app
    • [ ] Service to Service calls

Other?

Is this a new or existing app? Existing app, new feature.

Repro

  1. Create a conditional access policy that requires an App Protection Policy.
  2. Authenticate via AcquireTokenInteractive.
  3. User is met with an in-browser message of "You can't get there from here", "It looks like you're trying to open this resource with a client app that is not available for use with app protection policies."

Expected behavior Once the user enters their credentials, if they do not have the App Protection Policy, then an error of IntuneAppProtectionPolicyRequiredException should be thrown. The app can then handle this error to make the device compliant.

Actual behavior Once the user enters their credentials, they are shown a message in the browser of "You can't get there from here", "It looks like you're trying to open this resource with a client app that is not available for use with app protection policies." On clicking the "OK" button an error is thrown with an Error Code of authentication_canceled.

Additional context / logs / screenshots / links to code The error of IntuneAppProtectionPolicyRequiredException has been thrown once when running through this flow but I have been unable to replicate this, even with uninstalling the app multiple times.

Looking at the Sign-in Diagnostic for AAD Conditional Access, the failures are reporting as Error Code: 53009, with a message of "Application Needs To Enforce Intune Protection Policies". The app has no way to handle this though as no error is thrown.

iris-georgej avatar Feb 16 '23 16:02 iris-georgej

A few questions:

  1. Are you passing client capabilities in the call?
  2. Did you try sample?
  3. Can you share your code?

SameerK-MSFT avatar Feb 16 '23 19:02 SameerK-MSFT

  1. Yes the client capability of "ProtApp" is passed
  2. The code is based off of this sample
private string _redirectUri = "msauth.com.*****.******://auth";
private IPublicClientApplication _pca;
private string[] _scopes = new[] { "******" };

var builder = PublicClientApplicationBuilder
    .Create(**ClientID**)
    .WithAuthority(**AuthorityURL**)
    .WithIosKeychainSecurityGroup("com.microsoft.adalcache")
    .WithRedirectUri(_redirectUri)
    .WithHttpClientFactory(new HttpSnifferClientFactory())
    .WithLogging(MSALLogCallback, LogLevel.Verbose)
    .WithClientCapabilities(new string[] { "ProtApp" })
    .WithBroker();

_pca = builder.Build();

try
{
    var accounts = await _pca.GetAccountsAsync().ConfigureAwait(false);
    var authResult = await _pca.AcquireTokenSilent(_scopes, accounts.FirstOrDefault())
        .ExecuteAsync();

    // Handle success result
}
catch (MsalUiRequiredException)
{
    try
    {
        // App.MainActivity is set to a new UIViewController in AppDelegate
        var authResult = await MainThread.InvokeOnMainThreadAsync(() => _pca.AcquireTokenInteractive(_scopes)
            .WithParentActivityOrWindow(App.MainActivity)
            .WithUseEmbeddedWebView(true)
            .WithPrompt(Prompt.ForceLogin)
            .ExecuteAsync());

        // Handle success result
    }
    catch (IntuneAppProtectionPolicyRequiredException e)
    {
        // Handle App Protection Policy Required - redirect user to app store to install broker and RemediateComplianceForIdentity
    }
    catch (Exception e)
    {
        // Handle general interactive exception
    }
}
catch (Exception e)
{
    // Handle general silent exception
}

iris-georgej avatar Feb 17 '23 09:02 iris-georgej

As an additional note:

The IntuneAppProtectionPolicyRequiredException is thrown correctly if the device has a broker already installed. The problem arises when the device doesn't have a broker installed and tries to authenticate. Without an exception being thrown there is no way to instruct the user/redirect them to install a broker required for compliance.

iris-georgej avatar Feb 17 '23 11:02 iris-georgej
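Added example (not the reporter's code and not MSAL's own): a C# version of the silent/interactive ladder from the snippet above that also covers the case this note describes, where no broker is installed and the app only sees authentication_canceled. It assumes the client was built with the "ProtApp" client capability as in the snippet; IsBrokerAvailable() is assumed to exist on IPublicClientApplication, and mapping a cancel with no broker present to "broker may be required" is a heuristic, since MSAL does not surface AAD error 53009 to the app here.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public enum AuthOutcome { Success, PolicyRemediationRequired, BrokerMayBeRequired, Canceled, Failed }

public static class ProtectedSignIn
{
    public static async Task<(AuthOutcome Outcome, AuthenticationResult Result)> AcquireAsync(
        IPublicClientApplication pca, string[] scopes, object parentWindow)
    {
        var account = (await pca.GetAccountsAsync().ConfigureAwait(false)).FirstOrDefault();
        try
        {
            var silent = await pca.AcquireTokenSilent(scopes, account).ExecuteAsync().ConfigureAwait(false);
            return (AuthOutcome.Success, silent);
        }
        catch (MsalUiRequiredException)
        {
            // No usable cached token (or no account yet); fall through to interactive.
        }
        try
        {
            var interactive = await pca.AcquireTokenInteractive(scopes)
                .WithParentActivityOrWindow(parentWindow)
                .ExecuteAsync().ConfigureAwait(false);
            return (AuthOutcome.Success, interactive);
        }
        catch (IntuneAppProtectionPolicyRequiredException ex)
        {
            // Thrown when a broker is present: pass Upn/TenantId/AuthorityUrl to the Intune
            // remediation call (RemediateComplianceForIdentity) and retry afterwards.
            Console.WriteLine($"Remediation needed for {ex.Upn} in tenant {ex.TenantId}");
            return (AuthOutcome.PolicyRemediationRequired, null);
        }
        catch (MsalClientException ex) when (ex.ErrorCode == MsalError.AuthenticationCanceled)
        {
            // Observed in this report: without a broker, iOS returns only a cancel after the
            // "You can't get there from here" page. With no broker installed, treat that cancel
            // as a probable app-protection block so the UI can point the user at Authenticator.
            // Assumption: IsBrokerAvailable() exists on IPublicClientApplication.
            return (pca.IsBrokerAvailable() ? AuthOutcome.Canceled : AuthOutcome.BrokerMayBeRequired, null);
        }
        catch (MsalServiceException)
        {
            return (AuthOutcome.Failed, null);
        }
    }
}
```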

@iris-georgej thanks for sharing the code. The issue happens only when broker is not present. Unfortunately, it requires that broker be preinstalled and we do not do the correct redirect to install. There is a known issue. https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/3303

SameerK-MSFT avatar Feb 17 '23 17:02 SameerK-MSFT

Thanks for that @SameerK-MSFT.

At the point of authentication there is no requirement for a broker. Only once we have determined there is a conditional access policy with app protection policy required assigned to the authenticating user should we require the broker to be installed.

The problem with this is that as the browser does not throw an error there is no way to let the user know a broker is required at this point. Making the broker a requirement before authentication is not a valid solution in this case as it shouldn't be a requirement unless an app protection policy is required, which it may not be for certain users.

What's the best way to handle this situation then if there is no specific requirement for the broker to be installed to use the app?

iris-georgej avatar Feb 19 '23 11:02 iris-georgej

@SameerK-MSFT - I thought that AAD is responsible for failing gracefully here? The error message in the browser should say something like "You need to install Microsoft Authenticator. Click here to install". Is this not happening? How do MSAL iOS and MSAL Android handle this?

CC @pmaytak as you opened the original issue - https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/3303 and @trwalke as you worked on this in the past.

bgavrilMS avatar Feb 20 '23 16:02 bgavrilMS

@SameerK-MSFT A bit more info here: in #3366

pmaytak avatar Feb 22 '23 18:02 pmaytak

Is there any update on this? We have moved over to using MSAL with .NET MAUI and this is still an issue on iOS. This works on Android, where a dialog pops up prompting the user to install a broker, but iOS just displays the "You can't get there from here" message.

iris-georgej avatar Jan 06 '25 12:01 iris-georgej

@SameerK-MSFT @pmaytak @bgavrilMS It would be good if someone could provide an update on where this is up to. It has been almost 2 years now.

iris-georgej avatar Jan 30 '25 12:01 iris-georgej