azure-activedirectory-library-for-cordova
Issue with acquireTokenAsync - access token missing deviceid
Issue Description
I'm running into an issue calling acquireTokenAsync. The generated token from the acquireTokenAsync call "appears" to be valid, but when I run a post to MSFT graph api using this generated token (post is happening in my express middleware), I get the error message below.
Note: I am using Microsoft Intune with broker authentication using Microsoft Authenticator.
error : AADSTS5300 "your device is required to be managed to access this resource."
Anyone have any ideas why this is happening ?
Here is the configuration object I use in the post to the /oauth2/token endpoint (secrets redacted):

```js
{
  grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
  client_id: '********',
  client_secret: '*******',
  assertion: '******',
  requested_token_use: 'on_behalf_of',
  resource: 'https://graph.microsoft.com/',
  scope: 'openid email offline_access User.Read Calendars.Read Calendars.ReadWrite Calendars.ReadWrite.Shared'
}
```
Here is my environment configuration:

Issue Environment

cli packages: (/usr/local/lib/node_modules)
    @ionic/cli-utils  : 1.19.2
    ionic (Ionic CLI) : 3.20.0

global packages:
    cordova (Cordova CLI) : 8.0.0

local packages:
    @ionic/app-scripts : 3.1.9
    Cordova Platforms  : android 7.1.0 ios 4.5.4
    Ionic Framework    : ionic-angular 3.9.2

System:
    Android SDK Tools : 26.1.1
    ios-deploy        : 1.9.2
    Node              : v8.11.1
    npm               : 5.6.0
    OS                : macOS High Sierra
    Xcode             : Xcode 9.3 Build version 9E145
Update: I noticed that the JWT token generated by acquireTokenAsync does not include deviceId if I manually unenroll and then enroll again. I'm wondering if that finding highlights a potential configuration issue with Intune or AD? The "your device is required to be managed" error is occurring on iOS and Android.
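The issue hinges on whether the access token handed to the on-behalf-of (OBO) request actually carries a device claim. The following is an added diagnostic example, not code from the issue author or from the ADAL Cordova plugin: it decodes a JWT payload (without verifying the signature, so it is for inspection only, never for trust decisions), reports whether a device claim is present, and assembles the OBO request body from the parameters shown in the issue. The claim name `deviceid` (matched case-insensitively) and the sample tokens built by `makeSampleToken` are assumptions constructed for this example.

```javascript
// Added example: inspect a JWT for a device claim before sending it as the
// on-behalf-of assertion. Signature verification is deliberately out of scope
// here (do it at the API boundary with the tenant's signing keys); this decoder
// only surfaces claims for troubleshooting.

function base64UrlDecode(segment) {
  // JWT segments are base64url without padding; restore the alphabet and padding.
  const pad = (4 - (segment.length % 4)) % 4;
  const padded = segment.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat(pad);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error('not a compact JWS: expected 3 dot-separated segments');
  }
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Returns the device claim value, or null when the claim is absent
// (the symptom described in the issue after re-enrolling the device).
// Assumption: the claim is named "deviceid" (case-insensitive match).
function findDeviceClaim(token) {
  const payload = decodeJwtPayload(token);
  const key = Object.keys(payload).find(k => k.toLowerCase() === 'deviceid');
  return key ? payload[key] : null;
}

// Builds the form-encoded OBO request body from the issue's parameters and
// flags up front when the assertion lacks a device claim, so the middleware
// can log a clear diagnostic instead of a bare AADSTS error from the token endpoint.
function buildOnBehalfOfRequest({ clientId, clientSecret, assertion, resource, scope }) {
  const deviceClaimMissing = findDeviceClaim(assertion) === null;
  const body = new URLSearchParams({
    grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
    client_id: clientId,
    client_secret: clientSecret,
    assertion,
    requested_token_use: 'on_behalf_of',
    resource,
    scope,
  }).toString();
  return { body, deviceClaimMissing };
}

// Constructed sample tokens for offline testing: real header/payload encoding,
// but a dummy signature segment. These are NOT real Azure AD tokens.
function makeSampleToken(payload) {
  const enc = obj => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.dummy-signature`;
}

const tokenWithDevice = makeSampleToken({
  aud: 'https://graph.microsoft.com/',
  deviceid: 'device-id-placeholder',
});
const tokenWithoutDevice = makeSampleToken({
  aud: 'https://graph.microsoft.com/',
});

// Usage: log the diagnostic in the express middleware before calling /oauth2/token.
const check = buildOnBehalfOfRequest({
  clientId: 'client-id-placeholder',
  clientSecret: 'client-secret-placeholder',
  assertion: tokenWithoutDevice,
  resource: 'https://graph.microsoft.com/',
  scope: 'openid email offline_access User.Read Calendars.Read',
});
console.log('device claim missing:', check.deviceClaimMissing); // prints true
```

In practice the `deviceClaimMissing` flag is worth logging alongside the correlation id of the failed request: an OBO call whose inbound assertion never carried a device claim cannot satisfy a device-management Conditional Access policy no matter how the middleware is configured, which points the investigation back at the client-side token acquisition (broker enrollment and plugin version) rather than at the server.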
Turns out this library needs to be updated: https://github.com/AzureAD/azure-activedirectory-library-for-objc/issues/1249