
[Investigate] MSAL behavior when mobile broker is not installed but required by CA policies

Open pmaytak opened this issue 2 years ago • 0 comments

Goal: What is the developer experience, and how should MSAL.NET behave, when the mobile broker is not installed but is required by conditional access policies, for example in a Mobile App Management (MAM) scenario? Xamarin behavior should be on par with the MSAL Android and iOS SDKs. Based on the final findings we should make sure our samples and docs are clear on the expected behavior and on suggestions to users.

Additional info: Currently, if the user specifies to use the broker but it is not available, we fall back to using a browser (embedded or system, whichever is specified). However, the browser behavior is different. Tested with the Intune Android sample:

  1. Embedded WebView – prompt to install Edge browser.
  2. Unmanaged Edge and Chrome system browser – error saying this app/browser doesn’t support app protection policies.
  3. Managed Edge system browser – correct prompt to install Intune, which does take me to app store.

Based on the talk with the CA team, the above behavior for the browsers seems correct. Per spec, it should match the third option: there should be a prompt to install Intune. This is the behavior in MSAL iOS. Additionally, MSAL iOS for first-party apps also caches the current app's name and, after Intune is installed, redirects back to the app.

We do have code where, in the interactive request, we try to extract the broker installation URL from the auth code response and then handle it by starting a new Activity with it. However, in my testing that code (the response with the auth code) was never hit.

The CA team mentioned that when I tested, they saw the requests as coming from a confidential app on their end, which triggered the behavior to prompt to install Edge. We do use PCA.

pmaytak, Jun 02 '22 21:06
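The issue describes MSAL.NET silently falling back from the broker to a browser, which then fails in browser-specific ways when a CA/MAM policy requires the broker. As an added example (not code from the MSAL.NET repository or from the issue author), the snippet below shows how an app can make that case explicit on the client side before calling `AcquireTokenInteractive`. It assumes a Xamarin.Android app using `Microsoft.Identity.Client` 4.x, that `IPublicClientApplication.IsBrokerAvailable()` is the broker-presence check (an assumption about the MSAL.NET API), and that `ClientId`, `RedirectUri`, `Scopes` and the `brokerRequiredByPolicy` flag are placeholders supplied by the app.

```csharp
// Added example, not part of MSAL.NET or of the original issue.
// Assumptions: Xamarin.Android, Microsoft.Identity.Client 4.x,
// IPublicClientApplication.IsBrokerAvailable() reports whether a broker
// app is installed. ClientId/RedirectUri/Scopes are placeholders.
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class BrokerAwareSignIn
{
    // Placeholder registration values; replace with the app's own.
    private const string ClientId = "00000000-0000-0000-0000-000000000000";
    private const string RedirectUri = "msauth://com.example.app/<signature-hash>";
    private static readonly string[] Scopes = { "User.Read" };

    public static IPublicClientApplication BuildApp()
    {
        // WithBroker() asks MSAL to route interactive requests through the
        // broker when one is installed; otherwise MSAL falls back to a browser.
        return PublicClientApplicationBuilder.Create(ClientId)
            .WithRedirectUri(RedirectUri)
            .WithBroker()
            .Build();
    }

    // parentActivity is the current Android Activity (passed as object so this
    // file compiles without Android references in the example).
    // brokerRequiredByPolicy is a hypothetical app-side flag: set it when the
    // tenant's CA/MAM policy is known to require the broker.
    public static async Task<AuthenticationResult> SignInAsync(
        object parentActivity, bool brokerRequiredByPolicy)
    {
        IPublicClientApplication app = BuildApp();

        if (!app.IsBrokerAvailable())
        {
            if (brokerRequiredByPolicy)
            {
                // The case from the issue: do not let MSAL fall back to a
                // browser, because the policy check will then fail with a
                // browser-specific message instead of an "install the broker"
                // prompt. Surface a clear, actionable error to the app instead.
                throw new InvalidOperationException(
                    "A broker app is required by tenant policy but is not " +
                    "installed on this device. Install it and retry sign-in.");
            }

            // Broker is optional for this app: accept the browser fallback,
            // but log it so support can explain differing prompts.
            Console.WriteLine("Broker not installed; MSAL will use a browser.");
        }

        try
        {
            return await app.AcquireTokenInteractive(Scopes)
                .WithParentActivityOrWindow(parentActivity)
                .ExecuteAsync();
        }
        catch (MsalClientException ex)
        {
            // Client-side failures (user cancellation, redirect URI mismatch,
            // broker hand-off problems). Log the code, then rethrow.
            Console.WriteLine($"MSAL client error {ex.ErrorCode}: {ex.Message}");
            throw;
        }
        catch (MsalServiceException ex)
        {
            // Service-side failures, including conditional access and
            // app-protection policy blocks returned by the STS.
            Console.WriteLine($"MSAL service error {ex.ErrorCode}: {ex.Message}");
            throw;
        }
    }
}
```

The point of the explicit `IsBrokerAvailable()` branch is that the app, not the browser, decides what the user sees when the broker is missing; whether that should instead be a prompt with a link to the broker's store page is exactly the behavior the issue leaves to be settled with the CA team.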