David Mulder
> Even worse: When the MFA is enforced by the AAD backend, but never given by the user due to the successful login, this looks like a "PW of the...
> Define technically "same device".
>
> It's easy on an MS Intune managed device. The browser sends along the device identifier and the backend can identify the device by...
Here's a spec I wrote up with instructions on how to domain join with AAD: [aad-join-spec.pdf](https://github.com/ubuntu/aad-auth/files/13478105/aad-join-spec.pdf)
You can see how I implemented AAD MFA in himmelblau here: https://github.com/himmelblau-idm/himmelblau/blob/main/src/common/src/idprovider/himmelblau.rs The code is a bit complicated, but here's the gist of it: Do a simple auth with `acquire_token_by_username_password`....
> It'd be good to map out the requirements, for sure, because it's WAY too little detail to understand what's actually required so far. I'm traveling to Göttingen in Aug,...
aad-auth should request group memberships using the Graph URL `/me/memberOf`. You just have to authenticate the user with the `GroupMember.Read.All` scope.
The device needs to be [enrolled](https://github.com/himmelblau-idm/aad-join-spec/blob/main/aad-join-spec.md#21-join-service-details) in order to support reading group memberships.
> @dmulder even with devices enrolled I am seeing no membership attributes

aad-auth doesn't provide device enrollment. I was saying this isn't possible without significant changes to aad-auth.
Take a look at #467. I've emailed the Ubuntu devs about collaboration on improving aad-auth, but they stopped responding months ago. The Samba and SSSD teams are working on the...