One Drive Setup

Open githubja-lab opened this issue 1 year ago • 2 comments

Describe the bug

After following the procedure outlined in the following link: https://kasmweb.com/docs/latest/guide/storage_providers/onedrive.html, we encountered issues with users mapping their OneDrive into their sessions due to consent problems.

Due to our security setup, all applications require administrator approval. In this instance, users need to send their consent back to the administrator for approval. (See Pict[4])

After obtaining administrator approval, KASM is still unable to map the drive due to issues in Kasm Logs Pict[1] and Web Browser Pict[2].

The only workaround we found to bypass the problem and achieve the desired behavior outlined in the documentation is by allowing users to consent to the app themselves. However, this contradicts our security policy. Refer to Pict[3] for an example of our secure setup.

Is there another option that we could use to allow the mapping?

Screenshots

Pict[1]: Screenshot 2024-03-11 at 11 45 36 AM
Pict[2]: Screenshot 2024-03-11 at 11 45 16 AM
Pict[3]: Screenshot 2024-03-11 at 11 51 56 AM
Pict[4]: Screenshot 2024-03-11 at 11 57 05 AM

Kasm Version

Version 1.14

githubja-lab, Mar 11 '24 18:03

In Azure, you should be able to pre-approve consent for individual apps as an admin. Is this an option for you?

j-travis, Mar 11 '24 19:03

In your situation, the best path forward is to "Grant admin consent" on the individual Enterprise Application in the permissions section.

Next, on the Storage Provider defined inside Kasm, update the Authorization URL Options to:

{
  "prompt": "select_account"
}

The default we document...

{
  "prompt": "consent"
}

... will re-prompt the user for consent even though the admin has pre-approved it. You can read more about these options here: https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow#request-an-authorization-code

From that point on, when the users try to register their OneDrive, they should be allowed.

If you don't pre-approve the app, and the user is prompted to request permission from the admin, then they will get that unhandled error message. That's because it's technically being denied at the OAuth level back to Kasm. We could probably handle that better and tell them they've been denied.

Regardless, the approval request to the admin should still go through.

The thing is, when the admin accepts the request, they are essentially doing the same thing as approving the app for all users like above. It's not a per-user approval.

https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/review-admin-consent-requests

So, to avoid your users experiencing that error, it's probably best to just pre-approve the app.

j-travis, Mar 22 '24 04:03
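
As an added example (not code from Kasm or from the participants in this thread), the Python sketch below shows how the `prompt` option ends up in the authorization request and how a callback carrying an OAuth error, such as a denied consent, can be reported as a clear message rather than surfacing as an unhandled error. The function names, the redirect URI and all sample values are assumptions constructed for illustration.

```python
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Microsoft identity platform v2.0 authorization endpoint.
AUTHORIZE_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"
VALID_PROMPTS = {"login", "none", "consent", "select_account"}


def build_authorize_url(tenant, client_id, redirect_uri, scope, state, url_options):
    """Build the authorization request, merging in extra URL options."""
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    # Extra options must not silently replace the core request parameters.
    clash = set(url_options) & set(params)
    if clash:
        raise ValueError(f"options may not override: {sorted(clash)}")
    prompt = url_options.get("prompt")
    if prompt is not None and prompt not in VALID_PROMPTS:
        raise ValueError(f"unsupported prompt value: {prompt!r}")
    params.update(url_options)
    return AUTHORIZE_URL.format(tenant=tenant) + "?" + urlencode(params)


def handle_callback(callback_url, expected_state):
    """Classify the redirect back to the app as ok, denied or error."""
    query = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
    # Discard any response that does not carry the state value we issued.
    if not hmac.compare_digest(query.get("state", "").encode(), expected_state.encode()):
        return ("error", "state mismatch, response discarded")
    if "error" in query:
        detail = query.get("error_description", "no description supplied")
        if query["error"] == "access_denied":
            return ("denied", f"Access was denied by the identity provider: {detail}")
        return ("error", f"{query['error']}: {detail}")
    if "code" not in query:
        return ("error", "response carried neither code nor error")
    return ("ok", query["code"])


if __name__ == "__main__":
    # Constructed sample values, not taken from the issue.
    print(build_authorize_url("organizations", "00000000-0000-0000-0000-000000000000",
                              "https://kasm.example/callback", "Files.ReadWrite.All",
                              "s123", {"prompt": "select_account"}))
    denied = ("https://kasm.example/callback?error=access_denied"
              "&error_description=Admin+approval+required&state=s123")
    print(handle_callback(denied, "s123"))
```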