[Bug] MSAL Conditional Access policy not throwing exception for required App Protection Policy
Which version of MSAL.NET are you using? MSAL.NET 4.50.0
Platform Xamarin Forms (iOS)
What authentication flow has the issue?
- Desktop / Mobile
- Interactive
- Integrated Windows Authentication
- Username Password
- Device code flow (browserless)
- Web app
- Authorization code
- On-Behalf-Of
- Daemon app
- Service to Service calls
Other?
Is this a new or existing app? Existing app, new feature.
Repro
- Create a conditional access policy that requires an App Protection Policy.
- Authenticate via AcquireTokenInteractive.
- User is met with an in-browser message of “You can’t get there from here”, “It looks like you’re trying to open this resource with a client app that is not available for use with app protection policies.”
Expected behavior
Once the user enters their credentials, if they do not have the App Protection Policy, then an error of IntuneAppProtectionPolicyRequiredException should be thrown. The app can then handle this error to make the device compliant.
Actual behavior
Once the user enters their credentials, they are shown a message in the browser of “You can’t get there from here”, “It looks like you’re trying to open this resource with a client app that is not available for use with app protection policies.” On clicking the “OK” button an error is thrown with an Error Code of authentication_canceled.
Additional context / logs / screenshots / links to code
The error of IntuneAppProtectionPolicyRequiredException has been thrown once when running through this flow but I have been unable to replicate this, even with uninstalling the app multiple times.
Looking at the Sign-in Diagnostic for AAD Conditional Access, the failures are reporting as Error Code: 53009, with a message of “Application Needs To Enforce Intune Protection Policies”. The app has no way to handle this though as no error is thrown.
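The handling pattern the report expects, written out as an added example (not code from the issue author or from the MSAL.NET project): the app wraps AcquireTokenInteractive, treats IntuneAppProtectionPolicyRequiredException as the signal to run Intune remediation and retry, and, for the behaviour actually observed above, distinguishes a genuine user cancel from an authentication_canceled that immediately follows the Conditional Access block page so it can be logged and correlated with the AAD sign-in log entry (error 53009). The exception's Upn, AuthorityUrl, AccountUserId and TenantId properties are MSAL.NET's; RemediateWithIntuneAsync and the Log helper are hypothetical placeholders for the app's Intune MAM SDK integration and logging.

```csharp
using System;
using System.Diagnostics;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class ProtectedSignIn
{
    public enum Outcome { Succeeded, AppProtectionPolicyRequired, UserCanceled, OtherFailure }

    // Wraps the interactive flow and classifies how it ended, so callers can tell
    // "user pressed cancel" apart from "Conditional Access blocked the client".
    public static async Task<(Outcome Outcome, AuthenticationResult Result)> AcquireAsync(
        IPublicClientApplication pca, string[] scopes, IAccount account)
    {
        var sw = Stopwatch.StartNew();
        try
        {
            var result = await pca.AcquireTokenInteractive(scopes)
                                  .WithAccount(account)
                                  .ExecuteAsync();
            return (Outcome.Succeeded, result);
        }
        catch (IntuneAppProtectionPolicyRequiredException ex)
        {
            // Expected path for AAD error 53009: MSAL surfaces the identity the
            // policy applies to. Hand it to the Intune MAM SDK so the device can be
            // made compliant, then the caller retries AcquireAsync.
            Log($"App Protection Policy required for {ex.Upn} (tenant {ex.TenantId})");
            await RemediateWithIntuneAsync(ex.Upn, ex.AuthorityUrl, ex.AccountUserId, ex.TenantId);
            return (Outcome.AppProtectionPolicyRequired, null);
        }
        catch (MsalClientException ex) when (ex.ErrorCode == MsalError.AuthenticationCanceled)
        {
            // Observed path in this issue: the browser showed "You can't get there
            // from here" and the OK button produced authentication_canceled. Record
            // it with the elapsed time so it can be matched against the tenant's
            // Conditional Access sign-in logs rather than silently treated as a cancel.
            Log($"authentication_canceled after {sw.ElapsedMilliseconds} ms; " +
                "check AAD sign-in logs for 53009 if no user cancel was intended");
            return (Outcome.UserCanceled, null);
        }
        catch (MsalException ex)
        {
            Log($"MSAL failure {ex.ErrorCode}: {ex.Message}");
            return (Outcome.OtherFailure, null);
        }
    }

    // Hypothetical: the app's Intune MAM SDK enrollment call goes here.
    private static Task RemediateWithIntuneAsync(string upn, string authority, string accountId, string tenantId)
        => Task.CompletedTask;

    // Hypothetical: route to the app's structured logger.
    private static void Log(string message) => Console.WriteLine(message);
}
```

On AppProtectionPolicyRequired the caller should re-run AcquireAsync once remediation completes; on UserCanceled it should not retry automatically, but the log line gives an operator something to correlate with the 53009 failures seen in the sign-in diagnostic.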
Issue Analytics
- Created 7 months ago
- Comments: 7 (3 by maintainers)
Top GitHub Comments
@SameerK-MSFT A bit more info here: in #3366
@SameerK-MSFT - I thought that AAD is responsible for failing gracefully here? The error message in the browser should say something like “You need to install Microsoft Authenticator. Click here to install”. Is this not happening? How do MSAL iOS and MSAL Android handle this?
CC @pmaytak as you opened the original issue - https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/3303 and @trwalke as you worked on this in the past.