AzureAD / microsoft-authentication-library-for-dotnet

Microsoft Authentication Library (MSAL) for .NET
https://aka.ms/msal-net
MIT License

Xamarin Android + MAM - Conditional Access Grant Control “require app protection policy” does NOT enforce app protection policy. #4031

Open tomzeni opened 1 year ago

tomzeni commented 1 year ago

Xamarin Android - Conditional Access Grant Control “require app protection policy” does NOT enforce app protection policy.

We’re using the example app from here: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/tree/main/tests/devapps/Intune-xamarin-Android. It is based on that great Microsoft article from here: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Protect-your-resources-in-iOS-and-Android-applications-using-Intune-MAM-and-MSAL.NET

While debugging the provided example app we see that "IntuneAppProtectionPolicyRequiredException" gets fired once at the first login, which then triggers the DoMAMRegister method. After DoMAMRegister was successful, MSAL returns a valid token on the following DoSilentAsync method call. As we’re MAM registered now, MSAL always returns a valid token on DoSilentAsync or, if needed, on DoInteractiveAsync, even if the app is completely restarted. BUT what is NOT happening here is that the IntuneSdk “GUI” kicks in and tells the user that “the App is now being protected by Intune”… also what’s NOT happening is that the user has to set a PIN for this app (which we have configured in the app protection policy).

Looking at the Azure “Sign-in logs” we can see a successful login for the test user into the example app. At the “Sign-in logs” > “Conditional Access Policy details” tab we can also see that “Grant Controls - Require app protection policy” was Satisfied (!) But this cannot be possible, because the user has never seen the IntuneSdk “GUI” stating “the App is now being protected by Intune”, nor was the user requested to set a PIN, nor does the app ask the user to enter a PIN on app restart. So, from the administrative view in the sign-in logs it looks like everything is fine, conditional access was successful and the app protection policy has been applied. But on the app end, there are NO app protection policy settings enforced. The app behaves as if there were no app protection policy at all. How is this even possible?

Nevertheless, for cross-checking we’ve added the Outlook app as a target for our conditional access and for our app protection policy. OFC the Outlook app works as expected. After the first login, the IntuneSdk “GUI” kicks in and tells the user that “the App is now being protected by Intune” and the user has to set a PIN for Outlook.

We’ve verified this issue with some newly created Enterprise Applications, in two different LAB tenants, on four different devices (Samsung, Pixel, LG and Xiaomi), using VS 2022 and VS 2019.

We’ve tried the example app as it is on GitHub, using Android 10 as build target and including older versions of MSAL and the Intune SDK. We also raised the Android build target to 13 and updated every NuGet package in the example app to the latest version:
• Microsoft.Identity.Client 4.51.0
• Microsoft.Intune.MAM.Xamarin.Android 3.0.4635.1
But the result is always the same: app protection does not happen in the app.

It’s easy to reproduce this issue with the provided example app. The only thing we configured differently in the example app is that we’ve set the SCOPES to "https://graph.microsoft.com/.default".

After researching and testing with this issue for more than a month, we are out of options now. Please advise.

This looks like a similar problem to the one we faced with iOS a year ago. You guys fixed this for iOS and Sameer provided a great blog post and a working example: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/2894. So my last question: is there an alternative “working” example / reference implementation for Xamarin Android Conditional Access Grant Control “require app protection policy” besides the one mentioned above?

Thanks a lot,

Tom

Which version of MSAL.NET are you using? ANY

Platform Xamarin Android

What authentication flow has the issue?

Is this a new or existing app? We have this Xamarin app working in production and on sale for iOS; now we want to publish it for Android.

Repro see above

Expected behavior The IntuneSDK GUI should show up and state "the App is now being protected by Intune", and the configured app protection policy settings should be enforced.

Actual behavior Even though the sign-in logs show that everything is fine, conditional access was successful and the app protection policy has been applied, the app behaves as if there were no app protection policy at all.
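The flow the report describes (silent acquisition, IntuneAppProtectionPolicyRequiredException on the first interactive sign-in, MAM registration, silent retry) is sketched below as an added example; it is not code from the issue, the sample app or the MSAL.NET project. The client ID, redirect URI and package name are placeholders. The MSAL.NET types (PublicClientApplicationBuilder, IntuneAppProtectionPolicyRequiredException and its Upn, AccountUserId, TenantId and AuthorityUrl properties) are the public MSAL.NET API; the Intune member names (MAMComponents.Get<T>, IMAMEnrollmentManager.RegisterAccountForMAM, RegisterAuthenticationCallback, GetRegisteredAccountStatus, the MAMEnrollmentManagerResult values) are taken from the Intune App SDK for Android documentation and are assumed to carry over unchanged into the Xamarin binding version in use. The point of the example for anyone triaging this kind of report is the final check: the app asks the MAM SDK on the device whether the account is actually enrolled instead of trusting the tenant's sign-in logs, which only record that the grant control was satisfied from the service's point of view. The sample app waits for the MAM enrollment-result notification; the bounded status poll here is a simplification chosen to keep the example self-contained.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Android.App;
using Microsoft.Identity.Client;
using Microsoft.Intune.Mam.Policy;

// Added example, not project code. Placeholder values below are not from the issue.
public static class MamAwareTokenClient
{
    const string ClientId = "<your-app-client-id>";                          // placeholder
    const string RedirectUri = "msauth://<package-name>/<signature-hash>";  // placeholder
    static readonly string[] Scopes = { "https://graph.microsoft.com/.default" }; // scope from the issue

    // Broker (Company Portal / Authenticator) is required for CA and MAM on Android.
    static readonly IPublicClientApplication Pca = PublicClientApplicationBuilder
        .Create(ClientId)
        .WithRedirectUri(RedirectUri)
        .WithBroker()
        .Build();

    // MAM needs its own token for the Intune MAM service; the SDK asks for it through
    // this callback (assumed binding name: IMAMServiceAuthenticationCallback).
    sealed class MamAuthCallback : Java.Lang.Object, IMAMServiceAuthenticationCallback
    {
        public string AcquireToken(string upn, string aadId, string resourceId)
        {
            var account = Pca.GetAccountsAsync().GetAwaiter().GetResult()
                .FirstOrDefault(a => a.HomeAccountId?.ObjectId == aadId);
            var result = Pca.AcquireTokenSilent(new[] { resourceId + "/.default" }, account)
                .ExecuteAsync().GetAwaiter().GetResult();
            return result.AccessToken;
        }
    }

    public static async Task<string> AcquireTokenAsync(Activity parent)
    {
        var account = (await Pca.GetAccountsAsync()).FirstOrDefault();
        try
        {
            // Silent first: on an already-registered device this is the normal path.
            return (await Pca.AcquireTokenSilent(Scopes, account).ExecuteAsync()).AccessToken;
        }
        catch (MsalUiRequiredException)
        {
            try
            {
                return (await Pca.AcquireTokenInteractive(Scopes)
                    .WithParentActivityOrWindow(parent)
                    .ExecuteAsync()).AccessToken;
            }
            catch (IntuneAppProtectionPolicyRequiredException ex)
            {
                // CA "require app protection policy" tripped: register the account with MAM
                // using the identifiers MSAL hands back, then retry silently.
                var mam = MAMComponents.Get<IMAMEnrollmentManager>();
                mam.RegisterAuthenticationCallback(new MamAuthCallback());
                mam.RegisterAccountForMAM(ex.Upn, ex.AccountUserId, ex.TenantId, ex.AuthorityUrl);

                if (!await WaitForEnrollmentAsync(mam, ex.Upn, TimeSpan.FromSeconds(60)))
                    throw new InvalidOperationException(
                        "MAM registration did not complete on the device; " +
                        "do not treat a 'Satisfied' grant control in the sign-in logs as proof of enrollment.");

                account = (await Pca.GetAccountsAsync()).FirstOrDefault();
                return (await Pca.AcquireTokenSilent(Scopes, account).ExecuteAsync()).AccessToken;
            }
        }
    }

    // On-device enrollment check. GetRegisteredAccountStatus / MAMEnrollmentManagerResult are
    // the Java SDK names and are assumed to match the Xamarin binding; the poll replaces the
    // enrollment-result notification the sample app listens for.
    static async Task<bool> WaitForEnrollmentAsync(IMAMEnrollmentManager mam, string upn, TimeSpan timeout)
    {
        var deadline = DateTime.UtcNow + timeout;
        while (DateTime.UtcNow < deadline)
        {
            var status = mam.GetRegisteredAccountStatus(upn);
            if (status == MAMEnrollmentManagerResult.EnrollmentSucceeded) return true;
            if (status == MAMEnrollmentManagerResult.AuthorizationNeeded ||
                status == MAMEnrollmentManagerResult.EnrollmentFailed) return false;
            await Task.Delay(1000);
        }
        return false;
    }
}
```

If the silent call succeeds but WaitForEnrollmentAsync keeps reporting a non-enrolled status, that is the on-device symptom to capture in a bug report alongside the sign-in log entry, since the two disagreeing is exactly the situation the issue describes.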

SameerK-MSFT commented 1 year ago

Thanks for sharing the information. Taking a look at it.

tomzeni commented 1 year ago

Any updates on this? Were you able to reproduce this issue using the provided demo app, or did it work as expected? Thanks a lot!