microsoft / msix-packaging

MSIX SDK
MIT License

[Question] How to pass AAD auth parameters in MSIX Authentication #625

Open MoodieG opened 3 months ago

MoodieG commented 3 months ago

Hey,

I have published an appinstaller to a custom web application and now I want to add authentication. The documentation says that this can be done by adding &msix=aad to the end of the URI. However, it does not mention how to specify the client ID, tenant ID of the app registration and the required scopes when requesting a bearer token from Azure Active Directory.

Is there a way to specify those parameters?

MoodieG commented 3 months ago

Hey, just bumping this thread. I tried adding ?msixauth=aad at the end of my Uri for AppInstaller and MainPackage to test the authentication flow. I do get prompted to log in, but the App Installer fails to open the app package due to

"An error occurred while attempting to authenticate. The user account does not have access to the target resource. Contact your administrator for assistance."

I believe the reason is that no tenant ID, scope, or client ID is passed to AAD when retrieving a bearer token.
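For readers trying to reproduce the flow described above, here is an added example of an .appinstaller file with the ?msixauth=aad query string appended to both the AppInstaller Uri and the MainPackage Uri. It is not code from the issue or from the msix-packaging project; the host name, package name, publisher, version and file names are placeholders, and the element and attribute names follow the 2018 App Installer schema.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the original thread. Placeholder values:
     contoso.example, Contoso.SampleApp, the publisher DN and the version. -->
<AppInstaller
    xmlns="http://schemas.microsoft.com/appx/appinstaller/2018"
    Version="1.0.0.0"
    Uri="https://contoso.example/apps/SampleApp.appinstaller?msixauth=aad">

  <!-- The same query string is appended to the package URI so that the
       download of the .msix is also made with an AAD bearer token. -->
  <MainPackage
      Name="Contoso.SampleApp"
      Publisher="CN=Contoso, O=Contoso, L=Redmond, S=WA, C=US"
      Version="1.0.0.0"
      ProcessorArchitecture="x64"
      Uri="https://contoso.example/apps/SampleApp_1.0.0.0_x64.msix?msixauth=aad" />

  <UpdateSettings>
    <OnLaunch HoursBetweenUpdateChecks="12" />
  </UpdateSettings>
</AppInstaller>
```

Note that, as the later reply in this thread states, the query string only switches on the AAD flow; App Installer supplies its own client ID and picks the scope itself, so a custom web API hosting these URIs would see a token it did not choose the audience for, which is consistent with the "does not have access to the target resource" error reported above.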

MoodieG commented 2 months ago

Bumping this thread again.

I assume App Installer is expecting users to perform server-side authentication if client-side authentication is not supported. It would be great if anyone could point to a sample or documentation of that auth flow.

florelis commented 1 month ago

There is no way to specify a client ID or scope. App Installer uses its own client ID and sets the scope depending on whether the resource is on SharePoint or Azure Storage.

It may also be worth updating App Installer or testing installing the .msix directly (without using a .appinstaller file). There used to be a bug that caused cryptic errors when using auth for .appinstaller files.

MoodieG commented 1 month ago

Thanks for the reply. Unfortunately, giving users access to Azure Storage is not encouraged by Microsoft security policies. A web API that can authenticate via a managed service identity is encouraged. Hence I require App Installer to authenticate with a custom web API.

I have not considered using SharePoint and am not familiar with the experience there. Having said that, it would be nice if a user were able to customize the client ID and scope for App Installer auth.