AADSTS53009: Application needs to enforce Intune protection policies

[ACivilise]

Hi,

We are trying to integrate the Intune SDK in our application. We took the code from the sample and published it to our Intune Store and we still have an issue. We also updated the SDK to v9.70. We are getting this error log on the android side (logcat) :

authentication failed
com.microsoft.identity.client.exception.MsalUiRequiredException: AADSTS53009: Application needs to enforce Intune protection policies.
Timestamp: 2023-09-27 13:49:30Z
    at com.microsoft.identity.client.internal.controllers.MsalExceptionAdapter.msalExceptionFromBaseException(Unknown Source:67)
    at com.microsoft.identity.client.PublicClientApplication$18.onError(Unknown Source:0)
    at com.microsoft.identity.client.PublicClientApplication$18.onError(Unknown Source:2)
    at com.microsoft.identity.common.java.controllers.CommandDispatcher.commandCallbackOnError(Unknown Source:14)
    at com.microsoft.identity.common.java.controllers.CommandDispatcher.access$900(Unknown Source:0)
    at com.microsoft.identity.common.java.controllers.CommandDispatcher$4.run(Unknown Source:46)
    at android.os.Handler.handleCallback(Handler.java:942)
    at android.os.Handler.dispatchMessage(Handler.java:99)
    at android.os.Looper.loopOnce(Looper.java:226)
    at android.os.Looper.loop(Looper.java:313)
    at android.app.ActivityThread.main(ActivityThread.java:8762)
    at java.lang.reflect.Method.invoke(Native Method)
    at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:604)
    at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:1067)

This log appears after we entered our credentials and passed the MFA on the Microsoft portal. The device is enrolled. If we exclude the app from the app protection, it's working but when the app protection is turned on we can't signin. We created a ticket with the Microsoft support already and Hugo Pereira tried to help us with our issue without success for now. He told us we should open a ticket here directly. Thanks in advanced.

[meghandaly]

@ACivilise Please refer to Troubleshooting app protection policy deployment in Intune . This is likely an issue in your deployment of Intune.

[ACivilise]

We've managed to resolve the issue, thanks in part to assistance from Microsoft Customer Support. Our problem centered around two key issues:

• Connecting without cross-app SSO was impossible. To rectify this problem, we referred to this documentation: https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-android-single-sign-on.

[!TIP] An important thing to remember is to keep the following boolean element set to 'true': json "broker_redirect_uri_registered": true,

• Even with cross-app SSO enabled, we encountered strange behavior; we could only access the TaskR sample app about half of the time. Conversations with Tanmay Manolka and Mohit Chandwani led us to a potential solution. They suggested we comment out this line of code: https://github.com/msintuneappsdk/Taskr-Sample-Intune-Android-App/blob/c11ee86771f7dbc537b2e19e88eaed77ae06b4f0/app/src/main/java/com/microsoft/intune/samples/taskr/MainActivity.java#L126

The combination of implementing cross-app SSO with broker apps and refraining from unregistering accounts for MAM allowed the authentication with InTune to work effectively under conditional access policies.