microsoftconnect / ms-intune-app-sdk-android

Intune App SDK for Android enables data protection features and mobile app management via Microsoft Intune

Not Able to Test MSAL Success with Work Account or MDM: MSALServiceException or Cannot see Broker App #200

Closed bmalumphy closed 11 months ago

bmalumphy commented 12 months ago

Intune Android App SDK Policy Enforcement Issue

Questions to Ask Before Submission

  1. Have you completed the exit criteria for each phase in the Intune App SDK for Android Integration Guide? YES
  2. Have you checked the Microsoft Intune App SDK for Android repository for similar issues? YES
  3. Are you using the latest version of the SDK? YES

Summary

Each phase of the Intune App SDK for Android Integration Guide outlines specific exit criteria for proceeding to subsequent phases.

Please reference the specific exit criteria scenario that is failing.

MSAL Integration, Phase 2: Have you tested brokered authentication, confirmed that a work account is added to Android's Account Manager, and tested SSO with other Microsoft 365 apps?

We can validly check this on all work apps installed using Microsoft (Edge, for instance), but with a work profile we cannot see the Broker Application with our device registered when installing from Android Studio. When trying to install the app directly to the work profile user using adb shell install -r PACKAGE_NAME --user USER_ID (where USER_ID is our work profile's user number), we get a Java Security Exception which says we don't have permission to install to the Work Profile.

- If you implemented Conditional Access, have you tested both device-based CA and app-based CA to validate your CA implementation?

We are running into issues here on the MDM, while we don't always have issues with the above. We repeatedly get an MSALServiceException with an "unauthorized_client" code and a message of "Application must enforce Intune protection policy.", which doesn't indicate what we're doing wrong here. This seems to behave differently based on how we've set up our tenant, which leads us to believe we are misconfigured. We've attached our tenant configuration below in screens and text.

Repro Steps

Please provide concrete steps to reproduce the issue you are encountering.

Our App Protection Policy is reflected in the screens below:

Our CA Policies are as such:

Logs

Company Portal Logs

Incident ID: MEDVM436

Screenshots and Recordings

[Two screenshots attached: Screenshot 2023-12-03 at 9:57:35 PM and Screenshot 2023-12-03 at 9:55:57 PM]

AndroidX Dependencies

If your app includes any AndroidX libraries, please list them here, along with the version info:

Third-Party Library Dependencies

If your app includes any third-party libraries, please list them here, along with the version info:

bmalumphy commented 11 months ago

So the solution here seemed to be that our package ID in our App Configuration was wrong. Our application swapped those about 2 years ago before we released, and we didn't swap them out for our redirect URL or the identifier we had handed Intune on the device. Once we fixed that, the rest of our errors became apparent and we got through. Closing this now.
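The root cause in this thread is a stale package ID in the MSAL broker redirect URI, which also explains why the "unauthorized_client" / "Application must enforce Intune protection policy" error in the original report looked like a tenant misconfiguration. The check below is an added example written for this page; it is not code from the issue, from the Intune App SDK, or from MSAL. It validates an MSAL for Android auth config against the applicationId the APK is actually built with and the certificate it is actually signed with, using the documented broker redirect URI shape msauth://<package name>/<URL-encoded base64 SHA-1 of the signing certificate>. The package names (com.example.legacyapp, com.example.workapp), the client ID and tenant ID placeholders, and the signing-certificate bytes are all constructed for the example; in a real run the certificate bytes come from keytool -exportcert against the release keystore.

```python
import base64
import hashlib
import json
from urllib.parse import quote, unquote, urlparse

# Hypothetical package names: the app shipped under NEW_PACKAGE, but the MSAL
# config (and the identifier handed to Intune) still reference OLD_PACKAGE.
OLD_PACKAGE = "com.example.legacyapp"
NEW_PACKAGE = "com.example.workapp"

# Constructed stand-in for the DER-encoded release signing certificate.
# A real check would read the output of `keytool -exportcert` here.
SIGNING_CERT_DER = b"constructed-stand-in-for-release-signing-certificate"

# Constructed MSAL auth_config.json (the res/raw JSON MSAL for Android reads).
# Client ID, tenant ID and the old signature hash are placeholders, not real values.
STALE_CONFIG = json.dumps({
    "client_id": "00000000-0000-0000-0000-000000000000",
    "authorization_user_agent": "DEFAULT",
    "redirect_uri": "msauth://com.example.legacyapp/constructed%2Fold%2Bhash%3D",
    "broker_redirect_uri_registered": True,
    "account_mode": "SINGLE",
    "authorities": [{"type": "AAD", "audience": {
        "type": "AzureADMyOrg",
        "tenant_id": "00000000-0000-0000-0000-000000000000"}}],
})


def signature_hash(cert_der: bytes) -> str:
    """Base64 of the SHA-1 of the signing certificate, the value the broker
    redirect URI (and the Entra app registration) carry for this APK."""
    return base64.b64encode(hashlib.sha1(cert_der).digest()).decode("ascii")


def build_redirect_uri(package: str, cert_der: bytes) -> str:
    """Broker redirect URI: msauth://<package>/<URL-encoded signature hash>."""
    return f"msauth://{package}/{quote(signature_hash(cert_der), safe='')}"


def parse_redirect_uri(uri: str) -> tuple:
    """Split a broker redirect URI back into (package, signature hash)."""
    parsed = urlparse(uri)
    if parsed.scheme != "msauth":
        raise ValueError(f"not a broker redirect URI: {uri}")
    return parsed.netloc, unquote(parsed.path.lstrip("/"))


def check_msal_config(config_json: str, application_id: str,
                      cert_der: bytes) -> list:
    """Return every mismatch between the MSAL config, the applicationId the APK
    is built with, and the certificate it is signed with. An empty list means
    the broker can match the installed app to its registration."""
    cfg = json.loads(config_json)
    problems = []
    package, sig = parse_redirect_uri(cfg["redirect_uri"])
    if package != application_id:
        problems.append(
            f"redirect_uri package {package!r} != applicationId {application_id!r}")
    if sig != signature_hash(cert_der):
        problems.append(
            "redirect_uri signature hash does not match the signing certificate")
    if cfg.get("broker_redirect_uri_registered") is not True:
        problems.append(
            "broker_redirect_uri_registered must be true for brokered auth")
    return problems


def fix_redirect_uri(config_json: str, application_id: str,
                     cert_der: bytes) -> str:
    """Rewrite the config with a redirect URI derived from the real build inputs."""
    cfg = json.loads(config_json)
    cfg["redirect_uri"] = build_redirect_uri(application_id, cert_der)
    cfg["broker_redirect_uri_registered"] = True
    return json.dumps(cfg, indent=2)


if __name__ == "__main__":
    for problem in check_msal_config(STALE_CONFIG, NEW_PACKAGE, SIGNING_CERT_DER):
        print("MISMATCH:", problem)
    fixed = fix_redirect_uri(STALE_CONFIG, NEW_PACKAGE, SIGNING_CERT_DER)
    print("fixed redirect_uri:", json.loads(fixed)["redirect_uri"])
    print("remaining problems:", check_msal_config(fixed, NEW_PACKAGE, SIGNING_CERT_DER))
```

The same package-name-plus-signature-hash pair must agree in three places: the APK (applicationId and signing certificate), the MSAL config's redirect_uri, and the Android platform redirect URI registered on the Entra app registration. Running this check in CI against the release applicationId and keystore catches the drift that this issue describes before the broker reports it as an opaque unauthorized_client error.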