microsoftconnect / ms-intune-app-sdk-android

Intune App SDK for Android enables data protection features and mobile app management via Microsoft Intune

Unable to signin with Conditional Access flow #224

Open bgore opened 3 months ago

bgore commented 3 months ago

Intune Android App SDK Policy Enforcement Issue

Summary

I have a similar problem to Issue #87 (https://github.com/msintuneappsdk/ms-intune-app-sdk-android/issues/87), but not only do I not get the MsalIntuneAppProtectionPolicyRequiredException, I also do not complete enrollment or receive an access token.

The test org is internal, so I have access, but I am unsure how to check everything for compliance. In theory, the site has been set up according to:

  - Intune app protection policies have been applied to the app: https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policies
  - The CA policy was created: https://learn.microsoft.com/en-us/mem/intune/protect/app-based-conditional-access-intune-create

The auth_config.json file has:

    {
      "client_capabilities": "protapp",
      "client_id": private,
      "authorization_user_agent": "DEFAULT",
      "account_mode": "SINGLE",
      "redirect_uri": private,
      "broker_redirect_uri_registered": true,
      "authorities": [
        {
          "type": "AAD",
          "audience": {
            "type": "AzureADMultipleOrgs",
            "tenant_id": "organizations"
          }
        }
      ]
    }

and AcquireTokenSilentParameters.Builder() includes .forceRefresh(false).

Repro Steps

  1. Android emulator with client application and MS Company Portal installed
  2. Client app is launched
  3. Intune/Client email is gathered and enrollment started via:
        // Sign-in call as posted, with the missing closing brace restored and the MSAL imports added.
        import com.microsoft.identity.client.ISingleAccountPublicClientApplication
        import com.microsoft.identity.client.SignInParameters

        msalClientApplication?.let {
            val scopes = listOf("User.Read")
            // auth_config.json uses "account_mode": "SINGLE", so the application is the single-account type
            val singleClientApplication = msalClientApplication as ISingleAccountPublicClientApplication
            val params = SignInParameters.builder()
                .withScopes(scopes)
                .withCallback(AuthCallback())   // AuthCallback implements MSAL's AuthenticationCallback
                .withLoginHint(email)
                .withActivity(fromActivity)
                .build()
            singleClientApplication.signIn(params)
        }
  4. The user password is entered in a WebView

Expectation:

Expected AuthenticationCallback.onError() to be called with a MsalIntuneAppProtectionPolicyRequiredException

Observation:

Instead, receive a 'You can't get there from here' WebView. Clicking OK causes AuthenticationCallback.onCancel() to be called.

(Screenshot attached: "Screenshot from 2024-03-26 13-02-58")

Details

Logs

Company Portal Logs

Incident ID: 5FJKX6T9

mukeshk-ms commented 2 months ago

@bgore Based on the logs, it seems you should be getting the exception MsalIntuneAppProtectionPolicyRequiredException. Can you please check if you have handled it as per the doc and the sample here?

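For reference, the flow the documentation describes for that exception, written out as an added example that is not code from the project or from the reporter: the interactive sign-in's onError() receives MsalIntuneAppProtectionPolicyRequiredException, the app registers the account for MAM, waits for the MAM_ENROLLMENT_RESULT notification, and only then retries token acquisition silently. The MSAL and Intune App SDK class and method names are the documented ones; AuthFlow, onSignedIn, onFailed and TAG are names chosen here.

```kotlin
// Added example (not the project's or the reporter's code). Conditional Access handling:
// exception -> registerAccountForMAM -> wait for MAM_ENROLLMENT_RESULT -> silent token retry.
import android.app.Activity
import android.util.Log
import com.microsoft.identity.client.AcquireTokenSilentParameters
import com.microsoft.identity.client.AuthenticationCallback
import com.microsoft.identity.client.IAccount
import com.microsoft.identity.client.IAuthenticationResult
import com.microsoft.identity.client.ISingleAccountPublicClientApplication
import com.microsoft.identity.client.SignInParameters
import com.microsoft.identity.client.SilentAuthenticationCallback
import com.microsoft.identity.client.exception.MsalException
import com.microsoft.identity.client.exception.MsalIntuneAppProtectionPolicyRequiredException
import com.microsoft.intune.mam.client.app.MAMComponents
import com.microsoft.intune.mam.client.notification.MAMNotificationReceiver
import com.microsoft.intune.mam.client.notification.MAMNotificationReceiverRegistry
import com.microsoft.intune.mam.policy.MAMEnrollmentManager
import com.microsoft.intune.mam.policy.notification.MAMEnrollmentNotification
import com.microsoft.intune.mam.policy.notification.MAMNotificationType

private const val TAG = "[Intune]"  // assumed log tag, matching the filter used in this thread

class AuthFlow(
    private val app: ISingleAccountPublicClientApplication,
    private val activity: Activity,
    private val onSignedIn: (IAuthenticationResult) -> Unit,   // assumed app callbacks
    private val onFailed: (MsalException) -> Unit,
) {
    private val scopes = listOf("User.Read")

    init {
        // Enrollment started in onError() completes asynchronously; the SDK reports the outcome
        // through this notification, and only after ENROLLMENT_SUCCEEDED is a token request expected to work.
        MAMComponents.get(MAMNotificationReceiverRegistry::class.java).registerReceiver(
            MAMNotificationReceiver { notification ->
                val result = (notification as MAMEnrollmentNotification).enrollmentResult
                Log.i(TAG, "MAM enrollment result: $result")
                if (result == MAMEnrollmentManager.Result.ENROLLMENT_SUCCEEDED) acquireSilently()
                true  // notification handled
            },
            MAMNotificationType.MAM_ENROLLMENT_RESULT,
        )
    }

    fun signIn(email: String) {
        val params = SignInParameters.builder()
            .withActivity(activity)
            .withLoginHint(email)
            .withScopes(scopes)
            .withCallback(object : AuthenticationCallback {
                override fun onSuccess(result: IAuthenticationResult) = onSignedIn(result)
                override fun onCancel() { Log.w(TAG, "interactive sign-in cancelled") }
                override fun onError(exception: MsalException) {
                    if (exception is MsalIntuneAppProtectionPolicyRequiredException) {
                        // The CA policy requires the app to be MAM-managed for this account: register it
                        // with the values carried in the exception and wait for MAM_ENROLLMENT_RESULT.
                        Log.i(TAG, "app protection policy required for ${exception.accountUpn}; registering for MAM")
                        MAMComponents.get(MAMEnrollmentManager::class.java).registerAccountForMAM(
                            exception.accountUpn,
                            exception.accountUserId,
                            exception.tenantId,
                            exception.authorityUrl,
                        )
                    } else {
                        onFailed(exception)
                    }
                }
            })
            .build()
        app.signIn(params)
    }

    private fun acquireSilently() {
        app.getCurrentAccountAsync(object : ISingleAccountPublicClientApplication.CurrentAccountCallback {
            override fun onAccountLoaded(activeAccount: IAccount?) {
                if (activeAccount == null) { Log.w(TAG, "no signed-in account to acquire a token for"); return }
                val silent = AcquireTokenSilentParameters.Builder()
                    .forAccount(activeAccount)
                    .fromAuthority(activeAccount.authority)
                    .withScopes(scopes)
                    .forceRefresh(false)
                    .withCallback(object : SilentAuthenticationCallback {
                        override fun onSuccess(result: IAuthenticationResult) = onSignedIn(result)
                        override fun onError(exception: MsalException) = onFailed(exception)
                    })
                    .build()
                app.acquireTokenSilentAsync(silent)
            }
            override fun onAccountChanged(priorAccount: IAccount?, currentAccount: IAccount?) {}
            override fun onError(exception: MsalException) = onFailed(exception)
        })
    }
}
```

The point of splitting the flow this way is that nothing in onError() itself obtains a token: registerAccountForMAM only starts enrollment, and the silent retry is driven by the MAM_ENROLLMENT_RESULT notification. If onError() never fires and the broker instead shows a block page, the app never reaches the registration step at all, which is the symptom reported in this issue.
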
bgore commented 2 months ago

Yes, I have read that documentation and implemented the check for MsalIntuneAppProtectionPolicyRequiredException in the onError(MsalException) callback. But as noted, onError() is not called; the application blocks on the screen above. Clicking OK causes onCancel() to be called.

bgore commented 2 months ago

Any update? What else can be tried or looked at?

mukeshk-ms commented 2 months ago

@bgore Can you please confirm whether you followed the MSAL prerequisite guide and added Brokered Authentication, as this is needed for the Conditional Access policy to work? There are some additional links in the same doc to verify that brokered authentication is working as expected.

bgore commented 2 months ago

We are using Brokered Authentication. Our application requires the MS Company Portal to be present when signing in. We have verified that the correct base64 URL-encoded signature hash and redirect URI were created, are in the application's JSON configuration correctly, and have been registered with the application in Azure (per the link above).

For verification, we are using the code sample from above, which attempts to sign in the user from an ISingleAccountPublicClientApplication. While enrollment and sign-in fail, as documented above, when I go to Settings -> Accounts, I do see a new account for "<user's email>" labelled "Work account", so I assume that verifies proper broker configuration.

For what it's worth, I actually see 2 accounts created. The other one says "Work account Work account". I don't know if there was some redundant call or if this is a byproduct of the sign-in failure.

If there is a better/different request to make to verify the broker, let me know; otherwise, what's next?

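One way to check the broker redirect URI from inside the running build rather than by hand, as an added diagnostic that is not code from the project or from the reporter: derive the redirect URI MSAL expects for the certificate this APK was actually signed with, using the derivation from the MSAL Android setup docs (SHA-1 of the DER signing certificate, standard Base64, URL-encoded, in msauth://<package>/<hash>), and compare it with redirect_uri in auth_config.json. Assumptions made here: the config ships as the raw resource R.raw.auth_config (the app's own R class must be imported), the app runs on API 28 or later, and the object and function names are chosen for this example.

```kotlin
// Added diagnostic (not the project's or the reporter's code): does the running build's signing
// certificate produce the redirect_uri that auth_config.json (and the Entra app registration) carry?
import android.content.Context
import android.content.pm.PackageManager
import android.util.Base64
import android.util.Log
import org.json.JSONObject
import java.net.URLEncoder
import java.security.MessageDigest

object BrokerRedirectCheck {
    private const val TAG = "[Intune]"  // assumed log tag

    /** Redirect URI for the certificate this APK is signed with (MSAL docs' derivation). */
    fun expectedRedirectUri(context: Context): String {
        val info = context.packageManager.getPackageInfo(
            context.packageName, PackageManager.GET_SIGNING_CERTIFICATES   // API 28+
        )
        // First signer only. On an emulator this is normally the debug keystore, whose hash
        // differs from the release keystore's, so the value registered in Entra ID must match
        // whichever keystore actually signed the build under test.
        val certDer = info.signingInfo.apkContentsSigners.first().toByteArray()
        val sha1 = MessageDigest.getInstance("SHA-1").digest(certDer)
        val hash = Base64.encodeToString(sha1, Base64.NO_WRAP)   // standard alphabet, padded, not URL-safe
        return "msauth://${context.packageName}/${URLEncoder.encode(hash, "UTF-8")}"
    }

    /** redirect_uri as configured; R.raw.auth_config is an assumed resource name. */
    fun configuredRedirectUri(context: Context): String {
        val text = context.resources.openRawResource(R.raw.auth_config)
            .bufferedReader().use { it.readText() }
        return JSONObject(text).getString("redirect_uri")
    }

    /** Returns true when the running build's signature matches the configured redirect URI. */
    fun verify(context: Context): Boolean {
        val expected = expectedRedirectUri(context)
        val configured = configuredRedirectUri(context)
        val ok = expected == configured
        if (ok) Log.i(TAG, "broker redirect URI matches this build: $configured")
        else Log.e(TAG, "redirect_uri mismatch: config=$configured, this build=$expected")
        return ok
    }
}
```

Call BrokerRedirectCheck.verify(applicationContext) once at startup on the emulator build. A mismatch here does not by itself explain a Conditional Access block page, but it rules the signature hash in or out without relying on the keytool command having been run against the same keystore.
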
bgore commented 2 months ago

If it's any help, I've included logcat output from the device, filtered by "[Intune]" and "companyportal". The former are emitted from our application; the latter from MS CP as it attempts to sign in the user. (Attached: logcat.txt)

bgore commented 2 months ago

I guess I'll open an Intune support case, maybe I can get help there.