AADSTS650052: The app is trying to access a service 'serviceID'(Microsoft Mobile Application Management) that your organization lacks a service principal for.

[jayanth-quintet]

Intune Android App SDK Policy Enforcement Issue

Questions to Ask Before Submission

1. Have you completed the exit criteria for each phase in the [Intune App SDK for Android Integration Guide]?

Yes

2. Have you checked the [Microsoft Intune App SDK for Android] repository for similar issues?

Yes

3. Are you using the latest version of the [SDK]?

MSAL SDK version 5.4.2 Intune SDK version 10.3.1

Summary

We are trying to integrate Microsoft Intune with our Android app to make it MAM aware.  So far, we have integrated both MSAL and Intune SDK.

1. The app is a public app available in Google play store.
2. The app is a single identity app.
3. App is registered in the entra console. An entry for the Android platform is added as well along with the redirect URL. 
4. In the Entra console, necessary API permissions are granted for the user, including the permissions that need to be granted by the admin is there for the user who tried to login into the app.

Integrated MSAL SDK with the app. When trying to login/acquire a token with MSAL, the app is requesting the following scopes.

val MSAL_SCOPES = arrayOf("https://graph.microsoft.com/User.Read", "https://msmamservice.api.application/DeviceManagementManagedApps.ReadWrite")

However, we are seeing that onError method of AuthenticationCallback is getting called with following error

AADSTS650052: The app is trying to access a service ''(Microsoft Mobile Application Management) that your organization '' lacks a service principal for. Contact your IT Admin to review the configuration of your service subscriptions or consent to the application in order to create the required service principal. Trace ID: dbc0de90-49d8-4359-95b7-5dd023294501 Correlation ID: 288e25af-3ef0-4e3d-9c08-f42f494e454b Timestamp: 2024-08-09 10:39:49Z

We did some research and did not find a way to assign a Service Principal for MAM anywhere in both the Entra or Intune admin console. Such a step was not mentioned in Intune documentation as well. Any idea why this error is returning?

On a side note, in the sample app bundled with the Intune SDK, the second scope is not requested.  So, we tried the same by removing the second scope from the MSAL_SCOPES array above and then tried to login/acquire token. This time, we received the MSAL token. However, when we tried to register for MAM, we received a  different error.

val MSAL_SCOPES = arrayOf("https://graph.microsoft.com/User.Read")

Failed to get token for MAM Service AADSTS65001: The user or administrator has not consented to use the application with ID '' named ''. Send an interactive authorization request for this user and resource. Trace ID: 329fb36f-1b87-45dc-ab3d-a3f1708c0f01 Correlation ID: 258b5140-c5b2-4317-9a77-ce3728d6c8b6 Timestamp: 2024-08-09 10:57:54Z

Other Details:

1. App targets Android API 34
2. Using Android Studio Koala | 2024.1.1
3. Company portal app is installed.

Let me know if any other info is needed. I have attached some screenshots as well.

Any help is appreciated. 

[kanishkaBagga]

I am looking into this

[jayanth-quintet]

Any update on this?

Also, I was also trying to find the documentation about the permissions that need to be given for Intune MAM to work with mobile apps. I found dedicated Entra documentation about how to grant permission. However, what I am looking for is a documentation on what permissions are needed specifically for Intune MAM to work in mobile apps.

[kanishkaBagga]

@jayanth-quintet , is this a multi-tenant application?

[jayanth-quintet]

@kanishkaBagga Our app is a multi tenant application.

[kanishkaBagga]

@jayanth-quintet - The error AADSTS650052 you’re encountering indicates that your application is trying to access a service that your organization doesn’t have a service principal for. This typically happens in multi-tenant applications when the required service principal hasn’t been created or consented to by the tenant admin. Here are some steps to resolve this issue:

1. Admin Consent: Ensure that the tenant admin has granted consent for the application. You can do this by constructing an admin consent URL and having the admin navigate to it. The URL format is:
2. https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={client-id}&redirect_uri={redirect-uri} Replace {tenant-id}, {client-id}, and {redirect-uri} with your tenant ID, client ID, and redirect URI respectively.
3. Check API Permissions: Ensure that the API permissions required by your application are correctly configured in the Azure portal. Navigate to Azure Active Directory > App registrations > Your App > API permissions and verify that the necessary permissions are listed.
4. KnownClientApplications: If your application is a multi-tier application, ensure that the knownClientApplications parameter is set in the app manifest. This parameter should include the client IDs of the applications that need to access the API.
5. Tenant-Specific Endpoint: : Instead of using the common endpoint, use the tenant-specific endpoint for authorization. This can sometimes resolve issues related to multi-tenant applications.

[jayanth-quintet]

@kanishkaBagga Thanks. Let me go through the above. I will get back to you.

[jayanth-quintet]

@kanishkaBagga While I look into other points you mentioned in your comment, this is about the third point

Check API Permissions: Ensure that the API permissions required by your application are correctly configured in the Azure portal. Navigate to Azure Active Directory > App registrations > Your App > API permissions and verify that the necessary permissions are listed.

We assume the permissions are already provided. Reattaching the screenshot from the first message in this thread.

Do you think I need to grant any other permission for getting Intune MAM to work with Android application? I am still having difficulties finding a documentation that mentions about permissions in the context of getting Intune MAM to work.

[kanishkaBagga]

Please find the link here - https://learn.microsoft.com/en-us/mem/intune/developer/app-sdk-get-started#give-your-app-access-to-the-intune-mobile-app-management-service ( It is already defined in your case ) Did you verify the above steps?

[jayanth-quintet]

@kanishkaBagga Thanks for your reply.

_

KnownClientApplications: If your application is a multi-tier application, ensure that the knownClientApplications parameter is set in the app manifest. This parameter should include the client IDs of the applications that need to access the API. _

Our's is a single tier application.

_

Tenant-Specific Endpoint: : Instead of using the common endpoint, use the tenant-specific endpoint for authorization. This can sometimes resolve issues related to multi-tenant applications. _

During the development stage, we are working with a single tenant. In the auth_config.json file, we replaced tenant_id with the specific tenant_id.

{
  "client_id" : "<our_client_id>",
  "authorization_user_agent" : "DEFAULT",
  "redirect_uri" : "msauth://<package_name>/<our_key_hash>",
  "account_mode" : "SINGLE",
  "authorities" : [
    {
      "type": "AAD",
      "audience": {
        "type": "AzureADandPersonalMicrosoftAccount",
        "tenant_id": "<our_tenant_id>"
      }
    }
  ]
}

However, this didn't make any difference.

We assume, moving forward, we will need to move away from static config json file and dynamically configure the tenant details in code. But for now, we only have one tenant.

_

Admin Consent: Ensure that the tenant admin has granted consent for the application. You can do this by constructing an admin consent URL and having the admin navigate to it. The URL format is: _

Will get back to you on this. Just waiting for the admin consent to be done.

[jayanth-quintet]

@kanishkaBagga Regarding your solution about granting admin consent

Admin Consent: Ensure that the tenant admin has granted consent for the application. You can do this by constructing an admin consent URL and having the admin navigate to it. The URL format is:

When the admin tried to do this, it took us to a screen where all the Permissions were listed with an Accept CTA button at the bottom (see screenshot). However, the Accept button is not doing anything when we click on it. It continued to load.

We used the developer option to see what is going on underneath and saw that the following error was displayed in the console.

Failed to launch 'msauth://code/msauth.%3A%2F%2Fauth?admin_consent=True&tenant=' because the scheme does not have a registered handler.

Any idea what is going on here? At least, we now know there is a permission there to be granted, but could you help out about this error?