Open jayanth-quintet opened 1 month ago
I am looking into this
Any update on this?
Also, I was also trying to find the documentation about the permissions that need to be given for Intune MAM to work with mobile apps. I found dedicated Entra documentation about how to grant permission. However, what I am looking for is a documentation on what permissions are needed specifically for Intune MAM to work in mobile apps.
@jayanth-quintet , is this a multi-tenant application?
@kanishkaBagga Our app is a multi tenant application.
@jayanth-quintet - The error AADSTS650052 you’re encountering indicates that your application is trying to access a service that your organization doesn’t have a service principal for. This typically happens in multi-tenant applications when the required service principal hasn’t been created or consented to by the tenant admin. Here are some steps to resolve this issue:
@kanishkaBagga Thanks. Let me go through the above. I will get back to you.
@kanishkaBagga While I look into other points you mentioned in your comment, this is about the third point
Check API Permissions: Ensure that the API permissions required by your application are correctly configured in the Azure portal. Navigate to Azure Active Directory > App registrations > Your App > API permissions and verify that the necessary permissions are listed.
We assume the permissions are already provided. Reattaching the screenshot from the first message in this thread.
Do you think I need to grant any other permission for getting Intune MAM to work with Android application? I am still having difficulties finding a documentation that mentions about permissions in the context of getting Intune MAM to work.
Please find the link here - https://learn.microsoft.com/en-us/mem/intune/developer/app-sdk-get-started#give-your-app-access-to-the-intune-mobile-app-management-service ( It is already defined in your case ) Did you verify the above steps?
@kanishkaBagga Thanks for your reply.
_
KnownClientApplications: If your application is a multi-tier application, ensure that the knownClientApplications parameter is set in the app manifest. This parameter should include the client IDs of the applications that need to access the API. _
Our's is a single tier application.
_
Tenant-Specific Endpoint: : Instead of using the common endpoint, use the tenant-specific endpoint for authorization. This can sometimes resolve issues related to multi-tenant applications. _
During the development stage, we are working with a single tenant. In the auth_config.json file, we replaced tenant_id with the specific tenant_id.
{
"client_id" : "<our_client_id>",
"authorization_user_agent" : "DEFAULT",
"redirect_uri" : "msauth://<package_name>/<our_key_hash>",
"account_mode" : "SINGLE",
"authorities" : [
{
"type": "AAD",
"audience": {
"type": "AzureADandPersonalMicrosoftAccount",
"tenant_id": "<our_tenant_id>"
}
}
]
}
However, this didn't make any difference.
We assume, moving forward, we will need to move away from static config json file and dynamically configure the tenant details in code. But for now, we only have one tenant.
_
Admin Consent: Ensure that the tenant admin has granted consent for the application. You can do this by constructing an admin consent URL and having the admin navigate to it. The URL format is: _
Will get back to you on this. Just waiting for the admin consent to be done.
@kanishkaBagga Regarding your solution about granting admin consent
Admin Consent: Ensure that the tenant admin has granted consent for the application. You can do this by constructing an admin consent URL and having the admin navigate to it. The URL format is:
When the admin tried to do this, it took us to a screen where all the Permissions were listed with an Accept CTA button at the bottom (see screenshot). However, the Accept button is not doing anything when we click on it. It continued to load.
We used the developer option to see what is going on underneath and saw that the following error was displayed in the console.
Failed to launch 'msauth://code/msauth.
%3A%2F%2Fauth?admin_consent=True&tenant= ' because the scheme does not have a registered handler.
Any idea what is going on here? At least, we now know there is a permission there to be granted, but could you help out about this error?
Intune Android App SDK Policy Enforcement Issue
Questions to Ask Before Submission
Yes
Yes
MSAL SDK version 5.4.2 Intune SDK version 10.3.1
Summary
We are trying to integrate Microsoft Intune with our Android app to make it MAM aware. So far, we have integrated both MSAL and Intune SDK.
Integrated MSAL SDK with the app. When trying to login/acquire a token with MSAL, the app is requesting the following scopes.
val MSAL_SCOPES = arrayOf("https://graph.microsoft.com/User.Read", "https://msmamservice.api.application/DeviceManagementManagedApps.ReadWrite")
However, we are seeing that onError method of AuthenticationCallback is getting called with following error
We did some research and did not find a way to assign a Service Principal for MAM anywhere in both the Entra or Intune admin console. Such a step was not mentioned in Intune documentation as well. Any idea why this error is returning?
On a side note, in the sample app bundled with the Intune SDK, the second scope is not requested. So, we tried the same by removing the second scope from the MSAL_SCOPES array above and then tried to login/acquire token. This time, we received the MSAL token. However, when we tried to register for MAM, we received a different error.
val MSAL_SCOPES = arrayOf("https://graph.microsoft.com/User.Read")
Other Details:
Let me know if any other info is needed. I have attached some screenshots as well.
Any help is appreciated.