microsoftconnect / ms-intune-app-sdk-android

Intune App SDK for Android enables data protection features and mobile app management via Microsoft Intune

Unable enforce Policy. AUTHORIZATION_NEEDED Error is thrown #243

Open rassackak opened 1 month ago

rassackak commented 1 month ago

Intune Android App SDK Policy Enforcement Issue

Questions to Ask Before Submission

  1. Have you completed the exit criteria for each phase in the Intune App SDK for Android Integration Guide? - Yes
  2. Have you checked the Microsoft Intune App SDK for Android repository for similar issues? - Yes
  3. Are you using the latest version of the SDK? - Yes

Summary

I followed all the steps from the document. After the MSAL acquireToken call I'm getting MsalIntuneAppProtectionPolicyRequiredException. But after calling remediateCompliance(), I'm getting AUTHORIZATION_NEEDED in MAMEnrollmentNotification.

I tried with the sample application as well, but the same issue happens.

Logs

com.microsoft.identity.client.exception.MsalUiRequiredException: no account found for ad9fe314-1e14-4161-b118-7b2f00503ed7
    at com.microsoft.intune.samples.taskr.authentication.MSALUtil.acquireTokenSilentSync(MSALUtil.java:148)
    at com.microsoft.intune.samples.taskr.authentication.AuthenticationCallback.acquireToken(AuthenticationCallback.java:38)
    at java.lang.reflect.Method.invoke(Native Method)
    at o.forCodedOutput$cancelAll.invoke(:84)
    at java.lang.reflect.Proxy.invoke(Proxy.java:1006)
    at $Proxy13.acquireToken(Unknown Source)
    at com.microsoft.intune.mam.policy.AbstractEnrollmentManager$1.acquireToken(:93)
    at com.microsoft.intune.mam.policy.AbstractEnrollmentManager$2.acquireToken(:109)
    at com.microsoft.intune.mam.policy.MAMEnrollmentManagerImpl$StrictAuthenticationCallbackWrapper.acquireToken(:221)
    at com.microsoft.intune.mam.client.app.AuthCallbackUtils.acquireMAMServiceToken(:48)
    at com.microsoft.intune.mam.client.ipcclient.OnlineAuthCallbackUtils.acquireMAMServiceTokenWithTelemetry(:56)
    at com.microsoft.intune.mam.policy.MAMEnrollmentManagerImpl.lambda$attemptMamEnrollment$2(:770)
    at com.microsoft.intune.mam.policy.MAMEnrollmentManagerImpl.$r8$lambda$WM6rw15dJ2GWTLxdrifJqhGCseM(:0)
    at com.microsoft.intune.mam.policy.MAMEnrollmentManagerImpl$$ExternalSyntheticLambda3.run(:0)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:644)
    at java.lang.Thread.run(Thread.java:1012)

Company Portal Logs

Incident ID: 3GBNS2JX

kanishkaBagga commented 1 month ago

I am looking into this

kanishkaBagga commented 3 weeks ago

@rassackak - could you please share the package name

rassackak commented 3 weeks ago

@rassackak - could you please share the package name

package name is com.morohub.smartoffice.

Update: When I tried on a new device (custom app and Company Portal installed for the first time), it is working for one user. When I try to log in as a different user, the same error is thrown.

kanishkaBagga commented 3 weeks ago

@rassackak The error com.microsoft.identity.client.exception.MsalUiRequiredException: no account found for ad9fe314-1e14-4161-b118-7b2f00503ed7 indicates that the Microsoft Authentication Library (MSAL) could not find an account with the specified ID. This exception typically occurs when a silent token acquisition attempt is made, but no account is found in the token cache that matches the provided account ID.

Here are some key points from the stack trace:

  1. MSALUtil.acquireTokenSilentSync: The error occurs in the acquireTokenSilentSync method of the MSALUtil class. This method attempts to acquire a token silently (without user interaction) using the cached account information.
  2. AuthenticationCallback.acquireToken: The acquireToken method in the AuthenticationCallback class is invoked, which likely calls the acquireTokenSilentSync method.
  3. MAM Enrollment: The error is related to the Microsoft Intune Mobile Application Management (MAM) enrollment process. The MAMEnrollmentManagerImpl class attempts to acquire a MAM service token using the AuthCallbackUtils and OnlineAuthCallbackUtils classes.

To resolve this issue, you can take the following steps:

  1. Ensure that the account with the specified ID (ad9fe314-1e14-4161-b118-7b2f00503ed7) is present in the token cache. If the account is not found, you may need to prompt the user to sign in again to add the account to the cache, i.e. if the silent token acquisition fails, you can fall back to an interactive token acquisition method. This will prompt the user to sign in and obtain a new token.
  2. If the token cache is corrupted or contains stale data, clearing the token cache and prompting the user to sign in again can help resolve the issue.
  3. Verify that the MSAL configuration (such as client ID, redirect URI, and authority) is correct and matches the settings in the Azure portal.
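The silent-then-interactive fallback suggested above, written out as an added example (this is not code from the issue, from the ms-intune-app-sdk-android repository, or from the Taskr sample). It assumes a single-account MSAL client (ISingleAccountPublicClientApplication), an Activity to host the interactive sign-in, and the Intune contract that a MAMServiceAuthenticationCallback returning null is followed later by MAMEnrollmentManager.updateToken() once a token is obtained. The class name MamAuthCallback and the package are hypothetical.

```java
// Added example: a MAMServiceAuthenticationCallback that tries a silent MSAL
// acquisition first and, on MsalUiRequiredException (e.g. "no account found
// for <aadId>"), returns null and starts an interactive sign-in whose result
// is handed back to the Intune SDK via updateToken().
package com.example.mamauth; // hypothetical package

import android.app.Activity;
import android.os.Handler;
import android.os.Looper;
import android.util.Log;

import com.microsoft.identity.client.AcquireTokenParameters;
import com.microsoft.identity.client.AcquireTokenSilentParameters;
import com.microsoft.identity.client.AuthenticationCallback;
import com.microsoft.identity.client.IAccount;
import com.microsoft.identity.client.IAuthenticationResult;
import com.microsoft.identity.client.ISingleAccountPublicClientApplication;
import com.microsoft.identity.client.exception.MsalException;
import com.microsoft.identity.client.exception.MsalUiRequiredException;
import com.microsoft.intune.mam.client.app.MAMComponents;
import com.microsoft.intune.mam.policy.MAMEnrollmentManager;
import com.microsoft.intune.mam.policy.MAMServiceAuthenticationCallback;

import java.util.Collections;
import java.util.List;

public final class MamAuthCallback implements MAMServiceAuthenticationCallback {
    private static final String TAG = "MamAuthCallback";

    private final ISingleAccountPublicClientApplication pca;
    private final Activity activity;
    private final String authority; // authority URL from the MSAL config (assumed supplied by the app)

    public MamAuthCallback(ISingleAccountPublicClientApplication pca, Activity activity, String authority) {
        this.pca = pca;
        this.activity = activity;
        this.authority = authority;
    }

    // Register this callback with the Intune SDK once at app start.
    public void register() {
        MAMComponents.get(MAMEnrollmentManager.class).registerAuthenticationCallback(this);
    }

    // Called by the SDK on a background thread when it needs a MAM service token.
    @Override
    public String acquireToken(String upn, String aadId, String resourceId) {
        // The MAM service scope is the resource id plus "/.default".
        List<String> scopes = Collections.singletonList(resourceId + "/.default");
        try {
            IAccount current = pca.getCurrentAccount().getCurrentAccount();
            if (current == null || !aadId.equalsIgnoreCase(current.getId())) {
                // No cached account for this AAD object id: silent acquisition cannot succeed.
                Log.w(TAG, "no cached account for " + aadId + "; falling back to interactive sign-in");
                acquireInteractively(upn, aadId, resourceId, scopes);
                return null;
            }
            AcquireTokenSilentParameters silent = new AcquireTokenSilentParameters.Builder()
                    .forAccount(current)
                    .fromAuthority(authority)
                    .withScopes(scopes)
                    .build();
            return pca.acquireTokenSilent(silent).getAccessToken();
        } catch (MsalUiRequiredException e) {
            // Cache miss or expired refresh token: user interaction is required.
            Log.w(TAG, "silent acquisition needs UI: " + e.getMessage());
            acquireInteractively(upn, aadId, resourceId, scopes);
            return null;
        } catch (MsalException | InterruptedException e) {
            Log.e(TAG, "silent token acquisition failed", e);
            return null;
        }
    }

    // Interactive MSAL calls must run on the main thread; the token is delivered
    // to the SDK asynchronously through updateToken().
    private void acquireInteractively(String upn, String aadId, String resourceId, List<String> scopes) {
        new Handler(Looper.getMainLooper()).post(() -> {
            AcquireTokenParameters params = new AcquireTokenParameters.Builder()
                    .startAuthorizationFromActivity(activity)
                    .withLoginHint(upn)
                    .withScopes(scopes)
                    .withCallback(new AuthenticationCallback() {
                        @Override public void onSuccess(IAuthenticationResult result) {
                            MAMComponents.get(MAMEnrollmentManager.class)
                                    .updateToken(upn, aadId, resourceId, result.getAccessToken());
                        }
                        @Override public void onError(MsalException e) {
                            Log.e(TAG, "interactive token acquisition failed", e);
                        }
                        @Override public void onCancel() {
                            Log.w(TAG, "user cancelled interactive sign-in");
                        }
                    })
                    .build();
            pca.acquireToken(params);
        });
    }
}
```

In single-account mode the interactive call only succeeds for the account MSAL currently holds; switching users requires signOut() on the client before the new sign-in, and the account id comparison above is what turns the "no account found" case into an explicit interactive prompt instead of a silent failure.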

rassackak commented 3 weeks ago

@kanishkaBagga I have tried the same user (ID ad9fe314-1e14-4161-b118-7b2f00503ed7) on a different device, and it is working fine. I'm getting the token and the MAM policy is applied successfully. But, as I mentioned earlier, I'm unable to log in another user on the same device.

I'm using account_mode = SINGLE as my app requires only one user to be logged in at a time. I'm calling the signOut method provided. Still I'm unable to log in to a different account on the same device.

kanishkaBagga commented 3 weeks ago

@rassackak - is this issue specific to this user on all devices?

rassackak commented 3 weeks ago

@kanishkaBagga It is not specific to a user. It happens when a user tries to log in on a device where another user is logged in and the MAM policies are applied. As I mentioned earlier, it works when we try to log in for the first time. It also works when I go to device settings and delete the account added in the accounts section.

kanishkaBagga commented 4 days ago

did you try this?

To resolve this issue, you can take the following steps:

  1. Ensure that the account with the specified ID (ad9fe314-1e14-4161-b118-7b2f00503ed7) is present in the token cache. If the account is not found, you may need to prompt the user to sign in again to add the account to the cache, i.e. if the silent token acquisition fails, you can fall back to an interactive token acquisition method. This will prompt the user to sign in and obtain a new token.
  2. If the token cache is corrupted or contains stale data, clearing the token cache and prompting the user to sign in again can help resolve the issue.
  3. Verify that the MSAL configuration (such as client ID, redirect URI, and authority) is correct and matches the settings in the Azure portal.