microsoftconnect / ms-intune-app-sdk-ios

Intune App SDK for iOS enables data protection and mobile app management features in iOS mobile apps with Microsoft Intune

User sees Authenticator app prompt even when Authenticator is already installed, tapping on button does not work #418

Open viwod opened 6 months ago

viwod commented 6 months ago

Describe the bug: We have a customer running into an issue where the authenticator page is presented, but interacting with the button on the page does not launch the authenticator app.

In our .plist we have Auto-Enroll on Launch set to true, so the user meets the Microsoft SSO page from the SDK on app launch. They then attempt to sign-in. After entering their credentials, they are prompted by a screen requesting that they install the Microsoft Authenticator app even though it is already installed. And when pressing on the button, they do not link to the app.

To Reproduce: Steps to reproduce the behavior:

  1. Open app (Auto-Enroll set to true, so Microsoft SSO page from SDK is presented on app launch)
  2. Enter user credentials on Microsoft SSO page
  3. See Microsoft Authenticator screen
  4. Pressing on button does not open Authenticator app

Expected behavior: Opening button links to Authenticator app from our app.

Screenshots and logs:

[Screenshot 2024-03-29 at 2:18:15 PM]

Smartphone (please complete the following information):

Intune App SDK for iOS (please complete the following information):

Additional context: Why does the user see this prompt even though they already have the Authenticator app installed on their device?

Does the SDK expect our app to handle the Microsoft Authenticator app deeplink when this occurs? And if so, what is the exact deeplink URL (i.e. scheme, etc.) we should be looking out for? We'll want to know this because we do not want to call the SDK handler for deeplinks on all deeplinks; we want to filter for just Microsoft deeplinks.

jitheshncxe commented 6 months ago

Hi, could you please confirm if this is happening with only a specific application and device or happening across the applications that leverage brokered authentication? Do you see it works fine with simple MSAL applications that would use broker for authentication (something like a sample application built using instructions on https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Leveraging-the-broker-on-iOS-and-Android/93bd655f2b86da765868158b766d3c84345c98f1)? If it fails for other applications which are not Intune MAM SDK integrated as well, we may suspect something related to the authenticator itself on that device. If so, please try to remove and re-install the authenticator app and see if that helps. Also see if the broker logs described in the troubleshooting section of the above link provide some clues...

viwod commented 6 months ago

Thanks for your response. We have done all the required configuration steps, though it appears we'll need to filter on these link requests with the AuthenticationContinuationHelper mentioned in that doc to verify that the link we receive in AppDelegate (in our case SceneDelegate) is an authenticator deeplink request. I'm having trouble finding additional documentation on that object, would you mind linking where there is additional documentation on the AuthenticationContinuationHelper object?

I've also noticed that this particular page is from 2020, I found a more recent page last week here: https://github.com/AzureAD/microsoft-authentication-library-for-objc#ios-only-steps

But a recent PR has completely removed all code samples from that page and has no linking to new documentation. Is there more recent documentation on the implementation of this linking flow?

jitheshncxe commented 6 months ago

Hi, could you please confirm whether the original application is using AuthenticationContinuationHelper, or are you just trying to create a sample MSAL.net based application to isolate the issue? My original suggestion was to help isolate where the issue lies. If you could confirm the authenticator works for all other applications except this one, that would be sufficient too. If you are blocked on implementing the sample application mentioned in my previous post, you may try the following MSAL iOS sample based on https://github.com/Azure-Samples/ms-identity-mobile-apple-swift-objc as well. But if your original application is based on AuthenticationContinuationHelper and you are still looking for documentation around that, I will check and see if we still have a public one.

viwod commented 6 months ago

Noted, this is happening just on our app, the authenticator works for other applications on the customer's device. Thanks for clearing that up, our application is not based around AuthenticationContinuationHelper.

I've looked through the sample app and it's this line that I was asking about here: https://github.com/Azure-Samples/ms-identity-mobile-apple-swift-objc/blob/master/MSALiOS/AppDelegate.swift#L90

I'd like to add implementation to make this function call when we receive a URL from the SDK. However, I don't want to call this function every time, I'd like to filter on the URL so that we're only calling the MSAL function when we receive a known Intune deeplink. For example:

func application(_ app: UIApplication, open url: URL, options: [UIApplication.OpenURLOptionsKey : Any] = [:]) -> Bool {
    // Only hand the URL to MSAL when it carries the Authenticator deeplink scheme.
    if url.scheme == "insert_authenticator_app_deeplink_scheme_here" {
        return MSALPublicClientApplication.handleMSALResponse(url, sourceApplication: options[UIApplication.OpenURLOptionsKey.sourceApplication] as? String)
    } else {
        // insert_our_app_handling_for_other_deeplinks_here
        return false
    }
}

What I'd like to know is what that deeplink URL will look like so that I can defer to the MSALPublicClientApplication if we are receiving an Intune URL, and to our other logic when receiving other URLs.

jitheshncxe commented 5 months ago

@viwod, the URL scheme should be of the format described on https://learn.microsoft.com/en-us/entra/identity-platform/scenario-mobile-app-configuration#step-2-register-a-url-scheme. Have you already tried it and seen if that provides the required result?

viwod commented 5 months ago

Thanks for the recommendation, we've updated our code and .plist to include this. We've prepared a build for our customer with these changes and are waiting to see if this resolves the issue for them.
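The scheme filter discussed in this thread, placed in a SceneDelegate as viwod's app uses, as an added example (not code from the issue, from MSAL or from the Intune SDK). It assumes the URL scheme format from the linked Microsoft page (msauth.<bundle id>, registered in CFBundleURLTypes, with msauthv2 and msauthv3 in LSApplicationQueriesSchemes); handleAppDeepLink is a hypothetical stand-in for the app's own routing.

```swift
import UIKit
import MSAL

// Added example, not code from the issue or from the SDK. Assumes Info.plist
// registers the URL scheme "msauth.<bundle id>" (CFBundleURLTypes) and lists
// "msauthv2" and "msauthv3" under LSApplicationQueriesSchemes, as the linked
// Microsoft setup page describes.
final class SceneDelegate: UIResponder, UIWindowSceneDelegate {
    var window: UIWindow?

    /// The broker (Authenticator) callback scheme MSAL expects: msauth.<bundle id>.
    private static let brokerScheme = "msauth." + (Bundle.main.bundleIdentifier ?? "")

    /// True only for the broker response addressed to this app, so unrelated
    /// deep links are never passed to MSAL.
    static func isBrokerCallback(_ url: URL) -> Bool {
        guard let scheme = url.scheme?.lowercased() else { return false }
        return scheme == brokerScheme.lowercased()
    }

    func scene(_ scene: UIScene, openURLContexts URLContexts: Set<UIOpenURLContext>) {
        for context in URLContexts {
            let url = context.url
            if SceneDelegate.isBrokerCallback(url) {
                // Hand the broker response to MSAL together with the source
                // application so MSAL can validate where the response came from.
                _ = MSALPublicClientApplication.handleMSALResponse(
                    url,
                    sourceApplication: context.options.sourceApplication)
            } else {
                handleAppDeepLink(url)
            }
        }
    }

    /// Hypothetical placeholder for the app's own deep-link handling.
    private func handleAppDeepLink(_ url: URL) {
        // Route the app's universal links and custom-scheme links here.
    }
}
```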

jitheshncxe commented 4 months ago

@viwod, can you please let us know the status? If it is resolved or taking time to confirm, we may close this thread for now and reopen when needed. Please let us know.