Forum Discussion
Custom App requests authentication on Teams Mobile (iOS)
Hello everyone,
I have a legacy web app that is hosted locally and published via Entra ID App Proxy, ensuring it is secured by conditional access policies. I wanted to test its integration in Teams, and it works fine as a custom app. When I call the "Entra ID App Proxy" app within a custom Teams app, it functions seamlessly with SSO on the Teams app for Windows and in MS Edge.
However, I encounter an issue with SSO when I open the custom app in Microsoft Teams (version 6.18.2) on iOS (version 18.0.1). It always prompts for credentials (username, password, and MFA code), which is different from my experience on Windows and in the browser.
Has anyone else tried something similar to make a legacy app available within Microsoft Teams? Any insights or solutions would be greatly appreciated.
Thank you!
Erik365Online - Thank you for sharing the Teams App manifest. It looks well-structured, but the issue with SSO on iOS might be due to how the Entra ID app proxy handles authentication on different platforms.
The Entra ID app proxy settings are correctly configured for iOS devices. Sometimes, specific settings or policies might need to be adjusted to ensure seamless SSO on iOS. Ensure that the Entra ID app proxy is set up to pre-authenticate users before granting access to the application. This involves configuring the app proxy to use Azure AD for authentication. Review and configure conditional access policies to ensure they are not causing issues on iOS. Conditional access policies might treat iOS devices differently, leading to repeated authentication prompts.
Reference Document-
1. Plan a Microsoft Entra application proxy Deployment - Microsoft Entra ID | Microsoft Learn
2. Publish on-premises apps with Microsoft Entra application proxy - Microsoft Entra ID | Microsoft Learn
3. Translate links and URLs for Microsoft Entra application proxy. - Microsoft Entra ID | Microsoft Learn
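An added example, not part of the thread or of any poster's code: one way to carry out the conditional access review suggested above is to export the policies from Microsoft Graph (`GET /identity/conditionalAccess/policies`) and list which enabled ones reach the App Proxy application on iOS but not on Windows. The policy data and the app ID below are constructed placeholders, and the check looks only at the application and platform conditions, not at users, locations or device filters.

```python
import json

# Constructed sample in the shape of Graph conditionalAccessPolicy objects
# (not data from the thread). APP_ID is a placeholder for the App Proxy app.
APP_ID = "00000000-0000-0000-0000-0000000000aa"
SAMPLE = json.loads("""[
 {"displayName": "Require MFA for all apps", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["All"]},
                 "platforms": null},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "Mobile: compliant device for EWA", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["00000000-0000-0000-0000-0000000000aa"]},
                 "platforms": {"includePlatforms": ["iOS", "android"], "excludePlatforms": []}},
  "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]}},
 {"displayName": "Report-only test", "state": "enabledForReportingButNotEnforced",
  "conditions": {"applications": {"includeApplications": ["All"]},
                 "platforms": {"includePlatforms": ["all"], "excludePlatforms": ["iOS"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["block"]}}
]""")

def targets_app(policy, app_id):
    apps = policy["conditions"]["applications"]
    included = apps.get("includeApplications") or []
    excluded = apps.get("excludeApplications") or []
    return ("All" in included or app_id in included) and app_id not in excluded

def targets_platform(policy, platform):
    plat = policy["conditions"].get("platforms")
    if not plat:  # no platform condition: the policy applies to every platform
        return True
    inc = [p.lower() for p in plat.get("includePlatforms") or []]
    exc = [p.lower() for p in plat.get("excludePlatforms") or []]
    return ("all" in inc or platform.lower() in inc) and platform.lower() not in exc

def enforced_controls(policies, app_id, platform):
    """Map policy name -> grant controls for enabled policies hitting app + platform."""
    out = {}
    for p in policies:
        if p["state"] == "enabled" and targets_app(p, app_id) and targets_platform(p, platform):
            grant = p.get("grantControls") or {}
            out[p["displayName"]] = sorted(grant.get("builtInControls") or [])
    return out

def platform_only(policies, app_id, platform, baseline):
    """Policies enforced on `platform` but not on `baseline` (e.g. iOS vs windows)."""
    base = enforced_controls(policies, app_id, baseline)
    return {n: c for n, c in enforced_controls(policies, app_id, platform).items() if n not in base}
```

A non-empty result from `platform_only(SAMPLE, APP_ID, "iOS", "windows")` names the policies whose controls only iOS sessions have to satisfy; report-only and disabled policies are skipped because they do not trigger prompts.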
4 Replies
Thank you, Sayali! I will check conditional access policies and Entra ID app proxy settings.
Just tried Pre Authentication with "Passthrough" which directly makes the website available and accessible even through MS Teams on iOS. However, this is insecure because it will not request any auth. I'll check conditional access policies as well.
- Sayali-MSFT
Microsoft
Erik365Online - Thanks for reporting your issue.
Could you please share some code snippets/repro steps so that we can investigate from our end.
Hi Sayali-MSFT,
sure, the Teams App manifest.
{
  "$schema": "https://developer.microsoft.com/en-us/json-schemas/teams/v1.17/MicrosoftTeams.schema.json",
  "version": "1.0.2",
  "manifestVersion": "1.17",
  "id": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
  "name": {
    "short": "EWA",
    "full": "EWA - Eriks Web App"
  },
  "developer": {
    "name": "Erik Kleefeldt",
    "mpnId": "",
    "websiteUrl": "https://somelegacywebappnamereplacedhere.msappproxy.net/",
    "privacyUrl": "https://www.contoso.com/about/",
    "termsOfUseUrl": "https://www.contoso.com/about/"
  },
  "description": {
    "short": "EWA is designed to demo a web-based app showing up as a Teams integrated app",
    "full": "Eriks Web App - EWA - Is designed to demo a web-based app showing up as a Teams integrated app"
  },
  "icons": {
    "outline": "outline.png",
    "color": "color.png"
  },
  "accentColor": "#FFFFFF",
  "staticTabs": [
    {
      "entityId": "YYYYYYYY-YYYY-YYYY-YYYY-YYYYYYYYYYYY",
      "name": "Web",
      "contentUrl": "https://somelegacywebappnamereplacedhere.msappproxy.net/",
      "websiteUrl": "https://somelegacywebappnamereplacedhere.msappproxy.net/",
      "scopes": [
        "personal"
      ],
      "context": [
        "personalTab"
      ]
    },
    {
      "entityId": "about",
      "scopes": [
        "personal"
      ]
    }
  ],
  "validDomains": [
    "somelegacywebappnamereplacedhere.msappproxy.net",
    "*.msappproxy.net",
    "*.contoso.com"
  ],
  "webApplicationInfo": {
    "id": "ZZZZZZZZ-ZZZZ-ZZZZ-ZZZZ-ZZZZZZZZZZZZ",
    "resource": "https://somelegacywebappnamereplacedhere.msappproxy.net/user_impersonation/"
  },
  "configurableProperties": [
    "name",
    "smallImageUrl",
    "largeImageUrl",
    "accentColor"
  ]
}
The legacy web app behind is an HTML website secured behind an Entra ID app proxy (...msappproxy.net).
The HTML website itself does not require any authentication; only the Entra ID app proxy seems to require pre-authentication. But this pre-authentication within Teams on iOS is not passed through.
Best Regards
Erik