
Conditional Access and Forms tabs/apps using Form tabs

Carsten Büttemeier
Contributor

Hi everybody,

to ensure some governance in the client's tenant we introduced a Forms/Flow/Approval/Azure Function combination to create something called "permanent Team" that is excluded from the AAD Groups expiration policy.

So far, so nice, but when we wrapped everything into a Teams app so that the user has a consistent UI, we stumbled upon the Conditional Access feature which lets Forms not work in a Teams tab. The form tried to load but leaves a gray window as it tries to authenticate and obviously "losing" the machine information for the CA check while doing so. When starting the Teams app in the web client, everything works smoothly, so obviously the Windows client here is causing this behaviour. Similar approaches with e.g. Planner are working well, so this seems to be solved here.

Any workaround for this or any idea when this will be fixed for Forms?

Best,

Carsten

4 Replies

What sort of CA policy is set, and what do you see in the AzureAD logs for the user when it's failing?

There are several, dealing with different scenarios like Citrix access or different vendor-specific configurations. The one we are dealing with here is the restriction to Intune compliant devices:

Screenshot_1.png

I don't have access to the AD at the moment, so I can't provide the logs as c&p in detail. When we checked we got the well-known "You can't get there from here" error messages.

It would be interesting to compare Forms operating in the browser to Forms embedded in the Teams desktop against your policies. The latest update to AzureAD sign-in logs lets you easily see how the CA policies were applied during login.

If you did see a difference I think it would be time for a support request.
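The comparison suggested in the reply above, sketched as an added example that is not part of the original thread: it groups exported sign-in records for Forms by client and reports any Conditional Access policy whose result differs between clients. Field names follow the Microsoft Graph signIn resource; the sample records, browser strings and policy name are constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed sample, shaped like Microsoft Graph signIn records. All values
# (device id, browser strings, policy name) are made up for illustration.
SAMPLE_SIGNINS = json.loads("""[
 {"appDisplayName": "Microsoft Forms", "clientAppUsed": "Browser",
  "deviceDetail": {"deviceId": "constructed-device-id", "isCompliant": true,
                   "browser": "Edge"},
  "conditionalAccessStatus": "success",
  "appliedConditionalAccessPolicies": [
    {"displayName": "Require compliant device", "result": "success"}]},
 {"appDisplayName": "Microsoft Forms", "clientAppUsed": "Browser",
  "deviceDetail": {"deviceId": "", "isCompliant": false,
                   "browser": "Embedded web view"},
  "conditionalAccessStatus": "failure",
  "appliedConditionalAccessPolicies": [
    {"displayName": "Require compliant device", "result": "failure"}]}
]""")

def summarize(signins, app="Microsoft Forms"):
    """Group one app's sign-ins by client; keep device state and policy results."""
    summary = defaultdict(list)
    for s in signins:
        if s.get("appDisplayName") != app:
            continue
        dev = s.get("deviceDetail") or {}
        client = (s.get("clientAppUsed") or "unknown", dev.get("browser") or "unknown")
        summary[client].append({
            "device_id_present": bool(dev.get("deviceId")),
            "is_compliant": dev.get("isCompliant"),
            "ca_status": s.get("conditionalAccessStatus"),
            "policies": {p["displayName"]: p["result"]
                         for p in s.get("appliedConditionalAccessPolicies") or []},
        })
    return dict(summary)

def policy_differences(summary):
    """Policies whose result differs between clients, mapped result -> clients."""
    seen = defaultdict(lambda: defaultdict(set))
    for client, rows in summary.items():
        for row in rows:
            for name, result in row["policies"].items():
                seen[name][result].add(client)
    return {name: {r: sorted(c) for r, c in results.items()}
            for name, results in seen.items() if len(results) > 1}

if __name__ == "__main__":
    print(json.dumps(policy_differences(summarize(SAMPLE_SIGNINS)), indent=2))
```

A record with no device ID alongside a failed device-compliance policy is the pattern to look for when the embedded client does not pass device identity during authentication.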

I think Microsoft is well aware of this behaviour:

teams.png

(taken from https://docs.microsoft.com/en-us/microsoftteams/known-issues )

Would just be interesting if there is any workaround or any idea when this gets fixed for Forms.
