Conditional Access and Forms tabs/apps using Form tabs

Carsten Büttemeier
Contributor

Hi everybody,

To ensure some governance in the client's tenant, we introduced a Forms/Flow/Approval/Azure Function combination to create something called a "permanent Team" that is excluded from the AAD Groups expiration policy.

So far, so nice, but when we wrapped everything into a Teams app so that the user has a consistent UI, we stumbled upon the Conditional Access feature, which causes Forms not to work in a Teams tab. The form tries to load but leaves a gray window as it tries to authenticate, obviously "losing" the machine information for the CA check while doing so. When starting the Teams app in the web client, everything works smoothly, so obviously the Windows client here is causing this behaviour. Similar approaches with e.g. Planner are working well, so this seems to be solved here.

Any workaround for this or any idea when this will be fixed for Forms?

Best,

Carsten

4 Replies

What sort of CA policy is set, and what do you see in the AzureAD logs for the user when it's failing?

There are several, dealing with different scenarios like Citrix access or different vendor-specific configurations. The one we are dealing with here is the restriction to Intune compliant devices:

Screenshot_1.png

I don't have access to the AD at the moment, so I can't provide the logs as c&p in detail. When we checked we got the well-known "You can't get there from here" error messages.

It would be interesting to compare Forms operating in the browser to Forms embedded in the Teams desktop against your policies. The latest update to AzureAD sign-in logs lets you easily see how the CA policies were applied during login.

If you did see a difference I think it would be time for a support request.
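
The comparison suggested in the reply above, as an added example that is not part of the original thread: it diffs two exported sign-in records, one from the browser and one from the embedded desktop tab, and reports which Conditional Access policies evaluated differently and whether the device identity was missing. Field names follow the Microsoft Graph `signIn` resource; the sample records, policy names and function names are constructed for illustration.

```python
import json

# Constructed sample: the same user opening the same app twice, once from a
# browser tab and once from the desktop client's embedded tab. Field names
# follow the Microsoft Graph signIn resource; all values are made up.
SAMPLE = json.loads("""
[
 {"appDisplayName": "Microsoft Forms",
  "deviceDetail": {"deviceId": "11111111-2222-3333-4444-555555555555", "isCompliant": true},
  "status": {"errorCode": 0},
  "appliedConditionalAccessPolicies": [
    {"displayName": "Require MFA", "result": "success"},
    {"displayName": "Require compliant device", "result": "success"}]},
 {"appDisplayName": "Microsoft Forms",
  "deviceDetail": {"deviceId": "", "isCompliant": false},
  "status": {"errorCode": 53000},
  "appliedConditionalAccessPolicies": [
    {"displayName": "Require MFA", "result": "success"},
    {"displayName": "Require compliant device", "result": "failure"}]}
]
""")

def summarize(signin):
    """Reduce one sign-in record to the facts a device-compliance check depends on."""
    device = signin.get("deviceDetail") or {}
    policies = signin.get("appliedConditionalAccessPolicies") or []
    return {
        "device_id_present": bool(device.get("deviceId")),
        "error_code": (signin.get("status") or {}).get("errorCode"),
        "policies": {p["displayName"]: p["result"] for p in policies},
    }

def diff_signins(browser, embedded):
    """Return only what differs between the browser and embedded sign-ins."""
    a, b = summarize(browser), summarize(embedded)
    names = sorted(set(a["policies"]) | set(b["policies"]))
    return {
        # policy name -> (result in browser, result in embedded tab)
        "policy_diffs": {n: (a["policies"].get(n), b["policies"].get(n))
                         for n in names
                         if a["policies"].get(n) != b["policies"].get(n)},
        # True when the browser sign-in carried a device ID and the embedded one did not
        "device_identity_lost": a["device_id_present"] and not b["device_id_present"],
        "error_codes": (a["error_code"], b["error_code"]),
    }

if __name__ == "__main__":
    print(json.dumps(diff_signins(*SAMPLE), indent=2))
```

A non-empty `policy_diffs` together with `device_identity_lost` is the kind of difference the reply says would justify a support request.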

I think Microsoft is well aware of this behaviour:

teams.png

(taken from https://docs.microsoft.com/en-us/microsoftteams/known-issues)

Would just be interesting if there is any workaround or any idea when this gets fixed for Forms.
