Home

Authentication with ADAL using managed Mobile devices

%3CLINGO-SUB%20id%3D%22lingo-sub-78821%22%20slang%3D%22en-US%22%3EAuthentication%20with%20ADAL%20using%20managed%20Mobile%20devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-78821%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20everybody%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20facing%20a%20very%20strange%20authentication%20problem%20in%20my%20app.%3C%2FP%3E%3CP%3ETo%20get%20a%20valid%20adal%20token%20I%20use%20the%20adaljs%20library%2C%20which%20works%20fine.%20I%20get%20a%20valid%20token%20and%20can%20connect%20to%20my%20Azure%20AppService.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20app%20that%20runs%20in%20the%20Azure%20AppService%20then%20uses%20my%20adal%20token%20to%20get%20a%20new%20token.%20I%20create%20a%20UserAssertion%20object%20from%20the%20token%20I%20got%20from%20Javascript%20adaljs.%20I%20need%20to%20do%20this%2C%20because%20otherwise%20I%20could%20not%20connect%20to%20SharePoint%20Online%20without%20getting%20a%20401%20unauthorized.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20code%20works%20perfectly%20fine%20for%20desktop%20browsers%20but%20does%20fail%20when%20I%20try%20to%20access%20my%20AppService%20with%20a%20mobile%20device%20and%20a%20adfs%20managed%20user.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EUsing%20a%20%22cloud%20only%22%20user%20works%20fine%2C%20but%20whenever%20I%20try%20to%20use%20a%20user%20which%20gets%20synced%20from%20my%20AD%20I%20get%20the%20following%20error%20when%20trying%20to%20get%20the%20second%20token%3A%3C%2FP%3E%3CP%3E%3CSPAN%3EAADSTS50131%3A%20Your%20device%20is%20required%20to%20be%20managed%20to%20access%20this%20resource.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EThe%20problem%20here%20is%20that%20the%20device%20is%20definitely%20managed.%20When%20I%20add%20an%20exception%20for%20this%20user%20in%20intune%2C%20I%20can%20access%20the%20App%20via%20the%20mobile%20device.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EHas%20anybody%20a%20clue%20what%20could%20be%20the%20problem%20here%3F%20Any%20help%20would%20be%20appreciated.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EThanks%20in%20advance%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EAlex%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-78821%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAuthentication%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMobile%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESharePoint%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-153812%22%20slang%3D%22en-US%22%3ERe%3A%20Authentication%20with%20ADAL%20using%20managed%20Mobile%20devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-153812%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3EHi%20Tim%2C%20I%20did%20not%20really%20manage%20to%20find%20a%20solution.%20I%20solved%20the%20issue%20by%20setting%20an%20exception%20for%20mobile%20browsers%20in%20the%20intunes%20settings.%20So%20basically%20we%20made%20the%20application%20accessible%26nbsp%3Bfor%20not%20managed%20devices.%20All%20apps%20like%20Outlook%20and%20so%20forth%20still%20need%20a%20device%20to%20be%20managed%2C%20so%20it%20was%20ok%20for%20our%20client.%20If%20you%20ever%20find%20a%20real%20solution%20for%20this%20problem%2C%20it%20would%20be%20nice%20if%20you%20would%20share%20it%20with%20me%20%5E%5E.%20Best%20regards%20Alex%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-153810%22%20slang%3D%22en-US%22%3ERe%3A%20Authentication%20with%20ADAL%20using%20managed%20Mobile%20devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-153810%22%20slang%3D%22en-US%22%3E%3CP%3EFacing%20the%20same%20issue.%26nbsp%3B%20I%20have%20a%20published%20app%20through%20Azure%20AD%20App%20Proxy%20that%20works%20from%20a%20managed%20PC%2C%20but%20will%20not%20load%20from%20a%20mobile%20device.%26nbsp%3B%26nbsp%3B%20The%20mobile%20device%20is%20Intune%20managed.%26nbsp%3B%20Getting%20the%20same%20error.%26nbsp%3B%20Any%20chance%20you%20found%20a%20resolution%20to%20this%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-82307%22%20slang%3D%22en-US%22%3ERe%3A%20Authentication%20with%20ADAL%20using%20managed%20Mobile%20devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-82307%22%20slang%3D%22en-US%22%3E%3CP%3EI%20checked%20the%20App%20Service%20and%20O365%20App%20yesterday%20and%20came%20across%20these%20preview%20settings%20in%20the%20graph%20api%3A%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20style%3D%22width%3A%20450px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F16446iC99E8D4C600B52A7%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22snip_20170627084019.png%22%20title%3D%22snip_20170627084019.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECould%20it%20be%20possible%20that%20there%20is%20a%20connection%20between%20my%20problem%20and%20these%20new%20features%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ebest%20regards%3C%2FP%3E%3CP%3EAlex%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Alexander Adelmann
Occasional Contributor

Hi everybody,

 

I am facing a very strange authentication problem in my app.

To get a valid adal token I use the adaljs library, which works fine. I get a valid token and can connect to my Azure AppService. 

 

The app that runs in the Azure AppService then uses my adal token to get a new token. I create a UserAssertion object from the token I got from Javascript adaljs. I need to do this, because otherwise I could not connect to SharePoint Online without getting a 401 unauthorized.

 

The code works perfectly fine for desktop browsers but does fail when I try to access my AppService with a mobile device and a adfs managed user.

 

Using a "cloud only" user works fine, but whenever I try to use a user which gets synced from my AD I get the following error when trying to get the second token:

AADSTS50131: Your device is required to be managed to access this resource.

 

The problem here is that the device is definitely managed. When I add an exception for this user in intune, I can access the App via the mobile device.

 

Has anybody a clue what could be the problem here? Any help would be appreciated. 

 

Thanks in advance, 

Alex

3 Replies

I checked the App Service and O365 App yesterday and came across these preview settings in the graph api:

snip_20170627084019.png

 

Could it be possible that there is a connection between my problem and these new features?

 

best regards

Alex

 

 

 

Facing the same issue.  I have a published app through Azure AD App Proxy that works from a managed PC, but will not load from a mobile device.   The mobile device is Intune managed.  Getting the same error.  Any chance you found a resolution to this?

Hi Tim, I did not really manage to find a solution. I solved the issue by setting an exception for mobile browsers in the intunes settings. So basically we made the application accessible for not managed devices. All apps like Outlook and so forth still need a device to be managed, so it was ok for our client. If you ever find a real solution for this problem, it would be nice if you would share it with me ^^. Best regards Alex