Office 365 Video Integrated with SharePoint 2016 On-Prem - Authorization

Hello All -

I recently developed an Office 365 app which, in function, is very simple. The app is basically a video gallery which retrieves the default embed code for a video from the Office 365 Video Portal using the Video Portal API. The logic targets specific channels (5 in total) and then retrieves the top 3 from each and renders the videos in a grid layout using Bootstrap. The app is integrated with SharePoint 2016 on-prem and is working as expected from an authentication/authorization (so I thought) standpoint. I am using the ADAL.js library and some custom JS to handle the request/response for each video retrieved.

 

NOTE:

The production application is using session storage not local storage. I also cleared my cache many times during my testing.

 

Now my issue-

A non-licensed Office 365 user can view an Office 365 Video configured using the embed link or in my case a custom app that is using the defaultEmbedCode from the Office 365 Video API.

 

The non-licensed user is prompted to authenticate and after entering their email/password, voilà, they are redirected back to my video gallery page and all the videos load. The same behavior happens on any page where the embed link is used, such as in a CEWP or the Office 365 Video WP. So this is not specific to my app but a more general behavior when using the embed video link.

 

If I navigate to the Office 365 Video Portal using my non-licensed account, I receive the expected message stating "You are not authorized/licensed to view this application" (verbiage is not exact).

 

In viewing the payload I can see a boolean check called "IsLicensedForVideoPortal" and for my test account it returns FALSE, however the videos load regardless.

HTTPCLIENT: /portals/hub/_api/VideoService.Discover/IsLicensedForVideoPortal

 

We are using AD On-Prem with ADFS & Office 365.

 

Any guidance or insight is greatly appreciated.

 

Best,

Bobby Cruz