msal
8 Topics

Managed Home Screen MSAL - severe issues
Hi Intune Community! We are currently experiencing severe issues with Managed Home Screen and MSAL on our shared Android devices, managed as dedicated with Entra Shared mode. Anyone else experiencing issues?

Quite often when a user types her user name at the MHS sign-in page and presses the Sign In button, the screen only blinks and nothing happens. The only workaround is to restart the device, and then it often works to sign in a user once or twice, until the same issue happens again. It affects all devices and all users, and we have tried both the latest version of MHS and some older version. No difference.

Some things that we have seen:
- If we exit kiosk mode and start the Intune app it says "Something went wrong" and shows a Register button. This is however gone when restarting the device. (see images below)
- If we start the Authenticator app, also after exiting kiosk, it asks for "organization email" and shows a Register button. This is also back to normal once you restart the device. (see images below)
- If we let the device be after trying to sign in, 10-20 minutes later it has managed to sign in and asks for setting a Session PIN. The problem is that it is the user who last made a successful sign-in who gets signed in. Huge security issue.
- We also see that Edge and Teams (probably other MSAL-enabled apps as well) don't behave as normal even if you successfully sign in. Teams asks what account to sign in with. Either selecting the suggested account or pressing the Back button (<) signs you in. (see images below)

178 Views, 1 like, 8 Comments

Error resetting last modified date
Hi! I am using CSOM to change SharePoint Online files and reset the last modified date of their items. It works when I log in to SharePoint with user name and password. When I create an app registration and use MSAL to get a token through interactive login, the reset of the last modified date will not work. The code is the same. It is just the token that makes the difference. The app registration's API permissions are set to AllSites.Manage, so it should have enough rights to change metadata. Any suggestions what I could change?

Cheers
Alex

2.1K Views, 0 likes, 6 Comments

MSAL vs. Microsoft Teams
As ADAL hasn't been touched in over two years now, I have migrated my application to MSAL. Sadly enough the Teams docs are still ADAL based. I have an application that is working fine outside Microsoft Teams. Once I embed it as an app inside Microsoft Teams, two things happen:
- MSAL's acquireTokenSilent method, which returns a promise, fails silently without any possibility to know what happened. This has been raised before, many times:
  https://github.com/OfficeDev/TrainingContent/issues/606
  https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/222
  https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/470
- I tried to enable MSAL's debug logging info. Working fine stand-alone; inside Teams: not one log message.

There seems to have been https://github.com/OfficeDev/TrainingContent/blob/master/Teams/04%20Fundamentals%20of%20Microsoft%20Teams/Lab.md#exercise3 with MSAL's acquireTokenSilent in it, but that probably worked because it was launched from the config screen (or elsewhere) and not from the tab. So in what location would acquireTokenSilent work? Should we move it to such an authentication popup to get it to work (far less silent though)?

5.8K Views, 0 likes, 6 Comments

Showing an external WebApp in Teams tab - Authentication issue
We have some important company websites - Angular applications that are using ADAL/MSAL or no authentication at all - that our users are using very often. Currently they have the browser open + MS Teams and use both tools. I thought it's nicer to show our app inside an MS Teams tab, to use Teams as a "browser" and to make life easier for our users.

What I did is simply creating a test app that I deployed to our tenant. The app is having the web address to our external web app as a content-uri in a tab: Now our app is appearing in the Teams client on the left side after installation: If I launch this app our page appears a short time and then reloads for a hundred times at once. What I would expect is a redirection to the MS page to log in, to get a token for the user (like it works in Chrome).

I tried out different scenarios:
In the Teams-Browser app:
- Everything works perfectly
In the Teams Desktop app - that everyone is using:
- Using ADAL with redirection method => Like described above
- Using MSAL with interactionType: InteractionType.Popup => Tries to open "about" in the MS store, because there is no app available. The popup blocker cannot be a problem, because I have a button for login (user interaction), so I expect a window opening where I can log in, but I get this: I can never press OK - why is a browser not used?
- Using MSAL with interactionType: InteractionType.Redirect => Blank page
- Using an app without any authentication => Works as expected, the page is shown

I am now confused why this is happening. The Teams iframe does allow popups explicitly if I inspect the iframe with DevTools. Everything we want is to display one external page with MSAL or ADAL authentication enabled.

Another approach I tried: Using a "real" Teams app that uses SSO. Once I have the token I pass it to the iframe with a #token=ey.... However, this approach also does not work and the page is blank. I think I am already too complicated in how I think. There must be an easy solution for this problem. Any proposals are highly appreciated.

3.2K Views, 0 likes, 5 Comments

Teams tab - Silent Azure SSO to Enterprise application
Hello, I'd like to create a Team tab that will allow users to pass the token gained from silent SSO to an enterprise application. Should I be using msal.js? Is this even possible? Is there a sample app available? Thank you

Solved, 1.4K Views, 1 like, 4 Comments

SharePoint Guest Users API Access - Unauthorized
Hello, we've built an Azure AD app that uses MSAL to authenticate against SharePoint. The auth flow works fine, till we try to access SharePoint resources with guest users. We've tried several solutions and configurations but we always get the answer: "Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown." Is there any policy that does not allow guest users to access SharePoint through the SharePoint API? Direct access to SharePoint works without a problem.

Thanks in advance
Michael

3.8K Views, 0 likes, 2 Comments

Silent SSO with MSAL
Hi, the Teams documentation and samples use adal.js for authentication, as in https://docs.microsoft.com/en-us/microsoftteams/platform/tabs/how-to/authentication/auth-silent-aad. Can anyone confirm that the Teams SDK and samples will move to msal.js - and if so, when? The latest thread about MSAL is already half a year old..

3.9K Views, 0 likes, 3 Comments