
Unable to signin with Conditional Access flow #224

Open
bgore opened this issue Apr 3, 2024 · 7 comments
Assignees
Labels
Under Investigation The issue is currently being investigated by the product team.

Comments

bgore commented Apr 3, 2024

Intune Android App SDK Policy Enforcement Issue

Summary

I have a similar problem to Issue #87, but not only do I not get the MsalIntuneAppProtectionPolicyRequiredException, I do not complete enrollment or receive an access token.

The test org is internal, so I have access, but am unsure how to check everything for compliance. In theory, the site has been set up according to:

  • Intune app protection policies have been applied to the app: https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policies
  • The CA policy was created: https://learn.microsoft.com/en-us/mem/intune/protect/app-based-conditional-access-intune-create

The auth_config.json file has:

```json
{
  "client_capabilities": "protapp",
  "client_id": private,
  "authorization_user_agent": "DEFAULT",
  "account_mode": "SINGLE",
  "redirect_uri": private,
  "broker_redirect_uri_registered": true,
  "authorities": [
    {
      "type": "AAD",
      "audience": {
        "type": "AzureADMultipleOrgs",
        "tenant_id": "organizations"
      }
    }
  ]
}
```

and AcquireSilentTokenParameters.Builder() includes .forceRefresh(false)

Repro Steps

  1. Android emulator with client application and MS Company Portal installed
  2. Client app is launched
  3. Intune/Client email is gathered and enrollment started via:

```kotlin
msalClientApplication?.let {
    val scopes = listOf("User.Read")
    val singleClientApplication = msalClientApplication as ISingleAccountPublicClientApplication
    val params = SignInParameters.builder()
        .withScopes(scopes)
        .withCallback(AuthCallback())
        .withLoginHint(email)
        .withActivity(fromActivity)
        .build()
    singleClientApplication.signIn(params)
}
```

  4. The user password is entered in a WebView

Expectation:

Expected AuthenticationCallback.onError() to be called with a MsalIntuneAppProtectionPolicyRequiredException

Observation:

Instead, receive a 'You can't get there from here' WebView. Clicking OK causes AuthenticationCallback.onCancel() to be called.

Screenshot from 2024-03-26 13-02-58

Details

  • Intune Android App SDK Version: 10.0.0
  • Android Device Make and Model: Android Studio emulator
  • Android Device OS Version: x86, Android 11, API 30
  • Android Studio Version: Android Studio Giraffe | 2022.3.1 Patch 4

Logs

Company Portal Logs

Incident ID:

5FJKX6T9
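The maintainer's reply below asks whether the exception is handled as the Intune docs and sample describe. For reference, here is an added example of that handler; it is not code from this issue, from MSAL, or from the Intune App SDK. It assumes MSAL for Android (com.microsoft.identity.client) and the Intune App SDK (com.microsoft.intune.mam) on the classpath, that the exception exposes accountUpn / accountUserId / tenantId / authorityUrl getters, and that MAMEnrollmentManager.registerAccountForMAM and the MAM_ENROLLMENT_RESULT notification behave as the public Intune SDK docs state; verify those names against the SDK versions in use.

```kotlin
// Added example (not from the issue, MSAL, or the Intune SDK): an AuthenticationCallback
// that treats MsalIntuneAppProtectionPolicyRequiredException as "enroll, then retry",
// which is the flow a CA policy with an app protection requirement expects.
import android.util.Log
import com.microsoft.identity.client.AuthenticationCallback
import com.microsoft.identity.client.IAuthenticationResult
import com.microsoft.identity.client.exception.MsalException
import com.microsoft.identity.client.exception.MsalIntuneAppProtectionPolicyRequiredException
import com.microsoft.intune.mam.client.app.MAMComponents
import com.microsoft.intune.mam.client.notification.MAMNotificationReceiver
import com.microsoft.intune.mam.client.notification.MAMNotificationReceiverRegistry
import com.microsoft.intune.mam.policy.MAMEnrollmentManager
import com.microsoft.intune.mam.policy.notification.MAMEnrollmentNotification
import com.microsoft.intune.mam.policy.notification.MAMNotification
import com.microsoft.intune.mam.policy.notification.MAMNotificationType

private const val TAG = "[Intune]"

/**
 * [onSignedIn] receives the token result; [retrySignIn] is the app's own hook (assumed
 * here) that re-runs signIn/acquireToken once MAM enrollment for [upn] has succeeded.
 */
class AuthCallback(
    private val onSignedIn: (IAuthenticationResult) -> Unit,
    private val retrySignIn: (upn: String) -> Unit
) : AuthenticationCallback {

    override fun onSuccess(result: IAuthenticationResult) {
        // Token issued: either no app protection requirement applies or it is already satisfied.
        onSignedIn(result)
    }

    override fun onError(exception: MsalException) {
        if (exception !is MsalIntuneAppProtectionPolicyRequiredException) {
            Log.e(TAG, "sign-in failed: ${exception.errorCode}", exception)
            return
        }
        // The CA policy requires Intune app protection before a token is released.
        // Register the account with MAM using the identifiers carried by the exception;
        // the Company Portal broker performs the actual enrollment.
        val mgr = MAMComponents.get(MAMEnrollmentManager::class.java)
        if (mgr == null) {
            Log.e(TAG, "MAMEnrollmentManager unavailable: is the Intune SDK initialised?")
            return
        }
        val upn = exception.accountUpn
        registerEnrollmentResultReceiver(upn)
        mgr.registerAccountForMAM(
            upn,
            exception.accountUserId,
            exception.tenantId,
            exception.authorityUrl
        )
        Log.i(TAG, "MAM registration requested for $upn; waiting for enrollment result")
    }

    override fun onCancel() {
        // Reached in the reported bug when the user dismisses the blocking WebView.
        Log.w(TAG, "sign-in cancelled before enrollment or token acquisition completed")
    }

    // Enrollment completes asynchronously; only retry acquisition after a success result.
    private fun registerEnrollmentResultReceiver(upn: String) {
        val registry = MAMComponents.get(MAMNotificationReceiverRegistry::class.java) ?: return
        val receiver = MAMNotificationReceiver { notification: MAMNotification ->
            val enrollment = notification as? MAMEnrollmentNotification
            if (enrollment != null && enrollment.userIdentity == upn) {
                when (enrollment.enrollmentResult) {
                    MAMEnrollmentManager.Result.ENROLLMENT_SUCCEEDED,
                    MAMEnrollmentManager.Result.UNENROLLMENT_SUCCEEDED -> retrySignIn(upn)
                    else -> Log.e(TAG, "MAM enrollment for $upn: ${enrollment.enrollmentResult}")
                }
            }
            true // notification handled
        }
        registry.registerReceiver(receiver, MAMNotificationType.MAM_ENROLLMENT_RESULT)
    }
}
```

The point of the example is the ordering: onError is where the policy-required signal arrives, MAM registration is what satisfies the policy, and the token request is only retried after the enrollment result notification reports success. If onError is never invoked, as this issue reports, none of this code runs, which is why the maintainer's question about brokered authentication (the broker is what surfaces the exception) is the right next check.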

@jdevag jdevag self-assigned this Apr 9, 2024
@mukeshk-ms mukeshk-ms assigned mukeshk-ms and unassigned jdevag Apr 9, 2024
mukeshk-ms commented

@bgore Based on the logs, it seems you should be getting the exception MsalIntuneAppProtectionPolicyRequiredException. Can you please check if you have handled it as per the doc and the sample here

@mukeshk-ms mukeshk-ms added the Under Investigation The issue is currently being investigated by the product team. label Apr 9, 2024
bgore (author) commented Apr 10, 2024

Yes, I have read that documentation and implemented the check for MsalIntuneAppProtectionPolicyRequiredException in the onError(MsalException) callback. But as noted, onError() is not called; the application blocks on the screen above. Clicking OK causes onCancel() to be called.

bgore (author) commented Apr 16, 2024

Any update? What else can be tried...looked at?

mukeshk-ms commented

@bgore can you please confirm if you followed the MSAL prerequisite guide and added Brokered Authentication, as this will be needed for the Conditional Access policy to work. There are some additional links in the same doc to verify if brokered authentication is working as expected.

bgore (author) commented Apr 17, 2024

We are using Brokered Authentication. Our application requires the MS Company Portal to be present when signing in. We have verified that the correct base64 URL encoded signature hash and redirect URI: were created; are in the application's JSON configuration correctly; and have been registered with the application in Azure (per the link above).

For verification, we are using the code sample from above, which attempts to sign in the user from an ISingleAccountPublicClientApplication. While enrollment and sign-in fail, as documented above, when I go to Settings -> Accounts, I do see a new account for:

    <user's email>
    Work account

so I assume that verifies proper broker configuration.

For what it's worth, I actually see 2 accounts created. The other one says:

    Work account
    Work account

I don't know if there was some redundant call or if this is a byproduct of the sign-in failure?

If there is a better/different request to make to verify the broker, let me know; otherwise, what's next?

bgore (author) commented Apr 17, 2024

If it is any help, I've included logcat output from the device, filtered by "[Intune]" and "companyportal". The former are emitted from our application; the latter from MS CP as it attempts to sign in the user.

Attachment: logcat.txt

bgore (author) commented May 1, 2024

I guess I'll open an Intune support case, maybe I can get help there.
