MAM Enrollment Failure With Broker Integration (Microsoft Authenticator)
Closed this issue · 10 comments
Describe the bug:
MAM use case, for multi-tenant authority, integration with broker (Microsoft Authenticator) breaks with MSAL Error -50000
To Reproduce
Steps to reproduce the behavior:
- Make sure Microsoft Authenticator app is installed on the device.
- Open Test App
- call IntuneMAMEnrollmentManager.instance().loginAndEnrollAccount(nil)
- Redirected to Microsoft Authenticator for authentication
- Authenticate to some chosen user (or register a new user)
- Get redirected back to the Test App, see MSAL -50000 error native popup alert
Expected behavior:
Since the user has authenticated correctly via Microsoft Authenticator, Intune MAM enrollment should be successful and not fail
Screenshots and logs:
- Logs:
TID=132246 MSAL 1.4.0 iOS 17.3 [2024-07-16 08:50:59 - E9D870FE-7A96-4EE8-99E9-AC909CE0CB89] [MSAL] No cached preferred_network for authority
TID=131233 MSAL 1.4.0 iOS 17.3 [2024-07-16 08:51:12] Invalid authority, error Error Domain=MSIDErrorDomain Code=-51100 "(null)" UserInfo={MSIDErrorDescriptionKey='authority' is a required parameter and must not be nil or empty.}
Smartphone (please complete the following information):
- Device: Multiple
- OS: Multiple
Intune App SDK for iOS (please complete the following information):
- What version of the Intune SDK are you using? Are you using the latest version? - latest (19.5.0)
- What platform is your app based in (native, Xamarin based, Cordova, etc)? - Native (swift)
- For errors post build, does the app launch without being Intune SDK integrated? - Yes
- Do you see a trend with it only being reproduced on a specific device? - reproduced on many devices and OSs
Additional context:
Can provide verbose logs in private if necessary
Hi, did you configure the authority parameter? Did you follow the procedure below to set up an app registration and set the ADALClientId, ADALAuthority, ADALRedirectUri properties on the IntuneMAMSettings class?
https://learn.microsoft.com/en-us/mem/intune/developer/app-sdk-ios-phase2
You can find more MSAL and app registration setup details from here:
https://learn.microsoft.com/en-us/entra/identity-platform/tutorial-v2-ios
Authority format:
https://learn.microsoft.com/en-us/entra/identity-platform/msal-client-application-configuration#authority
Hi, thx for the quick response.
I do have an app registration for a multi-tenant application.
I have the following setup in my Info.plist file under IntuneMAMSettings:
- Under ADALClientId I set the multi-tenant application id
- Under ADALRedirectUri I set the redirect uri that I have configured in my app registration.
- I did not configure ADALAuthority since it says in Microsoft documentation that for multi-tenant, I should leave it empty, and the SDK will default to the common authority
Note that I also added the following keychain sharing app groups: com.microsoft.adalcache and com.microsoft.intune.mam
If you want I can share more descriptive logs privately. Please let me know for any additional information you need in order to troubleshoot this issue
Would you send the MAM logs and info.plist to wangxiao@microsoft.com
https://learn.microsoft.com/en-us/mem/intune/developer/app-sdk-ios-appendix#how-can-i-troubleshoot-my-app
answered via email
@wangxiaoms any news? did you get my email?
Hi, can you check if you have added the MSALPublicClientApplication.handleMSALResponse() in AppDelegate as described here:
https://learn.microsoft.com/en-us/entra/msal/objc/single-sign-on-macos-ios#sso-through-authentication-broker-on-ios
The MAM logs appear to be incomplete, I did not see any "Invalid authority" or "Code=-51100" in the file you provided. Can you provide full logs? First reproduce the issue, then follow the procedure below to get full MAM logs, do not only copy out paragraphs.
https://learn.microsoft.com/en-us/mem/intune/developer/app-sdk-ios-appendix#how-can-i-troubleshoot-my-app
In IntuneMAMSettings you can remove ADALLogOverrideDisabled.
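The redirect plumbing asked about above, as an added example that is not code from the issue thread, the Intune SDK or MSAL. It assumes a native Swift app that uses a SceneDelegate, a hypothetical bundle id com.example.mamtest, and the Info.plist entries listed in the comments; the cold-start path is included because a scene-based app receives the broker's launch URL in connectionOptions rather than in openURLContexts.

```swift
// Added example, not from the thread or the SDK. Assumed Info.plist entries:
//   CFBundleURLTypes -> CFBundleURLSchemes: msauth.com.example.mamtest  (hypothetical bundle id)
//   LSApplicationQueriesSchemes: msauthv2, msauthv3
//   IntuneMAMSettings: ADALClientId, ADALRedirectUri (ADALAuthority omitted for multi-tenant)
import UIKit
import MSAL

class AppDelegate: UIResponder, UIApplicationDelegate {
    // Only reached when the app has NO scene delegate; with scenes UIKit skips it.
    func application(_ app: UIApplication, open url: URL,
                     options: [UIApplication.OpenURLOptionsKey: Any] = [:]) -> Bool {
        let source = options[.sourceApplication] as? String
        return MSALPublicClientApplication.handleMSALResponse(url, sourceApplication: source)
    }
}

class SceneDelegate: UIResponder, UIWindowSceneDelegate {
    var window: UIWindow?

    // Broker redirect while the app is already running (warm start).
    func scene(_ scene: UIScene, openURLContexts URLContexts: Set<UIOpenURLContext>) {
        URLContexts.forEach { handleRedirect($0) }
    }

    // Broker redirect that launches the app (cold start): the URL arrives in
    // connectionOptions, not in openURLContexts, so it must be handled here too.
    func scene(_ scene: UIScene, willConnectTo session: UISceneSession,
               options connectionOptions: UIScene.ConnectionOptions) {
        connectionOptions.urlContexts.forEach { handleRedirect($0) }
    }

    private func handleRedirect(_ context: UIOpenURLContext) {
        let handled = MSALPublicClientApplication.handleMSALResponse(
            context.url, sourceApplication: context.options.sourceApplication)
        // A redirect MSAL refuses to handle is worth logging when enrollment fails
        // after the broker returns; a common cause is a scheme that does not match
        // msauth.<bundle id> in CFBundleURLSchemes.
        if !handled {
            NSLog("MSAL did not handle redirect URL with scheme: \(context.url.scheme ?? "nil")")
        }
    }
}
```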
@wangxiaoms Regarding the MSALPublicClientApplication.handleMSALResponse() - yes, I do have it in my code (both in my app delegate and in my scene delegate, but neither of them gets called after the broker redirects me back to my app)
Regarding sharing the full logs from the diagnostics console - shared it via email. Please let me know if you need anything else from me and thank you for your help.
I checked the logs but it isn't clear what the root cause of the "Invalid authority" error is. I will need you to provide a minimal sample app that can reproduce the issue; I can then try to test and reproduce. Also make sure to upgrade Authenticator to the latest version and make sure it works with other apps without problems.
Found the issue, it was my own codebase that created the problem. closing the issue now.