3
votes

I've set up a demo app for ADAL authentication. Our company requires the Intune app to be installed: https://itunes.apple.com/us/app/intune-company-portal/id719171358?mt=8

After the installation and setup of Intune, I installed the demo with ADAL that I've developed:

  1. added ADAL as Pod Library

  2. added redirect URI inside my Azure Portal (https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps) (one with schema://bundle_id and one with msauth://code/schema%3A%2F%2Fbundle_id)

  3. added to app's info.plist:

    <key>LSApplicationQueriesSchemes</key>
    <array>
        <string>msauth</string>
    </array>

  4. added to app's info.plist:

    <key>CFBundleURLTypes</key>
    <array>
        <dict>
            <key>CFBundleTypeRole</key>
            <string>Editor</string>
            <key>CFBundleURLName</key>
            <string>bundle_id</string>
            <key>CFBundleURLSchemes</key>
            <array>
                <string>schema</string>
            </array>
        </dict>
    </array>

  5. added [_authContext setCredentialsType:AD_CREDENTIALS_AUTO]; to use the Intune App Portal for broker auth.

  6. create the authentication with:

    ADAuthenticationError *error = nil;
    _authContext = [ADAuthenticationContext authenticationContextWithAuthority:@"https://login.microsoftonline.com/common"
                                                                         error:&error];
    if (error) {
        NSLog(@"Failed to create authentication context: %@", error);
        return;
    }
    [_authContext setCredentialsType:AD_CREDENTIALS_AUTO]; // let the broker app handle the request when present

    [_authContext acquireTokenWithResource:@"https://graph.microsoft.com"
                                  clientId:@"my_client_id"                            // Comes from App Portal
                               redirectUri:[NSURL URLWithString:@"schema://bundle_id"] // Comes from App Portal
                           completionBlock:^(ADAuthenticationResult *result)
    {
        if (result.status != AD_SUCCEEDED) {
            NSLog(@"Token acquisition failed: %@", result.error);
            return;
        }
        // Demo only: never log bearer tokens in a production build.
        // Use %@ rather than passing the token as the format string itself.
        NSLog(@"%@", result.accessToken);
    }];


The application correctly prompts the user for Microsoft authentication, and the user is redirected to the Microsoft authentication on the company page, but after the authentication this is the result:

[screenshot of the result, not reproduced here]

1
Is your device managed? I.e. does it show under "Devices" in the Comp Portal app? - Paulw11
Yes, it's shown - Alessio Crestani
And the device shows as "in compliance"? What happens if you tap "enroll now"? Do you get an error that the device is already enrolled? This is a conditional access failure. You should get your AD admins to see what conditional access policies have been applied to the graph endpoint and your application id - Paulw11
@Paulw11 If I press the button, an HTML page with the button that opens the App Store on Intune will appear - Alessio Crestani
@Paulw11 the same AD application is used on Android without problems - Alessio Crestani

1 Answer

3
votes

For Azure AD to determine that a device is managed in order to satisfy conditional access requirements, you must use Brokered Authentication. This is enabled by specifying AD_CREDENTIALS_AUTO (which you have done), adding msauth to LSApplicationQueriesSchemes (which you have done) and configuring the appropriate callback URI scheme for your app (which you have also done).

The broker that will be used is the Microsoft Authenticator app. If you don't have this installed (which the ADALiOS framework determines by checking whether there is an app that responds to the msauth URL scheme), then the ADAL library will default to showing the login form in a web view in your app.

Since your app cannot determine whether the device is managed, you get the "authentication successful but your device isn't enrolled" result.

Once you install the Microsoft Authenticator app, you will see that it is opened in response to the authentication request. This app can determine the enrolment status of your device and you should then be returned to your app with a successful token.

The requirement to install the authenticator app could be called out more explicitly in the library documentation, but it is mentioned:

Brokered Authentication

If your app requires conditional access or certificate authentication (currently in preview) support, you must set up your AuthenticationContext and redirectURI to be able to talk to the Azure Authenticator app.
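As an added check that is not part of the question, the answer, or the ADAL library: a Python script that validates the three prerequisites the answer lists (msauth in LSApplicationQueriesSchemes, a CFBundleURLSchemes entry, and both redirect URI forms registered in Azure) against an Info.plist. The plist bytes, the bundle_id and the set of registered redirect URIs are constructed to mirror the question's setup; the registered set is assumed to be copied by hand from the portal.

```python
import plistlib
from urllib.parse import quote

# Constructed Info.plist fragment mirroring the question's configuration (not a real app's file).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>LSApplicationQueriesSchemes</key><array><string>msauth</string></array>
  <key>CFBundleURLTypes</key><array><dict>
    <key>CFBundleTypeRole</key><string>Editor</string>
    <key>CFBundleURLName</key><string>bundle_id</string>
    <key>CFBundleURLSchemes</key><array><string>schema</string></array>
  </dict></array>
</dict></plist>"""

BROKER_SCHEME = "msauth"  # URL scheme the ADAL broker (Authenticator) responds to


def plain_redirect(scheme: str, bundle_id: str) -> str:
    """The app's own redirect URI, scheme://bundle_id, as registered in Azure."""
    return f"{scheme}://{bundle_id}"


def broker_redirect(scheme: str, bundle_id: str) -> str:
    """Broker form of the same redirect: msauth://code/<URL-encoded scheme://bundle_id>."""
    return f"{BROKER_SCHEME}://code/" + quote(plain_redirect(scheme, bundle_id), safe="")


def check_broker_config(plist_bytes: bytes, bundle_id: str, registered: set) -> list:
    """Return the problems found; an empty list means every brokered-auth prerequisite is met.
    `registered` is the set of redirect URIs configured for the app in the Azure portal."""
    info = plistlib.loads(plist_bytes)
    problems = []
    # 1. Without this entry canOpenURL(msauth://...) always returns NO, so ADAL silently
    #    falls back to the in-app web view and the device can never prove it is managed.
    if BROKER_SCHEME not in info.get("LSApplicationQueriesSchemes", []):
        problems.append("LSApplicationQueriesSchemes does not list 'msauth'; broker will not be used")
    # 2. The app must own a URL scheme so the broker can hand the token back to it.
    schemes = [s for t in info.get("CFBundleURLTypes", []) for s in t.get("CFBundleURLSchemes", [])]
    if not schemes:
        problems.append("CFBundleURLTypes registers no CFBundleURLSchemes; broker cannot return to app")
    # 3. Both redirect forms for each scheme must be registered on the Azure app; otherwise the
    #    broker's reply is rejected with a redirect-URI mismatch.
    for scheme in schemes:
        for uri in (plain_redirect(scheme, bundle_id), broker_redirect(scheme, bundle_id)):
            if uri not in registered:
                problems.append(f"redirect URI {uri} is not registered for the Azure app")
    return problems
```

Run it against the built app's Info.plist before testing on a managed device; it only tells you the app side is wired up, not whether the Authenticator app is installed or which conditional access policy applies.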