MSAL - Problem acquiring token with IntegratedWindowsAuth

2
votes

I am using MSAL to acquire token from an auth app in Azure using integrated windows authentication. The code is:

var tenant = $"https://login.microsoftonline.com/<myTenantId>";
var clientId = "<myClientId>";
var scopes =  new string[] { "https://graph.microsoft.com/.default" };

var publicApplication = PublicClientApplicationBuilder.Create(clientId).WithAuthority(tenant).Build();
var token = await publicApplication.AcquireTokenByIntegratedWindowsAuth(scopes).ExecuteAsync();

This throws the following exception:

Integrated Windows Auth is not supported for managed users.
  • I have verified that the user running the application is not a managed user (user was created in local AD and was synced to Azure AD via AD Connect sync).
  • I have enabled SSO in my Azure tenant with pass-through authentication.
  • Admin has consented for the auth application.

I have followed the steps from https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Integrated-Windows-Authentication and as far as I can confirm I have not missed anything.

Is there something that I might have missed in my configuration? Any help in this is highly appreciated.

2
azureazure-active-directoryazure-ad-graph-apimsalazure-authentication
Just making sure, the device running this is AD or AAD joined? - juunas
The error comes from here, seems like it thinks it is a managed environment? github.com/AzureAD/microsoft-authentication-library-for-dotnet/… - juunas
@juunas the device is Hybrid Azure AD joined. - Saalim Aslam

2 Answers

2
votes

From my discussion with Microsoft, IWA is not supported for pass-through authentication (which was the scenario in my case). For IWA to work, we need to have ADFS in our environment.

0
votes

IWA only support Federated users, those created in an Active Directory and backed by Azure Active Directory.

Try to check if your users are recognized as federated instead of managed.

And refer to this code sample.