I'm writing a desktop application with C++/WinRT which needs to silently authenticate with Azure AD on a joined machine, using the Web Account Manager API.
Following the recent Microsoft documentation here, I can see that the redirect-uri set in the /oauth2/token request when using this API is something like ms-appx-web://Microsoft.AAD.BrokerPlugin/{id}.
When I try to set this redirect URI in the App Registrations page of my Azure AD application, I get an error saying that only HTTPS schemes are allowed. The (also recent) Azure AD documentation here states that (emphasis mine):
The new App registrations experience doesn't allow developers to add URIs with HTTP scheme on the UI. Adding HTTP URIs for apps that sign in work or school accounts is supported only through the app manifest editor. Going forward, new apps won't be able to use HTTP schemes in the redirect URI. However, older apps that contain HTTP schemes in redirect URIs will continue to work. Developers must use HTTPS schemes in the redirect URIs.
Does this mean that new apps won't be able to use non-HTTPS schemes in the redirect URI even when using the app manifest editor? Is this the correct way of setting up a native application for authentication with Azure AD?
It does seem like I don't really require a redirect-uri since this is a native application; I only need the token! It seems like there is the MSAL library for doing "Integrated Windows Authentication" (as documented here), but the API seems to be .NET only, which unfortunately is not an option.
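For reference, this is the shape of the redirect-URI entry that the app manifest editor works with, added here as an illustration and not taken from the question or from Microsoft's documentation. It assumes the manifest's `replyUrlsWithType` array with `url` and `type` fields, and that a native/public client is registered with type `InstalledClient`; `{id}` is left as the placeholder the question uses. Whether the portal still accepts a non-HTTPS scheme here for a newly registered app is exactly the open question above, so treat this as the thing to try in the manifest editor rather than a confirmed working configuration.

```json
{
  "replyUrlsWithType": [
    {
      "url": "ms-appx-web://Microsoft.AAD.BrokerPlugin/{id}",
      "type": "InstalledClient"
    }
  ]
}
```

The `type` value matters: the HTTPS-only rule quoted above is enforced on the web-style redirect entries, and a broker redirect for a native app belongs in the public-client (`InstalledClient`) category, so if the editor rejects the URI it is worth checking that it was not saved with type `Web`.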