
MFA prompt appears during MSAL interactive token flow even though MFA is disabled #429

Open · viwod opened this issue May 3, 2024 · 1 comment

viwod commented May 3, 2024

Describe the bug:
The MFA prompt to install the Authenticator app appears even though the user's MFA requirement has been disabled. This occurs during the MSAL interactive token acquisition flow. We have checked to ensure that MFA for this user has been disabled via three methods:

  1. Navigating to per-user MFA settings, the user has multi-factor authentication set to disabled
  2. Within Entra ID -> Overview -> Properties -> Security defaults are disabled for this user as they are targeted by a conditional access policy
  3. Within the access controls for the conditional access policy targeting this user, the only control enforced is the requirement of an app protection policy. The user is already targeted by a valid app protection policy for the app.

To Reproduce
Steps to reproduce the behavior:

  1. loginAndEnrollAccount() for user
  2. Intune SDK displays prompt to restart app to apply app protection policies
  3. App restarts
  4. Attempt to acquire MSAL token silently
  5. Receive interaction required error, initiate interactive token acquisition via acquireTokenInteractively()
  6. Enter account credentials on Microsoft page that appears
  7. MFA prompt (in attached image) appears (error code 50127).

Expected behavior:
Allow interactive token acquisition to proceed without requiring Authenticator app interaction.

Screenshots and logs:
[Screenshot attached: Screenshot 2024-05-02 at 5 18 28 PM]

Smartphone (please complete the following information):

  • Device: iPhone 13
  • OS: iOS 17.4.1

Intune App SDK for iOS (please complete the following information):

  • What version of the Intune SDK are you using? Are you using the latest version? -> Yes, version 19.3.1

  • What platform is your app based in (native, Xamarin based, Cordova, etc)? -> native

  • For errors during build, does the app build without Intune SDK integration? -> N/A

  • For errors post build, does the app launch without being Intune SDK integrated? -> N/A

  • Who is the customer? -> N/A

  • Do you see a trend with it only being reproduced on a specific device? -> Easily reproducible with test account

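For readers following the repro steps 4 to 7 above, here is the silent-then-interactive MSAL pattern those steps describe, written in Swift against the MSAL for iOS API. This is an added illustration, not the reporter's code and not a fix for the behaviour reported: it only shows where the silent call, the interaction-required check, the interactive fallback and the STS error codes (such as the 50127 in step 7) appear in client code. The client ID, redirect URI and scopes are placeholders.

```swift
import UIKit
import MSAL

// Placeholder registration values (not from the issue; substitute your own).
let clientId = "00000000-0000-0000-0000-000000000000"
let redirectUri = "msauth.com.example.app://auth"
let scopes = ["User.Read"]

enum TokenFlowError: Error {
    case missingResult
}

/// Builds the MSAL public client; throws if the authority or redirect URI is malformed.
func makeClient() throws -> MSALPublicClientApplication {
    let authority = try MSALAADAuthority(url: URL(string: "https://login.microsoftonline.com/common")!)
    let config = MSALPublicClientApplicationConfig(clientId: clientId,
                                                   redirectUri: redirectUri,
                                                   authority: authority)
    return try MSALPublicClientApplication(configuration: config)
}

/// Repro steps 6-7: interactive acquisition that presents the Microsoft sign-in page.
func acquireInteractively(_ app: MSALPublicClientApplication,
                          from viewController: UIViewController,
                          completion: @escaping (Result<MSALResult, Error>) -> Void) {
    let webParams = MSALWebviewParameters(authPresentationViewController: viewController)
    let params = MSALInteractiveTokenParameters(scopes: scopes, webviewParameters: webParams)
    params.promptType = .selectAccount
    app.acquireToken(with: params) { result, error in
        if let result = result {
            completion(.success(result))
        } else {
            completion(.failure(error ?? TokenFlowError.missingResult))
        }
    }
}

/// Repro steps 4-5: try the token cache first and go interactive only when MSAL
/// reports that user interaction is required. Other failures (network, config)
/// are surfaced to the caller instead of triggering a sign-in prompt.
func acquireToken(from viewController: UIViewController,
                  completion: @escaping (Result<MSALResult, Error>) -> Void) {
    let app: MSALPublicClientApplication
    do {
        app = try makeClient()
    } catch {
        completion(.failure(error))
        return
    }

    guard let account = (try? app.allAccounts())?.first else {
        // No cached account for this app: interactive is the only option.
        acquireInteractively(app, from: viewController, completion: completion)
        return
    }

    let silentParams = MSALSilentTokenParameters(scopes: scopes, account: account)
    app.acquireTokenSilent(with: silentParams) { result, error in
        if let result = result {
            completion(.success(result))
            return
        }
        let nsError = (error ?? TokenFlowError.missingResult) as NSError
        let interactionRequired = nsError.domain == MSALErrorDomain
            && nsError.code == MSALError.interactionRequired.rawValue
        guard interactionRequired else {
            completion(.failure(nsError))
            return
        }
        acquireInteractively(app, from: viewController) { outcome in
            if case .failure(let err) = outcome {
                // The AADSTS codes returned by the service are carried separately from
                // the MSAL error code; this is where a value like 50127 would be read.
                let stsCodes = (err as NSError).userInfo[MSALSTSErrorCodesKey]
                print("interactive acquisition failed: \(err); STS codes: \(String(describing: stsCodes))")
            }
            completion(outcome)
        }
    }
}
```

The distinction between `MSALError.interactionRequired` and every other silent-call failure matters for diagnosis: only the former should lead to the interactive page in step 6, so logging the STS codes on the interactive failure path is what ties the client-side observation to the service response a support engineer will ask for.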

@pmod2 pmod2 self-assigned this May 3, 2024

pmod2 commented May 3, 2024

Thanks for reaching out.
Kindly contact me directly at my email address priyankamodi@microsoft.com to provide additional details that might include Personally Identifiable Information (PII), which may not be suitable for public disclosure.

  1. Intune Logs
  2. Intune Diagnostic Logs
  3. Application ID
  4. Fiddler trace of repro
  5. Video recording of the repro.
  6. User ID:
  7. Intune Device ID:
