Is it possible to have my 3rd party iOS app use a shared token from the Intune Company Portal app to bypass authentication? I'm able to do this between two 3rd party apps by logging into one of them, and having the other one fetch token silently from iOS keychain. I'm using the MSAL framework for authenticating with Azure AD.
The apps are living on an MDM managed (Intune) iOS device running iOS 12.
I opened up an issue on the MSAL GitHub asking about this. It turns out it's only possible to have keychain sharing between your own apps. This is a restriction set by Apple:
Xcode automatically prefixes keychain groups with your team ID. This
ensures that your groups are specific to your development team.
Taken from the official docs.
Have you looked into MS Authenticator app to be used as cross-app SSO broker? As of my understanding Company Portal app acts as broker only for Android. Also Authenticator seems to support only ADAL and not MSAL so far.
Howto enable SSO for iOS
Related
We have AAD conditional access policy which applies to specific apps, to all users in the directory and all type of client app in condition.
We can see it working as expected however for external users MFA comes only in case of when they access web application and MFA policy does not apply If they access the mobile application.
We have one app which is configured as web and mobile and desktop app, using both platforms in the same under app registration.
I have checked all possibilities but no luck, can you suggest?
The Microsoft Graph beta API (here) allows us to POST new applications to Azure AD (v2.0).
If I post these applications to a specific tenant, using a url like this:
https://graph.microsoft.com/beta/{tenantId}/applications
and also authenticated without a user, where can I view these applications? They certainly aren't on my apps.dev.microsoft.com page (I checked), and they also aren't in the list of registered applications in the tenant on portal.azure.com
PS: I know my applications are being created because I can call GET against that url and it will return the applications in that tenant, including the ones I created through the API. Also don't question why I was doing this, I was poking around figuring some stuff out about the API.
More Details: The app that is posting these applications to the beta API is registered as an Azure AD v1.0 app in the same tenant these applications are being posted to. The POSTs use the app's authentication token.
I know that apps created in portal.azure are v1 apps, and apps created on apps.dev.microsoft are v2 apps. I am making my apps through the Microsoft Graph beta API, which makes v2 apps.
Also, for those that don't click the link to see what authentication without a user means, I am getting the bearer token for the POST request using the app's credentials, not a user's credentials.
If I post these applications to a specific tenant (which is an Azure
AD v1.0 tenant), using a url like this
Here there is no version definition for the tenant. V1.0 and V2.0 are the endpoints, not means tenant. You could know about their difference from Azure AD v2.0 endpointand v1 and v2 comparison.
If you register the app in the Azure portal, the app is v1 app; if you register the app by using App Registration Portal, the app is v2 app.
and also authenticated without a user, where can I view these
applications? They certainly aren't on my apps.dev.microsoft.com page,
and they also aren't in the list of registered applications in the
tenant on portal.azure.com
If you create the app in the App Registration Portal, the app could be seen in the apps.dev.microsoft.com page(App Registration Portal), but cannot be seen in the Azure portal.
If you create the app is v1 app, the app can be seen both in Azure portal and App Registration Portal.
I have developed few iOS/Android app using Azure Ad SDK 'ADAL'.
The app works properly for SSO feature and other login mechanisms. However now I want to add 'new contact' using Azure ad access token. But I came to know that Azure ad graph is no longer supported hence latest Microsoft Graph is suggested sdk for the same.
My issue is: The most important feature according to me is the Single Sign-On feature with respect to mobile apps SDK Azure ad SDK offers API for most convenient login user experience. Thus you are free to pick account from Authenticator app (if present) or any other app in the device which is already logged in.
But Microsoft Graph SDK does not support Authenticator app available on the mobile phone. And prompts user a Login screen though he has already logged in to other app having outlook/Microsoft login
Please help me with some more information on this use case so that I can migrate to Microsoft graph from Azure Ad app.
I have a huge tradeoff as follow
1. Azure ad supports SSO but does not support Latest Graph features like: Adding new contact in 'My Contacts'
2. Microsoft Graph being Latest library/SDK has all features EXCEPT SSO.
Please provide me answers for these question of any suggestion if I am missing anything.
The Graph SDKs do not contain any helpers for authentication/authorization. For that you need to use either ADAL or MSAL to acquire tokens to use with Microsoft Graph (to instantiate a GraphClient object). Please take a look at some of our Microsoft Graph samples. [NOTE the Azure AD Graph SDK also relied on ADAL or other mechanisms to acquire tokens and does not do this for you]. Here are the iOS samples: https://github.com/search?q=ios+sample+user:microsoftgraph&type=Repositories
Also Azure AD Graph does not support personal contacts - this is ONLY supported by Microsoft Graph.
If you want to see an integrated client library, where token acquisition is implicitly taken care of as part of GraphClient instantiation then please post a request on UserVoice for this feature.
Hope this helps,
We are migrating out applications from OpenID using UserService to OAuth2 / OpenID Connect to move our apps to the new Google Apps Marketplace.
We are using UserService.isAdmin() to check if a user is registered as admin for the GAE application.
How can we keep this functionality when moving to OAuth2 for login?
I don't think you can explicitly check who the admin is any other way.
It is rare that you would need to know the App Engine admin in a publicly-listed app. If the app is a general solution app, than aren't you the admin? Most developers care about the Domain Admin, which can be determined with the Admin SDK. If these is just for your own use, set the visibility options to your domain in the Chrome Webstore Developer Dashboard.
I have successfully followed the examples to gain an AuthSub token to authorize my GAE application to have access to the user's Google Calendar.
I have added the domain parameter to the method gdata.auth.generate_auth_sub_url so that the application is authenticated against a Google Apps Domain user. The app is then installed in one of our test domains.
This is working fine, however, each user in the domain has to go through the process of authorizing the app to use the calendar. In other Marketplace Apps that I have tried, this authorization is done once for the whole domain when the app is installed.
How is this achieved?
This page describes how Marketplace apps can access the gdata APIs on a user's behalf.