Reputation: 209
Authentication from mobile devices with OpenID Connect / Azure AD not working with Microsoft Graph API
I have a website that uses OpenID Connect authentication/ADAL to authenticate users with an Azure AD. The application also uses the Microsoft Graph API to retreive user data from the AD.
Authentication has been working well from all kinds of devices ever since it was implemented a couple of months ago.
But a few weeks ago (on august 23rd, to be exact), authentication from mobile devices stopped working all of a sudden, although no changes was made in the code or (to my knowledge) in the company infrastucture.
In the AuthorizationCodeReceived event handler of my ConfigureAuth method, i aquire an authentication result in this manner:
var authenticationContext = new AuthenticationContext(settings.Authority);
var authenticationResult = authenticationContext.AcquireTokenByAuthorizationCode(context.Code, new Uri(settings.RedirectUri), new ClientCredential(settings.ClientId, settings.ClientSecret), resource);
where resource is the Microsoft Graph API URL.
However, ever since august 23rd, the AcquireTokenByAuthorizationCode throws an AdalServiceException with the message:
AADSTS50097: Device authentication is required.
If I omit the resource parameter in my AcquireTokenByAuthorizationCode call or change it to "https://graph.windows.net", for example, authentication from mobile devices works like a charm. But then I obviously cannot access the MS Graph API.
Is there a way to solve this so that i can access the MS Graph API and have users log on with mobile devices?
Upvotes: 0
Views: 1483
Answers (1)
Reputation: 123
Sriram's answer is correct.
The company administrator has enabled conditional access policy for Exchange Online, which at present applies to Microsoft Graph as well. We are aware that this affects applications that use Microsoft Graph for artifacts other than mail/calendar, and are working on decoupling them. The change should roll out in the next few months. Please check with your company administrator if the policy can be relaxed. If not feasible, contact our support channel to request exclusion of Microsoft Graph from policy enforcement
Upvotes: 2
Related Questions
- MS Graph api user authentication failing
- Azure AD authentication not working as expected for mobile devices
- Azure AD only generates invalid Access Token to use with Microsoft Graph
- Microsoft graph and Azure Ad user authentication
- Azure AD V1 endpoint registered native app: Graph API consent given but user can't get through
- Microsoft Graph OAuth issues
- Azure AD authentication to call Office 365 and Graph API REST
- Using Microsoft Graph APIs with Azure AD 1.0 Authentication
- Non-interactive login (cached credentials) against Azure Graph API on iOS
- Azure AD Graph API - Getting token on iOS/Android