question

PiyumiPerera-0571 asked PiyumiPerera-0571 commented

How to implement an AAD PRT (primary refresh token) into the app

I am developing an Outlook add-in and I need to use a PRT to obtain an access token to call Graph APIs. I got this requirement because I get the following authentication error when trying to get an access token:

ErrorCode: invalid_grant

Microsoft.Identity.Client.MsalUiRequiredException: AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000003-0000-0000-c000-000000000000'.

I got to know that the token we are currently using does not contain the Device Id claim, and that is the reason for the above error. So to have the device id claim, we must have a PRT.

I have a React front end and a .NET Core web API as the back end service.

I need to know whether it is possible to use a PRT in this architecture. I went through the documentation, and according to it, everything is about Windows applications.
https://docs.microsoft.com/en-us/windows/uwp/security/web-account-manager#request-a-token

Tags: azure-active-directory, azure-ad-single-sign-on

1 Answer

vipulsparsh-MSFT answered PiyumiPerera-0571 commented

@PiyumiPerera-0571 Thanks for reaching out. If I understand you correctly, you are trying to find a way to have the Device ID claim in the request so that it can fulfil the device-based conditional access.

For Android and iOS apps, you will have to use a broker application, which is made available by MS, and enable your app to utilize the MSAL broker support. Utilizing the broker app also enables:
1) Single sign-on (SSO): Users don't need to sign in to each application.
2) Device identification: The broker accesses the device certificate. This certificate is created on the device when it's joined to the workplace.
3) Application identification verification: When an application calls the broker, it passes its redirect URL. The broker verifies the URL.

Here are the broker apps made available by MS for Xamarin applications:
iOS - Microsoft Authenticator
Android - Company Portal.


You will need to follow this article to understand the process and requirements: https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-net-use-brokers-with-xamarin-apps#brokered-authentication-for-ios



Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


Here I need to find a way to use broker authentication for Outlook Addin
