AADSTS650052: The app is trying to access a service 'serviceID'(Microsoft Mobile Application Management) that your organization lacks a service principal for. #239
Comments
I am looking into this.
Any update on this? Also, I was trying to find documentation about the permissions that need to be given for Intune MAM to work with mobile apps. I found dedicated Entra documentation about how to grant permission. However, what I am looking for is documentation on what permissions are needed specifically for Intune MAM to work in mobile apps.
@jayanth-quintet, is this a multi-tenant application?
@kanishkaBagga Our app is a multi-tenant application.
@jayanth-quintet - The error AADSTS650052 you're encountering indicates that your application is trying to access a service that your organization doesn't have a service principal for. This typically happens in multi-tenant applications when the required service principal hasn't been created or consented to by the tenant admin.
@kanishkaBagga Thanks. Let me go through the above. I will get back to you.
@kanishkaBagga While I look into the other points you mentioned in your comment, this is about the third point.
We assume the permissions are already provided. Reattaching the screenshot from the first message in this thread. Do you think I need to grant any other permission to get Intune MAM to work with an Android application? I am still having difficulties finding documentation that mentions permissions in the context of getting Intune MAM to work.
Please find the link here - https://learn.microsoft.com/en-us/mem/intune/developer/app-sdk-get-started#give-your-app-access-to-the-intune-mobile-app-management-service (it is already defined in your case). Did you verify the above steps?
@kanishkaBagga Thanks for your reply.
Ours is a single-tier application.
During the development stage, we are working with a single tenant. In the auth_config.json file, we replaced tenant_id with the specific tenant_id.
However, this didn't make any difference. We assume, moving forward, we will need to move away from the static config JSON file and dynamically configure the tenant details in code. But for now, we only have one tenant.
Will get back to you on this. Just waiting for the admin consent to be done.
@kanishkaBagga
When the admin tried to do this, it took us to a screen where all the permissions were listed with an Accept CTA button at the bottom (see screenshot). However, the Accept button is not doing anything when we click on it. It continued to load. We used the developer option to see what is going on underneath and saw that the following error was displayed in the console.
Any idea what is going on here? At least we now know there is a permission there to be granted, but could you help out with this error?
@jayanth-quintet -
I am pretty sure that the organization admin had tried to grant consent for the application from his desktop web browser. And he ran into the error we have mentioned in my previous comment. As far as the mobile app is concerned, we always had the Intune Company Portal app installed on the mobile device we used to test our Intune integration.
This is what we had in the Android manifest file for the Android app. We assume this is what you meant.
As we mentioned in our previous comment, the admin was unable to grant consent. The Accept button seems to do nothing. Do you have any idea about what was happening there?
Is the URL looking like this - https://login.microsoftonline.com/<tenant_id>/adminconsent?client_id=<client_id>&redirect_uri=msauth.<package_name>://auth
For iOS, yes. For Android, it looked like below: https://login.microsoftonline.com/<tenant_id>/adminconsent?client_id=<client_id>&redirect_uri=msauth://<app_package_name>/
@kanishkaBagga After this, we tried to log in via MSAL from the app. We have played around with the following scopes again.
Case 1: When we tried with both the scopes mentioned above
When we used both scopes when trying to log in, the Microsoft login screen showed up, but after signing in, the onError callback got called with an exception of type
For some reason the
Case 2: When we tried to log in with only the Graph API User.Read permission
Basically we are kind of confused. If we add the permission
We have used the Send logs feature in the Company Portal app and the incident ID shown there is YTJDDR42. Does this help you get the logs for this issue? On a side note, do we really need the
@jayanth-quintet yes, this would help. I am checking the logs based on your incident ID.
Intune Android App SDK Policy Enforcement Issue
MSAL SDK version 5.4.2
Intune SDK version 10.3.1
Summary
We are trying to integrate Microsoft Intune with our Android app to make it MAM aware. So far, we have integrated both the MSAL and Intune SDKs.
Integrated the MSAL SDK with the app. When trying to log in / acquire a token with MSAL, the app is requesting the following scopes.
```kotlin
// Scopes requested on the MSAL acquireToken call: Graph User.Read plus the Intune MAM service scope
val MSAL_SCOPES = arrayOf("https://graph.microsoft.com/User.Read", "https://msmamservice.api.application/DeviceManagementManagedApps.ReadWrite")
```
However, we are seeing that the onError method of AuthenticationCallback is getting called with the following error
We did some research and did not find a way to assign a service principal for MAM anywhere in either the Entra or Intune admin console. Such a step was not mentioned in the Intune documentation either. Any idea why this error is being returned?
On a side note, in the sample app bundled with the Intune SDK, the second scope is not requested. So, we tried the same by removing the second scope from the MSAL_SCOPES array above and then tried to login/acquire token. This time, we received the MSAL token. However, when we tried to register for MAM, we received a different error.
```kotlin
// Same array with the MAM service scope removed, as in the sample app bundled with the Intune SDK
val MSAL_SCOPES = arrayOf("https://graph.microsoft.com/User.Read")
```
Other Details:
Let me know if any other info is needed. I have attached some screenshots as well.
Any help is appreciated.
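As an added example (not code from the issue, from the Intune SDK sample app, or from Microsoft), the following Kotlin shows how the two-scope MSAL sign-in described above fits together with MAM registration, and how an app can surface AADSTS650052 as a tenant-provisioning condition (missing service principal / admin consent) instead of a generic login failure, so the person debugging sees the tenant-side cause rather than retrying sign-in. It assumes MSAL for Android (com.microsoft.identity.client) and the Intune App SDK (com.microsoft.intune.mam) as dependencies, a single-account PublicClientApplication already built from auth_config.json, and that the MAM service token requested by the SDK's authentication callback is acquired silently as `<resourceId>/.default`; `IntuneAuthHelper`, `SignInOutcome` and the log tag are this example's own names.

```kotlin
// Added example, not code from the issue or the Intune SDK sample app.
// Assumptions: MSAL for Android and the Intune App SDK are dependencies; the
// ISingleAccountPublicClientApplication was created from res/raw/auth_config.json;
// the MAM service token is requested as "<resourceId>/.default" (assumption).
// IntuneAuthHelper and SignInOutcome are hypothetical names for this example.
import android.app.Activity
import android.util.Log
import com.microsoft.identity.client.AcquireTokenParameters
import com.microsoft.identity.client.AuthenticationCallback
import com.microsoft.identity.client.IAuthenticationResult
import com.microsoft.identity.client.ISingleAccountPublicClientApplication
import com.microsoft.identity.client.exception.MsalException
import com.microsoft.intune.mam.client.app.MAMComponents
import com.microsoft.intune.mam.policy.MAMEnrollmentManager
import com.microsoft.intune.mam.policy.MAMServiceAuthenticationCallback

private const val TAG = "IntuneAuthHelper" // hypothetical log tag

// The two scopes the issue requests: Graph User.Read and the Intune MAM service scope.
val MSAL_SCOPES = listOf(
    "https://graph.microsoft.com/User.Read",
    "https://msmamservice.api.application/DeviceManagementManagedApps.ReadWrite"
)

// AADSTS650052 means the tenant lacks a service principal for the requested service.
// That is fixed by the tenant admin (consent / provisioning), not by retrying in the app.
const val MISSING_SERVICE_PRINCIPAL = "AADSTS650052"

fun isMissingServicePrincipal(ex: MsalException): Boolean =
    ex.message?.contains(MISSING_SERVICE_PRINCIPAL) == true

sealed class SignInOutcome {
    data class Success(val upn: String) : SignInOutcome()
    data class TenantNotProvisioned(val cause: MsalException) : SignInOutcome()
    data class Failed(val cause: MsalException) : SignInOutcome()
    object Cancelled : SignInOutcome()
}

/** Hypothetical helper: interactive MSAL sign-in followed by Intune MAM registration. */
class IntuneAuthHelper(private val app: ISingleAccountPublicClientApplication) {

    private val enrollment: MAMEnrollmentManager? =
        MAMComponents.get(MAMEnrollmentManager::class.java)

    // Authority of the signed-in account, captured at sign-in for silent token renewal.
    @Volatile private var authority: String? = null

    init {
        // Intune asks for a MAM-service token through this callback. It runs on a
        // background thread, so a blocking silent acquisition is acceptable; no UI here.
        enrollment?.registerAuthenticationCallback(
            MAMServiceAuthenticationCallback { upn, _, resourceId ->
                val auth = authority
                if (auth == null) {
                    null // nobody signed in yet; let the SDK retry later
                } else try {
                    app.acquireTokenSilent(arrayOf("$resourceId/.default"), auth).accessToken
                } catch (e: MsalException) {
                    Log.w(TAG, "Silent MAM token for $upn failed: ${e.errorCode}")
                    null
                }
            }
        )
    }

    fun signIn(activity: Activity, onOutcome: (SignInOutcome) -> Unit) {
        val params = AcquireTokenParameters.Builder()
            .startAuthorizationFromActivity(activity)
            .withScopes(MSAL_SCOPES)
            .withCallback(object : AuthenticationCallback {
                override fun onSuccess(result: IAuthenticationResult) {
                    val account = result.account
                    authority = account.authority
                    // Hand the identity to Intune; enrollment proceeds asynchronously and its
                    // result arrives via the app's MAMNotificationReceiver (not shown here).
                    enrollment?.registerAccountForMAM(
                        account.username, account.id, account.tenantId, account.authority
                    )
                    onOutcome(SignInOutcome.Success(account.username))
                }

                override fun onError(exception: MsalException) {
                    // Distinguish the tenant-side condition from ordinary sign-in failures.
                    onOutcome(
                        if (isMissingServicePrincipal(exception)) {
                            SignInOutcome.TenantNotProvisioned(exception)
                        } else {
                            SignInOutcome.Failed(exception)
                        }
                    )
                }

                override fun onCancel() = onOutcome(SignInOutcome.Cancelled)
            })
            .build()
        app.acquireToken(params)
    }
}
```

A `TenantNotProvisioned` outcome is the cue to show the admin-consent URL from the thread (with the app's own client_id and redirect_uri) to a tenant administrator rather than prompting the user to sign in again; the `Failed` branch still carries the MsalException so its error code and correlation ID can be logged for support.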