I am using MSAL to acquire a token from an auth app in Azure using Integrated Windows Authentication. The code is:
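using Microsoft.Identity.Client;

// Tenant-specific authority; <myTenantId> and <myClientId> are placeholders.
var tenant = "https://login.microsoftonline.com/<myTenantId>";
var clientId = "<myClientId>";
var scopes = new string[] { "https://graph.microsoft.com/.default" };
// Public client: no secret; the signed-in Windows identity is used for the token request.
var publicApplication = PublicClientApplicationBuilder.Create(clientId).WithAuthority(tenant).Build();
var token = await publicApplication.AcquireTokenByIntegratedWindowsAuth(scopes).ExecuteAsync();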
This throws the following exception:
Integrated Windows Auth is not supported for managed users.
I have followed the steps from https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Integrated-Windows-Authentication and as far as I can confirm I have not missed anything.
Is there something that I might have missed in my configuration? Any help with this is highly appreciated.
From my discussion with Microsoft, IWA is not supported for pass-through authentication (which was the scenario in my case). For IWA to work, we need to have ADFS in our environment.
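An added example, not part of the original question or answer: one way a client can handle this case in MSAL.NET, by catching the managed-user error from the IWA call and falling back to interactive sign-in. The `TokenHelper` class name, the `http://localhost` redirect URI and the choice of an interactive fallback are assumptions; the tenant and client IDs are the post's placeholders.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

static class TokenHelper
{
    // Placeholders from the post: substitute your own tenant and app registration.
    const string Authority = "https://login.microsoftonline.com/<myTenantId>";
    const string ClientId = "<myClientId>";
    static readonly string[] Scopes = { "https://graph.microsoft.com/.default" };

    public static async Task<AuthenticationResult> AcquireAsync()
    {
        IPublicClientApplication app = PublicClientApplicationBuilder
            .Create(ClientId)
            .WithAuthority(Authority)
            // Assumption: this redirect URI is registered on the app so the
            // interactive fallback can complete in the system browser.
            .WithRedirectUri("http://localhost")
            .Build();

        try
        {
            // Non-interactive path: works only when the account is federated.
            return await app.AcquireTokenByIntegratedWindowsAuth(Scopes).ExecuteAsync();
        }
        catch (MsalClientException ex)
            when (ex.ErrorCode == MsalError.IntegratedWindowsAuthNotSupportedForManagedUser)
        {
            // Managed (cloud-authenticated) account, as in the post: IWA cannot
            // succeed, so prompt the user instead of retrying.
            Console.Error.WriteLine($"IWA unavailable ({ex.ErrorCode}); using interactive sign-in.");
            return await app.AcquireTokenInteractive(Scopes).ExecuteAsync();
        }
    }

    static async Task Main()
    {
        AuthenticationResult result = await AcquireAsync();
        // Log who signed in and the expiry, never the token itself.
        Console.WriteLine($"Signed in as {result.Account.Username}, expires {result.ExpiresOn:u}");
    }
}
```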