I am performing an OAuth flow for signing into EWS using MSAL (4.22) and AcquireTokenInteractive.
This is working but it is offering a different and much less convenient sign-in experience from that in a 3rd party off-the-shelf tool that is also signing in using the same Azure App and the same user.
I do not know if this app is using MSAL (or ADAL etc).
My code gets the experience below:
When the user selects the account A the user is always asked to supply the password and always given an MFA challenge, even if already signed in and challenged previously.
MFA is set via CAP with a 30 day sign in.
The third party app has the following user experience:
In this case when choosing account A the user is immediately signed in with no request for password and no MFA challenge even on the first use.
This is much more convenient.
My problem is that I do not know what I need to do to provide this same experience.
The prompt above has some immediate differences from the prompt from my code.
It lists more accounts.
Two of the accounts, including Account A, have a larger description.
Instead of a single line with the email address they have a three line description, with the display name on the first line, the email on the second and "Connected to Windows" on the third.
Potentially the stream-lined sign-in for Account A in this case is related to it being "recognized" as connected to Windows.
Again I do not know how to get this experience, i.e. all 4 accounts listed, "Connected to Windows" displayed, sign-in without being prompted for password and MFA every time.
I have referred to the following resources:
https://video2.skills-academy.com/en-us/azure/active-directory/develop/scenario-desktop-acquire-token?tabs=dotnet
https://video2.skills-academy.com/en-us/azure/active-directory/develop/msal-authentication-flows
Also googled, but still puzzled.
Apologies in advance if this has an obvious answer, but any advice is appreciated.