Segment Users in Azure AD

If you have been using Microsoft Graph API to add or modify users in Azure Active Directory (Azure AD) you may have noticed that when you create a new user it lives with all the other users, some of which may have nothing to do with your application. Ideally, you may want a sub-directory or business unit of sorts. Fortunately, there are ways to segment these users in a more practical way. There are currently two ways to do this: Groups and Administrative Units.

GROUPS

Groups are pretty straightforward and the name says it all. You can create a basic group using the Azure AD portal. See here for detailed instructions on how to create a basic group and add members.

ADMINISTRATIVE UNITS

An administrative unit is an Azure AD resource that can be a container for other Azure AD resources. In this preview release, these resources can be only users. For example, an administrative unit-scoped User account admin can update profile information, reset passwords, and assign licenses for users only in their administrative unit.

You can use administrative units to delegate administrative permissions over subsets of users and to apply policies to a subset of users. For example, you can delegate permissions to regional administrators or set policy at a granular level.

Check out these demo scripts to help get you started and the MS Graph API administrativeUnit resource type. You can find more information about Administrative Units here.

NOTE:

ADMINISTRATIVE UNITS ARE CURRENTLY IN PREVIEW AND CAN ONLY BE MANAGED VIA POWERSHELL CMDLETS OR THE MS GRAPH BETA REST ENDPOINT AT THE MOMENT.

Why am I getting a Login Request after initial login using iOS MSAL?

Does your app keep asking you to log in after the initial login when implementing iOS MSAL? Did you implement this in your Android app without any issues? Did you look over all your code a million times, and your configuration looks correct, but you still cannot figure out why this is happening? Well, you are in luck, because we go over why this happens and how to fix it!

SCENARIO

Using the MSAL SDK to implement mobile authentication in an iOS app, following this tutorial.

This sample uses the Microsoft Authentication library (MSAL) to implement Authentication. MSAL will automatically renew tokens, deliver single sign-on (SSO) between other apps on the device, and manage the Account(s). The key thing to note here is in order for SSO to work, tokens need to be shared between apps. This requires a token cache, or broker application, such as Microsoft Authenticator for iOS.

Expected Behavior:
User does not get prompted to login since user already logged in using MSAL

Actual Behavior:
Received login request

ISSUE

You may have your web browsers configured in a way that does not allow cookie sharing.

A web browser is required for interactive authentication. On iOS, the Microsoft Authentication Library (MSAL) uses the system web browser by default to do interactive authentication to sign in users. Using the system browser has the advantage of sharing the single sign-on (SSO) state with other applications and with web applications.

Since the system browser is the default, you may have opted to customize this configuration by switching MSAL to one of the following web views or sessions:

For iOS only:
  • ASWebAuthenticationSession
  • SFAuthenticationSession
  • SFSafariViewController

For iOS and macOS:
  • WKWebView

All of that is completely fine but you have to set this up in a way that enables cookie sharing.

RESOLUTION

You can use one of the following combinations in order to allow cookie sharing:

  • ASWebAuthenticationSession in MSAL + openURL in Safari browser (not SafariViewController, the full browser)
  • SFSafariViewController in MSAL + SFSafariViewController in your app
  • WKWebView in MSAL + WKWebView in your app

See here for additional details on customizing webviews and browsers.
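As an added example (not code from the original post or from the MSAL project), the following Swift snippet shows how the first and third combinations above are configured on the MSAL side. The client ID, redirect URI, authority and scopes are placeholders, and the assumption is that the rest of the app opens its own links with the matching component (the full Safari browser for the ASWebAuthenticationSession case, a WKWebView for the WKWebView case).

```swift
import MSAL
import UIKit
import WebKit

// Placeholder app-registration values; replace with your own.
let clientId = "<your-client-id>"
let redirectUri = "msauth.<your-bundle-id>://auth"
let authorityUrl = URL(string: "https://login.microsoftonline.com/common")!
let scopes = ["User.Read"]

final class SignInController: UIViewController {
    private var application: MSALPublicClientApplication?

    override func viewDidLoad() {
        super.viewDidLoad()
        do {
            let authority = try MSALAuthority(url: authorityUrl)
            let config = MSALPublicClientApplicationConfig(clientId: clientId,
                                                           redirectUri: redirectUri,
                                                           authority: authority)
            application = try MSALPublicClientApplication(configuration: config)
        } catch {
            print("MSAL initialization failed: \(error)")
        }
    }

    // Shared helper: run interactive sign-in with the chosen web view type.
    private func acquireToken(using type: MSALWebviewType) {
        guard let application = application else { return }
        let webParams = MSALWebviewParameters(authPresentationViewController: self)
        webParams.webviewType = type
        let params = MSALInteractiveTokenParameters(scopes: scopes, webviewParameters: webParams)
        application.acquireToken(with: params) { result, error in
            if let error = error { print("Sign-in failed: \(error)"); return }
            print("Signed in as \(result?.account.username ?? "<unknown>")")
        }
    }

    // Combination 1: ASWebAuthenticationSession in MSAL + the full Safari browser in the app.
    func signInWithAuthenticationSession() { acquireToken(using: .authenticationSession) }
    func openInSafari(_ url: URL) { UIApplication.shared.open(url) } // not SFSafariViewController

    // Combination 3: WKWebView in MSAL + WKWebView in the app (same default data store assumed).
    func signInWithWKWebView() { acquireToken(using: .wkWebView) }
    func makeAppWebView() -> WKWebView {
        let config = WKWebViewConfiguration()
        config.websiteDataStore = WKWebsiteDataStore.default()
        return WKWebView(frame: .zero, configuration: config)
    }
}
```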

NOTE

For Xamarin.iOS there are several considerations to take that are separate from the issue described in this blog post including enabling token caching and using Microsoft Authenticator. You can find more information on how to achieve this here.