
Bug: Add Conditional Access support for Microsoft EntraID #826

Open
2 tasks done
michaelyockey opened this issue Mar 6, 2025 · 1 comment

Comments

@michaelyockey

Is there an existing request for this feature?

  • I have searched the existing issues and found none that matched mine

Describe the feature

Canonical team:

Please note that AuthD does not work with EntraID tenants that enforce AzureAD Intune Conditional Access. This is a non-starter for large enterprises, as Conditional Access is required for preventing unauthorized access to enterprise systems from unmanaged devices.

I am attaching the error message from an attempted login after setting up the proper AzureAD entry. The company information is redacted for privacy reasons.

The error occurs because the AuthD broker is using an integrated micro browser for the SSO login attempt. These integrated micro browsers do not work with Intune and will not pass Conditional Access.

[Image attachment: error message from the login attempt]

Describe the ideal solution

In order to resolve this issue, AuthD will need to transition to instead linking to the user's default web browser that supports AzureAD Conditional Access. On Ubuntu Linux this is currently possible with Microsoft Edge by itself. The user would need to enroll into Intune first on their Linux machine.

It is also possible to get Conditional Access working on the .deb/APT versions of Firefox, Firefox-ESR and Google Chrome. Instructions for this are found on the Linux Entra SSO project GitHub page: https://github.com/siemens/linux-entra-sso

A possible problem is that, since AuthD uses snap packages rather than native apt packages, it might be more difficult to get this package to reference the default local browser.

Alternatives and current workarounds

The AzureAD/EntraID admin can perform one of the following to allow the EntraAD authentication to take place in AuthD:

  • Conditional Access can be completely turned off at the tenant, user or group level. This is not likely to be approved by any IT security department except for testing purposes with a limited scope of users.
  • Conditional Access can be turned off for enforcement at the application level in Azure. This is likely to encounter resistance from most IT security departments, as this would open the possibility of allowing Azure logins from devices not set up with Intune.

System information and logs

Environment

  • broker version: please run snap info authd-msentraid
  • authd version: please run /usr/libexec/authd version
  • gnome shell version: please run apt policy gnome-shell
  • Distribution: (NAME in /etc/os-release)
  • Distribution version: (VERSION_ID in /etc/os-release)

Log files

Please redact/remove sensitive information:

Authd entries:

journalctl -u authd.service

MS Entra ID broker entries:

journalctl -u snap.authd-msentraid.authd-msentraid.service

Google broker entries:

journalctl -u snap.authd-google.authd-google.service

Application settings

Please redact/remove sensitive information:

MS Entra ID broker configuration:

cat /var/snap/authd-msentraid/current/broker.conf

MS Entra ID broker authd configuration:

cat /etc/authd/brokers.d/msentraid.conf

Google broker configuration:

cat /var/snap/authd-google/current/broker.conf

Google broker authd configuration:

cat /etc/authd/brokers.d/google.conf

Relevant information

https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview

https://learn.microsoft.com/en-us/entra/identity/conditional-access/plan-conditional-access

Double check your logs

  • I have redacted any sensitive information from the logs
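The template above asks for the broker version, authd version, journal entries and broker configuration, redacted before posting. The script below is an added example (not part of authd, the authd-msentraid broker, or this issue) that runs exactly the commands the template lists and masks tenant/client GUIDs and e-mail addresses on the way out. The function names, the `<REDACTED-GUID>`/`<REDACTED-EMAIL>` placeholders, the regular expressions and the sample log lines are my own assumptions and constructions; the redaction is pattern-based, so anything the patterns do not cover still has to be checked by hand.

```shell
#!/bin/sh
# Added example, not authd project code: collect the diagnostics the issue
# template requests and mask GUIDs / e-mail addresses before they are pasted
# into a public bug report. Assumes only POSIX sh, sed -E and the commands
# named in the template (skipped when absent on this host).
set -u

# Mask any GUID (tenant, client or object IDs) and any e-mail address on stdin.
# Placeholder strings are assumptions of this example, not authd conventions.
redact_sensitive() {
  sed -E \
    -e 's/[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}/<REDACTED-GUID>/g' \
    -e 's/[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/<REDACTED-EMAIL>/g'
}

# Print one titled section; run the command only if its binary exists so the
# script also works on a host without snap, apt or systemd.
run_section() {
  title=$1; shift
  printf '### %s\n' "$title"
  if command -v "$1" >/dev/null 2>&1; then
    "$@" 2>&1 | redact_sensitive
  else
    printf '(%s not available on this host)\n' "$1"
  fi
  printf '\n'
}

# The items under "System information and logs" in the template, in order.
collect_authd_diagnostics() {
  run_section "broker version"         snap info authd-msentraid
  run_section "authd version"          /usr/libexec/authd version
  run_section "gnome shell version"    apt policy gnome-shell
  run_section "Distribution"           grep -E '^(NAME|VERSION_ID)=' /etc/os-release
  run_section "Authd entries"          journalctl -u authd.service --no-pager
  run_section "MS Entra ID broker entries" \
    journalctl -u snap.authd-msentraid.authd-msentraid.service --no-pager
  run_section "MS Entra ID broker configuration" \
    cat /var/snap/authd-msentraid/current/broker.conf
  run_section "MS Entra ID broker authd configuration" \
    cat /etc/authd/brokers.d/msentraid.conf
}

# Constructed sample journal lines (not real authd output) so the redaction
# can be exercised offline without touching the host.
SAMPLE_LOG='Mar 06 10:00:00 host authd-msentraid[1234]: login attempt for alice@contoso.example
Mar 06 10:00:01 host authd-msentraid[1234]: tenant 11111111-2222-3333-4444-555555555555 client 66666666-7777-8888-9999-aaaaaaaaaaaa
Mar 06 10:00:02 host authd-msentraid[1234]: authentication failed'

# Return the sample above after redaction; used by the self-check below.
demo_redaction() {
  printf '%s\n' "$SAMPLE_LOG" | redact_sensitive
}

# Usage: ./collect.sh --collect > authd-diagnostics.txt   (then review the file)
#        ./collect.sh                                       (offline demo only)
if [ "${1:-}" = "--collect" ]; then
  collect_authd_diagnostics
else
  demo_redaction
fi
```

Run it with `--collect` to produce the attachment for an issue and read the output once more before posting: the patterns catch the IDs and addresses shown in the template's configuration files, not free-text hostnames or company names such as the one redacted in the screenshot above.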
@kevinxriva

"Conditional Access can be turned off for enforcement at the application level in Azure."
No, CA targets a resource, and this application uses the resource Microsoft Graph, which no company would exclude from protection.
