MSAL Redirect on Failure AADSTS50105
I have an Angular App set up with MSAL (msal-angular 2.5.5). My app authenticates against an App Registration on Azure which has "Assignment Required" as true.
Ideally, I'd like it that if a user has successfully signed in, but has not been assigned to the application - they're directed back to the Angular App to an anonymously available (No MsalGuard route) page which informs them what steps they need to take to get permission to access the app.
My understanding is that it's not possible to redirect in this case. Once the user fails to meet the condition, they're sent to this page (not my image, but same error) and I lose all control over the flow:
Is this the case? And if so, are my only options the following:
Don't automatically route users to sign in page - route them to a page informing them the requirements to access the application, alongside a "Sign In" button which will bring them to sign in on Microsoft?
Create another App Registration which all users are a member of, and use this to do a "pre-check" to ensure they're members of the groups which have access to the target application (requiring two sign ins)
Add all users to the target application, and restrict access based on their group membership / assigned roles
Does this sound correct?
When using MSAL with Azure AD, if a user isn't assigned to the application and tries to sign in, they’ll get an error (like AADSTS50105).
- Azure AD will handle this error and show its default error page. Unfortunately, this means your Angular app can’t control what happens next.
- Azure AD takes over the error handling, and you can’t easily change the flow to redirect users to your own page when they fail to meet the app’s requirements.
Manual Routing to Informational Page:
- You can create an informational page in your Angular app that explains the access requirements. This page will have a "Sign In" button, allowing users to manually start the sign-in process instead of being automatically redirected.
Pre-Check with Another App Registration:
- You could set up a separate App Registration that all users are part of. This app would serve as a "pre-check" to confirm if users belong to the necessary groups to access the main application, though it would require them to sign in twice.
- This approach creates extra complexity because users need to sign in twice. It also adds more work, as you’ll have to manage two apps and their permissions.
Assign All Users to the Target Application:
- If all users have default access to the app, you can use Azure AD’s groups and roles to control what they can do within the app, preventing them from encountering the AADSTS50105 error.
- If you have too many users, adding them all to the target application might become difficult to manage.
Handling AADSTS50105 Errors with MSAL:
- You can use MSAL’s
handleRedirectPromiseoracquireTokenSilentmethods in your Angular app to check if the user is logged in. If the user encounters theAADSTS50105error, you can catch it and redirect them to a custom page instead of the default Azure error page. - This helps to control the user experience, but requires to manage error handling and user redirects within your app.
Otherwise, implement a custom error handling mechanism in your application.
- Unable to send email from local machine via Azure Communication Service and using logged-in user's credentials
- How to get parameters after hash mark # from a redirect URL in FastAPI?
- What is the behaviour when publishing a single-tenant Open ID Connect application to the EntraID Gallery?
- Unable to create the synchronization service account for Azure Active Directory. Retrying this operation may help resolve the issue
- b2c tenant - automate custom policy under identity experience framework
- Azure B2C access & refresh token costing
- Connect-ExchangeOnline UnAuthorized
- Software development start-up: Signing into Microsoft services
- How to configure the VMs in two different zones using Availability Sets and install the Active Directory Domain services
- How to create an authentication token for Dynamics CRM
- BrowserAuthError: interaction_in_progress: Interaction is currently in progress with azure/msal-browser@2.11.2
- Why is "Application permissions" disabled in Azure AD's "Request API permissions"?
- EntraID: how to pass application roles downstream
- Provide SSL certificate for internal Website
- How to log in to Azure service principal
- Spring boot oauth2 client with Azure AD, but common tenantID
- How To Add Query Params in ADB2C to ADB2C Federated Authentication Using OIDC protocol
- how to Get token from URL?
- Microsoft Identity Web: Change Redirect Uri
- How to create a new user in multi tenant App registration?
- Can't make Azure Conditional Access working
- Exchange 2016 Error assigning TlsCertificateName to Receive Connector
- Retrieving the last or most recent SignInLogs in a specific Azure AD B2C using Get-MgAuditLogSignIn -All throws error Stream does not support reading
- How to get Name of Authenticated user in ASP.NET Core application using Azure Active Directory
- How can I sign a JWT to exchange an access token from azure active directory?
- Azure Web App EasyAuth callback throws error
- "AADSTS65001: The user or administrator has not consented to use the application with ID '' named 'PowerBI'. Send an interactive authorization request
- Azure Correlation Id and Request ID
- PowerShell Graph SDK to retrieve Azure AD / Entra B2C Resource Group Name
- Users and Shared mailboxes within one Excel file using powershell