Tags: azure-active-directory, azure-ad-msal, msal-angular, azure-app-registration, msal

MSAL Redirect on Failure AADSTS50105


I have an Angular App set up with MSAL (msal-angular 2.5.5). My app authenticates against an App Registration on Azure which has "Assignment Required" as true.

Ideally, I'd like it that if a user has successfully signed in, but has not been assigned to the application - they're directed back to the Angular App to an anonymously available (No MsalGuard route) page which informs them what steps they need to take to get permission to access the app.

My understanding is that it's not possible to redirect in this case. Once the user fails to meet the condition, they're sent to this page (not my image, but same error) and I lose all control over the flow:


Is this the case? And if so, are my only options the following:

  1. Don't automatically route users to the sign-in page - route them to a page informing them of the requirements to access the application, alongside a "Sign In" button which will bring them to sign in on Microsoft?

  2. Create another App Registration which all users are a member of, and use this to do a "pre-check" to ensure they're members of the groups which have access to the target application (requiring two sign-ins)

  3. Add all users to the target application, and restrict access based on their group membership / assigned roles

Does this sound correct?
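Option 3 above (assign everyone to the app and gate inside the app on roles or group membership) in working form, as an added TypeScript example that is not part of the question or of msal-angular. It assumes the decoded ID token claims come from MSAL's `account.idTokenClaims` after MSAL has validated the token; the role names, group IDs, route paths and the `RoutePolicy` shape are constructed for illustration, and the `_claim_names` handling covers the case where Azure AD omits the `groups` claim because the user belongs to too many groups.

```typescript
// Added example for option 3 (gate inside the app on roles/groups), not part of the
// question or of msal-angular. Assumes the decoded ID token claims come from MSAL
// (account.idTokenClaims); sample claims, role names, group IDs and route paths are
// constructed for illustration.

interface IdTokenClaims {
  roles?: string[];                       // app roles assigned to the user
  groups?: string[];                      // group object IDs, only if the app emits them
  _claim_names?: Record<string, string>;  // present when "groups" was replaced by an overage pointer
  [claim: string]: unknown;
}

interface RoutePolicy {
  path: string;
  anyOfRoles?: string[];    // user needs at least one of these app roles (if given)
  anyOfGroups?: string[];   // user needs at least one of these group IDs (if given)
}

interface AccessResult {
  allowed: boolean;
  redirectTo?: string;      // where to send the user when not allowed
  reason: "ok" | "not-signed-in" | "missing-role" | "missing-group" | "groups-overage";
}

// True when no requirement of this kind exists, or the user holds at least one wanted value.
function hasAny(actual: string[] | undefined, wanted: string[] | undefined): boolean {
  if (!wanted || wanted.length === 0) return true;
  if (!actual) return false;
  return wanted.some((w) => actual.indexOf(w) !== -1);
}

// Decide whether a signed-in user may enter a route. Signature, issuer and audience
// checks are MSAL's job before the claims reach this function; this only evaluates
// authorization on already-validated claims.
function evaluateAccess(claims: IdTokenClaims | null, policy: RoutePolicy): AccessResult {
  if (!claims) {
    return { allowed: false, redirectTo: "/sign-in", reason: "not-signed-in" };
  }
  if (!hasAny(claims.roles, policy.anyOfRoles)) {
    return { allowed: false, redirectTo: "/access-required", reason: "missing-role" };
  }
  if (policy.anyOfGroups && policy.anyOfGroups.length > 0) {
    // Azure AD omits "groups" and emits "_claim_names"/"_claim_sources" when the user is
    // in too many groups; treat that as "unknown", never as "allowed".
    if (!claims.groups && claims._claim_names && claims._claim_names["groups"]) {
      return { allowed: false, redirectTo: "/access-required", reason: "groups-overage" };
    }
    if (!hasAny(claims.groups, policy.anyOfGroups)) {
      return { allowed: false, redirectTo: "/access-required", reason: "missing-group" };
    }
  }
  return { allowed: true, reason: "ok" };
}

// Constructed sample policies and claims (not real role names or group IDs).
const adminPolicy: RoutePolicy = { path: "/admin", anyOfRoles: ["App.Admin"] };
const reportsPolicy: RoutePolicy = {
  path: "/reports",
  anyOfRoles: ["App.Reader", "App.Admin"],
  anyOfGroups: ["00000000-0000-0000-0000-000000000001"],
};
const readerClaims: IdTokenClaims = {
  roles: ["App.Reader"],
  groups: ["00000000-0000-0000-0000-000000000001"],
};
const unassignedClaims: IdTokenClaims = { preferred_username: "someone@example.com" };

// Evaluate every policy for one user, e.g. to build the navigation menu.
function checkAll(claims: IdTokenClaims | null): AccessResult[] {
  return [adminPolicy, reportsPolicy].map((p) => evaluateAccess(claims, p));
}
```

In an Angular app this would sit behind a route guard that runs after `MsalGuard` has ensured the user is signed in; the important design point is that an absent claim (no `roles`, or a groups overage) is treated as a denial that sends the user to the informational page, not as a pass.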


Solution

  • When using MSAL with Azure AD, if a user isn't assigned to the application and tries to sign in, they’ll get an error (like AADSTS50105).


    Manual Routing to Informational Page:

    Pre-Check with Another App Registration:

    Assign All Users to the Target Application:


    Handling AADSTS50105 Errors with MSAL:

    Otherwise, implement a custom error handling mechanism in your application.
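The "custom error handling mechanism" in the answer, as an added TypeScript example that is not part of the answer or of MSAL. It assumes the failure reaches the app at all, either as the `errorCode`/`errorMessage` pair that msal-browser's `ServerError` exposes or as the raw `#error=...&error_description=...` fragment Azure AD appends to the redirect URI; the route paths and the sample fragment are constructed for illustration. The decision carries only the AADSTS code, not the full `error_description`, because that text includes the user's sign-in name and the application ID and should not be echoed into a page unfiltered.

```typescript
// Added example of custom error handling for an MSAL redirect failure, not part of the
// answer or of MSAL. Assumes the failure is delivered to the app either as an MSAL
// error object (errorCode = OAuth "error", errorMessage = "error_description") or as
// the raw URL fragment; route paths and sample values are constructed.

interface AuthFailure {
  errorCode: string;     // OAuth "error" parameter, e.g. "access_denied"
  errorMessage: string;  // "error_description", which carries the AADSTS code
}

interface RouteDecision {
  route: string;
  reason: "not-assigned" | "unknown";
  aadstsCode?: string;
}

// decodeURIComponent throws on malformed input; fall back to the raw value rather than
// letting a bad redirect crash the callback handler.
function safeDecode(s: string): string {
  try {
    return decodeURIComponent(s.replace(/\+/g, " "));
  } catch {
    return s;
  }
}

// Parse the fragment Azure AD appends on failure: "#error=...&error_description=...".
// Returns null when the fragment is not an error response (e.g. a successful "#code=").
function parseErrorFragment(fragment: string): AuthFailure | null {
  const raw = fragment.charAt(0) === "#" ? fragment.slice(1) : fragment;
  const params: Record<string, string> = {};
  for (const pair of raw.split("&")) {
    if (!pair) continue;
    const idx = pair.indexOf("=");
    const key = idx === -1 ? pair : pair.slice(0, idx);
    const value = idx === -1 ? "" : pair.slice(idx + 1);
    params[safeDecode(key)] = safeDecode(value);
  }
  if (!params["error"]) return null;
  return { errorCode: params["error"], errorMessage: params["error_description"] || "" };
}

// Pull the AADSTS number out of an error_description without keeping the rest of it.
function extractAadstsCode(message: string): string | undefined {
  const m = /AADSTS(\d+)/.exec(message);
  return m ? "AADSTS" + m[1] : undefined;
}

// Map a failure to the anonymous route the app should show. AADSTS50105 (user signed
// in but not assigned to the app) gets the informational page from the question;
// anything else goes to a generic sign-in error page.
function decideRoute(failure: AuthFailure): RouteDecision {
  const code = extractAadstsCode(failure.errorMessage);
  if (code === "AADSTS50105") {
    return { route: "/access-required", reason: "not-assigned", aadstsCode: code };
  }
  return { route: "/sign-in-error", reason: "unknown", aadstsCode: code };
}

// Convenience for a redirect callback: fragment in, route decision (or null) out.
function routeForFragment(fragment: string): RouteDecision | null {
  const failure = parseErrorFragment(fragment);
  return failure ? decideRoute(failure) : null;
}

// Constructed sample of what a failed redirect could look like (not a captured response).
const sampleFragment =
  "#error=access_denied&error_description=AADSTS50105%3A%20The%20signed%20in%20user%20is%20not%20assigned%20to%20a%20role%20for%20the%20application.&state=abc";
```

In msal-angular the natural place to call `decideRoute` is a subscription on the broadcast service's failure events (or the rejection of `handleRedirectObservable`), followed by `router.navigate([decision.route])`; if Azure AD never redirects back for this error, as the question suspects, the handler simply never fires and option 1 from the question (land on an informational page first) remains the fallback.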