MSAL Redirect on Failure AADSTS50105
I have an Angular App set up with MSAL (msal-angular 2.5.5). My app authenticates against an App Registration on Azure which has "Assignment Required" as true.
Ideally, I'd like it that if a user has successfully signed in, but has not been assigned to the application - they're directed back to the Angular App to an anonymously available (No MsalGuard route) page which informs them what steps they need to take to get permission to access the app.
My understanding is that it's not possible to redirect in this case. Once the user fails to meet the condition, they're sent to this page (not my image, but same error) and I lose all control over the flow:
Is this the case? And if so, are my only options the following:
Don't automatically route users to sign in page - route them to a page informing them the requirements to access the application, alongside a "Sign In" button which will bring them to sign in on Microsoft?
Create another App Registration which all users are a member of, and use this to do a "pre-check" to ensure they're members of the groups which have access to the target application (requiring two sign ins)
Add all users to the target application, and restrict access based on their group membership / assigned roles
Does this sound correct?
When using MSAL with Azure AD, if a user isn't assigned to the application and tries to sign in, they’ll get an error (like AADSTS50105).
- Azure AD will handle this error and show its default error page. Unfortunately, this means your Angular app can’t control what happens next.
- Azure AD takes over the error handling, and you can’t easily change the flow to redirect users to your own page when they fail to meet the app’s requirements.
Manual Routing to Informational Page:
- You can create an informational page in your Angular app that explains the access requirements. This page will have a "Sign In" button, allowing users to manually start the sign-in process instead of being automatically redirected.
Pre-Check with Another App Registration:
- You could set up a separate App Registration that all users are part of. This app would serve as a "pre-check" to confirm if users belong to the necessary groups to access the main application, though it would require them to sign in twice.
- This approach creates extra complexity because users need to sign in twice. It also adds more work, as you’ll have to manage two apps and their permissions.
Assign All Users to the Target Application:
- If all users have default access to the app, you can use Azure AD’s groups and roles to control what they can do within the app, preventing them from encountering the AADSTS50105 error.
- If you have too many users, adding them all to the target application might become difficult to manage.
Handling AADSTS50105 Errors with MSAL:
- You can use MSAL’s
handleRedirectPromiseoracquireTokenSilentmethods in your Angular app to check if the user is logged in. If the user encounters theAADSTS50105error, you can catch it and redirect them to a custom page instead of the default Azure error page. - This helps to control the user experience, but requires to manage error handling and user redirects within your app.
Otherwise, implement a custom error handling mechanism in your application.
- SSO Azure AD Authentication via POST using Oauth2 - PHP
- Azure Account Not able to login
- Possible to pull info from AdditionalProperties dictionary with Microsoft Graph PowerShell cmdlets?
- get all AAD groups in which service principal is added as member
- Azure powershell : Find the creator of a user, principal, application and group in Azure AD
- What is a Microsoft Azure Authority URL and how can it be tested?
- RabbitMQ - vhost permissions for AD?
- Why can't I login to Azure Database for Postgres, when I'm member of admin group
- Azure AD with Vue Authenticate
- Modify Users via Exchange Online REST Api
- Updating web redirect uri of Azure AD app registration
- Allowing Azure CDN to access Azure KeyVault
- AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: '<AppId>'
- Is there any Filter condition for string "contains" in MS Graph API V1.0
- How to login to different tenant(non default) in Azure portal?
- Using Python Pyadomd Library to get PowerBI Data into Json Format
- How to make delegated permissions work without turning on Allow public client flows on the Azure App
- Unable to send email from local machine via Azure Communication Service and using logged-in user's credentials
- Unauthorized client in Azure AD B2C
- How to get parameters after hash mark # from a redirect URL in FastAPI?
- What is the behaviour when publishing a single-tenant Open ID Connect application to the EntraID Gallery?
- Unable to create the synchronization service account for Azure Active Directory. Retrying this operation may help resolve the issue
- b2c tenant - automate custom policy under identity experience framework
- Azure B2C access & refresh token costing
- Connect-ExchangeOnline UnAuthorized
- How to configure the VMs in two different zones using Availability Sets and install the Active Directory Domain services
- How to create an authentication token for Dynamics CRM
- BrowserAuthError: interaction_in_progress: Interaction is currently in progress with azure/msal-browser@2.11.2
- Why is "Application permissions" disabled in Azure AD's "Request API permissions"?
- EntraID: how to pass application roles downstream