Authentication not passing credentials with Entra App Proxy

KunRap 0 Reputation points
2023-11-19T13:33:21.2766667+00:00

Hello everyone

For our office use we are planning to put all our applications behind the Entra App Proxy. We have already done this with some test applications and ran into some issues that seem to be of the same nature.

In general, it seems that the authentication from the desktop applications cannot be passed on to the App Proxy authentication flow.

On one of the two specific issues:

We have an uptime monitor running on one of our machines behind an application proxy. We want to make the status page of the app proxy-protected uptime page in our SharePoint intranet site accessible through an IFrame. The intranet will then be accessible in Microsoft Teams through the Microsoft Viva plugin. After following the solution in this post https://learn.microsoft.com/en-us/answers/questions/1085752/how-to-get-a-user-identity-access-token-in-sharepo, the IFrame with the app proxy is now easily accessible in the web browser as well as when we access it through Teams in a browser. When we run it in the Teams desktop application, it doesn't work and just gives us a white window with no information.

The second with similar symptoms is running an Excel add-in behind the app proxy.

We don't quite understand how to deploy these if we want to run them behind the app proxy, as our understanding is that some authentication logic would be done by the manifest.

However, when running the add-in in the browser version of Excel, the authentication tokens of the logged-in user seem to be passed on, as the add-in loads just fine, pulling all the necessary data defined in the manifest from behind the app proxy. It doesn't work at all in the Excel desktop version.

Are there any solutions to this on how to pass tokens/authentication to the app proxy?

Any help is appreciated as we are out of ideas.

Thank you and best regards


1 answer

  1. Carlos Solís Salazar 17,896 Reputation points
    2023-11-20T11:53:39.7733333+00:00

    Implementing Azure AD Application Proxy for your applications can indeed present some unique challenges, especially when integrating with desktop applications like Microsoft Teams and Excel. Your description indicates issues with authentication flow and token passing when accessing these applications through the desktop versions of Teams and Excel. Let's address each scenario:

    Uptime Monitor in SharePoint through Microsoft Teams

    1. IFrame Issues with Desktop Apps:
      • Desktop applications like Teams often have stricter security controls compared to their web counterparts. This includes limitations on IFrames due to security concerns like Clickjacking.
      • Teams desktop app may not accept cookies or maintain session data the same way a browser does, which is crucial for SSO (Single Sign-On) to work seamlessly.
    2. Possible Solutions:
      • Custom Tab in Teams: Instead of using an IFrame, consider creating a custom tab in Teams that opens the SharePoint page. This approach can handle authentication more seamlessly.
      • Token Passing: Investigate if the Teams desktop application can pass the necessary authentication tokens. This may require custom development.
      • Consult Teams Development Documentation: Review the Microsoft Teams development documentation for guidelines on integrating web content within the Teams desktop app.

    Excel Add-In Behind App Proxy

    1. Authentication Differences:
      • The behavior you're observing suggests that the Excel desktop app may not be passing the authentication token to the add-in, unlike the web version.
      • Desktop versions of Office applications may not share the same authentication/session context as the browser.
    2. Possible Solutions:
      • Office Add-in Authentication: Explore the Office Add-ins documentation for guidance on handling authentication within Office Add-ins, especially for desktop applications.
        - Use of MSAL Libraries: Consider using Microsoft Authentication Library (MSAL) within your add-in to handle token acquisition and refresh.
      • Manifest Adjustments: Ensure that your add-in’s manifest is properly configured to request the necessary permissions and handle authentication correctly.

    General Recommendations

    • Testing and Logging: Implement detailed logging to track the authentication process and identify where the flow breaks.
    • Microsoft Support: If you're unable to resolve these issues, consider reaching out to Microsoft Support for more tailored assistance.

    In both cases, the key challenge is ensuring that the desktop applications can handle authentication tokens in a manner similar to their web counterparts. This often requires specific configurations and sometimes custom development to ensure seamless integration with Azure AD Application Proxy.

    If this information was helpful or if you need further assistance, feel free to ask. I'm here to help!
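As an added illustration of the "token passing" and "testing and logging" advice above (example code, not from the thread or from Microsoft), the following sketches how an add-in or tab can call an App Proxy-published backend with a bearer token instead of depending on browser sign-in cookies that desktop hosts do not share. The scope string is an assumed placeholder, and the token acquirer and fetch are injected so the flow runs offline; in a real add-in they would wrap MSAL (acquireTokenSilent / acquireTokenPopup) and the global fetch.

```javascript
// Added example, not code from the thread or from Microsoft. Entra App Proxy
// pre-authentication accepts an access token issued for the proxy application
// in the Authorization header, so no browser cookie session is needed.
// `acquireToken` and `fetchImpl` are injected (real code: MSAL + fetch).

// Assumed placeholder: App ID URI of the App Proxy application plus a scope.
const APP_PROXY_SCOPE = "api://<app-proxy-app-id-uri>/user_impersonation";

async function callThroughAppProxy(url, acquireToken, fetchImpl, log = () => {}) {
  const steps = []; // trace of the auth flow, to see where it breaks
  const trace = (m) => { steps.push(m); log(m); };

  // 1. Silent token first; fall back to one interactive prompt.
  let token = await acquireToken({ scopes: [APP_PROXY_SCOPE], interactive: false });
  trace(token ? "silent token acquired" : "silent token unavailable");
  if (!token) {
    token = await acquireToken({ scopes: [APP_PROXY_SCOPE], interactive: true });
    trace(token ? "interactive token acquired" : "interactive token failed");
    if (!token) return { ok: false, status: 0, steps };
  }

  // 2. Send the bearer token; do not follow redirects, because a redirect
  //    means the proxy fell back to its interactive sign-in page.
  const res = await fetchImpl(url, {
    headers: { Authorization: `Bearer ${token}` },
    redirect: "manual",
  });
  trace(`proxy responded ${res.status}`);
  if (res.status >= 300 && res.status < 400) {
    trace("redirected to sign-in: token not accepted (check audience/scope)");
    return { ok: false, status: res.status, steps };
  }
  if (res.status === 401) {
    trace("401 from proxy: token rejected or expired");
    return { ok: false, status: 401, steps };
  }
  return { ok: res.status === 200, status: res.status, steps };
}

// Constructed fakes so the flow can be exercised without Entra ID or a network.
function makeFakeAcquirer({ silentToken, interactiveToken }) {
  return async ({ interactive }) => (interactive ? interactiveToken : silentToken);
}
function makeFakeProxy(expectedToken) {
  return async (_url, opts) => {
    const auth = (opts.headers || {}).Authorization || "";
    // Wrong or missing token: the proxy bounces to login.microsoftonline.com
    return auth === `Bearer ${expectedToken}` ? { status: 200 } : { status: 302 };
  };
}
```

The `steps` array is the kind of trace worth logging from the desktop host to see whether the failure is "no token at all" or "token issued but not accepted by the proxy".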

