MSAL
Auth - MSAL supports shared device mode from Microsoft. This connection supports Brokered authentication via MS Authenticator and Browser based authentication.
Auth4 Example:

For more information on configuring, see the AppAuth/OIDC IdP section.

Field | Description |
---|---|
`client_id` | string. The client ID used to register this application in Azure AD. |
`authorization_user_agent` | string. Set to `"DEFAULT"`. |
`redirect_uri` | string. The configured redirect callback URI for this application. For the MSAL library, the redirect must use the application ID and its signature. Use `"msauth://com.bluefletch.ems.auth/KUKEusfKtqAOu9UB6jgjtTMKYas%3D"`. |
`authority_type` | string. Set to `"AAD"` for Azure AD. |
`authority_url` | string. The directory from which MSAL can request tokens. Typically set to `"https://login.microsoftonline.com/<audience_tenant_id>"`, where `<audience_tenant_id>` is the Azure Tenant ID. |
`logout_url` | string. Set to `"https://login.microsoftonline.com/common/oauth2/logout?post_logout_redirect_uri=https%3A%2F%2Fwww.office.com%2F%3Fref%3Dlogout"`, which will also log the user out of Office 365. |
`limit_to_launcher_groups` | boolean. If set to `true`, only the groups identified in the `group_inclusion` and `layouts` sections of the launcher configuration file will be passed into the session. |
`scopes` | string. OIDC scope values required for the identity provider. For MSAL, the values should be `"openid email profile User.Read GroupMember.Read.All"`. |
`audience_tenant_id` | string. Set to the Azure Tenant ID. Replaces `tenant_id` starting in Auth version 4.5.9. |
`shared_device_mode_supported` | boolean. Set to `true` if using the Microsoft Authenticator application in Shared Device Mode on the device. Default is `false`. |
`broker_redirect_uri_registered` | boolean. If `true`, brokered authentication is applied; the Auth module will validate the redirect URI and return an exception if the Auth module is not formatted to communicate with the broker. Set to `true` if using the Microsoft Authenticator application in Shared Device Mode on the device. Default is `false`. |
`limit_groups_to_direct_membership` | boolean. If set to `true`, only direct group membership information will be returned from Azure. If `false`, all inherited/related group information (identified as `transitiveMemberOf` in Azure) is returned. Default is `false`. Introduced in Auth version 4.7.8. |
`ignoreAccountChangeBroadcast` | boolean. If set to `true`, Auth will ignore the change-account broadcast coming from the shared device broker, which prevents Launcher from performing a forced logout when a user signs out from MS Edge or another MS application. Default is `false`, which is the Microsoft-recommended setting. Introduced in Auth version 4.8.31. |
`audience_type` | string. If set, overrides the default audience type of `"AzureADMyOrg"`. |
`default_group` | string. If set, is the default group assigned to a logged-in user. |
`account_mode` | string. If set, overrides the default account mode of `"SINGLE"`. |
`idpPasswordChangePolicyDays` | string. The number of days set in the IdP after which the password needs to be changed. |
`idpPasswordChangeReminderDays` | string. Number of days prior to password expiration to start notifying users of upcoming password expirations. |
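The following is an added example, not BlueFletch's own code: a small pre-deployment check that builds an MSAL block from the field values in the table above and flags the misconfigurations that most often break brokered sign-in. It assumes the standard MSAL for Android broker redirect format, `msauth://<package>/<URL-encoded Base64 SHA-1 of the signing certificate>`, which this page only describes as "the application ID and its signature"; the client ID, tenant ID and certificate bytes in the sample are constructed placeholders, so the sample's redirect URI (copied from the table) is expected to mismatch the placeholder certificate.

```python
"""Sanity checks for a Launcher Auth MSAL configuration block (added example)."""
import base64
import hashlib
import urllib.parse

LOGIN_BASE = "https://login.microsoftonline.com/"
# Scope set the table above prescribes for MSAL.
MSAL_SCOPES = "openid email profile User.Read GroupMember.Read.All"


def signature_hash(cert_der: bytes) -> str:
    """Base64 of SHA-1 over the app's signing certificate (DER).

    Assumption: this is the hash MSAL for Android expects in the broker
    redirect URI; the page itself only says 'the application ID and its signature'.
    """
    return base64.b64encode(hashlib.sha1(cert_der).digest()).decode("ascii")


def expected_redirect_uri(package_name: str, cert_der: bytes) -> str:
    """Compose msauth://<package>/<url-encoded signature hash> (e.g. '=' becomes %3D)."""
    encoded = urllib.parse.quote(signature_hash(cert_der), safe="")
    return f"msauth://{package_name}/{encoded}"


def redirect_uri_matches(uri: str, package_name: str, cert_der: bytes) -> bool:
    """True when the configured redirect_uri decodes to this package and certificate."""
    prefix = f"msauth://{package_name}/"
    if not uri.startswith(prefix):
        return False
    try:
        decoded = base64.b64decode(urllib.parse.unquote(uri[len(prefix):]), validate=True)
    except (ValueError, TypeError):
        return False
    return decoded == hashlib.sha1(cert_der).digest()


def authority_url(tenant_id: str) -> str:
    """Tenant-scoped authority, as the authority_url field describes."""
    return LOGIN_BASE + tenant_id


def validate_config(cfg: dict, package_name: str, cert_der: bytes) -> list:
    """Return a list of problems; an empty list means the block passed every check."""
    problems = []
    for key in ("client_id", "redirect_uri", "authority_type",
                "authority_url", "scopes", "audience_tenant_id"):
        if not cfg.get(key):
            problems.append(f"missing {key}")
    if cfg.get("authority_type") != "AAD":
        problems.append("authority_type must be AAD for Azure AD")
    tenant = cfg.get("audience_tenant_id", "")
    if tenant and cfg.get("authority_url") != authority_url(tenant):
        problems.append("authority_url does not point at audience_tenant_id")
    if not redirect_uri_matches(cfg.get("redirect_uri", ""), package_name, cert_der):
        problems.append("redirect_uri does not match package name and signing certificate")
    # The table sets both flags to true for Shared Device Mode; one without the other
    # leaves the broker handshake unverified.
    if cfg.get("shared_device_mode_supported") and not cfg.get("broker_redirect_uri_registered"):
        problems.append("shared_device_mode_supported requires broker_redirect_uri_registered")
    if cfg.get("scopes") != MSAL_SCOPES:
        problems.append("scopes differ from the MSAL scope set")
    return problems


# Constructed sample built from the table's values; IDs are placeholders.
PLACEHOLDER_TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_CONFIG = {
    "client_id": "11111111-1111-1111-1111-111111111111",  # placeholder
    "authorization_user_agent": "DEFAULT",
    "redirect_uri": "msauth://com.bluefletch.ems.auth/KUKEusfKtqAOu9UB6jgjtTMKYas%3D",
    "authority_type": "AAD",
    "authority_url": authority_url(PLACEHOLDER_TENANT),
    "logout_url": "https://login.microsoftonline.com/common/oauth2/logout"
                  "?post_logout_redirect_uri=https%3A%2F%2Fwww.office.com%2F%3Fref%3Dlogout",
    "scopes": MSAL_SCOPES,
    "audience_tenant_id": PLACEHOLDER_TENANT,
    "shared_device_mode_supported": True,
    "broker_redirect_uri_registered": True,
    "limit_groups_to_direct_membership": False,
    "ignoreAccountChangeBroadcast": False,
}

if __name__ == "__main__":
    fake_cert = b"constructed placeholder, not a real DER certificate"
    for problem in validate_config(SAMPLE_CONFIG, "com.bluefletch.ems.auth", fake_cert):
        print("problem:", problem)
```

In practice `cert_der` comes from the keystore that signs the Launcher APK; if the check reports a redirect mismatch, the Authenticator broker will reject the sign-in, which is exactly the exception `broker_redirect_uri_registered` is documented to surface.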