Auth - MSAL: the Auth module supports Microsoft's shared device mode through MSAL. This connection supports brokered authentication via the Microsoft Authenticator app as well as browser-based authentication.



client_id (string): The client ID assigned when this application was registered in Azure AD.

authorization_user_agent (string): Set to "DEFAULT".

redirect_uri (string): The redirect callback URI registered for this application. For the MSAL library the redirect URI is built from the application's package name and the URL-encoded hash of its signing certificate, so the broker can check that the app receiving the token is the one that was registered. Use "msauth://com.bluefletch.ems.auth/KUKEusfKtqAOu9UB6jgjtTMKYas%3D".

authority_type (string): Set to "AAD" for Azure AD.

authority_url (string): The directory from which MSAL requests tokens. Typically set to "<audience_tenant_id>", where <audience_tenant_id> is the Azure Tenant ID.

logout_url (string): Set to "" (empty string); with this setting the logout also signs the user out of Office 365.

limit_to_launcher_groups (boolean): If true, only the groups named in group_inclusion and in the layouts of the launcher configuration file are passed into the session; the user's remaining Azure groups are dropped.

scopes (string): OIDC scope values requested from the identity provider. For MSAL use "openid email profile User.Read GroupMember.Read.All".

audience_tenant_id (string): Set to the Azure Tenant ID. Replaces tenant_id starting in Auth version 4.5.9.

shared_device_mode_supported (boolean): Set to true when the Microsoft Authenticator application is used in Shared Device Mode on the device. Default is false.

broker_redirect_uri_registered (boolean): If true, brokered authentication is used; the Auth module validates the redirect URI and throws an exception if it is not in the format the broker expects. Set to true when the Microsoft Authenticator application is used in Shared Device Mode on the device. Default is false.

limit_groups_to_direct_membership (boolean): If true, only direct group membership is returned from Azure. If false, inherited and nested group membership (reported as transitiveMemberOf in Azure) is returned as well. Default is false. Introduced in Auth version 4.7.8.

boolean: If set to true, Auth ignores the change-account broadcast from the shared device broker, so Launcher does not force a logout when a user signs out from MS Edge or another Microsoft application. Default is false, which is the Microsoft-recommended setting. Introduced in Auth version 4.8.31.

string: If set, overrides the default audience type of "AzureADMyOrg".

string: If set, the default group assigned to a logged-in user.

string: If set, overrides the default account mode of "SINGLE".

string: The number of days, as configured in the IdP, after which the password must be changed.

string: The number of days before password expiration at which users start receiving notifications of the upcoming expiration.

Auth4 Example:

"auth_msal" : {
    "client_id": "<client_id during registration>",
    "authorization_user_agent" : "DEFAULT",
    "redirect_uri": "msauth://com.bluefletch.ems.auth/KUKEusfKtqAOu9UB6jgjtTMKYas%3D",
    "authority_type": "AAD",
    "authority_url": "<audience_tenant_id>",
    "audience_tenant_id" : "<audience_tenant_id>",
    "logout_url": "",
    "limit_to_launcher_groups": true,
    "scopes": "openid email profile User.Read GroupMember.Read.All",
    "shared_device_mode_supported": true,
    "broker_redirect_uri_registered": true,
    "limit_groups_to_direct_membership": true
}
For more information on configuring, see the AppAuth/OIDC IdP section.
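The redirect URI above is the part of this block most easily misconfigured: its last segment is the URL-encoded base64 of the SHA-1 hash of the app's signing certificate, and a wrong or truncated hash fails in the broker rather than at startup. The script below is an added example, not BlueFletch code, that builds that URI from a signing certificate and lints an auth_msal block against the guidance on this page. The field names are the ones documented above; the checks themselves (flag consistency, required scopes, hash length, limit_to_launcher_groups as a least-privilege default) are this example's assumptions, and the certificate bytes and the "bad" configuration are constructed for illustration.

```python
"""Added example: build and lint the auth_msal redirect URI and flags.
Not BlueFletch code; checks are assumptions based on the page's guidance."""
import base64
import hashlib
import json
from urllib.parse import quote, unquote, urlparse

# Scopes the page says the MSAL connection needs.
REQUIRED_SCOPES = {"openid", "email", "profile", "User.Read", "GroupMember.Read.All"}


def compute_msal_redirect_uri(package_name: str, signing_cert_der: bytes) -> str:
    """msauth://<package>/<url-encoded base64(SHA-1(signing certificate DER))>.

    The hash ties the redirect to the app's signing key; the broker compares
    it with the signature of the calling app before handing back a token.
    """
    digest = hashlib.sha1(signing_cert_der).digest()
    sig = quote(base64.b64encode(digest).decode("ascii"), safe="")
    return f"msauth://{package_name}/{sig}"


def parse_msauth_redirect_uri(uri: str) -> tuple[str, bytes]:
    """Return (package, raw signature hash); raise ValueError if malformed."""
    parts = urlparse(uri)
    if parts.scheme != "msauth" or not parts.netloc:
        raise ValueError("must look like msauth://<package>/<signature hash>")
    encoded = parts.path.lstrip("/")
    if not encoded:
        raise ValueError("signature hash segment is missing")
    raw = base64.b64decode(unquote(encoded), validate=True)
    if len(raw) != hashlib.sha1().digest_size:
        raise ValueError(f"signature hash is {len(raw)} bytes, expected 20 (SHA-1)")
    return parts.netloc, raw


def check_auth_msal(cfg: dict) -> list[str]:
    """Lint an auth_msal block; an empty list means no findings."""
    findings = []
    try:
        parse_msauth_redirect_uri(cfg.get("redirect_uri", ""))
    except ValueError as exc:
        findings.append(f"redirect_uri: {exc}")
    if cfg.get("authority_type") != "AAD":
        findings.append('authority_type should be "AAD"')
    if not cfg.get("audience_tenant_id"):
        findings.append("audience_tenant_id is required (replaces tenant_id since Auth 4.5.9)")
    missing = REQUIRED_SCOPES - set(cfg.get("scopes", "").split())
    if missing:
        findings.append("scopes missing: " + " ".join(sorted(missing)))
    # Shared Device Mode needs both flags; a mismatch means the broker is
    # either never used or used with an unvalidated redirect.
    if cfg.get("shared_device_mode_supported", False) != cfg.get("broker_redirect_uri_registered", False):
        findings.append("shared_device_mode_supported and broker_redirect_uri_registered must match")
    # Assumed least-privilege default: do not pass every Azure group into the session.
    if not cfg.get("limit_to_launcher_groups", False):
        findings.append("limit_to_launcher_groups is false: all of the user's Azure groups reach the session")
    return findings


# The page's example, with placeholders left in place (they are non-empty strings).
GOOD_CONFIG = {
    "client_id": "<client_id during registration>",
    "authorization_user_agent": "DEFAULT",
    "redirect_uri": "msauth://com.bluefletch.ems.auth/KUKEusfKtqAOu9UB6jgjtTMKYas%3D",
    "authority_type": "AAD",
    "authority_url": "<audience_tenant_id>",
    "audience_tenant_id": "<audience_tenant_id>",
    "logout_url": "",
    "limit_to_launcher_groups": True,
    "scopes": "openid email profile User.Read GroupMember.Read.All",
    "shared_device_mode_supported": True,
    "broker_redirect_uri_registered": True,
    "limit_groups_to_direct_membership": True,
}

# Constructed broken variant: truncated hash, missing group scope, broker flag off.
BAD_CONFIG = dict(
    GOOD_CONFIG,
    redirect_uri="msauth://com.bluefletch.ems.auth/KUKEusfKtqAOu9UB",
    scopes="openid email profile User.Read",
    broker_redirect_uri_registered=False,
)

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, json.dumps(check_auth_msal(cfg), indent=2))
    # Constructed certificate bytes; a real build would read the DER from the keystore.
    print(compute_msal_redirect_uri("com.example.app", b"constructed-signing-cert-der"))
```

Run it against the block you are about to deploy; the redirect check is the one to trust most, because a hash that is not exactly 20 bytes can never match any signing certificate, while the remaining findings are recommendations and can be tuned to the deployment.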
