Authentication Provider Error with Azure AD connection

danbecker
Occasional Contributor III

Our Azure tenant is deployed in Azure Government. 

Followed these steps: Connect to authentication providers from ArcGIS Pro—ArcGIS Pro | Documentation

When I attempt to sign into the connection in Pro, I get this error:

Capture.PNG

 

I assigned demo_user permission to access the ArcGIS Pro Azure Enterprise app.

I also edited our conditional access policies to exclude demo_user from any policies requiring MFA. 

Even with MFA, I complete the MS Authenticator prompt and still see this error in Pro. 

The Azure enterprise app sign-in log shows successful login attempts with both MFA/not, no issues. 

Anyone have any ideas? 

 

Here's my concern: Redirect URI (reply URL) restrictions - Microsoft identity platform | Microsoft Learn

Redirect URIs must begin with the scheme https

From the first link, step #1C when you register Pro as an Azure app:

  1. For Redirect URI, choose Mobile and desktop applications as the platform and enter the URI: arcgis-pro://auth

Could this error be caused by the authorization server (Microsoft) not allowing demo_user to be redirected back to Pro because the arcgis-pro:// schema doesn't match the required https:// schema that MS requires?  

 

1 Solution

Accepted Solutions
danbecker
Occasional Contributor III

@JonahLay 

Yes, that redirect URI is what I have. 

We can close this thread, the problem was a CA policy in Intune scoped to demo_user requiring "All users terms of use". This is odd because demo_user has already accepted our all users Terms of Use policy. So, it seems like the ESRI auth. connection doesn't support that CA grant control. 

After excluding demo_user from that CA policy, everything works as expected both with/without MFA. 

This is great progress ESRI, thanks! 

2 Replies
JonahLay
Esri Contributor

Hi @danbecker

Can you please confirm that you configured the redirect uri as "arcgis-pro://auth"? It doesn't need to be https since "arcgis-pro://auth" is not a localhost redirect uri.

Jonah 

0 Kudos
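
Added example, not part of the original thread and not Esri or Microsoft code: the accepted solution traced the failure to a Conditional Access grant control other than MFA, so this script lists which policies and grant controls were enforced on one user's sign-ins to one app. It assumes sign-in records exported as JSON with the Microsoft Graph `signIn` fields `userPrincipalName`, `appDisplayName` and `appliedConditionalAccessPolicies`; the function name, users, policy names and control strings are constructed and may differ from what a real tenant records.

```python
import json

# Constructed sample shaped like Microsoft Graph signIn records, trimmed to the
# fields used below. Users, policy names and control strings are made up.
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "demo_user@example.test", "appDisplayName": "ArcGIS Pro",
  "appliedConditionalAccessPolicies": [
   {"displayName": "Require MFA", "result": "success",
    "enforcedGrantControls": ["Mfa"]},
   {"displayName": "All users terms of use", "result": "success",
    "enforcedGrantControls": ["All users terms of use"]},
   {"displayName": "Block legacy auth", "result": "notApplied",
    "enforcedGrantControls": ["Block"]}]},
 {"userPrincipalName": "other_user@example.test", "appDisplayName": "ArcGIS Pro",
  "appliedConditionalAccessPolicies": [
   {"displayName": "Require compliant device", "result": "success",
    "enforcedGrantControls": ["RequireCompliantDevice"]}]}
]""")

# Policy results that mean the policy did not act on the sign-in.
SKIPPED_RESULTS = ("notApplied", "notEnabled")


def enforced_controls(signins, user, app, already_handled=("Mfa",)):
    """Map policy name -> grant controls enforced on `user` signing in to `app`.

    Controls in `already_handled` (assumed label for MFA) are dropped so that
    only the remaining requirements, such as terms of use, are reported.
    """
    found = {}
    for signin in signins:
        if signin.get("userPrincipalName", "").lower() != user.lower():
            continue
        if signin.get("appDisplayName") != app:
            continue
        for policy in signin.get("appliedConditionalAccessPolicies") or []:
            result = policy.get("result", "")
            if result in SKIPPED_RESULTS or result.startswith("reportOnly"):
                continue
            controls = set(policy.get("enforcedGrantControls") or [])
            controls -= set(already_handled)
            if controls:
                name = policy.get("displayName", "?")
                found.setdefault(name, set()).update(controls)
    return {name: sorted(ctrls) for name, ctrls in found.items()}


if __name__ == "__main__":
    report = enforced_controls(SAMPLE_SIGNINS, "demo_user@example.test", "ArcGIS Pro")
    for name, ctrls in report.items():
        print(f"{name}: {', '.join(ctrls)}")
```
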