
Conditional Access and Claims Challenges

Navya Canumalla edited this page Nov 28, 2019 · 5 revisions


Background

When acquiring tokens silently, your application may receive an error because the API you are trying to access is protected by a Conditional Access policy (such as an MFA requirement) that raises a claims challenge.

The pattern for handling this error is to acquire a token interactively using MSAL. An interactive acquisition prompts the user, which gives them the opportunity to satisfy the required Conditional Access policy.

In certain cases, when calling an API that requires Conditional Access, you can receive a claims challenge in the error returned by the API. For instance, if the Conditional Access policy requires a managed device (Intune), the error will be something like AADSTS53000: Your device is required to be managed to access this resource. In this case, you can pass the claims in the acquire-token call so that the user is prompted to satisfy the appropriate policy.

Handling a Claims Challenge in MSAL Python

When calling an API that requires Conditional Access, your application needs to handle the claims challenge error. It appears as an MSAL Python error response whose Claims property is not empty.

To handle the claims challenge, pass the claims through the claims parameter of the get_authorization_request_url() method.
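The detection side of that flow, as an added example that is not part of this wiki or of the MSAL Python library: it reads the claims challenge both from an MSAL error response (the Claims property above) and, as a generalization, from a resource API's 401 WWW-Authenticate header, and tells the caller when to fall back to an interactive request. It assumes Python 3, the error="insufficient_claims" header format with a base64-encoded claims parameter, and the claims_challenge= keyword that current MSAL Python releases use for the claims parameter described above; both samples are constructed.

```python
import base64
import json
import re

# Constructed sample of acquire_token_silent()'s error response under a claims challenge.
SAMPLE_MSAL_ERROR = {
    "error": "interaction_required",
    "error_description": "AADSTS53000: Your device is required to be managed "
                         "to access this resource.",
    "claims": '{"access_token":{"deviceid":{"essential":true}}}',
}
# Constructed 401 challenge header from a resource API; its claims parameter is
# the base64 form of the same JSON document.
SAMPLE_WWW_AUTHENTICATE = (
    'Bearer realm="", error="insufficient_claims", claims="'
    + base64.b64encode(SAMPLE_MSAL_ERROR["claims"].encode()).decode() + '"'
)
_CLAIMS_PARAM = re.compile(r'\bclaims="([^"]*)"')

def claims_from_msal_response(response):
    """Claims challenge from an MSAL error response, or None. A non-empty value
    means: stop retrying silently, prompt the user and forward these claims."""
    claims = response.get("claims")
    return claims if isinstance(claims, str) and claims.strip() else None

def claims_from_www_authenticate(header):
    """Decode the base64 claims parameter of a Bearer WWW-Authenticate header
    (error="insufficient_claims") to the JSON string MSAL expects, else None."""
    match = _CLAIMS_PARAM.search(header) if header.startswith("Bearer") else None
    if not match:
        return None
    raw = match.group(1)
    try:
        decoded = base64.b64decode(raw + "=" * (-len(raw) % 4)).decode("utf-8")
        json.loads(decoded)  # reject anything that is not a JSON claims document
    except ValueError:       # binascii.Error, UnicodeDecodeError, JSONDecodeError
        return None
    return decoded

def next_step(silent_result, api_challenge=None):
    """Returns ("token", token), ("interactive", claims) to be passed as claims_challenge=
    to get_authorization_request_url() (the wiki's "claims parameter"), or ("error", text)."""
    claims = claims_from_msal_response(silent_result) or (
        claims_from_www_authenticate(api_challenge) if api_challenge else None)
    if claims:
        return ("interactive", claims)
    if "access_token" in silent_result:
        return ("token", silent_result["access_token"])
    return ("error", silent_result.get("error_description", "unknown error"))
```

The "interactive" branch is where the page's pattern applies: hand the returned claims string to the interactive call rather than retrying acquire_token_silent(), which would fail again with the same challenge.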