Conditional Access : Device registration flow after deleting the device entry in the Azure portal #1414

Closed
vramasam opened this issue Jun 2, 2021 · 5 comments
Assignees
Labels
Bug - P1 A problem that needs to be fixed for a feature to function as intended Clean up Issues created before Jan 2022 closed in bulk operation

Comments

@vramasam

vramasam commented Jun 2, 2021

Describe the bug
Step 1: Did the device registration in Authenticator via our app.
Step 2: Now the entry of the device will be available in the Azure portal.
Step 3: Now delete the device entry in the Azure portal.
Step 4: Now on the end user device, Authenticator will have all the device registration details.
Step 5: Now from the end user device, if we try to do the registration, the register button is not showing up. The Authenticator app shows a progress bar for a long time and ends up throwing an exception. Added the exception details in the stack trace.

So here the Authenticator app should allow registering again, because the Azure portal does not have the entry and the end user is also not able to register again, so it's like a blocker scenario.
We know that explicitly removing the account details from the phone settings screen will make the register button show up, which is not acceptable, so please resolve this blocker case.

Smartphone (please complete the following information):

  • Device: All
  • Android Version: All
  • Browser: N/A
  • MSAL Version: 2.0.12

Stacktrace
com.microsoft.identity.client.exception.MsalServiceException: The device registration record failed to propagate within the given time frame. Please try again later.

Caused by: The device registration record failed to propagate within the given time frame. Please try again later.
    at com.microsoft.identity.client.internal.controllers.MsalExceptionAdapter.msalExceptionFromBaseException(MsalExceptionAdapter.java:74)
    at com.microsoft.identity.client.SingleAccountPublicClientApplication$3.onError(SingleAccountPublicClientApplication.java:350)
    at com.microsoft.identity.client.SingleAccountPublicClientApplication$3.onError(SingleAccountPublicClientApplication.java:336)
    at com.microsoft.identity.common.internal.controllers.CommandDispatcher.commandCallbackOnError(CommandDispatcher.java:435)
    at com.microsoft.identity.common.internal.controllers.CommandDispatcher.access$1000(CommandDispatcher.java:80)
    at com.microsoft.identity.common.internal.controllers.CommandDispatcher$3.run(CommandDispatcher.java:417)
    at android.os.Handler.handleCallback(Handler.java:938)
    at android.os.Handler.dispatchMessage(Handler.java:99)
    at android.os.Looper.loopOnce(Looper.java:201)
    at android.os.Looper.loop(Looper.java:288)
    at android.app.ActivityThread.main(ActivityThread.java:7858)
    at java.lang.reflect.Method.invoke(Native Method)
    at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:548)
    at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:984)
 Caused by: 
 Caused by: The device registration record failed to propagate within the given time frame. Please try again later.
    at com.microsoft.identity.common.internal.result.MsalBrokerResultAdapter.getServiceException(MsalBrokerResultAdapter.java:441)
    at com.microsoft.identity.common.internal.result.MsalBrokerResultAdapter.getBaseExceptionFromExceptionType(MsalBrokerResultAdapter.java:286)
    at com.microsoft.identity.common.internal.result.MsalBrokerResultAdapter.getBaseExceptionFromBundle(MsalBrokerResultAdapter.java:199)
    at com.microsoft.identity.common.internal.result.MsalBrokerResultAdapter.getAcquireTokenResultFromResultBundle(MsalBrokerResultAdapter.java:554)
    at com.microsoft.identity.common.internal.controllers.BrokerMsalController.acquireToken(BrokerMsalController.java:266)
    at com.microsoft.identity.common.internal.commands.InteractiveTokenCommand.execute(InteractiveTokenCommand.java:67)
    at com.microsoft.identity.common.internal.commands.InteractiveTokenCommand.execute(InteractiveTokenCommand.java:39)
    at com.microsoft.identity.common.internal.controllers.CommandDispatcher.executeCommand(CommandDispatcher.java:369)
    at com.microsoft.identity.common.internal.controllers.CommandDispatcher.access$100(CommandDispatcher.java:80)
    at com.microsoft.identity.common.internal.controllers.CommandDispatcher$4.run(CommandDispatcher.java:563)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
    at java.lang.Thread.run(Thread.java:920)

To Reproduce
Step 1: Did the device registration in Authenticator via our app.
Step 2: Now the entry of the device will be available in the Azure portal.
Step 3: Now delete the device entry in the Azure portal.
Step 4: Now on the end user device, Authenticator will have all the device registration details.
Step 5: Now from the end user device, if we try to do the registration, the register button is not showing up. The Authenticator app shows a progress bar for a long time and ends up throwing an exception. Added the exception details in the stack trace.


Expected behavior
It should show the register button option. And it should allow registering, and the entry should appear again in the Azure portal.
Ideally we need a way to force "device registration" even though all the details are present on the device but the device entry is not present in the Azure portal.

Actual Behavior
Register button is not coming up in this case.

Additional context
Used SingleAccountPublicClientApplication
This is the API used:

```java
mSingleAccountApp.acquireToken(getAcquireTokenData(activity));

// Builds the interactive token request that carries the device claims request.
AcquireTokenParameters getAcquireTokenData(Activity activity)
{
    AcquireTokenParameters parameters = new AcquireTokenParameters.Builder()
            .startAuthorizationFromActivity(activity)
            .withScopes(Arrays.asList(getScopes()))
            .withCallback(getAuthInteractiveCallback())
            .withClaims(getClaimsDeviceRequest())
            .withPrompt(Prompt.LOGIN)
            .build();

    return parameters;
}

// Requests the device claim (DEVICE_CLAIM_KEY) in the access token and marks it as essential.
private static ClaimsRequest getClaimsDeviceRequest()
{
    final ClaimsRequest deviceIdClaimsRequest = new ClaimsRequest();
    final RequestedClaimAdditionalInformation deviceIdAdditionalInfo = new RequestedClaimAdditionalInformation();
    deviceIdAdditionalInfo.setEssential(true);
    deviceIdClaimsRequest.requestClaimInAccessToken(DEVICE_CLAIM_KEY, deviceIdAdditionalInfo);
    return deviceIdClaimsRequest;
}
```

Scope used: "urn:ms-drs:enterpriseregistration.windows.net/.default"

@vramasam vramasam changed the title Conditional Access : Registration flow after deleting the device entry in the Azure portal Conditional Access : Device registration flow after deleting the device entry in the Azure portal Jun 2, 2021
@vramasam
Author

vramasam commented Jun 9, 2021

Here we are expecting the Authenticator app to show a "Register" button when the device record is not present in the Azure portal.

Can you please assign this ticket to someone and look into the scenario?

@ghtaylor

This could potentially be related to the following issue, where we are not seeing the register button appear when the user is on Android 11 with Company Portal version 5.0.5164.0

AzureAD/azure-activedirectory-library-for-android#1612

@vramasam
Author

vramasam commented Jun 14, 2021

@ghtaylor I am not very sure the above-mentioned issue and this one are identical. The issue mentioned here will happen irrespective of any OS.
And the steps mentioned in the issue here and the other one are not the same.

Kindly ask the development team to look into it, come to a conclusion and give the solution ASAP.

Thank you

@vramasam
Author

Any update here?

@p3dr0rv
Collaborator

p3dr0rv commented Jun 25, 2021

Thanks for reporting this.
I have added a work item in our backlog to address this. (PRODUCT BACKLOG ITEM 1446457)
I will get in contact soon.

@hamiltonha hamiltonha added the Bug - P1 A problem that needs to be fixed for a feature to function as intended label Aug 5, 2021
@negoe negoe added the Clean up Issues created before Jan 2022 closed in bulk operation label Jul 17, 2022
@negoe negoe closed this as completed Jul 17, 2022
5 participants