Microsoft Login. You can't get there from here. Conditional access. Require approved client app

Our Azure Active Directory application needs the delegated "Calendars.Read" permission to read some information from the user's calendar after login. But when I set the login scope to "Calendars.Read" and try to log in from a native Android app, I get an error:

You can't get there from here

It looks like you're trying to open this resource with an app that hasn't been approved by your IT department. Ask them for a list of approved applications.

Our tenant has conditional access on Office 365 (preview) with "Require approved client app" in the Grant section. If we review the information mark near the "Require approved client app" checkbox item, we see a list of trusted applications.

Does it mean that login with this scope is only available from those applications? Is it possible to make our application trusted for some tenants? What is the concept for handling cases where your application needs access to Office 365 but is prohibited by the tenant admin through the "Require approved client app" checkbox?



Solution 1:[1]

Your understanding is correct. The admin has created a policy which requires approved client app under Conditional Access. See reference here. You can find the list of approved client apps here.

The Azure AD application you are using to access O365 is not an approved client app.

This policy only allows approved client apps to access O365 from a mobile app. We cannot add your own Azure AD app into the approved client apps. The policy needs to be strictly observed. If your tenant has enabled it, you cannot bypass it.
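
For a tenant admin checking which policies produce this block, here is an added example (not part of the original answers) that scans a constructed export shaped like Microsoft Graph conditionalAccessPolicy objects for the `approvedApplication` grant control. The policy names and values are made up; user and group scoping is ignored, and "alternative" only means another control is listed in an OR group.

```python
import json

# Constructed sample: policies shaped like Microsoft Graph
# conditionalAccessPolicy objects; names and values are made up.
SAMPLE_EXPORT = json.loads("""{"value": [
  {"displayName": "O365 mobile - approved apps only", "state": "enabled",
   "conditions": {"applications": {"includeApplications": ["Office365"]},
                  "platforms": {"includePlatforms": ["android", "iOS"]}},
   "grantControls": {"operator": "OR", "builtInControls": ["approvedApplication"]}},
  {"displayName": "All apps - MFA or approved app", "state": "enabled",
   "conditions": {"applications": {"includeApplications": ["All"]},
                  "platforms": null},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa", "approvedApplication"]}},
  {"displayName": "Pilot - report only", "state": "enabledForReportingButNotEnforced",
   "conditions": {"applications": {"includeApplications": ["Office365"]},
                  "platforms": {"includePlatforms": ["android"]}},
   "grantControls": {"operator": "AND", "builtInControls": ["mfa", "approvedApplication"]}}
]}""")


def approved_app_impact(policy, platform="android"):
    """'required': an unapproved app cannot satisfy the policy;
    'alternative': another control in an OR group can satisfy it;
    None: not enforced, other platform, or control absent."""
    if policy.get("state") != "enabled":
        return None
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    if "approvedApplication" not in controls:
        return None
    platforms = (policy.get("conditions") or {}).get("platforms")
    if platforms:  # a missing platform condition means every platform
        included = {p.lower() for p in platforms.get("includePlatforms") or []}
        excluded = {p.lower() for p in platforms.get("excludePlatforms") or []}
        if platform in excluded or not ({platform, "all"} & included):
            return None
    if grant.get("operator") == "AND" or len(controls) == 1:
        return "required"
    return "alternative"


def audit(export, platform="android"):
    """Map policy displayName -> impact for policies that apply."""
    impacts = ((p["displayName"], approved_app_impact(p, platform))
               for p in export.get("value", []))
    return {name: impact for name, impact in impacts if impact}
```
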

Solution 2:[2]

After long discussions with the MS specialists, we figured out that there is no possible way to log into our app with MS login when a specific tenant has the "Approved client app" enabled. MS is going to provide something that will help to log in by using MS login when the "Approved client app" is enabled in the first chapter of 2021.

Solution 3:[3]

If you are getting this issue, and are using Chrome with the right extension version, and the correct Windows version, and the device is domain joined (thus meeting all of the stated criteria), you can resolve this by clicking on the Windows 10 accounts Chrome extension icon and completing any login prompts (if they even show up).

That should open a tab with office.com and show that you are now logged in. At that point you can relaunch the shortcut or link that had originally given the "You can't get there from here" message and be able to continue as originally expected.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Allen Wu
Solution 2 Joe Black
Solution 3 halfer