microsoft-authentication-library-for-dotnet: [Bug] Windows integrated authentication Azure AD and WinForms, Integrated Windows Auth is not supported for managed users

Which Version of MSAL are you using ? MSAL 4.10

Platform .net 4.6.1

What authentication flow has the issue?

  • Desktop / Mobile
    • Interactive
    • Integrated Windows Auth
    • Username Password
    • Device code flow (browserless)
  • Web App
    • Authorization code
    • OBO
  • Web API
    • OBO

Other? - please describe;

Is this a new or existing app?

c. This is a new app or experiment


using: authResult = await app.AcquireTokenSilent(scopes, accounts.FirstOrDefault()) and authResult = await app.AcquireTokenByIntegratedWindowsAuth(scopes)

Get error: Integrated Windows Auth is not supported for managed users

using the method:

app.AcquireTokenInteractive The application shows a prompt for the user to select what account wants to use (the prompt shows connected to windows) and I don’t need to enter the password, right after I click the user it sings in and gets the token. After I get the token and it is saved using PublicClientApp.UserTokenCache the next logins even if the token is expired I don’t need to select the account, the user sing in automatically. using the method app.AcquireTokenSilent

Expected behavior it should get the token without user interaction

Actual behavior methods returns:

Microsoft.Identity.Client.MsalClientException: Integrated Windows Auth is not supported for managed users. See for details.

at Microsoft.Identity.Client.Internal.Requests.IntegratedWindowsAuthRequest

Possible Solution

Additional context/ Logs / Screenshots I have tried 2 options (none worked):

  • A user created in Windows AD and then synced to AAD
  • A user created in AAD and then created in Windows AD

other info:

  • Treat application as a public client is marked yes in the app registration.​

  • I used the same app registration with a web application (SPA) and using Microsoft Edge I can login without the user interaction, it signs in automatically

  • in azure AD -> Seamless single sign-on | Enabled | 1 domain

About this issue

  • Original URL
  • State: closed
  • Created 4 years ago
  • Comments: 17 (11 by maintainers)

Most upvoted comments

@jabbera nevermind. I have just confirmed that it indeed works 😃 I used the following example:


You must configure AD to be federated.

Why doesn’t MSAL support Seamless SSO? I can be unfederated and login to SSMS with a password or any web page that supports Seamless SSO. This seems natural to support as part of the integrated workflow no?

If I remember correctly, enabling seamless SSO would make the user discovery call report back a “federated” user without federation. MSAL makes the following call (please replace with your own user):

If seamless SSO was not configured correctly, please open a case with support to get some help. I am not sure anybody on the SDK can help further.

@mike7ang1rdz this is not a MSAL issue. MSAL can only perform SSO if the user realm reports back the correct response. The environment needs to be configured properly for this to work with MSAL.

i believe this can help explain a little more