
fix: automatic device code fallback when Conditional Access Policy blocks browser/WAM auth (#294)#323

Merged
sellakumaran merged 3 commits into main from users/sellak/browser-auth
Mar 25, 2026

Conversation

@sellakumaran
Contributor

When AADSTS53003 (Conditional Access Policy) or AADSTS53000 (device compliance policy) blocks interactive browser or WAM authentication, the CLI now automatically falls back to device code flow instead of failing with no recovery path. Covers all 6 browser auth locations:

  • MsalBrowserCredential (primary fix, covers AuthenticationService, InteractiveGraphAuthService, MicrosoftGraphTokenProvider MSAL path, and BlueprintSubcommand)
  • MicrosoftGraphTokenProvider PowerShell path (retries Connect-MgGraph with -UseDeviceCode)
  • AuthenticationService belt-and-suspenders catch for future custom credential implementations

Closes #294

…ocks browser/WAM auth (#294)

When AADSTS53003 (Conditional Access Policy) or AADSTS53000 (device compliance policy) blocks
interactive browser or WAM authentication, the CLI now automatically falls back to device code
flow instead of failing with no recovery path. Covers all 6 browser auth locations:
- MsalBrowserCredential (primary fix, covers AuthenticationService, InteractiveGraphAuthService,
  MicrosoftGraphTokenProvider MSAL path, and BlueprintSubcommand)
- MicrosoftGraphTokenProvider PowerShell path (retries Connect-MgGraph with -UseDeviceCode)
- AuthenticationService belt-and-suspenders catch for future custom credential implementations

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings March 24, 2026 23:33
@github-actions

github-actions bot commented Mar 24, 2026

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA d9e5375.
Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

Scanned Files

None

Contributor

Copilot AI left a comment


Pull request overview

This PR improves CLI resiliency in enterprise tenants by automatically falling back to device code authentication when interactive browser/WAM auth is blocked by Conditional Access (AADSTS53003) or device compliance policy (AADSTS53000), addressing the login dead-end reported in #294.

Changes:

  • Add CAP/device-compliance detection constants and use them to trigger automatic device code fallback.
  • Implement fallback logic in MSAL browser/WAM path and in the PowerShell Connect-MgGraph path (retry with -UseDeviceCode).
  • Extend AuthenticationService tests to cover CAP/device-compliance fallback behavior and logging.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 6 comments.

Summary per file:

File: src/Microsoft.Agents.A365.DevTools.Cli/Services/MsalBrowserCredential.cs
  Adds CAP/device-compliance detection and automatic device code fallback for interactive auth.
File: src/Microsoft.Agents.A365.DevTools.Cli/Services/Internal/MicrosoftGraphTokenProvider.cs
  Retries PowerShell Graph auth with device code when CAP/device compliance blocks browser auth.
File: src/Microsoft.Agents.A365.DevTools.Cli/Services/AuthenticationService.cs
  Adds a defensive CAP/device-compliance catch to initiate device code flow.
File: src/Microsoft.Agents.A365.DevTools.Cli/Constants/AuthenticationConstants.cs
  Introduces constants for AADSTS53003/AADSTS53000 detection.
File: src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/AuthenticationServiceTests.cs
  Adds regression tests ensuring fallback happens only for the intended CAP/device-compliance errors.
File: CHANGELOG.md
  Documents the new automatic fallback behavior under Unreleased.

gwharris7 previously approved these changes Mar 24, 2026
sellakumaran and others added 2 commits March 24, 2026 16:45
- Remove belt-and-suspenders CAP catch from AuthenticationService (C1/C2):
  unreachable in production and risked double device code attempt
- Fix doc comment in AuthenticationConstants: device code flow may still
  be affected by CAP policies, not "bypasses" them (C3)
- Fix log message in MicrosoftGraphTokenProvider to cover both AADSTS53003
  and AADSTS53000 (Conditional Access and device compliance) (C4)
- Fix ErrorCode placeholder in MsalBrowserCredential to log the AADSTS code
  (extracted from message) instead of the OAuth "access_denied" code (C5)
- Fix comment in MsalBrowserCredential: "may still be affected" instead of
  "not subject to these policies" (C6)
- Remove 3 tests that covered the removed belt-and-suspenders catch; keep
  the device code error surface test (still valid)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Anti-pattern #19: Unreachable catch clause — when the inner method already
handles the exception before propagating, the outer catch is dead code and
risks a double-attempt on the same fallback (the AuthenticationService
belt-and-suspenders catch that slipped through review-staged).

Anti-pattern #20: MsalServiceException.ErrorCode used when AADSTS code
expected — ErrorCode is the OAuth code ("access_denied"), the AADSTS code
(e.g. AADSTS53003) is only in ex.Message; using ErrorCode in log messages
produces misleading diagnostics.

Anti-pattern #21: Log message / comment covers fewer cases than the code
handles — when a when-clause matches two error codes but the log only names
one, operators are misled during triage; also catches "bypasses" / "not
subject to" claims in comments that are not universally true.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
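The fallback described in the PR description, together with the points raised in anti-patterns #19 to #21 above (one catch site only, AADSTS code taken from the message rather than ErrorCode, log text naming both policies), can be illustrated with the public MSAL.NET API. The code below is an added example, not the CLI's own MsalBrowserCredential; the class name, the `log` delegate and the sample messages in `Main` are assumptions constructed for illustration.

```csharp
// Added example (not the project's code): detect an AADSTS53003 / AADSTS53000 block on
// interactive/WAM auth and fall back to device code flow, using Microsoft.Identity.Client.
// Class, method and delegate names here are assumptions, not the CLI's own identifiers.
using System;
using System.Text.RegularExpressions;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class InteractiveAuthWithDeviceCodeFallback
{
    // Error codes that indicate the tenant's policy refused the interactive/WAM flow.
    private const string ConditionalAccessBlocked = "AADSTS53003";
    private const string DeviceComplianceBlocked = "AADSTS53000";

    // The AADSTS code is only present in ex.Message; ex.ErrorCode is the OAuth
    // error ("access_denied"), which is why the log below does not use ErrorCode.
    private static readonly Regex AadstsCode = new Regex(@"AADSTS\d{5}", RegexOptions.Compiled);

    // True only for the two policy-block codes; any other MSAL error propagates unchanged.
    public static bool IsPolicyBlock(string message) =>
        message is not null &&
        (message.Contains(ConditionalAccessBlocked, StringComparison.Ordinal) ||
         message.Contains(DeviceComplianceBlocked, StringComparison.Ordinal));

    // Pulls the AADSTS code out of the message text for diagnostics.
    public static string ExtractAadstsCode(string message)
    {
        var match = AadstsCode.Match(message ?? string.Empty);
        return match.Success ? match.Value : "unknown";
    }

    // Single catch site: the caller must not wrap this in a second CAP catch,
    // or a blocked tenant would trigger two device code prompts.
    public static async Task<AuthenticationResult> AcquireAsync(
        IPublicClientApplication app, string[] scopes, Action<string> log, CancellationToken ct)
    {
        try
        {
            return await app.AcquireTokenInteractive(scopes).ExecuteAsync(ct);
        }
        catch (MsalServiceException ex) when (IsPolicyBlock(ex.Message))
        {
            // Name both policies the when-clause matches, and log the AADSTS code, not ErrorCode.
            log("Interactive auth blocked by Conditional Access or device compliance policy (" +
                ExtractAadstsCode(ex.Message) + "); falling back to device code flow. " +
                "Device code flow may still be affected by the same policies.");

            return await app.AcquireTokenWithDeviceCode(scopes, deviceCode =>
            {
                // Shows the user the verification URL and the code to enter.
                log(deviceCode.Message);
                return Task.CompletedTask;
            }).ExecuteAsync(ct);
        }
    }

    // Offline check of the detection logic on constructed messages shaped like MSAL error text.
    public static void Main()
    {
        string[] samples =
        {
            "AADSTS53003: Access has been blocked by Conditional Access policies.",      // constructed
            "AADSTS53000: Device is not in required device state: compliant.",          // constructed
            "interaction_required: user must sign in again (no AADSTS code in message)" // constructed
        };
        foreach (var msg in samples)
        {
            Console.WriteLine($"{ExtractAadstsCode(msg)} -> fallback={IsPolicyBlock(msg)}");
        }
    }
}
```

Running `Main` prints `AADSTS53003 -> fallback=True`, `AADSTS53000 -> fallback=True` and `unknown -> fallback=False`: the third message is deliberately not matched, so errors unrelated to policy still surface to the caller instead of silently starting a device code prompt.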
@sellakumaran sellakumaran enabled auto-merge (squash) March 25, 2026 00:03
@sellakumaran sellakumaran merged commit d93e060 into main Mar 25, 2026
14 checks passed
@sellakumaran sellakumaran deleted the users/sellak/browser-auth branch March 25, 2026 01:02


Development

Successfully merging this pull request may close these issues.

CLI for Microsoft 365 MCP Server: Conditional Access Policy blocks browser login on Microsoft Corporate Tenant

4 participants