Silent access to blobs from native applications is disabled by Security Defaults when using Azure AD Free?

  • Question

    Dear Community,

    I have a .NET application that various users use to automatically download updated data files periodically. Each user has a unique Azure AD user ID and has permissions to access a subset of files in a storage account. My thought was to have the program use the MSAL OAuth 2 resource owner password credentials grant to allow silent access for each user. When Security Defaults were turned on, this broke as there is no way to accommodate MFA (which is now required for all users).

    According to the documentation, you should be able to use any of four basic Conditional Access rules to replicate the four Security Defaults which would allow me to disable MFA for all users while keeping the other, very sensible, security rules. These four Basic Conditional Access Rules are supposedly available even to AD Free users but the Conditional Access blade tells me I need to upgrade to AD Premium for it now. Thus, it appears that Security Defaults are all-or-nothing for AD Free users now, unless I misunderstand?

    Is there a way to circumvent this using application secrets and user IDs? I don't want users to have to use interactive login to Azure, even at installation. I'd like the entire process to be silent once the user supplies their credentials to the program.

    Thank you for any help.

    Thursday, November 7, 2019 10:47 PM
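An added C# example (not code from the original post) of the MSAL.NET flow the poster describes: a cached-token attempt first, then the resource owner password credentials (ROPC) grant, with the point at which an MFA-enforcing tenant (Security Defaults on) makes the password grant fail. The client ID, tenant ID, username and password are caller-supplied placeholders, and the scope is the delegated Azure Storage scope.

```csharp
using System;
using System.Linq;
using System.Security;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added illustration; IDs and credentials are assumptions supplied by the caller.
public static class StorageTokenAcquirer
{
    // Delegated scope for Azure AD access to blob storage on behalf of the signed-in user.
    private static readonly string[] Scopes = { "https://storage.azure.com/user_impersonation" };

    public static IPublicClientApplication BuildApp(string clientId, string tenantId) =>
        PublicClientApplicationBuilder.Create(clientId)
            .WithTenantId(tenantId)   // ROPC requires a specific tenant, not "common"
            .Build();

    public static async Task<string> GetAccessTokenAsync(
        IPublicClientApplication app, string username, SecureString password)
    {
        // 1. Prefer the token cache: no password is sent and no MFA challenge is raised
        //    while a refresh token obtained earlier is still valid.
        var account = (await app.GetAccountsAsync()).FirstOrDefault();
        if (account != null)
        {
            try
            {
                var cached = await app.AcquireTokenSilent(Scopes, account).ExecuteAsync();
                return cached.AccessToken;
            }
            catch (MsalUiRequiredException) { /* nothing usable in cache; fall through */ }
        }

        // 2. The password grant from the post. Once the tenant requires MFA for the user,
        //    this call is rejected: ROPC has no way to satisfy a second factor.
        try
        {
            var result = await app.AcquireTokenByUsernamePassword(Scopes, username, password)
                                  .ExecuteAsync();
            return result.AccessToken;
        }
        catch (MsalUiRequiredException ex)
        {
            // Surface the policy block rather than retrying; repeated failed password
            // grants look like credential stuffing in the tenant's sign-in logs.
            throw new InvalidOperationException(
                "Password sign-in is blocked by MFA or Conditional Access; an interactive sign-in is required.", ex);
        }
    }
}
```

The exception in step 2 is the observable effect of Security Defaults on this design: the grant itself still exists, but the tenant policy refuses to issue a token without a second factor.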