PDF Expert/ Adobe Acrobat admin consent from a mobile phone

When using an app like PDF Expert or Adobe Acrobat on a mobile phone, if the user wants to open documents from OneDrive for Business they have to set up a connection with the tenant first. Otherwise they get warnings like these:

The actual workflow of where they get the prompt varies. In the case of Adobe, it launches the Microsoft Authenticator app to authenticate the user, and then throws the above warning. PDF Expert, on the other hand, asks the user to sign in in an integrated browser and, after they do so, errors out.

What’s happening here is that the app needs access to our tenant to read the user’s files and so on. In a “desktop” scenario this is a matter of catching the authorize endpoint and signing in with an admin account that has the permissions; on a mobile device that is not possible. I need a workaround – some way of extracting the authorize endpoint URL the app sends to my tenant, and launching that on a desktop as an admin.

In my case this was an iOS device. Here’s what I did to sort out PDF Expert.

I could have installed a proxy like Fiddler to capture the phone traffic, but that’s usually very involved. Instead, I Googled around for iOS proxy apps and came across a third-party app called Proxyman.

Using it is very easy. I installed the app, followed its instructions to download a configuration profile (this enables a VPN so the app can capture the traffic) and set its certificate as trusted (so it can capture SSL traffic). Also, in the SSL Proxying List section I added “login.microsoftonline.com”.

After that, I toggled the “Enable VPN” switch, launched PDF Expert and tried to add a OneDrive connection as before. I didn’t actually sign in; merely enabling the connection, which in turn opens the browser window asking you to log in, is enough.

In the Proxyman app, if I now search for login.microsoftonline.com I see an entry like this:

Note the “/authorize” endpoint.

Here’s the URL for anyone else stumbling upon this issue with PDF Expert: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?nonce=f7buTVb2jsYqIdglEfwxW4OYWSZ8pu3C6e6ArYXij1A&response_type=code&code_challenge_method=S256&scope=https://graph.microsoft.com/User.Read%20https://graph.microsoft.com/Files.ReadWrite.All%20offline_access&code_challenge=pUnIFpJSSbjD0NIAH3jDOBfCShezfC52bzwD51WhOy0&redirect_uri=msauth.com.readdle.pdfexpert5://auth/&client_id=8e27befb-4e35-4688-a548-769600f7b04e&state=qT-xZF7DIkEesGF_dy9TsZr8YSTqGtDcVJHKrF0IumA

I copied this URL and visited it on my desktop with an admin account, after enabling the “Application Administrator” (or a more powerful) role.

This brings up a window asking for permissions:

I accepted that.

Next, I logged in to the Entra ID portal and found “PDF Expert” under Enterprise Applications. I went to the Permissions section to see what permissions had been granted.

Looks good: delegated permissions that let the signed-in user read their files and so on.

At this point, if an end user tries to use PDF Expert it still won’t work, as I haven’t consented on behalf of the firm. So I clicked the button that grants consent for everyone. This added more permissions to the list, with the result that I now have consent for the following permissions for everyone:

I removed the ones I felt were unnecessary – the last two especially, and also the Sites.Manage.All Graph permission. If need be I can grant those later. The end result was:

After that I tested as a user and I was successfully able to connect PDF Expert with OneDrive.

Update (12th Oct 2023): I did the same for Adobe Acrobat today and here’s the URL for that:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?x-app-name=Acrobat&x-client-brkrver=3.3.0&login_hint=<email>%40<address.tld>&x-client-Ver=1.2.15&brkr=1&client-request-id=8B8E91F6-AF4D-4F37-B7BB-5B0C1B3D78BD&x-client-src-SKU=MSAL.iOS&response_type=code&redirect_uri=msauth.com.adobe.Adobe-Reader%3A%2F%2Fauth&x-client-CPU=64&x-app-ver=23.08.01&haschrome=1&state=QkRDNkQ5NDQtRUIyRC00MTMzLUE4QjAtRDNCRDI2MkYyQkEz&return-client-request-id=true&X-AnchorMailbox=Oid%3A78cdec0a-739e-4612-8ac6-d2e78580042d%40<tenantId>&scope=Files.ReadWrite.All%20User.Read%20openid%20profile%20offline_access&domain_req=<tenantId>&claims=%7B%22access_token%22%3A%7B%22xms_cc%22%3A%7B%22values%22%3A%5B%22protapp%22%5D%7D%7D%7D&x-client-SKU=MSAL.iOS&client_id=cf90ab8f-8091-4c2d-b6a9-0b89a3312382&x-client-OS=17.0.1&client_info=1&domain_hint=organizations&x-client-DM=iPhone&login_req=78cdec0a-739e-4612-8ac6-d2e78580042d

You have to replace some bits like the tenantId and email address (%40 is the URL-encoded @).
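As an added example (not code from this post or from either vendor), here is a small Python helper that pulls the consent-relevant fields out of a captured authorize URL before you visit it as an admin: the app's client_id, the redirect URI, the decoded scope list with the broad Graph scopes flagged, and any angle-bracket placeholders still to be replaced. The BROAD_SCOPES set is my own choice of scopes worth a second look before tenant-wide consent, and the Adobe URL is shortened to the parameters the parser reads.

```python
import re
from urllib.parse import parse_qs, urlsplit

GRAPH = "https://graph.microsoft.com/"
# Scopes that reach every file or site the user can touch; worth a second look before tenant-wide consent.
BROAD_SCOPES = {"Files.ReadWrite.All", "Sites.Manage.All", "Sites.ReadWrite.All"}

# The PDF Expert authorize URL as captured in the post, split over several lines.
PDF_EXPERT_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?"
    "nonce=f7buTVb2jsYqIdglEfwxW4OYWSZ8pu3C6e6ArYXij1A&response_type=code"
    "&code_challenge_method=S256&scope=https://graph.microsoft.com/User.Read"
    "%20https://graph.microsoft.com/Files.ReadWrite.All%20offline_access"
    "&code_challenge=pUnIFpJSSbjD0NIAH3jDOBfCShezfC52bzwD51WhOy0"
    "&redirect_uri=msauth.com.readdle.pdfexpert5://auth/"
    "&client_id=8e27befb-4e35-4688-a548-769600f7b04e"
    "&state=qT-xZF7DIkEesGF_dy9TsZr8YSTqGtDcVJHKrF0IumA"
)
# The Adobe Acrobat URL from the post, shortened here to the parameters the parser reads;
# the <...> placeholders are the bits the post says must be replaced.
ADOBE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?x-app-name=Acrobat"
    "&login_hint=<email>%40<address.tld>&response_type=code"
    "&redirect_uri=msauth.com.adobe.Adobe-Reader%3A%2F%2Fauth"
    "&scope=Files.ReadWrite.All%20User.Read%20openid%20profile%20offline_access"
    "&domain_req=<tenantId>&client_id=cf90ab8f-8091-4c2d-b6a9-0b89a3312382"
    "&domain_hint=organizations"
)

def parse_authorize_url(url: str) -> dict:
    """Extract the fields an admin should review from an Entra ID /authorize URL."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}  # %xx sequences are decoded here
    scopes = q.get("scope", "").split()
    short = [s[len(GRAPH):] if s.startswith(GRAPH) else s for s in scopes]
    return {
        "host": parts.hostname,
        "tenant": parts.path.split("/")[1],  # "common", "organizations" or a tenant id
        "client_id": q.get("client_id"),
        "redirect_uri": q.get("redirect_uri"),
        "scopes": short,
        "broad_scopes": sorted(set(short) & BROAD_SCOPES),
        # Angle-bracket placeholders left in the URL have to be filled in before it is used.
        "placeholders": sorted(set(re.findall(r"<[^<>]+>", url))),
    }

def ready_to_use(info: dict) -> bool:
    """True when the URL targets login.microsoftonline.com, names an app and has no placeholders left."""
    return (info["host"] == "login.microsoftonline.com"
            and bool(info["client_id"]) and not info["placeholders"])
```

Run parse_authorize_url on the URL you captured in Proxyman and check broad_scopes and placeholders before opening it as an admin.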