We have a business need for a canvas application that assigns secure items to users in our organization. The application should assign an item to a person and they must electronically "accept" custody of that item. We were looking at the user being prompted to log in inside the canvas application as a form of electronically accepting the item. By having to present their login credentials they are using confidential information to accept the item, which in theory allows us to track and trace items.
We understand that canvas applications do not allow secondary logins INSIDE canvas applications because it would violate the "user impersonation" rules Microsoft has put in. Does anyone have a thought on how this could be done within the application that allows the organization to utilize the AD credentials of the user accepting the item?
Yes, this seems like a good alternative to the solution. Initially my client was unwilling to accept a two-app system and wanted the signoff to happen within the single application, but it is a good alternative. Will see if this login can be accepted. Thanks!
Can I suggest a slight rework to your solution, so that you can be assured (through AAD authentication) that the user has accepted the book in your example? Create two apps, or an app and an approval flow to accomplish the following:
What do you think?
Bryan
So yes, we know that we cannot sign into a canvas application as a different user than the one that ran the app to begin with, but I was hoping someone has had a similar experience and found a solution that was as close to that as we can get.
So what we are concerned about is assigning ownership of a particular item in the database to a user of the application. Let me maybe explain this better through an example:
Larry is an admin on a canvas application that allows people to borrow books. John comes in and asks for a particular book. Larry looks up the book and sees that it is available. Larry selects that book and assigns it to John, but John must log in using his AAD credentials to verify that he is accepting the book. So if we look in the database we see that John's electronic credentials were successfully used to accept the book.
What this gives us is confirmation that the person who is now assigned the book at some point actually signed for the book and they are responsible for its return. We can look at what books are assigned to the person through reporting and whatnot.
Simply having Larry assign the book to John is not secure enough for our auditors as it does not account for the possibility of assigning to the wrong person or worse, assigning to someone fraudulently.
In order to run a canvas app, a user must already be authenticated through AAD. A canvas app does not have the ability to trigger a second authentication from within.
If you are concerned about user devices being left accessible to someone other than the intended user, can I suggest you force a sign out on all devices using AAD before you ask users to access the app?
Hope that helps,
Bryan
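The two-step pattern Bryan describes (the admin assigns in one app, the assignee accepts in their own separately authenticated app or approval flow) can be modelled as a custody ledger that records the assigning identity and the accepting identity separately, each taken from the platform-authenticated session rather than from a credential prompt inside the app. The following is an added illustration, not code from the thread or from Power Apps; the `Session` object, the UPN-based matching and the sample users are constructed assumptions standing in for whatever the real platform (here AAD) supplies as the signed-in user.

```python
"""Custody-acceptance ledger (illustrative, constructed for this thread).

Design point: the app never asks the assignee for credentials. Acceptance is
recorded from the identity the platform already authenticated, so the audit
trail shows *who assigned* and *who accepted* as two independent identities.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


def now() -> datetime:
    return datetime.now(timezone.utc)


@dataclass(frozen=True)
class Session:
    """Identity established by the hosting platform's sign-in (assumed shape).

    A real app reads this from the signed-in user context; it must never be
    populated from anything the user types into the app.
    """
    user_id: str
    upn: str


@dataclass
class CustodyRecord:
    item_id: str
    assigned_to: str                       # intended custodian's UPN (set by admin)
    assigned_by: str                       # admin's authenticated UPN
    assigned_at: datetime
    accepted_by: Optional[str] = None      # filled only from the assignee's own session
    accepted_at: Optional[datetime] = None
    history: List[Tuple[str, str, datetime]] = field(default_factory=list)


class CustodyLedger:
    def __init__(self) -> None:
        self.records: Dict[str, CustodyRecord] = {}

    def assign(self, admin: Session, item_id: str, assignee_upn: str) -> CustodyRecord:
        """Step 1 (admin's app): create a pending assignment. Does not imply acceptance."""
        existing = self.records.get(item_id)
        if existing is not None and existing.accepted_by is None:
            raise ValueError(f"{item_id} is already assigned and awaiting acceptance")
        rec = CustodyRecord(item_id, assignee_upn, admin.upn, now())
        rec.history.append(("assigned", admin.upn, rec.assigned_at))
        self.records[item_id] = rec
        return rec

    def accept(self, user: Session, item_id: str) -> CustodyRecord:
        """Step 2 (assignee's app / approval flow): accept custody.

        The accepting identity comes from `user`, the assignee's own
        authenticated session. A mismatch is recorded and rejected, which is
        what gives the auditors evidence against wrong or fraudulent assignment.
        """
        rec = self.records.get(item_id)
        if rec is None:
            raise LookupError(f"no assignment for {item_id}")
        if rec.accepted_by is not None:
            raise ValueError(f"{item_id} was already accepted by {rec.accepted_by}")
        if user.upn.lower() != rec.assigned_to.lower():
            rec.history.append(("rejected", user.upn, now()))
            raise PermissionError(
                f"signed-in user {user.upn} is not the assignee {rec.assigned_to}")
        rec.accepted_by = user.upn
        rec.accepted_at = now()
        rec.history.append(("accepted", user.upn, rec.accepted_at))
        return rec

    def accepted_items_for(self, upn: str) -> List[str]:
        """Reporting view: items a person has actually signed for."""
        return sorted(r.item_id for r in self.records.values()
                      if r.accepted_by and r.accepted_by.lower() == upn.lower())

    def pending_for(self, upn: str) -> List[str]:
        """Reporting view: items assigned to a person but not yet accepted."""
        return sorted(r.item_id for r in self.records.values()
                      if r.accepted_by is None and r.assigned_to.lower() == upn.lower())


# Constructed sample users; in the real app these come from the AAD sign-in.
LARRY = Session("u-001", "larry@example.org")
JOHN = Session("u-002", "john@example.org")
MALLORY = Session("u-003", "mallory@example.org")


def demo() -> CustodyLedger:
    ledger = CustodyLedger()
    ledger.assign(LARRY, "book-42", JOHN.upn)     # Larry's app
    ledger.accept(JOHN, "book-42")                # John's own authenticated session
    return ledger


if __name__ == "__main__":
    led = demo()
    print(led.accepted_items_for(JOHN.upn))       # ['book-42']
    print(led.records["book-42"].history)
```

Because `accept` takes the identity from the assignee's own session, the only way a record ends up with `accepted_by == assigned_to` is for the assignee to have signed in themselves, which is the signature the auditors are after; the admin's session cannot produce it.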