Use auth method that is compatible with 2FA
complete
Gary Zimmer
I was disappointed that I wasn't able to use Displagent at all since my org uses 2FA. I compared against Screencloud and I was able to get all my reports, public and private, with the same login. I would at least like the ability to make slideshows out of public Publish-to-web reports in Power BI.
Daniel Miradakis
complete
WHEW! After a PAINFUL 5+ weeks, I am DELIGHTED to say that Displagent now has a new Microsoft Integration built in that is MFA-compatible! See https://docs.displagent.io/setup/microsoft-integration for details.
Daniel Miradakis
Quick update, hoping to knock this one out this weekend!
Daniel Miradakis
in progress
Daniel Miradakis
planned
Daniel Miradakis
While awaiting reply, note to self for MSAL in Electron: https://stackoverflow.com/questions/51718222/microsoft-azure-login-fails-in-electron-app
Daniel Miradakis
Hey Gary Zimmer, thanks for the honest feedback!
The authentication is a tricky issue.
The way authentication works in Displagent today is that you enter your three Azure credentials along with a username and password (https://docs.displagent.io/setup/required-credentials) into the encrypted settings page. The app then takes those credentials, dumps them into a JSON object, encrypts the JSON data, and then writes the encrypted string to a local file on your machine.
This offers several really nice advantages.
- Your security credentials stay stored on your machine, not somewhere in my app's backend. I'm assuming Screencloud stores your access_tokens or refresh_tokens somewhere in their backend (I don't know for sure, but that's my guess). To keep you logged into Microsoft and not have a login window appear constantly, they HAVE to be doing something along those lines somewhere in their backend. I'm not a huge fan of that system, and some of my early adopters were not either.
- You will never experience login timeouts with Displagent's authentication method (HUGE win). This is because Displagent doesn't have to resort to the typical access_token | refresh_token authentication flow that other digital signage apps like Screencloud have to use. Eventually, the refresh_token itself will expire, and after 90 days (last I checked), you will be forced to log back into Microsoft via the popup window. I'm curious as to whether or not Screencloud customers regularly deal with this.
- One of the major downsides to Displagent's type of authentication, though, is that MFA does not work, as you pointed out (https://docs.displagent.io/setup/required-credentials#multi-factor-authentication).
However, since Displagent is a desktop app, there might be a way where I could let you log in via the Microsoft window, too, and I could take your access_tokens and refresh_tokens and store them on your machine locally. The advantage here would be, again, that security stuff stays stored on your machine, including your tokens. And then Displagent would just use those tokens to keep you logged in. The difficulty with this is grabbing your tokens from the popup window to store them on your machine; I would need to research this a bit first to see if I can actually do that in the first place.
One small risk here would be that you'd eventually have to log back into Microsoft once the auth stuff would expire, probably some popup window would appear. Again, I'm guessing that commonly happens in other signage solutions like Screencloud. Not the end of the world necessarily, but I think it really breaks the unattended/don't-have-to-worry-about-it experience that I want Displagent to provide you.
The other major difficulty here is that major parts of Displagent are currently built to exclusively use the current authentication system that it has today. It would be a pretty major change to add this alternate authentication flow to the app, but I'm not necessarily opposed to it if it's doable and does not totally break the app.
A few follow up questions for you:
- Can your organization provision a Power BI service account in your Active Directory just for Displagent? Could they do that and make an MFA exception just for the service account itself? If so, that would totally bypass this issue.
- For the Power BI reports that you published to web, do you just want to show one simple page at a time, or are you wanting to build advanced slideshows piece-by-piece (see https://docs.displagent.io/report-slideshows/ for what I mean)?
Gary Zimmer
Daniel Miradakis: I've been attempting something similar to what you've been describing for your 2FA bypass idea. Kind of a "self session hijacking" so that your credentials could be reused without manual re-entry. I've been using puppeteer.js + n8n to make it so every time I have my automation log into PBI it chooses an alternate 2FA where MS calls me and I can just hit a key on my phone to authorize without any computer entry. I'd like to make it where the user session data persists between automations and only does the phone call as a backup when cookies expire. Also, I can't imagine MS would be happy about this method.
RE: Service account, I can try asking my IT but they don’t like service accounts because they’ve been attack vectors before.
RE: Advanced Slideshows, yes, I'd want that feature for the public dashboard, since your more in-depth integration with PBI is what sold me on your product. Most services will give you page changing on a timer and call it a day.
Daniel Miradakis
Gary Zimmer: Thanks for the detailed information!
Can you check with your IT department and see if they would be willing to accept a service account usage for Displagent with a 2FA exception for said service account?
In the meantime, I'm looking to see what it would take for me to add this alternate form of Microsoft authentication.
What I'm thinking right now is, if I need to add this alternate form, I can have you login to the Microsoft auth window and do the 2FA step, at which point the auth window should produce an access_token and refresh_token per its normal operation.
If I can grab those tokens, then I can persist them on your filesystem and use them to keep you authenticated to Microsoft until the refresh_token stops working.
Again, I think you can continue getting new tokens for 90 days at a time, and I believe after 90 days, you will be forced to login again no matter what. I believe this hard restriction is enforced from Microsoft themselves and is not configurable in your Azure tenant anymore.
Quick question about your experiments with puppeteer.js: are you able to hijack the login window from Microsoft and have it auto-enter your credentials for you into the username and password textboxes? You mentioned not wanting to have to re-enter credentials and instead just do the 2FA notification on your phone.
Daniel Miradakis
Gary Zimmer: just wanted to check back in and see if your IT department was able to make you a service account? Or is that a no go?
Gary Zimmer
Daniel Miradakis: RE: puppeteer.js, yes, I use it to select the elements in the auth popup, automatically enter saved creds, navigate the follow-ups about 2FA, and choose the alternative phone option, which calls my phone for a simple yes/no auth requiring no interaction with the virtual web browser session.
Gary Zimmer
The service account isn't the issue, but they are unwilling to remove the 2FA requirement. We get way too many spear-phishing attempts.