Modern Point of Sale (MPOS) uses Azure Active Directory (AAD) to authenticate a user while activating a device. Until now MPOS used the older ADAL V2 library, which is no longer the recommended way to interact with AAD from JavaScript-based UWP applications; the recommended way is the Windows 10 native Web Account Manager API. MPOS was recently modified to stop relying on ADAL and use Web Account Manager instead. The change is available starting with Monthly Update 4, and as a hotfix for 7.1 via KB4051347.

This change also brings MPOS closer to supporting some federated AAD scenarios which were not possible with the older ADAL version.

This uptake changes the way the MPOS application is registered with AAD: while registering it one has to provide a Callback/Reply URI. With ADAL we could register any URI we wanted, but with Web Account Manager the callback URI must have a very specific value: one which is unique to a given app package (APPX) and which is generated by the Windows 10 API. When shipping MPOS we took the callback URI corresponding to the package we ship and registered it with the corresponding AAD First Party Application. So if MPOS is used as is, without any changes, the AAD flow works without any modifications in MPOS; but if MPOS is customized in a way which leads to a different APPX identity (for instance, if you change anything in Package->Identity inside the package.appxmanifest file), the app has a different callback URI which must be registered with the corresponding AAD application. Since it is not realistic for us to update the First Party application with each and every possible callback URI, the way to solve this is to register your own AAD application, which you fully control and in which you can therefore specify any callback URI you want, and as many of them as you want.

If you try to use the customized APPX package with the First Party AAD application (that is, without making the changes in AAD described below), you will see an error similar to this one while authenticating against AAD:

AADSTS50011: The reply address 'ms-appx-web://Microsoft.AAD.BrokerPlugin/...' does not match the reply addresses configured for the application

Note that it complains about the reply address used with the AppId corresponding to the MPOS First Party Application.

The list below enumerates the steps needed to create two AAD applications: one for MPOS and one for Retail Server. The Retail Server one is needed because MPOS must specify a web application which contains the resources MPOS needs. Both applications are used by MPOS while acquiring a security token from AAD; in other words, MPOS says to AAD something like: "I am the client application MPOS and I need to access resources protected by the server application Retail Server".

1. Navigate to https://portal.azure.com/
2. Go to Azure Active Directory->App registrations
3. Create the AAD Retail Server application by clicking New application registration and provide the following values for the 3 fields:
  a) "Name" - Customized Retail Server (you can put any name you want here)
  b) "Application type" - Web app / API
  c) "Sign-on URL" - any URI; it doesn't have to point to a real location, for instance: https://YourCustomizedRetailServer
4. Press [TAB] and then click the Create button and wait until the operation completes successfully; if it fails, address the errors and try again.

5. Find the application by using its name - Customized Retail Server and then click it.

6. While on the application's settings page go to Properties, copy the value of the App ID URI field and paste it as the value of the key AADRetailServerResourceId in the file DLLHost.exe.config
7. Create the AAD MPOS application by repeating steps 3-4 with the following values:
  a) Name - Customized MPOS (again, you can put any name you want here)
  b) Application type - Native
  c) Redirect URI - the reply address from the error shown above; it starts with ms-appx-web://Microsoft.AAD.BrokerPlugin/

That callback can also be seen in Event Viewer (Microsoft-Dynamics-Commerce-ModernPos/Operational) in one of the first events logged once MPOS starts. The event ID is 40619 and its text starts with:

"This UWP application was assigned the following callback Uri to be used while interacting with AAD: ms-appx-web://Microsoft.AAD.BrokerPlugIn/S-1-15-2-"

Copy the URI from your event and use it as the Redirect URI above.

Note that once you have created the AAD application you can specify as many callback URLs as you want. This means that if, for any reason, you have multiple packages with different callback URLs while developing or in production, you can keep this single AAD application and maintain all your callback URLs in it.

8. Press [TAB] and then click the Create button and wait until the operation completes successfully; if it fails, address the errors and try again.
9. Find the application by its name - Customized MPOS - and click it.
10. Copy the Application ID and paste it as the value of the key AADClientId in the file DLLHost.exe.config
11. While on the AAD portal page displaying the MPOS application's details, click "Required permissions" in the "Settings" pane and then "Add" -> "Select an API".
Type Customized Retail Server in the search box, click the same name in the search results and then the "Select" button.

Check the line "Access Customized Retail Server" and then click the Select button.

12. Click "Done" and then "Grant Permissions" -> "Yes".
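The AAD-side steps above (6, 7c and 10) can be scripted on the POS machine. The PowerShell below is an added example, not code from this article or from the MPOS product: it reads the callback URI from event 40619, pre-checks it against the Redirect URIs you registered (the mismatch behind AADSTS50011), and writes the two keys into DLLHost.exe.config. It assumes DLLHost.exe.config stores those keys as .NET appSettings entries (<add key="..." value="..."/>), that you supply the path to the file, and that case differences in the scheme and host of the callback URI (BrokerPlugIn in the event, BrokerPlugin in the error) do not matter while the S-1-15-2-... path must match exactly; the function names are mine.

```powershell
# Added example, not part of the original article or the MPOS product.
# Helpers for the AAD-side steps: read the callback URI that MPOS logs in
# event 40619, check it against the Redirect URIs registered in AAD, and
# write AADClientId / AADRetailServerResourceId into DLLHost.exe.config.
# Assumption (not stated on the page): the keys live in the usual .NET
# <appSettings><add key="..." value="..."/></appSettings> section.

$MposLogName = 'Microsoft-Dynamics-Commerce-ModernPos/Operational'

function Get-MposCallbackUri {
    # The newest event 40619 carries the ms-appx-web://Microsoft.AAD.BrokerPlugIn/S-1-15-2-...
    # URI assigned to the installed package; this is the value to register as Redirect URI.
    $evt = Get-WinEvent -FilterHashtable @{ LogName = $MposLogName; Id = 40619 } -MaxEvents 1 -ErrorAction Stop
    if ($evt.Message -match '(ms-appx-web://[^\s"'']+)') { return $Matches[1] }
    throw "Event 40619 found but it carries no ms-appx-web:// URI: $($evt.Message)"
}

function Test-MposReplyUriRegistered {
    # Compares the package's callback URI with the Redirect URIs registered on the AAD
    # application. Assumed here: scheme and host compare case-insensitively, the path
    # (the package SID) must match exactly. A $false result is what AADSTS50011 reports.
    param(
        [Parameter(Mandatory)] [string]   $CallbackUri,
        [Parameter(Mandatory)] [string[]] $RegisteredReplyUris
    )
    $wanted = [uri]$CallbackUri
    foreach ($r in $RegisteredReplyUris) {
        $u = [uri]$r
        if ($u.Scheme -eq $wanted.Scheme -and $u.Host -eq $wanted.Host -and $u.AbsolutePath -ceq $wanted.AbsolutePath) {
            return $true
        }
    }
    return $false
}

function Set-MposAadConfig {
    # Writes the Application ID of the MPOS app (step 10) and the App ID URI of the
    # Retail Server app (step 6) into DLLHost.exe.config, keeping a .bak copy.
    param(
        [Parameter(Mandatory)] [string] $ConfigPath,
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [string] $RetailServerResourceId
    )
    if ($ClientId -notmatch '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$') {
        throw "AADClientId must be the application's GUID, got '$ClientId'"
    }
    $fullPath = (Resolve-Path -LiteralPath $ConfigPath).ProviderPath
    [xml]$cfg = Get-Content -LiteralPath $fullPath -Raw
    $values = @{ AADClientId = $ClientId; AADRetailServerResourceId = $RetailServerResourceId }
    foreach ($key in $values.Keys) {
        # Only overwrite keys that already exist; do not guess where a missing key belongs.
        $node = $cfg.SelectSingleNode("//appSettings/add[@key='$key']")
        if (-not $node) { throw "Key '$key' not found in $fullPath" }
        $node.SetAttribute('value', $values[$key])
    }
    Copy-Item -LiteralPath $fullPath -Destination "$fullPath.bak" -Force
    $cfg.Save($fullPath)
}

# Usage on the POS machine (run elevated; the values come from the portal steps above):
# $cb = Get-MposCallbackUri
# Test-MposReplyUriRegistered -CallbackUri $cb -RegisteredReplyUris @('<Redirect URI(s) you registered>')
# Set-MposAadConfig -ConfigPath '<path to DLLHost.exe.config>' -ClientId '<Application ID>' -RetailServerResourceId '<App ID URI>'
```

Run Get-MposCallbackUri first and register exactly what it returns; if Test-MposReplyUriRegistered returns $false against the list you registered, activation will fail with AADSTS50011 regardless of what is in DLLHost.exe.config.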

This completes the setup on the MPOS side. The next set of steps is to whitelist the newly created AAD applications on the AX side so that the security token issued by AAD is accepted.

13. In AX go to Retail Shared Parameters->Identity Providers

14. In the "Identity Providers" grid select the row corresponding to your Azure Active Directory tenant; once you select it, the two grids below are refreshed with the applications set up for that tenant

15. In the "Relying Parties" grid click "Add" and add a new row with the following parameters:

  a) ClientID - the value you used in step #10 above (the Application ID of the MPOS application)

  b) Type - Public

  c) UserType - Worker

  d) Name - type anything you want there

16. Click button "Save"

17. Keep the newly added Relying Party record selected and click "Add" in the Server Resource IDs grid, then specify:

  a) Server Resource ID - the value you used in step #6 above (the App ID URI of the Retail Server application).

  b) Name - anything

18. Click the Save button. Make sure all your newly created records are stored as expected; to check, navigate between different rows in those grids.

19. Execute job 1110 and wait until it completes

20. At this point the data has been synced to the channel DB, but CRT/RS uses a cache which expires after a few minutes. If you don't want to wait for the cache to expire and you are not dealing with a PROD environment, you can consider recycling the Retail Server app pool.

21. Close MPOS and kill all instances of the DllHost.exe process, for instance by using Task Manager

Now try to activate the device in MPOS again. If you still experience issues, look into the Windows Event Viewer logs for MPOS and Retail Server for warnings/errors which would help in the investigation.