Issue

When SSO login is attempted using a Microsoft Entra ID on Box for EMM, the error message “Application Error. Error: invalid_client” appears, and login fails.

Occurrence Conditions:

• In the Admin Console > Enterprise Settings > Mobile tab, the option Intune Mobile Application Management (Intune MAM) is enabled.
• SSO is configured with a Microsoft Entra ID.
• Box for EMM version 5.34 or later is in use.
• The primary or secondary email address for the Box account does not contain the Microsoft Entra ID user principal name (UPN).

Root Cause

With the enhanced support for Microsoft Entra ID conditional access (You can get the details of the release here) , the login flow for mobile apps in the MAM environment has been strengthened.

Therefore, if the above conditions apply, the Microsoft Entra ID UPN must be registered as either the primary or secondary email address of the Box account.

Resolution

Add the Microsoft Entra ID UPN to the Box account as a secondary email address.

When SSO Required is Disabled

You can add a secondary email address from the user’s account settings. For more information, see https://support.box.com/hc/en-us/articles/360044196513-Manage-Account-Settings#h_01GKJF7FP5E54W06XSHYK5MG28.

When SSO Required is Enabled and Cannot be Disabled

You can add a secondary email address by using the Box API.

The following is an example command using the Box CLI.

Preparation

• Check the managed domain

  From Admin Console > Enterprise Settings > Custom Settings tab > Domain Management, check whether the Microsoft Entra ID UPN domain is registered as a managed domain.

• Set up the Box CLI

  For more information, see https://developer.box.com/guides/cli/cli-docs/jwt-cli/.

  Make sure that the app access level is set to App + Enterprise.

  Make sure that the scope includes Manage users.

• Prepare the user’s User ID and additional email address

Instructions

1. Verify you have completed the above preparation process.
2. When the relevant email address domain is not registered as a managed domain and user email verification is not required, add the domain and complete the verification process.

3. Run the command below. Replace <User ID> with the user’s User ID, and <UPN email address> with the secondary email address to be added.

   box users:email-aliases:add <User ID> <UPN email address> --confirm

   When using the “--confirm” option, the domain of the secondary email address to be added must be registered as a managed domain for the Box tenant.

   If the domain is not registered as a managed domain, do not use the “--confirm” option; instead, the user must verify the address through a confirmation email.

4. Finally, verify that the secondary email address has been added to the user.

Temporary Workaround (Not recommended depending on the environment)

By disabling the option Enterprise Settings > Mobile > Intune Mobile Application Management (Intune MAM) in the Box Admin Console, you can use the conventional login flow.

However, this may disable app-based conditional access security features.

When the Above Method Does not Resolve the Issue

Contact Box Support with the following information:

• A video or screenshot captured when the issue occurred
• The date and time of the issue
• Email addresses of the affected users
• Box for EMM version information
• Screenshots showing Microsoft Intune app configuration and protection policy details
• Whether conditional access is enabled
• Box Mobile App log (For details of how to obtain the log, see https://support.box.com/hc/en-us/articles/35789233920147-Submitting-Logs-for-Box-Mobile-Apps.)