We have a kiosk solution in a semi-public space deployed on a desktop as well as Surface. Both are using Assigned Access/Kiosk Mode, autologin to a non-admin local account provisioned only with access to the PowerApps desktop app.
My InfraSec and Exchange teams expressed concern around using a Service Account in place of an actual user, primarily because we're leveraging Flow to send Skype/Teams messages to staff in certain scenarios, and stating that messaging via a Resource Account would be a violation of MS TOS. After hearing that, I went back to leadership and got approval on a process change to have staff sign in themselves for each session. However, somewhat to my surprise, there was no prompt for sign-in after an initial session despite having selected not to store credentials.
I had a user who only has view access to the app sign in, once. Now all messages come through as if sent from this user and PowerApps opens as that user. (I happened to use our Director's account.)
I need to provide my OpsSec team some documentation of how this works, whether/how the credential is stored, and whether there is any risk and/or appropriate mitigation steps related to that credential being stored/passed.
For anyone in the same scenario, maybe skip down to the section after "I want to note:" for pertinent updates.
Thanks for pointing me to the GPO options related to clearing out cookies for IE. This might work if you're working in a browser session, but we're specifically working to avoid that approach and these steps did not have the desired outcome when working through the PowerApps desktop app.
Working from an OOBE Win10Pro 1038 desktop outside the domain, I signed out as the authenticated user within the PowerApps app. I then logged in as a local admin and made the changes described in the linked article, and then restarted the machine.
Being in Assigned Access with only the PowerApps app provisioned, the system booted into the standard user local account and opened PowerApps where it prompted for login. I authenticated and opened the application. I then restarted the computer once again.
Upon startup, PowerApps opened already authenticated but without any available apps listed. I used Ctrl+Alt+Del to bounce back to the Switch Users screen (since that's all you can do from that account) and then back in as the local user. PowerApps went through its startup splash screen and then listed the expected applications. In other words, the credential was not required in any new session. Upon restart this pattern persists. Since not having the apps listed is undesirable and because the authentication within PowerApps was retained, I'm reverting the changes to GPO.
I want to note:
Our team met with our MS representatives and Teams/PowerApps staff yesterday. (An unexpectedly great experience I should add.) It seems the understanding of licensing and potential for use of a service account in this scenario was not entirely accurate. The details of that don't belong on this thread, but I'll see if there's any related inquiries on Community to chime in on. We are now working to leverage a limited account, which changes the perception of the retained credential from a concern into a feature!
That said, unless individual domain users' authentication from within a Kiosk device signed in as a local user is appropriate in a future use case, I'll likely only dig into this particular question as free time allows. (Read as not in the foreseeable future.)
If anyone does reply with a suggested solution, I'll test and follow up as I'm able. I just can't commit to pursuing this on my own at this time.