- Risk Detection of Azure AD Identity Protection.
- Re-authentication if sign-in risk has been detected.
- Continuous Access Evaluation (CAE) and Critical Event of User/Sign-in risk.
- Limit token lifetime on non-corporate or non-managed devices.

Figure: Overview of the sign-in, token cache flow and potential replay attack paths on macOS devices.

## macOS Keychain items from Microsoft products

According to Microsoft docs, the Keychain plays a central role in storing cached tokens, which is what provides SSO between MSAL apps:

> When the Microsoft Authentication Library for iOS and macOS (MSAL) signs in a user, or refreshes a token, it tries to cache tokens in the keychain. Caching tokens in the keychain allows MSAL to provide silent single sign-on (SSO) between multiple apps that are distributed by the same Apple developer. SSO is achieved via the keychain access groups functionality.

Source: Configure keychain - Microsoft identity platform - Microsoft Docs

I have found the following Keychain entries in relation to authentication for various Microsoft products on a macOS device:

| Product | Keychain entry |
|---|---|
| Microsoft (OneAuth) | com.microsoft.oneauth |
| Microsoft Teams | Microsoft Teams Identities Cache |
| Microsoft | com.microsoft |
| Microsoft Edge | Microsoft Edge Safe Storage |

Various refresh tokens, primary refresh tokens and access tokens have been cached. A reference to the user's objectId is included.

Note: I used a device that is not registered in Azure AD and has no Enterprise SSO plug-in for the following tests and use cases.

Token caching in the Keychain (by using access group “”) seems to be the default for apps using MSAL.

Side note: Azure CLI on macOS also uses MSAL in recent versions. Therefore, most of the research results should cover scenarios with the Enterprise SSO plug-in as well.
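To check which of these entries exist on a given Mac, the attribute listing from `security dump-keychain` (run without `-d`, so item data is not dumped and no per-item consent prompt is triggered) can be filtered for the service names listed above. The script below is an added example, not code from the original post: it parses the `class:` / `"svce"<blob>=` / `"acct"<blob>=` lines of that listing with awk and prints the class, service and account of every Microsoft-related item. The service-name pattern, the constructed sample dump (including the placeholder objectId and account values) and the entry name `com.microsoft.oneauth` are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not part of the original post): filter a `security dump-keychain`
# attribute listing down to the Microsoft authentication items named in the post.
#
# On a real Mac produce the listing with (no -d, so no secret data is dumped):
#   security dump-keychain ~/Library/Keychains/login.keychain-db > dump.txt
# then run:  list_ms_keychain_items dump.txt

# Assumption: these substrings identify the MSAL / OneAuth / Teams / Edge items.
MS_SERVICE_PATTERN='com.microsoft|Microsoft Teams Identities Cache|Microsoft Edge Safe Storage|oneauth'

# list_ms_keychain_items FILE
#   Prints "class<TAB>service<TAB>account" for each item whose service name
#   matches MS_SERVICE_PATTERN. Each item starts at a `class:` line; the
#   service ("svce") and account ("acct") attributes follow on their own lines.
list_ms_keychain_items() {
    awk -v pat="$MS_SERVICE_PATTERN" '
        function flush() {
            if (cls != "" && svce ~ pat) print cls "\t" svce "\t" acct
            cls = ""; svce = ""; acct = ""
        }
        /^class: /          { flush(); cls = $2; gsub(/"/, "", cls) }
        /^ *"svce"<blob>=/  { svce = $0; sub(/^[^=]*=/, "", svce); gsub(/"/, "", svce) }
        /^ *"acct"<blob>=/  { acct = $0; sub(/^[^=]*=/, "", acct); gsub(/"/, "", acct) }
        END                 { flush() }
    ' "$1"
}

# Constructed sample in the dump-keychain attribute format (values are made up;
# the GUID stands in for the user objectId the post says is referenced).
sample_dump() {
    cat <<'EOF'
keychain: "/Users/alice/Library/Keychains/login.keychain-db"
version: 512
class: "genp"
attributes:
    0x00000007 <blob>="Microsoft Teams Identities Cache"
    "acct"<blob>="12345678-abcd-4321-9999-0123456789ab"
    "svce"<blob>="Microsoft Teams Identities Cache"
class: "genp"
attributes:
    0x00000007 <blob>="Slack Safe Storage"
    "acct"<blob>="Slack Key"
    "svce"<blob>="Slack Safe Storage"
class: "genp"
attributes:
    0x00000007 <blob>="com.microsoft.oneauth"
    "acct"<blob>="alice@contoso.example"
    "svce"<blob>="com.microsoft.oneauth"
class: "genp"
attributes:
    0x00000007 <blob>="Microsoft Edge Safe Storage"
    "acct"<blob>="Microsoft Edge"
    "svce"<blob>="Microsoft Edge Safe Storage"
EOF
}

# Stand-alone run over the constructed sample; the Slack item is filtered out.
tmp=$(mktemp)
sample_dump > "$tmp"
list_ms_keychain_items "$tmp"
rm -f "$tmp"
```

The listing only shows that an item exists and which account it belongs to; reading the cached token itself (for example with `security find-generic-password -s "<service>" -w`) requires the calling process to be in the item's access control list or the user to approve the Keychain prompt, which is exactly the boundary a token replay path on an unmanaged device has to cross.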