Contents

macOS Keychain items from Microsoft products
AAD Authenticated Edge Profile and Keychain
Microsoft Bing Search and Family Refresh Token
Security considerations on cached tokens in Keychain
Cached tokens still alive after sign-out from Edge profile
Synchronization of tokens across Apple devices by iCloud Keychain
Exfiltration and replay of (Primary) Refresh Token
Access to token (secrets) from Keychain
Using Token Tactics to request refresh and access tokens
Risk Detection of Azure AD Identity Protection
Re-authentication if sign-in risk has been detected
Continuous Access Evaluation (CAE) and Critical Event of User/Sign-in risk
Limit token lifetime on non-corporate or non-managed devices

[Figure: Overview of the sign-in, token cache flow and potential replay attack paths on macOS devices.]

macOS Keychain items from Microsoft products

According to Microsoft docs, the Keychain plays a central role in storing cached tokens, which is what provides SSO between MSAL apps:

"When the Microsoft Authentication Library for iOS and macOS (MSAL) signs in a user, or refreshes a token, it tries to cache tokens in the keychain. Caching tokens in the keychain allows MSAL to provide silent single sign-on (SSO) between multiple apps that are distributed by the same Apple developer. SSO is achieved via the keychain access groups functionality."
Source: Configure keychain - Microsoft identity platform - Microsoft Docs

I have found the following Keychain entries in relation to authentication for various Microsoft products on a macOS device (only the Keychain entry names of the original table survived; the product column is not preserved):

Product | Keychain entry
… | com.microsoft.oneauth…
… | Microsoft Teams Identities Cache
… | com.microsoft…
… | Microsoft Edge Safe Storage

Various refresh tokens, primary refresh tokens and access tokens have been cached. A reference to the user's objectId is included.

Note: I've used an Azure AD unregistered device without the Enterprise SSO plug-in for the following tests and use cases. Token caching in the Keychain (using access group "") seems to be the default for apps using MSAL. Therefore, most of the research results should cover scenarios with the "Enterprise SSO plug-in" as well.

Side note: Azure CLI on macOS also uses MSAL in recent versions. According to Microsoft docs, the cached tokens will be stored in files as cleartext if you are using Service Principals for authentication on macOS:

"The MSAL token cache and service principal entries are saved as encrypted files on Windows, and plaintext files on Linux and MacOS."

AAD Authenticated Edge Profile and Keychain

A Keychain entry with the name "Microsoft Edge Safe Storage" will be created immediately after initial startup.

Let's have a closer look at the Edge profile sync with an Azure AD account and the cached tokens…

After synchronization has finished, Microsoft Edge has been granted access to the following existing Keychain entries:

Next, a user signs in to the "Edge" profile to use Azure AD SSO and to satisfy (device-compliance-based) Conditional Access policies.

In addition, token artifacts can be found in the Keychain after you have signed into a Microsoft Edge profile with Azure AD credentials:

The GUIDs after "accesstoken-" and "refreshtoken-" represent the "ClientId" of 1st-party (Microsoft) Enterprise applications. The listed Azure AD tokens are issued for the following apps:

ClientId | (application; table entries not preserved)
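As an added example (not code from the original post or from Microsoft), the script below parses the attribute listing printed by `security dump-keychain` on macOS, picks out the Microsoft-related items, and pulls the ClientId GUID out of the "accesstoken-" / "refreshtoken-" item labels described above. The embedded dump is constructed, the GUIDs are placeholders, and the exact label layout after the GUID is an assumption (the post only documents that the GUID follows the prefix); `security dump-keychain` prints attributes only, so no token material is needed to run it.

```python
"""Parse `security dump-keychain` output and list cached Microsoft identity items.

Added example, not from the original post. On a Mac: `security dump-keychain > dump.txt`
and pass the file as the first argument; with no argument the constructed sample is used.
"""
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout `security dump-keychain` prints. The GUIDs are
# placeholders and the "accesstoken-<ClientId>-..." label layout is an assumption.
SAMPLE_DUMP = '''\
keychain: "/Users/alice/Library/Keychains/login.keychain-db"
version: 512
class: "genp"
attributes:
    0x00000007 <blob>="Microsoft Edge Safe Storage"
    0x00000008 <blob>=<NULL>
    "acct"<blob>="Microsoft Edge"
    "svce"<blob>="Microsoft Edge Safe Storage"
keychain: "/Users/alice/Library/Keychains/login.keychain-db"
version: 512
class: "genp"
attributes:
    0x00000007 <blob>="accesstoken-00000000-0000-0000-0000-000000000001-example"
    "acct"<blob>="22222222-2222-2222-2222-222222222222"
    "svce"<blob>="com.microsoft.example"
keychain: "/Users/alice/Library/Keychains/login.keychain-db"
version: 512
class: "genp"
attributes:
    0x00000007 <blob>="refreshtoken-00000000-0000-0000-0000-000000000001-example"
    "acct"<blob>="22222222-2222-2222-2222-222222222222"
    "svce"<blob>="com.microsoft.example"
keychain: "/Users/alice/Library/Keychains/login.keychain-db"
version: 512
class: "genp"
attributes:
    0x00000007 <blob>="Home Wi-Fi"
    "acct"<blob>="alice"
    "svce"<blob>="AirPort"
'''

LABEL_TAG = "0x00000007"  # dump-keychain prints the item label under this tag
ATTR_RE = re.compile(r'^\s*(0x[0-9A-Fa-f]{8}|"[a-z]{4}")\s*<\w+>=(.*)$')
TOKEN_LABEL_RE = re.compile(
    r"^(accesstoken|refreshtoken)-([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})", re.I)


@dataclass
class KeychainItem:
    item_class: str = ""
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)

    @property
    def label(self) -> str:
        return self.attrs.get("label") or ""

    def token_ref(self) -> Optional[Tuple[str, str]]:
        """(kind, ClientId) for MSAL-style token items, else None."""
        m = TOKEN_LABEL_RE.match(self.label)
        return (m.group(1).lower(), m.group(2).lower()) if m else None

    def is_microsoft_identity_item(self) -> bool:
        if self.token_ref():
            return True
        haystack = " ".join(v for v in self.attrs.values() if v).lower()
        return "microsoft" in haystack


def _value(raw: str) -> Optional[str]:
    raw = raw.strip()
    if raw == "<NULL>":
        return None
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    return raw  # e.g. timedate fields: keep the raw representation


def parse_dump(text: str) -> List[KeychainItem]:
    """Split dump-keychain output into items; each item starts with a 'keychain:' line."""
    items: List[KeychainItem] = []
    current: Optional[KeychainItem] = None
    for line in text.splitlines():
        if line.startswith("keychain:"):
            current = KeychainItem()
            items.append(current)
        elif current is None:
            continue
        elif line.startswith("class:"):
            current.item_class = _value(line.split(":", 1)[1]) or ""
        else:
            m = ATTR_RE.match(line)
            if m:
                key = "label" if m.group(1) == LABEL_TAG else m.group(1).strip('"')
                current.attrs[key] = _value(m.group(2))
    return items


def microsoft_identity_items(text: str) -> List[KeychainItem]:
    return [i for i in parse_dump(text) if i.is_microsoft_identity_item()]


def tokens_by_client_id(text: str) -> Dict[str, List[str]]:
    """Map ClientId -> kinds of cached token items found for it."""
    out: Dict[str, List[str]] = {}
    for item in parse_dump(text):
        ref = item.token_ref()
        if ref:
            out.setdefault(ref[1], []).append(ref[0])
    return out


if __name__ == "__main__":
    dump = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for item in microsoft_identity_items(dump):
        ref = item.token_ref()
        print(item.label, "|", item.attrs.get("svce"), "|", f"{ref[0]} ClientId={ref[1]}" if ref else item.item_class)
```

Running it against a real dump gives an inventory of which first-party ClientIds have access and refresh token items cached for the logged-in user. Adding `-d` to `security dump-keychain` would also print the item data (the token secrets) and triggers the Keychain access prompt for every item whose ACL does not already allow the calling process, which is the same gate an attacker with a user session has to get past.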