Merge pull request #453 from AzureAD/user/danigon/yeehaw

feat: macOS brokered authentication support

Author: dggsax

CHANGELOG.md

@@ -5,6 +5,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+### Added
+- Added support for macOS brokered authentication via Enterprise SSO Extension (opt-in with `--mode broker`)
+
+### Changed
+- Upgrade MSAL from `4.65.0` to `4.83.1`
+- Added `Microsoft.Identity.Client.NativeInterop` v0.20.3
 
 ## [0.9.5] - 2026-02-24
 ### Added

README.md

@@ -20,7 +20,7 @@ The CLI is designed for authenticating and returning an access token for public
 | Operating System                           | Integrated Windows Auth | Auth Broker Integration | Web Auth Flow            | Device Code Flow | Token Caching | Multi-Account Support           |
 | ------------------------------------------ | ----------------------- | ----------------------- | ------------------------ | ---------------- | ------------- | ------------------------------- |
 | Windows                                    | ✅                      | ✅                      | ✅                      | ✅              | ✅          | ⚠️ `--domain` account filtering |
-| OSX (MacOS)                                | N/A                      | ⚠️ via Web Browser      | ✅                      | ✅             | ✅          | ⚠️ `--domain` account filtering |
+| OSX (macOS)                                | N/A                      | ✅ via Enterprise SSO    | ✅                      | ✅             | ✅          | ⚠️ `--domain` account filtering |
 | Ubuntu (Linux)                             | N/A                      | ⚠️ via Edge             | ⚠️ in GUI environments | ✅        | ✅      | ⚠️ `--domain` account filtering |
 
 <br/>

bin/mac/test-macos-broker.sh

@@ -0,0 +1,234 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Functional test script for macOS brokered auth changes
+# Tests AzureAuth CLI with Work IQ's 3P Graph app registration
+#
+# Usage:
+#   ./bin/mac/test-macos-broker.sh                              # defaults (debug verbosity, 120s timeout)
+#   AZUREAUTH_TEST_VERBOSITY=info  ./bin/mac/test-macos-broker.sh   # less noise
+#   AZUREAUTH_TEST_VERBOSITY=trace ./bin/mac/test-macos-broker.sh   # max detail
+#   AZUREAUTH_TEST_TIMEOUT=60     ./bin/mac/test-macos-broker.sh   # shorter timeout
+#
+# Each interactive test has a timeout (default 120s). If azureauth hangs
+# waiting for browser/broker, it will be killed and you can choose to
+# mark it as SKIP or FAIL, then the script continues to the next test.
+#
+# You can also Ctrl+C during any individual test — the script traps it
+# and moves on.
+
+REPO_ROOT="$(cd "$(dirname "$0")/../.." && pwd)"
+AZUREAUTH="$REPO_ROOT/src/AzureAuth/bin/Debug/net8.0/azureauth"
+CLIENT="ba081686-5d24-4bc6-a0d6-d034ecffed87"
+TENANT="common"
+RESOURCE="https://graph.microsoft.com"
+TIMEOUT="${AZUREAUTH_TEST_TIMEOUT:-120}"
+VERBOSITY="${AZUREAUTH_TEST_VERBOSITY:-debug}"  # debug, trace, info, warn
+
+PASS=0
+FAIL=0
+SKIP=0
+
+header() {
+    echo ""
+    echo "========================================"
+    echo "  $1"
+    echo "========================================"
+}
+
+result() {
+    local name="$1" exit_code="$2" expected="$3"
+    if [ "$exit_code" -eq "$expected" ]; then
+        echo "✅ PASS: $name (exit=$exit_code, expected=$expected)"
+        PASS=$((PASS + 1))
+    else
+        echo "❌ FAIL: $name (exit=$exit_code, expected=$expected)"
+        FAIL=$((FAIL + 1))
+    fi
+}
+
+# Run azureauth with a timeout. On Ctrl+C or timeout, offer skip/fail.
+# Usage: run_test "Test Name" expected_exit args...
+run_test() {
+    local test_name="$1" expected_exit="$2"
+    shift 2
+
+    echo ""
+    echo "→ Running: azureauth $*"
+    echo "  (timeout: ${TIMEOUT}s — Ctrl+C to abort this test)"
+    echo ""
+
+    local interrupted=false
+    local pid=""
+
+    # Trap SIGINT (Ctrl+C) for this test only
+    trap 'interrupted=true; [ -n "$pid" ] && kill "$pid" 2>/dev/null' INT
+
+    set +e
+    # Run azureauth in background, then wait with timeout
+    "$AZUREAUTH" "$@" 2>&1 &
+    pid=$!
+
+    # Wait up to TIMEOUT seconds for the process to finish
+    local elapsed=0
+    while [ "$elapsed" -lt "$TIMEOUT" ] && kill -0 "$pid" 2>/dev/null; do
+        sleep 1
+        ((elapsed++))
+        if [ "$interrupted" = true ]; then
+            break
+        fi
+    done
+
+    # If still running after timeout, kill it
+    if kill -0 "$pid" 2>/dev/null; then
+        kill "$pid" 2>/dev/null
+        wait "$pid" 2>/dev/null
+        if [ "$interrupted" = false ]; then
+            echo ""
+            echo "⏱️  Test timed out after ${TIMEOUT}s"
+        fi
+        interrupted=true
+        EXIT_CODE=124
+    else
+        wait "$pid"
+        EXIT_CODE=$?
+    fi
+    pid=""
+    set -e
+
+    # Restore default SIGINT behavior
+    trap - INT
+
+    if [ "$interrupted" = true ]; then
+        echo ""
+        echo "Test was interrupted/timed out."
+        read -p "Mark as [s]kip or [f]ail? (s/f, default=s): " choice </dev/tty || choice="s"
+        choice="${choice:-s}"
+        if [[ "$choice" =~ ^[fF] ]]; then
+            echo "❌ FAIL: $test_name (interrupted, marked as fail)"
+            FAIL=$((FAIL + 1))
+        else
+            echo "⏭️  SKIP: $test_name (interrupted)"
+            SKIP=$((SKIP + 1))
+        fi
+        return
+    fi
+
+    result "$test_name" "$EXIT_CODE" "$expected_exit"
+}
+
+# ── Step 0: Build ──────────────────────────────────────────────
+header "Step 0: Building AzureAuth"
+dotnet build "$REPO_ROOT/AzureAuth.sln" \
+    --no-restore -c Debug -v quiet 2>&1 | tail -3
+
+if [ ! -x "$AZUREAUTH" ]; then
+    echo "❌ Build failed — binary not found at $AZUREAUTH"
+    exit 1
+fi
+echo "✅ Binary ready: $AZUREAUTH"
+echo "   Version: $("$AZUREAUTH" --version)"
+
+# ── Step 0.5: CP version info ─────────────────────────────────
+header "Step 0.5: Company Portal status"
+CP_PLIST="/Applications/Company Portal.app/Contents/Info.plist"
+if [ -f "$CP_PLIST" ]; then
+    CP_VERSION=$(defaults read "/Applications/Company Portal.app/Contents/Info" CFBundleShortVersionString 2>/dev/null || echo "unknown")
+    echo "Company Portal version: $CP_VERSION"
+    # Extract release number (middle segment of 5.RRRR.B)
+    RELEASE=$(echo "$CP_VERSION" | awk -F. '{print $2}')
+    if [ "$RELEASE" -ge 2603 ] 2>/dev/null; then
+        echo "⚡ CP >= 2603 — broker tests WILL attempt real broker auth"
+        BROKER_AVAILABLE=true
+    else
+        echo "⚠️  CP $CP_VERSION (release $RELEASE) < 2603 — broker will be gated off"
+        BROKER_AVAILABLE=false
+    fi
+else
+    echo "⚠️  Company Portal not installed — broker will be gated off"
+    BROKER_AVAILABLE=false
+fi
+
+# ── Test 1: Broker-only mode (opt-in) ────────────────────────
+header "Test 1: Broker-only mode (--mode broker)"
+if [ "$BROKER_AVAILABLE" = true ]; then
+    echo "CP >= 2603 detected — this will attempt real broker auth"
+    echo "Expect: broker interactive prompt via Enterprise SSO Extension"
+    EXPECTED_EXIT=0
+else
+    echo "CP < 2603 or not installed — expecting clear error about Company Portal"
+    echo "Expect: InvalidOperationException with CP version/path info"
+    EXPECTED_EXIT=1
+fi
+run_test "Broker-only (opt-in)" "$EXPECTED_EXIT" \
+    aad --client "$CLIENT" --tenant "$TENANT" \
+    --resource "$RESOURCE" \
+    --mode broker --output json --verbosity "$VERBOSITY"
+
+# ── Test 2: Trace verbosity — verify CP diagnostics in logs ───
+header "Test 2: Trace verbosity — CP diagnostic logging"
+echo "Running with --verbosity trace to verify Company Portal metadata is logged."
+echo "🔍 Watch for: CP path, raw version output, release parsing"
+if [ "$BROKER_AVAILABLE" = true ]; then
+    EXPECTED_EXIT=0
+else
+    EXPECTED_EXIT=1
+fi
+run_test "Trace CP diagnostics" "$EXPECTED_EXIT" \
+    aad --client "$CLIENT" --tenant "$TENANT" \
+    --resource "$RESOURCE" \
+    --mode broker --output json --verbosity trace
+
+# ── Test 3: Clear cache ───────────────────────────────────────
+header "Test 3: Clear token cache"
+run_test "Cache clear" 0 \
+    aad --client "$CLIENT" --tenant "$TENANT" \
+    --resource "$RESOURCE" \
+    --clear --verbosity "$VERBOSITY"
+
+# ── Test 4: Clear cache (before re-testing broker interactive) ─
+header "Test 4: Clear token cache"
+run_test "Cache clear (pre-broker retest)" 0 \
+    aad --client "$CLIENT" --tenant "$TENANT" \
+    --resource "$RESOURCE" \
+    --clear --verbosity "$VERBOSITY"
+
+# ── Test 5: Broker interactive again (after cache clear) ──────
+header "Test 5: Broker interactive (after cache clear)"
+if [ "$BROKER_AVAILABLE" = true ]; then
+    echo "Cache was just cleared — broker must prompt interactively again"
+    echo "Expect: broker account picker / SSO Extension prompt"
+    EXPECTED_EXIT=0
+else
+    echo "CP unavailable — broker skipped, CachedAuth only (will fail)"
+    EXPECTED_EXIT=1
+fi
+run_test "Broker interactive (re-prompt)" "$EXPECTED_EXIT" \
+    aad --client "$CLIENT" --tenant "$TENANT" \
+    --resource "$RESOURCE" \
+    --mode broker --output json --verbosity "$VERBOSITY"
+
+# ── Test 6: Final cache clear ─────────────────────────────────
+header "Test 6: Final cache clear"
+run_test "Cache clear (final)" 0 \
+    aad --client "$CLIENT" --tenant "$TENANT" \
+    --resource "$RESOURCE" \
+    --clear --verbosity "$VERBOSITY"
+
+# ── Summary ────────────────────────────────────────────────────
+header "Results"
+echo "✅ Passed: $PASS"
+echo "⏭️  Skipped: $SKIP"
+echo "❌ Failed: $FAIL"
+echo ""
+echo "Broker available: $BROKER_AVAILABLE"
+if [ "$BROKER_AVAILABLE" = false ]; then
+    echo "ℹ️  To test actual broker auth, upgrade Company Portal to >= 5.2603.x"
+fi
+echo ""
+echo "Tip: Set AZUREAUTH_TEST_TIMEOUT=60 to change the per-test timeout (default: 30s)"
+echo ""
+
+if [ "$FAIL" -gt 0 ]; then
+    exit 1
+fi

docs/usage.md

@@ -1,9 +1,9 @@
 # Usage
 AzureAuth is a generic Azure credential provider. It currently supports the following modes of [public client authentication](https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-client-applications) (i.e., authenticating a human user.)
-* [IWA (Integrated Windows Authentication)](https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-desktop-acquire-token-integrated-windows-authentication)
-* [WAM (Web Account Manager)](https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-desktop-acquire-token-wam) (Windows only brokered authentication)
+* [IWA (Integrated Windows Authentication)](https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-desktop-acquire-token-integrated-windows-authentication) (Windows only)
+* [Brokered Authentication](https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-desktop-acquire-token-wam) (Windows via WAM, macOS via Enterprise SSO Extension)
 * [Embedded Web View](https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-net-web-browsers) (Windows Only)
-* [System Web Browser](https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-net-web-browsers) (Used on OSX in-place of Embedded Web View)
+* [System Web Browser](https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-net-web-browsers) (Used on macOS in-place of Embedded Web View)
 * [Device Code Flow](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Device-Code-Flow) (All platforms, terminal interface only).
 
 ## `aad` subcommand
@@ -23,6 +23,28 @@ The `azureauth aad` subcommand is a "pass-through" for using [MSAL.NET](https://
 
    ![WAM redirect URI configuration](wam-config.png "A screenshot of a WAM URI being configured as a custom redirect URI.")
 
+2b. Configure redirect URIs for the **macOS Enterprise SSO Extension** (the macOS broker)
+   1. Select the **Authentication** blade.
+   2. Under Platform configurations, find **Mobile and desktop applications**.
+   3. Select **Add URI** and enter
+      ```
+      msauth.com.msauth.unsignedapp://auth
+      ```
+   4. Select **Save**.
+   
+   > **Note:** macOS brokered authentication is **opt-in** via `--mode broker` and requires:
+   > - **Company Portal** version 5.2603.0 or later installed on the device
+   > - Device is **MDM-compliant**
+   > 
+   > If Company Portal is unavailable or below the minimum version, broker is
+   > silently skipped and the next auth flow in the chain is attempted.
+   > 
+   > Example usage:
+   > ```
+   > azureauth aad --client <clientID> --resource <resourceID> --tenant <tenantID> --mode broker
+   > azureauth aad --client <clientID> --resource <resourceID> --tenant <tenantID> --mode broker --mode web
+   > ```
+
 3. Configure redirect URIs for the **system web browser**
    1. Select the **Authentication** blade.
    2. Under Platform configurations, find **Mobile and desktop applications**

src/AdoPat/AdoPat.csproj

@@ -10,7 +10,7 @@
     <AdditionalFiles Include="..\stylecop\stylecop.json" Link="stylecop.json" />
     <Compile Include="..\stylecop\GlobalSuppressions.cs" Link="GlobalSuppressions.cs" />
     <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="8.0.2" />
-    <PackageReference Include="Microsoft.Identity.Client.Extensions.Msal" Version="4.65.0" />
+    <PackageReference Include="Microsoft.Identity.Client.Extensions.Msal" Version="4.83.1" />
     <PackageReference Include="Microsoft.VisualStudio.Services.Client" Version="19.239.0-preview" />
     <PackageReference Include="System.Data.SqlClient" Version="4.8.6" />
     <!-- Transitive dependencies of Microsoft.VisualStudio.Services.Client temporarily pinned for security reasons. -->

src/AzureAuth.Test/AuthModeExtensionsTest.cs

@@ -58,13 +58,16 @@ public void Filterinteraction_Interactive_Auth_Disabled(string envVar)
             this.logTarget.Logs.Should().ContainInOrder("Interactive authentication is disabled.", "Only Integrated Windows Authentication will be attempted.");
         }
 #else
+        [Test]
+        [Platform("MacOsX,Linux")]
         public void CombinedAuthMode_Allowed()
         {
             // Arrange
             this.envMock.Setup(e => e.Get(EnvVars.NoUser)).Returns(string.Empty);
             this.envMock.Setup(e => e.Get("Corext_NonInteractive")).Returns(string.Empty);
 
-            var subject = new[] { AuthMode.Web, AuthMode.DeviceCode };
+            // Default on macOS is Web only (broker is opt-in).
+            var subject = new[] { AuthMode.Web };
 
             // Act + Assert
             subject.Combine().PreventInteractionIfNeeded(this.envMock.Object, this.logger).Should().Be(AuthMode.Default);
@@ -73,7 +76,8 @@ public void CombinedAuthMode_Allowed()
 
         [TestCase("AZUREAUTH_NO_USER")]
         [TestCase("Corext_NonInteractive")]
-        public void Filterinteraction_Interactive_Auth_Disabled(string envVar)
+        [Platform("MacOsX,Linux")]
+        public void Filterinteraction_Interactive_Auth_Disabled_NoBroker(string envVar)
         {
             // Arrange
             this.envMock.Setup(e => e.Get(envVar)).Returns("1");
@@ -83,6 +87,20 @@ public void Filterinteraction_Interactive_Auth_Disabled(string envVar)
             subject.Combine().PreventInteractionIfNeeded(this.envMock.Object, this.logger).Should().Be(AuthMode.None);
             this.logTarget.Logs.Should().ContainInOrder("Interactive authentication is disabled.");
         }
+
+        [TestCase("AZUREAUTH_NO_USER")]
+        [TestCase("Corext_NonInteractive")]
+        [Platform("MacOsX,Linux")]
+        public void Filterinteraction_Interactive_Auth_Disabled_WithBroker(string envVar)
+        {
+            // Arrange
+            this.envMock.Setup(e => e.Get(envVar)).Returns("1");
+            var subject = new[] { AuthMode.Broker, AuthMode.Web, AuthMode.DeviceCode };
+
+            // Act + Assert
+            subject.Combine().PreventInteractionIfNeeded(this.envMock.Object, this.logger).Should().Be(AuthMode.Broker);
+            this.logTarget.Logs.Should().ContainInOrder("Interactive authentication is disabled.", "Only Broker silent authentication will be attempted.");
+        }
 #endif
     }
 }

src/AzureAuth/AuthModeExtensions.cs

@@ -28,7 +28,14 @@ public static AuthMode PreventInteractionIfNeeded(this AuthMode authMode, IEnv e
                 logger.LogWarning($"Only Integrated Windows Authentication will be attempted.");
                 return AuthMode.IWA;
 #else
-                return 0;
+                // Keep broker for silent auth on macOS, where the broker can resolve tokens silently.
+                var silentMode = authMode & AuthMode.Broker;
+                if (silentMode != 0)
+                {
+                    logger.LogWarning($"Only Broker silent authentication will be attempted.");
+                }
+
+                return silentMode;
 #endif
             }
 

src/AzureAuth/Commands/CommandAad.cs

@@ -90,7 +90,7 @@ public class CommandAad
 #if PlatformWindows
         public const string AuthModeAllowedValues = "all, iwa, broker, web, devicecode";
 #else
-        public const string AuthModeAllowedValues = "all, web, devicecode";
+        public const string AuthModeAllowedValues = "all, broker, web, devicecode";
 #endif
 
         private const string ResourceOption = "--resource";