AzureAD · mohitc1 · Apr 17, 2026 · Apr 17, 2026 · Apr 17, 2026
@@ -1,5 +1,6 @@
 vNext
 ----------
+- [MINOR] Add provisionResourceAccountCredentials API to DeviceRegistrationClientApplication with V0 protocol params/response and add IPPhone to AppRegistry (#3086)
 - [PATCH] Fix ABBA deadlock between AzureActiveDirectory and AzureActiveDirectoryAuthority class monitors by extracting polymorphic getAuthorityURL() calls outside synchronized scopes and removing unnecessary synchronized from ConcurrentHashMap read-only methods (#3082)
 - [PATCH] Optimize AcquireTokenSilent save path: replace keySet() decrypt-all with in-memory map lookup in removeAccount()/removeCredential(), add telemetry for deleteAccessTokensWithIntersectingScopes, and remove unused elapsed_time_save_account_shared_preferences attribute (#3074)
 - [MINOR] Add DeviceRegistrationClientApplication as public API for OneAuth device registration with mandatory correlationId, DeviceState and DrsDiscoveryEndpoint enums (#3073)

@@ -29,6 +29,9 @@ import com.microsoft.identity.common.adal.internal.AuthenticationConstants.Broke
 import com.microsoft.identity.common.adal.internal.AuthenticationConstants.Broker.INTUNE_APP_PACKAGE_NAME
 import com.microsoft.identity.common.adal.internal.AuthenticationConstants.Broker.INTUNE_APP_SHA512_DEBUG_SIGNATURE
 import com.microsoft.identity.common.adal.internal.AuthenticationConstants.Broker.INTUNE_APP_SHA512_RELEASE_SIGNATURE
+import com.microsoft.identity.common.adal.internal.AuthenticationConstants.Broker.IPPHONE_APP_PACKAGE_NAME
+import com.microsoft.identity.common.adal.internal.AuthenticationConstants.Broker.IPPHONE_APP_SHA512_DEBUG_SIGNATURE
+import com.microsoft.identity.common.adal.internal.AuthenticationConstants.Broker.IPPHONE_APP_SHA512_RELEASE_SIGNATURE
 import com.microsoft.identity.common.adal.internal.AuthenticationConstants.Broker.ONE_AUTH_TEST_APP_SIGNATURE
 import com.microsoft.identity.common.adal.internal.AuthenticationConstants.Broker.SHARED_EDGE_SIGNATURE
 import com.microsoft.identity.common.internal.broker.BrokerData
@@ -112,6 +115,18 @@ object AppRegistry {
         signingCertificateThumbprint = INTUNE_APP_SHA512_DEBUG_SIGNATURE
     )
 
+    val TEAMS_IPPHONE_PROD = App(
+        nickName = "Teams IP Phone - Teams Devices (prod)",
+        packageName = IPPHONE_APP_PACKAGE_NAME,
+        signingCertificateThumbprint = IPPHONE_APP_SHA512_RELEASE_SIGNATURE
+    )
+
+    val TEAMS_IPPHONE_DEBUG = App(
+        nickName = "Teams IP Phone - Teams Devices (debug)",
+        packageName = IPPHONE_APP_PACKAGE_NAME,
+        signingCertificateThumbprint = IPPHONE_APP_SHA512_DEBUG_SIGNATURE
+    )
+
     val MSAL_TEST_APP = App(
         nickName = "MSAL Test App",
         packageName = "com.msft.identity.client.sample.local",
@@ -145,12 +160,14 @@ object AppRegistry {
         add(BrokerData.prodCompanyPortal)
         add(INTUNE_CE_PROD)
         add(INTUNE_AOSP_AGENT_PROD)
+        add(TEAMS_IPPHONE_PROD)
         if (BrokerData.getShouldTrustDebugBrokers()) {
             add(INTUNE_AOSP_AGENT_DEBUG)
             add(BrokerData.debugBrokerHost)
             add(BrokerData.debugMicrosoftAuthenticator)
             add(BrokerData.debugCompanyPortal)
             add(INTUNE_CE_DEBUG)
+            add(TEAMS_IPPHONE_DEBUG)
         }
     }
 

@@ -52,6 +52,7 @@ import com.microsoft.identity.deviceregistration.java.protocol.parameters.GetIns
 import com.microsoft.identity.deviceregistration.java.protocol.parameters.GetRegistrationStateV0Parameters
 import com.microsoft.identity.deviceregistration.java.protocol.parameters.InstallCertificateSilentlyV0Parameters
 import com.microsoft.identity.deviceregistration.java.protocol.parameters.PreProvisionedBlobV0Parameters
+import com.microsoft.identity.deviceregistration.java.protocol.parameters.ProvisionResourceAccountCredentialsV0Parameters
 import com.microsoft.identity.deviceregistration.java.protocol.parameters.UnregisterDeviceV0Parameters
 import com.microsoft.identity.deviceregistration.java.protocol.response.DeviceRegistrationPreAuthorizedV0Response
 import com.microsoft.identity.deviceregistration.java.protocol.response.DeviceRegistrationWithTokensV0Response
@@ -62,6 +63,9 @@ import com.microsoft.identity.deviceregistration.java.protocol.response.GetInsta
 import com.microsoft.identity.deviceregistration.java.protocol.response.GetRegistrationStateV0Response
 import com.microsoft.identity.deviceregistration.java.protocol.response.InstallCertificateSilentlyV0Response
 import com.microsoft.identity.deviceregistration.java.protocol.response.PreProvisionedBlobV0Response
+import com.microsoft.identity.deviceregistration.java.protocol.response.ProvisionResourceAccountCredentialsV0Response
+import com.microsoft.identity.common.java.dto.AccountRecord
+import com.microsoft.identity.common.java.request.SdkType
 import java.util.UUID
 
 /**
@@ -432,4 +436,33 @@ class DeviceRegistrationClientApplication {
         return GetDeviceRegistrationRecordV0Response.create(responseSerialized)
             .deviceRegistrationRecord
     }
+
+    /**
+     * Provisions resource account credentials for the specified tenant and resource account object ID.
+     *
+     * @param tenantId      tenant ID for the resource account.
+     * @param raObjectId    resource account object ID (user ID in home tenant).
+     * @param correlationId correlation ID for request tracing.
+     * @param sdkType       SDK type of the caller (required).
+     * @param sdkVersion    SDK version of the caller (required).
+     * @return [AccountRecord] representing the provisioned resource account credentials.
+     */
+    @Throws(BaseException::class)
+    fun provisionResourceAccountCredentials(
+        tenantId: String,
+        raObjectId: String,
+        correlationId: UUID,
+        sdkType: SdkType,
+        sdkVersion: String
+    ): AccountRecord {
+        val methodTag = "$TAG:provisionResourceAccountCredentials"
+        Logger.info(methodTag, "ProvisionResourceAccountCredentials started. CorrelationId: $correlationId")
+        val responseSerialized = mController.execute(
+            ProvisionResourceAccountCredentialsV0Parameters(correlationId, tenantId, raObjectId, sdkType.name, sdkVersion)
+        )
+        val response = ProvisionResourceAccountCredentialsV0Response.create(responseSerialized)
+        val result = response.accountRecord
+        Logger.info(methodTag, "ProvisionResourceAccountCredentials ended successfully.")
+        return result
+    }
 }
@@ -41,6 +41,10 @@ import com.microsoft.identity.deviceregistration.java.protocol.response.GetDevic
 import com.microsoft.identity.deviceregistration.java.protocol.response.GetDeviceRegistrationRecordsV0Response
 import com.microsoft.identity.deviceregistration.java.protocol.response.GetRegistrationStateV0Response
 import com.microsoft.identity.deviceregistration.java.protocol.response.PreProvisionedBlobV0Response
+import com.microsoft.identity.deviceregistration.java.protocol.parameters.ProvisionResourceAccountCredentialsV0Parameters
+import com.microsoft.identity.deviceregistration.java.protocol.response.ProvisionResourceAccountCredentialsV0Response
+import com.microsoft.identity.common.java.dto.AccountRecord
+import com.microsoft.identity.common.java.request.SdkType
 import org.junit.Assert
 import org.junit.Before
 import org.junit.Test
@@ -197,4 +201,49 @@ class DeviceRegistrationClientApplicationTest {
         drca.getPreProvisionedBlob("test-tenant", correlationId)
         // If we get here without exception, the correlationId was accepted and the flow completed
     }
+
+    @Test
+    fun provisionResourceAccountCredentials_returnsAccountRecord() {
+        val accountRecord = AccountRecord()
+        accountRecord.homeAccountId = "uid.utid"
+        accountRecord.localAccountId = "uid"
+        accountRecord.username = "ra@test.com"
+        accountRecord.environment = "login.microsoftonline.com"
+        accountRecord.realm = "utid"
+        val response = ProvisionResourceAccountCredentialsV0Response(UUID.randomUUID(), accountRecord)
+        val drca = createDrca(successStrategy(packer.pack(response)))
+
+        val result = drca.provisionResourceAccountCredentials("utid", "uid", UUID.randomUUID(), SdkType.MSAL, "1.0.0")
+
+        Assert.assertNotNull(result)
+        Assert.assertEquals("uid.utid", result.homeAccountId)
+        Assert.assertEquals("uid", result.localAccountId)
+        Assert.assertEquals("ra@test.com", result.username)
+        Assert.assertEquals("login.microsoftonline.com", result.environment)
+        Assert.assertEquals("utid", result.realm)
+    }
+
+    @Test
+    fun provisionResourceAccountCredentials_passesParamsToIpc() {
+        val correlationId = UUID.randomUUID()
+        val accountRecord = AccountRecord()
+        val response = ProvisionResourceAccountCredentialsV0Response(UUID.randomUUID(), accountRecord)
+        val strategy: IIpcStrategy = mock()
+        whenever(strategy.getType()).thenReturn(IIpcStrategy.Type.CONTENT_PROVIDER)
+        whenever(strategy.communicateToBroker(any())).thenAnswer { invocation ->
+            val bundle = (invocation.arguments[0] as BrokerOperationBundle).bundle
+            val protocolData = bundle?.getByteArray("protocol.data")
+            Assert.assertNotNull(protocolData)
+            val parameters = ProvisionResourceAccountCredentialsV0Parameters.create(protocolData)
+            Assert.assertEquals(correlationId, parameters.correlationId)
+            Assert.assertEquals("test-tenant", parameters.tenantId)
+            Assert.assertEquals("test-ra-oid", parameters.raObjectId)
+            Assert.assertEquals("MSAL", parameters.sdkType)
+            Assert.assertEquals("1.0.0", parameters.sdkVersion)
+            packer.pack(response)
+        }
+
+        val drca = createDrca(strategy)
+        drca.provisionResourceAccountCredentials("test-tenant", "test-ra-oid", correlationId, SdkType.MSAL, "1.0.0")
+    }
 }
@@ -36,5 +36,5 @@ public final class DeviceRegistrationProtocolConstants {
     public static final String UNREGISTER_DEVICE_V0 = "protocol.unregister.v0";
     public static final String INSTALL_CERTIFICATE_SILENTLY_V0 = "protocol.install.certificate.silently.v0";
     public static final String GET_DEVICE_REGISTRATION_RECORD_VO = "get.device.registration.record.v0";
-    public static final String PROVISION_RESOURCE_ACCOUNT_V0 = "protocol.provision.resource.account.v0";
+    public static final String PROVISION_RESOURCE_ACCOUNT_CREDENTIALS_V0 = "protocol.provision.resource.account.credentials.v0";
 }
@@ -22,42 +22,46 @@
 // THE SOFTWARE.
 package com.microsoft.identity.deviceregistration.java.protocol.parameters;
 
+import com.microsoft.identity.common.java.exception.ClientException;
 import com.microsoft.identity.deviceregistration.java.protocol.DeviceRegistrationProtocolConstants;
+import com.microsoft.identity.deviceregistration.java.protocol.packer.DeviceRegistrationProtocolMoshiSerializer;
+import com.microsoft.identity.deviceregistration.java.protocol.packer.IDeviceRegistrationProtocolSerializer;
 
 import java.util.UUID;
 
+import edu.umd.cs.findbugs.annotations.Nullable;
 import lombok.Getter;
 import lombok.NonNull;
 import lombok.experimental.Accessors;
 
-import com.microsoft.identity.deviceregistration.java.protocol.packer.DeviceRegistrationProtocolMoshiSerializer;
-import com.microsoft.identity.deviceregistration.java.protocol.packer.IDeviceRegistrationProtocolSerializer;
-import com.microsoft.identity.common.java.exception.ClientException;
-
 /**
- * Implements a protocol parameters for provisioning a resource account.
+ * Implements protocol parameters for provisioning resource account credentials.
  */
 @Accessors(prefix = "m")
-public class ProvisionResourceAccountV0Parameters extends AbstractDeviceRegistrationProtocolParameters {
+public class ProvisionResourceAccountCredentialsV0Parameters extends AbstractDeviceRegistrationProtocolParameters {
 
-    private static final IDeviceRegistrationProtocolSerializer<ProvisionResourceAccountV0Parameters> serializer
-            = new DeviceRegistrationProtocolMoshiSerializer<>(ProvisionResourceAccountV0Parameters.class);
+    private static final IDeviceRegistrationProtocolSerializer<ProvisionResourceAccountCredentialsV0Parameters> serializer
+            = new DeviceRegistrationProtocolMoshiSerializer<>(ProvisionResourceAccountCredentialsV0Parameters.class);
 
     /**
      * Creates a protocol object from a byte array (serialized protocol).
      *
      * @param serializedData protocol data serialized
      */
-    public static ProvisionResourceAccountV0Parameters create(final byte[] serializedData) throws ClientException {
+    public static ProvisionResourceAccountCredentialsV0Parameters create(final byte[] serializedData) throws ClientException {
         return serializer.deserialize(serializedData);
     }
 
-    public ProvisionResourceAccountV0Parameters(@NonNull final UUID correlationId,
-                                                @NonNull final String tenantId,
-                                                @NonNull final String raObjectId) {
+    public ProvisionResourceAccountCredentialsV0Parameters(@NonNull final UUID correlationId,
+                                                           @NonNull final String tenantId,
+                                                           @NonNull final String raObjectId,
+                                                           @Nullable final String sdkType,
+                                                           @Nullable final String sdkVersion) {
         super(correlationId);
         mTenantId = tenantId;
         mRaObjectId = raObjectId;
+        mSdkType = sdkType;
+        mSdkVersion = sdkVersion;
     }
 
     @Getter
@@ -68,10 +72,18 @@ public ProvisionResourceAccountV0Parameters(@NonNull final UUID correlationId,
     @NonNull
     private final String mRaObjectId;
 
+    @Getter
+    @Nullable
+    private final String mSdkType;
+
+    @Getter
+    @Nullable
+    private final String mSdkVersion;
+
     @Override
     @NonNull
     public String getProtocolName() {
-        return DeviceRegistrationProtocolConstants.PROVISION_RESOURCE_ACCOUNT_V0;
+        return DeviceRegistrationProtocolConstants.PROVISION_RESOURCE_ACCOUNT_CREDENTIALS_V0;
     }
 
     /**

@@ -22,53 +22,56 @@
 // THE SOFTWARE.
 package com.microsoft.identity.deviceregistration.java.protocol.response;
 
+import com.microsoft.identity.common.java.dto.AccountRecord;
+import com.microsoft.identity.common.java.exception.ClientException;
 import com.microsoft.identity.deviceregistration.java.protocol.DeviceRegistrationProtocolConstants;
+import com.microsoft.identity.deviceregistration.java.protocol.packer.DeviceRegistrationProtocolMoshiSerializer;
+import com.microsoft.identity.deviceregistration.java.protocol.packer.IDeviceRegistrationProtocolSerializer;
 
 import java.util.UUID;
 
 import lombok.Getter;
 import lombok.NonNull;
 import lombok.experimental.Accessors;
 
-import com.microsoft.identity.deviceregistration.java.protocol.packer.DeviceRegistrationProtocolMoshiSerializer;
-import com.microsoft.identity.deviceregistration.java.protocol.packer.IDeviceRegistrationProtocolSerializer;
-import com.microsoft.identity.common.java.exception.ClientException;
-
+/**
+ * Response for the provision resource account credentials protocol.
+ */
 @Accessors(prefix = "m")
-public class ProvisionResourceAccountV0Response extends AbstractDeviceRegistrationProtocolResponse {
+public class ProvisionResourceAccountCredentialsV0Response extends AbstractDeviceRegistrationProtocolResponse {
 
-    private static final IDeviceRegistrationProtocolSerializer<ProvisionResourceAccountV0Response> serializer
-            = new DeviceRegistrationProtocolMoshiSerializer<>(ProvisionResourceAccountV0Response.class);
+    private static final IDeviceRegistrationProtocolSerializer<ProvisionResourceAccountCredentialsV0Response> serializer
+            = new DeviceRegistrationProtocolMoshiSerializer<>(ProvisionResourceAccountCredentialsV0Response.class);
 
     /**
      * Creates a protocol object from a byte array (serialized protocol).
      *
      * @param serializedData protocol data serialized
      */
-    public static ProvisionResourceAccountV0Response create(final byte[] serializedData) throws ClientException {
+    public static ProvisionResourceAccountCredentialsV0Response create(final byte[] serializedData) throws ClientException {
         return serializer.deserialize(serializedData);
     }
 
-    public ProvisionResourceAccountV0Response(@NonNull final UUID correlationId,
-                                              @NonNull final String result) {
+    public ProvisionResourceAccountCredentialsV0Response(@NonNull final UUID correlationId,
+                                                         @NonNull final AccountRecord accountRecord) {
         super(correlationId);
-        mResult = result;
+        mAccountRecord = accountRecord;
     }
 
     @Getter
     @NonNull
-    private final String mResult;
+    private final AccountRecord mAccountRecord;
 
     /**
      * Returns the name of the protocol.
      */
     @Override
     public String getProtocolName() {
-        return DeviceRegistrationProtocolConstants.PROVISION_RESOURCE_ACCOUNT_V0;
+        return DeviceRegistrationProtocolConstants.PROVISION_RESOURCE_ACCOUNT_CREDENTIALS_V0;
     }
 
     /**
-     * return the serialized the protocol.
+     * Serialization is handled by the packer layer.
      */
     @Override
     public byte[] serialize() {