Kazma Ye
- Kazma is a university student from Taiwan and a cybersecurity intern at CyCraft, rumored to be the last surviving member of the Uchiha clan.
- His current work focuses on how Microsoft Entra ID integrates and behaves on macOS, diving deep into binary internals and real-world authentication logic.
- He’s also a CTF player with the B33F 50UP team, with a passion for reverse engineering and binary exploitation.
Session
While Entra ID Single Sign-On (SSO) on Windows has been studied extensively, leading to techniques such as ROADtoken and BAADTokenBroker, the macOS implementation has remained largely unexplored. In this talk, we present new findings on how Microsoft implements SSO within the Intune Company Portal for macOS, and demonstrate how we bypassed its signature validation logic to extract Primary Refresh Token (PRT) cookies with only user-level permissions.
We begin by comparing the SSO authentication flows and security checks on Windows and macOS, highlighting the stricter verification mechanisms on macOS (e.g. signature checks and process checks). Through our research, we discovered authentication validation weaknesses in the implementation that could allow an attacker to bypass these process checks and obtain authentication tokens under specific conditions.
The talk includes a live demo of PRT cookie extraction on the latest macOS release. We conclude with practical defense recommendations for enterprises deploying Entra ID on macOS.