Shang-De Jiang
Shang-De Jiang is a deputy director of the research team at CyCraft. He currently focuses on research into incident response, endpoint security, and Microsoft security. He has given technical presentations at industry conferences such as TROOPERS, HITB, HITCON, CodeBlue, Blue Team Summit, and Black Hat USA. He is a co-founder of UCCU Hacker, a private hacker group in Taiwan.
Session
While Entra ID Single Sign-On (SSO) on Windows has been studied extensively, yielding techniques and tooling such as ROADtoken and BAADTokenBroker, the macOS implementation has remained largely unexplored. In this talk, we present new findings on how Microsoft implements SSO within the Intune Company Portal for macOS, and demonstrate how we bypassed its signature validation logic to extract Primary Refresh Token (PRT) cookies with only user-level permissions.
We begin by comparing the SSO authentication flows and security checks on Windows and macOS, highlighting the stricter verification mechanisms on macOS (e.g., signature checks, process checks…). Through our research, we discovered weaknesses in the authentication validation logic that allow an attacker to bypass the process checks and obtain authentication tokens under specific conditions.
This talk includes a live demo of PRT cookie extraction on a current macOS release. We conclude with practical defense recommendations for enterprises deploying Entra ID on macOS.