Breaking Down macOS Intune SSO: PRT Cookies Theft and Platform Comparison
2025-06-26, Track 2 (AD & Entra ID Sec)

While Entra ID Single Sign-On (SSO) on Windows has been extensively studied, leading to techniques such as ROADtoken and BAADTokenBroker, the macOS implementation has remained largely unexplored. In this talk, we present new findings on how Microsoft implements SSO within the Intune Company Portal for macOS, and demonstrate how we successfully bypassed its signature validation logic to extract Primary Refresh Token (PRT) cookies under user-level permissions.

We begin by comparing the SSO authentication flows and security checks on both Windows and macOS, highlighting the stricter verification mechanisms (e.g. signature checks, process checks…). Through our research, we discovered certain authentication validation weaknesses in the implementation that could allow attackers to bypass process checks and obtain authentication tokens under specific conditions.

This talk includes a live demo of PRT cookie extraction on a current macOS system. We conclude with practical defense recommendations for enterprises deploying Entra ID on macOS.


This presentation provides an in-depth analysis of Entra ID's Single Sign-On (SSO) implementation on macOS, focusing on both architectural design and practical attack vectors. By dissecting the SSO trust chain and examining how each component validates the identity of calling processes, we reveal how Primary Refresh Token (PRT) cookies can be extracted from Company Portal on macOS, all under standard user permissions.

Main topics to be covered:

  1. SSO request and authentication flows on Windows as a baseline comparison
  2. Breakdown of the Company Portal SSO implementation and flows on macOS
  3. Detailed analysis of Company Portal SSO components:
    • BrowserCore implementation specific to macOS
    • AppSSOAgent - macOS built-in framework for vendor SSO implementation
    • Mac SSO Extension - Microsoft's authentication module for macOS
    • Security checks and verification mechanisms
  4. Demonstration of abuse methods
  5. Defense strategies and security recommendations

Key takeaways for the audience:

  • Understanding of Microsoft's system integration with macOS
  • Comparison of security strengths and weaknesses between platforms
  • Guidance on implementing defenses

Technical prerequisites:

Attendees should have a basic understanding of Entra ID concepts. While familiarity with macOS reverse engineering will be helpful, we will provide the necessary background to help Windows-focused professionals follow the content. The presentation will include detailed explanations of key concepts to ensure accessibility for the whole audience.

  • Kazma is a university student from Taiwan and a cybersecurity intern at CyCraft, rumored to be the last surviving member of the Uchiha clan.
  • His current work focuses on how Microsoft Entra ID integrates and behaves on macOS, diving deep into binary internals and real-world authentication logic.
  • He’s also a CTF player with the B33F 50UP team, with a passion for reverse engineering and binary exploitation.

Shang-De Jiang is a deputy director of the research team at CyCraft. Currently, he focuses on research in incident response, endpoint security and Microsoft security. He has given technical presentations at industry conferences such as TROOPERS, HITB, HITCON, CodeBlue, Blue Team Summit and Black Hat USA. He is the co-founder of UCCU Hacker, a private hacker group in Taiwan.