Broker token acquisition fails on macOS with error code -42000 (sourceArea: Broker, Status_Unexpected) #149

@peombwa

Describe the bug

When using MSAL Python with the broker (msal[broker]) on macOS Tahoe 26.4.1 (Intel), silent token acquisition via the SSO broker consistently fails with error code -42000 and domain MSALErrorDomain. The error is thrown in sourceArea: Broker with Status: Response_Status.Status_Unexpected.

From the Company Portal logs, the broker appears to be reachable (keychain lookups succeed, PSSO/secondary broker is selected), but the silent flow ultimately fails. No fallback to interactive auth occurs.

Environment

| Component | Version |
|---|---|
| macOS | Tahoe 26.4.1 (Intel) |
| Python | 3.13.10 (Python Build Standalone, darwin-x64) |
| msal[broker] | >=1.34,<2 (pip-installed) |
| msal-extensions | >=1.3.1 (pip-installed) |
| MSAL native (broker) | 2.9.0 |
| ADB | v3.16.5 |
| WPJ | v3.14.1 |

Steps to reproduce

  1. Install a Python CLI tool that uses msal[broker] for authentication on macOS
  2. Configure an Azure AD app registration with broker-based auth (A2A flow)
  3. Run the tool, which triggers acquire_token_silent() → broker flow
  4. Observe failure on every attempt

Expected behavior

Broker-based silent token acquisition should succeed, or cleanly fall back to interactive authentication.

Actual behavior

Token acquisition fails with the following error:

Failed to acquire token: Description: (pii), Domain: MSALErrorDomain.
Error was thrown in sourceArea: Broker.
Status: Response_Status.Status_Unexpected,
Error code: -42000, Tag: 508638916

Native Company Portal broker logs

From the terminal, run tail -f ~/Library/Containers/com.microsoft.CompanyPortalMac.ssoextension/Data/Library/Caches/Logs/Microsoft/SSOExtension/*

2026-05-07 13:26:11:691 | I | ADB v3.16.5/WPJ v3.14.1 | Beginning authorization request
2026-05-07 13:26:11:692 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] New Browser SSO state machine handler will be used
2026-05-07 13:26:11:692 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature flag enable_js_platform_authentication, value in config 1, value type __NSCFNumber, this feature is disabled by default
2026-05-07 13:26:11:692 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Feature flag enable_js_platform_authentication is enabled
2026-05-07 13:26:11:692 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature flag browser_sso_interaction_enabled, value in config (null), value type (null), this feature is enabled by default
2026-05-07 13:26:11:692 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature flag browser_sso_disable_mfa, value in config (null), value type (null), this feature is disabled by default
2026-05-07 13:26:11:693 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature flag disable_browser_sso_intercept_all, value in config (null), value type (null), this feature is disabled by default
2026-05-07 13:26:11:693 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature flag disable_inapp_sso_signin, value in config (null), value type (null), this feature is disabled by default
2026-05-07 13:26:11:693 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature flag allow_account_enumeration_for_any_app, value in config (null), value type (null), this feature is disabled by default
2026-05-07 13:26:11:693 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature flag allow_account_enumeration_for_managed_apps, value in config (null), value type (null), this feature is disabled by default
2026-05-07 13:26:11:693 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature flag allow_global_signout_for_managed_apps, value in config (null), value type (null), this feature is disabled by default
2026-05-07 13:26:11:693 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature flag sharedDeviceMode, value in config (null), value type (null), this feature is disabled by default
2026-05-07 13:26:11:693 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature flag suppress_camera_consent, value in config (null), value type (null), this feature is disabled by default
2026-05-07 13:26:11:693 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature flag sdm_suppress_camera_consent, value in config (null), value type (null), this feature is disabled by default
2026-05-07 13:26:11:693 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature strings get_sso_cookie_allowlist, value in config (null), value type (null), this feature is not set by default
2026-05-07 13:26:11:693 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature strings get_sso_cookie_blocklist, value in config (null), value type (null), this feature is not set by default
2026-05-07 13:26:11:693 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature flag admin_debug_mode_enabled, value in config (null), value type (null), this feature is disabled by default
2026-05-07 13:26:11:693 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature flag disable_explicit_app_prompt, value in config (null), value type (null), this feature is enabled by default
2026-05-07 13:26:11:693 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature flag disable_explicit_app_prompt_and_autologin, value in config 1, value type __NSCFNumber, this feature is disabled by default
2026-05-07 13:26:11:693 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Feature flag disable_explicit_app_prompt_and_autologin is enabled
2026-05-07 13:26:11:693 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature flag remove_sso_rt_header, value in config (null), value type (null), this feature is disabled by default
2026-05-07 13:26:11:693 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature flag disable_explicit_native_app_prompt, value in config (null), value type (null), this feature is disabled by default
2026-05-07 13:26:11:693 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature flag disable_explicit_native_app_prompt_and_autologin, value in config (null), value type (null), this feature is disabled by default
2026-05-07 13:26:11:693 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature flag sso_extension_exclude_msal_request_enabled, value in config (null), value type (null), this feature is enabled by default
2026-05-07 13:26:11:693 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature flag sso_extension_disable_browser_interrupts, value in config (null), value type (null), this feature is disabled by default
2026-05-07 13:26:11:693 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature flag disable_ecc_prts, value in config (null), value type (null), this feature is disabled by default
2026-05-07 13:26:11:693 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature string preferred_auth_config, value in config (null), value type (null), this feature is not set by default
2026-05-07 13:26:11:708 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Pre-processing received json...
2026-05-07 13:26:11:708 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] No broker key in json payload, generate it from source application.
2026-05-07 13:26:11:709 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Return pre-preocess json.
2026-05-07 13:26:11:709 | E | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] token_type key is missing in dictionary.
2026-05-07 13:26:11:710 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] PID analysis - Parent is not launchd: YES, Runtime-like: YES
2026-05-07 13:26:11:710 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] No UI is needed. About to execute without UI.
2026-05-07 13:26:11:710 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Handling SSO request, requested operation: refresh
2026-05-07 13:26:11:710 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11 - 22BFFFB8-02DE-46B6-99E5-150B526FB531] Handling silent SSO request...
2026-05-07 13:26:11:714 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] PSSO status : enabled and registered
2026-05-07 13:26:11:715 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] bundleIdsAllowedInBrowserNativeMessageFlow {(
    "com.microsoft.msedge.adhoc-df",
    "com.microsoft.msedge.debug",
    "com.microsoft.edgemac",
    "com.microsoft.edgemac.Canary",
    "com.microsoft.edgemac.Beta",
    "com.microsoft.msedge",
    "com.microsoft.edgemac.local",
    "com.microsoft.edgemac.Dev",
    "com.microsoft.msedge-df.dev",
    "com.microsoft.msedge-df.canary",
    "microsoft.com.browserMessagingHost",
    "com.microsoft.msedge.dogfood",
    "com.microsoft.msedge-df.beta"
)}
2026-05-07 13:26:11:718 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Keychain find status: -25300
2026-05-07 13:26:11:718 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Start redirect_uri validation with isRunTimeLikeApp: 1 teamID != nil: 0 sourceApp:  redirectURI: 
2026-05-07 13:26:11:718 | E | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Creating Error with description: SouceApplication is invalid
2026-05-07 13:26:11:719 | E | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Failed to handle SSO request, error Error Domain=MSALErrorDomain Code=-42000 "(null)" UserInfo={MSALErrorDescriptionKey=SouceApplication is invalid}
2026-05-07 13:26:11:719 | I | ADB v3.16.5/WPJ v3.14.1 | Finish calling executing SSO extension request. (new handler)
2026-05-07 13:26:11:719 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Finish executing request.
2026-05-07 13:26:11:719 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Finished SSO request.

Additional context

  • The issue reproduces consistently across cache-cleared runs.
  • The calling application is an unsigned Python process (Python Build Standalone distribution), which may affect broker redirect URI validation or sourceApplication resolution on macOS.
  • Windows and Linux broker auth works correctly in the same codebase; this is macOS-specific.
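
Added example (not part of the original issue, and not MSAL or Company Portal code): a small triage parser for the SSO extension log format shown above, which pulls out the error-level messages, the final NSError, and the inputs the broker logged for its redirect_uri validation. The field names in the report and the `finding` label are this example's own, and the sample lines are copied from the excerpt in the issue.

```python
import re

# Shape of one SSO extension log line: "<date> <time> | <level> | <component> | <rest>"
LINE = re.compile(r"^(\S+ \S+) \| ([A-Z]) \| (.*?) \| (.*)$")
# Optional "TID=... MSAL ... [timestamp] " prefix in front of the message text
PREFIX = re.compile(r"^TID=\d+ .*?\[[^\]]*\] ")
REDIRECT = re.compile(
    r"isRunTimeLikeApp: (\d) teamID != nil: (\d) sourceApp: (.*?) redirectURI:\s*(.*)$")
NSERROR = re.compile(
    r"Error Domain=(\w+) Code=(-?\d+).*?MSALErrorDescriptionKey=([^}]*)\}")

# Sample input: lines taken from the log excerpt in the issue above.
SAMPLE = """\
2026-05-07 13:26:11:709 | E | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] token_type key is missing in dictionary.
2026-05-07 13:26:11:710 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] No UI is needed. About to execute without UI.
    "com.microsoft.edgemac",
2026-05-07 13:26:11:718 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Start redirect_uri validation with isRunTimeLikeApp: 1 teamID != nil: 0 sourceApp:  redirectURI: 
2026-05-07 13:26:11:718 | E | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Creating Error with description: SouceApplication is invalid
2026-05-07 13:26:11:719 | E | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Failed to handle SSO request, error Error Domain=MSALErrorDomain Code=-42000 "(null)" UserInfo={MSALErrorDescriptionKey=SouceApplication is invalid}
"""

def triage(log_text):
    """Collect E-level messages, the final NSError and the redirect_uri check inputs."""
    report = {"errors": [], "nserror": None, "redirect_check": None, "finding": None}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # continuation lines (e.g. the bundle ID list) carry no level
        level, msg = m.group(2), PREFIX.sub("", m.group(4))
        if level == "E":
            report["errors"].append(msg)
        r = REDIRECT.search(msg)
        if r:
            report["redirect_check"] = {
                "runtime_like": r.group(1) == "1", "has_team_id": r.group(2) == "1",
                "source_app": r.group(3).strip(), "redirect_uri": r.group(4).strip()}
        e = NSERROR.search(msg)
        if e:
            report["nserror"] = {"domain": e.group(1), "code": int(e.group(2)),
                                 "description": e.group(3)}
    rc = report["redirect_check"]
    # Label is this example's own: it only restates what the validation line logged.
    if rc and report["nserror"] and not rc["has_team_id"] and not rc["source_app"]:
        report["finding"] = "no_team_id_and_empty_source_app"
    return report

if __name__ == "__main__":
    print(triage(SAMPLE))
```
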
