Access Tokens
Some entries in the table below require a refresh token that carries the brk_client_id. Such a refresh token can be obtained by logging into the portal with habu2.py get delegation-token, using either the authflow or the selenium method. Alternatively, you can retrieve the refresh token manually from the browser's session storage while logged into the Azure, Intune or Security portals.
Not much is known about brk_client_id and brk_redirect_url. Based on my observation alone, the brk_client_id is attached to the refresh tokens that can be retrieved from browser session storage when logged into one of the aforementioned portals. These refresh tokens cannot be used to obtain an access token for Azure Management, Graph, etc. Conversely, a standard refresh token obtained from one of the OAuth flows (the kind used to get an access token for Management or Graph) cannot be used to obtain a token for Intune or any of its extensions. Attempting this results in error AADSTS900054, which states that the broker client id is missing from the refresh token. I have not been able to find this error in official Microsoft documentation anywhere other than various forums.
More detailed information on permission scopes can be found at https://graphpermissions.merill.net/permission/
Service | Client | Scope/Resource | Refresh Token with brk_client_id Needed |
---|---|---|---|
Exchange | Office | Graph | |
Defender365 | Azure CLI | MTP | |
EWS, Substrate | Teams, Office | O365 | |
Teams | Teams, Office | TeamsV1 | |
Intune (basic, only lists managed devices) | Graph CLI | Graph | |
Intune - BitLocker | Aad Devices | Graph | Yes |
Intune - CloudPC | Cloud PC | Graph | Yes |
Intune - Portal | Intune Portal Extension | Graph | Yes |