
Access Tokens

0v3rride edited this page Dec 8, 2024 · 1 revision

Note

Some entries require a refresh token that carries the brk_client_id. Such a refresh token can be obtained by logging into the portal with habu2.py get delegation-token using the authflow or selenium method. Otherwise, you can manually retrieve the refresh token from the browser's session storage while logged into the Azure, Intune or Security portals.

Not much is known about brk_client_id and brk_redirect_url. Based on my observation alone, the brk_client_id is assigned to refresh tokens that can be retrieved from session storage in the browser when logged into one of the aforementioned portals. You cannot use these refresh tokens to get an access token for Azure Management, Graph, etc. Conversely, you cannot use a standard refresh token that you would obtain from one of the OAuth flows when getting an access token for Management or Graph to get a token for Intune or any of the extensions. This results in error AADSTS900054, which states that the broker client id is missing from the refresh token. I haven't been able to find this error in official Microsoft documentation anywhere other than various forums.

More detailed information on permission scopes can be found at https://graphpermissions.merill.net/permission/


| Service | Client | Scope/Resource | Refresh Token with Brk_Client_Id Needed |
|---|---|---|---|
| Exchange | Office | Graph | |
| Defender365 | Azure CLI | MTP | |
| EWS, Substrate | Teams, Office | O365 | |
| Teams | Teams, Office | TeamsV1 | |
| Intune (basic, only lists managed devices) | Graph CLI | Graph | |
| Intune - BitLocker | Aad Devices | Graph | Yes |
| Intune - CloudPC | Cloud PC | Graph | Yes |
| Intune - Portal | Intune Portal Extension | Graph | Yes |
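The table above pairs each service with the client that requests the token and the resource the token is scoped to. When you are holding an access token (for example one recovered during an investigation) and want to know which row it corresponds to, the quickest check is to read the aud (resource), appid (client) and scp (delegated scopes) claims from the token payload. The following is an added example, not code from this wiki or from habu2.py; it inspects claims without verifying the signature, so it tells you what a token claims to be for, not whether it is valid. The sample token is constructed inline with a placeholder client id, a placeholder signature and a far-future expiry; only the Graph audience URI and scope name are real values.

```python
import base64
import json
import time

# Constructed sample claims (not a real token). The appid is a placeholder GUID;
# https://graph.microsoft.com is the real Microsoft Graph audience URI and
# DeviceManagementManagedDevices.Read.All is a real Graph permission name.
PLACEHOLDER_CLIENT_ID = "00000000-0000-0000-0000-000000000000"
SAMPLE_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "appid": PLACEHOLDER_CLIENT_ID,
    "scp": "DeviceManagementManagedDevices.Read.All User.Read",
    "iat": 1700000000,
    "exp": 4102444800,  # 2100-01-01, so the sample never expires during testing
}


def _b64url_encode(data: bytes) -> str:
    """base64url without padding, as used in compact JWS serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims: dict) -> str:
    """Build a constructed header.payload.signature string for demonstration.

    The signature segment is a placeholder, not a real signature.
    """
    header = {"alg": "RS256", "typ": "JWT"}
    to_json = lambda obj: json.dumps(obj, separators=(",", ":")).encode("utf-8")
    return ".".join([
        _b64url_encode(to_json(header)),
        _b64url_encode(to_json(claims)),
        _b64url_encode(b"signature-placeholder"),
    ])


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT as a dict.

    Inspection only: the signature is NOT checked, so treat the result as
    untrusted metadata. Use a JWT library against the issuer's published
    keys when you need to trust the token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS (header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def describe_token(claims: dict, now=None) -> dict:
    """Summarise the claims that map a token onto the Client/Resource columns."""
    now = time.time() if now is None else now
    exp = claims.get("exp")
    return {
        "resource": claims.get("aud"),                        # Scope/Resource column
        "client": claims.get("appid") or claims.get("azp"),   # Client column
        "scopes": (claims.get("scp") or "").split(),          # delegated permissions
        "expired": exp is not None and now >= exp,
    }


def token_matches(claims: dict, expected_aud: str, expected_appid: str = None) -> bool:
    """True if the token was issued for the given resource (and client, if given)."""
    if claims.get("aud") != expected_aud:
        return False
    if expected_appid is not None and claims.get("appid") != expected_appid:
        return False
    return True


SAMPLE_TOKEN = make_sample_token(SAMPLE_CLAIMS)

if __name__ == "__main__":
    info = describe_token(decode_jwt_claims(SAMPLE_TOKEN))
    for key, value in info.items():
        print(f"{key}: {value}")
```

Run it as a script to see the summary for the constructed token, or pass a token you are analysing to decode_jwt_claims and describe_token. Because nothing here validates the signature, an attacker-modified payload would decode just as cleanly; the point is triage (which client and resource is this token for, and is it still within its lifetime), not authorisation.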