[MS] General Availability: Refresh Token (RT) Transfer to Apple Watch in Microsoft Entra External ID Native Authentication - devamazonaws.blogspot.com

We’re excited to announce the General Availability (GA) of Single Sign-On (SSO) from Native Apps to Embedded Web Views for Microsoft Entra External ID (EEID) Native Authentication.

This release marks a major milestone in delivering end-to-end seamless authentication experiences for modern CIAM applications, bridging the gap between native and web-based app surfaces.

Get started with Native Authentication on iOS/macOS: https://ift.tt/Bv96DLp

Why RT transfer matters for Native Auth

Native Authentication enables developers to build fully in‑app, customizable sign-in experiences with secure token management.

However, modern applications increasingly extend beyond a single device.

Real-world scenarios include:

  • Companion apps (e.g., Apple Watch)
  • Widgets and background experiences
  • Multi-surface mobile ecosystems

In these cases, devices like Apple Watch must independently access APIs even when disconnected from the phone.

Without RT transfer:

  • Watch apps cannot refresh expired access tokens
  • Users experience interruptions or forced re-authentication
  • Developers resort to unsupported or insecure workarounds

As highlighted in customer scenarios (e.g., GM), this gap creates significant friction and can block adoption of native authentication in production environments. With GA of RT transfer, this problem is now solved.

What’s now generally available

With this release, developers can securely enable token continuity across devices, allowing companion apps like Apple Watch to maintain authenticated sessions independently.

Independent token refresh on Apple Watch

Companion devices can refresh access tokens without relying on phone connectivity, ensuring uninterrupted API access.

Seamless cross-device experience

Users authenticate once on their mobile app and continue interacting on secondary devices without additional sign-in prompts.

Opt-in developer control

RT access is explicitly enabled via configuration, ensuring developers consciously opt into advanced scenarios.

Secure-by-design guidance

Clear best practices for storage, transfer, and revocation are provided to maintain a strong security posture when handling refresh tokens.

How it works (high-level)

The RT transfer model builds on top of EEID Native Authentication and extends it to companion devices:

  1. User signs in via native authentication on iOS
  2. The app retrieves authentication tokens (including RT via opt-in API)
  3. The RT is securely transmitted to the Apple Watch (e.g., via WatchConnectivity)
  4. The watch independently uses the RT to renew access tokens when needed

This enables a secure, long-lived authentication bridge across devices, even in offline or intermittent connectivity scenarios.

Developer scenarios unlocked

This capability is especially impactful for CIAM developers building multi-device ecosystems:

Companion device experiences (Apple Watch)

Enable fully functional, authenticated watch apps without requiring constant phone connectivity.

📱 Background and widget scenarios

Support independent token refresh for widgets and background services running outside the primary app session.

🚗 Connected experiences (e.g., automotive apps)

Unblock real-world use cases where devices must operate autonomously while maintaining secure access.

🔒 Consistent authentication across surfaces

Avoid fragmented identity flows and deliver a cohesive, trusted user experience across devices.

Behind the scenes: Why this matters

By design, MSAL has historically not exposed refresh tokens, prioritizing security by keeping long-lived credentials protected within the SDK. However, this creates limitations for multi-device scenarios where token state must extend beyond a single device.

In practice, customers have already implemented workarounds, extracting tokens from secure storage and transferring them manually, which introduces inconsistency and risk.

With this GA release:

  • RT access is formally supported via a controlled, opt-in API
  • Developers receive clear security guidance (encryption, secure transport, revocation)
  • The platform enables companion device scenarios without requiring unsupported approaches

This balances developer flexibility with enterprise-grade security expectations.

This is just the beginning of cross-device authentication

RT transfer represents a critical first step toward a broader vision of multi-device SSO and session continuity for Native Authentication.

We are actively investing in:

  • Short-lived session transfer tokens for secure, brokered session handoff
  • SSO across multiple apps and devices
  • Advanced token lifecycle and rotation management
  • Deeper integration with identity security controls (Conditional Access, policy)

Our goal is to deliver a modern, secure, multi-surface identity platform for CIAM.

Ready to get started with Native Authentication?

To enable refresh token transfer to Apple Watch:

  1. Configure Native Authentication in your Entra External ID tenant
  2. Enable RT access via explicit application configuration
  3. Implement secure token transfer (e.g., WatchConnectivity)
  4. Ensure proper handling of token rotation, revocation, and secure storage
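The following Swift sketch is an added example, not code from the post or from the Microsoft SDK, covering steps 3 and 4 above (and the "How it works" flow earlier): the phone hands the refresh token to the watch over WatchConnectivity, and the watch stores it in its own keychain with rotation and revocation hooks. It assumes the RT has already been obtained from the SDK's opt-in accessor (not named on the page, so not shown), and the keychain service identifier and the "rt"/"stored" message keys are constructed placeholders.

```swift
import Foundation
import Security
import WatchConnectivity

// Keychain wrapper used by both the iOS app and the watch extension.
// ThisDeviceOnly accessibility keeps the refresh token out of iCloud Keychain
// and device backups, so the watch's copy never leaves the watch again.
enum RefreshTokenStore {
    // Constructed placeholder; use your app's own service identifier.
    static let service = "com.example.companion.refresh-token"

    private static var baseQuery: [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service,
         kSecAttrAccount as String: "rt"]
    }

    // save() overwrites any previous copy, which is what rotation needs:
    // once a new RT is issued, the old one must not linger on disk.
    static func save(_ token: String) throws {
        SecItemDelete(baseQuery as CFDictionary)
        var attrs = baseQuery
        attrs[kSecValueData as String] = Data(token.utf8)
        attrs[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        let status = SecItemAdd(attrs as CFDictionary, nil)
        guard status == errSecSuccess else {
            throw NSError(domain: NSOSStatusErrorDomain, code: Int(status))
        }
    }

    static func load() -> String? {
        var query = baseQuery
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var item: CFTypeRef?
        guard SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess,
              let data = item as? Data else { return nil }
        return String(decoding: data, as: UTF8.self)
    }

    // Called on sign-out, or when the token endpoint reports the RT revoked.
    static func delete() { SecItemDelete(baseQuery as CFDictionary) }
}

#if os(iOS)
// Phone side: hand the RT to the watch only over a live, interactive session.
// sendMessage requires the counterpart to be reachable and is not persisted;
// updateApplicationContext/transferUserInfo queue the payload on disk until
// delivery, which would leave a copy of the credential behind.
final class PhoneTokenSender: NSObject, WCSessionDelegate {
    enum TransferError: Error { case sessionUnavailable, watchNotReachable, watchRejected }

    func activate() {
        guard WCSession.isSupported() else { return }
        WCSession.default.delegate = self
        WCSession.default.activate()
    }

    // `refreshToken` is the value returned by the SDK's opt-in RT accessor.
    func send(refreshToken: String, completion: @escaping (Error?) -> Void) {
        let session = WCSession.default
        guard session.activationState == .activated else {
            return completion(TransferError.sessionUnavailable)
        }
        guard session.isReachable else {
            return completion(TransferError.watchNotReachable)
        }
        session.sendMessage(["rt": refreshToken],
                            replyHandler: { reply in
                                let ok = (reply["stored"] as? Bool) == true
                                completion(ok ? nil : TransferError.watchRejected)
                            },
                            errorHandler: { completion($0) })
    }

    func session(_ session: WCSession, activationDidCompleteWith state: WCSessionActivationState, error: Error?) {}
    func sessionDidBecomeInactive(_ session: WCSession) {}
    func sessionDidDeactivate(_ session: WCSession) { session.activate() }
}
#endif

#if os(watchOS)
// Watch side: write the RT straight into the keychain and acknowledge.
// The watch later reads RefreshTokenStore.load() and redeems it through the
// native-auth SDK; on a rotation response it calls save() with the new RT,
// and on an invalid-grant/revocation response it calls delete().
final class WatchTokenReceiver: NSObject, WCSessionDelegate {
    func activate() {
        WCSession.default.delegate = self
        WCSession.default.activate()
    }

    func session(_ session: WCSession, activationDidCompleteWith state: WCSessionActivationState, error: Error?) {}

    func session(_ session: WCSession, didReceiveMessage message: [String: Any],
                 replyHandler: @escaping ([String: Any]) -> Void) {
        guard let rt = message["rt"] as? String, !rt.isEmpty else {
            return replyHandler(["stored": false])
        }
        do {
            try RefreshTokenStore.save(rt)
            replyHandler(["stored": true])
        } catch {
            replyHandler(["stored": false])
        }
    }
}
#endif
```

Two choices carry the security weight here. The transport is `sendMessage`, which only succeeds while the watch app is reachable and leaves no queued copy of the token on either device, so a failed handoff is a retry rather than a credential sitting in a WatchConnectivity queue. The storage is a keychain item with `ThisDeviceOnly` accessibility, which excludes it from backups and keychain sync, and `save()` deletes before adding so a rotated RT replaces rather than accumulates; `delete()` is the hook for sign-out and for the revocation case the post's guidance calls out.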

Get Started with Native Authentication: https://ift.tt/aQWT961

Stay connected and informed

To learn more or test out features in the Microsoft Entra suite of products, visit our developer center. Make sure you subscribe to the Identity blog for more insights and to keep up with the latest on all things Identity. And, follow us on YouTube for video overviews, tutorials, and deep dives.


Post Updated on April 29, 2026 at 04:13PM