Microsoft figured out how to improve security — and made it more vulnerable than ever

Microsoft’s new scheme simplifies access while alarming security professionals.

Microsoft has introduced a new mechanism called Nested App Authentication (NAA), which is gradually becoming a key part of the company’s cloud ecosystem. The idea is simple: if a user has already signed into one application, that application can act as a “broker” and issue tokens for access to other services. This approach both enhances security and streamlines workflows — for example, allowing seamless switching between administrator portals or Azure services without repeated logins.
The technology became generally available in October 2024, and can now be used both in Microsoft products and in third-party applications. Among researchers, another name has also taken hold — BroCI (brokered client IDs), by analogy with FOCI (“family of client IDs”). Since the abbreviation NAA is already used in other Microsoft products, some publications prefer BroCI.
Security experts’ interest in the new scheme is no accident. In early 2025, at a hackathon, the SpecterOps team was the first to thoroughly study how NAA works. Soon after, “brokered” request mechanisms appeared in popular Azure tools such as roadtx, Maestro, and EntraTokenAid. Other researchers, including Dirk-jan Mollema and Fabian Bader, released services for analyzing applications and their permissions, while the community quickly developed practical use cases.
Why is this useful? In some cases, the tokens cached by the user are not enough. With NAA, it’s possible to “transfer” an already issued token into a new application and gain access to additional resources. For example, one could activate a role in Privileged Identity Management even if the corresponding portal hasn’t been opened for a long time, or retrieve a secret from Azure Key Vault. A critical detail is that the MFA (multi-factor authentication) confirmation is carried along with the token. That means if an administrator has confirmed login with MFA once in Azure Portal, a brokered request allows this confirmation to be reused in other services — without re-entering the code.
Researchers have demonstrated different ways to use NAA: from manually crafting requests with curl to automating them in PowerShell and specialized utilities. For instance, Maestro makes it possible with just two commands — using only an Azure Portal refresh token — to retrieve a list of Intune devices. Meanwhile, roadtx simplifies extracting secrets from Key Vault, while still respecting MFA requirements.
Thus, NAA opens up new possibilities not only for developers but also for security specialists. On one hand, it is a convenient tool for building more flexible application architectures and simplifying authentication. On the other, it is a potential attack vector if an adversary obtains an administrator’s refresh token. This is why the research community is so actively studying and documenting the technology — to understand its strengths and weaknesses in advance.
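The mechanism the article describes, as an added toy model that is neither Microsoft's code nor any of the tools named above: a refresh token obtained by one application carries the user's MFA result, a brokered request copies that result into an access token for a second application, and the defender-side controls are a resource policy that demands a recent MFA (the effect of a sign-in-frequency rule, so an old brokered token is refused even though it still carries the MFA claim) and a review of how many distinct child applications one broker has minted tokens for. The class and function names, the claim names `amr` and `auth_time` (borrowed from OIDC, not taken from the article), and every user, client and audience value are constructed for the example.

```python
"""Toy model of brokered (nested) token issuance and two defensive checks.

Added illustration, not Microsoft's implementation and not the code of
roadtx, Maestro or EntraTokenAid. Claim names 'amr' and 'auth_time' follow
OIDC conventions; which claims Entra actually copies into a brokered token
is not stated in the article and is an assumption of this model.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class RefreshToken:
    user: str
    client_id: str        # application that performed the interactive sign-in
    amr: List[str]        # authentication methods used, e.g. ["pwd", "mfa"]
    auth_time: datetime   # moment of the last interactive authentication


@dataclass
class AccessToken:
    user: str
    client_id: str        # child application the token is issued to
    audience: str         # resource the token is valid for
    amr: List[str]
    auth_time: datetime
    brokered_by: Optional[str] = None   # broker's client id, if brokered


def issue_brokered(rt: RefreshToken, child_client_id: str, audience: str) -> AccessToken:
    """Brokered request: the child app receives an access token whose
    authentication claims are copied from the broker's refresh token, so the
    earlier MFA confirmation travels with it and no new prompt is shown."""
    return AccessToken(user=rt.user, client_id=child_client_id, audience=audience,
                       amr=list(rt.amr), auth_time=rt.auth_time,
                       brokered_by=rt.client_id)


def resource_accepts(tok: AccessToken, audience: str, max_mfa_age: timedelta,
                     now: datetime) -> Tuple[bool, str]:
    """Resource-side policy: the token must be for this audience, must carry an
    MFA result, and that result must be recent. A stale brokered token fails the
    age check even though its 'mfa' claim is still present."""
    if tok.audience != audience:
        return False, "wrong audience"
    if "mfa" not in tok.amr:
        return False, "mfa not satisfied"
    if now - tok.auth_time > max_mfa_age:
        return False, "mfa too old; reauthentication required"
    return True, "ok"


def fan_out_clients(tokens: List[AccessToken]) -> Dict[str, Set[str]]:
    """Review helper: for each broker, the distinct child applications it has
    minted tokens for. One refresh token feeding many unrelated applications in
    a short window is a pattern worth examining."""
    out: Dict[str, Set[str]] = {}
    for t in tokens:
        if t.brokered_by:
            out.setdefault(t.brokered_by, set()).add(t.client_id)
    return out


def demo() -> dict:
    """Walk the flow with constructed values and return the outcomes."""
    t0 = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)   # constructed sign-in time
    portal_rt = RefreshToken(user="admin@example.test", client_id="portal-app",
                             amr=["pwd", "mfa"], auth_time=t0)
    vault_tok = issue_brokered(portal_rt, "keyvault-app", "vault")
    mdm_tok = issue_brokered(portal_rt, "intune-app", "devicemgmt")
    policy = timedelta(hours=1)   # require MFA within the last hour
    return {
        "fresh": resource_accepts(vault_tok, "vault", policy, t0 + timedelta(minutes=10)),
        "stale": resource_accepts(vault_tok, "vault", policy, t0 + timedelta(hours=3)),
        "fan_out": fan_out_clients([vault_tok, mdm_tok]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The point of the model is the contrast between `fresh` and `stale`: the brokered token is identical in both cases, and only a freshness requirement on the resource side distinguishes a just-confirmed administrator from a refresh token that was captured hours earlier.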
While Microsoft promotes Nested App Authentication as a way to “improve security and flexibility of architecture,” in practice it shows that, in skilled hands, the tool can serve both as a powerful aid for administration and as a convenient springboard for attackers.