AzureAD · kaisong1990 · Oct 23, 2025 · Oct 29, 2025 · Nov 4, 2025 · Nov 5, 2025
@@ -535,6 +535,7 @@
 		2A0278912D6E3216005655B4 /* MSIDAADTokenRequestServerTelemetryTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 2A0278902D6E3216005655B4 /* MSIDAADTokenRequestServerTelemetryTests.m */; };
 		2A0278922D6E3216005655B4 /* MSIDAADTokenRequestServerTelemetryTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 2A0278902D6E3216005655B4 /* MSIDAADTokenRequestServerTelemetryTests.m */; };
 		2A0278A32D6E3787005655B4 /* MSIDLastRequestTelemetry+Tests.h in Headers */ = {isa = PBXBuildFile; fileRef = 2A0278A22D6E3787005655B4 /* MSIDLastRequestTelemetry+Tests.h */; };
+		2A1CBC892ECE5F6E00D2E6BB /* MSIDGCDStarvationDetector.h in Headers */ = {isa = PBXBuildFile; fileRef = 2A886D6C2ECBE3D600675D31 /* MSIDGCDStarvationDetector.h */; };
 		2A24814D2CB06A1A006FCB34 /* MSIDSSORemoteSilentTokenRequest.m in Sources */ = {isa = PBXBuildFile; fileRef = 2A24814C2CB06A1A006FCB34 /* MSIDSSORemoteSilentTokenRequest.m */; };
 		2A24814E2CB06A1A006FCB34 /* MSIDSSORemoteSilentTokenRequest.h in Headers */ = {isa = PBXBuildFile; fileRef = 2A24814B2CB06A1A006FCB34 /* MSIDSSORemoteSilentTokenRequest.h */; };
 		2A24814F2CB06A1A006FCB34 /* MSIDSSORemoteSilentTokenRequest.m in Sources */ = {isa = PBXBuildFile; fileRef = 2A24814C2CB06A1A006FCB34 /* MSIDSSORemoteSilentTokenRequest.m */; };
@@ -558,6 +559,8 @@
 		2A59B4402D7924E400304FB1 /* MSIDSSOXpcInteractiveTokenRequest.m in Sources */ = {isa = PBXBuildFile; fileRef = 2A59B43D2D7924E400304FB1 /* MSIDSSOXpcInteractiveTokenRequest.m */; };
 		2A59B4442D7A0CB500304FB1 /* MSIDXpcInteractiveTokenRequestController.h in Headers */ = {isa = PBXBuildFile; fileRef = 2A59B4412D7A0CB500304FB1 /* MSIDXpcInteractiveTokenRequestController.h */; };
 		2A59B4452D7A0CB500304FB1 /* MSIDXpcInteractiveTokenRequestController.m in Sources */ = {isa = PBXBuildFile; fileRef = 2A59B4422D7A0CB500304FB1 /* MSIDXpcInteractiveTokenRequestController.m */; };
+		2A886D6E2ECBE3D600675D31 /* MSIDGCDStarvationDetector.m in Sources */ = {isa = PBXBuildFile; fileRef = 2A886D6D2ECBE3D600675D31 /* MSIDGCDStarvationDetector.m */; };
+		2A886D702ECBE3D600675D31 /* MSIDGCDStarvationDetector.m in Sources */ = {isa = PBXBuildFile; fileRef = 2A886D6D2ECBE3D600675D31 /* MSIDGCDStarvationDetector.m */; };
 		2AADDAC72DADB84D00CB7740 /* MSIDSSOXpcSilentTokenRequest.m in Sources */ = {isa = PBXBuildFile; fileRef = 2AADDAC62DADB84D00CB7740 /* MSIDSSOXpcSilentTokenRequest.m */; };
 		2AADDAC82DADB84D00CB7740 /* MSIDSSOXpcSilentTokenRequest.h in Headers */ = {isa = PBXBuildFile; fileRef = 2AADDAC52DADB84D00CB7740 /* MSIDSSOXpcSilentTokenRequest.h */; };
 		4B6D22262E831B0B00546EC8 /* MSIDFlightManagerQueryKeyDelegate.h in Headers */ = {isa = PBXBuildFile; fileRef = 4B6D22252E831AEA00546EC8 /* MSIDFlightManagerQueryKeyDelegate.h */; };
@@ -2515,6 +2518,8 @@
 		2A59B43D2D7924E400304FB1 /* MSIDSSOXpcInteractiveTokenRequest.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDSSOXpcInteractiveTokenRequest.m; sourceTree = "<group>"; };
 		2A59B4412D7A0CB500304FB1 /* MSIDXpcInteractiveTokenRequestController.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MSIDXpcInteractiveTokenRequestController.h; sourceTree = "<group>"; };
 		2A59B4422D7A0CB500304FB1 /* MSIDXpcInteractiveTokenRequestController.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDXpcInteractiveTokenRequestController.m; sourceTree = "<group>"; };
+		2A886D6C2ECBE3D600675D31 /* MSIDGCDStarvationDetector.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MSIDGCDStarvationDetector.h; sourceTree = "<group>"; };
+		2A886D6D2ECBE3D600675D31 /* MSIDGCDStarvationDetector.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDGCDStarvationDetector.m; sourceTree = "<group>"; };
 		2AADDAC52DADB84D00CB7740 /* MSIDSSOXpcSilentTokenRequest.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MSIDSSOXpcSilentTokenRequest.h; sourceTree = "<group>"; };
 		2AADDAC62DADB84D00CB7740 /* MSIDSSOXpcSilentTokenRequest.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDSSOXpcSilentTokenRequest.m; sourceTree = "<group>"; };
 		4B6D22252E831AEA00546EC8 /* MSIDFlightManagerQueryKeyDelegate.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MSIDFlightManagerQueryKeyDelegate.h; sourceTree = "<group>"; };
@@ -5283,6 +5288,8 @@
 		B2C7087F2198DE0000D917B8 /* broker */ = {
 			isa = PBXGroup;
 			children = (
+				2A886D6C2ECBE3D600675D31 /* MSIDGCDStarvationDetector.h */,
+				2A886D6D2ECBE3D600675D31 /* MSIDGCDStarvationDetector.m */,
 				2A953DF72DA45B3100A748BA /* mac */,
 				B2C708812198DE0000D917B8 /* MSIDBrokerKeyProvider.h */,
 				B2C708822198DE0000D917B8 /* MSIDBrokerKeyProvider.m */,
@@ -6514,6 +6521,7 @@
 				B286B9C52389DE78007833AD /* MSIDAccountMetadata.h in Headers */,
 				B2F671E32467A30400649855 /* MSIDInteractiveAuthorizationCodeRequest.h in Headers */,
 				1E707FE02407336300716148 /* MSIDBrokerBrowserOperationResponse.h in Headers */,
+				2A1CBC892ECE5F6E00D2E6BB /* MSIDGCDStarvationDetector.h in Headers */,
 				B4A5ACCD21F7ED4500D2A780 /* MSIDAccountCacheItem+MSIDAccountMatchers.h in Headers */,
 				F7AB29D8B906BEA5B6EB8F8C /* MSIDWPJMetadata.h in Headers */,
 			);
@@ -7450,6 +7458,7 @@
 				B29A36C120B1289D00427B63 /* MSIDAccountIdentifier.m in Sources */,
 				B2EE86E123751B6F00D0BC96 /* MSIDSystemWebviewController.m in Sources */,
 				B266903E243706CF00FB0117 /* MSIDBrokerOperationBrowserTokenRequest.m in Sources */,
+				2A886D702ECBE3D600675D31 /* MSIDGCDStarvationDetector.m in Sources */,
 				1E37AAD5252196CC00EBED3B /* NSData+JWT.m in Sources */,
 				B286B9872389DC24007833AD /* MSIDBrokerOperationGetAccountsRequest.m in Sources */,
 				B297E1F220A25F0C00F370EC /* MSIDLegacyTokenCacheItem.m in Sources */,
@@ -8372,6 +8381,7 @@
 				B2DD4B2720A7D67C0047A66E /* MSIDLegacyRefreshToken.m in Sources */,
 				1EE541412458B30300A86414 /* MSIDDevicePopManager.m in Sources */,
 				B27ACAA922EE9FE60049ACE0 /* MSIDIntuneApplicationStateManager.m in Sources */,
+				2A886D6E2ECBE3D600675D31 /* MSIDGCDStarvationDetector.m in Sources */,
 				B297E1E220A1272600F370EC /* MSIDLegacyTokenCacheQuery.m in Sources */,
 				60F7BE8B21DA4E2900F1BBA1 /* MSIDPrimaryRefreshToken.m in Sources */,
 				B214C39F1FE854FE0070C4F2 /* MSIDLegacyTokenCacheAccessor.m in Sources */,

@@ -99,6 +99,7 @@ extern NSString * _Nonnull const MSID_IS_CALLER_MANAGED_KEY;
 extern NSString * _Nonnull const MSID_BROKER_PREFERRED_AUTH_CONFIGURATION_KEY;
 extern NSString * _Nonnull const MSID_BROKER_CLIENT_FLIGHTS_KEY;
 extern NSString * _Nonnull const MSID_BROKER_SDM_WPJ_ATTEMPTED;
+extern NSString * _Nonnull const MSID_BART_DEVICE_ID_KEY;
 extern NSString * _Nonnull const MSID_EXP_RETRY_ON_NETWORK;
 extern NSString * _Nonnull const MSID_EXP_ENABLE_CONNECTION_CLOSE;
 extern NSString * _Nonnull const MSID_HTTP_CONNECTION;

@@ -97,6 +97,7 @@
 NSString *const MSID_JIT_TROUBLESHOOTING_HOST = @"jit_troubleshooting";
 NSString *const MSID_IS_CALLER_MANAGED_KEY = @"isCallerAppManaged";
 NSString *const MSID_BROKER_SDM_WPJ_ATTEMPTED = @"sdm_reg_attempted";
+NSString *const MSID_BART_DEVICE_ID_KEY = @"bart_device_id";
 NSString *const MSID_FORCE_REFRESH_KEY = @"force_refresh";
 
 // Experiments

@@ -235,6 +235,9 @@ extern NSString * _Nonnull const MSID_FLIGHT_DISABLE_REMOVE_ACCOUNT_ARTIFACTS;
 extern NSString * _Nonnull const MSID_FLIGHT_ENABLE_QUERYING_STK;
 extern NSString * _Nonnull const MSID_FLIGHT_IS_BART_SUPPORTED;
 
+extern NSString * _Nonnull const MSID_FLIGHT_USE_AUTOLAYOUT_FOR_LOADING_INDICATOR;
+
 extern NSString * _Nonnull const MSID_DOMAIN_HINT_KEY;
 
+extern NSString * _Nonnull const MSID_FLIGHT_ENABLE_THREAD_STARVATION;
 #define METHODANDLINE   [NSString stringWithFormat:@"%s [Line %d]", __PRETTY_FUNCTION__, __LINE__]
@@ -100,7 +100,11 @@
 NSString *const MSID_FLIGHT_ENABLE_QUERYING_STK = @"enable_querying_stk";
 NSString *const MSID_FLIGHT_IS_BART_SUPPORTED = @"is_msal_bart_supported";
 
+NSString *const MSID_FLIGHT_USE_AUTOLAYOUT_FOR_LOADING_INDICATOR = @"use_autolayout_for_loading_indicator";
+
 NSString *const MSID_DOMAIN_HINT_KEY  = @"domain_hint";
 
+// This is SsoExt flow only flight
+NSString *const MSID_FLIGHT_ENABLE_THREAD_STARVATION = @"ts_en";
 
 #define METHODANDLINE   [NSString stringWithFormat:@"%s [Line %d]", __PRETTY_FUNCTION__, __LINE__]
@@ -180,5 +180,5 @@ extern NSString *const MSID_CCS_REQUEST_ID_RESPONSE;
 extern NSString *const MSID_CCS_REQUEST_SEQUENCE_KEY;
 extern NSString *const MSID_CCS_REQUEST_SEQUENCE_RESPONSE;
 extern NSString *const MSID_BOUND_DEVICE_ID_CACHE_KEY;
+extern NSString *const MSID_BOUND_RT_EXCHANGE;
 extern NSString *const MSID_MSAL_CLIENT_APV_PREFIX;
-extern NSString *const MSID_BOUND_REFRESH_TOKEN_EXCHANGE;
@@ -180,6 +180,6 @@
 NSString *const MSID_CCS_REQUEST_SEQUENCE_KEY            = @"x-ms-srs";
 NSString *const MSID_CCS_REQUEST_SEQUENCE_RESPONSE       = @"ccs-request-sequence";
 
-NSString *const MSID_BOUND_REFRESH_TOKEN_EXCHANGE        = @"bound_rt_exchange";
 NSString *const MSID_BOUND_DEVICE_ID_CACHE_KEY           = @"bound_device_id";
+NSString *const MSID_BOUND_RT_EXCHANGE                   = @"bound_rt_exchange";
 NSString *const MSID_MSAL_CLIENT_APV_PREFIX              = @"MsalClient";
@@ -36,6 +36,7 @@ NS_ASSUME_NONNULL_BEGIN
 - (instancetype _Nullable)initWithTokenResponse:(nonnull MSIDBrokerOperationTokenResponse *)tokenResponse;
 
 @property (nonatomic, nullable) NSString *state;
+@property (nonatomic, nullable) NSString *requestAccountUpn;
 @property (nonatomic, nullable) MSIDBrokerOperationBrowserNativeMessageMATSReport *matsReport;
 
 

@@ -72,7 +72,7 @@ - (NSDictionary *)jsonDictionary
     }
 
     __auto_type accountJson = [NSMutableDictionary new];
-    accountJson[@"userName"] = tokenResponse.accountUpn;
+    accountJson[@"userName"] = tokenResponse.accountUpn ?: self.requestAccountUpn;
     accountJson[@"id"] = tokenResponse.accountIdentifier;
 
     response[@"account"] = accountJson;

@@ -557,14 +557,15 @@ - (BOOL)removeAccountsWithKey:(MSIDCacheKey *)key
 
 - (NSArray<MSIDJsonObject *> *)jsonObjectsWithKey:(__unused MSIDCacheKey *)key serializer:(__unused id<MSIDExtendedCacheItemSerializing>)serializer context:(id<MSIDRequestContext>)context error:(NSError *__autoreleasing *)error
 {
-    [self createUnimplementedError:error context:context];
+    MSID_LOG_WITH_CTX(MSIDLogLevelInfo, context, @"Skipping jsonObjectsWithKey:serializer:context:error: in MSIDMacKeychainTokenCache.");
     return nil;
 }
 
 
 - (BOOL)saveJsonObject:(__unused MSIDJsonObject *)jsonObject serializer:(__unused id<MSIDExtendedCacheItemSerializing>)serializer key:(__unused MSIDCacheKey *)key context:(id<MSIDRequestContext>)context error:(NSError *__autoreleasing *)error
 {
-    [self createUnimplementedError:error context:context];
+    MSID_LOG_WITH_CTX(MSIDLogLevelInfo, context, @"Skipping saveJsonObject:serializer:key:context:error: in MSIDMacKeychainTokenCache.");
+
     return NO;
 }
 

@@ -95,6 +95,8 @@
 
 @property (nonatomic) BOOL createdFromCache;
 
+@property (nonatomic, nullable) NSString *boundAppRefreshTokenDeviceId;
+
 - (nullable instancetype)initWithJSONDictionary:(nonnull NSDictionary *)json
                                    refreshToken:(nullable MSIDBaseToken<MSIDRefreshableToken> *)token
                                           error:(NSError * _Nullable __autoreleasing *_Nullable)error;

@@ -170,6 +170,7 @@ - (instancetype)initWithJSONDictionary:(NSDictionary *)json error:(NSError *__au
         _stsErrorCodes = [json msidArrayOfIntegersForKey: MSID_OAUTH2_ERROR_CODES];
         _errorDescription = [[json msidStringObjectForKey:MSID_OAUTH2_ERROR_DESCRIPTION] msidURLDecode];
         _clientAppVersion = [json msidStringObjectForKey:MSID_BROKER_CLIENT_APP_VERSION_KEY];
+        _boundAppRefreshTokenDeviceId = [json msidStringObjectForKey:MSID_BART_DEVICE_ID_KEY];
         [self setAdditionalServerInfo:json];
     }
 

@@ -70,7 +70,7 @@ - (nonnull NSMutableDictionary *)jsonDictionary
 {
     NSMutableDictionary *jsonDict = [NSMutableDictionary new];
     jsonDict[MSID_OAUTH2_GRANT_TYPE] = MSID_OAUTH2_REFRESH_TOKEN;
-    jsonDict[MSID_BOUND_REFRESH_TOKEN_EXCHANGE] = @1;
+    jsonDict[MSID_BOUND_RT_EXCHANGE] = @1;
     jsonDict[@"aud"] = self.audience;
     jsonDict[@"iss"] = self.clientId; // Issuer is the client ID
     NSTimeInterval now = [[NSDate date] timeIntervalSince1970];

@@ -120,8 +120,14 @@
 #pragma mark - Xpc Mode
 @property (nonatomic) MSIDXpcMode xpcMode;
 
+#pragma mark - monitor gcd thread starvation
+@property (nonatomic) BOOL allowThreadStarvationMonitoring;
+
 - (NSURL *)tokenEndpoint;
 
+// property that indicates if calling app requested broker for a Bound App Refresh token
+@property (nonatomic) BOOL isBoundAppRefreshTokenRequested;
+
 #pragma mark Methods
 - (void)setCloudAuthorityWithCloudHostName:(NSString *)cloudHostName;
 - (NSString *)allTokenRequestScopes;

@@ -42,6 +42,9 @@
 #import "MSIDCurrentRequestTelemetry.h"
 #import "MSIDAccountMetadataCacheItem.h"
 #import "MSIDFlightManager.h"
+#import "MSIDDefaultTokenCacheAccessor.h"
+#import "MSIDAccountCredentialCache.h"
+#import "MSIDKeychainTokenCache.h"
 
 #if TARGET_OS_OSX && !EXCLUDE_FROM_MSALCPP
 #import "MSIDExternalAADCacheSeeder.h"
@@ -277,7 +280,9 @@ - (void)executeRequestImpl:(MSIDRequestCompletionBlock)completionBlock
         return;
     }
 
-    [self fetchCachedTokenAndCheckForFRTFirst:NO shouldComplete:NO completionHandler:^(MSIDBaseToken<MSIDRefreshableToken> *refreshToken, MSIDRefreshTokenTypes tokenType, NSError *error) {
+    BOOL checkForFRTFirst = [self shouldCheckForFRTFirst];
+
+    [self fetchCachedTokenAndCheckForFRTFirst:checkForFRTFirst shouldComplete:NO completionHandler:^(MSIDBaseToken<MSIDRefreshableToken> *refreshToken, MSIDRefreshTokenTypes tokenType, NSError *error) {
         if (!refreshToken)
         {
             NSError *interactionError = MSIDCreateError(MSIDErrorDomain, MSIDErrorInteractionRequired, @"No token matching arguments found in the cache, user interaction is required", error.msidOauthError, error.msidSubError, error, self.requestParameters.correlationId, nil, YES);
@@ -387,6 +392,38 @@ - (void)tryRefreshToken:(MSIDBaseToken<MSIDRefreshableToken> *)refreshToken
 
 #pragma mark - Helpers
 
+- (BOOL)shouldCheckForFRTFirst
+{
+    MSIDAccountCredentialCache *accountCredentialCache = nil;
+
+    if (self.tokenCache != nil && [self.tokenCache isKindOfClass:[MSIDDefaultTokenCacheAccessor class]])
+    {
+        accountCredentialCache = ((MSIDDefaultTokenCacheAccessor *)self.tokenCache).accountCredentialCache;
+    }
+
+    // Use default keychain if account credential cache is not provided
+    if (accountCredentialCache == nil)
+    {
+        accountCredentialCache = [[MSIDAccountCredentialCache alloc] initWithDataSource:MSIDKeychainTokenCache.defaultKeychainCache];
+    }
+
+    NSError *frtError = nil;
+    MSIDIsFRTEnabledStatus frtStatus = [accountCredentialCache checkFRTEnabled:self.requestParameters error:&frtError];
+    BOOL frtEnabled = frtStatus == MSIDIsFRTEnabledStatusEnabled;
+    if (frtError)
+    {
+        // Log error, but continue to use old FRT code
+        MSID_LOG_WITH_CTX(MSIDLogLevelError, self.requestParameters, @"Error checking FRT enabled status, not using new FRT. Error: %@", frtError);
+    }
+    else if (frtEnabled)
+    {
+        // FRT is enabled, should try to use it first
+        return YES;
+    }
+
+    return NO;
+}
+
 - (BOOL)handleErrorResponseForAppRefreshToken:(MSIDBaseToken<MSIDRefreshableToken> *)refreshToken
                               completionBlock:(nonnull MSIDRequestCompletionBlock)completionBlock
 {
@@ -486,7 +523,7 @@ - (void)acquireTokenWithRefreshTokenImpl:(MSIDBaseToken<MSIDRefreshableToken> *)
                          completionBlock:(MSIDRequestCompletionBlock) __unused completionBlock
 {
 #if !EXCLUDE_FROM_MSALCPP
-    MSID_LOG_WITH_CTX(MSIDLogLevelInfo, self.requestParameters, @"Acquiring Access token via Refresh token...");
+    MSID_LOG_WITH_CTX(MSIDLogLevelInfo, self.requestParameters, @"Acquiring Access token via %@ Refresh token...", refreshToken.credentialType == MSIDFamilyRefreshTokenType ? @"Family" : @"App");
 
     MSIDRefreshTokenGrantRequest *tokenRequest = [self.oauthFactory refreshTokenRequestWithRequestParameters:self.requestParameters
                                                                                                 refreshToken:refreshToken.refreshToken];

@@ -0,0 +1,41 @@
+//
+// Copyright (c) Microsoft Corporation.
+// All rights reserved.
+//
+// This code is licensed under the MIT License.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files(the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions :
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+
+
+#import <Foundation/Foundation.h>
+
+NS_ASSUME_NONNULL_BEGIN
+
+@interface MSIDGCDStarvationDetector : NSObject
+
+// Start monitoring on a dedicated thread
+- (void)startMonitoring;
+
+// Stop monitoring
+// Returns the cumulative duration (in seconds) of GCD starvation detected during the monitoring period.
+- (NSTimeInterval)stopMonitoring;
+
+@end
+
+NS_ASSUME_NONNULL_END