Describe the bug
When using MSAL Python with the broker (msal[broker]) on macOS Tahoe 26.4.1 (Intel), silent token acquisition via the SSO broker consistently fails with error code -42000 and domain MSALErrorDomain. The error is thrown in sourceArea: Broker with Status: Response_Status.Status_Unexpected.
From the Company Portal logs, the broker appears to be reachable (keychain lookups succeed, PSSO/secondary broker is selected), but the silent flow ultimately fails. No fallback to interactive auth occurs.
To Reproduce
Steps to reproduce the behavior:
We are not using an off-the-shelf sample. This is a CLI tool that uses msal[broker] for authentication. The relevant auth flow is:
- Create a PublicClientApplication with allow_broker=True on macOS Tahoe 26.4.1 (Intel)
- Call acquire_token_interactive() or acquire_token_silent() targeting an A2A scope
- MSAL routes the request to the macOS SSO broker
- Broker returns error code -42000
We can provide the CLI package privately (via Teams) if needed.
Expected behavior
Broker-based token acquisition should succeed, or MSAL should cleanly fall back to interactive browser-based authentication.
What you see instead
Paste the sample output, or add screenshots to help explain your problem.
Error from MSAL Python:
Failed to acquire token: Description: (pii), Domain: MSALErrorDomain.
Error was thrown in sourceArea: Broker.
Status: Response_Status.Status_Unexpected,
Error code: -42000, Tag: 508638916
Native broker logs (from Company Portal):
2026-05-07 13:26:11:691 | I | ADB v3.16.5/WPJ v3.14.1 | Beginning authorization request
2026-05-07 13:26:11:692 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] New Browser SSO state machine handler will be used
2026-05-07 13:26:11:692 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature flag enable_js_platform_authentication, value in config 1, value type __NSCFNumber, this feature is disabled by default
2026-05-07 13:26:11:692 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Feature flag enable_js_platform_authentication is enabled
2026-05-07 13:26:11:692 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature flag browser_sso_interaction_enabled, value in config (null), value type (null), this feature is enabled by default
2026-05-07 13:26:11:692 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature flag browser_sso_disable_mfa, value in config (null), value type (null), this feature is disabled by default
2026-05-07 13:26:11:693 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature flag disable_browser_sso_intercept_all, value in config (null), value type (null), this feature is disabled by default
2026-05-07 13:26:11:693 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature flag disable_inapp_sso_signin, value in config (null), value type (null), this feature is disabled by default
2026-05-07 13:26:11:693 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature flag allow_account_enumeration_for_any_app, value in config (null), value type (null), this feature is disabled by default
2026-05-07 13:26:11:693 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature flag allow_account_enumeration_for_managed_apps, value in config (null), value type (null), this feature is disabled by default
2026-05-07 13:26:11:693 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature flag allow_global_signout_for_managed_apps, value in config (null), value type (null), this feature is disabled by default
2026-05-07 13:26:11:693 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature flag sharedDeviceMode, value in config (null), value type (null), this feature is disabled by default
2026-05-07 13:26:11:693 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature flag suppress_camera_consent, value in config (null), value type (null), this feature is disabled by default
2026-05-07 13:26:11:693 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature flag sdm_suppress_camera_consent, value in config (null), value type (null), this feature is disabled by default
2026-05-07 13:26:11:693 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature strings get_sso_cookie_allowlist, value in config (null), value type (null), this feature is not set by default
2026-05-07 13:26:11:693 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature strings get_sso_cookie_blocklist, value in config (null), value type (null), this feature is not set by default
2026-05-07 13:26:11:693 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature flag admin_debug_mode_enabled, value in config (null), value type (null), this feature is disabled by default
2026-05-07 13:26:11:693 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature flag disable_explicit_app_prompt, value in config (null), value type (null), this feature is enabled by default
2026-05-07 13:26:11:693 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature flag disable_explicit_app_prompt_and_autologin, value in config 1, value type __NSCFNumber, this feature is disabled by default
2026-05-07 13:26:11:693 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Feature flag disable_explicit_app_prompt_and_autologin is enabled
2026-05-07 13:26:11:693 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature flag remove_sso_rt_header, value in config (null), value type (null), this feature is disabled by default
2026-05-07 13:26:11:693 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature flag disable_explicit_native_app_prompt, value in config (null), value type (null), this feature is disabled by default
2026-05-07 13:26:11:693 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature flag disable_explicit_native_app_prompt_and_autologin, value in config (null), value type (null), this feature is disabled by default
2026-05-07 13:26:11:693 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature flag sso_extension_exclude_msal_request_enabled, value in config (null), value type (null), this feature is enabled by default
2026-05-07 13:26:11:693 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature flag sso_extension_disable_browser_interrupts, value in config (null), value type (null), this feature is disabled by default
2026-05-07 13:26:11:693 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature flag disable_ecc_prts, value in config (null), value type (null), this feature is disabled by default
2026-05-07 13:26:11:693 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature string preferred_auth_config, value in config (null), value type (null), this feature is not set by default
2026-05-07 13:26:11:708 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Pre-processing received json...
2026-05-07 13:26:11:708 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] No broker key in json payload, generate it from source application.
2026-05-07 13:26:11:709 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Return pre-preocess json.
2026-05-07 13:26:11:709 | E | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] token_type key is missing in dictionary.
2026-05-07 13:26:11:710 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] PID analysis - Parent is not launchd: YES, Runtime-like: YES
2026-05-07 13:26:11:710 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] No UI is needed. About to execute without UI.
2026-05-07 13:26:11:710 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Handling SSO request, requested operation: refresh
2026-05-07 13:26:11:710 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11 - 22BFFFB8-02DE-46B6-99E5-150B526FB531] Handling silent SSO request...
2026-05-07 13:26:11:714 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] PSSO status : enabled and registered
2026-05-07 13:26:11:715 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] bundleIdsAllowedInBrowserNativeMessageFlow {(
"com.microsoft.msedge.adhoc-df",
"com.microsoft.msedge.debug",
"com.microsoft.edgemac",
"com.microsoft.edgemac.Canary",
"com.microsoft.edgemac.Beta",
"com.microsoft.msedge",
"com.microsoft.edgemac.local",
"com.microsoft.edgemac.Dev",
"com.microsoft.msedge-df.dev",
"com.microsoft.msedge-df.canary",
"microsoft.com.browserMessagingHost",
"com.microsoft.msedge.dogfood",
"com.microsoft.msedge-df.beta"
)}
2026-05-07 13:26:11:718 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Keychain find status: -25300
2026-05-07 13:26:11:718 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Start redirect_uri validation with isRunTimeLikeApp: 1 teamID != nil: 0 sourceApp: redirectURI:
2026-05-07 13:26:11:718 | E | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Creating Error with description: SouceApplication is invalid
2026-05-07 13:26:11:719 | E | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Failed to handle SSO request, error Error Domain=MSALErrorDomain Code=-42000 "(null)" UserInfo={MSALErrorDescriptionKey=SouceApplication is invalid}
2026-05-07 13:26:11:719 | I | ADB v3.16.5/WPJ v3.14.1 | Finish calling executing SSO extension request. (new handler)
2026-05-07 13:26:11:719 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Finish executing request.
2026-05-07 13:26:11:719 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Finished SSO request.
The MSAL Python version you are using
Paste the output of this
msal==1.36.0 (with broker extra)
Additional context
- Reproduces consistently, even after clearing all cached tokens.
- The calling application is an unsigned Python process (Python Build Standalone distribution), which may affect broker redirect URI validation or sourceApplication resolution.
- The same codebase works correctly on Windows, Linux, and macOS Apple Silicon (M3) - it does appear to be Intel-specific or broker request payload related judging by the empty sourceApp in the broker logs.
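
A triage pass over the broker log above, as an added example that is not part of the original report or of MSAL: it extracts the error-level entries, the feature flags set by configuration, and the caller identity fields from the redirect_uri validation line. The function name `triage` and the report keys are assumptions; the sample lines are copied from the log in the report.

```python
import re

# Line shape in the Company Portal log: "<time> | <level> | <component> | <message>"
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d:\d{3}) \| ([A-Z]) \| [^|]+ \| (.*)$")
PREFIX = re.compile(r"^TID=\d+ MSAL \S+ Mac \S+ \[[^\]]*\] ")  # per-request context
FLAG = re.compile(r"Checking for feature \w+ (\S+), value in config (.+?), value type")
REDIRECT = re.compile(r"isRunTimeLikeApp: (\d) teamID != nil: (\d) "
                      r"sourceApp:\s*(\S*?)\s*redirectURI:\s*(\S*)")

def triage(log_text):
    """Return errors, config-set feature flags and caller-identity findings."""
    report = {"errors": [], "overridden_flags": {}, "caller": None, "findings": []}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # continuation lines (e.g. the bundle-ID list) are skipped
        level, msg = m.group(2), PREFIX.sub("", m.group(3))
        if level == "E":
            report["errors"].append(msg)
        f = FLAG.search(msg)
        if f and f.group(2) != "(null)":  # "(null)" means the default applies
            report["overridden_flags"][f.group(1)] = f.group(2)
        r = REDIRECT.search(msg)
        if r:
            report["caller"] = {"runtime_like": r.group(1) == "1",
                                "has_team_id": r.group(2) == "1",
                                "source_app": r.group(3), "redirect_uri": r.group(4)}
    c = report["caller"]
    if c and not c["source_app"]:
        report["findings"].append("sourceApp is empty in redirect_uri validation")
    if c and not c["has_team_id"]:
        report["findings"].append("teamID != nil is 0 for the caller")
    return report

# Lines copied from the log in the report (only the relevant ones).
SAMPLE = """\
2026-05-07 13:26:11:692 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature flag enable_js_platform_authentication, value in config 1, value type __NSCFNumber, this feature is disabled by default
2026-05-07 13:26:11:692 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Checking for feature flag browser_sso_interaction_enabled, value in config (null), value type (null), this feature is enabled by default
2026-05-07 13:26:11:709 | E | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] token_type key is missing in dictionary.
2026-05-07 13:26:11:718 | I | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Start redirect_uri validation with isRunTimeLikeApp: 1 teamID != nil: 0 sourceApp: redirectURI:
2026-05-07 13:26:11:718 | E | ADB v3.16.5/WPJ v3.14.1 | TID=239902 MSAL 2.9.0 Mac 26.4.1 [2026-05-07 20:26:11] Creating Error with description: SouceApplication is invalid
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```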