We’re excited to announce the General Availability (GA) of Single Sign-On (SSO) from Native Apps to Embedded Web Views for Microsoft Entra External ID (EEID) Native Authentication.
This release marks a major milestone in delivering end-to-end seamless authentication experiences for modern CIAM applications, bridging the gap between native and web-based app surfaces.
Why refresh token (RT) transfer matters for Native Auth
Native Authentication enables developers to build fully in‑app, customizable sign-in experiences with secure token management.
However, modern applications increasingly extend beyond a single device.
Real-world scenarios include:
- Companion apps (e.g., Apple Watch)
- Widgets and background experiences
- Multi-surface mobile ecosystems
In these cases, devices like Apple Watch must independently access APIs even when disconnected from the phone.
Without RT transfer:
- Watch apps cannot refresh expired access tokens
- Users experience interruptions or forced re-authentication
- Developers resort to unsupported or insecure workarounds
As highlighted in customer scenarios (e.g., GM), this gap creates significant friction and can block adoption of native authentication in production environments. With GA of RT transfer, this problem is now solved.
What’s now generally available
With this release, developers can securely enable token continuity across devices, allowing companion apps like Apple Watch to maintain authenticated sessions independently.
✅ Independent token refresh on Apple Watch: companion devices can refresh access tokens without relying on phone connectivity, ensuring uninterrupted API access.
✅ Seamless cross-device experience: users authenticate once on their mobile app and continue interacting on secondary devices without additional sign-in prompts.
✅ Opt-in developer control: RT access is explicitly enabled via configuration, so developers consciously opt into this advanced scenario.
✅ Secure-by-design guidance: clear best practices for storage, transfer, and revocation are provided to maintain a strong security posture when handling refresh tokens.
How it works (high-level)
The RT transfer model builds on top of EEID Native Authentication and extends it to companion devices:
- User signs in via native authentication on iOS
- The app retrieves authentication tokens, including the RT via the opt-in API
- The RT is securely transmitted to the Apple Watch (e.g., via WatchConnectivity)
- The watch independently uses the RT to renew access tokens when needed
This creates a secure, long-lived authentication bridge across devices that keeps working when the phone is offline or only intermittently reachable. Note that the watch still needs its own network path to the token endpoint to redeem the RT; what it no longer depends on is the phone.
Developer scenarios unlocked
This capability is especially impactful for CIAM developers building multi-device ecosystems:
⌚ Companion device experiences (Apple Watch): enable fully functional, authenticated watch apps without requiring constant phone connectivity.
📱 Background and widget scenarios: support independent token refresh for widgets and background services running outside the primary app session.
🚗 Connected experiences (e.g., automotive apps): unblock real-world use cases where devices must operate autonomously while maintaining secure access.
🔒 Consistent authentication across surfaces: avoid fragmented identity flows and deliver a cohesive, trusted user experience across devices.
Behind the scenes: Why this matters
By design, MSAL historically does not expose refresh tokens, prioritizing security by keeping long-lived credentials protected within the SDK. However, this creates limitations for multi-device scenarios where token state must extend beyond a single device.
In practice, customers have already implemented workarounds, extracting tokens from secure storage and transferring them manually, which introduces inconsistency and risk.
With this GA release:
- RT access is formally supported via a controlled, opt-in API
- Developers receive clear security guidance (encryption, secure transport, revocation)
- The platform enables companion device scenarios without requiring unsupported approaches
This balances developer flexibility with enterprise-grade security expectations.
This is just the beginning of cross-device authentication
RT transfer represents a critical first step toward a broader vision of multi-device SSO and session continuity for Native Authentication.
We are actively investing in:
- Short-lived session transfer tokens for secure, brokered session handoff
- SSO across multiple apps and devices
- Advanced token lifecycle and rotation management
- Deeper integration with identity security controls (Conditional Access, policy)
Our goal is to deliver a modern, secure, multi-surface identity platform for CIAM.
Ready to get started with Native Authentication?
To enable refresh token transfer to Apple Watch:
- Configure Native Authentication in your Entra External ID tenant
- Enable RT access via explicit application configuration
- Implement secure token transfer (e.g., WatchConnectivity)
- Ensure proper handling of token rotation, revocation, and secure storage
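The four steps above, and the "How it works" sequence earlier in the post, as a Swift example added here (this is not Microsoft's sample code): the phone hands the refresh token it obtained from the opt-in RT accessor (which this example does not name) to the watch over WatchConnectivity, the watch keeps it only in the keychain, and the watch performs the refresh on its own and wipes the RT on revocation. The token endpoint, client ID, scopes, keychain service name and the "rt" payload key are placeholders, and the refresh is assumed to be a standard OAuth 2.0 refresh_token grant against the tenant's v2.0 token endpoint.

```swift
// Added example, not Microsoft's code. Placeholders: endpoint, client ID, scopes,
// keychain service, and the "rt" key used in the WatchConnectivity payload.
import Foundation
import Security
import WatchConnectivity

// Assumed: a standard OAuth 2.0 refresh_token grant at the tenant's v2.0 token endpoint.
let tokenEndpoint = URL(string: "https://contoso.ciamlogin.com/contoso.onmicrosoft.com/oauth2/v2.0/token")!
let clientId = "00000000-0000-0000-0000-000000000000"        // placeholder app registration ID
let scopes = "openid offline_access api://contoso-api/Read"  // placeholder scopes

enum RefreshError: Error { case noRefreshToken, transport, rejected(String), keychain(OSStatus) }

/// Keychain storage for the RT. ThisDeviceOnly keeps it out of backups and stops it
/// migrating to another device; AfterFirstUnlock still allows background refresh.
enum TokenStore {
    private static let baseQuery: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: "com.example.companion",  // placeholder
        kSecAttrAccount as String: "entra.refresh_token",
    ]
    static func save(_ rt: String) throws {
        SecItemDelete(baseQuery as CFDictionary)             // replace, never keep an old copy
        var q = baseQuery
        q[kSecValueData as String] = Data(rt.utf8)
        q[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
        let status = SecItemAdd(q as CFDictionary, nil)
        guard status == errSecSuccess else { throw RefreshError.keychain(status) }
    }
    static func load() -> String? {
        var q = baseQuery
        q[kSecReturnData as String] = true
        q[kSecMatchLimit as String] = kSecMatchLimitOne
        var out: CFTypeRef?
        guard SecItemCopyMatching(q as CFDictionary, &out) == errSecSuccess,
              let data = out as? Data else { return nil }
        return String(decoding: data, as: UTF8.self)
    }
    static func delete() { SecItemDelete(baseQuery as CFDictionary) }
}

#if os(iOS)
/// Phone side: call handOff(refreshToken:) once native-auth sign-in has completed
/// and the opt-in RT accessor (not named here) has returned the token.
final class PhoneHandoff: NSObject, WCSessionDelegate {
    func activate() {
        guard WCSession.isSupported() else { return }
        WCSession.default.delegate = self
        WCSession.default.activate()
    }
    func handOff(refreshToken: String) {
        let s = WCSession.default
        guard s.activationState == .activated, s.isPaired, s.isWatchAppInstalled else { return }
        // transferUserInfo is queued and delivered over the paired-device channel even if the
        // watch app is not running. Never log the RT or put it in updateApplicationContext,
        // which the system persists on both devices.
        _ = s.transferUserInfo(["rt": refreshToken])
    }
    func session(_ session: WCSession, activationDidCompleteWith state: WCSessionActivationState, error: Error?) {}
    func sessionDidBecomeInactive(_ session: WCSession) {}
    func sessionDidDeactivate(_ session: WCSession) { session.activate() }
}
#endif

#if os(watchOS)
/// Watch side: receive the RT once and keep it only in the keychain.
final class WatchReceiver: NSObject, WCSessionDelegate {
    func activate() {
        WCSession.default.delegate = self
        WCSession.default.activate()
    }
    func session(_ session: WCSession, didReceiveUserInfo userInfo: [String: Any] = [:]) {
        guard let rt = userInfo["rt"] as? String else { return }
        try? TokenStore.save(rt)
    }
    func session(_ session: WCSession, activationDidCompleteWith state: WCSessionActivationState, error: Error?) {}
}
#endif

struct TokenResponse: Decodable { let access_token: String; let refresh_token: String?; let expires_in: Int }
struct TokenErrorBody: Decodable { let error: String }

/// Watch refreshes without the phone; it still needs its own Wi-Fi or cellular path to the endpoint.
func refreshAccessToken() async throws -> TokenResponse {
    guard let rt = TokenStore.load() else { throw RefreshError.noRefreshToken }
    var allowed = CharacterSet.alphanumerics
    allowed.insert(charactersIn: "-._~")                     // strict form encoding of each value
    let form = ["client_id": clientId, "grant_type": "refresh_token", "refresh_token": rt, "scope": scopes]
        .map { "\($0.key)=\($0.value.addingPercentEncoding(withAllowedCharacters: allowed) ?? "")" }
        .joined(separator: "&")
    var req = URLRequest(url: tokenEndpoint)
    req.httpMethod = "POST"
    req.setValue("application/x-www-form-urlencoded", forHTTPHeaderField: "Content-Type")
    req.httpBody = Data(form.utf8)
    let (data, resp) = try await URLSession.shared.data(for: req)
    guard let http = resp as? HTTPURLResponse else { throw RefreshError.transport }
    guard http.statusCode == 200 else {
        let code = (try? JSONDecoder().decode(TokenErrorBody.self, from: data))?.error ?? "http_\(http.statusCode)"
        // invalid_grant: the RT is revoked, expired or no longer accepted. Wipe it so the
        // watch stops retrying and asks the phone for a fresh handoff instead.
        if code == "invalid_grant" { TokenStore.delete() }
        throw RefreshError.rejected(code)
    }
    let token = try JSONDecoder().decode(TokenResponse.self, from: data)
    // If the response carries a rotated RT, persist it so later refreshes use the current one.
    if let rotated = token.refresh_token { try TokenStore.save(rotated) }
    return token
}
```

Two design points worth keeping when adapting this: transferUserInfo is used rather than sendMessage because it does not require the watch to be reachable at that instant, and the RT is never written anywhere except a ThisDeviceOnly keychain item, so a device backup or a migration to a new watch cannot carry it along. Revocation is handled where it surfaces, at the token endpoint: an invalid_grant response deletes the stored RT rather than leaving a dead credential on the watch.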
Stay connected and informed
To learn more or test out features in the Microsoft Entra suite of products, visit our developer center. Make sure you subscribe to the Identity blog for more insights and to keep up with the latest on all things Identity. And, follow us on YouTube for video overviews, tutorials, and deep dives.
Subject: URGENT Formal Proposal Project The Light for Global Identity Sovereignty
Dear Microsoft Leadership,
I am Lekbir El Marouani, writing to formally address a critical architectural failure in current identity recovery workflows. The existing system operates in a state of systemic blindness where the recovery mechanism itself becomes a weapon for attackers. As documented in VULN-056593, VULN-056738, VULN-169872, 105534, and CRM 0022118606, the system cannot distinguish between a legitimate user and a thief when a device is compromised. This creates a circular dependency loop that directly undermines the security Microsoft promises to its users.
I am proposing a decisive solution called Project The...