browser-bearer-graph-authlisted
Install: claude install-skill CarlosCaPe/octorato
# Browser-Bearer Microsoft Graph Auth
## What
A pattern for capturing a Microsoft Graph bearer token by driving a real Edge browser via Playwright, intercepting the token from the first authenticated Graph request, and persisting the Edge session for subsequent silent refresh.
This is the workaround you reach for **after** Conditional Access has blocked every other OAuth path you tried. It is not the production answer. It is the path that lets a single consultant make progress while waiting for an admin-consented App Registration.
## Why
Many enterprise tenants (especially in healthcare, finance, defense) enforce a Conditional Access policy that requires:
- Compliant or hybrid-joined device, OR
- Device registered with Intune / Entra ID, OR
- App protection policy active
OAuth Device Code Flow cannot satisfy any of these — the device authenticating in the browser is not the device presenting the code. Headless OAuth flows fail for the same reason. Empirical results from a real tenant:
| OAuth client | Result |
|---|---|
| Microsoft Graph PowerShell (`14d82eec-c10e-4ab5-bd9c-b31da76ffd80`) Device Code | BLOCKED — AADSTS53003 "Device state: Unregistered" |
| Azure CLI (`04b07795-8ddb-461a-bbee-02f9e1bf7b46`) Device Code | BLOCKED — same error, even on VPN |
| `Connect-MgGraph` WAM broker (sandboxed PowerShell) | FAILED — needs window handle, not available from sandboxed shell |
| Browser-driven (Playwright + Edge) | WORKS — Edge has WAM, sends device identity claim |
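Before a token captured this way is persisted or reused, it is worth checking that it is what the table above claims it is: issued for Graph, carrying a device identity claim, and still within its lifetime. The following is an added example, not part of the skill, and only decodes claims (it does not verify the signature; only the resource does that). It assumes the standard Entra ID claim names `aud`, `deviceid`, `scp`, `tid` and `exp`; the sample token is constructed inline and unsigned.

```python
import base64
import json
import time
from typing import Optional

# Graph can appear as either its resource URI or its well-known app id.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_graph_token(token: str, now: Optional[float] = None) -> dict:
    """Report on a bearer token's claims without verifying its signature.

    This is a hygiene check on a token the browser already obtained, not
    validation. The report tells the caller whether the token is for Graph,
    whether the device identity claim is present (the reason Edge/WAM passes
    Conditional Access), what it is scoped to, and how long it remains valid.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    claims = json.loads(_b64url_decode(parts[1]))
    now = time.time() if now is None else now
    return {
        "audience_ok": claims.get("aud") in GRAPH_AUDIENCES,
        "has_device_claim": "deviceid" in claims,
        "scopes": sorted(claims.get("scp", "").split()),
        "seconds_until_expiry": int(claims.get("exp", 0) - now),
        "tenant": claims.get("tid"),
    }


def _unsigned_jwt(claims: dict) -> str:
    # Constructed sample only: real Entra ID tokens are RS256-signed.
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample claims (placeholder tenant and device ids).
SAMPLE_NOW = 1_700_000_000
SAMPLE_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "tid": "00000000-0000-0000-0000-000000000000",
    "deviceid": "11111111-1111-1111-1111-111111111111",
    "scp": "User.Read Mail.Read",
    "exp": SAMPLE_NOW + 3600,
}
SAMPLE_TOKEN = _unsigned_jwt(SAMPLE_CLAIMS)
```

A token that reports `has_device_claim` False was not obtained through a device-bound session and will not survive the same Conditional Access policy on refresh.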
E