AzureAD · melissaahn · Oct 10, 2025 · Sep 18, 2025 · Sep 19, 2025 · Sep 25, 2025
@@ -642,7 +642,7 @@ public static final class Broker {
          *
          * @see <a href="https://identitydivision.visualstudio.com/DevEx/_git/AuthLibrariesApiReview?path=/%5BAndroid%5D%20Broker%20API/broker_protocol_versions.md">Android Auth Broker Protocol Versions</a>
          */
-        public static final String LATEST_MSAL_TO_BROKER_PROTOCOL_VERSION_CODE = "18.0";
+        public static final String LATEST_MSAL_TO_BROKER_PROTOCOL_VERSION_CODE = "19.0";
 
         /**
          * The maximum msal-to-broker protocol version known by clients such as MSAL Android.
@@ -1361,6 +1361,11 @@ public static String computeMaxHostBrokerProtocol() {
          */
         public static final String BROKER_GENERATE_SSO_TOKEN_RESULT = "broker_generate_sso_token";
 
+        /**
+         * String for all SSO tokens result.
+         */
+        public static final String BROKER_GENERATE_ALL_SSO_TOKENS_RESULT = "broker_generate_all_sso_tokens";
+
         /**
          * String for generate shr result.
          */
@@ -1673,6 +1678,8 @@ public enum API {
             BROKER_GET_FLIGHTS(BROKER_API_GET_FLIGHTS_PATH, BROKER_VERSION_3, null),
 
             GET_SSO_TOKEN(GET_SSO_TOKEN_PATH, null, VERSION_7),
+            GET_ALL_SSO_TOKENS(GET_ALL_SSO_TOKENS_PATH, null, null),
+
             UNKNOWN(null, null, null),
             DEVICE_REGISTRATION_PROTOCOLS(DEVICE_REGISTRATION_PROTOCOLS_PATH, null, null),
             BROKER_UPLOAD_LOGS(BROKER_API_UPLOAD_LOGS, BROKER_VERSION_4, null),
@@ -1848,6 +1855,11 @@ public String getMsalVersion(){
          */
         public static final String GET_SSO_TOKEN_PATH = "/ssoToken";
 
+        /**
+         * Api path for getting all SSO tokens based on environment.
+         */
+        public static final String GET_ALL_SSO_TOKENS_PATH = "/allSsoTokens";
+
         /**
          * ContentProvider path to get the preferred auth method.
          */

@@ -63,6 +63,7 @@ public enum Operation {
         BROKER_GET_FLIGHTS(API.BROKER_GET_FLIGHTS, null),
         BROKER_SET_FLIGHTS(API.BROKER_SET_FLIGHTS, null),
         MSAL_SSO_TOKEN(API.GET_SSO_TOKEN, null),
+        MSAL_ALL_SSO_TOKENS(API.GET_ALL_SSO_TOKENS, null),
         DEVICE_REGISTRATION_OPERATIONS(API.DEVICE_REGISTRATION_PROTOCOLS, null),
         BROKER_API_UPLOAD_LOGS(API.BROKER_UPLOAD_LOGS, null),
         MSAL_FETCH_DCF_AUTH_RESULT(API.FETCH_DCF_AUTH_RESULT, null),

@@ -81,6 +81,7 @@
 import com.microsoft.identity.common.java.authscheme.PopAuthenticationSchemeWithClientKeyInternal;
 import com.microsoft.identity.common.java.cache.ICacheRecord;
 import com.microsoft.identity.common.java.cache.MsalOAuth2TokenCache;
+import com.microsoft.identity.common.java.commands.AcquirePrtSsoTokenBatchResult;
 import com.microsoft.identity.common.java.commands.AcquirePrtSsoTokenResult;
 import com.microsoft.identity.common.java.commands.parameters.AcquirePrtSsoTokenCommandParameters;
 import com.microsoft.identity.common.java.commands.parameters.CommandParameters;
@@ -119,6 +120,8 @@
 import com.microsoft.identity.common.logging.Logger;
 import com.microsoft.identity.common.sharedwithoneauth.OneAuthSharedFunctions;
 
+import java.util.ArrayList;
+import java.util.Collections;
 import java.util.List;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.TimeUnit;
@@ -1188,6 +1191,65 @@ public void putValueInSuccessEvent(@NonNull final ApiEndEvent event,
         });
     }
 
+    /**
+     * Get all SSO tokens from broker by environment from given request authority.
+     * @param parameters {@link AcquirePrtSsoTokenCommandParameters}
+     * @return {@link AcquirePrtSsoTokenBatchResult} containing all relevant SSO tokens.
+     * @throws BaseException
+     */
+    public AcquirePrtSsoTokenBatchResult getAllSsoTokens(@NonNull final AcquirePrtSsoTokenCommandParameters parameters) throws BaseException {
+        return getBrokerOperationExecutor().execute(parameters,
+                new BrokerOperation<AcquirePrtSsoTokenBatchResult>() {
+                    private String negotiatedBrokerProtocolVersion;
+
+                    @Override
+                    public void performPrerequisites(@NonNull final IIpcStrategy strategy) throws BaseException {
+                        negotiatedBrokerProtocolVersion = hello(strategy, parameters.getRequiredBrokerProtocolVersion());
+                    }
+
+                    @NonNull
+                    @Override
+                    public BrokerOperationBundle getBundle() throws ClientException {
+                        return new BrokerOperationBundle(
+                                BrokerOperationBundle.Operation.MSAL_ALL_SSO_TOKENS,
+                                mActiveBrokerPackageName,
+                                mRequestAdapter.getRequestBundleForAllSsoTokens(
+                                        parameters,
+                                        negotiatedBrokerProtocolVersion
+                                )
+                        );
+                    }
+
+                    @NonNull
+                    @Override
+                    public AcquirePrtSsoTokenBatchResult extractResultBundle(
+                            @Nullable final Bundle resultBundle) throws BaseException {
+                        if (resultBundle == null) {
+                            throw mResultAdapter.getExceptionForEmptyResultBundle();
+                        }
+                        verifyBrokerVersionIsSupported(resultBundle, parameters.getRequiredBrokerProtocolVersion());
+                        return mResultAdapter.getAcquirePrtSsoTokenBatchResultFromBundle(resultBundle);
+                    }
+
+                    @NonNull
+                    @Override
+                    public String getMethodName() {
+                        return ":getAllSsoTokens";
+                    }
+
+                    @Nullable
+                    @Override
+                    public String getTelemetryApiId() {
+                        return null;
+                    }
+
+                    @Override
+                    public void putValueInSuccessEvent(@NonNull final ApiEndEvent event,
+                                                       @NonNull final AcquirePrtSsoTokenBatchResult result) {
+                    }
+                });
+    }
+
     /**
      * Sign in a resource account in broker based on given parameters. Should called by OneAuth/MSAL
      * to provision resource account in broker.

@@ -232,6 +232,24 @@ public BrokerRequest brokerRequestFromSilentOperationParameters(@NonNull final S
         return requestBundle;
     }
 
+    public Bundle getRequestBundleForAllSsoTokens(
+            @NonNull final AcquirePrtSsoTokenCommandParameters parameters,
+            @NonNull final String negotiatedBrokerProtocolVersion) {
+
+        final Bundle bundle = new Bundle();
+        bundle.putString(AuthenticationConstants.Broker.NEGOTIATED_BP_VERSION_KEY, negotiatedBrokerProtocolVersion);
+        if (parameters.getRequestAuthority() != null) {
+            bundle.putString(AuthenticationConstants.Broker.REQUEST_AUTHORITY, parameters.getRequestAuthority());
+        }
+        if (parameters.getSsoUrl() != null) {
+            bundle.putString(AuthenticationConstants.Broker.BROKER_SSO_URL_KEY, parameters.getSsoUrl());
+        }
+        if (parameters.getCorrelationId() != null) {
+            bundle.putString(AuthenticationConstants.Broker.ACCOUNT_CORRELATIONID, parameters.getCorrelationId());
+        }
+        return bundle;
+    }
+
     /**
      * Method to construct a request bundle for broker hello request.
      *

@@ -34,6 +34,7 @@
 
 import com.microsoft.identity.common.adal.internal.ADALError;
 import com.microsoft.identity.common.adal.internal.AuthenticationConstants;
+import com.microsoft.identity.common.java.commands.AcquirePrtSsoTokenBatchResult;
 import com.microsoft.identity.common.java.commands.AcquirePrtSsoTokenResult;
 import com.microsoft.identity.common.java.constants.OAuth2ErrorCode;
 import com.microsoft.identity.common.java.exception.ArgumentException;
@@ -184,6 +185,12 @@ public AcquirePrtSsoTokenResult getAcquirePrtSsoTokenResultFromBundle(Bundle res
         throw new UnsupportedOperationException();
     }
 
+    @NonNull
+    @Override
+    public AcquirePrtSsoTokenBatchResult getAcquirePrtSsoTokenBatchResultFromBundle(Bundle resultBundle) {
+        throw new UnsupportedOperationException();
+    }
+
     /**
      * Helper method to map and add errors to Adal specific constants.
      */

@@ -27,6 +27,7 @@
 import androidx.annotation.NonNull;
 import androidx.annotation.Nullable;
 
+import com.microsoft.identity.common.java.commands.AcquirePrtSsoTokenBatchResult;
 import com.microsoft.identity.common.java.commands.AcquirePrtSsoTokenResult;
 import com.microsoft.identity.common.java.exception.BaseException;
 import com.microsoft.identity.common.java.result.ILocalAuthenticationResult;
@@ -75,4 +76,7 @@ public interface IBrokerResultAdapter {
      */
     @NonNull
     AcquirePrtSsoTokenResult getAcquirePrtSsoTokenResultFromBundle(Bundle resultBundle);
+
+    @NonNull
+    AcquirePrtSsoTokenBatchResult getAcquirePrtSsoTokenBatchResultFromBundle(Bundle resultBundle);
 }
@@ -26,6 +26,7 @@
 import static com.microsoft.identity.common.adal.internal.AuthenticationConstants.Broker.BROKER_ACCOUNTS_COMPRESSED;
 import static com.microsoft.identity.common.adal.internal.AuthenticationConstants.Broker.BROKER_ACTIVITY_NAME;
 import static com.microsoft.identity.common.adal.internal.AuthenticationConstants.Broker.BROKER_DEVICE_MODE;
+import static com.microsoft.identity.common.adal.internal.AuthenticationConstants.Broker.BROKER_GENERATE_ALL_SSO_TOKENS_RESULT;
 import static com.microsoft.identity.common.adal.internal.AuthenticationConstants.Broker.BROKER_GENERATE_SHR_RESULT;
 import static com.microsoft.identity.common.adal.internal.AuthenticationConstants.Broker.BROKER_GENERATE_SSO_TOKEN_RESULT;
 import static com.microsoft.identity.common.adal.internal.AuthenticationConstants.Broker.BROKER_PACKAGE_NAME;
@@ -56,6 +57,7 @@
 import com.microsoft.identity.common.java.authorities.AzureActiveDirectoryAudience;
 import com.microsoft.identity.common.java.cache.CacheRecord;
 import com.microsoft.identity.common.java.cache.ICacheRecord;
+import com.microsoft.identity.common.java.commands.AcquirePrtSsoTokenBatchResult;
 import com.microsoft.identity.common.java.commands.AcquirePrtSsoTokenResult;
 import com.microsoft.identity.common.java.constants.OAuth2ErrorCode;
 import com.microsoft.identity.common.java.constants.OAuth2SubErrorCode;
@@ -414,6 +416,12 @@ public AcquirePrtSsoTokenResult getAcquirePrtSsoTokenResultFromBundle(Bundle res
         return GSON.fromJson(resultBundle.getString(BROKER_GENERATE_SSO_TOKEN_RESULT), AcquirePrtSsoTokenResult.class);
     }
 
+    @NonNull
+    @Override
+    public AcquirePrtSsoTokenBatchResult getAcquirePrtSsoTokenBatchResultFromBundle(Bundle resultBundle) {
+        return GSON.fromJson(resultBundle.getString(BROKER_GENERATE_ALL_SSO_TOKENS_RESULT), AcquirePrtSsoTokenBatchResult.class);
+    }
+
     @NonNull
     public Bundle bundleFromBrokerResult(@NonNull final BrokerResult brokerResult,
                                          @Nullable final String negotiatedBrokerProtocolVersion) {

@@ -0,0 +1,74 @@
+// Copyright (c) Microsoft Corporation.
+// All rights reserved.
+//
+// This code is licensed under the MIT License.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files(the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions :
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+package com.microsoft.identity.common.java.commands;
+
+import com.google.gson.annotations.SerializedName;
+
+import java.util.List;
+import java.util.Map;
+
+import edu.umd.cs.findbugs.annotations.Nullable;
+import lombok.Builder;
+import lombok.Getter;
+import lombok.NonNull;
+import lombok.experimental.Accessors;
+
+/**
+ * A DTO for the results of a batch AcquirePrtSsoToken request.
+ */
+@Builder
+@Getter
+@Accessors(prefix = "m")
+public class AcquirePrtSsoTokenBatchResult {
+
+    /**
+     * List of successful per-account results keyed by home account id.
+     */
+    @SerializedName("results")
+    private final @NonNull List<AcquirePrtSsoTokenResult> mResults;
+
+    /**
+     * Map of failed accounts keyed by home account id with error message/code.
+     * (Only include accounts that did not produce a full result object.)
+     */
+    @SerializedName("failedAccounts")
+    private final @Nullable Map<String, String> mFailedAccounts;
+
+    /**
+     * Optional top-level error.
+     */
+    @SerializedName("error")
+    private final @Nullable String mError;
+
+    /**
+     * Correlation id for diagnostics.
+     */
+    @SerializedName("correlationId")
+    private final @Nullable String mCorrelationId;
+
+    /**
+     * Authority used for the request.
+     */
+    @SerializedName("authority")
+    private final @Nullable String mAuthority;
+}
@@ -89,4 +89,10 @@ public class AcquirePrtSsoTokenResult {
     @SerializedName("telemetry")
     private final @NonNull Map<String, Object> mTelemetry;
 
+    /**
+     * The time when the token was acquired, in milliseconds since epoch.
+     */
+    @SerializedName("AcquisitionTimeMillis")
+    private final @Nullable Long mAcquisitionTimeMillis;
+
 }
@@ -66,6 +66,6 @@ public enum SpanName {
     SwitchBrowserProcess,
     WrappedKeyAlgorithmIdentifier,
     ProcessWebCpRedirects,
-
-    ProvisionResourceAccount
+    ProvisionResourceAccount,
+    GetAllSsoTokens
 }