NAA or BroCI...? Let Me Explain
ID: d9d592c8-bb9e-5e92-979f-146942ee62bb
STIX ID: report--d9d592c8-bb9e-5e92-979f-146942ee62bb
Feed Name: SpecterOps Blog
This writeup documents Nested Application Authentication (NAA) / brokered client IDs (BroCI), as used by Microsoft SPAs and host applications to broker tokens for nested apps. It explains the brokering flows (prefetch and on-demand), BroCI token lifetimes, and request parameters; highlights tooling and enumeration resources for identifying brokerable apps; and discusses OPSEC/logging considerations and limitations that affect abuse potential.
