Reputation: 702
A serious potential vulnerability in Azure AD for apps that rely on the email claim has been identified. [A]
Short-term remediation can be done by enabling the optional claim xms_edov in token configuration [B]. This is more of an immediate fix while the proper recommendations are implemented.
However, that claim xms_edov does not appear in Token Configuration in Azure AD App Registration by default.
Editing the Manifest in the UI Manifest editor to manually add the claim shows an error in the UI after saving.
Are there other places in Azure AD where this claim can be surfaced so that it is available for use in Token claim configuration?
In particular, we are looking for the claim to be added to ID token.
[A] https://www.descope.com/blog/post/noauth and https://msrc.microsoft.com/blog/2023/06/potential-risk-of-privilege-escalation-in-azure-ad-applications/?_gl=1*11xcvcy*_gcl_au*Nzg2NjU0NDIxLjE2ODc4MDQ0NzM. [B] https://learn.microsoft.com/en-us/azure/active-directory/develop/migrate-off-email-claim-authorization
(To secure applications from mistakes with unverified email addresses, all new multi-tenant applications are automatically opted-in to a new default behavior that removes email addresses with unverified domain owners from tokens as of June 2023. This behavior is not enabled for single-tenant applications and multi-tenant applications with previous sign-in activity with domain-owner unverified email addresses.) We are trying to remediate older apps created before Jun 2023.
Upvotes: 6
Views: 895
Reputation: 10859
Attributes or claims which are not present in the optional claims can be created in the following way.
Make sure to install the AzureADPreview module in PowerShell, and set acceptMappedClaims to true.
Code:
# Create a claims mapping policy that emits the mapped attribute as the JWT claim "xms_edov"
New-AzureADPolicy -Definition @('
{
"ClaimsMappingPolicy":
{
"Version":1,"IncludeBasicClaimSet":"true",
"ClaimsSchema": [{"Source":"user","ID":"extensionattribute1","SamlClaimType":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/xms_edov","JwtClaimType":"xms_edov"}]
}
}') -DisplayName "xms_edov" -Type "ClaimsMappingPolicy"
# Then add this policy to the service principal of the app:
# Add-AzureADServicePrincipalPolicy -RefObjectId <PolicyID> -Id <ServicePrincipalObjID>
Add-AzureADServicePrincipalPolicy -Id 44d0xxxx -RefObjectId 7f050xxx
# Verify the policy is attached to the service principal
Get-AzureADServicePrincipalPolicy -Id <serviceprincipalObjectId>
Set "acceptMappedClaims": true in the manifest of the app.
Then the user can be logged in with that attribute.
Upvotes: 2