
Entra: FederatedTokenValidationPolicy Test. If federation is enabled for a domain, the policy should enforce validation.

[Open] merill opened this issue 3 months ago • 0 comments

This test will validate whether the tenant is configured to block federated tokens (deny the sign-in request) from asserting to managed accounts or to accounts belonging to a different federated domain in the same tenant.

What is it? With this policy you will be able to secure accounts by validating whether the domain in the mapped Entra Id account matches the token issuer domain. The new policy will confirm that the domain in Entra Id associated with the federated IdP matches with the root domain of the mapped Entra ID account. Admins will be able to apply this policy to all or specific verified federated or managed root domains registered in their Entra ID tenant.

How does it work: If this validation is enabled for contoso.com (managed root domain) or fabrikam.com (federated root domain), federated token issued for [email protected] will not be able to assert an Entra Id account [email protected] or [email protected] even if [email protected] immutableId is mapped with [email protected] or [email protected] immutableId. This will ensure protection against any attack vector looking to elevate privileges by impersonating a user ([email protected] trying to impersonate [email protected] or [email protected]).

By default, the validation is disabled for all the domains in the tenant. Admins will need to enable the validation for all or specific root domains via MS Graph API.

Why? This validation:

  • Will strengthen federated authentication by blocking federated tokens from asserting to managed accounts or accounts belonging to a different federated domain in the same tenant.
  • Will protect against any attack vector looking to elevate privileges by impersonating a user.

There will be no change in user experience if this validation succeeds. However, if the validation fails, admins will see a sign-in failure in the sign-in logs, along with the mismatch between the domain in Entra ID associated with the federated IdP and the root domain of the mapped Entra ID account.

To read more about how to configure Federated Token Validation Policy head over to federatedTokenValidationPolicy resource type - Microsoft Graph beta | Microsoft Learn

merill, Apr 01 '24 02:04
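The check the issue describes, as an added PowerShell example that is not Maester's own test code. It reads the tenant's Federated Token Validation Policy from the Microsoft Graph beta endpoint and reports, for each verified root domain, whether validation is enforced. Assumptions: the resource path `/beta/policies/federatedTokenValidationPolicy` and the `validatingDomains` shape (`validationMode`, `rootDomains`) follow the Microsoft Learn resource-type page linked above; the `validationMode` values handled here (`none`, `all`, `enterprise`) are my understanding of that resource and should be confirmed against the current documentation. The sample policy object is constructed so the function can be exercised offline.

```powershell
# Added example (not Maester's or Microsoft's code). Requires Microsoft.Graph.Authentication
# for the live section; the function itself works on any object with the documented shape.

function Get-FederatedTokenValidationStatus {
    param(
        [Parameter(Mandatory)] [object]   $Policy,      # federatedTokenValidationPolicy object
        [Parameter(Mandatory)] [string[]] $RootDomains  # verified root domains to assess
    )
    $mode   = $Policy.validatingDomains.validationMode
    $listed = @($Policy.validatingDomains.rootDomains)

    foreach ($domain in $RootDomains) {
        # Assumed semantics of validationMode (verify against Microsoft Learn):
        #   'all'        -> every root domain in the tenant is validated
        #   'enterprise' -> only the domains listed in rootDomains are validated
        #   'none'/other -> validation is disabled (the tenant default)
        $enforced = switch ($mode) {
            'all'        { $true }
            'enterprise' { $listed -contains $domain }
            default      { $false }
        }
        [pscustomobject]@{
            Domain         = $domain
            ValidationMode = $mode
            Enforced       = $enforced
        }
    }
}

# --- Offline demonstration with a constructed policy object ---------------------------
# Constructed sample: validation enabled only for fabrikam.com (federated), not contoso.com.
$samplePolicy = [pscustomobject]@{
    validatingDomains = [pscustomobject]@{
        validationMode = 'enterprise'
        rootDomains    = @('fabrikam.com')
    }
}
$sampleDomains = @('contoso.com', 'fabrikam.com')
Get-FederatedTokenValidationStatus -Policy $samplePolicy -RootDomains $sampleDomains |
    Format-Table -AutoSize
# Expected: fabrikam.com Enforced = True, contoso.com Enforced = False (the gap to fix)

# --- Live run against the tenant (read-only; Policy.Read.All is sufficient to read) ---
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome
$policy = Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/beta/policies/federatedTokenValidationPolicy'

# Verified root domains of the tenant; isRoot filters out subdomains.
$roots = (Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/domains').value |
    Where-Object { $_.isVerified -and $_.isRoot } |
    Select-Object -ExpandProperty id

$report = Get-FederatedTokenValidationStatus -Policy $policy -RootDomains $roots
$report | Format-Table -AutoSize

$unprotected = @($report | Where-Object { -not $_.Enforced })
if ($unprotected.Count -gt 0) {
    Write-Warning ("Federated token validation is not enforced for: " +
                   ($unprotected.Domain -join ', '))
}
```

In a Maester/Pester test the final block would become an assertion such as `$unprotected.Count | Should -Be 0`; the script above keeps it as a warning so it can be run ad hoc. Reading the policy needs only `Policy.Read.All`; changing it is a separate, privileged operation and is deliberately left out of this example.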