How to enable optional claim xms_edov which does not appear in Token Configuration in Azure AD App Registration by default?

Question

A serious potential vulnerability in Azure AD for apps that rely on the email claim has been identified. [A]

Short term remediation can be done by enabling optional claim xms_edov in token configuration [B] This is a more of an immediate fix while the proper recommendations are implemented.

However that clain xms_edov does not appear in Token Configuration in Azure AD App Registration by default.

Editing the Manifest in the UI Manifest editor to manually add the claim shows an error in the UI after saving.

Are there other places in Azure AD where this claim can be surfaced so that it is available for use in Token claim configuration.

In particular, we are looking for the claim to be added to ID token.

[A] https://www.descope.com/blog/post/noauth and https://msrc.microsoft.com/blog/2023/06/potential-risk-of-privilege-escalation-in-azure-ad-applications/?_gl=1*11xcvcy*_gcl_au*Nzg2NjU0NDIxLjE2ODc4MDQ0NzM. [B] https://learn.microsoft.com/en-us/azure/active-directory/develop/migrate-off-email-claim-authorization

(To secure applications from mistakes with unverified email addresses, all new multi-tenant applications are automatically opted-in to a new default behavior that removes email addresses with unverified domain owners from tokens as of June 2023. This behavior is not enabled for single-tenant applications and multi-tenant applications with previous sign-in activity with domain-owner unverified email addresses ) We are trying to remediate older apps created before Jun 2023.

Answer 1

The attribute or claim which are not present in the optional claims can be created by the following way.

Make sure to Install AzureAdPreview module in the powershell. acceptMappedClaims to true

Code:

New-AzureADPolicy -Definition @('
{
    "ClaimsMappingPolicy":
    {
        "Version":1,"IncludeBasicClaimSet":"true", 
        "ClaimsSchema": [{"Source":"user","ID":"extensionattribute1","SamlClaimType":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/xms_edov","JwtClaimType":"xms_edov"}]
    }
}') -DisplayName "xms_edov" -Type "ClaimsMappingPolicy"

// Then add this policy to the service principal of the app: Add-AzureADServicePrincipalPolicy -RefObjectIdof Policy 'PolicyID' -Id 'ServicePrincipalObjID'

Add-AzureADServicePrincipalPolicy -Id 44d0xxxx    -RefObjectId 7f050xxx

Get-AzureADServicePrincipalPolicy -Id <serviceprincipalObjectId>

Make "acceptMappedClaims": true in the maifest of the app.

Then the user can be loggedin with that attrivute

Also check https://stackoverflow.com/questions/75671482/cannot-find-type-microsoft-open-azuread-model-claimsmappingpolicy-error