
Entra: FederatedTokenValidationPolicy Test. If federation is enabled for a domain, the policy should enforce validation. #54

Open
merill opened this issue Apr 1, 2024 · 0 comments

Comments

@merill (Contributor)

merill commented Apr 1, 2024

This test will validate whether the tenant is configured to block federated tokens (deny the sign-in request) from asserting to managed accounts or accounts belonging to a different federated domain in the same tenant.

What is it?
With this policy you will be able to secure accounts by validating whether the domain in the mapped Entra Id account matches the token issuer domain. The new policy will confirm that the domain in Entra Id associated with the federated IdP matches with the root domain of the mapped Entra ID account. Admins will be able to apply this policy to all or specific verified federated or managed root domains registered in their Entra ID tenant.

How does it work:
If this validation is enabled for contoso.com (managed root domain) or fabrikam.com (federated root domain), a federated token issued for [email protected] will not be able to assert an Entra ID account [email protected] or [email protected], even if the [email protected] immutableId is mapped to the [email protected] or [email protected] immutableId. This will ensure protection against any attack vector looking to elevate privileges by impersonating a user ([email protected] trying to impersonate [email protected] or [email protected]).

By default, the validation is disabled for all the domains in the tenant. Admins will need to enable the validation for all or specific root domains via MS Graph API.

Why?
This validation:

  • Will strengthen federated authentication by blocking federated tokens from asserting to managed accounts or accounts belonging to a different federated domain in the same tenant.
  • Will protect against any attack vector looking to elevate privileges by impersonating a user.

There will be no change in user experience if this validation succeeds. However, if the validation fails, admins will see a sign-in failure in the sign-in logs, along with the mismatch between the domain in Entra ID associated with the federated IdP and the root domain of the mapped Entra ID account.

To read more about how to configure the Federated Token Validation Policy, head over to federatedTokenValidationPolicy resource type - Microsoft Graph beta | Microsoft Learn.
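As an added example of the check this issue asks for (not Maester's own PowerShell test, and not Microsoft's code), the function below takes the tenant's domain list and its federatedTokenValidationPolicy and reports which federated root domains are still not covered by validation. The sample domains and policy are constructed. The policy shape it assumes (a `validatingDomains` object with a `rootDomains` mode of `none`, `all`, `allFederated`, `allManaged` or `enumerated`, plus a `domainNames` list) and the `isRoot` / `authenticationType` fields on domain records are assumptions to verify against the Graph beta docs linked above before wiring this to live API output.

```python
"""Added example: does the federatedTokenValidationPolicy cover every federated root domain?

Assumptions (labelled, not taken from the issue): the policy JSON carries
validatingDomains.rootDomains with one of the values in ENABLE_MODES, plus
validatingDomains.domainNames; domain records carry the Graph domain
resource's isRoot and authenticationType fields. All sample data is constructed.
"""
from typing import Dict, List

# Constructed sample of a GET /domains response, trimmed to the fields the check needs.
SAMPLE_DOMAINS: List[Dict] = [
    {"id": "contoso.com", "isRoot": True, "authenticationType": "Managed"},
    {"id": "fabrikam.com", "isRoot": True, "authenticationType": "Federated"},
    {"id": "sso.fabrikam.com", "isRoot": False, "authenticationType": "Federated"},
    {"id": "woodgrove.com", "isRoot": True, "authenticationType": "Federated"},
]

# Constructed sample policy: validation enabled only for fabrikam.com.
SAMPLE_POLICY: Dict = {
    "validatingDomains": {"rootDomains": "enumerated", "domainNames": ["fabrikam.com"]}
}

# Assumed set of rootDomains modes; anything else is treated as an unknown policy shape.
ENABLE_MODES = {"none", "all", "allFederated", "allManaged", "enumerated"}


def federated_root_domains(domains: List[Dict]) -> List[str]:
    """Root domains whose authentication type is Federated (sub-domains are out of scope)."""
    return [
        d["id"].lower()
        for d in domains
        if d.get("isRoot") and str(d.get("authenticationType", "")).lower() == "federated"
    ]


def is_validated(policy: Dict, domain: Dict) -> bool:
    """True when the policy enforces issuer/domain validation for this root domain."""
    vd = policy.get("validatingDomains") or {}
    mode = vd.get("rootDomains", "none")
    if mode not in ENABLE_MODES:
        raise ValueError(f"unexpected rootDomains value: {mode!r}")
    auth = str(domain.get("authenticationType", "")).lower()
    if mode == "all":
        return True
    if mode == "allFederated":
        return auth == "federated"
    if mode == "allManaged":
        return auth == "managed"
    if mode == "enumerated":
        listed = {n.lower() for n in vd.get("domainNames", [])}
        return domain["id"].lower() in listed
    return False  # "none": validation disabled, which the issue says is the tenant default


def unprotected_federated_domains(policy: Dict, domains: List[Dict]) -> List[str]:
    """Federated root domains whose tokens are not yet bound to their own accounts."""
    roots = {d["id"].lower(): d for d in domains if d.get("isRoot")}
    return [name for name in federated_root_domains(domains) if not is_validated(policy, roots[name])]


def evaluate(policy: Dict, domains: List[Dict]) -> Dict:
    """Verdict in the spirit of the issue title: federation enabled => validation enforced."""
    federated = federated_root_domains(domains)
    if not federated:
        return {"status": "NotApplicable", "unprotected": [], "reason": "no federated root domains"}
    gaps = unprotected_federated_domains(policy, domains)
    if gaps:
        return {"status": "Fail", "unprotected": gaps,
                "reason": "federated root domains without token validation: " + ", ".join(gaps)}
    return {"status": "Pass", "unprotected": [], "reason": "all federated root domains validated"}


if __name__ == "__main__":
    print(evaluate(SAMPLE_POLICY, SAMPLE_DOMAINS))
```

With the constructed sample the verdict is `Fail` because woodgrove.com is federated but not enumerated in the policy; switching `rootDomains` to `allFederated` or `all` makes it pass, and a tenant with no federated root domains reports `NotApplicable` rather than a false pass.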
