wiz-sec / open-cvdb

An open project to list all publicly known cloud vulnerabilities and CSP security issues
https://cloudvulndb.org
Creative Commons Attribution 4.0 International

[Contribution] Add nOAuth (Azure AD access token email claim privilege escalation) #184

Closed korniko98 closed 1 year ago

korniko98 commented 1 year ago

Summary (give a brief description of the issue)

Microsoft has developed mitigations for an insecure anti-pattern used in Azure AD (AAD) applications highlighted by Descope, and reported to Microsoft, where use of the email claim from access tokens for authorization can lead to an escalation of privilege. An attacker can falsify the email claim in tokens issued to applications. Additionally, the threat of data leakage exists if applications use such claims for email lookup. [...] Microsoft has identified several multi-tenant applications with users that use an email address with an unverified domain owner. [...] To protect customers and applications that may be vulnerable to privilege escalation, Microsoft has deployed mitigations to omit token claims from unverified domain owners for most applications.

References (provide links to blogposts, etc.)

https://msrc.microsoft.com/blog/2023/06/potential-risk-of-privilege-escalation-in-azure-ad-applications/
https://www.descope.com/blog/post/noauth
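The anti-pattern the submission describes, shown as an added example that is not from the open-cvdb project or the MSRC post: a user lookup keyed on the mutable `email` claim beside one keyed on the immutable tenant id (`tid`) plus object id (`oid`) pair, which is the pairing the MSRC guidance recommends. Token payloads are constructed dicts standing in for access tokens whose signature has already been validated; the tenant ids, object ids and addresses are placeholders, and the `xms_edov` optional claim check is an addition not mentioned on the page.

```python
# Constructed user store for a hypothetical multi-tenant Azure AD app.
USERS_BY_EMAIL = {
    "admin@victim.example": {"role": "admin"},
}
USERS_BY_TID_OID = {
    # (tenant id, object id) -> user record; both values are placeholders
    ("11111111-1111-1111-1111-111111111111",
     "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"): {"role": "admin"},
}


def lookup_vulnerable(claims):
    """Anti-pattern: treats the `email` claim as the identity key.

    `email` is set by whichever tenant issued the token, so a token from a
    different tenant can carry the same address and resolve to this user.
    """
    return USERS_BY_EMAIL.get(claims.get("email"))


def lookup_hardened(claims):
    """Keys identity on (tid, oid), values the issuer controls per tenant."""
    tid, oid = claims.get("tid"), claims.get("oid")
    if not tid or not oid:
        return None
    return USERS_BY_TID_OID.get((tid, oid))


def verified_email(claims):
    """Return `email` only when the `xms_edov` optional claim says the domain
    owner is verified; otherwise treat the address as untrusted input."""
    if claims.get("xms_edov") is True:
        return claims.get("email")
    return None


# Constructed token for a genuine admin in the victim tenant.
LEGIT_TOKEN = {
    "tid": "11111111-1111-1111-1111-111111111111",
    "oid": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
    "email": "admin@victim.example",
    "xms_edov": True,
}
# Constructed token from an unrelated tenant whose `email` attribute was set
# to the victim's address; `tid`/`oid` differ because the issuer sets them.
FOREIGN_TENANT_TOKEN = {
    "tid": "22222222-2222-2222-2222-222222222222",
    "oid": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
    "email": "admin@victim.example",
}
```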