Unverified email domains and authenticationBehaviors for OAuth

Chris 0 Reputation points
2024-11-20T22:59:47.26+00:00

I was looking at https://learn.microsoft.com/en-us/graph/applications-authenticationbehaviors?tabs=http. That article discusses a potential security problem involving unverified emails.

How do we check if an email claim from an OAuth authentication result is verified? In addition, how can we check if our organization account has removeUnverifiedEmailClaim set to true?

If I'm understanding the documentation correctly, the removeUnverifiedEmailClaim property is part of authenticationBehaviors, which is a beta-only feature. How do I gain access to the beta in order to access this feature?

And finally, if that value is set to true, am I correctly understanding that we can safely handle emails in OAuth token claims as internally verified?

Microsoft Graph

1 answer

  1. Vasil Michev 109.2K Reputation points MVP
    2024-11-21T08:00:20.91+00:00

    "Beta" here means that you have to use the /beta Graph API endpoints, much like in the examples in the article above. If you need to make changes to the default behavior, simply use the /beta endpoint, no other steps are needed to gain access to the feature.

    That said, this only applies to LOB apps that specifically use the mail claim to authenticate the user, which is not a common scenario. Moreover, you cannot control this behavior on third-party apps (or any built-in one), so you should only ever concern yourself with this if you know your organization is creating LOB apps that leverage said claim.
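As an added illustration (my own Python, not code from the question, the answer or Microsoft's documentation), the script below audits the app registrations returned by the /beta endpoint for the removeUnverifiedEmailClaim setting and builds the /beta PATCH that turns it on for a given app. The bearer token and the sample listing are constructed placeholders, and the requests are only built, not sent, so it runs offline.

```python
import json
import urllib.request

# The answer's point: authenticationBehaviors is only exposed on the /beta endpoint.
GRAPH_BETA = "https://graph.microsoft.com/beta"


def build_audit_request(token: str) -> urllib.request.Request:
    """GET request listing app registrations together with their authenticationBehaviors."""
    url = f"{GRAPH_BETA}/applications?$select=id,displayName,appId,authenticationBehaviors"
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})


def build_fix_request(token: str, app_object_id: str) -> urllib.request.Request:
    """PATCH request that sets removeUnverifiedEmailClaim to true on one app registration."""
    url = f"{GRAPH_BETA}/applications/{app_object_id}/authenticationBehaviors"
    body = json.dumps({"removeUnverifiedEmailClaim": True}).encode()
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return urllib.request.Request(url, data=body, method="PATCH", headers=headers)


def unverified_email_allowed(app: dict) -> bool:
    """True unless removeUnverifiedEmailClaim is explicitly true (missing, null and false all count)."""
    behaviors = app.get("authenticationBehaviors") or {}
    return behaviors.get("removeUnverifiedEmailClaim") is not True


def audit(listing: dict) -> list:
    """Return the object ids of apps that may still receive unverified email claims."""
    return [a["id"] for a in listing.get("value", []) if unverified_email_allowed(a)]


def send(req: urllib.request.Request) -> dict:
    """Send a request built above and decode the JSON reply (not called offline)."""
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode())


# Constructed sample of what the GET above returns; ids and names are made up.
SAMPLE_LISTING = {
    "value": [
        {"id": "app-1", "displayName": "HR Portal",
         "authenticationBehaviors": {"removeUnverifiedEmailClaim": None}},
        {"id": "app-2", "displayName": "Expense Tool",
         "authenticationBehaviors": {"removeUnverifiedEmailClaim": True}},
        {"id": "app-3", "displayName": "Legacy Intranet",
         "authenticationBehaviors": {"removeUnverifiedEmailClaim": False}},
    ]
}

if __name__ == "__main__":
    for app_id in audit(SAMPLE_LISTING):  # with a real token: audit(send(build_audit_request(token)))
        print("needs review:", app_id, build_fix_request("<TOKEN>", app_id).full_url)
```

Only the apps flagged by `audit` need the PATCH; for the others the claim is already being stripped.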
