
Disable CAE in microsoft-graph-authz plugin #142848

Merged
jfreden merged 5 commits into elastic:main from jfreden:fix_ms_graph_cae_bug on Feb 24, 2026

Conversation

@jfreden jfreden commented Feb 23, 2026

Resolves: #142743

Disable CAE in the AzureIdentityAuthenticationProvider used by the Microsoft Graph authorization realm plugin.

Problem

The Microsoft Graph Authz plugin uses AzureIdentityAuthenticationProvider from the Kiota SDK to authenticate with Microsoft Entra via the client_credentials (service principal) flow. The 3-argument constructor enables CAE by default, which advertises the cp1 client capability to Entra.

When Entra updates its Conditional Access policies, it issues a CAE claims challenge with InteractionRequired and code TokenCreatedWithOutdatedPolicies. This challenge requires interactive user re-authentication, which is impossible for a service principal.

The result is that all users are denied login for up to 1 hour (the token expiry default) or until the coordinator nodes are restarted.

Fix

Pass isCaeEnabled=false to the AzureIdentityAuthenticationProvider constructor:

```java
new AzureIdentityAuthenticationProvider(
    credentialProvider, Strings.EMPTY_ARRAY,
    null, false,
    "https://graph.microsoft.com/.default")
```

This stops the SDK from advertising cp1, so Entra:

  1. Does not issue CAE challenges to this client. See docs here
  2. Issues standard 1-hour tokens (instead of extended 28-hour CAE tokens). See docs here
  3. Policy changes take effect at the next natural token refresh (within 1 hour)

The integration test fixture's mock token endpoint now rejects any token request that advertises the cp1 CAE capability, so all existing integration tests implicitly verify the fix.

Why CAE cannot be handled instead of disabled

  1. The Kiota SDK has built-in CAE retry logic: OkHttpRequestAdapter.retryCAEResponseIfRequired checks for 401 responses with claims challenges and retries once with a refreshed token. The AuthorizationHandler middleware (suggested in Microsoft Graph Authz plugin: CAE challenges cause authorization lockout #142743) uses the same mechanism. Since the error still surfaces to the application, the retry either did not trigger (claims extraction failed) or the retried request was also rejected.
  2. InteractionRequired cannot be satisfied by client_credentials: The InteractionRequired result in the CAE challenge indicates that resolving the outdated-policy condition requires user interaction, which is impossible in a service principal flow.
  3. Microsoft guidance: Applications should only advertise cp1 if they can handle claims challenges (docs). Since this plugin uses client_credentials and cannot handle interactive challenges, it should not advertise cp1.
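As an added illustration (not code from this PR or from the Elasticsearch plugin, and written in Python rather than the plugin's Java so it runs stand-alone), the block below models what the isCaeEnabled flag changes on the wire and what the updated test fixture checks: a CAE-enabled client advertises cp1 through the OAuth `claims` request parameter (an xms_cc value), and a mock token endpoint refuses any client_credentials request that carries that advertisement while issuing a standard 3600-second token to one that does not. The client id, secret and token values are placeholders, the request bodies are constructed here, and the mock endpoint's error text is this example's own, not Entra's.

```python
"""Mock Entra token endpoint that rejects client_credentials requests
advertising the CAE client capability (cp1), in the spirit of the fixed
integration-test fixture, plus a builder for the token request an
Azure Identity client sends with CAE on and off.

Constructed example. Assumptions: client id, secret and token values are
placeholders, and the CAE capability is advertised through the OAuth
`claims` request parameter carrying an xms_cc value of cp1.
"""
import json
from urllib.parse import parse_qs, urlencode

GRAPH_SCOPE = "https://graph.microsoft.com/.default"
# Client capability advertisement sent when the SDK runs with isCaeEnabled=true.
CP1_CLAIMS = {"access_token": {"xms_cc": {"values": ["cp1"]}}}


def build_token_request(cae_enabled: bool,
                        client_id: str = "00000000-0000-0000-0000-000000000000",
                        client_secret: str = "placeholder-secret",
                        scope: str = GRAPH_SCOPE) -> str:
    """Return the form-encoded body of a client_credentials token request.

    With cae_enabled=True the body carries cp1 in `claims`; with
    cae_enabled=False (the plugin's fixed behaviour) it does not.
    """
    params = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }
    if cae_enabled:
        params["claims"] = json.dumps(CP1_CLAIMS, separators=(",", ":"))
    return urlencode(params)


def advertises_cp1(body: str) -> bool:
    """True if a form-encoded token request advertises the cp1 capability.

    Malformed or unrelated `claims` values count as not advertising cp1,
    so only an explicit access_token.xms_cc.values entry trips the check.
    """
    form = parse_qs(body, keep_blank_values=True)
    for raw in form.get("claims", []):
        try:
            claims = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if not isinstance(claims, dict):
            continue
        access_token = claims.get("access_token")
        if not isinstance(access_token, dict):
            continue
        xms_cc = access_token.get("xms_cc")
        if not isinstance(xms_cc, dict):
            continue
        values = xms_cc.get("values")
        if isinstance(values, list) and "cp1" in values:
            return True
    return False


def handle_token_request(body: str) -> tuple[int, dict]:
    """Mock token endpoint returning (HTTP status, JSON body).

    Any request advertising cp1 is refused, so a CAE-enabled client cannot
    obtain a token at all; otherwise a standard 1-hour bearer token is issued.
    """
    form = parse_qs(body, keep_blank_values=True)
    if form.get("grant_type") != ["client_credentials"]:
        return 400, {"error": "unsupported_grant_type"}
    if advertises_cp1(body):
        return 400, {
            "error": "invalid_request",
            "error_description": "client advertised CAE capability cp1; "
                                 "this fixture requires CAE to be disabled",
        }
    return 200, {
        "token_type": "Bearer",
        "expires_in": 3600,  # standard lifetime once cp1 is not advertised
        "access_token": "placeholder-access-token",  # constructed value
    }


if __name__ == "__main__":
    for enabled in (True, False):
        status, payload = handle_token_request(build_token_request(enabled))
        print(f"isCaeEnabled={enabled}: HTTP {status} {payload}")
```

Because the fixture fails the token request itself rather than the later Graph call, a plugin build that still advertised cp1 would be unable to authenticate in any integration test, which is why the existing tests cover the fix without a dedicated new case.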

jfreden force-pushed the fix_ms_graph_cae_bug branch from d6df444 to f5bdf68 on February 23, 2026 13:22
jfreden added the labels :Security/Security (Security issues without another label), >bug, auto-backport (Automatically create backport pull requests when merged), branch:9.2, branch:8.19 and branch:9.3 on Feb 23, 2026
jfreden marked this pull request as ready for review on February 23, 2026 13:23
@elasticsearchmachine
Collaborator

Hi @jfreden, I've created a changelog YAML for you.

@elasticsearchmachine
Collaborator

Pinging @elastic/es-security (Team:Security)

@jfreden
Contributor Author

jfreden commented Feb 24, 2026

Added test mute for unrelated CI failures in #142926 so going to merge.

@jfreden jfreden merged commit 1c17a0f into elastic:main Feb 24, 2026
37 of 41 checks passed
@elasticsearchmachine
Collaborator

💚 Backport successful

Branches: 9.3, 8.19, 9.2

jfreden added a commit to jfreden/elasticsearch that referenced this pull request Feb 24, 2026
* Disable CAE in microsoft-graph-authz plugin

* Update docs/changelog/142848.yaml
jfreden added a commit to jfreden/elasticsearch that referenced this pull request Feb 24, 2026
* Disable CAE in microsoft-graph-authz plugin

* Update docs/changelog/142848.yaml
jfreden added a commit to jfreden/elasticsearch that referenced this pull request Feb 24, 2026
* Disable CAE in microsoft-graph-authz plugin

* Update docs/changelog/142848.yaml
elasticsearchmachine pushed a commit that referenced this pull request Feb 24, 2026
* Disable CAE in microsoft-graph-authz plugin

* Update docs/changelog/142848.yaml
elasticsearchmachine pushed a commit that referenced this pull request Feb 24, 2026
* Disable CAE in microsoft-graph-authz plugin

* Update docs/changelog/142848.yaml
elasticsearchmachine pushed a commit that referenced this pull request Feb 24, 2026
* Disable CAE in microsoft-graph-authz plugin

* Update docs/changelog/142848.yaml
szybia added a commit to szybia/elasticsearch that referenced this pull request Feb 24, 2026
…on-sliced-reindex

* upstream/main:
  Update docs for v9.3.1 release (elastic#142887)
  Update docs for v9.2.6 release (elastic#142888)
  Improves visibility of vector index options and inference configuration (elastic#141653)
  Disable CAE in microsoft-graph-authz plugin (elastic#142848)
  Small improvements to `GetSnapshotsIT#testAllFeatures` (elastic#142825)
  Fix IndexSettingsTests synthetic ID tests (elastic#142654)
  [Test] Unmute tests of SnapshotShutdownIT (elastic#142921)
  Fixing metrics_info.json kibana definition file name (elastic#142813)
  [Packaging] Disable glibc 2.43 malloc huge pages in Wolfi images (elastic#142894)
  Mute org.elasticsearch.xpack.searchablesnapshots.SearchableSnapshotsTSDBSyntheticIdIntegTests testSearchableSnapshot elastic#142918
  Add shard heap usage to ClusterInfo (elastic#139557)
  ESQL: Load script fields row-by-row (elastic#142807)
  ESQL: Consolidate doc values memory tracking (elastic#142816)
  ES-14124  Create Index Count Limit User documentation Page (elastic#142570)
  Add a es819 codec test to verify tryRead returns null if may contain duplicates (elastic#142409)
  Support arithmetic operations for dense_vectors: scalar version (elastic#141060)
  [Transform] Allow project_routing (elastic#142421)
  Refactor query rewrite async actions for knn and sparse_vector queries (elastic#142889)
  Do not mark bulk indexing requests as retried after primary relocations (elastic#142157)
sidosera pushed a commit to sidosera/elasticsearch that referenced this pull request Feb 24, 2026
* Disable CAE in microsoft-graph-authz plugin

* Update docs/changelog/142848.yaml

Labels

auto-backport (Automatically create backport pull requests when merged), >bug, :Security/Security (Security issues without another label), Team:Security (Meta label for security team), v8.19.13, v9.2.7, v9.3.2, v9.4.0

Development

Successfully merging this pull request may close these issues.

Microsoft Graph Authz plugin: CAE challenges cause authorization lockout

3 participants