diff --git a/docs/changelog/142848.yaml b/docs/changelog/142848.yaml
new file mode 100644
index 0000000000000..b82e68e02f8ce
--- /dev/null
+++ b/docs/changelog/142848.yaml
@@ -0,0 +1,6 @@
+area: Security
+issues:
+ - 142743
+pr: 142848
+summary: Disable CAE in microsoft-graph-authz plugin
+type: bug
diff --git a/x-pack/extras/plugins/microsoft-graph-authz/src/main/java/org/elasticsearch/xpack/security/authz/microsoft/MicrosoftGraphAuthzRealm.java b/x-pack/extras/plugins/microsoft-graph-authz/src/main/java/org/elasticsearch/xpack/security/authz/microsoft/MicrosoftGraphAuthzRealm.java
index 04f2b177cf018..a5bc7e93730dc 100644
--- a/x-pack/extras/plugins/microsoft-graph-authz/src/main/java/org/elasticsearch/xpack/security/authz/microsoft/MicrosoftGraphAuthzRealm.java
+++ b/x-pack/extras/plugins/microsoft-graph-authz/src/main/java/org/elasticsearch/xpack/security/authz/microsoft/MicrosoftGraphAuthzRealm.java
@@ -185,7 +185,13 @@ private static GraphServiceClient buildClient(RealmConfig config) {
 return new GraphServiceClient(
 new BaseGraphRequestAdapter(
- new AzureIdentityAuthenticationProvider(credentialProvider, Strings.EMPTY_ARRAY, "https://graph.microsoft.com/.default"),
+ new AzureIdentityAuthenticationProvider(
+ credentialProvider,
+ Strings.EMPTY_ARRAY,
+ null,
+ false,
+ "https://graph.microsoft.com/.default"
+ ),
 config.getSetting(MicrosoftGraphAuthzRealmSettings.API_HOST),
 httpClient
 )
diff --git a/x-pack/plugin/security/qa/microsoft-graph-authz-tests/src/javaRestTest/java/org/elasticsearch/xpack/security/authz/microsoft/MicrosoftGraphHttpFixture.java b/x-pack/plugin/security/qa/microsoft-graph-authz-tests/src/javaRestTest/java/org/elasticsearch/xpack/security/authz/microsoft/MicrosoftGraphHttpFixture.java
index d557fd7123332..12c57764916e6 100644
--- a/x-pack/plugin/security/qa/microsoft-graph-authz-tests/src/javaRestTest/java/org/elasticsearch/xpack/security/authz/microsoft/MicrosoftGraphHttpFixture.java
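Review bot: The two new positional arguments `null` and `false` in the AzureIdentityAuthenticationProvider call carry the whole point of this fix, yet nothing in the hunk says what they are; the only hint is the changelog summary "Disable CAE". In the Kiota/Graph SDK constructor overload this maps to, the boolean appears to be the `isCaeEnabled` flag, which as far as I recall defaults to true and makes the token request advertise the `cp1` claims capability (the test fixture changed in this same commit now rejects exactly that), and the `null` is presumably the observability options. Without a comment, a future cleanup is likely to revert to the shorter three-argument form and silently re-enable CAE, which this change exists to prevent. I would annotate the two arguments inline, e.g. `null, // observability options: use the SDK default` and `false, // isCaeEnabled: keep CAE off — the default advertises the "cp1" claims capability, which the client_credentials token request must not carry`. buildClient starts outside the hunk.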
+++ b/x-pack/plugin/security/qa/microsoft-graph-authz-tests/src/javaRestTest/java/org/elasticsearch/xpack/security/authz/microsoft/MicrosoftGraphHttpFixture.java
@@ -150,6 +150,15 @@ private void registerGetAccessTokenHandler() {
 );
 return;
 }
+ final var claims = formFields.get("claims");
+ if (claims != null && claims.toLowerCase(java.util.Locale.ROOT).contains("cp1")) {
+ graphError(
+ exchange,
+ RestStatus.BAD_REQUEST,
+ "Token request must not advertise cp1 CAE capability for client_credentials flow"
+ );
+ return;
+ }
 final var token = XContentBuilder.builder(XContentType.JSON.xContent());
 token.startObject();