Disable CAE in microsoft-graph-authz plugin

docs/changelog/142848.yaml

@@ -0,0 +1,6 @@
+area: Security
+issues:
+ - 142743
+pr: 142848
+summary: Disable CAE in microsoft-graph-authz plugin
+type: bug

x-pack/extras/plugins/microsoft-graph-authz/src/main/java/org/elasticsearch/xpack/security/authz/microsoft/MicrosoftGraphAuthzRealm.java

@@ -185,7 +185,13 @@ private static GraphServiceClient buildClient(RealmConfig config) {
 
         return new GraphServiceClient(
             new BaseGraphRequestAdapter(
-                new AzureIdentityAuthenticationProvider(credentialProvider, Strings.EMPTY_ARRAY, "https://graph.microsoft.com/.default"),
+                new AzureIdentityAuthenticationProvider(
+                    credentialProvider,
+                    Strings.EMPTY_ARRAY,
+                    null,
+                    false,
+                    "https://graph.microsoft.com/.default"
+                ),
                 config.getSetting(MicrosoftGraphAuthzRealmSettings.API_HOST),
                 httpClient
             )

x-pack/plugin/security/qa/microsoft-graph-authz-tests/src/javaRestTest/java/org/elasticsearch/xpack/security/authz/microsoft/MicrosoftGraphHttpFixture.java

@@ -150,6 +150,15 @@ private void registerGetAccessTokenHandler() {
                 );
                 return;
             }
+            final var claims = formFields.get("claims");
+            if (claims != null && claims.toLowerCase(java.util.Locale.ROOT).contains("cp1")) {
+                graphError(
+                    exchange,
+                    RestStatus.BAD_REQUEST,
+                    "Token request must not advertise cp1 CAE capability for client_credentials flow"
+                );
+                return;
+            }
 
             final var token = XContentBuilder.builder(XContentType.JSON.xContent());
             token.startObject();