アプリケーション認証の管理Behaviors

[アーティクル]
03/21/2024

アプリケーションオブジェクトの authenticationBehaviors プロパティを使用すると、トークンの発行に関連する破壊的変更動作を構成できます。アプリケーションでは、動作を有効にすることで新しい破壊的変更を採用するか (動作をに true設定します)、または既存の動作を無効にして (動作をに false設定して) 引き続き使用できます。

注:

アプリケーションオブジェクトの authenticationBehaviors プロパティは現在、のみにあります beta 。

アプリケーションの authenticationBehaviors 設定を読み取る

authenticationBehaviors プロパティは、次のような要求でのみ$select返されます。

テナント内のすべてのアプリのプロパティとその他の指定されたプロパティを読み取るために、次のサンプル要求を実行します。要求は、 200 OK 選択したプロパティのみを表示するアプリケーションオブジェクトの応答コードと JSON 表現を返します。

GET https://graph.microsoft.com/beta/applications?$select=id,displayName,appId,authenticationBehaviors


// Code snippets are only available for the latest version. Current version is 5.x

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Applications.GetAsync((requestConfiguration) =>
{
	requestConfiguration.QueryParameters.Select = new string []{ "id","displayName","appId","authenticationBehaviors" };
});


// THE CLI IS IN PREVIEW. NON-PRODUCTION USE ONLY
mgc-beta applications list --select "id,displayName,appId,authenticationBehaviors"



import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
	  graphapplications "github.com/microsoftgraph/msgraph-beta-sdk-go/applications"
	  //other-imports
)

graphClient := msgraphsdk.NewGraphServiceClientWithCredentials(cred, scopes)


requestParameters := &graphapplications.ApplicationsRequestBuilderGetQueryParameters{
	Select: [] string {"id","displayName","appId","authenticationBehaviors"},
}
configuration := &graphapplications.ApplicationsRequestBuilderGetRequestConfiguration{
	QueryParameters: requestParameters,
}

applications, err := graphClient.Applications().Get(context.Background(), configuration)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

ApplicationCollectionResponse result = graphClient.applications().get(requestConfiguration -> {
	requestConfiguration.queryParameters.select = new String []{"id", "displayName", "appId", "authenticationBehaviors"};
});


const options = {
	authProvider,
};

const client = Client.init(options);

let applications = await client.api('/applications')
	.version('beta')
	.select('id,displayName,appId,authenticationBehaviors')
	.get();


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Applications\ApplicationsRequestBuilderGetRequestConfiguration;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestConfiguration = new ApplicationsRequestBuilderGetRequestConfiguration();
$queryParameters = ApplicationsRequestBuilderGetRequestConfiguration::createQueryParameters();
$queryParameters->select = ["id","displayName","appId","authenticationBehaviors"];
$requestConfiguration->queryParameters = $queryParameters;


$result = $graphServiceClient->applications()->get($requestConfiguration)->wait();


Import-Module Microsoft.Graph.Beta.Applications

Get-MgBetaApplication -Property "id,displayName,appId,authenticationBehaviors"


from msgraph import GraphServiceClient
from msgraph.generated.applications.applications_request_builder import ApplicationsRequestBuilder

graph_client = GraphServiceClient(credentials, scopes)

query_params = ApplicationsRequestBuilder.ApplicationsRequestBuilderGetQueryParameters(
		select = ["id","displayName","appId","authenticationBehaviors"],
)

request_configuration = ApplicationsRequestBuilder.ApplicationsRequestBuilderGetRequestConfiguration(
query_parameters = query_params,
)

result = await graph_client.applications.get(request_configuration = request_configuration)

1 つのアプリの authenticationBehaviors プロパティのみを読み取る場合は、次のサンプル要求を実行します。

GET https://graph.microsoft.com/beta/applications/03ef14b0-ca33-4840-8f4f-d6e91916010e/authenticationBehaviors

Snippet not available

Snippet not available

Snippet not available

Snippet not available


const options = {
	authProvider,
};

const client = Client.init(options);

let authenticationBehaviors = await client.api('/applications/03ef14b0-ca33-4840-8f4f-d6e91916010e/authenticationBehaviors')
	.version('beta')
	.get();

Snippet not available

Snippet not available

Snippet not available

appId プロパティは、次のように使用することもできます。

GET https://graph.microsoft.com/beta/applications(appId='37bf1fd4-78b0-4fea-ac2d-6c82829e9365')/authenticationBehaviors

未確認のドメイン所有者による電子メール要求の発行を防止する

Microsoft セキュリティアドバイザリ「Microsoft Entra アプリケーションでの特権エスカレーションの潜在的なリスク」で説明されているように、アプリは承認のために電子メール要求を使用しないでください。アプリケーションが承認またはプライマリユーザー識別の目的で電子メール要求を使用する場合、アカウントと特権のエスカレーション攻撃の対象となります。不正アクセスのこのリスクは、次のシナリオで特に特定されます。

ユーザーオブジェクトの mail 属性に未確認のドメイン所有者を持つメールアドレスが含まれている場合
あるテナントのユーザーが 、メール 属性を変更して別のテナントからリソースにアクセスする権限をエスカレートできるマルチテナントアプリの場合

テナントでこれらのケースを特定する方法の詳細については、「ユーザー識別または承認のために電子メール要求を使用しないように移行する」を参照してください。

現在の既定の動作では、シングルテナントアプリと、以前のサインインアクティビティが未確認のメールを含むマルチテナントアプリを除き、要求で未確認のドメイン所有者を持つメールアドレスを削除します。アプリがこれらの例外のいずれかに該当し、未確認のメールアドレスを削除する場合は、次の例に示すように、authenticationBehaviors の removeUnverifiedEmailClaim プロパティをにtrue設定します。要求は、204 No Content 応答コードを返します。

未確認のドメイン所有者のメールアドレスを要求から削除する

オプション 1

PATCH https://graph.microsoft.com/beta/applications/03ef14b0-ca33-4840-8f4f-d6e91916010e/authenticationBehaviors
Content-Type: application/json

{
    "removeUnverifiedEmailClaim": true
}

Snippet not available

Snippet not available

Snippet not available

Snippet not available


const options = {
	authProvider,
};

const client = Client.init(options);

const authenticationBehaviors = {
    removeUnverifiedEmailClaim: true
};

await client.api('/applications/03ef14b0-ca33-4840-8f4f-d6e91916010e/authenticationBehaviors')
	.version('beta')
	.update(authenticationBehaviors);

Snippet not available

Snippet not available

Snippet not available

オプション 2

PATCH https://graph.microsoft.com/beta/applications/03ef14b0-ca33-4840-8f4f-d6e91916010e
Content-Type: application/json

{
    "authenticationBehaviors": {
        "removeUnverifiedEmailClaim": true
    }
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Beta.Models;

var requestBody = new Application
{
	AuthenticationBehaviors = new AuthenticationBehaviors
	{
		RemoveUnverifiedEmailClaim = true,
	},
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Applications["{application-id}"].PatchAsync(requestBody);


// THE CLI IS IN PREVIEW. NON-PRODUCTION USE ONLY
mgc-beta applications patch --application-id {application-id} --body '{\
    "authenticationBehaviors": {\
        "removeUnverifiedEmailClaim": true\
    }\
}\
'



import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
	  //other-imports
)

graphClient := msgraphsdk.NewGraphServiceClientWithCredentials(cred, scopes)


requestBody := graphmodels.NewApplication()
authenticationBehaviors := graphmodels.NewAuthenticationBehaviors()
removeUnverifiedEmailClaim := true
authenticationBehaviors.SetRemoveUnverifiedEmailClaim(&removeUnverifiedEmailClaim) 
requestBody.SetAuthenticationBehaviors(authenticationBehaviors)

applications, err := graphClient.Applications().ByApplicationId("application-id").Patch(context.Background(), requestBody, nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

Application application = new Application();
AuthenticationBehaviors authenticationBehaviors = new AuthenticationBehaviors();
authenticationBehaviors.setRemoveUnverifiedEmailClaim(true);
application.setAuthenticationBehaviors(authenticationBehaviors);
Application result = graphClient.applications().byApplicationId("{application-id}").patch(application);


const options = {
	authProvider,
};

const client = Client.init(options);

const application = {
    authenticationBehaviors: {
        removeUnverifiedEmailClaim: true
    }
};

await client.api('/applications/03ef14b0-ca33-4840-8f4f-d6e91916010e')
	.version('beta')
	.update(application);


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\Application;
use Microsoft\Graph\Generated\Models\AuthenticationBehaviors;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new Application();
$authenticationBehaviors = new AuthenticationBehaviors();
$authenticationBehaviors->setRemoveUnverifiedEmailClaim(true);
$requestBody->setAuthenticationBehaviors($authenticationBehaviors);

$result = $graphServiceClient->applications()->byApplicationId('application-id')->patch($requestBody)->wait();


Import-Module Microsoft.Graph.Beta.Applications

$params = @{
	authenticationBehaviors = @{
		removeUnverifiedEmailClaim = $true
	}
}

Update-MgBetaApplication -ApplicationId $applicationId -BodyParameter $params


from msgraph import GraphServiceClient
from msgraph.generated.models.application import Application
from msgraph.generated.models.authentication_behaviors import AuthenticationBehaviors

graph_client = GraphServiceClient(credentials, scopes)

request_body = Application(
	authentication_behaviors = AuthenticationBehaviors(
		remove_unverified_email_claim = True,
	),
)

result = await graph_client.applications.by_application_id('application-id').patch(request_body)

要求で未確認のドメイン所有者を持つメールアドレスを受け入れる

オプション 1

PATCH https://graph.microsoft.com/beta/applications/03ef14b0-ca33-4840-8f4f-d6e91916010e/authenticationBehaviors
Content-Type: application/json

{
    "removeUnverifiedEmailClaim": false
}

Snippet not available

Snippet not available

Snippet not available

Snippet not available


const options = {
	authProvider,
};

const client = Client.init(options);

const authenticationBehaviors = {
    removeUnverifiedEmailClaim: false
};

await client.api('/applications/03ef14b0-ca33-4840-8f4f-d6e91916010e/authenticationBehaviors')
	.version('beta')
	.update(authenticationBehaviors);

Snippet not available

Snippet not available

Snippet not available

オプション 2

PATCH https://graph.microsoft.com/beta/applications/03ef14b0-ca33-4840-8f4f-d6e91916010e
Content-Type: application/json

{
    "authenticationBehaviors": {
        "removeUnverifiedEmailClaim": false
    }
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Beta.Models;

var requestBody = new Application
{
	AuthenticationBehaviors = new AuthenticationBehaviors
	{
		RemoveUnverifiedEmailClaim = false,
	},
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Applications["{application-id}"].PatchAsync(requestBody);


// THE CLI IS IN PREVIEW. NON-PRODUCTION USE ONLY
mgc-beta applications patch --application-id {application-id} --body '{\
    "authenticationBehaviors": {\
        "removeUnverifiedEmailClaim": false\
    }\
}\
'



import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
	  //other-imports
)

graphClient := msgraphsdk.NewGraphServiceClientWithCredentials(cred, scopes)


requestBody := graphmodels.NewApplication()
authenticationBehaviors := graphmodels.NewAuthenticationBehaviors()
removeUnverifiedEmailClaim := false
authenticationBehaviors.SetRemoveUnverifiedEmailClaim(&removeUnverifiedEmailClaim) 
requestBody.SetAuthenticationBehaviors(authenticationBehaviors)

applications, err := graphClient.Applications().ByApplicationId("application-id").Patch(context.Background(), requestBody, nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

Application application = new Application();
AuthenticationBehaviors authenticationBehaviors = new AuthenticationBehaviors();
authenticationBehaviors.setRemoveUnverifiedEmailClaim(false);
application.setAuthenticationBehaviors(authenticationBehaviors);
Application result = graphClient.applications().byApplicationId("{application-id}").patch(application);


const options = {
	authProvider,
};

const client = Client.init(options);

const application = {
    authenticationBehaviors: {
        removeUnverifiedEmailClaim: false
    }
};

await client.api('/applications/03ef14b0-ca33-4840-8f4f-d6e91916010e')
	.version('beta')
	.update(application);


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\Application;
use Microsoft\Graph\Generated\Models\AuthenticationBehaviors;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new Application();
$authenticationBehaviors = new AuthenticationBehaviors();
$authenticationBehaviors->setRemoveUnverifiedEmailClaim(false);
$requestBody->setAuthenticationBehaviors($authenticationBehaviors);

$result = $graphServiceClient->applications()->byApplicationId('application-id')->patch($requestBody)->wait();


Import-Module Microsoft.Graph.Beta.Applications

$params = @{
	authenticationBehaviors = @{
		removeUnverifiedEmailClaim = $false
	}
}

Update-MgBetaApplication -ApplicationId $applicationId -BodyParameter $params


from msgraph import GraphServiceClient
from msgraph.generated.models.application import Application
from msgraph.generated.models.authentication_behaviors import AuthenticationBehaviors

graph_client = GraphServiceClient(credentials, scopes)

request_body = Application(
	authentication_behaviors = AuthenticationBehaviors(
		remove_unverified_email_claim = False,
	),
)

result = await graph_client.applications.by_application_id('application-id').patch(request_body)

既定の動作を復元する

オプション 1

PATCH https://graph.microsoft.com/beta/applications/03ef14b0-ca33-4840-8f4f-d6e91916010e/authenticationBehaviors
Content-Type: application/json

{
    "removeUnverifiedEmailClaim": null
}

Snippet not available

Snippet not available

Snippet not available

Snippet not available


const options = {
	authProvider,
};

const client = Client.init(options);

const authenticationBehaviors = {
    removeUnverifiedEmailClaim: null
};

await client.api('/applications/03ef14b0-ca33-4840-8f4f-d6e91916010e/authenticationBehaviors')
	.version('beta')
	.update(authenticationBehaviors);

Snippet not available

Snippet not available

Snippet not available

オプション 2

PATCH https://graph.microsoft.com/beta/applications/03ef14b0-ca33-4840-8f4f-d6e91916010e/
Content-Type: application/json

{
    "authenticationBehaviors": {
        "removeUnverifiedEmailClaim": null
    }
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Beta.Models;

var requestBody = new Application
{
	AuthenticationBehaviors = new AuthenticationBehaviors
	{
		RemoveUnverifiedEmailClaim = null,
	},
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Applications["{application-id}"].PatchAsync(requestBody);


// THE CLI IS IN PREVIEW. NON-PRODUCTION USE ONLY
mgc-beta applications patch --application-id {application-id} --body '{\
    "authenticationBehaviors": {\
        "removeUnverifiedEmailClaim": null\
    }\
}\
'



import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
	  //other-imports
)

graphClient := msgraphsdk.NewGraphServiceClientWithCredentials(cred, scopes)


requestBody := graphmodels.NewApplication()
authenticationBehaviors := graphmodels.NewAuthenticationBehaviors()
removeUnverifiedEmailClaim := null
authenticationBehaviors.SetRemoveUnverifiedEmailClaim(&removeUnverifiedEmailClaim) 
requestBody.SetAuthenticationBehaviors(authenticationBehaviors)

applications, err := graphClient.Applications().ByApplicationId("application-id").Patch(context.Background(), requestBody, nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

Application application = new Application();
AuthenticationBehaviors authenticationBehaviors = new AuthenticationBehaviors();
authenticationBehaviors.setRemoveUnverifiedEmailClaim(null);
application.setAuthenticationBehaviors(authenticationBehaviors);
Application result = graphClient.applications().byApplicationId("{application-id}").patch(application);


const options = {
	authProvider,
};

const client = Client.init(options);

const application = {
    authenticationBehaviors: {
        removeUnverifiedEmailClaim: null
    }
};

await client.api('/applications/03ef14b0-ca33-4840-8f4f-d6e91916010e/')
	.version('beta')
	.update(application);


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\Application;
use Microsoft\Graph\Generated\Models\AuthenticationBehaviors;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new Application();
$authenticationBehaviors = new AuthenticationBehaviors();
$authenticationBehaviors->setRemoveUnverifiedEmailClaim(null);
$requestBody->setAuthenticationBehaviors($authenticationBehaviors);

$result = $graphServiceClient->applications()->byApplicationId('application-id')->patch($requestBody)->wait();


Import-Module Microsoft.Graph.Beta.Applications

$params = @{
	authenticationBehaviors = @{
		removeUnverifiedEmailClaim = $null
	}
}

Update-MgBetaApplication -ApplicationId $applicationId -BodyParameter $params


from msgraph import GraphServiceClient
from msgraph.generated.models.application import Application
from msgraph.generated.models.authentication_behaviors import AuthenticationBehaviors

graph_client = GraphServiceClient(credentials, scopes)

request_body = Application(
	authentication_behaviors = AuthenticationBehaviors(
		remove_unverified_email_claim = None,
	),
)

result = await graph_client.applications.by_application_id('application-id').patch(request_body)

アプリケーション認証の管理Behaviors

アプリケーションの authenticationBehaviors 設定を読み取る

未確認のドメイン所有者による電子メール要求の発行を防止する

未確認のドメイン所有者のメールアドレスを要求から削除する

オプション 1

オプション 2

要求で未確認のドメイン所有者を持つメールアドレスを受け入れる

オプション 1

オプション 2

既定の動作を復元する

オプション 1

オプション 2

フィードバック

フィードバック

その他のリソース

アプリケーション認証の管理Behaviors

アプリケーションの authenticationBehaviors 設定を読み取る

未確認のドメイン所有者による電子メール要求の発行を防止する

未確認のドメイン所有者のメール アドレスを要求から削除する

オプション 1

オプション 2

要求で未確認のドメイン所有者を持つメール アドレスを受け入れる

オプション 1

オプション 2

既定の動作を復元する

オプション 1

オプション 2

関連コンテンツ

フィードバック

フィードバック

その他のリソース

未確認のドメイン所有者のメールアドレスを要求から削除する

要求で未確認のドメイン所有者を持つメールアドレスを受け入れる