Microsoft Entra: Upcoming changes to federatedTokenValidationPolicy default settings
🚨 The Signal: Microsoft Entra will now default to blocking cross-domain federated logins where the UPN doesn't match the internal federation domain. This strengthens security by preventing unauthorized access attempts via misconfigured or malicious federation trusts.
The Impact
Federated users with mismatched UPNs and federation domains are affected, reducing the risk of unauthorized cross-domain access.
- Federated users: May experience login issues if UPNs don't match federation domains.
- Security teams: Reduced risk of unauthorized access via federated identity misconfigurations.
- Identity admins: Need to verify federation configurations for UPN consistency.
- Organisations: Enhanced protection against cross-domain identity attacks.
The Action
- Review existing federatedTokenValidationPolicy configurations in Microsoft Graph.
- Identify federated domains where internalDomainFederation does not match UPN domain.
- Communicate potential login impact to affected federated user populations.
- Consider creating explicit federatedTokenValidationPolicy rules to allow specific cross-domain scenarios if required, post-assessment.
Domain: Entra · Impact: high · Workload: Entra ID · Essential Eight: Multi-Factor Authentication · ISM: ISM-0109, ISM-0123, ISM-0140, ISM-0974, ISM-1173, ISM-1228, ISM-1401, ISM-1504, ISM-1505, ISM-1679, ISM-1680, ISM-1681, ISM-1682, ISM-1683, ISM-1815, ISM-1819, ISM-1872, ISM-1873, ISM-1874, ISM-1892, ISM-1893, ISM-1894, ISM-1906, ISM-1907