The Azure SDK team has become aware of a potential risk for developers using multi-tenant applications to access Azure resources. Most applications using multi-tenant applications are safe; however, multi-tenant applications that take user-provided URIs to Azure resources and authenticate via service-to-service authentication may leave their customers vulnerable to unauthorized access. Multi-tenant applications accepting URIs to user-provided resources must properly validate resource ownership to prevent potential leaks.<\/p>\n
Multi-tenant applications need to validate resource ownership as recommended below, and in addition, the Azure SDK team is releasing new versions of the Azure Identity libraries to help multi-tenant applications be secure by default and provide some defense in depth.<\/p>\n
Multi-tenant applications that accept a user-provided URI to a customer-owned resource need to validate the ownership of that resource. Examples include, but aren’t limited to:<\/p>\n
Resource URIs could be provided through configuration files, command line interfaces (CLIs), or user interfaces. If ownership of the resource isn’t properly validated, an attacker may be able to trick your application into accessing resources in tenants to which they don’t have access.<\/p>\n
All multi-tenant applications accessing user-provided resources should consider the following measures to secure customer provided resource access:<\/p>\n
WWW-Authenticate<\/code> headers) returned from requests to customer provided resources should validate the requested authority matches a tenant owned by the same customer.<\/li>\n<\/ul>\nAdditional recommended actions<\/h3>\n
For applications using the Azure SDK, we have provided new versions of the Azure Identity library to ensure multi-tenant applications are secure by default. These updated libraries restrict multi-tenant authentication and provide APIs to configure the tenants from which credentials may acquire tokens. You should update your applications to use any of the packages below or newer:<\/p>\n
\n- .NET: https:\/\/www.nuget.org\/packages\/Azure.Identity\/1.7.0<\/a><\/li>\n
- Java: https:\/\/search.maven.org\/artifact\/com.azure\/azure-identity\/1.6.0\/jar<\/a><\/li>\n
- JavaScript: https:\/\/www.npmjs.com\/package\/@azure\/identity\/v\/3.0.0<\/a><\/li>\n
- Python: https:\/\/pypi.org\/project\/azure-identity\/1.11.0<\/a><\/li>\n<\/ul>\n
These SDK updates alone don’t mitigate the issue, but they do prevent multi-tenant applications from acquiring tokens for arbitrary tenants by default. With these updates applied, applications must configure the tenants from which credentials may acquire tokens. If an SDK client or the application attempts to acquire a token for a tenant not explicitly allowed in the credential configuration, the credential will throw a runtime error.<\/p>\n
This new behavior is a runtime breaking change from the previous support for multi-tenant authentication, which provided no such safeguards. The SDK team carefully considered the impact of this breaking change, and determined it was warranted to ensure multi-tenant applications using the Azure Identity library are secure by default. Multi-tenant applications upgrading from earlier versions of the Azure Identity library can consult the following instructions to fix any impacted credentials:<\/p>\n
.NET<\/h4>\n
As of Azure.Identity<\/code> 1.7.0, the default behavior of credentials supporting multi-tenant authentication has changed. Each of these credentials will throw an AuthenticationFailedException<\/code> if the requested TenantId<\/code> doesn’t match the tenant ID originally configured on the credential. Apps must now do one of the following things:<\/p>\n\n- Add all IDs, of tenants from which tokens should be acquired, to the
AdditionallyAllowedTenants<\/code> list in the credential options. For example:\nvar credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions\r\n{\r\n AdditionallyAllowedTenants = { \"<tenant_id_1>\", \"<tenant_id_2>\" }\r\n});<\/code><\/pre>\n<\/li>\n- Add
*<\/code> to enable token acquisition from any tenant. This configuration provides behavior compatible with previous multi-tenant support. For example:\nvar credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions\r\n{\r\n AdditionallyAllowedTenants = { \"*\" }\r\n});<\/code><\/pre>\n<\/li>\n<\/ul>\nJava<\/h4>\n
As of azure-identity<\/code> 1.6.0, the default behavior of credentials supporting multi-tenant authentication has changed. Each of these credentials will throw an ClientAuthenticationException<\/code> if the requested tenantId<\/code> doesn’t match the tenant ID originally configured on the credential. Apps must now do one of the following things:<\/p>\n\n- Add all IDs, of tenants from which tokens should be acquired, to the
additionallyAllowedTenants<\/code> list on the credential builder. For example:\nDefaultAzureCredential defaultAzureCredential = new DefaultAzureCredentialBuilder()\r\n .additionallyAllowedTenants(\"<tenant_id_1>\", \"tenant_id_2>\")\r\n .build();<\/code><\/pre>\n<\/li>\n- Add
*<\/code> to enable token acquisition from any tenant. This is the original behavior and is compatible with versions 1.4.0 through 1.5.5. For example:\nDefaultAzureCredential defaultAzureCredential = new DefaultAzureCredentialBuilder()\r\n .additionallyAllowedTenants(\"*\")\r\n .build();<\/code><\/pre>\n<\/li>\n<\/ul>\nJavaScript<\/h4>\n
As of @azure\/identity<\/code> 3.0.0, the default behavior of credentials supporting multi-tenant authentication has changed. Each of these credentials will throw an error if the requested tenantId<\/code> doesn’t match the tenant ID originally configured on the credential. Apps must now do one of the following things:<\/p>\n\n- Add all IDs, of tenants from which tokens should be acquired, to the
additionallyAllowedTenants<\/code> array in the credential options. For example:\nconst credential = new DefaultAzureCredential({\r\nadditionallyAllowedTenants: [\"<tenant_id_1>\", \"<tenant_id_2>\"]\r\n});<\/code><\/pre>\n<\/li>\n- Add
*<\/code> to enable token acquisition from any tenant, which is the original behavior. For example:\nconst credential = new DefaultAzureCredential({\r\nadditionallyAllowedTenants: [\"*\"]\r\n});<\/code><\/pre>\n<\/li>\n<\/ul>\nPython<\/h4>\nBehavioral change to credential types supporting multi-tenant authentication<\/h3>\n
As of azure-identity<\/code> 1.11.0, the default behavior of credentials supporting multi-tenant authentication has changed. Each of these credentials will throw an ClientAuthenticationError<\/code> if the requested tenant_id<\/code> doesn’t match the tenant ID originally configured on the credential. Apps must now do one of the following things:<\/p>\n\n- Add all IDs, of tenants from which tokens should be acquired, to the
additionally_allowed_tenants<\/code> list in the credential options. For example:<\/li>\n<\/ul>\ncredential = DefaultAzureCredential(additionally_allowed_tenants = [\"<tenant_id_1>\", \"<tenant_id_2>\"])<\/code><\/pre>\n\n- Add
*<\/code> to enable token acquisition from any tenant. This is the original behavior and is compatible with previous versions supporting multi tenant authentication. For example:<\/li>\n<\/ul>\ncredential = DefaultAzureCredential(additionally_allowed_tenants=['*'])<\/code><\/pre>\nSummary<\/h2>\n
Make sure your application validates that all user-provided URIs to Azure resources are owned by the customer supplying them to avoid unauthorized cross tenant access. Update your Azure Identity package references to the latest package versions to ensure your application is secure by default against unauthorized cross tenant access. Update credentials used in your application which require multi-tenant access to specify any additional tenants the credential may access. For more information on impacted credential types, see the release notes for the language specific Azure Identity library referenced by your application.<\/p>\n","protected":false},"excerpt":{"rendered":"
Guidelines for multi-tenant applications to validate tenant ownership of user-provided URIs for Azure resources.<\/p>\n","protected":false},"author":101500,"featured_media":2214,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[831,158,705],"class_list":["post-2204","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure-sdk","tag-guidelines","tag-identity","tag-sdk"],"acf":[],"blog_post_summary":"
Guidelines for multi-tenant applications to validate tenant ownership of user-provided URIs for Azure resources.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/azure-sdk\/wp-json\/wp\/v2\/posts\/2204","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/azure-sdk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/azure-sdk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azure-sdk\/wp-json\/wp\/v2\/users\/101500"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azure-sdk\/wp-json\/wp\/v2\/comments?post=2204"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/azure-sdk\/wp-json\/wp\/v2\/posts\/2204\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azure-sdk\/wp-json\/wp\/v2\/media\/2214"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/azure-sdk\/wp-json\/wp\/v2\/media?parent=2204"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azure-sdk\/wp-json\/wp\/v2\/categories?post=2204"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azure-sdk\/wp-json\/wp\/v2\/tags?post=2204"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}