
Claim xms_edov does not appear in Token Configuration in Azure AD by default? #111425

Closed
GauravES opened this issue Jun 26, 2023 · 22 comments

Comments

GauravES commented Jun 26, 2023

Can you provide specific steps on how to enable the optional claim xms_edov in Azure AD so that this recommended remediation can be implemented?

It does not appear by default, so instructions are needed on how to surface it.


@YashikaTyagii (Contributor)

@GauravES
Thanks for your feedback! We will investigate and update as appropriate.

deepankar-j commented Jun 28, 2023

@YashikaTyagii: Is there any update on this?

@YashikaTyagii (Contributor)

@GauravES
Sure, I can help you with that. The xms_edov claim is an optional claim that is not included by default in Azure AD. I am assigning the case to Content author to add instructions for the same.
Thanks!

@YashikaTyagii (Contributor)

@davidmu1
Kindly take a look at this case.

@SaeedAkhter-MSFT (Contributor)

xms_edov is a new optional claim that doesn't have a UI quite yet. In the manifest editor you can add it to either your idToken or accessToken, or both. One option is to use the UI (screenshot above) to add another xms claim such as xms_pl (preferred language), then go into App -> Manifest and change xms_pl -> xms_edov as follows. (WARNING: before editing the Manifest directly, be sure to use the "DOWNLOAD" button to make a backup of your config.)

```json
{
  "optionalClaims": {
    "idToken": [
      {
        "name": "xms_edov",
        "source": null,
        "essential": false,
        "additionalProperties": []
      }
    ],
    "accessToken": [
      {
        "name": "xms_edov",
        "source": null,
        "essential": false,
        "additionalProperties": []
      }
    ],
    "saml2Token": []
  }
}
```

@nickludwig (Contributor)

Bumping this conversation along. @GauravES - does Saeed's answer help?

cc: @SaeedAkhter-MSFT

@kostaspt

Hey, I'm having the same issue as @GauravES. Despite following @SaeedAkhter-MSFT's instructions to set the xms_edov claim, I still couldn't get a value back. Although the claim appears in the UI after setting it, a warning is displayed, and the expected value isn't returned in the claims.

[screenshot: optional claims in settings]

I'm not sure if there are any additional steps required to resolve this issue. Any further guidance would be greatly appreciated. Thanks!

@JannikZed

I want to escalate this issue as well. xms_edov is here to solve critical security issues, especially for multi-tenant apps. The answer from @SaeedAkhter-MSFT is NOT working. Our ID and access tokens do not get this new claim added. It does work for other optional claims like "verified_email_address".
Is there a difference between v1 and v2 tokens? I can't get a v2 token, no matter what I try.
In general, Microsoft makes it unbelievably hard to build a secure application! Why can't you update your docs when adding new token claims that are so crucial?

@JannikZed

I could get it running by adding two optional claims via the manifest: xms_edov and email - xms_edov only did not work. How strange!

@kostaspt

> I could get it running by adding two optional claims via the manifest: xms_edov and email - xms_edov only did not work. How strange!

Just tried adding both xms_edov and email as optional claims, and it worked for me as well! Thanks @JannikZed for sharing this workaround. It's odd that xms_edov alone didn't do the trick, but at least we have a solution for now, even if the process of setting it up is less than ideal.
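The manifest edit Saeed describes above, extended with the email claim that JannikZed and kostaspt found necessary, as an added example in Python. This is my code, not part of this thread and not Microsoft tooling; it takes a manifest JSON as downloaded from App registrations -> Manifest and returns a copy with both claims configured for the ID and access tokens. The sample manifest, the helper names and the assumption that unconfigured sections may show up as null are mine.

```python
import copy
import json

# Constructed sample: a trimmed copy of what App registrations -> Manifest
# downloads. Only optionalClaims matters here; appId is a placeholder.
SAMPLE_MANIFEST = json.loads("""
{
  "appId": "00000000-0000-0000-0000-000000000000",
  "optionalClaims": {
    "idToken": [
      {"name": "xms_pl", "source": null, "essential": false, "additionalProperties": []}
    ],
    "accessToken": null,
    "saml2Token": []
  }
}
""")

# xms_edov alone was not emitted for several people in this thread; adding
# email alongside it is the workaround that worked for them.
DEFAULT_CLAIMS = ("xms_edov", "email")
DEFAULT_TOKEN_TYPES = ("idToken", "accessToken")


def _claim_entry(name):
    # Same shape as the entries in the manifest fragment pasted above.
    return {"name": name, "source": None, "essential": False, "additionalProperties": []}


def add_optional_claims(manifest, claims=DEFAULT_CLAIMS, token_types=DEFAULT_TOKEN_TYPES):
    """Return a copy of the manifest with each claim listed once per token type.

    Idempotent: existing entries are left alone. Sections that are missing or
    null (assumption: the manifest can show null for unconfigured sections)
    are turned into lists.
    """
    patched = copy.deepcopy(manifest)
    optional = patched.get("optionalClaims") or {}
    patched["optionalClaims"] = optional
    for token_type in token_types:
        entries = optional.get(token_type) or []
        optional[token_type] = entries
        present = {entry.get("name") for entry in entries}
        for name in claims:
            if name not in present:
                entries.append(_claim_entry(name))
                present.add(name)
    optional.setdefault("saml2Token", [])
    return patched


def claim_names(manifest, token_type):
    """Sorted claim names configured for one token type (empty if none)."""
    entries = (manifest.get("optionalClaims") or {}).get(token_type) or []
    return sorted(entry["name"] for entry in entries)


if __name__ == "__main__":
    # Paste the printed object over the "optionalClaims" key in the portal's
    # manifest editor (download a backup first, as Saeed warns above).
    print(json.dumps(add_optional_claims(SAMPLE_MANIFEST)["optionalClaims"], indent=2))
```

The function only builds the JSON; applying it still means pasting the result into the manifest editor (or sending the same optionalClaims object in a Graph PATCH to the application), and the portal may prompt for the permission the email claim needs, as kostaspt notes further down.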

Itaypa commented Aug 20, 2023

Hello! Our customers are facing a critical issue. I attempted to resolve it by adding xms_edov and an email, but unfortunately, it did not work. Is there anything else that needs to be done in order to make it work?

@JannikZed

@Itaypa try it again after some minutes. At least for us the changes didn't get propagated immediately.

Itaypa commented Aug 20, 2023

nope same thing...

@kostaspt

@Itaypa When it asked you to give it API access when adding the email optional claim, did you accept that? The API permissions should look like this:

[screenshot: API permissions]

Also, keep in mind those ⚠️ won't go away, even if everything is fine and the claim is being returned.

thePmr commented Oct 3, 2023

Does xms_edov have any other specific condition to appear, e.g. a particular MS account type?
I did what was suggested here: added it as an optional claim via the manifest, added the optional email claim, checked permissions (same as in the comment above), but still couldn't get it from HttpContext.AuthenticateAsync. Any suggestions?

@maxbeaudoin

I've tried the workaround mentioned above without any luck. xms_edov is not part of the access_token or id_token.

@kostaspt

> I've tried the workaround mentioned above without any luck. xms_edov is not part of the access_token or id_token.

It's not, but you can add it through the manifest manually. You can try following the nOAuth section of this guide: https://clerk.com/docs/authentication/social-connections/microsoft#stay-secure-against-the-n-o-auth-vulnerability

@davidmu1 (Contributor)

An ADO workitem has been opened to track any documentation work needed to address this issue. Because of repository migration work, this item is being closed.

https://dev.azure.com/msft-skilling/Content/_workitems/edit/169181

#please-close

hf commented Oct 13, 2023

IDK if you know, but the docs stating that xms_edov is a boolean is completely false. You can also sometimes get "xms_edov": "1". So watch out folks!

@kostaspt

> IDK if you know, but the docs stating that xms_edov is a boolean is completely false. You can also sometimes get "xms_edov": "1". So watch out folks!

From what I've found while implementing this, it returns "1" for personal accounts and it's a boolean for Azure AD accounts. So watch out for both if you're using strict types.
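Since the two comments above report xms_edov arriving as boolean true for Azure AD accounts and as the string "1" for personal accounts, here is an added example of a fail-closed check over the token's claims. It is my code, not from this thread and not Microsoft's; the claim sets are constructed (placeholder tid/oid values, no real tokens), the helper names are mine, and the rule that only true and "1" count as verified is my reading of the comments above. It also keys the account on tid + oid rather than email, which is the point of guarding against the nOAuth-style email substitution this claim exists for.

```python
# Constructed claim sets modelled on what the thread reports; not real tokens.
WORK_ACCOUNT = {
    "tid": "11111111-1111-1111-1111-111111111111",
    "oid": "22222222-2222-2222-2222-222222222222",
    "email": "alice@contoso.example",
    "xms_edov": True,          # Azure AD account: boolean, as the docs say
}
PERSONAL_ACCOUNT = {
    "tid": "33333333-3333-3333-3333-333333333333",
    "oid": "44444444-4444-4444-4444-444444444444",
    "email": "bob@outlook.example",
    "xms_edov": "1",           # personal account: string "1", as hf and kostaspt saw
}
MISSING_CLAIM = {
    "tid": "55555555-5555-5555-5555-555555555555",
    "oid": "66666666-6666-6666-6666-666666666666",
    "email": "victim@target.example",   # claim not emitted: email is just a mutable attribute
}
ODD_VALUE = {
    "tid": "55555555-5555-5555-5555-555555555555",
    "oid": "77777777-7777-7777-7777-777777777777",
    "email": "victim@target.example",
    "xms_edov": "true",        # not a value the thread reports; assumption: fail closed
}


def email_domain_verified(claims):
    """True only when xms_edov says the email's domain is verified for the issuing tenant.

    Accepts boolean True and the string "1" (the two shapes reported above);
    anything else, including a missing claim, is treated as unverified.
    `is True` rather than `== True` so that an integer 1 is not accepted by
    accident (1 == True in Python).
    """
    value = claims.get("xms_edov")
    if value is True:
        return True
    if isinstance(value, str) and value.strip() == "1":
        return True
    return False


def account_key(claims):
    """Stable key for the local account record: tenant id + object id, never the email."""
    tid = claims.get("tid")
    oid = claims.get("oid")
    if not tid or not oid:
        raise ValueError("token lacks tid/oid; refuse to map it to an account")
    return f"{tid}:{oid}"


def may_link_by_email(claims):
    """Whether an existing local account may be matched on the email claim.

    Requires a non-empty email whose domain the issuing tenant has verified;
    otherwise the caller must fall back to account_key() or an explicit
    linking flow.
    """
    email = claims.get("email")
    return bool(email) and email_domain_verified(claims)


if __name__ == "__main__":
    for label, claims in [("work", WORK_ACCOUNT), ("personal", PERSONAL_ACCOUNT),
                          ("missing", MISSING_CLAIM), ("odd", ODD_VALUE)]:
        print(label, account_key(claims), "link-by-email:", may_link_by_email(claims))
```

A stricter `isinstance(value, bool)` check, which is what the docs' "boolean" wording invites, would silently reject every personal account; a looser `bool(value)` check would accept "0" and "false" as verified. Checking the two observed shapes explicitly and failing closed on everything else avoids both.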

exFalso commented Jan 26, 2024

Why is this issue closed? Any reason for why there's no UI support for this claim?

@LuciferDoCode

Not sure why this issue is marked closed. I followed the documentation and steps in clerk and it's been more than an hour since I updated the optional claims. It's not working for me. Is there any update on this new claim?
