AIWiki

┌────────────────────────────────────────────────────────────────────────────────┐ │ 📄 shadcn/directory/clerk/clerk-docs/_partials/authentication/microsoft/noauth │ └────────────────────────────────────────────────────────────────────────────────┘

File: noauth.md

Updated: 11/7/2025

╔══════════════════════════════════════════════════════════════════════════════════════════════╗

║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║

nOAuth is an exploit in Microsoft Entra ID OAuth apps that can lead to account takeovers via email address spoofing. Clerk mitigates this risk by enforcing stricter checks on verified email addresses.

For further security, Microsoft offers an optional xms_edov claim, which provides additional context to determine whether the returned email is verified.

[!IMPORTANT] When adding the xms_edov claim in the Azure portal, you may see a warning saying it's invalid or not recognized. You can safely ignore this warning - xms_edov is fully supported and documented by Microsoft Entra ID for stronger email domain verification, but the Azure portal's token configuration UI may not recognize it yet.

To enable it, you must:

In the left sidenav, in the Manage dropdown, select Token configuration.
Select Add optional claim.
For the Token type, select ID. Then, in the table that opens, enable the email and xms_pdl claims.
At the bottom of the modal, select Add. A new modal will prompt you to turn on the Microsoft Graph email permission. Enable it, then select Add to complete the form.
Repeat the previous steps but for Token type, select Access instead of ID. The Optional claims list should now show two claims for email and two for xms_pdl: one each for ID and Access.
In the left sidenav, in the Manage dropdown, select Manifest.
In the text editor, search for "acceptMappedClaims" and set its value from null to true.
Search for "optionalClaims", where you'll find the idToken and accessToken arrays. Each array has an object with the name xms_pdl. Change the name to xms_edov.
At the top of the page, select Save.
In the left sidenav, in the Manage dropdown, select Token configuration to confirm that the Optional claims list includes two claims for email and two for xms_edov: one each for ID and Access.

With these steps complete, Microsoft will send the xms_edov claim in the token, which Clerk will use to determine whether the email is verified, even when used with Microsoft Entra ID.

║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║
║

╚══════════════════════════════════════════════════════════════════════════════════════════════╝

← Root | ↑ Up