Fix guide · low · microsoft_entra_association_exposed

Azure AD / Entra app association exposed

What this rule means

Your /.well-known/microsoft-identity-association.json reveals your Azure AD / Entra tenant ID and registered application IDs. Required for verified-publisher and SSO flows — but worth confirming the tenant and app IDs listed are intentional.

Why it matters

Microsoft requires you to host /.well-known/microsoft-identity-association.json on a publisher domain to prove ownership of that domain for verified-publisher status. The document looks like:

{
  "associatedApplications": [
    { "applicationId": "11111111-2222-3333-4444-555555555555" }
  ]
}

In some configurations, a tenantId field also appears.

This is public by design. The reason we surface it: in real audits we've seen the file:

None of this is a vulnerability per se. It's a hygiene + intent check — does the publicly-visible list match what you think it does?

How to fix it

  1. Open your Microsoft Entra admin centre → App registrations → App publisher → Verified publisher.
  2. Confirm the tenant ID listed in the JSON matches the tenant ID in the admin centre.
  3. For each applicationId listed, confirm:
  4. Remove application IDs that are no longer in use by:
  5. If you didn't intentionally publish this file, find the subsystem serving it (likely a SaaS or Microsoft 365 integration) and disable that integration if you no longer use it.
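As an added illustration (not part of this guide or the vibecheck tool), steps 2 and 3 as a script: it parses a constructed sample document in the shape shown above, checks that every ID is a well-formed GUID, and diffs the published application IDs and tenant ID against the inventory you intended to publish. The sample IDs and the expected inventory are assumed placeholders, not real tenants or apps.

```python
import json
import re

# Constructed sample (no real tenant or app IDs) in the shape Microsoft
# expects at /.well-known/microsoft-identity-association.json.
SAMPLE_DOC = """{
  "associatedApplications": [
    { "applicationId": "11111111-2222-3333-4444-555555555555" },
    { "applicationId": "99999999-8888-7777-6666-555555555555" }
  ],
  "tenantId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
}"""

GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

def parse_association(raw):
    """Return {'app_ids': set, 'tenant_id': str|None}; reject malformed entries."""
    doc = json.loads(raw)
    apps = doc.get("associatedApplications")
    if not isinstance(apps, list):
        raise ValueError("associatedApplications must be a list")
    app_ids = set()
    for entry in apps:
        app_id = entry.get("applicationId") if isinstance(entry, dict) else None
        if not isinstance(app_id, str) or not GUID_RE.match(app_id):
            raise ValueError(f"malformed applicationId: {app_id!r}")
        app_ids.add(app_id.lower())  # GUIDs compare case-insensitively
    tenant = doc.get("tenantId")  # optional; only some configurations emit it
    if tenant is not None and not (isinstance(tenant, str) and GUID_RE.match(tenant)):
        raise ValueError(f"malformed tenantId: {tenant!r}")
    return {"app_ids": app_ids, "tenant_id": tenant.lower() if tenant else None}

def review_association(raw, expected_app_ids, expected_tenant_id=None):
    # Compare what is actually published against what you meant to publish.
    parsed = parse_association(raw)
    expected = {a.lower() for a in expected_app_ids}
    tenant_mismatch = (expected_tenant_id is not None and parsed["tenant_id"] is not None
                       and parsed["tenant_id"] != expected_tenant_id.lower())
    findings = {
        "unexpected_app_ids": sorted(parsed["app_ids"] - expected),  # stale or unknown
        "missing_app_ids": sorted(expected - parsed["app_ids"]),     # intended but absent
        "tenant_mismatch": tenant_mismatch,
    }
    findings["ok"] = not (findings["unexpected_app_ids"]
                          or findings["missing_app_ids"] or tenant_mismatch)
    return findings

if __name__ == "__main__":  # hypothetical inventory: only the first app ID was intended
    print(review_association(SAMPLE_DOC, {"11111111-2222-3333-4444-555555555555"}))
```

Point review_association at the live document (fetched with any HTTP client) and at the app IDs from your admin centre; anything in unexpected_app_ids is a candidate for step 4.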

Did vibecheck flag this on your app?

If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.
