Description
The Microsoft Graph Authz plugin (microsoft-graph-authz) experiences periodic global authentication lockouts when Microsoft Entra ID issues Continuous Access Evaluation (CAE) challenges. All users are denied access until the condition self-resolves or Elasticsearch nodes are restarted.
Quick fix: stop advertising CAE support
Pass false for isCaeEnabled to the 5-arg AzureIdentityAuthenticationProvider constructor. This stops advertising CP1, so Entra will not issue CAE challenges to this client.
Proper fix: handle CAE challenges
Add the Kiota AuthorizationHandler middleware to the OkHttp interceptor chain. This middleware intercepts 401 responses containing a claims challenge, re-authenticates with the required claims, and retries the request transparently.