The format of IPv4 addresses embedded in IPv6 addresses within token claims is changing, which affects the 'ipaddr' claim in JWTs. Organizations with custom applications that depend on the string format of this claim need to update their code. The change takes effect on July 8th, 2024. No action is required if nothing depends on the string format.
MC798676 – Note: If your organization does not use custom applications, or your custom applications do not take a dependency on the string format of the ‘ipaddr’ claim from the access token or ID token, there should not be any impact and no action is required.
Action may be required: The format of IP addresses containing IPv4 embedded in IPv6 addresses within token claims is changing.
The Microsoft identity platform implements security tokens as JSON Web Tokens (JWTs) that contain claims. Claims are name/value pairs that relay facts about the token subject. Applications can use claims for various tasks: validating the token, identifying the token subject’s tenant, displaying user information, identifying the client’s IP address, etc.
One of the claims in the token is ‘ipaddr’ which is a string and refers to the IP address the user authenticates from.
The format of certain IPv6 addresses that contain an IPv4 address is changing so that they are displayed entirely in IPv6 notation. The impacted IPv6 addresses are those of the format xxxx:xxxx:xxxx:xxxx:200:5efe:xxxx:xxxx, i.e., where octets 7, 6, 5, and 4 have the values ‘0x02’, ‘0x00’, ‘0x5e’, ‘0xfe’ respectively.
Currently these IP addresses are serialized with an embedded IPv4 address, like this: xxxx:xxxx:xxxx:xxxx:200:5efe:YYY.YYY.YYY.YYY, where ‘YYY’ is a number from 0 to 255.
Once the changes go into effect, these IP addresses will be serialized as xxxx:xxxx:xxxx:xxxx:200:5efe:xxxx:xxxx, where x is a hex digit (0-9, a-f).
For example:
Please note that although the string format looks different, both forms represent the same IP address. The change impacts both access tokens and ID tokens, and the affected claim is the ‘ipaddr’ claim.
Claim | Format | Description |
---|---|---|
ipaddr | String | The IP address the user authenticated from. |
The ‘ipaddr’ claim is included in the V1.0 token if applicable, and in the V2.0 token if the application requests it using optional claims. Please look at Access token claims reference – Header claims for more details.
When this will happen:
The change will go into effect on July 8th, 2024.
What you need to do to prepare:
Action Required:
```csharp
using System.Net;
IPAddress address = IPAddress.Parse(ipAddress);
```
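One way an application can stop depending on the string format of ‘ipaddr’, building on the IPAddress.Parse line above: compare parsed addresses instead of text, and flag values that fall in the affected layout. This is an added example, not code from the notice or from Microsoft; the class name, method names and sample addresses are assumptions constructed for illustration.

```csharp
using System;
using System.Net;
using System.Net.Sockets;

static class IpAddrClaim
{
    // True for the layout the notice describes: xxxx:xxxx:xxxx:xxxx:200:5efe:xxxx:xxxx,
    // i.e. bytes 8..11 of the 16-byte address are 02 00 5e fe.
    public static bool IsAffectedFormat(IPAddress address)
    {
        if (address.AddressFamily != AddressFamily.InterNetworkV6) return false;
        byte[] b = address.GetAddressBytes();
        return b[8] == 0x02 && b[9] == 0x00 && b[10] == 0x5e && b[11] == 0xfe;
    }

    // Compares two 'ipaddr' claim values by address bytes, not by text.
    // Input that does not parse never matches (fail closed).
    public static bool SameAddress(string claimA, string claimB)
    {
        return IPAddress.TryParse(claimA, out var a)
            && IPAddress.TryParse(claimB, out var b)
            && a.Equals(b);
    }

    static void Main()
    {
        // Constructed sample values from documentation ranges, not taken from the notice.
        string oldStyle = "2001:db8:1:2:200:5efe:192.0.2.1"; // embedded IPv4 form
        string newStyle = "2001:db8:1:2:200:5efe:c000:201";  // all-hex form of the same address

        // A stored value or allow-list entry in the old form no longer matches as text...
        Console.WriteLine("string equality: " + (oldStyle == newStyle));
        // ...but still matches once both sides are parsed.
        Console.WriteLine("parsed equality: " + SameAddress(oldStyle, newStyle));
        Console.WriteLine("affected format: " + IsAffectedFormat(IPAddress.Parse(newStyle)));
        Console.WriteLine("malformed input: " + SameAddress("not-an-ip", newStyle));
    }
}
```

The same parsed comparison applies to any place a previously logged or stored ‘ipaddr’ string is matched against a value from a new token, such as allow-lists, audit correlation or session binding.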