Added support for validating Microsoft Entra v2 access tokens

[getvictor]

Related issue: Resolves #46388

Video demo: https://www.youtube.com/watch?v=t3yuGh0kwP8
Docs PR: #46483

Checklist for submitter

If some of the following don't apply, delete the relevant line.

• Changes file added for user-visible changes in changes/, orbit/changes/ or ee/fleetd-chrome/changes.
• Input data is properly validated, SELECT * is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters.

Testing

• Added/updated automated tests
• QA'd all new/changed functionality manually

Database migrations

• Checked schema for all modified table for columns that will auto-update timestamps during migration.
• Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects.

New Fleet configuration settings

If you didn't check the box above, follow this checklist for GitOps-enabled settings:

• Verified that the setting is exported via fleetctl generate-gitops
• Verified the setting is documented in a separate PR to the GitOps documentation
• Verified that the setting is cleared on the server if it is not supplied in a YAML file (or that it is documented as being optional)
• Verified that any relevant UI is disabled when GitOps mode is enabled

Summary by CodeRabbit

• New Features

  • Added support for Microsoft Entra v2 access token validation during Windows MDM enrollment.
  • New UI interface to manage and configure Windows Entra application client IDs alongside existing tenant IDs.
  • Activity tracking now logs when Entra client IDs are added or removed.

• Enhancements

  • Existing v1 token support continues unchanged.
  • Client ID configuration now available through GitOps workflows.

[getvictor]

@coderabbitai full review

[coderabbitai]

✅ Actions performed

Full review triggered.

[getvictor]

/agentic_review

[qodo-free-for-open-source-projects]

Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (0) 📎 Requirement gaps (0)

1. Audience port not verified ✓ Resolved 🐞 Bug ⛨ Security

Description

hasAuthorizedAzureAudience authorizes v1 (URL) audiences by hostname-only comparison, so a token
with an audience URL on the same hostname but a different port/scheme is still accepted. If Fleet’s
configured ServerURL includes a non-default port, this weakens the audience check used for Windows
automatic enrollment and can authorize tokens minted for a different origin on the same host.

Code

server/service/microsoft_mdm.go[R984-990]

Evidence

The helper authorizes URL audiences via audURL.Hostname() equality only, and the call site passes
expectedURLParsed.Hostname() (dropping any configured port). The repo also demonstrates ServerURL
can include a port, meaning this hostname-only comparison can accept audiences for a different port
on the same host.

server/service/microsoft_mdm.go[960-993]
server/service/microsoft_mdm.go[1066-1091]
server/service/microsoft_mdm_test.go[1724-1746]
server/service/service_appconfig_test.go[47-56]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`hasAuthorizedAzureAudience` currently treats any URL audience whose **hostname** matches Fleet’s server hostname as authorized (v1 token path). This ignores **port** and **scheme**, so when Fleet is configured with a non-default port (e.g. `https://acme.co:8080/`), an audience such as `https://acme.co:443/...` (or any other port) is accepted.
### Issue Context
This check gates Windows automatic enrollment (`authBinarySecurityToken`). The prior behavior compared `audURL.Host` against `expectedURLParsed.Host` (host+port), but the new helper compares only `Hostname()`.
### Fix Focus Areas
- server/service/microsoft_mdm.go[960-993]
- server/service/microsoft_mdm.go[1066-1091]
- server/service/microsoft_mdm_test.go[1724-1766]
### What to change
- Change `hasAuthorizedAzureAudience` to accept the *full expected server URL* (or expected host+port+scheme) rather than just `serverHostname`.
- For v1 URL audiences:
- Parse both the expected server URL and each audience URL.
- Compare hostnames case-insensitively.
- Compare **ports** after normalizing defaults (e.g. treat empty port as `443` for `https`, `80` for `http`).
- Optionally also require scheme match (`http` vs `https`) if that’s part of the intended security boundary.
- Update unit tests to ensure:
- `:443` matches when expected is `https://host`.
- A non-default port does **not** match (e.g. expected `https://host:8080` must not accept `https://host:443`).

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

2. Client ID case mismatch ✓ Resolved 🐞 Bug ≡ Correctness

Description

The Add Entra client ID UI validates input using validator.js isUUID, which accepts uppercase
UUIDs, but the backend requires a strict lowercase GUID regex (^[a-f0-9]{8}-...$). This allows
users to submit IDs that pass client-side validation but are rejected server-side, resulting in a
confusing failure path.

Code

frontend/pages/admin/IntegrationsPage/cards/MdmSettings/components/AddEntraClientIDModal/helpers.ts[R39-50]

Evidence

Frontend uses validator.js isUUID for client ID validation (case-insensitive), while backend
explicitly validates against a lowercase-only GUID regex for both tenant IDs and client IDs, so
uppercase UUIDs will pass FE but fail BE.

frontend/pages/admin/IntegrationsPage/cards/MdmSettings/components/AddEntraClientIDModal/helpers.ts[39-50]
frontend/components/forms/validators/valid_uuid/valid_uuid.ts[1-5]
server/service/appconfig.go[1522-1526]
server/service/appconfig.go[1842-1854]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
Frontend validates Entra client IDs with `validator.js` `isUUID`, but backend validation requires canonical **lowercase** GUIDs via `windowsEntraGUIDRegex`. This mismatch causes inputs that appear valid in the UI to fail when saved.
### Issue Context
- FE: `isUUID` accepts uppercase hex.
- BE: `windowsEntraGUIDRegex` only matches `[a-f0-9]` (lowercase).
### Fix Focus Areas
- frontend/pages/admin/IntegrationsPage/cards/MdmSettings/components/AddEntraClientIDModal/helpers.ts[25-52]
- frontend/components/forms/validators/valid_uuid/valid_uuid.ts[1-5]
- server/service/appconfig.go[1522-1526]
- server/service/appconfig.go[1842-1854]
### What to change (pick one consistent approach)
**Option A (recommended): normalize client-side before submit**
- In `onChangeClientId` and/or before `configAPI.update`, `trim()` and `toLowerCase()` the client ID.
- Update the duplicate check to be case-insensitive.
**Option B: enforce lowercase in FE validation**
- Replace `isUUID` with the same canonical regex (or an equivalent) so the UI blocks uppercase.
**Option C: accept uppercase in BE but store canonical**
- In backend config modification, normalize to lowercase before validating/storing, while still rejecting non-canonical structural formats (braces, missing hyphens, etc.).
Also update the error messaging if you intentionally require lowercase (so users know what to fix).

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

3. Client IDs may stay null ✓ Resolved 🐞 Bug ≡ Correctness

Description

ModifyAppConfig clears WindowsEntraClientIDs by only assigning .Value, so if the field is ever in
the optjson “Valid=false” state (e.g., PATCH sets it to null), it will continue to marshal back to
JSON null instead of []. This contradicts the migration’s goal of stabilizing GET /config and can
reintroduce noisy config diffs.

Code

server/service/appconfig.go[R512-515]

Evidence

The PR’s migration explicitly initializes windows_entra_client_ids as an empty array ([]) using
optjson.SetSlice, but ModifyAppConfig later clears the field by only setting .Value, which does not
update optjson’s Valid flag. optjson.Slice marshals to null whenever Valid is false (including after
UnmarshalJSON(null)), so the field can remain persisted/returned as null instead of [].

server/service/appconfig.go[507-515]
pkg/optjson/optjson.go[135-171]
server/datastore/mysql/migrations/tables/20260529120000_AddAppConfigMDMWindowsEntraClientIDs.go[14-21]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`optjson.Slice[T]` marshals to JSON `null` when `Valid=false`, regardless of the `Value` content. In `ModifyAppConfig`, the code clears `WindowsEntraClientIDs` (and similarly `WindowsEntraTenantIDs`) by assigning only `.Value = []string{}`. If the slice is in a `Valid=false` state (e.g., a client PATCHed `null` at some point), this assignment does not flip `Valid` back to `true`, so the persisted JSON remains `null`.
This undermines the migration’s explicit intent to keep `windows_entra_client_ids` as `[]` (not `null`) for stable `GET /config` responses and stable GitOps diffs.
### Issue Context
- `optjson.Slice.UnmarshalJSON(null)` sets `Set=true`, leaves `Valid=false`, and sets `Value` to an empty slice.
- `optjson.Slice.MarshalJSON()` returns `null` when `Valid=false`.
- The migration correctly uses `optjson.SetSlice([]string{})` (sets `Valid=true`) to initialize the field.
### Fix
When forcing these fields to be an empty array, assign the whole optjson value (or set `Valid=true`), e.g.:
- `appConfig.MDM.WindowsEntraClientIDs = optjson.SetSlice([]string{})`
- (and for consistency) `appConfig.MDM.WindowsEntraTenantIDs = optjson.SetSlice([]string{})`
### Fix Focus Areas
- server/service/appconfig.go[507-515]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

[Copilot]

Pull request overview

Adds support for validating Microsoft Entra (Azure AD) v2 access tokens during Windows MDM automatic enrollment by authorizing tokens whose aud matches a configured Entra application client ID, while preserving the existing v1 aud (Fleet server URL host) behavior.

Changes:

• Add mdm.windows_entra_client_ids app config setting (including migration) and validate it (premium-only, GUID format, Windows MDM enabled).
• Update Windows MDM JWT audience authorization logic to accept either configured client IDs (v2) or server URL host (v1), plus add unit coverage for the matching helper.
• Extend GitOps parsing/generation and anonymous statistics payload to include the new setting.

Reviewed changes

Copilot reviewed 19 out of 20 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
server/service/microsoft_mdm.go	Adds shared audience-matching helper and uses it when authorizing Entra JWTs for Windows automatic enrollment.
server/service/microsoft_mdm_test.go	Adds unit tests for the audience authorization helper (v1 URL-host and v2 client-ID paths).
server/service/client.go	Ensures GitOps/app config patching includes windows_entra_client_ids with stable empty-array defaults.
server/service/appconfig.go	Validates the new client ID allowlist, clears it when disabling Windows MDM, and emits add/remove activities.
server/service/appconfig_test.go	Updates MDM config test fixtures and adds validation-focused test cases for the new setting.
server/fleet/app.go	Adds WindowsEntraClientIDs to the fleet.MDM config struct and deep-copies it in AppConfig.Copy().
server/fleet/activities.go	Introduces new activity types for adding/deleting Microsoft Entra client IDs.
server/fleet/statistics.go	Adds numWindowsEntraClientIDs to the anonymous statistics payload.
server/datastore/mysql/statistics.go	Populates the new statistics field from app config.
server/datastore/mysql/migrations/tables/20260529120000_AddAppConfigMDMWindowsEntraClientIDs.go	Migration initializes mdm.windows_entra_client_ids to [] for upgraded installs.
server/datastore/mysql/migrations/tables/20260529120000_AddAppConfigMDMWindowsEntraClientIDs_test.go	Verifies the migration initializes windows_entra_client_ids to an empty array in app config JSON.
pkg/spec/gitops.go	Extends GitOps controls schema and Set() detection to include windows_entra_client_ids.
pkg/spec/gitops_test.go	Asserts GitOps parsing includes the new key.
pkg/spec/testdata/team_config_no_paths.yml	Adds windows_entra_client_ids: [] to GitOps testdata.
pkg/spec/testdata/team_config_invalid_sha.yml	Adds windows_entra_client_ids: [] to GitOps testdata.
pkg/spec/testdata/global_config_no_paths.yml	Adds windows_entra_client_ids: [] to GitOps testdata.
pkg/spec/testdata/controls.yml	Adds windows_entra_client_ids: [] to GitOps testdata.
pkg/spec/testdata/controls_new_names.yml	Adds windows_entra_client_ids: [] to GitOps testdata.
cmd/fleetctl/fleetctl/generate_gitops.go	Emits windows_entra_client_ids in generated GitOps controls when configured and Windows MDM is enabled.
changes/46388-windows-entra-v2-access-tokens	Adds a release note for v2 access token support and the new configuration key.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Caution

Review failed

Failed to post review comments

Walkthrough

This pull request adds support for Microsoft Entra v2 access tokens during Windows MDM enrollment. The change introduces a configurable allowlist of Entra application client IDs (windows_entra_client_ids) that complement existing tenant ID validation. The implementation spans the full stack: a new AppConfig field with database migration, validation and activity emission on modification, dual-mode JWT audience authorization (matching client IDs via GUID for v2 tokens and server URLs for v1 tokens), refactored Azure claim extraction with optional unique_name and UPN fallback, GitOps and API surface updates, frontend admin UI components for managing client IDs, and comprehensive test coverage including integration tests.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 59.09% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title clearly and concisely describes the main change: adding support for validating Microsoft Entra v2 access tokens, which is the core objective.
Description check	✅ Passed	The PR description is comprehensive and follows the repository template, including the related issue number (#46388), completed checklist items covering validation, testing, migrations, and GitOps settings with all required sections addressed.
Linked Issues check	✅ Passed	The PR implements all major coding objectives from issue #46388: new mdm.windows_entra_client_ids AppConfig field with GUID validation, v2 token audience validation with case-insensitive client ID matching, UPN fallback to preferred_username, database migration, activities for add/delete operations, UI controls, GitOps support, and comprehensive API/validation updates.
Out of Scope Changes check	✅ Passed	All changes are aligned with the PR objectives and issue #46388 requirements. The scope includes backend validation, database migrations, frontend UI components, GitOps support, activities, API updates, and comprehensive testing—all directly supporting Entra v2 token validation.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch victor/46388-entra-v2

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@changes/46388-windows-entra-v2-access-tokens`:
- Line 1: Update the release note text to match Microsoft's wording and include
the official doc link: change the cutoff phrasing from "after 2026-07-01" to
"effective July 1, 2026" (or "starting July 1, 2026") and specify that this
applies to new on-premises MDM applications created via the Entra Portal flow;
keep that v1 tokens continue to work unchanged and retain the configuration
reference mdm.windows_entra_client_ids (or controls.windows_entra_client_ids)
and append the Microsoft link
https://learn.microsoft.com/en-us/windows/client-management/azure-active-directory-integration-with-mdm
for reference.

In
`@server/datastore/mysql/migrations/tables/20260529120000_AddAppConfigMDMWindowsEntraClientIDs_test.go`:
- Line 17: The test currently reads the app_config_json row with a
non-deterministic query (`SELECT json_value FROM app_config_json LIMIT 1`),
which relies on an implicit singleton invariant; update the test to explicitly
target the singleton row by querying with WHERE id = 1 (e.g., use `SELECT
json_value FROM app_config_json WHERE id = 1`) or alternatively add a clear
comment documenting the singleton invariant for app_config_json, referencing the
test that runs this query
(20260529120000_AddAppConfigMDMWindowsEntraClientIDs_test.go) so future changes
don’t introduce additional rows that break the assertion.

In `@server/service/microsoft_mdm.go`:
- Around line 969-988: The v1 audience host check in hasAuthorizedAzureAudience
currently does a case-sensitive compare between audURL.Host and serverHost which
can fail due to casing or default-port formatting; update the logic to
canonicalize both sides by parsing/normalizing hosts (split host and port,
remove default ports like :443 for https or :80 for http, or normalize to just
hostname) and then perform a case-insensitive comparison (e.g., use
strings.EqualFold on the normalized hostnames). Ensure you normalize serverHost
once (parse expected URL or host string) and apply the same normalization to
audURL.Host before comparing so v1 audience matches ignore case and default-port
differences.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ba6db45b-c762-43fd-8355-1bc3dd5bbd13

📥 Commits

Reviewing files that changed from the base of the PR and between 8feb3bd and e9cd9ff.

📒 Files selected for processing (20)

• changes/46388-windows-entra-v2-access-tokens
• cmd/fleetctl/fleetctl/generate_gitops.go
• pkg/spec/gitops.go
• pkg/spec/gitops_test.go
• pkg/spec/testdata/controls.yml
• pkg/spec/testdata/controls_new_names.yml
• pkg/spec/testdata/global_config_no_paths.yml
• pkg/spec/testdata/team_config_invalid_sha.yml
• pkg/spec/testdata/team_config_no_paths.yml
• server/datastore/mysql/migrations/tables/20260529120000_AddAppConfigMDMWindowsEntraClientIDs.go
• server/datastore/mysql/migrations/tables/20260529120000_AddAppConfigMDMWindowsEntraClientIDs_test.go
• server/datastore/mysql/statistics.go
• server/fleet/activities.go
• server/fleet/app.go
• server/fleet/statistics.go
• server/service/appconfig.go
• server/service/appconfig_test.go
• server/service/client.go
• server/service/microsoft_mdm.go
• server/service/microsoft_mdm_test.go

[codecov]

Codecov Report

❌ Patch coverage is 72.17391% with 32 lines in your changes missing coverage. Please review.
✅ Project coverage is 66.81%. Comparing base (9e10c3c) to head (7bb107f).
⚠️ Report is 8 commits behind head on main.

Files with missing lines	Patch %	Lines
...vityFeed/GlobalActivityItem/GlobalActivityItem.tsx	0.00%	17 Missing ⚠️
server/service/appconfig.go	86.95%	4 Missing and 2 partials ⚠️
...0529120000_AddAppConfigMDMWindowsEntraClientIDs.go	66.66%	4 Missing ⚠️
server/service/microsoft_mdm.go	83.33%	2 Missing and 2 partials ⚠️
server/mdm/microsoft/wstep.go	85.71%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #46416   +/-   ##
=======================================
  Coverage   66.81%   66.81%           
=======================================
  Files        2804     2806    +2     
  Lines      223574   223652   +78     
  Branches    11346    11315   -31     
=======================================
+ Hits       149379   149437   +58     
- Misses      60640    60662   +22     
+ Partials    13555    13553    -2     

Flag	Coverage Δ
backend	68.54% <84.69%> (+<0.01%)	⬆️
frontend	56.45% <0.00%> (-0.03%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[getvictor]

@coderabbitai full review

[getvictor]

/agentic_review

[coderabbitai]

✅ Actions performed

Full review triggered.

[qodo-free-for-open-source-projects]

Code review by qodo was updated up to the latest commit c001e70

[Copilot]

Pull request overview

Copilot reviewed 37 out of 38 changed files in this pull request and generated 3 comments.

[coderabbitai]

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

server/mdm/microsoft/wstep.go (1)

411-484: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Don’t require unique_name in azureDataFromClaims (v2 tokens)

azureDataFromClaims currently fails with invalid UniqueName claim when claims["unique_name"] is missing. This blocks Entra v2 access tokens that use preferred_username instead. The automatic-enrollment auth path only uses tokenData.Audience, tokenData.TenantID, and returns tokenData.UPN—UniqueName isn’t used—so unique_name should be optional. Microsoft documents unique_name as v1-only and preferred_username as v2.
https://learn.microsoft.com/en-us/entra/identity-platform/access-token-claims-reference

💡 Minimal fix

-	// Get UniqueName claim
-	uniqueNameClaim, ok := claims["unique_name"].(string)
-	if !ok {
-		return AzureData{}, ctxerr.New(ctx, "invalid UniqueName claim")
-	}
+	// `unique_name` is v1-only. Keep it when present, but don't reject v2 tokens that
+	// identify the user via `preferred_username`.
+	uniqueNameClaim, _ := claims["unique_name"].(string)
+	if uniqueNameClaim == "" {
+		uniqueNameClaim = upnClaim
+	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@server/mdm/microsoft/wstep.go` around lines 411 - 484, azureDataFromClaims
currently returns an error if claims["unique_name"] is missing; make UniqueName
optional to support Entra v2 tokens that use preferred_username instead: in
azureDataFromClaims remove the hard failure on missing unique_name (the block
referencing uniqueNameClaim and the error "invalid UniqueName claim"), instead
set AzureData.UniqueName to the value if present
(claims["unique_name"].(string)) or leave it empty when absent; ensure
downstream use (e.g., automatic-enrollment path) continues to rely only on
Audience, TenantID and UPN.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@frontend/pages/admin/IntegrationsPage/cards/MdmSettings/components/AddEntraClientIDModal/AddEntraClientIDModal.tsx`:
- Around line 60-68: The add flow treats clientId as possibly undefined and does
a case-sensitive duplicate check; update the AddEntraClientIDModal logic to
first narrow/guard clientId (e.g., early return if !clientId) so TypeScript
knows it's a string before using it in [...currentClientIds, clientId] and
configAPI.update, and perform a case-insensitive duplicate check by normalizing
both currentClientIds and clientId (e.g., compare currentClientIds.map(id =>
id.toLowerCase()) includes clientId.toLowerCase()) when computing clientIdExists
and before pushing into windows_entra_client_ids.

In
`@frontend/pages/admin/IntegrationsPage/cards/MdmSettings/WindowsAutomaticEnrollmentPage/EntraClientIDsListItem/EntraClientIDsListItem.tsx`:
- Around line 27-34: The icon-only delete Button in the EntraClientIDsListItem
component lacks an accessible name; update the Button (the element using props
disabled={disableChildren}, onClick={onClickDelete},
className={`${baseClass}__action-button`} and variant="icon") to include an
appropriate aria-label (e.g., "Delete client ID" or similar contextual text) so
screen readers can identify the action.

In
`@frontend/pages/DashboardPage/cards/ActivityFeed/GlobalActivityItem/GlobalActivityItem.tsx`:
- Around line 2098-2106: The addedMicrosoftEntraClientId and
deletedMicrosoftEntraClientId renderers currently interpolate
activity.details?.client_id directly which can produce "(undefined)"; update
both functions to guard the value and either omit the parenthetical when
client_id is falsy or supply a safe fallback (e.g., "unknown" or "unspecified")
and render accordingly so the UI never shows "undefined" in the activity text.

In `@server/service/appconfig.go`:
- Around line 1522-1525: The windowsEntraGUIDRegex only accepts lowercase hex
and rejects valid GUIDs with A-F; update its pattern to accept uppercase hex as
well (e.g. make character classes include A-F or use a case-insensitive regex
flag) so the Entra tenant and application client ID validations that use
windowsEntraGUIDRegex (the validation calls around the current checks) will
accept valid UUIDs in either case.

---

Outside diff comments:
In `@server/mdm/microsoft/wstep.go`:
- Around line 411-484: azureDataFromClaims currently returns an error if
claims["unique_name"] is missing; make UniqueName optional to support Entra v2
tokens that use preferred_username instead: in azureDataFromClaims remove the
hard failure on missing unique_name (the block referencing uniqueNameClaim and
the error "invalid UniqueName claim"), instead set AzureData.UniqueName to the
value if present (claims["unique_name"].(string)) or leave it empty when absent;
ensure downstream use (e.g., automatic-enrollment path) continues to rely only
on Audience, TenantID and UPN.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 20f97e63-6dc1-47af-88d1-ebd26479dfd8

📥 Commits

Reviewing files that changed from the base of the PR and between 8feb3bd and c001e70.

📒 Files selected for processing (38)

• changes/46388-windows-entra-v2-access-tokens
• cmd/fleetctl/fleetctl/generate_gitops.go
• frontend/__mocks__/configMock.ts
• frontend/interfaces/activity.ts
• frontend/interfaces/config.ts
• frontend/pages/DashboardPage/cards/ActivityFeed/GlobalActivityItem/GlobalActivityItem.tsx
• frontend/pages/admin/IntegrationsPage/cards/MdmSettings/WindowsAutomaticEnrollmentPage/EntraClientIDsListHeader/EntraClientIDsListHeader.tsx
• frontend/pages/admin/IntegrationsPage/cards/MdmSettings/WindowsAutomaticEnrollmentPage/EntraClientIDsListHeader/_styles.scss
• frontend/pages/admin/IntegrationsPage/cards/MdmSettings/WindowsAutomaticEnrollmentPage/EntraClientIDsListHeader/index.ts
• frontend/pages/admin/IntegrationsPage/cards/MdmSettings/WindowsAutomaticEnrollmentPage/EntraClientIDsListItem/EntraClientIDsListItem.tsx
• frontend/pages/admin/IntegrationsPage/cards/MdmSettings/WindowsAutomaticEnrollmentPage/EntraClientIDsListItem/_styles.scss
• frontend/pages/admin/IntegrationsPage/cards/MdmSettings/WindowsAutomaticEnrollmentPage/EntraClientIDsListItem/index.ts
• frontend/pages/admin/IntegrationsPage/cards/MdmSettings/WindowsAutomaticEnrollmentPage/WindowsAutomaticEnrollmentPage.tsx
• frontend/pages/admin/IntegrationsPage/cards/MdmSettings/components/AddEntraClientIDModal/AddEntraClientIDModal.tsx
• frontend/pages/admin/IntegrationsPage/cards/MdmSettings/components/AddEntraClientIDModal/helpers.ts
• frontend/pages/admin/IntegrationsPage/cards/MdmSettings/components/AddEntraClientIDModal/index.ts
• frontend/pages/admin/IntegrationsPage/cards/MdmSettings/components/DeleteEntraClientIDModal/DeleteEntraClientIDModal.tsx
• frontend/pages/admin/IntegrationsPage/cards/MdmSettings/components/DeleteEntraClientIDModal/index.ts
• pkg/spec/gitops.go
• pkg/spec/gitops_test.go
• pkg/spec/testdata/controls.yml
• pkg/spec/testdata/controls_new_names.yml
• pkg/spec/testdata/global_config_no_paths.yml
• pkg/spec/testdata/team_config_invalid_sha.yml
• pkg/spec/testdata/team_config_no_paths.yml
• server/datastore/mysql/migrations/tables/20260529120000_AddAppConfigMDMWindowsEntraClientIDs.go
• server/datastore/mysql/migrations/tables/20260529120000_AddAppConfigMDMWindowsEntraClientIDs_test.go
• server/datastore/mysql/statistics.go
• server/fleet/activities.go
• server/fleet/app.go
• server/fleet/statistics.go
• server/mdm/microsoft/wstep.go
• server/mdm/microsoft/wstep_test.go
• server/service/appconfig.go
• server/service/appconfig_test.go
• server/service/client.go
• server/service/microsoft_mdm.go
• server/service/microsoft_mdm_test.go

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}