From 50288ac3d0e53a18ea6f8d5e74986c1ff9ba15bf Mon Sep 17 00:00:00 2001 From: Jordan Le Date: Wed, 10 Jun 2026 11:49:21 -0400 Subject: [PATCH] Add [Authorize] attribute to RootController to match sibling controllers (FireWatch 667635ff) The SCIM RootController exposed an unauthenticated endpoint at the service root, while all 6 sibling resource controllers (Users, Groups, BulkRequest, ResourceTypes, Schemas, ServiceProviderConfiguration) carry [Authorize]. The omission has no [AllowAnonymous] marker - it is a security oversight, not an intentional public endpoint. FireWatch finding 667635ff, IMPORTANT, PARTIALLY_EXPLOITABLE. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .../Service/Controllers/RootController.cs | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Microsoft.SystemForCrossDomainIdentityManagement/Service/Controllers/RootController.cs b/Microsoft.SystemForCrossDomainIdentityManagement/Service/Controllers/RootController.cs index b5d0320c..41ed1eb5 100644 --- a/Microsoft.SystemForCrossDomainIdentityManagement/Service/Controllers/RootController.cs +++ b/Microsoft.SystemForCrossDomainIdentityManagement/Service/Controllers/RootController.cs @@ -3,7 +3,9 @@ namespace Microsoft.SCIM { using System; + using Microsoft.AspNetCore.Authorization; + [Authorize] public sealed class RootController : ControllerTemplate { public RootController(IProvider provider, IMonitor monitor)