Interesting . . . from The Register: Microsoft 365 guest accounts + Power Apps = security nightmare

The linchpin is this bit:

"But wait," you may be thinking at this point, "that shouldn't matter if a company is practicing good access management." That would be true, but it's here that Bargury's experience as co-founder and CTO of Zenity, a low-code/no-code security and governance platform, comes into play: he says many companies aren't.

And it's correct. Azure / M365 isn't one server, or service... it's an interconnected mess of many services and the interaction points between them have controls that have to be configured for the enterprise.

One of the levers that I have to know to pull is to disable the ability for a user to install a new app into a tenant without admin permissions. Just like I have to tell the system to enforce MFA when a user joins a machine to the directory.

If you do not know how to do this stuff on setup, you're not qualified to service an M365 tenant. I can't even go into the entire list of crap I have to do, and have been doing for years... it's too long to post. But this is also why M365 Lighthouse exists, so partner companies can templatize these settings, and get alerts when a tenant is out of compliance.

As for guest accounts... they are limited users FOR THE ORGANIZATION. Not the Team... not the SharePoint site... they have access to anything that uses that particular Entra ID directory. So yes, this access is normal, it's default, I turn it off because I know about this sort of thing.

The author of the article however... must be new to this game. Despite the fact that Active Directory has the EXACT SAME PROBLEMS if you federate it.

We're back to water is wet... and security is hard.
 
@Sky-Knight

The problem is that very, very few people exist out there that have the depth of knowledge about "the whole ball of wax" that you do. And given my decades in IT for situations every bit as complex, it's going to stay that way. There are only so many hours in the day.

Microsoft should be taking it upon itself to "tighten the ship" as issues like this are identified, just as is done for tons of other stuff. And I'll bet even their own people mostly were unaware of the issue, until it was identified.

I've said it before, and will say it again: Security always has been and will be a game of cat and mouse. And often discoveries about where the mice can get in are made by them, first. And when those mice are calling, "Yoo, hoo - cat!," that cat ought to be taking action in short order to make sure future mice can't take that route in again.

Over time you can determine "how tight is tight enough" without that degree of tightness causing unnecessary constriction for doing the business that has to be done.
 
@britechguy

The good news and the bad news is... Microsoft is doing this.

If I configure an M365 tenant right now, the defaults it gets are drastically different than what was there a year ago, which doesn't even hold a passing resemblance to what was there when the platform launched.

The problem is... those are DEFAULTS. At no point does Microsoft dig into these systems and update them. The setup might be OK today, but every so many years you need to dig through there and audit it again.

As service providers we have a simple choice...

Put the time in as I have, or watch your customers get hacked...

Though... I suppose you could also contract that service out to a 3rd party and have them do the audit. Which is what my current workplace does, we have our own Security Operations Center (SOC), and we white / grey label that thing all the time.

From a compliance and liability perspective you really want a 3rd party doing that work anyway. The courts and the insurance companies love it.

But Microsoft will not do it, because they cannot... The compliance rule set includes limited estate ownership. That ownership means Microsoft has to stay out of your chunk of their space you're renting to a large degree. Much like how a landlord cannot just come into your apartment without notice.

That isn't to say they do not ever make sweeping changes. They're doing the Security Defaults push if you don't have any Conditional Access policy update right now, that started in May. So they do update things when they're huge, but they have to give months of notice, and it breaks stuff... and this too gives them bad press. They simply cannot win here.

P.S. The PowerApp integration being cried about in that article you linked? That was actually a sold and advertised feature of Power Automate!

"It's not a bug, it's a feature!" literally applies here.
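The tenant settings argued over in this thread (users registering their own apps, guest-account scope, and the Security Defaults / Conditional Access point above) can be pulled into a periodic audit. The script below is an added example written for this reply, not code from any poster or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK is installed and that the caller can read tenant policy. It only reports, it changes nothing.

```powershell
# Read-only audit of the Entra ID settings discussed in the thread.
# Assumes: Microsoft.Graph SDK installed; Policy.Read.All is enough to read these.
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome

$policy = Get-MgPolicyAuthorizationPolicy
$perms  = $policy.DefaultUserRolePermissions

# Guest role IDs as documented for the authorizationPolicy resource
# (assumed to match the current documentation; verify against your tenant).
$guestRoles = @{
    "a0b1b346-4d3e-4e8b-98f8-753987be4970" = "member-level access (weakest)"
    "10dae51f-b6af-4016-8d66-8c2a99b929b3" = "guest user (default)"
    "2af84b1e-32c8-42b7-82bc-daa82404023b" = "restricted guest (tightest)"
}

$findings = @()

# "Install a new app without admin permissions": two separate levers.
if ($perms.AllowedToCreateApps) {
    $findings += "Users can register their own applications (AllowedToCreateApps = true)."
}
if ($perms.PermissionGrantPolicyIdsAssignedToDefaultUserRole.Count -gt 0) {
    $ids = $perms.PermissionGrantPolicyIdsAssignedToDefaultUserRole -join ", "
    $findings += "Users can consent to apps themselves (grant policies: $ids)."
}

# Guest scope: who may invite, and how much of the directory a guest can read.
if ($policy.AllowInvitesFrom -eq "everyone") {
    $findings += "Anyone, including guests, can invite new guests (AllowInvitesFrom = everyone)."
}
$guestLevel = $guestRoles[$policy.GuestUserRoleId]
if (-not $guestLevel) { $guestLevel = "unknown role id $($policy.GuestUserRoleId)" }
if ($policy.GuestUserRoleId -ne "2af84b1e-32c8-42b7-82bc-daa82404023b") {
    $findings += "Guest directory access is '$guestLevel', not restricted guest."
}

# Security Defaults vs. Conditional Access: one of the two should be carrying MFA.
$secDefaults = (Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy).IsEnabled
$caCount     = @(Get-MgIdentityConditionalAccessPolicy).Count
if (-not $secDefaults -and $caCount -eq 0) {
    $findings += "Security Defaults are off and no Conditional Access policies exist."
}

if ($findings.Count -eq 0) { "No findings." } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it on a schedule or from Lighthouse-style tooling and diff the output against the last run; the point is to notice when a default drifts, not to fix anything from inside the script.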
 