Learnings from the Microsoft 365 guest accounts vulnerability

6 min read

If you are following news around Cloud Governance or Cloud Security, chances are you have heard what Michael Bargury, CTO at low-code security and governance company Zenity, pointed out in his session at the Black Hat USA 2023 Conference earlier this month.

Microsoft 365 guest accounts can, with a few workarounds and a small dose of malicious energy, activate a Power Apps trial and then gain access to every Power Apps connection available to that account and build their own apps on top of them. In the worst case, this grants access to internal, sensitive, and personal data, resulting in a data breach.

As both Bargury and Brandon Vigliarolo, the author of this The Register article, point out, this vulnerability is a freak accident: a permission set-up blunder for trial licenses on Microsoft's end meets a lack of access management and care on the side of the businesses, and ultimately the end users, who set up Power Apps in the first place.

How to prevent a data breach from happening

While Microsoft is aware of this vulnerability and is currently working on a fix, the root cause of the issue remains: a general lack of understanding, awareness, and training for business users on the possible implications of freely sharing apps across the entire organization, especially since "the entire organization" also includes guest users.

Training your end users is the best way forward here. But it is also the slowest. In the meantime, implementing and enforcing a solid governance plan around Power Apps is the order of the day!

Cloud collaboration governance tools like Rencore Governance ship with a broad set of policies that let you quickly identify, monitor, and fix risky Power Apps, Flows, and much more across the M365 stack. The following Rencore Governance policies help mitigate the current M365 guest accounts vulnerability:

  • Power Apps with organization-wide access
  • Power Apps shared with many users
  • Power Apps guest users can access
  • Power Apps run by guest users
  • Power Apps owned by guest users
  • Flows owned by guest users
  • Flows with organization-wide access
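If you want to run these checks against your tenant by hand before (or alongside) a governance tool, the admin cmdlets give you most of the raw data. The following PowerShell is an added example written for this article; it is not Rencore's or Microsoft's code. It assumes the Microsoft.PowerApps.Administration.PowerShell and Microsoft.Graph.Users modules are installed, that the signed-in account is a Power Platform administrator with User.Read.All consent in Microsoft Graph, and that the role-assignment objects expose PrincipalType, PrincipalObjectId, PrincipalEmail and RoleType as they do today (verify on your tenant). It covers five of the seven policies listed above; "shared with many users" is a threshold you can add on the same role-assignment data, and "run by guest users" needs audit-log data the cmdlets do not return.

```powershell
# Added example (not Rencore or Microsoft code): enumerate Power Apps and flows and
# flag the ones that match the guest-related governance policies above.
# Assumptions: admin cmdlet property names (PrincipalType, PrincipalObjectId,
# PrincipalEmail, RoleType, Owner.id) and Entra ID UserType "Guest" for guests.

Import-Module Microsoft.PowerApps.Administration.PowerShell
Import-Module Microsoft.Graph.Users

Add-PowerAppsAccount                       # Power Platform admin sign-in
Connect-MgGraph -Scopes 'User.Read.All'    # needed to read UserType from Entra ID

# Resolve each principal once; guests have UserType = "Guest" in Entra ID.
$userTypeCache = @{}
function Get-PrincipalUserType {
    param([string]$ObjectId)
    if (-not $ObjectId) { return 'Unknown' }
    if (-not $userTypeCache.ContainsKey($ObjectId)) {
        try {
            $u = Get-MgUser -UserId $ObjectId -Property UserType,UserPrincipalName -ErrorAction Stop
            $userTypeCache[$ObjectId] = if ($u.UserType) { $u.UserType } else { 'Member' }
        } catch {
            # Groups, service principals and deleted users do not resolve as users.
            $userTypeCache[$ObjectId] = 'Unknown'
        }
    }
    return $userTypeCache[$ObjectId]
}

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding {
    param($Policy, $Environment, $Kind, $Name, $Detail)
    $findings.Add([pscustomobject]@{
        Policy = $Policy; Environment = $Environment; Type = $Kind; Name = $Name; Detail = $Detail
    })
}

foreach ($env in Get-AdminPowerAppEnvironment) {
    foreach ($app in Get-AdminPowerApp -EnvironmentName $env.EnvironmentName) {
        # Policy: Power Apps owned by guest users
        if ((Get-PrincipalUserType $app.Owner.id) -eq 'Guest') {
            Add-Finding 'Power Apps owned by guest users' $env.DisplayName 'App' $app.DisplayName $app.Owner.email
        }
        $roles = Get-AdminPowerAppRoleAssignment -EnvironmentName $env.EnvironmentName -AppName $app.AppName
        foreach ($r in $roles) {
            # Policy: Power Apps with organization-wide access ("Everyone" shows up as a Tenant principal)
            if ($r.PrincipalType -eq 'Tenant') {
                Add-Finding 'Power Apps with organization-wide access' $env.DisplayName 'App' $app.DisplayName "RoleType=$($r.RoleType)"
            }
            # Policy: Power Apps guest users can access (direct assignments only; group
            # membership is not expanded here, so guests inside shared groups are missed)
            elseif ($r.PrincipalType -eq 'User' -and (Get-PrincipalUserType $r.PrincipalObjectId) -eq 'Guest') {
                Add-Finding 'Power Apps guest users can access' $env.DisplayName 'App' $app.DisplayName "$($r.PrincipalEmail) RoleType=$($r.RoleType)"
            }
        }
    }
    foreach ($flow in Get-AdminFlow -EnvironmentName $env.EnvironmentName) {
        foreach ($o in Get-AdminFlowOwnerRole -EnvironmentName $env.EnvironmentName -FlowName $flow.FlowName) {
            # Policy: Flows with organization-wide access
            if ($o.PrincipalType -eq 'Tenant') {
                Add-Finding 'Flows with organization-wide access' $env.DisplayName 'Flow' $flow.DisplayName "RoleType=$($o.RoleType)"
            }
            # Policy: Flows owned by guest users (CanView entries are run-only users, not owners)
            elseif ($o.PrincipalType -eq 'User' -and $o.RoleType -ne 'CanView' -and (Get-PrincipalUserType $o.PrincipalObjectId) -eq 'Guest') {
                Add-Finding 'Flows owned by guest users' $env.DisplayName 'Flow' $flow.DisplayName "$($o.PrincipalObjectId) RoleType=$($o.RoleType)"
            }
        }
    }
}

$findings | Sort-Object Policy, Environment | Format-Table -AutoSize
$findings | Export-Csv -Path .\guest-access-findings.csv -NoTypeInformation
```

Run it from an elevated admin session and review the CSV; the Tenant-principal rows are the ones that matter most for the trial-license issue, because an app shared with "Everyone" is reachable by any guest who can obtain a Power Apps license, trial or otherwise. Remember that the script only sees direct assignments, so also check the membership of any groups you find on the apps.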


Over to you

Not all violations are malicious, and honest mistakes do happen. As we say in Germany, the road to most data breaches is paved with good intentions (editor's note: this idiom might have been slightly altered to fit the topic). This is why it is all the more important for an organization to provide a solid last line of defence, i.e. a powerful cloud collaboration governance system.

If you want to experience hands-on how Rencore Governance policies help you identify potential risks related to your Power Apps and constantly monitor guest user access to your organization’s Power Apps, you can start a free 30-day trial here. The trial runs on demo data but you can also connect with a real tenant at any time.

If you want to learn more about Rencore Governance’s Compliance and Access Review features, click here.

And finally, if you want to talk to us about an actual challenge with Power Apps Governance, we are always happy to help.
