In this blog you will hear directly from Microsoft’s Deputy Chief Information Security Officer (CISO) for Experiences and Devices, Naresh Kannan, about eliminating high-privileged access across all Microsoft 365 applications. This blog is part of an ongoing series where our Deputy CISOs share their thoughts on what is most important in their respective domains. In this series you will get practical advice and forward-looking commentary on where the industry is going, as well as tactics you should start (and stop) deploying, and more.
Microsoft’s Secure Future Initiative (SFI) brings together every part of Microsoft to strengthen cybersecurity protection across our infrastructure, products and services. As part of the Protect Tenants and Isolate Production Systems pillar, one of the key objectives is to ensure continuous least privilege enforcement by eliminating high-privileged access across all Microsoft 365 applications.
High-privileged access (HPA) occurs when an application or service obtains broad access to customer content, allowing it to impersonate other users without providing any proof of user context. For example, Applications A and B may have a service-to-service (S2S) relationship to deliver a specific customer scenario. Application A owns and manages customer content in its storage. If Application B can access customer content stored in Application A by calling APIs without a user context, then this is categorized as HPA.
HPA allows for the assumption of any user’s identity within the service, which can substantially increase the security risk in the event of a service compromise, credential mishandling, or token exposure.
Given that Microsoft 365 applications interact with one another to deliver rich value and empower critical customer business scenarios, it is crucial for Microsoft to ensure all first-party application interactions involve least privilege access. This applies both where an application acts on behalf of a user and where a service acts without a user context.
Microsoft’s approach to access rights
Eliminating HPA ensures that users and applications have only the necessary access rights. Our strategy within Microsoft’s internal Microsoft 365 environment involved fostering an ‘assume breach’ mindset, with a focus on the stringent enforcement of new standard authentication protocols. With this approach, we have successfully mitigated more than 1,000 high-privilege application scenarios thus far. Achieving this was a monumental cross-functional effort at Microsoft, engaging more than 200 engineers across the company.
First, we reviewed all existing Microsoft 365 applications and their S2S interactions with all resource providers across the stack. Second, we deprecated legacy authentication protocols that supported HPA patterns. Third, we accelerated the enforcement of new secure authentication protocols to ensure that all S2S interactions operate within the least-privileged scope required to meet the scenarios.
In many cases, this also required re-engineering the existing architecture and platform to ensure that customer scenarios are accommodated with secure, least privilege access. We ensured that Microsoft 365 first-party applications are interacting with customer content only with the least privilege access. For instance, if Application C has a requirement to read data from specific SharePoint sites, it is granted granular ‘Sites.Selected’ permission rather than ‘Sites.Read.All’ permission. Finally, we have also implemented standardized monitoring systems to identify and report any high-privilege access within Microsoft 365 applications.
Microsoft security posture recommendations
To enhance your organization’s security posture, we recommend leveraging the native capabilities of Microsoft 365 and implementing these four best practices for safeguarding environments and enforcing the principle of least-privilege access for applications.
- Audit the existing applications that have access to your data—revoke any unused permissions and reduce excessive permissions.
- Use the Microsoft Entra identity platform’s consent framework to mandate human consent when applications request access to customer content. Utilize delegated permissions in scenarios where an application acts on behalf of a signed-in user. These permissions allow the application to access resources that the user has access to.
- Develop applications with the principle of least-privilege access in mind, throughout all stages of development.
- Employ strict audit controls to periodically review all applications and ensure they adhere to the principle of least privilege access.
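As an added illustration of the audit step above (this is example code written for this post, not a Microsoft tool), the following script classifies Microsoft Graph-style permission data the way this post does: application permissions that grant broad `.All` access to every user's content without a user context are flagged as high-privileged, granular grants such as `Sites.Selected` are treated as least-privileged, and delegated grants are reported separately because they are bounded by what the signed-in user can already access. The role IDs, application names and grants are constructed sample data, and the JSON shapes follow Graph's `servicePrincipal.appRoles`, `appRoleAssignments` and `oauth2PermissionGrants` resources.

```python
"""Audit application vs. delegated permissions for high-privileged access (HPA).
All input below is constructed sample data, not real tenant data."""

# Constructed appRoles as a resource service principal would expose them
# (Graph shape: id -> {value, allowedMemberTypes}); IDs are placeholders.
RESOURCE_APP_ROLES = {
    "role-sites-read-all": {"value": "Sites.Read.All", "allowedMemberTypes": ["Application"]},
    "role-sites-selected": {"value": "Sites.Selected", "allowedMemberTypes": ["Application"]},
    "role-files-rw-all": {"value": "Files.ReadWrite.All", "allowedMemberTypes": ["Application"]},
}

# Constructed appRoleAssignments: application permissions, i.e. no user context.
APP_ROLE_ASSIGNMENTS = [
    {"principalDisplayName": "Reporting Bot", "appRoleId": "role-sites-read-all"},
    {"principalDisplayName": "Contract Sync", "appRoleId": "role-sites-selected"},
    {"principalDisplayName": "Backup Agent", "appRoleId": "role-files-rw-all"},
]

# Constructed oauth2PermissionGrants: delegated permissions, always on behalf of a user.
OAUTH2_GRANTS = [
    {"clientDisplayName": "Reporting Bot", "consentType": "AllPrincipals",
     "scope": "Sites.Read.All User.Read"},
]


def is_high_privileged(permission: str) -> bool:
    """A tenant-wide '.All' application permission spans every user's content."""
    return permission.endswith(".All")


def suggest_replacement(permission: str) -> str:
    """Granular alternative the post recommends for broad SharePoint access."""
    return "Sites.Selected" if permission.startswith("Sites.") else "scope to specific resources"


def audit(assignments, grants, app_roles):
    """Return {'high_privileged': [...], 'least_privileged': [...], 'delegated': [...]}."""
    report = {"high_privileged": [], "least_privileged": [], "delegated": []}
    for a in assignments:
        perm = app_roles[a["appRoleId"]]["value"]
        entry = {"app": a["principalDisplayName"], "permission": perm}
        if is_high_privileged(perm):
            entry["recommendation"] = f"replace with {suggest_replacement(perm)}"
            report["high_privileged"].append(entry)
        else:
            report["least_privileged"].append(entry)
    for g in grants:  # delegated: access is limited to what the consenting user can reach
        for scope in g["scope"].split():
            report["delegated"].append({"app": g["clientDisplayName"], "permission": scope,
                                        "consentType": g["consentType"]})
    return report
```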
Learn more with Microsoft Security
Read this article to understand how to improve security with the principle of least privilege.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.