One of the issues I have observed is that even longstanding Microsoft Partners build SaaS applications that tie into Azure AD through an App Registration requiring application permissions such as Directory.Read.All, Application.Read.All or User.ReadWrite.All. When asked why, they respond with phrases like "this is how it works for all our customers", or they simply cannot answer the question. This is the result of a lack of training, but also of a lack of clear guidance from Microsoft, especially towards its partners. As a consequence, many companies are forced to accept these additional attack vectors and are at the mercy of the service provider's infrastructure security: if the provider is breached, the attackers gain access to the data of dozens, hundreds or even thousands of tenants at once.
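Before arguing with a vendor about why they need these permissions, it helps to know which applications already hold them in your own tenant. The following is an added example, not code from the original post, that uses the Microsoft Graph PowerShell SDK to list every service principal that has been admin-consented to tenant-wide Microsoft Graph application permissions and filters for the ones discussed above. It assumes the Microsoft.Graph.Applications module is installed and that the signed-in account has at least Application.Read.All; the watch list is an assumption you should extend with your own entries.

```powershell
# Added example, not part of the original post. Assumes the Microsoft Graph PowerShell SDK
# (Microsoft.Graph.Applications) and an account holding Application.Read.All or Directory.Read.All.
# Lists service principals that hold tenant-wide Microsoft Graph *application* permissions
# (app role assignments) and flags the ones named in the post.

Connect-MgGraph -Scopes "Application.Read.All"

# The Microsoft Graph resource service principal (well-known appId); its AppRoles
# map the GUIDs stored on each assignment back to readable permission names.
$graphSp  = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleName = @{}
foreach ($role in $graphSp.AppRoles) { $roleName[$role.Id] = $role.Value }

# Assumed watch list: permissions that are tenant-wide by design. Extend as needed.
$watchList = @(
    'Directory.Read.All',
    'Application.Read.All',
    'User.ReadWrite.All',
    'Mail.ReadWrite',
    'Mail.Send'
)

# appRoleAssignedTo on the *resource* SP returns every principal granted one of its app roles,
# i.e. every admin-consented application permission on Microsoft Graph in this tenant.
$findings = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All |
    ForEach-Object {
        [pscustomobject]@{
            Application = $_.PrincipalDisplayName
            PrincipalId = $_.PrincipalId
            Permission  = $roleName[$_.AppRoleId]
            GrantedOn   = $_.CreatedDateTime
        }
    } |
    Where-Object { $_.Permission -in $watchList }

$findings | Sort-Object Application, Permission | Format-Table -AutoSize
```

This only covers application permissions (app role assignments), which are the ones that apply to the whole tenant without any user present. Delegated permissions are recorded separately as OAuth2 permission grants and are not listed here. Every row in the output is an application that can read or write the named data for every user, whether or not anyone at the vendor can explain why.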
Even with more mundane permissions such as Mail.ReadWrite or Mail.Send, an application that holds them as application permissions gets access to every mailbox in the organisation, including classified or highly sensitive information. There is still no simple way of restricting these permissions to individual mailboxes. The existing options (in practice, Exchange Online application access policies) are too complex, lack transparency and are often forgotten as time goes by.
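For completeness, this is what the existing, cumbersome option looks like. The following is an added example, not code from the original post: it creates an Exchange Online application access policy that confines an app registration holding Mail.ReadWrite or Mail.Send application permissions to the members of one mail-enabled security group, then verifies the result. It assumes the ExchangeOnlineManagement module and an Exchange administrator account; the app ID, group address and mailbox addresses are placeholders.

```powershell
# Added example, not part of the original post. Assumes the ExchangeOnlineManagement module
# and an Exchange Online administrator. App ID, group and mailbox addresses are placeholders.
# Restricts an app that holds Mail.* application permissions to a group of mailboxes
# instead of every mailbox in the tenant.

Connect-ExchangeOnline

$appId      = '11111111-2222-3333-4444-555555555555'   # placeholder: Application (client) ID of the app registration
$scopeGroup = 'ticketing-mailboxes@contoso.com'         # placeholder: mail-enabled security group holding the allowed mailboxes

# RestrictAccess: the app can only reach mailboxes that are members of $scopeGroup.
# (DenyAccess would instead block the app from exactly those mailboxes.)
New-ApplicationAccessPolicy -AppId $appId `
    -PolicyScopeGroupId $scopeGroup `
    -AccessRight RestrictAccess `
    -Description "Limit ticketing SaaS to the shared support mailboxes"

# Verify before relying on it: one mailbox that is a member of the group, one that is not.
Test-ApplicationAccessPolicy -Identity 'support@contoso.com' -AppId $appId
Test-ApplicationAccessPolicy -Identity 'ceo@contoso.com'     -AppId $appId

# Inventory: which apps are scoped at all? Any app with Mail.* application permissions
# that does not appear here still has access to every mailbox.
Get-ApplicationAccessPolicy | Format-Table AppId, ScopeName, AccessRight, Description -AutoSize
```

The Test-ApplicationAccessPolicy output should report the group member as granted and the non-member as denied. The caveats illustrate the post's point: the policy lives in Exchange Online, not on the app registration in Azure AD, so nobody reviewing the app's permissions will see it; it only covers application permissions for mail, calendar, contacts and mailbox settings; the scope group must be a mail-enabled security group or distribution group, and membership changes to it silently change what the app can reach; and a new policy can take up to 30 minutes to take effect. Both the group and the policy need to be reviewed whenever the app or its permissions change, which is exactly the kind of maintenance that is forgotten.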
These are challenges that are difficult to solve on the customer side and need to be addressed directly by Microsoft.