Office 365 Message Encryption Portal added by non-admin user - Unplanned Change


I am following up an interesting occurrence in which the 'Office 365 Message Encryption Portal' was integrated into our Azure subscription without any admin doing so. It turns out a standard user's account is associated with this integration; however, this was not planned or expected in any way.

Is there a way I can determine how this took place? The owner of the non-admin user account was in a meeting while this integration took place and has no knowledge about their account being used for this purpose.

Does anyone have any idea what could have caused this integration to happen?

This is concerning on several levels. Here are some details; please let me know if there are any other logs or info I could use to determine what happened.

 

Properties:
'Homepage URL': https://products.office.com/en-us/exchange/office-365-message-encryption
'User Assignment Required': 'No'

Owners: None assigned

Roles and Admins: No accounts assigned to 'App admin', 'Cloud application admin' or 'Reports reader' roles.

Users and groups: User associated with integration with 'Default Access' Role assigned

Self Service Portal is not configured (and 'Allow users to request access to this application?' is toggled off)

SSO, Provisioning and Self-Service are all not enabled nor configured

'Permissions' are not set or configured in any way

Activity > Audit Logs (chronological order):
account initiated and successfully implemented 'Add service principal' for Office 365 Message Encryption Portal
account initiated and successfully implemented 'Add delegated permission grant' for Microsoft Graph, 3ada7267-11d0-4113-99fe-538c9edaeff6
account initiated and successfully implemented 'Add app role assignment granted' for Office 365 Message Encryption Portal
account initiated and successfully implemented 'Consent to Application' for Office 365 Message Encryption Portal

 

 

0 Replies
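
An added example, not part of the original post: a Python check that scans exported directory audit records for the four-activity sequence listed above, initiated by one non-admin account within a short window. The field names follow the Microsoft Graph directoryAudit record shape; the sample records, account names, admin list and five-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Activity names as the post lists them under Activity > Audit Logs.
CHAIN = ("Add service principal", "Add delegated permission grant",
         "Add app role assignment granted", "Consent to Application")
FMT = "%Y-%m-%dT%H:%M:%SZ"
OME = "Office 365 Message Encryption Portal"

def rec(ts, actor, activity, target, result="success"):
    """Build one constructed record using directoryAudit field names."""
    return {"activityDateTime": ts, "activityDisplayName": activity,
            "result": result,
            "initiatedBy": {"user": {"userPrincipalName": actor}},
            "targetResources": [{"displayName": target}]}

SAMPLE = [  # constructed data, not taken from the poster's tenant
    rec("2021-01-01T10:00:01Z", "user@example.com", CHAIN[0], OME),
    rec("2021-01-01T10:00:02Z", "user@example.com", CHAIN[1], "Microsoft Graph"),
    rec("2021-01-01T10:00:02Z", "user@example.com", CHAIN[2], OME),
    rec("2021-01-01T10:00:03Z", "user@example.com", CHAIN[3], OME),
    rec("2021-01-01T11:00:00Z", "admin@example.com", CHAIN[0], "Constructed App"),
    rec("2021-01-01T12:00:00Z", "other@example.com", CHAIN[0], "Constructed App 2"),
    rec("2021-01-01T12:00:01Z", "other@example.com", CHAIN[3],
        "Constructed App 2", "failure"),
]

def actor_of(r):
    # initiatedBy.user is null when an application, not a person, made the change.
    return (r["initiatedBy"].get("user") or {}).get("userPrincipalName")

def find_user_consent_chains(records, admins=(), window=timedelta(minutes=5)):
    """One finding per 'Add service principal' event whose non-admin actor also
    completed the other three CHAIN activities successfully within `window`."""
    ok = [r for r in records
          if r["result"] == "success" and r["activityDisplayName"] in CHAIN]
    when = lambda r: datetime.strptime(r["activityDateTime"], FMT)
    findings = []
    for start in (r for r in ok if r["activityDisplayName"] == CHAIN[0]):
        actor = actor_of(start)
        near = [r for r in ok if actor_of(r) == actor
                and timedelta(0) <= when(r) - when(start) <= window]
        seen = {r["activityDisplayName"] for r in near}
        if actor and actor not in admins and seen == set(CHAIN):
            findings.append({
                "actor": actor, "started": start["activityDateTime"],
                "app": start["targetResources"][0]["displayName"],
                "targets": sorted({r["targetResources"][0]["displayName"]
                                   for r in near})})
    return findings
```

Each finding names the account, the application and the start time, which gives the window to compare against that account's sign-in records.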