Access Panel allows for potential enumeration attack.

Use Case: We allow particular guest users (having the Guest Inviter role) to invite other B2B guest users using the groups Access Panel. However, we would like to limit what they can see as much as possible, as we deal with multiple B2B tenants. For instance, the tenant guest setting is currently set to "Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)". However, with this setting these guest users cannot add new guests to the groups they own on the Access Panel. As soon as they do, it breaks and throws an error. To work around this, these users were also given the "Directory Readers" role. However, now they can enumerate ALL users in AAD using the Join Group function.

This is too permissive, as it allows these users to enumerate all users in the tenant, including the other B2B guest users, which they should not be able to see.

Problem: The group Access Panel, which can be found here: Access Panel Groups (windowsazure.com), can potentially be exploited to perform an enumeration attack. By design, this allows you to enumerate all groups and their members and email addresses in Azure AD by using the "+Join Group" feature or by adding a new member to a group you own and typing an initial letter, which shows an autocomplete menu with all members having that letter.

Solution:

  1. Add a setting under the Azure AD Groups settings to disable the "Join Group" functionality on the Access Panel
  2. Do not throw an error if the Guest Inviter does not have the Directory Readers role when inviting new users. The behavior should rather be:
    1. When the inviter adds an existing user to another group they own, only enumerate the users that are members of groups the Guest Inviter is owner of for the autocomplete menu.
    2. When adding a new guest user, show the guest invitation menu (as is currently the case)
  3. If complete enumeration is required then the Directory Readers role can be assigned (like we currently did for the workaround)

I hope these changes can be considered, as they have been highlighted a few times already by security experts; see:

Risks of Microsoft Teams and Microsoft 365 Groups | Clément Notin | Blog

Scary Azure AD Tenant Enumeration… Using Regular B2B Guest Accounts – Daniel Chronlund Cloud Tech Bl...

Azure AD Data Exposure to Guests. A common Azure AD configuration issue… | by Marko Buuri | Fraktal

Azure Active Directory Account Enumeration – Liam Cleary [MVP and MCT] (helloitsliam.com)
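
An audit for the workaround described in the post above, as an added example that is not part of the original thread: it flags guest accounts whose tenant-wide Directory Readers assignment widens what the restricted guest setting would otherwise hide. The record shapes follow Microsoft Graph's authorization policy, user and role assignment objects; the function name, sample records and UPNs are constructed for illustration.

```python
"""Added example: find guests whose Directory Readers role widens restricted guest access."""

# Microsoft-documented template IDs for built-in roles and guest access levels.
RESTRICTED_GUEST = "2af84b1e-32c8-444d-8dae-847d47b3d9c0"   # guestUserRoleId, most restrictive
DIRECTORY_READERS = "88d8e3e3-8f55-4a1e-953a-9b9898b8876b"
GUEST_INVITER = "95e79109-95c0-4d8e-aee3-d01accf2d47b"


def audit_guest_readers(policy, users, assignments):
    """Return one finding per guest holding a tenant-wide Directory Readers assignment.

    Only direct role assignments are evaluated; group-based ones are out of scope here.
    """
    held_by = {}  # principalId -> set of (roleDefinitionId, directoryScopeId)
    for a in assignments:
        held_by.setdefault(a["principalId"], set()).add(
            (a["roleDefinitionId"], a.get("directoryScopeId", "/")))
    restricted = policy.get("guestUserRoleId") == RESTRICTED_GUEST
    findings = []
    for user in users:
        if user.get("userType") != "Guest":
            continue  # members read the directory by default; not this finding
        held = held_by.get(user["id"], set())
        if (DIRECTORY_READERS, "/") not in held:
            continue  # no role, or scoped below tenant level
        findings.append({
            "upn": user["userPrincipalName"],
            "also_guest_inviter": any(role == GUEST_INVITER for role, _ in held),
            "overrides_restricted_setting": restricted,
        })
    return sorted(findings, key=lambda f: f["upn"])


# Constructed sample data (hypothetical tenant), shaped like Graph export records.
SAMPLE_POLICY = {"guestUserRoleId": RESTRICTED_GUEST}
SAMPLE_USERS = [
    {"id": "u1", "userPrincipalName": "inviter_a.example#EXT#@contoso.example", "userType": "Guest"},
    {"id": "u2", "userPrincipalName": "inviter_b.example#EXT#@contoso.example", "userType": "Guest"},
    {"id": "u3", "userPrincipalName": "scoped_c.example#EXT#@contoso.example", "userType": "Guest"},
    {"id": "u4", "userPrincipalName": "helpdesk@contoso.example", "userType": "Member"},
]
SAMPLE_ASSIGNMENTS = [
    {"principalId": "u1", "roleDefinitionId": GUEST_INVITER, "directoryScopeId": "/"},
    {"principalId": "u1", "roleDefinitionId": DIRECTORY_READERS, "directoryScopeId": "/"},
    {"principalId": "u2", "roleDefinitionId": GUEST_INVITER, "directoryScopeId": "/"},
    {"principalId": "u3", "roleDefinitionId": DIRECTORY_READERS, "directoryScopeId": "/administrativeUnits/au1"},
    {"principalId": "u4", "roleDefinitionId": DIRECTORY_READERS, "directoryScopeId": "/"},
]

if __name__ == "__main__":
    for finding in audit_guest_readers(SAMPLE_POLICY, SAMPLE_USERS, SAMPLE_ASSIGNMENTS):
        print(finding)
```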


1 Reply
Dear Blrgen,
This is a wonderful suggestion, but I request you to suggest it here - https://feedback.azure.com/d365community/
The Microsoft product team reviews ideas/suggestions made here and responds/takes action too.
Once again, thanks for sharing the information.