Unanswered

Possible vulnerability in granting consent for the Office365Groups connector

(1) Share

Report

Posted on by Hernan Ramirez

Any maker has the ability to use the Office365Groups connector in their applications. If a malicious maker places the script I show in the image, the maker can grant himself permissions to the same groups where the end user is the owner.
I don't see that there is a way to control the use of these connector actions by DLP. Does anyone have any suggestions?
The security department of the company I work for is very concerned because this breaks down any security that the entraID can provide us.
The script shows how in the OnStart of an application, a maker can silently add members deliberately to the groups where the end user is the owner.

Categories:

Connectors

I have the same question (0)

All responses (2)

Answers (0)

ANB 7,221 Super User 2025 Season 2 on at

Like (0)

Report

Possible vulnerability in granting consent for the Office365Groups connector

Hi @Hernan Ramirez, I hope I understood your question correctly:

You can restrict the connectors: Please check:

https://learn.microsoft.com/en-us/power-platform/admin/connector-action-control

Please click Does this answer your question if my post helped you solve your issue. This will help others find it more readily. It also closes the item. If the content was useful in other ways, please consider giving it a Like.

Thanks,
ANB

Was this reply helpful? Yes No
Hernan Ramirez 21 on at

Like (0)

Report

Possible vulnerability in granting consent for the Office365Groups connector

Hi @ANB, thank you very much for answering.

These options are not available for this connector:

Regards,

Hernan

Was this reply helpful? Yes No