Solved

Email gateway - O365 App-only authentication

  • 20 June 2023
  • 9 replies
  • 473 views

Badge

We are going to setup the Service Based Agent for the Email gateway testing with the O365 App-only authentication method. In the requirements the User.Read.All application permission is required (see the link above). This means that info about all users is available.

As we want to conduct test in the production environment this is a security issue and we would  like to know what is the reason for this kind of permission as for the email gateway testing emails are received only in that particular mailbox used for testing. Concerning the proposed limitation of Cymulate to specific mailbox (https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access.) does not solve this issue as it is applicable to the mailbox as such, not to users.

icon

Best answer by Shiraz 21 June 2023, 09:52

View original

9 replies

Userlevel 3
Badge +3

Hi @FMI 

By adding these permissions (User.Read.All), Cymulate will read only the profile details of the specific user you set during installation.

Before the connection will be established, you will get a dialog to authorize Cymulate access this specific profile.

 

Shiraz

Product manager

Cymulate

Hello @Shiraz,

can the configuration be done without user.read.all permissions? Our concern is that this is an application type of permission which can’t be scoped (unlike mail.* permissions), thus we would literarlly provide Cymulate with an ability to read all users in our Azure AD tenant.

Hi @tomas_visek , @FMI 

 

There are two options to configure the 365 integration:

  1. Interactive / DeviceCode – Will allow User.Read permissions for a specific mailbox. In that scenario, you will always need to make sure that the agent is always connected, update the user expired password according to the company policy, reauthenticate in case of token expiration, and more.
  2. AppOnly – Will allow Users.Read.All permissions for all mailboxes in the organization, and this is why we recommend following Microsoft KB Limiting application permissions to specific Exchange Online mailboxes . Once running those two PS commands, you are limiting the App Only permissions to a specific mailbox.
    The main advantage of working in AppOnly mode is not dealing with all the mentioned in the previous section (password and token expiry, connected agent, and more).

 

Shahar Perets,

CISO

Cymulate

Helo Sharad,

the point is that scoping capabilities mentioned as part of point 2 are only applicable for mail persmissions see below mentioned reference. So even if we do apply this limitation, you willbe capable to manipulate selected mailboxes only (those scoped via policy) but still enumarate all users with their details from out environment (via user.read permission) which is not applicable from scoping perspective.

Thus, again, is this permission really needed for option 2 please? We would like to really avoid the situation providing this permission to any vendor.

https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access#supported-permissions-and-additional-resources

 

Thank you

Tomas

Hi Tomas

 

It is our top priority to protect the information of our customers, and this is why we recommend configuring the “Limiting application permissions” KB.

Once configuring the limit, the app can access only the mailboxes associated with the mail-enabled security group.

From the KB:
There are scenarios where administrators may want to limit an app to only specific mailboxes and not all Exchange Online mailboxes in the organization. Administrators can identify the set of mailboxes to permit access by putting them in a mail-enabled security group. Administrators can then limit third-party app access to only that set of mailboxes by creating an application access policy for access to that group.

 

You can test that by:

  1. Create a mailbox called Cymulate Test (or any other name)
  2. Create a mail-enabled security group, and add the mailbox to that group
  3. Follow Cymulate KB configuring AppOnly.
  4. Execute the PS command to limit the App permissions to the security group from section 2
  5. Perform the test.

As you can see in the following screenshot that the app has access only to the first mailbox (share@...), when it tries accessing the other mailboxes, it gets Denied access:
 

 

Thanks,

Shahar.

Thank you Shahar, I’m aware of this, if you would take a look to referred article, this is applicable only for mail.* permissions, not for user.read.all you’ve been reqesting for initial setup as well.

Can you also elaborate

  • why do you need mail.read permissions whilest you’ve been requesting mail.readwrite at the same time (mail.readwrite also do have read permissions, thus mail.read should not be needed)
  • what is the use case of Cymulate for sending an email from within a mailbox you’ve asking for permission on (mail.send permissions)? I understand that you would like to take a look what content has been delivered to the mailbox, why do you also need to send the emails?

Dear Tomas,

 

The user.read.all allows app/users to enumerate other user’s attributes in their organization (Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user) . This behavior is the default permission each user already has, regarding to the app we created, as you can see in the following KB:

https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions

So even if we would not have created an app and were using the Interactive/Device pairing, we would still be able to use the user.read.all function as the signed-in user.

 

Regards,

Shahar Perets

CISO

Cymulate.

Badge

ConcerningTomas’ second question

Thank you Shahar, I’m aware of this, if you would take a look to referred article, this is applicable only for mail.* permissions, not for user.read.all you’ve been reqesting for initial setup as well.

Can you also elaborate

  • why do you need mail.read permissions whilest you’ve been requesting mail.readwrite at the same time (mail.readwrite also do have read permissions, thus mail.read should not be needed)
  • what is the use case of Cymulate for sending an email from within a mailbox you’ve asking for permission on (mail.send permissions)? I understand that you would like to take a look what content has been delivered to the mailbox, why do you also need to send the emails?

I noticed that the Mail.Send permission is relevant for the Data Exfiltration module, which is not used case

Hi FMI,

 

If Data Exfiltration is not tested, you can remove this permission from the app.

 

Best,

Shahar Perets

CISO

Cymulate.

 

Reply