{"id":25906,"date":"2025-07-25T07:28:48","date_gmt":"2025-07-25T15:28:48","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2025\/07\/25\/news-19626\/"},"modified":"2025-07-25T07:28:48","modified_gmt":"2025-07-25T15:28:48","slug":"news-19626","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2025\/07\/25\/news-19626\/","title":{"rendered":"Enhancing Microsoft 365 security by eliminating high-privilege access\u00a0"},"content":{"rendered":"<p><strong>Credit to Author: Naresh Kannan| Date: Tue, 08 Jul 2025 19:00:00 +0000<\/strong><\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n<p class=\"wp-block-paragraph\"><em>In this blog you will hear directly from Microsoft\u2019s Deputy Chief Information Security Officer (CISO) for Experiences and Devices, Naresh Kannan, about eliminating high-privileged access across all Microsoft 365 applications. This blog is part of an ongoing series where our Deputy CISOs share their thoughts on what is most important in their respective domains. In this series you will get practical advice and forward-looking commentary on where the industry is going, as well as tactics you should start (and stop) deploying, and more.<\/em>&nbsp;<\/p>\n<p class=\"wp-block-paragraph\">Microsoft\u2019s <a href=\"https:\/\/www.microsoft.com\/microsoft-cloud\/resources\/built-in-security\" target=\"_blank\" rel=\"noreferrer noopener\">Secure Future Initiative<\/a>\u202f(SFI) brings together every part of Microsoft to strengthen cybersecurity protection across our infrastructure, products and services. 
As part of the Protect Tenants and Isolate Production Systems pillar, one of the key objectives is to ensure continuous <strong>least privilege enforcement<\/strong> by eliminating high-privileged access across all Microsoft 365 applications.&nbsp;&nbsp;<\/p>\n<div class=\"wp-block-buttons is-content-justification-center is-layout-flex wp-container-core-buttons-is-layout-14 wp-block-buttons-is-layout-flex\">\n<div class=\"wp-block-button\"><a class=\"wp-block-button__link wp-element-button\" href=\"https:\/\/www.microsoft.com\/trust-center\/security\/secure-future-initiative\" target=\"_blank\" rel=\"noreferrer noopener\">Learn more about the Secure Future Initiative<\/a><\/div>\n<\/p><\/div>\n<p class=\"wp-block-paragraph\">High-privileged access (HPA) occurs when an application or service obtains broad access to customer content, allowing it to impersonate other users without providing any proof of user context. For example, Applications A and B may have a service-to-service (S2S) relationship to deliver a specific customer scenario. Application A owns and manages customer content in its storage. If Application B can access customer content stored in Application A by calling APIs without a user context, then this is categorized as HPA.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">HPA allows for the assumption of any user&#8217;s identity within the service, which can substantially increase the security risk in the event of a service compromise, credential mishandling, or token exposure.\u202f&nbsp;<\/p>\n<p class=\"wp-block-paragraph\">Given that <a href=\"https:\/\/www.microsoft.com\/microsoft-365\/products-apps-services\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft 365 applications<\/a> interact with one another to deliver rich value and empower critical customer business scenarios, it is crucial for Microsoft to ensure all first-party application interactions involve least privilege access. 
This applies both to applications acting on behalf of a user and to services that are not acting on behalf of a user.&nbsp;&nbsp;<\/p>\n<h2 class=\"wp-block-heading\" id=\"microsoft-s-approach-to-access-rights\">Microsoft&#8217;s approach&nbsp;to access rights<\/h2>\n<p class=\"wp-block-paragraph\">Eliminating HPA ensures that users and applications have only the necessary access rights. Our strategy within Microsoft\u2019s internal Microsoft 365 environment involved fostering an \u2018assume breach\u2019 mindset, with a focus on the stringent enforcement of new standard authentication protocols. With this approach, we have successfully mitigated more than 1,000 high-privilege application scenarios thus far. Achieving this was a monumental cross-functional effort at Microsoft, engaging more than 200 engineers across the company.&nbsp;<\/p>\n<p class=\"wp-block-paragraph\">First, we reviewed all existing Microsoft 365 applications and their S2S interactions with all resource providers across the stack. Second, we deprecated legacy authentication protocols that supported HPA patterns. Third, we accelerated the enforcement of new secure authentication protocols to ensure that all S2S interactions operate within the least-privileged scope required to meet the scenarios.&nbsp;<\/p>\n<p class=\"wp-block-paragraph\">In many cases, this also required re-engineering the existing architecture and platform to ensure that customer scenarios are accommodated with secure, least-privilege access. We ensured that Microsoft 365 first-party applications interact with customer content only with least-privilege access. For instance, if Application C has a requirement to read data from specific SharePoint sites, it is granted the granular \u2018Sites.Selected\u2019 permission rather than the \u2018Sites.Read.All\u2019 permission. 
Finally, we implemented standardized monitoring systems to identify and report any high-privilege access within Microsoft 365 applications.&nbsp;<\/p>\n<h2 class=\"wp-block-heading\" id=\"microsoft-security-posture-recommendations\">Microsoft security posture recommendations&nbsp;<\/h2>\n<p class=\"wp-block-paragraph\">To enhance your organization&#8217;s security posture, we recommend leveraging the native capabilities of Microsoft 365 and implementing these four best practices for safeguarding environments and ensuring the principle of least privilege access for applications.&nbsp;&nbsp;<\/p>\n<div class=\"alignright wp-block-bloginabox-theme-kicker\" data-bi-an=\"Kicker Left\">\n<div class=\"kicker\">\n<h2 class=\"kicker__title\">What is the Microsoft Identity Platform?<\/h2>\n<p class=\"kicker__content\"><a href=\"https:\/\/learn.microsoft.com\/entra\/identity-platform\/v2-overview\" class=\"kicker__link\" target=\"_blank\" rel=\"noopener noreferrer\">Learn more \u2197<\/a><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<ol class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Audit the existing applications that have access to your data\u2014revoke any unused permissions and reduce excessive permissions.&nbsp;&nbsp;<\/li>\n<li class=\"wp-block-list-item\">Use the Microsoft Entra identity platform\u2019s consent framework to mandate human consent when applications request access to customer content. Utilize delegated permissions in scenarios where an application acts on behalf of a signed-in user. 
These permissions allow the application to access resources that the user has access to.&nbsp;&nbsp;<\/li>\n<li class=\"wp-block-list-item\">Develop applications with the principle of least-privilege access in mind, throughout all stages of development.&nbsp;&nbsp;<\/li>\n<li class=\"wp-block-list-item\">Employ strict audit controls to periodically review all applications and ensure they adhere to the principle of least privilege access.&nbsp;&nbsp;<\/li>\n<\/ol>\n<h2 class=\"wp-block-heading\" id=\"learn-more-with-microsoft-security\">Learn more&nbsp;with Microsoft Security<\/h2>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/learn.microsoft.com\/entra\/identity-platform\/secure-least-privileged-access\" target=\"_blank\" rel=\"noreferrer noopener\">Read this article<\/a> to understand how to improve security with the principle of least privilege. <\/p>\n<div class=\"wp-block-buttons is-content-justification-center is-layout-flex wp-container-core-buttons-is-layout-15 wp-block-buttons-is-layout-flex\">\n<div class=\"wp-block-button\"><a class=\"wp-block-button__link wp-element-button\" href=\"http:\/\/aka.ms\/SecureFutureInitiative\" target=\"_blank\" rel=\"noreferrer noopener\">Discover more about the Microsoft Secure Future Initiative<\/a><\/div>\n<\/p><\/div>\n<p class=\"wp-block-paragraph\">To learn more about Microsoft Security solutions, visit our\u202f<a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\" target=\"_blank\" rel=\"noreferrer noopener\">website.<\/a>\u202fBookmark the\u202f<a href=\"https:\/\/www.microsoft.com\/security\/blog\/\" target=\"_blank\" rel=\"noreferrer noopener\">Security blog<\/a>\u202fto keep up with our expert coverage on security matters. 
Also, follow us on LinkedIn (<a href=\"https:\/\/www.linkedin.com\/showcase\/microsoft-security\/\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Security<\/a>) and X (<a href=\"https:\/\/twitter.com\/@MSFTSecurity\" target=\"_blank\" rel=\"noreferrer noopener\">@MSFTSecurity<\/a>)\u202ffor the latest news and updates on cybersecurity.&nbsp;<\/p>\n<p>The post <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/07\/08\/enhancing-microsoft-365-security-by-eliminating-high-privilege-access\/\">Enhancing Microsoft 365 security by eliminating high-privilege access\u00a0<\/a> appeared first on <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\">Microsoft Security Blog<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Naresh Kannan| Date: Tue, 08 Jul 2025 19:00:00 +0000<\/strong><\/p>\n<p>\u200bIn this blog you will hear directly from Microsoft\u2019s Deputy Chief Information Security Officer (CISO) for Experiences and Devices, Naresh Kannan, about eliminating high-privileged access across all Microsoft 365 applications. This blog is part of an ongoing series where our Deputy CISOs share their thoughts on what is most important in their respective domains. In this series you will get practical advice and forward-looking commentary on where the industry is going, as well as tactics you should start (and stop) deploying, and more. 
<\/p>\n<p>The post <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/07\/08\/enhancing-microsoft-365-security-by-eliminating-high-privilege-access\/\">Enhancing Microsoft 365 security by eliminating high-privilege access\u00a0<\/a> appeared first on <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\">Microsoft Security Blog<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[],"class_list":["post-25906","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/25906","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=25906"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/25906\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=25906"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=25906"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=25906"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}