Microsoft misconfigurations expose millions of records globally

Posted on Monday, November 18, 2024 by AUSTIN HARRIS, Global Sales

In September 2024, significant data exposure was discovered within Microsoft Power Pages, a low-code SaaS platform, due to misconfigured access controls. The exposure, which potentially affected millions of individuals, highlights the risks associated with excessive permissions granted to the platform's "Anonymous" and "Authenticated" user roles. When these roles are given improper access to sensitive data, such as personally identifiable information (PII), it can result in widespread leaks. This is particularly troubling given that organizations often use Power Pages for building externally-facing websites, which can inadvertently make private data accessible to the public.

Power Pages is built on Microsoft’s Power Platform and enables users to create websites with minimal coding. The platform integrates tightly with Microsoft’s Dataverse, providing an easy method for organizations to manage and display data. Power Pages also uses a role-based access control (RBAC) model, which is designed to manage who can view or edit various types of data. However, when these access controls are mismanaged, even public-facing websites can expose sensitive data. One of the primary concerns raised by this exposure is the tendency of organizations to grant too many permissions to user roles, particularly those associated with external users, such as "Anonymous Users" and "Authenticated Users."

In one of the most alarming findings, over 1.1 million records from NHS employees were exposed due to misconfigurations in a shared business service provider’s Power Pages site. The data included sensitive details such as full names, email addresses, phone numbers, and home addresses. The breach was discovered through authorized testing and was quickly reported and resolved.

The underlying cause of these data exposures stems from the over-permissioning of roles. The "Anonymous Users" role is intended for users who have not logged into the site, while the "Authenticated Users" role applies to users who have registered and logged in. However, organizations often mistakenly grant the same level of access to both roles, assuming that "Authenticated Users" are internal, when in fact, they are often external users with the ability to access sensitive information. Furthermore, mismanagement of the Web API, which is used to interact with the data stored in Dataverse, can allow unauthorized users to access records they should not have permission to view.

To address these issues, the original research post emphasizes strict configuration management and monitoring. Organizations must carefully configure their role-based access controls, especially for external users. Administrators should also avoid granting "Global Access" to tables, because that scope lets any user holding the role read every record in the table. For sensitive columns, such as those containing home addresses or phone numbers, column-level security must be applied to restrict unauthorized access. Microsoft offers tools such as column masking, but many organizations fail to set them up properly, increasing the risk of exposure.

The exposure issue also highlights the need for continuous security audits. Organizations should regularly review their Power Pages sites to ensure that misconfigurations do not compromise data integrity. In some cases, organizations may be unaware of the risks posed by certain configurations, especially if they are using custom code or APIs that are not adequately secured.
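The three preceding paragraphs describe one audit: find table permissions that give the external "Anonymous Users" or "Authenticated Users" roles Global-scope read access, and find tables whose Web API is enabled with sensitive columns that are not protected by column-level security. The script below is an added example of such a check written for this page; it is not AppOmni's or Microsoft's tooling. It reads a constructed, in-memory export of a site's table permissions and site settings (the record layout is an assumption), and the Web API site-setting names `Webapi/<table>/enabled` and `Webapi/<table>/fields` are the documented Power Pages settings. A misconfigured sample is shown beside a hardened one.

```python
"""Audit Power Pages web-role table permissions and Web API site settings
for the over-permissioning pattern described above (added example)."""
from dataclasses import dataclass

# Roles that represent external visitors to the site.
EXTERNAL_ROLES = {"Anonymous Users", "Authenticated Users"}
# Columns treated as PII for this check (assumption; tune per tenant).
SENSITIVE_COLUMNS = {"emailaddress1", "telephone1", "address1_line1",
                     "address1_postalcode", "birthdate"}


@dataclass(frozen=True)
class TablePermission:
    table: str            # Dataverse table logical name
    scope: str            # "Global", "Contact", "Account", "Self" or "Parent"
    privileges: frozenset  # e.g. {"Read", "Write"}
    web_roles: frozenset   # web roles the permission is assigned to


@dataclass(frozen=True)
class Finding:
    severity: str
    table: str
    message: str


def parse_webapi_settings(site_settings):
    """Return {table: exposed_columns} for tables whose Web API is enabled.

    'Webapi/<table>/enabled' turns the API on; 'Webapi/<table>/fields' lists
    the exposed columns, with '*' meaning every column (returned as None).
    A table with no 'fields' setting exposes no columns (empty set).
    """
    enabled, fields = {}, {}
    for name, value in site_settings.items():
        parts = name.split("/")
        if len(parts) != 3 or parts[0].lower() != "webapi":
            continue
        _, table, key = parts
        if key.lower() == "enabled":
            enabled[table] = value.strip().lower() == "true"
        elif key.lower() == "fields":
            v = value.strip()
            fields[table] = None if v == "*" else {f.strip() for f in v.split(",") if f.strip()}
    return {t: fields.get(t, set()) for t, on in enabled.items() if on}


def external_read_scopes(permissions, table):
    """Scopes under which an external web role can read records of `table`."""
    return {p.scope for p in permissions
            if p.table == table and "Read" in p.privileges and p.web_roles & EXTERNAL_ROLES}


def audit(permissions, site_settings, secured_columns):
    """Run both checks; secured_columns maps table -> columns with column security."""
    findings = []
    # Check 1: Global-scope read for an external role exposes every record.
    for p in permissions:
        ext = p.web_roles & EXTERNAL_ROLES
        if ext and p.scope == "Global" and "Read" in p.privileges:
            findings.append(Finding("HIGH", p.table,
                f"Global read on '{p.table}' granted to external roles {sorted(ext)}"))
    # Check 2: Web API exposes unsecured sensitive columns to external roles.
    for table, exposed in parse_webapi_settings(site_settings).items():
        scopes = external_read_scopes(permissions, table)
        if not scopes:
            continue  # the Web API honours table permissions; nothing readable externally
        if exposed is None:
            findings.append(Finding("MEDIUM", table,
                f"Web API on '{table}' exposes all columns ('*'); use an explicit field list"))
        exposed_sensitive = SENSITIVE_COLUMNS if exposed is None else exposed & SENSITIVE_COLUMNS
        unprotected = exposed_sensitive - secured_columns.get(table, set())
        # Self-scope reads of one's own record are the intended profile pattern.
        if unprotected and scopes != {"Self"}:
            findings.append(Finding("HIGH" if "Global" in scopes else "MEDIUM", table,
                f"Web API on '{table}' exposes unsecured sensitive columns "
                f"{sorted(unprotected)} under scopes {sorted(scopes)}"))
    return findings


# Constructed misconfigured sample (not data from the incident).
SAMPLE_PERMISSIONS = [
    TablePermission("contact", "Global", frozenset({"Read"}), frozenset({"Authenticated Users"})),
    TablePermission("contact", "Self", frozenset({"Read", "Write"}), frozenset({"Authenticated Users"})),
    TablePermission("cr123_case", "Contact", frozenset({"Read"}), frozenset({"Authenticated Users"})),
]
SAMPLE_SITE_SETTINGS = {
    "Webapi/contact/enabled": "true",
    "Webapi/contact/fields": "*",
    "Webapi/cr123_case/enabled": "true",
    "Webapi/cr123_case/fields": "title,statuscode",
}
SAMPLE_SECURED_COLUMNS = {"contact": {"birthdate"}}

# Constructed hardened sample: Self scope only and an explicit field list.
HARDENED_PERMISSIONS = [
    TablePermission("contact", "Self", frozenset({"Read", "Write"}), frozenset({"Authenticated Users"})),
]
HARDENED_SITE_SETTINGS = {
    "Webapi/contact/enabled": "true",
    "Webapi/contact/fields": "firstname,lastname,emailaddress1",
}

if __name__ == "__main__":
    for label, args in (("misconfigured", (SAMPLE_PERMISSIONS, SAMPLE_SITE_SETTINGS, SAMPLE_SECURED_COLUMNS)),
                        ("hardened", (HARDENED_PERMISSIONS, HARDENED_SITE_SETTINGS, {}))):
        print(f"== {label} ==")
        for f in audit(*args) or [Finding("OK", "-", "no findings")]:
            print(f"[{f.severity}] {f.table}: {f.message}")
```

On the misconfigured sample the audit reports the Global read on `contact`, the wildcard field list, and the four sensitive columns left without column security (`birthdate` is secured and is not reported); the `cr123_case` table passes because its field list contains no PII and its scope is Contact. The hardened sample produces no findings. A real audit would populate the three inputs from the site's Dataverse configuration rather than from inline constants.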

This situation serves as a reminder that even low-code platforms like Power Pages, which are designed to simplify web development, can introduce significant security vulnerabilities if not properly managed. The case also underlines the critical importance of understanding and applying access controls at all levels within a platform, particularly when dealing with sensitive personal data. For organizations using Power Pages, proactive monitoring tools such as the AppOmni Insight for Microsoft 365 products can assist in detecting potential data exposures and guiding corrective actions.

Ultimately, the discovery of these misconfigurations is a wake-up call for organizations relying on low-code platforms to ensure that they are not sacrificing security for convenience. To avoid similar breaches in the future, companies must prioritize proper access control configurations, regularly audit their systems, and stay vigilant against the risk of data exposure.
