Add a Place in Word and security

Question

Add a Place in Word and security

JanSp 156

We use SharePoint Online with a browser interface and two factor authentication (2FA).
To start a session the user has to login, we have setup idle session sign-out.
When our users add SharePoint Online as a Place in Word (desktop) then he has to login only once (with 2FA).
It seems to be there is no session sign-out working here.
So everybody with access to this PC has access to SharePoint documents without the need to login with 2FA.
So a user with Word has found a hole in our security, the user of this PC has a backdoor to access SharePoint Online without 2FA.
This is a high security risk. How should we configure SharePoint Online to require the user has to login with 2FA to get access every session he starts?

Renjie Sun-MSFT 2,861 Reputation points Microsoft Employee

2022-11-14T01:53:06.467+00:00

We are currently looking into this issue and will give you an update as soon as possible.
Thank you for your understanding and support.

1 answer

Your answer

Renjie Sun-MSFT 2,861 Reputation points Microsoft Employee

2022-11-14T01:53:06.467+00:00

We are currently looking into this issue and will give you an update as soon as possible.
Thank you for your understanding and support.

Answer 1

Renjie Sun-MSFT 2,861 Microsoft Employee

Hi @JanSp ,

Thanks for the reply.

From SharePoint sight.
When I open a SharePoint document in a Word application, it requires authentication. If an account that has permissions to this SharePoint site can access it. Otherwise, this account cannot access this document. Only accounts with permissions can be verified the authentication. So, if you want to prevent this account from opening files in the site for a period of time afterwards, you could delete his permission in SharePoint.

From Office sight.
Normally one PC is combined with one user account, so the authentication is not frequently.
Microsoft says that when users authenticate in any of the Microsoft 365 web apps or mobile apps, a session is established. For the duration of the session, users won't need to re-authenticate.

In Word Client, the refresh tokens are valid for 90 days, and with continuous use, they can be valid until revoked.

More information about Session timeouts for Microsoft 365.

As to this issue, it is recommended that user sign out his account before close the document file.

Should you have any questions or concerns, please do feel free to contact me.

Yours sincerely,
Renjie Sun

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

JanSp 156 Reputation points

2022-11-14T08:03:14.307+00:00

Hi Renjie Sun,

My question was not about a security issue when the user uses the browser. The access with the browser is secured with 2FA and idle session signout.
The security issue is when the user uses Microsoft Word to get access to SharePoint Online documents by adding a Place.
He only needs to authenticatie himself the first time, after that every user with access to this PC has access to SharePoint Online documents.
By using a browser the user is logged out after the in SharePoint Online configured time of inactivity, this is not the case by using Microsoft Word.
This is a severe security issue.
Renjie Sun-MSFT 2,861 Reputation points Microsoft Employee

2022-11-14T08:31:09.767+00:00

Hi @JanSp ,

Thanks for the reply.

Do you mean the user open a SharePoint document in Microsoft Word app, then his account could access to whole SharePoint Online site?

Could you please try check his account permission in SharePoint site?
Site permissions-> advance permission settings -> check permissions
JanSp 156 Reputation points

2022-11-14T08:42:22.98+00:00

Thanks for your reply,
Yes I mean the user open a SharePoint document with Microsoft Word 365 on a Windows 10 PC.
The user has permissions on specific SharePoint Online sites BUT must of course also authenticate. The problem is not the permission but the authentication.
A Microsoft Word user is never asked to authenticatie himself anymore after he has once done this. This is the security issue.
Renjie Sun-MSFT 2,861 Reputation points Microsoft Employee

2022-11-14T09:06:35.01+00:00

Hi @JanSp ,

Thank you for your clarity explanation on this issue.
I will contact Microsoft Word technical support to work together to try to resolve this issue.

Thank you for your patience and understanding:)
Renjie Sun-MSFT 2,861 Reputation points Microsoft Employee

2022-11-16T08:02:31.13+00:00

Hi @JanSp ,

We have updated the answer, please check.
JanSp 156 Reputation points

2022-11-16T11:30:21.147+00:00

Hi Renjie Sun,

My question is related to the target audience of a web based license product (Microsoft Business Basic, Office 365 E1, Microsoft 365 F3).
These products cannot be used of course without reliable access security.
For authentication 2FA and idle session time out is available for these products and these are good.

But I understand that for a Word desktop client there is a second accesspoint for using these webservices like SharePoint Online with other default settings.
These default settings are not suitable for the webbased products because of the access security leak that arises.
A user can now use any PC with a personal Word desktop app with a personal Microsoft account to login once with his work account to our SharePoint Online service and is not automatic logged out.
These makes the setting of idle session time out for SharePoint Online not effective.

My question is how can I change the settings of the time that the tokens are valid to make sure the user has to login for our SharePoint Online service in a consistent way?
JanSp 156 Reputation points

2022-11-18T12:51:28.147+00:00

Hi Renjie Sun,

I repeat my question/comment I send two days ago:
My question is related to the target audience of a web based license product (Microsoft Business Basic, Office 365 E1, Microsoft 365 F3).
These products cannot be used of course without reliable access security.
For authentication 2FA and idle session time out is available for these products and these are good.

But I understand that for a Word desktop client there is a second accesspoint for using these webservices like SharePoint Online with other default settings.
These default settings are not suitable for the webbased products because of the access security leak that arises.
A user can now use any PC with a personal Word desktop app with a personal Microsoft account to login once with his work account to our SharePoint Online service and is not automatic logged out.
These makes the setting of idle session time out for SharePoint Online not effective.

My question is how can I change the settings of the time that the tokens are valid to make sure the user has to login for our SharePoint Online service in a consistent way?
Wendy Li_MSFT 1,711 Reputation points Moderator

2022-11-22T09:37:05.857+00:00

@JanSp This issue is complex, it is highly recommended to open a ticket from Microsoft, more Professional will assist you on this issue.
JanSp 156 Reputation points

2022-11-22T15:35:44.247+00:00

Thanks, I have opened a ticket and wil report the results.
Wendy Li_MSFT 1,711 Reputation points Moderator

2022-11-23T00:55:00.677+00:00

Thanks for your update and welcome to share the results if you get from the ticket. :)
JanSp 156 Reputation points

2022-11-23T15:19:49.807+00:00

We received the following documention control-access-from-unmanaged-devices
we study this document what to do next.
JanSp 156 Reputation points

2022-11-25T06:22:05.07+00:00

With the features described in this document we can limit the permissions of users.
But our problem is NOT that authorized users has to much permissions but that the authentication for local Word app users is NOT suitable for cloud services.
We are stil trying to find a solution with Microsoft.
JanSp 156 Reputation points

2022-12-24T07:18:04.083+00:00

For a cloud-only service, it is very important that there is sufficient certainty about the identity of the user when he logs in for the first time and after he has been inactive for a certain period of time (eg 30 - 60 minutes). Office 365 E1 is intended for this use and offers the features MFA and idle session sign out.
It has been observed that with Office E1 idle session sign out only applies to browser users and not to users using their private desktop Office app. It cannot be prevented that desktop app users will retain their access after the initial sign-in, even after they have been inactive for months, without having to re-identify.
After many sessions and escalation with various Microsoft support groups, the SharePoint Online support group considers this issue to be "by design".
It is recommended to report the deficiency to the feedback portal and use additional Azure AD Premium P1 licenses to close the gap.
In fact, Microsoft support admits that it cannot provide Office E1 with sufficient protection for its intended use. This makes the Microsoft policy "Security by default" not applicable for this product.
We are disappointed with the result of the support request.
It is agreed that I will inform them about any feedback in the Microsoft forum about the support request.

Share via

Add a Place in Word and security

1 answer

Your answer