Microsoft Cloud Vulnerability for multi-tenant app

Vaibhav-A Mankar 65 Reputation points
2023-06-14T07:44:14.1666667+00:00

Hi Team,

We are using the Java Microsoft Bot Framework SDK for app development. As per Microsoft's documentation, it only supports multi-tenant apps. Our organization has raised a concern about vulnerabilities in multi-tenant apps.

Does a multi-tenant app have any vulnerabilities? If yes, how do we remediate them?

However, we don't have an Azure App Service/Function running in the Azure cloud. Also, we make use of the Microsoft Authentication Library (MSAL) in an app running on our own application server to validate the incoming request token against the configured Azure app credentials.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
  1. Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator
    2023-06-15T10:59:35.6766667+00:00

    Hi @Vaibhav-A Mankar ,

    Thanks for reaching out.

    Multi-tenant applications are designed to be secure and have been widely adopted by many organizations. However, there are potential vulnerabilities that can be exploited if not properly secured.

    One of the main concerns with multi-tenant applications is the possibility of data leakage between tenants. This can occur if the application is not properly designed to prevent one tenant from accessing another tenant's data. To mitigate this risk, it is important to implement proper access controls and isolate the data of each tenant.

    Another potential vulnerability is the possibility of a malicious tenant exploiting a vulnerability in the application to gain access to other tenants' data. To prevent this, if you know the valid tenants in advance, define them as valid token issuers for your token validator.

    using Microsoft.IdentityModel.Tokens;

    // Token validation settings for the bot's incoming-request validator.
    var validationParameters = new TokenValidationParameters
    {
        ValidIssuers = new[] // THIS IS IMPORTANT: only accept tokens from these tenants
        {
            "https://login.microsoftonline.com/tenant1/v2.0",
            "https://login.microsoftonline.com/tenant2/v2.0"
        }
    };
    

    To remediate these vulnerabilities, it is important to follow security best practices when developing and deploying multi-tenant applications. Additionally, it is important to regularly test and audit the application for vulnerabilities and to promptly address any issues that are identified.

    Hope this will help.

    Thanks,

    Shweta


    Please remember to "Accept Answer" if the answer helped you.

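The tenant allow-list that the accepted answer's ValidIssuers setting configures, shown as a library-agnostic added example (this is not code from the thread, from the Bot Framework SDK or from Microsoft.IdentityModel). To run offline with the standard library only it signs tokens with HS256 and a shared secret, whereas a real Microsoft Entra access token is RS256 and its signature is checked against the tenant's published JWKS keys; the tenant IDs, app ID and secret are made up. The weak configuration (no issuer list) and the hardened one (explicit allow-list) are exercised side by side, and the iss/tid consistency check goes one step beyond the snippet in the answer.

```python
"""Added example: validating a multi-tenant v2.0 token against a tenant allow-list.

Assumptions (all constructed for illustration, none from the thread):
  - HS256 with a shared secret stands in for Entra's RS256 + JWKS validation
  - APP_ID, ALLOWED_TENANTS and SECRET are made-up values
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Set

SECRET = b"demo-signing-secret"                  # constructed, not a real key
APP_ID = "11111111-2222-3333-4444-555555555555"  # hypothetical bot app (client) ID
ALLOWED_TENANTS = {                              # hypothetical customer tenant IDs
    "aaaaaaaa-0000-0000-0000-000000000001",
    "aaaaaaaa-0000-0000-0000-000000000002",
}
# The v2.0 issuer for a tenant has the form https://login.microsoftonline.com/{tid}/v2.0
VALID_ISSUERS = {f"https://login.microsoftonline.com/{tid}/v2.0" for tid in ALLOWED_TENANTS}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(tid: str, aud: str = APP_ID, ttl: int = 3600) -> str:
    """Build a signed HS256 JWT the way a tenant's authority would (constructed stand-in)."""
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    claims = {
        "iss": f"https://login.microsoftonline.com/{tid}/v2.0",
        "tid": tid,
        "aud": aud,
        "iat": now,
        "exp": now + ttl,
    }
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def validate_token(token: str, valid_issuers: Optional[Set[str]]) -> dict:
    """Verify signature first, then audience, expiry and (if configured) issuer/tenant.

    valid_issuers=None reproduces the weak multi-tenant setup: any tenant that can
    obtain a token for this app ID is accepted. Raises ValueError on any failure.
    """
    try:
        head_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(head_b64))
    if header.get("alg") != "HS256":             # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{head_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("aud") != APP_ID:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("expired")
    if valid_issuers is not None:
        iss, tid = claims.get("iss"), claims.get("tid")
        if iss not in valid_issuers:
            raise ValueError(f"issuer not allowed: {iss}")
        # iss and tid must name the same tenant; reject a token that disagrees with itself
        if iss != f"https://login.microsoftonline.com/{tid}/v2.0":
            raise ValueError("iss/tid mismatch")
    return claims


def check(token: str, valid_issuers: Optional[Set[str]]) -> Optional[str]:
    """Return None if the token is accepted, otherwise the reason it was rejected."""
    try:
        validate_token(token, valid_issuers)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    rogue = mint_token("bbbbbbbb-0000-0000-0000-000000000009")  # tenant not on the list
    print("no allow-list  :", check(rogue, None))           # None: accepted
    print("with allow-list:", check(rogue, VALID_ISSUERS))  # issuer not allowed: ...
```

Note the order of checks: the signature is verified before any claim is trusted, so an attacker cannot simply rewrite `tid` or `iss` to an allowed tenant; the allow-list then decides which legitimately signed tokens this bot will act on. A production validator should also pin the expected `alg`, as done here, and reject tokens whose `iss` and `tid` disagree.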

1 additional answer

  1. Vaibhav-A Mankar 65 Reputation points
    2023-06-15T11:21:08.5+00:00

    Thanks Shweta.

    Does the Java Microsoft Bot Framework SDK also support tenant validation?

    We are using :

    // Bot app ID, app password and the tenant ID used for channel authentication
    MicrosoftAppCredentials mac = new MicrosoftAppCredentials(APPID, APPPASSWORD, tenantId);
    
