
What is the application "Office 365 Management" (AppId 00b41c95-dab0-4487-9791-b9d2c32c80f2) and why is Conditional Access not applied to it?

Tilman Schmidt 0 Reputation points
Nov 7, 2024, 4:22 PM

I am investigating a security incident and I have identified entries in the MS Sentinel SigninLogs table that might be related to the breach with the attributes:

AppDisplayName: Office 365 Management

AppId: 00b41c95-dab0-4487-9791-b9d2c32c80f2

AuthenticationRequirement: singleFactorAuthentication

ConditionalAccessStatus: notApplied

ResultType: 0

We have enabled mandatory multi-factor authentication for all our users via a conditional access policy, and I am very much concerned that there is apparently a way to bypass this.

What is this application "Office 365 Management"?

Why is my conditional access policy not applied to it?

What could an attacker do with it?

Can she just use it to check whether her stolen credentials are working or can she actually do harm beyond that?
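The triage described in the question, as an added example that is not part of the original post and not Microsoft code: it runs the same three-column filter over constructed SigninLogs-style rows, groups the hits by application, and looks for the "do my stolen credentials work?" pattern (a wrong-password failure followed by a single-factor success from the same IP). The rows, user names, IP addresses and timestamps are invented; the application ID is the one quoted in the question, and the comparison app ID is the Office 365 Exchange Online first-party application. The docstring carries the equivalent Sentinel KQL.

```python
"""Triage of Entra ID sign-in rows where MFA was not enforced.

Added example; not code from the question, the answer or Microsoft.
The rows below are constructed to mirror the Sentinel SigninLogs columns
quoted in the question; users, IPs and timestamps are invented.
The equivalent Sentinel hunting query is:

    SigninLogs
    | where ResultType == "0"
    | where AuthenticationRequirement == "singleFactorAuthentication"
    | where ConditionalAccessStatus == "notApplied"
    | summarize SignIns = count(), Users = dcount(UserPrincipalName),
                IPs = make_set(IPAddress) by AppDisplayName, AppId
"""
from collections import defaultdict

O365_MGMT_APPID = "00b41c95-dab0-4487-9791-b9d2c32c80f2"   # from the question
EXO_APPID = "00000002-0000-0ff1-ce00-000000000000"         # Office 365 Exchange Online

# Constructed sample rows (not real telemetry). ResultType "0" is success;
# 50126 is Entra ID's "invalid username or password" error code.
SAMPLE_SIGNINS = [
    {"TimeGenerated": "2024-11-06T08:12:00Z", "UserPrincipalName": "alice@contoso.example",
     "AppDisplayName": "Office 365 Exchange Online", "AppId": EXO_APPID,
     "AuthenticationRequirement": "multiFactorAuthentication",
     "ConditionalAccessStatus": "success", "ResultType": "0", "IPAddress": "198.51.100.20"},
    {"TimeGenerated": "2024-11-06T21:40:00Z", "UserPrincipalName": "bob@contoso.example",
     "AppDisplayName": "Office 365 Management", "AppId": O365_MGMT_APPID,
     "AuthenticationRequirement": "singleFactorAuthentication",
     "ConditionalAccessStatus": "notApplied", "ResultType": "50126", "IPAddress": "203.0.113.10"},
    {"TimeGenerated": "2024-11-06T21:41:00Z", "UserPrincipalName": "bob@contoso.example",
     "AppDisplayName": "Office 365 Management", "AppId": O365_MGMT_APPID,
     "AuthenticationRequirement": "singleFactorAuthentication",
     "ConditionalAccessStatus": "notApplied", "ResultType": "0", "IPAddress": "203.0.113.10"},
    {"TimeGenerated": "2024-11-07T09:05:00Z", "UserPrincipalName": "alice@contoso.example",
     "AppDisplayName": "Office 365 Management", "AppId": O365_MGMT_APPID,
     "AuthenticationRequirement": "singleFactorAuthentication",
     "ConditionalAccessStatus": "notApplied", "ResultType": "0", "IPAddress": "198.51.100.20"},
]


def mfa_not_enforced(row):
    """Successful sign-in that satisfied no MFA-requiring Conditional Access policy."""
    return (str(row["ResultType"]) == "0"
            and row["AuthenticationRequirement"] == "singleFactorAuthentication"
            and row["ConditionalAccessStatus"] == "notApplied")


def summarize_by_app(rows):
    """Group the MFA-less successes by app: count, distinct users, source IPs."""
    summary = defaultdict(lambda: {"SignIns": 0, "Users": set(), "IPs": set()})
    for row in rows:
        if mfa_not_enforced(row):
            key = (row["AppDisplayName"], row["AppId"])
            summary[key]["SignIns"] += 1
            summary[key]["Users"].add(row["UserPrincipalName"])
            summary[key]["IPs"].add(row["IPAddress"])
    return dict(summary)


def credential_validation_pattern(rows):
    """Wrong-password failure followed, from the same IP, by a single-factor
    success for the same user and app: a credential-validation probe."""
    ordered = sorted(rows, key=lambda r: r["TimeGenerated"])   # ISO-8601 sorts lexically
    last_failure = {}
    hits = []
    for row in ordered:
        key = (row["UserPrincipalName"], row["AppId"], row["IPAddress"])
        if str(row["ResultType"]) == "50126":
            last_failure[key] = row["TimeGenerated"]
        elif mfa_not_enforced(row) and key in last_failure:
            hits.append({"user": row["UserPrincipalName"], "app": row["AppDisplayName"],
                         "ip": row["IPAddress"], "failed_at": last_failure[key],
                         "succeeded_at": row["TimeGenerated"]})
    return hits


if __name__ == "__main__":
    for (app, app_id), facts in summarize_by_app(SAMPLE_SIGNINS).items():
        print(f"{app} ({app_id}): {facts['SignIns']} sign-ins, "
              f"{len(facts['Users'])} users, IPs {sorted(facts['IPs'])}")
    for hit in credential_validation_pattern(SAMPLE_SIGNINS):
        print("credential probe:", hit)
```

On the constructed rows only the "Office 365 Management" sign-ins survive the filter, and bob's failure-then-success pair from one IP is flagged; the MFA-protected Exchange Online sign-in is not. Against a real workspace, run the KQL from the docstring over the incident window and feed the exported rows to the same functions.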


1 answer
  1. BANDELA Siri Chandana 235 Reputation points Microsoft Vendor
    Nov 8, 2024, 5:22 PM

    Hi @Tilman Schmidt
    Thank you for posting your query on Microsoft Q&A.

    I understand that you have enabled mandatory multi-factor authentication for all your users via a conditional access policy, but the conditional access policy is not applied to the application "Office 365 Management". Since the authentication requirement is listed as singleFactorAuthentication, it indicates that the app is not enforcing multi-factor authentication (MFA), which suggests a potential gap in your security policies.

    There are several reasons this could happen:

    1. Excluded App: It's possible that your conditional access policies explicitly exclude this application, either because it's been configured as a trusted application or because it requires a different policy. You should check the details of your Conditional Access policies to ensure this app is included.

    2. App Permissions: This application might use a different authentication method or have a different scope, such as relying on legacy authentication protocols or service principal authentication, which wouldn't be subject to user-based conditional access policies.

    If an attacker gains access to the Office 365 Management app using stolen credentials, they could perform several harmful actions:

    1. Credential Checking: The attacker can verify whether their stolen credentials are valid by attempting to log in.

    2. User Management: If they gain sufficient permissions, they could add or remove users, reset passwords, or change user roles, potentially compromising further accounts.

    3. Data Access: Depending on the permissions granted to the app, an attacker could access sensitive organizational data stored within Microsoft 365 services.

    So, to solve the issue, you need to:

    1. Review Conditional Access Policies: Verify that all your conditional access policies are configured to cover administrative apps like Office 365 Management, particularly ensuring that MFA is required for all access to administrative tools.

    2. Check Legacy Authentication: If your organization allows legacy authentication methods (such as Basic Auth), ensure that these are disabled, as they are more susceptible to bypassing MFA.

    Hope this helps. Do let us know if you have any further queries.  

    ------------  

    If this answers your query, do click `Accept Answer` and `Yes` if this answer is helpful.

    Thanks,

    B. Siri Chandana.

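The policy review the answer recommends, as an added example that is neither Microsoft code nor part of the answer: it takes policies in a reduced version of the Microsoft Graph conditionalAccessPolicy shape (state, conditions.users, conditions.applications, conditions.clientAppTypes, grantControls.builtInControls) and reports, for one hypothetical sign-in, whether any enabled policy requires MFA and why each policy did or did not apply. The two policies and the users are constructed; the application exclusion deliberately reproduces the question's "notApplied" entry and says nothing about the asker's real tenant. Locations, device platforms, device state, sign-in risk and group membership are ignored, so a real evaluation can differ from this model. Real policies can be exported with GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies (or Get-MgIdentityConditionalAccessPolicy) and passed to the same functions.

```python
"""Does an MFA Conditional Access policy actually cover a given sign-in?

Added example; not Microsoft code and not from the answer above. Models a
subset of the Graph conditionalAccessPolicy shape and ignores location,
platform, device-state, risk and group conditions.
"""

O365_MGMT_APPID = "00b41c95-dab0-4487-9791-b9d2c32c80f2"   # from the question
EXO_APPID = "00000002-0000-0ff1-ce00-000000000000"         # Office 365 Exchange Online

# Constructed policies. The exclusion in the first one is the kind of gap the
# answer's "Excluded App" reason describes; the second is report-only.
POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {
         "users": {"includeUsers": ["All"], "excludeUsers": ["breakglass@contoso.example"]},
         "applications": {"includeApplications": ["All"],
                          "excludeApplications": [O365_MGMT_APPID]},
         "clientAppTypes": ["all"]},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication", "state": "enabledForReportingButNotEnforced",
     "conditions": {
         "users": {"includeUsers": ["All"], "excludeUsers": []},
         "applications": {"includeApplications": ["All"], "excludeApplications": []},
         "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"builtInControls": ["block"]}},
]


def _in_scope(value, include, exclude):
    """Graph semantics: an explicit exclude always wins; otherwise 'All' or a match includes."""
    if value in exclude:
        return False
    return "All" in include or value in include


def policy_applies(policy, user, app_id, client_app_type):
    """True when user, application and client type all fall inside the policy's conditions."""
    c = policy["conditions"]
    users, apps = c["users"], c["applications"]
    client_types = c.get("clientAppTypes", ["all"])
    return (_in_scope(user, users.get("includeUsers", []), users.get("excludeUsers", []))
            and _in_scope(app_id, apps.get("includeApplications", []),
                          apps.get("excludeApplications", []))
            and ("all" in client_types or client_app_type in client_types))


def evaluate(policies, user, app_id, client_app_type="browser"):
    """Return (mfa_enforced, blocked, reasons) for one hypothetical sign-in."""
    reasons, mfa, blocked = [], False, False
    for p in policies:
        name = p["displayName"]
        if p["state"] != "enabled":
            reasons.append(f"{name}: state={p['state']}, not enforced")
            continue
        if not policy_applies(p, user, app_id, client_app_type):
            c = p["conditions"]
            if app_id in c["applications"].get("excludeApplications", []):
                reasons.append(f"{name}: app {app_id} is explicitly excluded")
            elif user in c["users"].get("excludeUsers", []):
                reasons.append(f"{name}: user {user} is explicitly excluded")
            else:
                reasons.append(f"{name}: out of scope for clientAppType={client_app_type}")
            continue
        controls = p["grantControls"]["builtInControls"]
        mfa = mfa or "mfa" in controls
        blocked = blocked or "block" in controls
    return mfa, blocked, reasons


def apps_excluded_from_mfa(policies):
    """Every application ID carved out of an enabled policy that grants with 'mfa'."""
    return sorted({app for p in policies
                   if p["state"] == "enabled" and "mfa" in p["grantControls"]["builtInControls"]
                   for app in p["conditions"]["applications"].get("excludeApplications", [])})


if __name__ == "__main__":
    for app in (O365_MGMT_APPID, EXO_APPID):
        mfa, blocked, why = evaluate(POLICIES, "alice@contoso.example", app)
        print(f"{app}: mfa={mfa} blocked={blocked}")
        for line in why:
            print("   ", line)
    print("apps excluded from MFA policies:", apps_excluded_from_mfa(POLICIES))
```

With these constructed policies, a sign-in to the excluded application ID gets no MFA requirement and the reason names the exclusion, a sign-in to Exchange Online does, the break-glass user is uncovered everywhere, and the report-only legacy-auth policy blocks nothing even for a legacy client. Running `apps_excluded_from_mfa` over an export of the real policy set is the quickest way to answer the "is this app carved out?" part of the answer's first recommendation.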
