Office 365 Connector - Authentication of multiple accounts

Thomas Johnson 61 Reputation points
2022-02-04T19:14:58.467+00:00

I want to report a security flaw in the Microsoft Office Authentication when using the Azure Portal.

We had recently had to update all our email account passwords and I have a dozen different Logic Apps in many different region which read different email accounts. Each Logic uses a different Office365 API connector. When I reauthenticated each, it would prompt me, as expected, for the email address and password and update the API setting. But what I found out later is that it didn’t save the email token for the account I just logged into, but the first one I had entered in the session done earlier. So now all the Logic Apps were reading and writing to the first email account, not to the one each was supposed to be. This caused information to be sent to the wrong parties. The "fix" was I had to close my browser in between each re-authentication. Which took a lot longer to do. This is a major flaw in the online designer and authentication. It should always use the login credentials I had just entered, not the “first” one cached when authenticating.

Also when looking at the properties of the API connector, I can’t tell what account it’s connected to. All is shown is the Display name, which is just text entered at the time when the API connector was created, which in my case was the original email account. I have no visibility as to what account the API connector is really authenticated against. So when it saved the wrong account token, I was completely unaware of it until people reported getting the wrong information.

Azure Logic Apps
Azure Logic Apps
An Azure service that automates the access and use of data across clouds without writing code.
2,829 questions
{count} votes