Azure Logic Apps
An Azure service that automates the access and use of data across clouds without writing code.
2,839 questions
Office 365 Connector - Authentication of multiple accounts
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 94%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETJ%3C/text%3E%3C/svg%3E)
Thomas Johnson
61
Reputation points
I want to report a security flaw in the Microsoft Office Authentication when using the Azure Portal.
We had recently had to update all our email account passwords and I have a dozen different Logic Apps in many different region which read different email accounts. Each Logic uses a different Office365 API connector. When I reauthenticated each, it would prompt me, as expected, for the email address and password and update the API setting. But what I found out later is that it didn’t save the email token for the account I just logged into, but the first one I had entered in the session done earlier. So now all the Logic Apps were reading and writing to the first email account, not to the one each was supposed to be. This caused information to be sent to the wrong parties. The "fix" was I had to close my browser in between each re-authentication. Which took a lot longer to do. This is a major flaw in the online designer and authentication. It should always use the login credentials I had just entered, not the “first” one cached when authenticating.
Also when looking at the properties of the API connector, I can’t tell what account it’s connected to. All is shown is the Display name, which is just text entered at the time when the API connector was created, which in my case was the original email account. I have no visibility as to what account the API connector is really authenticated against. So when it saved the wrong account token, I was completely unaware of it until people reported getting the wrong information.
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 67%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
Joyce Shen - MSFT 16,641 Reputation points2022-02-07T03:55:52.017+00:00 According to your description above, your issue is more related to azure side, so I will remove the Exchange tag so that engineers in azure will give you prefessional help, thanks for your understanding!
-
MayankBargali-MSFT 68,471 Reputation points2022-02-15T04:37:47.68+00:00 @Thomas Johnson I have tested the scenario at my end and I don't observe the similar behavior as you have observed. I have tried to reauthenticate the multiple office 365 connectors again on the same browser and don't see any issue that only the first credential is used for all the API connections. Only the user with whom I have authenticated against only that user credentials are used for that API.
In case if you are still able to repro the issue at your end then I will suggest you to create a support ticket with us to troubleshoot it further. In case if you don't have the support plan and the issue is reproduced at your end then we can connect offline to troubleshoot it further. -
Thomas Johnson 61 Reputation points
2022-02-15T14:29:09.987+00:00 Thank you.
We recently have setup Duo for two factor Authentication with O365 and Azure. These accounts were setup members of a special group, that didn't need to have 2FA, but the MS prompt, after asking for the email account, did redirect me to the DUO login to authenticate.
-
MayankBargali-MSFT 68,471 Reputation points
2022-02-17T02:38:34.127+00:00 @Thomas Johnson If you still observe the same behavior I will suggest to open a support ticket to validate if the issue is from our end or the DUO end. If you don't have the support plan please let me know.
Sign in to comment