Security Groups play a pivotal role in tenant governance across Entra, Power Platform, and SharePoint. They let administrators control who can reach an environment, enforce identity-aware access policies, and keep unauthorized principals out. We identified a gap in that model: Application Users (App Users), the Entra service principal identities that integrations and automations run under, are not subject to Security Group restrictions. The result is a mismatch between the identities administrators believe they have fenced off and the identities that can actually reach the data, which enables unauthorized data access.
Security Groups in Power Platform are designed to control access to environments and the data in them. They sync with Entra ID, so membership can be governed centrally. While a Security Group reliably restricts which licensed users can access an environment, App Users are not evaluated against it: an App User is created directly in the environment and gets its access from the Dataverse security role assigned to it there. An App User whose service principal is not in the Security Group can therefore still read and write Dataverse data through the API, with no elevated permissions beyond that role.

Our research demonstrated this issue in a simulated environment, revealing a Dataverse security gap involving unauthorized API access via Service Principals:
Why This Matters

This access control gap undermines the integrity of Power Platform governance, because administrators rely on Security Groups to enforce identity-aware access policies. App Users bypass those controls, which violates zero-trust assumptions and can expose sensitive data. A practical first check is to list the App Users in each environment and the security roles they hold, since the Security Group tells you nothing about them.
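The gap described above can be checked directly: enumerate the application users in an environment through the Dataverse Web API, pull the environment's Security Group membership from Microsoft Graph, and report each enabled App User with its roles and whether its service principal is even in the group. The script below is an added example, not code from the original post or from Microsoft. It assumes you already hold a Microsoft Graph token and a Dataverse token for the environment (for instance via MSAL), and that you know the environment URL and Security Group id; the sample responses at the bottom are constructed so the script runs offline.

```python
"""Audit Dataverse application users against an environment's Entra Security Group.

Added example (not from the original post). Assumptions: a Graph token, a
Dataverse token, the environment URL and the Security Group id are supplied by
the caller; SAMPLE_* data below is constructed for offline use.
"""
import json
import urllib.request
from typing import Callable, Iterator

GRAPH = "https://graph.microsoft.com/v1.0"
# Roles that give an app user effectively unrestricted access to the environment.
HIGH_PRIVILEGE_ROLES = {"System Administrator", "System Customizer"}

Fetch = Callable[[str, str], dict]


def get_json(url: str, token: str) -> dict:
    """GET an OData endpoint with a bearer token and return the parsed JSON body."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/json",
        "OData-MaxVersion": "4.0",
        "OData-Version": "4.0",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def paged(url: str, token: str, fetch: Fetch = get_json) -> Iterator[dict]:
    """Yield every row of an OData collection, following @odata.nextLink paging."""
    while url:
        body = fetch(url, token)
        yield from body.get("value", [])
        url = body.get("@odata.nextLink")


def group_member_ids(group_id: str, graph_token: str, fetch: Fetch = get_json) -> set:
    """Entra object ids of the group's transitive members (users and service principals)."""
    url = f"{GRAPH}/groups/{group_id}/transitiveMembers?$select=id"
    return {m["id"] for m in paged(url, graph_token, fetch)}


def application_users(env_url: str, dv_token: str, fetch: Fetch = get_json) -> list:
    """systemuser rows that are application users (applicationid set), with their security roles."""
    url = (f"{env_url.rstrip('/')}/api/data/v9.2/systemusers"
           "?$select=fullname,applicationid,azureactivedirectoryobjectid,isdisabled"
           "&$filter=applicationid ne null"
           "&$expand=systemuserroles_association($select=name)")
    return list(paged(url, dv_token, fetch))


def audit(app_users: list, members: set) -> list:
    """One finding per enabled app user. Group membership is reported for visibility only:
    Power Platform does not apply the Security Group filter to app users, so the
    roles column is what actually determines the app user's access."""
    findings = []
    for u in app_users:
        if u.get("isdisabled"):
            continue
        roles = {r["name"] for r in u.get("systemuserroles_association", [])}
        findings.append({
            "name": u.get("fullname"),
            "application_id": u.get("applicationid"),
            "in_security_group": u.get("azureactivedirectoryobjectid") in members,
            "high_privilege_roles": sorted(roles & HIGH_PRIVILEGE_ROLES),
            "roles": sorted(roles),
        })
    return findings


# Constructed sample responses standing in for Graph and Dataverse (not real data).
SAMPLE_GROUP = {"value": [{"id": "11111111-1111-1111-1111-111111111111"}]}
SAMPLE_USERS = {"value": [
    {"fullname": "Contoso Integration", "applicationid": "aaaaaaaa-0000-0000-0000-000000000001",
     "azureactivedirectoryobjectid": "11111111-1111-1111-1111-111111111111", "isdisabled": False,
     "systemuserroles_association": [{"name": "Basic User"}]},
    {"fullname": "Legacy Sync", "applicationid": "aaaaaaaa-0000-0000-0000-000000000002",
     "azureactivedirectoryobjectid": "22222222-2222-2222-2222-222222222222", "isdisabled": False,
     "systemuserroles_association": [{"name": "System Administrator"}]},
    {"fullname": "Retired Bot", "applicationid": "aaaaaaaa-0000-0000-0000-000000000003",
     "azureactivedirectoryobjectid": "33333333-3333-3333-3333-333333333333", "isdisabled": True,
     "systemuserroles_association": [{"name": "System Administrator"}]},
]}


def sample_fetch(url: str, token: str) -> dict:
    """Offline stand-in for get_json that routes by URL to the constructed samples."""
    return SAMPLE_GROUP if url.startswith(GRAPH) else SAMPLE_USERS


def run_sample() -> list:
    """Run the audit end to end against the constructed samples."""
    members = group_member_ids("group-id", "graph-token", fetch=sample_fetch)
    users = application_users("https://org.crm.dynamics.com", "dv-token", fetch=sample_fetch)
    return audit(users, members)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Against a live tenant, replace `sample_fetch` with the default `get_json` and pass real tokens; the Graph call needs permission to read group membership and the Dataverse call needs a principal with read access to the systemuser and role tables. The finding to act on is any enabled App User that holds a high-privilege role, regardless of whether its service principal appears in the Security Group.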
Deeper Dive: The Dataverse Security Design Flaw You Might Be Missing
While Power Platform is built around "Secure by Design" principles, Dataverse, its core data platform, has a blind spot that is easy to miss. Role-Based Access Control (RBAC) governs which tables a security role can create, read, write or delete and at what scope (user, business unit, parent and child business units, or organization), but that table-level control says nothing about individual columns. Unless column-level security is configured for sensitive fields, anyone with read access to a table can read every column in it, so sensitive data can be exposed at the row or field level even with RBAC in place.
Real Risk: Users with limited UI access can still query sensitive records (e.g., customer credit card fields) if API or backend enforcement is misconfigured. Hiding a field on a form or leaving it out of an app is a presentation choice, not a security boundary; the Dataverse Web API returns whatever the caller's security roles and column security profiles allow, regardless of what the UI shows.
Mitigation Tactics:
A Step to Better Governance - Working with Microsoft

After identifying the issue, we flagged it to Microsoft and engaged with them to ensure transparency and remediation. The response was swift and constructive:
Their response highlights a strong commitment to addressing security concerns raised by the community.
What You Can Do Right Now
Power Platform administrators and developers must stay vigilant by implementing enterprise-grade safeguards that cover both human and Service Principal access. In practice that means inventorying the App Users in every environment, reviewing the security roles they hold, and treating Service Principals as governed identities in the same way as users. As Microsoft evolves its platform, organizations should prioritize future-ready environment controls and collaborative security governance across all identity types.
The gap between design intent and real-world enforcement is where security breaches happen. Now is the time to close it - with visibility, alignment, and accountability across your identity and access ecosystem.