What is the application "Office 365 Management" (AppId 00b41c95-dab0-4487-9791-b9d2c32c80f2) and why is Conditional Access not applied to it?

Tilman Schmidt 20

I am investigating a security incident and I have identified entries in the MS Sentinel SigninLogs table that might be related to the breach with the attributes:

AppDisplayName: Office 365 Management

AppId: 00b41c95-dab0-4487-9791-b9d2c32c80f2

AuthenticationRequirement: singleFactorAuthentication

ConditionalAccessStatus: notApplied

ResultType: 0

We have enabled mandatory multi-factor authentication for all our users via conditional access policy, and I am concerned very much that there is apparently a way to bypass this.

What is this application "Office 365 Management"?

Why is my conditional access policy not applied to it?

What could an attacker do with it?

Can she just use it to check whether her stolen credentials are working or can she actually do harm beyond that?

BANDELA Siri Chandana 770 Reputation points Microsoft Vendor

2024-11-08T17:22:29.1633333+00:00

Hi @Tilman Schmidt
Thank you for posting your query on Microsoft Q&A.

I understand that you have enabled mandatory multi-factor authentication for all our users via conditional access policy, but conditional access policy not applied on application "Office 365 Management" Since the authentication requirement is listed as single Factor Authentication, it indicates that the app is not enforcing multi-factor authentication (MFA), which suggests a potential gap in your security policies.

There are several reasons this could happen:

1.Excluded App: It's possible that your conditional access policies explicitly exclude this application, either because it’s been configured as a trusted application or because it requires a different policy. You should check the details of your Conditional Access policies to ensure this app is included.

2.App Permissions: This application might use a different authentication method or have a different scope, such as relying on legacy authentication protocols or service principal authentication, which wouldn't be subject to user-based conditional access policies.

If an attacker gains access to the Office 365 Management app using stolen credentials, they could perform several harmful actions:

1.Credential Checking: The attacker can verify whether their stolen credentials are valid by attempting to log in.

2.User Management: If they gain sufficient permissions, they could add or remove users, reset passwords, or change user roles, potentially compromising further accounts.

3.Data Access: Depending on the permissions granted to the app, an attacker could access sensitive organizational data stored within Microsoft 365 services.

So, to solve issue you need to:

1.Review Conditional Access Policies: Verify that all your conditional access policies are configured to cover administrative apps like Office 365 Management, particularly ensuring that MFA is required for all access to administrative tools.

2.Check Legacy Authentication: If your organization allows legacy authentication methods (such as Basic Auth), ensure that these are disabled, as they are more susceptible to bypassing MFA.

Hope this helps. Do let us know if you have any further queries.

Thanks,

B. Siri Chandana.
BANDELA Siri Chandana 770 Reputation points Microsoft Vendor

2024-11-11T08:45:17.9866667+00:00

Hi @Tilman Schmidt
Just checking in to see if above answer was helpful. If you have any further updates on this issue, please feel free to post back.
BANDELA Siri Chandana 770 Reputation points Microsoft Vendor

2024-11-12T09:11:32.76+00:00

Hi @Tilman Schmidt Just checking in to see if above answer was helpful. If you have any further updates on this issue, please feel free to post back.
Tilman Schmidt 20 Reputation points

2024-11-19T08:23:36.12+00:00

Sorry for the late reply. I regret it didn't solve the problem.

I reviewed my Conditional Access Policies but none of them even mentions an app called "Office 365 Management" or similar. The only app exclusions I could find are for Microsoft Intune Enrollment and Citrix. I can't see how these might apply to an app called "Office 365 Management".

I checked whether legacy auth is allowed. It isn't.

As to app permissions, I do not know how I might check these because I do not even know what this "Office 365 Management" app is, where it comes from and how I might access or review it.
BANDELA Siri Chandana 770 Reputation points Microsoft Vendor

2024-11-19T18:23:23.65+00:00

Hi @Tilman Schmidt

The Office 365 Management App is same as Microsoft graph API provides information about various user, admin, system, and policy actions and events from Office 365 and Microsoft Entra activity logs.

We need more information whether the sign in log is interactive, non-interactive or service principal?

In the same time frame is there any other login in azure portal?

Please send us an email on 'azcommunity@microsoft.com' with Sub - "ATTN: v-bandelas" and following details in the email body: Link to this thread/post we can connect offline and discuss further on this.

Thanks,

B. Siri Chandana.
Tilman Schmidt 20 Reputation points

2024-11-26T16:12:08.04+00:00

I sent you an email as requested, but am answering your questions here for the sake of other readers:

The sign ins are logged in the SigninLogs table with the attribute "IsInteractive: true" and a UPN belonging to a regular user, not a service principal.

I see no other sign-in events with AppDisplayName == "Office 365 Management" on the same day as the events in question, or with the same user at any other time. There are several small bursts of sign-in attempts with that AppDisplayName on other dates and with other users, all of them also sporting ConditionalAccessStatus == "notApplied" but none of them successful.
Tilman Schmidt 20 Reputation points

2024-11-29T09:48:03.7033333+00:00
I researched a bit more in my logs and found two interesting (to me) bits of information:

None of the sign-in events for the "Office 365 Management" app are coming from IP addresses belonging to the owners of the respective accounts. It appears that this app is (at least on our tenant) exclusively used by attackers, never by legitimate users.

There are actually quite a lot of other sign-in events with "ConditionalAccessStatus: notApplied" besides those for "Office 365 Management", including a substantial number of legitimate sign-ins to services which should be, and normally are, subjected to my MFA policies. It seems that Conditional Access is not applied quite as reliably as I had hoped.
Raja Pothuraju 10,040 Reputation points Microsoft Vendor

2024-12-11T20:00:09.96+00:00

Hello @Tilman Schmidt,

Thank you for your time on the call, and I apologize for the delayed response.

I conducted a repro in my demo tenant to identify the sign-in scenarios involving the "Office 365 Management" application. Based on the results in the Microsoft Entra sign-in logs, this application is triggered when a user attempts to log in to the Microsoft 365 Admin app (Mobile Client App) on iOS or Android devices.

It would be helpful if we could review recent logs to analyze the data and understand why the Conditional Access (CA) policy did not apply to the user's sign-in.

Since the "Microsoft 365 Admin" app is a client application, it relies on either the Microsoft Intune or the Microsoft Authenticator broker app to complete the sign-in process on iOS or Android devices. If you have sign-in logs from the last 30 days, I recommend raising a support ticket with the support team to analyze the backend logs in detail and determine the cause of this behavior.

If you do not have a support plan to raise a ticket, please let me know, and I can enable one-time free technical support for this issue.

Thanks,
Raja Pothuraju.
Tilman Schmidt 20 Reputation points

2024-12-16T13:21:54.8966667+00:00

Hello @Raja Pothuraju ,

thanks for your reply and for your effort.

I re-checked my logs and there weren't any successful sign-in events with AppDisplayName == "Office 365 Management" in the last 30 days. There are nine failed sign-in events for that app within the last 30 days coming from nine different IP addresses, none of which appear in any legitimate activity. All of them failed with result 50126 "Invalid username or password or Invalid on-premise username or password." This seems to confirm my theory that this service isn't in legitimate use within my organisation, and all sign-in events I observe for it are attacks.

On the other hand this means I currently do not have a basis for raising a support ticket on this topic. The nine failed events do have "ConditionalAccessStatus: notApplied" but AFAICS that is normal for sign-ins which fail because of an invalid username or password.

Since the attacks seem to continue, I would very much like to understand what the possible impact of a successful breach would be, ie. what an attacker could do after gaining access to that Microsoft 365 Admin app you identified. From the description at https://www.microsoft.com/en-us/microsoft-365/business/manage-office-365-admin-app it looks like it's intended for admins only, so what would an attacker who breached an ordinary non-admin user account be able to achieve with it?

Thanks,
Tilman Schmidt

Accepted answer

Raja Pothuraju 10,040 Reputation points Microsoft Vendor

2024-12-18T20:52:37.2166667+00:00

Hello @Tilman Schmidt,

Thank you for your response.

As you observed, there are no successful sign-in logs for "Office 365 Management" in the last 30 days. However, we noted 9 failed sign-in attempts, with the failure reason being "Invalid username or password" or "Invalid on-premises username or password."

This error indicates that whoever attempted to log in to the application entered an incorrect password. Regarding Conditional Access, you might notice that its status shows as "Not Applied" for these attempts. This is because Conditional Access policies are enforced only after the first factor of authentication is successfully completed. In this scenario, the sign-in attempts failed at the first factor itself, so the Conditional Access policy was not triggered.

If this type of attack were successful, and the user gained access to "Office 365 Management," they would be able to access users, groups, and licenses for all users in the tenant—provided that the user in question has the necessary roles and permissions assigned. However, if the user does not hold any elevated roles, such as Global Administrator, they would not be able to make changes to the tenant.

Thanks,
Raja Pothuraju.
Please sign in to rate this answer.

1 person found this answer helpful.
Raja Pothuraju 10,040 Reputation points Microsoft Vendor

2024-12-20T04:51:50.15+00:00

Hello @Tilman Schmidt,

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

What is the application "Office 365 Management" (AppId 00b41c95-dab0-4487-9791-b9d2c32c80f2) and why is Conditional Access not applied to it?

0 additional answers

Your answer