Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,172 questions
What is the application "Office 365 Management" (AppId 00b41c95-dab0-4487-9791-b9d2c32c80f2) and why is Conditional Access not applied to it?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 33%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETS%3C/text%3E%3C/svg%3E)
Tilman Schmidt
0
Reputation points
I am investigating a security incident and I have identified entries in the MS Sentinel SigninLogs table that might be related to the breach with the attributes:
AppDisplayName: Office 365 Management
AppId: 00b41c95-dab0-4487-9791-b9d2c32c80f2
AuthenticationRequirement: singleFactorAuthentication
ConditionalAccessStatus: notApplied
ResultType: 0
We have enabled mandatory multi-factor authentication for all our users via conditional access policy, and I am concerned very much that there is apparently a way to bypass this.
What is this application "Office 365 Management"?
Why is my conditional access policy not applied to it?
What could an attacker do with it?
Can she just use it to check whether her stolen credentials are working or can she actually do harm beyond that?
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 51%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
BANDELA Siri Chandana 325 Reputation points Microsoft Vendor2024-11-08T17:22:29.1633333+00:00 Hi @Tilman Schmidt
Thank you for posting your query on Microsoft Q&A.I understand that you have enabled mandatory multi-factor authentication for all our users via conditional access policy, but conditional access policy not applied on application "Office 365 Management" Since the authentication requirement is listed as single Factor Authentication, it indicates that the app is not enforcing multi-factor authentication (MFA), which suggests a potential gap in your security policies.
There are several reasons this could happen:
1.Excluded App: It's possible that your conditional access policies explicitly exclude this application, either because it’s been configured as a trusted application or because it requires a different policy. You should check the details of your Conditional Access policies to ensure this app is included.
2.App Permissions: This application might use a different authentication method or have a different scope, such as relying on legacy authentication protocols or service principal authentication, which wouldn't be subject to user-based conditional access policies.
If an attacker gains access to the Office 365 Management app using stolen credentials, they could perform several harmful actions:
1.Credential Checking: The attacker can verify whether their stolen credentials are valid by attempting to log in.
2.User Management: If they gain sufficient permissions, they could add or remove users, reset passwords, or change user roles, potentially compromising further accounts.
3.Data Access: Depending on the permissions granted to the app, an attacker could access sensitive organizational data stored within Microsoft 365 services.
So, to solve issue you need to:
1.Review Conditional Access Policies: Verify that all your conditional access policies are configured to cover administrative apps like Office 365 Management, particularly ensuring that MFA is required for all access to administrative tools.
2.Check Legacy Authentication: If your organization allows legacy authentication methods (such as Basic Auth), ensure that these are disabled, as they are more susceptible to bypassing MFA.
Hope this helps. Do let us know if you have any further queries.
Thanks,
B. Siri Chandana.
-
BANDELA Siri Chandana 325 Reputation points Microsoft Vendor
2024-11-11T08:45:17.9866667+00:00 Hi @Tilman Schmidt
Just checking in to see if above answer was helpful. If you have any further updates on this issue, please feel free to post back. -
BANDELA Siri Chandana 325 Reputation points Microsoft Vendor
2024-11-12T09:11:32.76+00:00 Hi @Tilman Schmidt Just checking in to see if above answer was helpful. If you have any further updates on this issue, please feel free to post back.
-
Tilman Schmidt 0 Reputation points
2024-11-19T08:23:36.12+00:00 Sorry for the late reply. I regret it didn't solve the problem.
I reviewed my Conditional Access Policies but none of them even mentions an app called "Office 365 Management" or similar. The only app exclusions I could find are for Microsoft Intune Enrollment and Citrix. I can't see how these might apply to an app called "Office 365 Management".
I checked whether legacy auth is allowed. It isn't.
As to app permissions, I do not know how I might check these because I do not even know what this "Office 365 Management" app is, where it comes from and how I might access or review it.
-
BANDELA Siri Chandana 325 Reputation points Microsoft Vendor
2024-11-19T18:23:23.65+00:00 Hi @Tilman Schmidt
The Office 365 Management App is same as Microsoft graph API provides information about various user, admin, system, and policy actions and events from Office 365 and Microsoft Entra activity logs.
We need more information whether the sign in log is interactive, non-interactive or service principal?
In the same time frame is there any other login in azure portal?
Please send us an email on 'azcommunity@microsoft.com' with Sub - "ATTN: v-bandelas" and following details in the email body: Link to this thread/post we can connect offline and discuss further on this.
Thanks,
B. Siri Chandana.
Sign in to comment
Sign in to answer