{"id":7828,"date":"2025-07-08T14:36:25","date_gmt":"2025-07-08T14:36:25","guid":{"rendered":"http:\/\/localhost\/?p=7828"},"modified":"2025-07-08T14:36:25","modified_gmt":"2025-07-08T14:36:25","slug":"enhancing-microsoft-365-security-by-eliminating-high-privilege-access","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=7828","title":{"rendered":"Enhancing Microsoft 365 security by eliminating high-privilege access"},"content":{"rendered":"<h2>Security Update News<\/h2>\n<h3>Update Information<\/h3>\n<table style=\"width:100%; border-collapse: collapse; margin-bottom: 20px;\">\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Title<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">Enhancing Microsoft 365 security by eliminating high-privilege access<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Update ID<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">MSSECURE:B07EA2A784253F83B53BAD4FD6F2A880<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Type<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">mssecure<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Published<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">2025-07-08T19:00:00<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Last Updated<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">2025-07-08T19:00:00<\/td>\n<\/tr>\n<\/table>\n<h3>Security Impact<\/h3>\n<table style=\"width:100%; border-collapse: collapse; margin-bottom: 20px;\">\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Severity<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd; color: #666666; font-weight: bold;\">NONE<\/td>\n<\/tr>\n<\/table>\n<h3>Update Details<\/h3>\n<div style=\"; padding: 15px; border-left: 4px solid #4CAF50; margin-bottom: 20px;\">\n* * *<\/p>\n<p>_In this blog you will hear directly from Microsoft\u2019s Deputy Chief Information Security Officer (CISO) for Experiences and Devices, Naresh Kannan, about eliminating high-privileged access across all Microsoft 365 applications. This blog is part of an ongoing series where our Deputy CISOs share their thoughts on what is most important in their respective domains. In this series you will get practical advice and forward-looking commentary on where the industry is going, as well as tactics you should start (and stop) deploying, and more._  <\/p>\n<p>Microsoft\u2019s Secure Future Initiative (SFI) brings together every part of Microsoft to strengthen cybersecurity protection across our infrastructure, products and services. As part of the Protect Tenants and Isolate Production Systems pillar, one of the key objectives is to ensure continuous **least privilege enforcement** by eliminating high-privileged access across all Microsoft 365 applications.  <\/p>\n<p>Learn more about the Secure Future Initiative<\/p>\n<p>High-privileged access (HPA) occurs when an application or service obtains broad access to customer content, allowing it to impersonate other users without providing any proof of user context. For example, Applications A and B may have a service-to-service (S2S) relationship to deliver a specific customer scenario. Application A owns and manages customer content in its storage. If Application B can access customer content stored in Application A by calling APIs without a user context, then this is categorized as HPA. <\/p>\n<p>HPA allows for the assumption of any user&#8217;s identity within the service, which can substantially increase the security risk in the event of a service compromise, credential mishandling, or token exposure.  <\/p>\n<p>Given that Microsoft 365 applications interact with one another to deliver rich value and empower critical customer business scenarios, it is crucial for Microsoft to ensure all first-party application interactions involve least privilege access. This is applicable in both where the applications are acting on behalf of a user and services that are not acting on behalf of a user.  <\/p>\n<p>## Microsoft&#8217;s approach to access rights<\/p>\n<p>Eliminating HPA ensures that users and applications have only the necessary access rights. Our strategy within Microsoft\u2019s internal Microsoft 365 environment involved fostering an \u2018assume breach\u2019 mindset, with a focus on the stringent enforcement of new standard authentication protocols. With this approach, we have successfully mitigated more than 1,000 high-privilege application scenarios thus far. Achieving this was a monumental cross-functional effort at Microsoft, engaging more than 200 engineers across the company. <\/p>\n<p>First, we reviewed all existing Microsoft 365 applications and their S2S interactions with all resource providers across the stack. Second, we deprecated legacy authentication protocols that supported HPA patterns. Third, we accelerated the enforcement of new secure authentication protocols to ensure that all S2S interactions operate within the least-privileged scope required to meet the scenarios. <\/p>\n<p>In many cases, this also required re-engineering the existing architecture and platform to ensure that customer scenarios are accommodated with secure, least privilege access. We ensured that Microsoft 365 first-party applications are interacting with customer content only with the least privilege access. For instance, if Application C has a requirement to read data from specific SharePoint sites, it is granted granular \u2018Sites.Selected\u2019 permission rather than \u2018Sites.Read.All\u2019 permission. Finally, we have also implemented standardized monitoring systems to identify and report any high-privilege access within Microsoft 365 applications. <\/p>\n<p>## Microsoft security posture recommendations <\/p>\n<p>To enhance your organization&#8217;s security posture, we recommend leveraging the native capabilities of Microsoft 365 and implementing these four best practices for safeguarding environments and ensuring the principle of the least privilege access to applications.  <\/p>\n<p>##  What is the Microsoft Indentity Platform? <\/p>\n<p>Learn more \u2197<\/p>\n<p>  1. Audit the existing applications that have access to your data\u2014revoke any unused permissions and reduce excessive permissions.  <br \/>  2. Use the Microsoft Entra identity platform\u2019s consent framework to mandate human consent when applications request access to customer content. Utilize delegated permissions in scenarios where an application acts on behalf of a signed-in user. These permissions allow the application to access resources that the user has access to.  <br \/>  3. Develop applications with the principle of least-privilege access in mind, throughout all stages of development.  <br \/>  4. Employ strict audit controls to periodically review all applications and ensure they adhere to the principle of least privilege access.  <\/p>\n<p>## Learn more with Microsoft Security<\/p>\n<p>Read this article to understand how to improve security with the principle of least privilege. <\/p>\n<p>Discover more about the Microsoft Secure Future Initiative<\/p>\n<p>To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. <\/p>\n<p>The post Enhancing Microsoft 365 security by eliminating high-privilege access  appeared first on Microsoft Security Blog.\n<\/p><\/div>\n<p><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/07\/08\/enhancing-microsoft-365-security-by-eliminating-high-privilege-access\/\" target=\"_blank\" style=\"display: inline-block; color: white; padding: 10px 20px; text-decoration: none; border-radius: 4px;\">View Advisory Details<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security Update News Update Information Title Enhancing Microsoft 365 security by eliminating high-privilege access Update ID MSSECURE:B07EA2A784253F83B53BAD4FD6F2A880 Type mssecure Published 2025-07-08T19:00:00 Last Updated 2025-07-08T19:00:00 Security&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,110,13,33,7,11,5],"class_list":["post-7828","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-mssecure","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Enhancing Microsoft 365 security by eliminating high-privilege access - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=7828\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Enhancing Microsoft 365 security by eliminating high-privilege access - zero redgem\" \/>\n<meta property=\"og:description\" content=\"Security Update News Update Information Title Enhancing Microsoft 365 security by eliminating high-privilege access Update ID MSSECURE:B07EA2A784253F83B53BAD4FD6F2A880 Type mssecure Published 2025-07-08T19:00:00 Last Updated 2025-07-08T19:00:00 Security...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=7828\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-07-08T14:36:25+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7828#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7828\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Enhancing Microsoft 365 security by eliminating high-privilege access\",\"datePublished\":\"2025-07-08T14:36:25+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7828\"},\"wordCount\":819,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"mssecure\",\"news\",\"NONE\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=7828#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7828\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7828\",\"name\":\"Enhancing Microsoft 365 security by eliminating high-privilege access - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-07-08T14:36:25+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7828#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=7828\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7828#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Enhancing Microsoft 365 security by eliminating high-privilege access\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Enhancing Microsoft 365 security by eliminating high-privilege access - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=7828","og_locale":"en_US","og_type":"article","og_title":"Enhancing Microsoft 365 security by eliminating high-privilege access - zero redgem","og_description":"Security Update News Update Information Title Enhancing Microsoft 365 security by eliminating high-privilege access Update ID MSSECURE:B07EA2A784253F83B53BAD4FD6F2A880 Type mssecure Published 2025-07-08T19:00:00 Last Updated 2025-07-08T19:00:00 Security...","og_url":"https:\/\/zero.redgem.net\/?p=7828","og_site_name":"zero redgem","article_published_time":"2025-07-08T14:36:25+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=7828#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=7828"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Enhancing Microsoft 365 security by eliminating high-privilege access","datePublished":"2025-07-08T14:36:25+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=7828"},"wordCount":819,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","mssecure","news","NONE","Security","tapic","Vulnerability"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=7828#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=7828","url":"https:\/\/zero.redgem.net\/?p=7828","name":"Enhancing Microsoft 365 security by eliminating high-privilege access - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-07-08T14:36:25+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=7828#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=7828"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=7828#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Enhancing Microsoft 365 security by eliminating high-privilege access"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/7828","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7828"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/7828\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7828"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7828"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7828"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}