Microsoft 365 app: Microsoft Places - Graph API support for directory objects

🚨 The Signal: Microsoft Places now supports the Microsoft Graph API for managing directory objects. This expands automation capabilities, but it also means any application or service principal granted the relevant Graph permissions can read or change Places directory objects programmatically, so those grants need the same scrutiny as any other directory write path.

The Impact

Security teams and identity admins are affected because Places data is now reachable through a new API path; if the permissions granted on that path are not scoped and monitored, a compromised application, token or over-privileged integration can modify or exfiltrate Places data without touching the admin portal.

  • Identity Admins: Over-provisioned Graph application permissions (ReadWrite where Read would do, or grants to apps that no longer need them) turn a compromised app or token into a tenant-wide write path for Places objects.
  • Security Teams: A new vector for data exfiltration or manipulation of Places data via the API, which will not appear as interactive portal activity and must be detected from sign-in and audit logs instead.
  • Compliance Officers: Requires review of data handling policies for Places data accessed via Graph API.
  • Developers: Must follow secure Graph integration practices (least-privilege scopes, careful token handling, input validation) so that integrations do not become the weak point.

The Action

  1. Review and apply the principle of least privilege to all applications and service principals granted Microsoft Graph API permissions for Microsoft Places: prefer delegated over application permissions where a signed-in user is involved, and Read over ReadWrite wherever the integration only needs to query.
  2. Implement Conditional Access policies for Graph access to Microsoft Places data. For delegated (user-signed-in) access, conditions on device, location and user risk apply; for application-only access by a service principal, use Conditional Access for workload identities (licensed separately), which can restrict a service principal by location and by service principal risk.
  3. Monitor Microsoft Entra ID audit logs for unusual or excessive Graph API activity related to Microsoft Places directory objects, and correlate with service principal sign-in logs so that a burst of changes can be tied to the credential and IP address that performed them.
  4. Establish a process for regular review of applications and service principals with permissions to Microsoft Places via Graph API, removing grants that are unused or broader than the integration requires.
  5. Educate developers on secure Graph API integration practices, including token management and input validation.
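The inventory and monitoring steps above (actions 1, 3 and 4), as an added PowerShell example using the Microsoft Graph PowerShell SDK. This is not code from the original advisory or from Microsoft. It assumes the Places permissions of interest share the prefix "Place." (Place.Read.All is a documented Graph permission; the pattern also catches any newer Places roles your tenant exposes) and that more than 50 add/update/delete audit events from a single principal in 24 hours is worth a review; both are parameters you should tune to your own baseline.

```powershell
<#
Added example, not part of the original advisory: list the service principals holding
Microsoft Graph application permissions for Places, then summarise their recent
directory-audit activity. Requires the Microsoft Graph PowerShell SDK and the scopes below.
Assumptions: Places permissions match $PermissionPattern, and more than $WriteThreshold
add/update/delete events in the lookback window is worth a look.
#>
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications, Microsoft.Graph.Reports
[CmdletBinding()]
param(
    [string]$PermissionPattern = '^Place\.',   # assumption: prefix shared by Places permissions
    [int]$LookbackHours = 24,
    [int]$WriteThreshold = 50                  # assumption: tune to your tenant's baseline
)

Connect-MgGraph -Scopes 'Application.Read.All', 'AuditLog.Read.All' -NoWelcome

# 1. The Microsoft Graph resource service principal (well-known appId below) publishes the
#    app roles, i.e. application permissions. Map the GUIDs of the Places roles to their names.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$placeRoles = @{}
foreach ($role in $graphSp.AppRoles) {
    if ($role.Value -match $PermissionPattern) { $placeRoles[$role.Id] = $role.Value }
}
if ($placeRoles.Count -eq 0) {
    Write-Warning "No Microsoft Graph app roles match '$PermissionPattern'."
    return
}

# 2. appRoleAssignedTo lists every principal granted a role on the Graph resource; keep only
#    the Places roles. Each row is one (service principal, permission) pair.
$inventory = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All |
    Where-Object { $placeRoles.ContainsKey($_.AppRoleId) } |
    ForEach-Object {
        [pscustomobject]@{
            PrincipalId   = $_.PrincipalId
            PrincipalName = $_.PrincipalDisplayName
            Permission    = $placeRoles[$_.AppRoleId]
            GrantedOn     = $_.CreatedDateTime
        }
    }

Write-Host 'Service principals holding Places application permissions:'
$inventory | Sort-Object PrincipalName, Permission | Format-Table -AutoSize

# Least-privilege heuristic: ReadWrite roles deserve an explicit justification on record.
$writeGrants = @($inventory | Where-Object { $_.Permission -match 'ReadWrite' })
if ($writeGrants.Count -gt 0) {
    Write-Host "Review these ReadWrite grants (can the integration live with Read-only?):"
    $writeGrants | Format-Table PrincipalName, Permission, GrantedOn -AutoSize
}

# 3. Directory audit events in the lookback window, attributed to the inventoried principals.
#    The server-side filter is on activityDateTime only; the initiating service principal is
#    matched client-side so the script does not depend on nested-property filter support.
$since  = (Get-Date).ToUniversalTime().AddHours(-$LookbackHours).ToString('yyyy-MM-ddTHH:mm:ssZ')
$events = Get-MgAuditLogDirectoryAudit -Filter "activityDateTime ge $since" -All

$watched = @{}
foreach ($row in $inventory) { $watched[$row.PrincipalId] = $row.PrincipalName }

$summary = $events |
    Where-Object { $_.InitiatedBy.App -and $watched.ContainsKey($_.InitiatedBy.App.ServicePrincipalId) } |
    Group-Object { $_.InitiatedBy.App.ServicePrincipalId } |
    ForEach-Object {
        # Directory audit activity names start with the verb (e.g. "Add ...", "Update ...").
        $writes = @($_.Group | Where-Object { $_.ActivityDisplayName -match '^(Add|Update|Delete|Remove)' })
        $flag = if ($writes.Count -gt $WriteThreshold) { 'REVIEW' } else { '' }
        [pscustomobject]@{
            PrincipalName = $watched[$_.Name]
            TotalEvents   = $_.Count
            WriteEvents   = $writes.Count
            Flag          = $flag
        }
    }

Write-Host "Directory audit activity by Places-permitted principals, last $LookbackHours h:"
$summary | Sort-Object WriteEvents -Descending | Format-Table -AutoSize
```

Run it from an account holding Application.Read.All and AuditLog.Read.All; the output is two tables that can be attached to the periodic review in action 4. Audit logs only record directory-object changes, so a principal that reads Places data heavily will show few or no events here; pair this with the service principal sign-in logs to see read-only access patterns and the IP addresses behind them.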

Domain: Entra · Impact: high · Workload: Entra ID · Essential Eight: Restrict Administrative Privileges, Multi-Factor Authentication · ISM: ISM-0109, ISM-0123, ISM-0140, ISM-0445, ISM-0974, ISM-1173, ISM-1175, ISM-1228, ISM-1380, ISM-1401, ISM-1504, ISM-1505, ISM-1507, ISM-1508, ISM-1509, ISM-1647, ISM-1648, ISM-1650, ISM-1679, ISM-1680, ISM-1681, ISM-1682, ISM-1683, ISM-1686, ISM-1688, ISM-1689, ISM-1815, ISM-1819, ISM-1872, ISM-1873, ISM-1874, ISM-1883, ISM-1892, ISM-1893, ISM-1894, ISM-1897, ISM-1898, ISM-1906, ISM-1907