Is my Office 365 GDPR compliant?

Is my Office 365 GDPR compliant?

In short, no it’s not. In this blog, I’ll tell you three reasons why.

First, I would like to clarify that I do believe that the Office 365 and Azure Active Directory platforms are GDPR compliant. However, your Office 365 tenant is not.

PowerShell

Previously, Microsoft has stated that the MsOnline and AzureAD PowerShell modules require administrative rights. Currently, they state that they are intended for admins, which is more truthful. However, what is not told is that any Office 365 user can connect to AAD with PowerShell.

So, what’s the big deal? Well, accessing AAD with PowerShell gives you read-only access to AAD. This means that you can for instance export all users to an XML file or list all administrators:

# Connect to Azure Ad

Connect-MsolService

# Export all AAD users to xml file

Get-MsolUser | Export-Clixml -Path users.xml

# Get the role id of Global Administrators

$roleid=Get-MsolRole -RoleName "Company Administrator"

# List all Global Administrators

Get-MsolRoleMember -RoleObjectId $roleid.ObjectId
(to install MsOnline module, see this)

Currently, there is no way to prevent regular users to use PowerShell to access AAD.
EDIT: To blog regular users access to PowerShell, see my blog post.

Delegated Administration

Besides the normal admin rights, Microsoft partners can give their users delegated admin role. There are two admin roles: full administration and limited administrations. These are, respectively, equivalent to global admin and password admin roles.

So, when a delegated partner offer is accepted by customer’s global admin, partner organisation’s users having delegated admin roles have access to customer’s tenant. The problem is that customer organisation can see that there is a delegated admin contract, but they do not know who actually has those delegated admin roles. Thus, customers have no way to know who has the global admin level rights to their tenant.

Therefore I strongly suggest removing any delegated admin partner contracts immediately. It is more secure to create separate admin accounts for partners to your tenant.

Identity federation

As I announced last year in my blog post, there is a serious implementation flaw in AAD identity federation. In short, the flaw allows rogue administrators to impersonate any user in their Office 365. This includes external users and users having the initial onmicrosoft.com domain name.

Currently, there is no way to prevent this either. However, I strongly suggest removing any unnecessary global admin rights to minimize the risk of exploitation.

Summary

GDPR sets many requirements for organisations regarding handling personal data. For instance, organisations need to be aware of WHO is processing personal data and HOW it is processed. Regular users’ PowerShell access, delegated administration, and the identity federation prevents organisations to be GDPR compliant. And, unfortunately, only the delegated administration can be mitigated.

Acknowledgements

This blog is based on a research paper I co-authored with Tessa Viitanen. Original research paper available here (requires registration).

All the mentioned issues have been reported to Microsoft in November 2017.

Dr Nestori Syynimaa (@DrAzureAD) avatar
About Dr Nestori Syynimaa (@DrAzureAD)
Dr Syynimaa works as Principal Identity Security Researcher at Microsoft Security Research.
Before his security researcher career, Dr Syynimaa worked as a CIO, consultant, trainer, and university lecturer for over 20 years. He is a regular speaker in scientific and professional conferences related to Microsoft 365 and Entra ID (Azure AD) security.

Before joining Microsoft, Dr Syynimaa was Microsoft MVP in security category and Microsoft Most Valuable Security Researcher (MVR).