New Permission Addition: Microsoft has introduced a new app-only User.ReadBasic.All permission allowing applications to access basic user information (ID, display name, first and last name, email address, and photo), enhancing security and minimizing data access to just what's necessary.
Addressed Bug Fix: A bug that previously allowed apps with User.ReadBasic.All delegated permission to filter on unauthorized properties has been resolved, tightening control over app permissions and data access.
Error Handling Update: Applications incorrectly using delegated User.ReadBasic.All permission to filter restricted properties will now receive a 403 error message, promoting correct permission usage.
Assessment and Adjustment: Organizations now have the ability to audit apps' permission needs and adjust to User.ReadBasic.All where suitable, potentially improving security protocols and privacy compliance.
Impending Rollout and Action Steps: The rollout will commence in mid-January 2024 and is expected to conclude by the end of January. Organizations may need to update their documentation to prepare for this change.
Microsoft's recent update to Microsoft Entra permissions represents a significant step in bolstering security and governance within Microsoft 365 ecosystems. By creating a distinction between app-only and delegated User.ReadBasic.All permissions, Microsoft ensures that applications consume only the least amount of user data necessary for their functionality, adhering to the principle of least privilege. This change not only reinforces data privacy but also reduces the risk of data breaches, as apps are now more tightly restricted in the user information they can access. With the rollout approaching, it's an ideal time for businesses and administrators within the Microsoft 365 environment to review and adjust their application permissions accordingly, to better align with these updated security measures.
Microsoft Entra, the acclaimed security and access management solution, has made a significant update with the introduction of the Entra App-Only User.ReadBasic.All Permission. Previously, only the delegated version of this permission, allowing access to basic user information like ID and names, was available. Now, following user feedback, Microsoft has unlocked the app-only level of this permission.
This update to Microsoft Entra also includes a critical bug fix that previously allowed apps with delegated permissions to inadvertently filter on unauthorized properties. With the fix in place, apps are now correctly restricted from accessing properties beyond their granted permission scope, enhancing overall security protocols.
Should any apps attempt to filter user properties without the required permissions, they will encounter a 403 error, indicating insufficient privileges. This error enforces proper permission usage and helps administrators enforce security guidelines effectively within their applications.
For administrators managing Microsoft Entra permissions, app-only User.ReadBasic.All provides a more secure and limited access option for applications. Evaluating your applications to determine if they require full access or can operate with basic access is an essential part of maintaining optimal security standards.
The rollout of this update is scheduled to begin in mid-January 2024, with completion expected before the end of January. The seamless implementation by Microsoft ensures minimal disruption to organizations and their operations.
Most organizations will not need to take any action if their applications are already compliant with the data access restrictions of User.ReadBasic.All. However, if applications require more extensive access for filtering operations, the User.Read.All permission must be granted.
To stay ahead, organizations should consider revising their internal documentation to reflect these changes and ensure that all staff are informed of the new permissions available and how they might impact current and future application configurations.
As for organizations, there's no immediate action required unless your apps rely on filtering user properties. If they do, you may need to adjust permissions to User.Read.All to avoid any operational disruptions. Otherwise, applications should operate as normal without any adjustments.
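The assessment step above (which apps can move to app-only User.ReadBasic.All, and which will start receiving 403 after the rollout because they filter on restricted properties) can be scripted. The example below is added here and is not Microsoft code: it takes a constructed inventory of apps with the $select and $filter each sends to /users, extracts the properties the query touches, and classifies the app; the basic property set is assumed from the article's list, and the app inventory is sample data.

```python
import re
from dataclasses import dataclass

# Properties the article lists for User.ReadBasic.All (photo comes from the /photo
# endpoint, so it is not a $select/$filter property). Assumption: this follows the
# article's list; confirm against the Graph permissions reference before a real audit.
BASIC_PROPERTIES = {"id", "displayName", "givenName", "surname", "mail"}

_COMPARISON = re.compile(r"\b([A-Za-z_]\w*)\s+(?:eq|ne|gt|ge|lt|le|in)\b")
_FUNCTION = re.compile(r"\b(?:startswith|endswith|contains)\(\s*([A-Za-z_]\w*)")

def properties_in_filter(filter_expr: str) -> set:
    """Return the user properties an OData $filter expression compares on."""
    return set(_COMPARISON.findall(filter_expr)) | set(_FUNCTION.findall(filter_expr))

def restricted_properties(select: str, filter_expr: str) -> set:
    """Return the properties a query touches that lie outside the basic set."""
    selected = {p.strip() for p in select.split(",") if p.strip()}
    return (selected | properties_in_filter(filter_expr)) - BASIC_PROPERTIES

@dataclass
class AppQuery:
    name: str         # app registration display name
    granted: str      # Graph application permission currently consented
    select: str       # $select the app sends to /users
    filter_expr: str  # $filter the app sends to /users

def assess(app: AppQuery) -> str:
    """Classify an app against the post-rollout behaviour described in the article."""
    extra = restricted_properties(app.select, app.filter_expr)
    if app.granted == "User.ReadBasic.All":
        if extra:
            return f"will receive 403: needs User.Read.All for {sorted(extra)}"
        return "ok: basic properties only"
    if app.granted == "User.Read.All" and not extra:
        return "candidate to downgrade to app-only User.ReadBasic.All"
    return f"keep User.Read.All: uses {sorted(extra)}"

# Constructed sample inventory, not real tenant data.
SAMPLE_APPS = [
    AppQuery("Directory badge printer", "User.Read.All", "id,displayName,mail", ""),
    AppQuery("Sales roster sync", "User.ReadBasic.All", "id,displayName",
             "department eq 'Sales' and accountEnabled eq true"),
    AppQuery("Name lookup bot", "User.ReadBasic.All", "displayName,mail",
             "startswith(displayName,'Al')"),
]

if __name__ == "__main__":
    for app in SAMPLE_APPS:
        print(f"{app.name}: {assess(app)}")
```

In a real audit the inventory would be built from the service principals' app role assignments and the queries the apps actually issue; the classification logic stays the same.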
Lastly, to stay ahead, updating organizational documentation might be necessary to reflect these changes and ensure all procedures align with the new permission structure. We appreciate your attention to this update and encourage you to make the necessary preparations.
Read the full article: Entra App-Only User.ReadBasic.All Permission is now available