A data breach caused by Microsoft Flow

by | Apr 17, 2019 | Data, Security

Protecting only the front door is not enough to prevent a data breach. Preventing data breaches is now at the top of the C-level management agenda. Why? Simple: they need to avoid negative publicity, because that means losing money. For me, as a consultant, this is not a bad situation, because organizations suddenly have a security budget to improve the protection of corporate data. The majority of enterprise organizations started by introducing one or more security products into their IT environments, driven by their own wishes and demands and by government regulations like GDPR.

Supporting enterprise organizations on their journey to a modern way of protecting intellectual property can be challenging. The trick is to find the right balance between security and productivity. For example, organizations require that their employees' devices are compliant before access to resources is granted. Sounds good, doesn't it? Yes, but think of a situation where the corporate application itself is capable of syncing data to other resources outside the control of your organization.

Microsoft bundles a number of security-related components into the Enterprise Mobility + Security (EM+S) suite, such as Intune with MDM and MAM. But there are also applications through which users can expose data via a backdoor! Strange, isn't it? An example of this is Microsoft Flow. One of its capabilities is to copy data to locations outside the control of the organization. Later, I will describe how any user can do this with the default configuration and how to protect against it. First, why would a user use Microsoft Flow to sync their calendar to another e-mail account?

Scenario – the reason(s) why people need to sync their business calendar to another account

Azure Active Directory can use conditional access rules to force users to use a specific application. The security department requires this because they demand full control of company data. They are looking for controls such as erasing data when a device is stolen or when a user leaves the organization.

Microsoft has a solution for both mobile devices (Android and iOS) and Windows 10 workspaces. For mobile devices this feature is MAM (Mobile Application Management); for Windows 10 it is WIP (Windows Information Protection).

Employees want easy access and wish to use their private apps because they like the look and feel better and understand how they work. Secondly, companion devices like smartwatches only work with the native phone functionality, and this includes the calendar.

The “solution” of a couple of users? True story!

A couple of weeks ago we finalized the implementation of an enterprise mobility project, which included features like Mobile Application Management. The goal of the organization was to get more control over the business e-mail account on mobile phones without requiring a full enrollment. Functionally, this means that only one e-mail app (Microsoft Outlook) can be used. In any other application, the employee sees a single e-mail message with instructions to download the Company Portal or Microsoft Authenticator and Microsoft Outlook in order to sync their e-mail account.

The organization had protected the front door. Some employees didn't like the Microsoft Outlook app because it cannot sync the calendar to the native calendar. These employees want to use their smartphones with one application that shows their private and business calendars together. They said this was no longer possible (“not true”) because IT (always blame IT) forced them to use Microsoft Outlook. They found a workaround in Microsoft Flow and built a flow that synced the business calendar to their private e-mail account.

With this workaround, they were happy to work the way they used to. The downside for the organization was that it no longer had full control of the data, because this backdoor was not closed.

Feedback is valuable!

There are two different approaches to find out that this is going on. The first is to use a technique that analyzes the behavior of data, such as Microsoft Cloud App Security (MCAS). The second is to ask users for feedback.

In the above situation, the organization opted for the personal approach. They created an open platform for suggestions to improve the deployed solution. Through this platform, one of the users proudly told us about his workaround. We had not realized that a non-technical employee was able to use Flow. We listened to his issue and discussed with him how he could achieve this without breaking the security policies.

How to prevent a data breach through Microsoft Flow

The additional countermeasure we configured was as follows. We closed this backdoor by configuring Flow DLP (data loss prevention) policies. The only applications we allowed are those under the control of the company.

Step 1 – Log in to the Flow admin portal.

Step 2 – Create a DLP policy (DLP for Flow) and choose the option to apply it to all environments.

Step 3 – Create a data group with the allowed applications.

Step 4 – Save the policy.

Example of a flow blocked by the DLP policy: the flow cannot be saved because it violates the company DLP policy.

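How a Flow DLP policy decides whether a flow may be saved, as an added example (this is not code from the original post or from Microsoft). It models the two data groups that the Flow DLP policy editor offers at step 3, "Business data only" and "No business data allowed": every connector not placed in the business group lands in the non-business group, and a single flow may only combine connectors from one group. The policy name, the connector display names used as keys and the sample flows are constructed for this illustration; the first sample flow is the calendar workaround from the post.

```python
"""Model of how a Microsoft Flow DLP policy decides whether a flow can be saved.

Added example, not code from the original post or from Microsoft. It models
the two data groups of a Flow DLP policy: "Business data only" and "No
business data allowed". A connector is either listed in the business group
or, by default, falls in the non-business group, and one flow may only use
connectors from a single group. A flow that mixes the two (for example
Office 365 Outlook to Outlook.com) is rejected, which is the "cannot be
saved" error shown in the post. Policy, connectors and flows are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

BUSINESS = "Business data only"
NON_BUSINESS = "No business data allowed"


@dataclass(frozen=True)
class FlowDlpPolicy:
    name: str
    business_connectors: frozenset[str]  # step 3 in the post: the allowed apps

    def group_of(self, connector: str) -> str:
        """Every connector not explicitly listed falls in the non-business group."""
        return BUSINESS if connector in self.business_connectors else NON_BUSINESS

    def evaluate(self, flow_name: str, connectors: set[str]) -> tuple[bool, str]:
        """Return (allowed, message) for a flow that uses the given connectors."""
        by_group: dict[str, list[str]] = {BUSINESS: [], NON_BUSINESS: []}
        for connector in sorted(connectors):
            by_group[self.group_of(connector)].append(connector)
        # The violation is mixing the groups, not using the non-business group as such.
        if by_group[BUSINESS] and by_group[NON_BUSINESS]:
            return False, (
                f"Flow '{flow_name}' cannot be saved: it uses connectors from the "
                f"'{BUSINESS}' group {by_group[BUSINESS]} together with connectors "
                f"from the '{NON_BUSINESS}' group {by_group[NON_BUSINESS]} "
                f"(policy '{self.name}')."
            )
        return True, f"Flow '{flow_name}' complies with policy '{self.name}'."


# Constructed policy: only Microsoft 365 services may hold company data.
COMPANY_POLICY = FlowDlpPolicy(
    name="Company DLP",
    business_connectors=frozenset({
        "Office 365 Outlook", "Office 365 Users", "SharePoint",
        "OneDrive for Business", "Microsoft Teams",
    }),
)

# Constructed flows. The first one is the workaround described in the post:
# a business calendar synced to a private e-mail account.
SAMPLE_FLOWS: dict[str, set[str]] = {
    "Sync business calendar to private mailbox": {"Office 365 Outlook", "Outlook.com"},
    "Save e-mail attachments to SharePoint": {"Office 365 Outlook", "SharePoint"},
    "Forward tweets to private mailbox": {"Twitter", "Outlook.com"},
}


def audit(policy: FlowDlpPolicy, flows: dict[str, set[str]]) -> dict[str, bool]:
    """Evaluate every flow against the policy and return flow name -> allowed."""
    return {name: policy.evaluate(name, conns)[0] for name, conns in flows.items()}


if __name__ == "__main__":
    for name, connectors in SAMPLE_FLOWS.items():
        allowed, message = COMPANY_POLICY.evaluate(name, connectors)
        print(("ALLOWED " if allowed else "BLOCKED ") + message)
```

The third sample flow is allowed on purpose: the policy does not stop users from automating their personal services, it only stops company data from crossing into them. The model also shows the usual misconfiguration to check for after step 3: a company connector that is left out of the business group silently lands in the non-business group, so an entirely internal flow that combines it with SharePoint or Outlook is blocked as well.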

Protecting the front door is good, but we need to realize that nowadays employees are more IT-capable and able to create workarounds. Technically, it is not possible to close every backdoor, but if we understand how employees prefer to work, we can build an infrastructure that is both secure and productive.
