cancel
Showing results for 
Search instead for 
Did you mean: 

Potential AAD B2B security hole?

TL;DR:

I have access to edit and manage content in a workspace in an external tenant, despite the "Allow external guest users to edit and manage content in the organization" admin setting being disabled in that tenant.

 

----

 

I have been assigned direct access to a workspace in the external tenant, and have also inherited access through an AD security group, and in both cases I can access and edit content in that workspace (create reports, dataflows etc).

 

Everything that is said in this link and this link suggests that I should not have access. But I can do everything that is explained in those articles, despite the "Allow external guest users to edit and manage content in the organization" being disabled.

 

I don't understand how this is happening - I am an external guest user, so I shouldn't be able to access and edit content in this workspace, surely? This feels like a huge security hole.

 

Is this expected behaviour? Is there something I'm missing?

 

Ed

Status: New
Comments
Community Support Team

@ed-freeman ,

 

Have the power bi service tenant admin input your power bi account in the specific security groups? It should take several minutes to take effect to you. Please check that.

Capture.PNG  

 

Regards,

Jimmy Tao

 

 

Frequent Visitor

Hi @v-yuta-msft,

 

Thanks for your reply, but I think you've misunderstood my message.

 

The "Allow external guest users to edit and manage content in the organization" setting is disabled. It is meant to be disabled, because the company does not want external guests to have access to their Power BI tenant.

 

The problem is that I am able to access the workspace even though I shouldn't be able to (because I am an external user).

 

I am wondering how this is possible.

 

Thank you,

 

Ed