Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Register now to learn Fabric in free live sessions led by the best Microsoft experts. From Apr 16 to May 9, in English and Spanish.

ed-freeman

Potential AAD B2B security hole?

Submitted by Helper II on ‎10-17-2019 01:56 PM

TL;DR:

I have access to edit and manage content in a workspace in an external tenant, despite the "Allow external guest users to edit and manage content in the organization" admin setting being disabled in that tenant.

 

----

 

I have been assigned direct access to a workspace in the external tenant, and have also inherited access through an AD security group, and in both cases I can access and edit content in that workspace (create reports, dataflows etc).

 

Everything that is said in this link and this link suggests that I should not have access. But I can do everything that is explained in those articles, despite the "Allow external guest users to edit and manage content in the organization" being disabled.

 

I don't understand how this is happening - I am an external guest user, so I shouldn't be able to access and edit content in this workspace, surely? This feels like a huge security hole.

 

Is this expected behaviour? Is there something I'm missing?

 

Ed

Status: New
See more ideas labeled with:
2 Comments (2 New)
Comments
v-yuta-msft
Community Support
Community Support
‎10-18-2019 02:24 AM

@ed-freeman ,

 

Have the power bi service tenant admin input your power bi account in the specific security groups? It should take several minutes to take effect to you. Please check that.

Capture.PNG  

 

Regards,

Jimmy Tao

 

 

ed-freeman
Helper II
Helper II
‎10-19-2019 06:37 AM

Hi @v-yuta-msft,

 

Thanks for your reply, but I think you've misunderstood my message.

 

The "Allow external guest users to edit and manage content in the organization" setting is disabled. It is meant to be disabled, because the company does not want external guests to have access to their Power BI tenant.

 

The problem is that I am able to access the workspace even though I shouldn't be able to (because I am an external user).

 

I am wondering how this is possible.

 

Thank you,

 

Ed

Idea Statuses