WPNinjas HeaderWPNinjas Header

Issue with Stale externally shared Files Policy in MCAS

Introduction

In a Customer Engagement we faced an issue where people lost access to specific files and the files of Teams Private channels. This post should make you aware of how Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security) handles the governance action “Remove external users” which is probably not how you would expect it.

To tell the story from the beginning let’s go back to July 2021, when we received the request from our customer whether we could analyze how many files in SharePoint and teams are shared with external parties and minimize this number.

Configuration

To make this request, we used Microsoft Defender for Cloud Apps and analyzed the number
of files. We noticed that the customer shared several thousand files with
external parties and those files had not been edited for several months.

To minimize this number, we have activated a file policy from the “Stale externally shared files” template. All files with a Last Modified Date older than 90 days should be affected by this policy.

As a governance action we have defined those external users will be removed.

Findings

After a few months we discovered that users do no longer have access to a specific Teams channel in the environment.

The case was that some users had guest accounts, and this is an external user, however, others had an account from the customer’s domain, and this is considered an internal user. So why did both suddenly no longer have access to the Teams Channel?

We discovered that the member group, in which both types were part of was missing. Our analyses showed that our access problems can be tracked back to the file policy in Microsoft Defender for Cloud Apps.

Each Teams channel has an owner, member, and a visitor group. In this picture you see the
default Groups for a Teams Channel in SharePoint

In this Teams Channel we see the permissions after external Users are removed with the File
Policy. 
We can also see that the inheritance has been interrupted.

Therefore, I followed the same procedure in my personal test environment and was able to determine this incorrect behavior.

Conclusion

With the Microsoft Defender for Cloud Apps File Policy “Stale externally shared files”, access to external users is removed, but it can happen that if an external user is a member of a member group, the entire member group is removed and thus the authorization is removed for all members. If a clean audit log has not been kept, it will also be difficult to understand which access has been removed and thus to restore the original status.

 

I am currently working on this case with Microsoft and will update this article after the ticket has been successfully closed.

Latest posts by Pratheep Sinnathurai (see all)

1 Comment

Cyrille Grenier · November 22, 2021 at 19:32

Nice article Pratheep, nice finding and thanks for sharing.

Just to be sure, when you show default and modified permission groups, it concerns “private” Teams’ channels security as they are linked to a private Sharepoint site (without Azure AD Group), not just a standard one.

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.