Identifying security loop-holes in Power Apps Portals

Written by

Posted on 4 Comments

Recently, Microsoft Power Apps Portals were in the news about the data breach due to missing a configuration in the Portals. Now, to set things straight this was not a hack but a breach due to misconfiguration of the system by the customer. When you use any product; there are several settings and as a configurators you should first give undivided attention towards the security aspect of the product and understand the architecture to minimize such instances.

Identification Process

So, how do you go about analyzing your current Power Apps Portals.

Run Portal Checker

In order to run portal checker, you need to first go to make.powerapps.com and select your portal app; then from the top menu-bar select Settings (as shown in the image below):

This should open a side-panel. Select Administration link which will take you to the Portal administrator page; as shown below.

Look for Run Portal Checker option on the left-hand menu items. Selecting the option should show the Portal Checker page with Run Portal Checker button. Click this button to run the diagnostics on your portal.

Look for Warnings especially when Category states Configuration Issues. If the issue stated is Anonymous access to entity form(s) and entity list(s) then take immediate action to resolve the issue. Expanding the issue will provide you with the list of GUIDs of entity forms & lists which you can look using Portal Management app.

Check Enable Table Permission

Another way of identifying the issues and the quickest way compared to the first one is to do an “Advanced find” in the model-driven app on Entity Form & Entity List as shown below:

🙌 Thanks to Nick Doelman for this tip.

Note: After Portal update, Entity Forms are called Basic Forms & Entity Lists are called Lists.

Check OData Feed

Now the last piece is to identify the OData feed. This may contain some false-positive as some of them maybe exposed on purpose using anonymous web roles for anonymous users.

To check your OData feed, open your browser in incognito/in-private mode and navigate to https://{your portal sub-domain}.powerappsportals.com/_odata

Replace {your portal sub-domain} with you proper sub-domain information..

This will provide you with all the entity lists that have been configured for OData.

Few important links:

This post will be updated as new information is made available through other sources.

For more content subscribe to my blogs and follow me on:

Don’t forget to subscribe to my Power Platform ProDev Newsletter

https://www.getrevue.co/profile/power-maverick

Become one of my sponsors on GitHub

💙 Sponsor

4 comments

  1. Pingback: Identifying security loop-holes in Power Apps Portals - 365 Community
  2. Pingback: Power Apps Portals – Did you remember to lock the door? – ReadyXRM
  3. Pingback: Power Apps Portals – Did you remember to lock the door? - 365 Community
  4. Pingback: Power Apps Portals – Did you remember to lock the door? - Microsoft Dynamics 365 Community

Leave a comment