How to Protect Your Organization After Running PowerPWN
Use powerpwn dump -v <TenantId> with a guest account to find every resource that guest account has access to.
Disclaimer:
Note that guests can gain access to credentials, apps and automations through direct or indirect (group) sharing, not just through the "Everyone" special group.
As a Power Platform administrator, you can also use the following PowerShell scripts. Thank you to Microsoft Security Response Center (MSRC) for providing these scripts.
Edit: these cmdlets are not available yet; use powerpwn instead. We are waiting for an update from MSRC and leave them here for reference.
Find connections shared with the "Everyone" special group:
Get-EveryoneConnections -EnvironmentName <EnvironmentGuid>
# Found 8 connections
# WARNING: Connection: <ConnectionGuid> (shared_sql) in Environment: <EnvironmentGuid> is shared with the whole tenant
Find apps shared with the "Everyone" special group:
Get-EveryoneApps -EnvironmentName <EnvironmentGuid>
# Processing environment <EnvironmentGuid>
# Found 3 apps
# WARNING: App: <AppGuid> (<AppName>) in Environment: <EnvironmentGuid> is shared with the whole tenant
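Since the MSRC cmdlets above are not yet available, the following script is an added example (not part of this page or of the powerpwn project) that reproduces their output using the public Microsoft.PowerApps.Administration.PowerShell module. It assumes you have already authenticated with Add-PowerAppsAccount as a Power Platform administrator, and that a share with the "Everyone" group shows up as a role assignment whose PrincipalType is 'Tenant'; verify that second assumption against the role assignments in your own tenant before relying on the result.

```powershell
# Added example: enumerate apps and connections in one environment that are
# shared with the whole tenant ("Everyone"). Not the project's own code.
# Assumes: Add-PowerAppsAccount has been run; "Everyone" shares appear as
# role assignments with PrincipalType 'Tenant' (verify in your tenant).
param(
    [Parameter(Mandatory = $true)]
    [string]$EnvironmentName
)

Import-Module Microsoft.PowerApps.Administration.PowerShell

$findings = @()

# Apps: a role assignment whose principal is the tenant means the app is shared with Everyone.
$apps = @(Get-AdminPowerApp -EnvironmentName $EnvironmentName)
Write-Host "Processing environment $EnvironmentName"
Write-Host "Found $($apps.Count) apps"
foreach ($app in $apps) {
    $roles = Get-AdminPowerAppRoleAssignment -AppName $app.AppName -EnvironmentName $EnvironmentName
    $everyone = $roles | Where-Object { $_.PrincipalType -eq 'Tenant' }
    if ($everyone) {
        Write-Warning "App: $($app.AppName) ($($app.DisplayName)) in Environment: $EnvironmentName is shared with the whole tenant"
        $findings += [pscustomobject]@{
            Type        = 'App'
            Id          = $app.AppName
            Name        = $app.DisplayName
            Environment = $EnvironmentName
        }
    }
}

# Connections: same check; role assignments are looked up per connector + connection.
$connections = @(Get-AdminPowerAppConnection -EnvironmentName $EnvironmentName)
Write-Host "Found $($connections.Count) connections"
foreach ($conn in $connections) {
    $roles = Get-AdminPowerAppConnectionRoleAssignment `
        -ConnectionName $conn.ConnectionName `
        -ConnectorName $conn.ConnectorName `
        -EnvironmentName $EnvironmentName
    $everyone = $roles | Where-Object { $_.PrincipalType -eq 'Tenant' }
    if ($everyone) {
        Write-Warning "Connection: $($conn.ConnectionName) ($($conn.ConnectorName)) in Environment: $EnvironmentName is shared with the whole tenant"
        $findings += [pscustomobject]@{
            Type        = 'Connection'
            Id          = $conn.ConnectionName
            Name        = $conn.ConnectorName
            Environment = $EnvironmentName
        }
    }
}

# Emit findings as objects so they can be piped to Export-Csv or Format-Table.
$findings
```

Run it once per environment (.\Find-EveryoneShares.ps1 -EnvironmentName <EnvironmentGuid>), or wrap it in a loop over Get-AdminPowerAppEnvironment to cover the whole tenant; the warnings mirror the format of the MSRC cmdlets so existing triage notes still apply, and the returned objects give you a list to work through when removing the Everyone share from each item.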
To remediate, use the following PowerShell script as a Power Platform administrator. Thank you to Microsoft Security Response Center (MSRC) for providing this script as well.
Revoke users' ability to share with the "Everyone" special group:
# Requires the Microsoft.PowerApps.Administration.PowerShell module and an authenticated
# session (Add-PowerAppsAccount). Read the tenant settings, flip the flag, write them back.
$tenantSettings = Get-TenantSettings
$tenantSettings.powerPlatform.powerApps.disableShareWithEveryone = $true
Set-TenantSettings $tenantSettings
Entra ID allows you to restrict who can invite guests and which directory properties those guests can read. We suggest limiting guest invite permissions to administrative roles. Limiting guest access to directory properties does not mitigate the threat vectors that powerpwn illuminates, but it is a sensible hardening step anyway.