This article was created in response to a support issue logged with K2. The content may include typographical errors and may be revised at any time without notice. This article is not considered official documentation for K2 software and is provided "as is" with no warranties.
During a security audit it was noticed that the K2 for SharePoint Online app has write rights in AAD. Is it safe to revoke them, and why are they necessary?
Before You Begin
The K2 app needs directory-wide read access to user profile data so that it can read user information, resolve users in the various pickers, and check users' group memberships. This read permission is required and cannot be revoked.
According to the product documentation, write rights are required only if you use a K2 and AAD integration that actually writes data into AAD. K2 has two service types that integrate with AAD:
1. Azure Active Directory service type. The Azure Active Directory Service Type exposes Azure AD User methods (such as reading and updating user information), Group methods (such as retrieving groups and a user's group memberships) and User-Group operations (such as adding users to groups). The documentation for this service type stipulates: "The K2 for SharePoint application requires Write permissions, configured in Azure Active Directory, in order for the Create and Update methods to function correctly when using the Azure Active Directory wizards in a workflow." So if you do not use K2 to create or update users, groups or group memberships, you do not need write permissions for this service type.
2. Azure Active Directory Management (Read/Write to AAD) service type. When you integrate K2 Five with SharePoint Online, you must consent to the permissions requested by the K2 for Office 365 app. In addition to the SharePoint Online permissions, this app also requests read-only permissions to your Azure Active Directory (AAD). This permission, together with the SharePoint permissions, allows solutions to read data from AAD and to read and write data in SharePoint Online. If you need to build solutions that write data to AAD, you must consent to the write permission using the separate Azure Active Directory Management for K2 app. Note that when an AAD service instance is configured against the K2 for Office 365 app, all SmartObject methods (including Create and Update) are still exposed, even though the underlying OAuth tokens and app do not carry AAD write permissions by default; those write methods only succeed when the instance is bound to an app that has actually been granted write permissions.
There is also a KB article "Security Concerns with Azure-based K2 Integration". It mainly explains that K2 only needs read permissions, but that a tenant administrator must grant them because they are directory-wide. The Required permissions section of the product Installation and Configuration Guide likewise states: "Write permissions in Azure Active Directory - Required for the Azure Active Directory wizards to function correctly at runtime." In other words, the write permission is tied to the AAD wizards, not to the base SharePoint integration.
You should also keep in mind that K2 provides different applications (Apps) that allow K2 to integrate with certain technologies. For example, if you need to integrate your K2 environment with Azure Active Directory (AAD), you may need to add one or more Apps to your Azure AD tenant to allow K2 to integrate with it. A good summary of those applications is available in the product documentation section on Applications.
K2 Five with SharePoint Online uses the K2 for Office 365 app configured against the K2 MSOA (Microsoft OAuth App-Only) resource. This app includes only Read permission to AAD. The "Read and write user profiles" permission relates to SharePoint user profiles, not AAD, and both read and write are required there for the K2 for SharePoint integration to function correctly. Depending on when consent was initially granted for this app, the grant in your tenant may still include AAD write permissions that were previously requested by this app. Around 2017 the app's permission request was changed to AAD read access only. This followed feedback from customers that the K2 app does not need the "AAD Write" permission: the App Token Account is impersonated by every user who uses the K2 app, and you typically do not want "everyone" to be able to make changes in AAD. We have not checked if it is possible to manually revoke the write permission for the app in the AAD portal, but it may be possible when re-granting consent to the K2 for Office 365 app for minimum AAD permissions by following the steps in the KB article "How to Reconsent to the K2 for Office 365 app for Minimum AAD Permissions".
Revoking the write permission may impact AAD SmartObjects that write data to AAD (if any are used at all). Those service instances should then be rebound to use the AADMGMT resource (the Azure Active Directory Management for K2 app), which specifically includes write permissions. With this configuration the K2 for Office 365 app has only read permissions to AAD, and only the AAD SmartObject service instances that specifically need to write data back to AAD are configured to use the AAD management app.
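To see what your tenant actually granted the K2 for Office 365 app before deciding whether the write scopes can go, the following Microsoft Graph PowerShell script (an added example, not part of the K2 article and not K2's own tooling) lists the delegated AAD scopes consented to the app, separates read from write, and with -Revoke trims the grant down to the read scopes the pickers and group-membership checks need. It assumes the service principal's display name is 'K2 for Office 365' (yours may differ), that write-capable delegated scopes contain "Write" or "AccessAsUser" in their names (for example Directory.ReadWrite.All or Directory.AccessAsUser.All), and that the directory resources of interest are Azure AD Graph (appId 00000002-0000-0000-c000-000000000000) and Microsoft Graph (appId 00000003-0000-0000-c000-000000000000). It needs the Microsoft.Graph PowerShell SDK and a tenant administrator sign-in.

```powershell
# Added example (not from the K2 article or K2's own tooling): audit, and
# optionally trim, the Azure AD consent granted to the K2 for Office 365 app.
# Assumptions: display name 'K2 for Office 365' (yours may differ); write-capable
# delegated scopes match 'Write|AccessAsUser'; directory resources are Azure AD
# Graph and Microsoft Graph. Dry run unless -Revoke is passed.
param(
    [string]$AppDisplayName = 'K2 for Office 365',   # assumption: adjust to your tenant
    [switch]$Revoke
)

# Application.Read.All lets us read service principals and app role assignments;
# DelegatedPermissionGrant.ReadWrite.All is needed only for the -Revoke path.
Connect-MgGraph -Scopes 'Application.Read.All','DelegatedPermissionGrant.ReadWrite.All'

$directoryResourceAppIds = @(
    '00000002-0000-0000-c000-000000000000',  # Windows Azure Active Directory (Azure AD Graph)
    '00000003-0000-0000-c000-000000000000'   # Microsoft Graph
)

$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
if (-not $sp) { throw "Service principal '$AppDisplayName' not found in this tenant" }

# Delegated permissions (what the impersonated App Token Account receives) are
# stored as oauth2PermissionGrants whose clientId is the K2 app's service principal.
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'"
foreach ($g in $grants) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId
    # SharePoint Online grants (e.g. "Read and write user profiles") are not AAD and are left alone.
    if ($resource.AppId -notin $directoryResourceAppIds) { continue }

    $scopes     = $g.Scope -split ' ' | Where-Object { $_ }
    $writeScope = $scopes | Where-Object { $_ -match 'Write|AccessAsUser' }
    $readScope  = $scopes | Where-Object { $_ -notmatch 'Write|AccessAsUser' }
    "{0} (consentType={1}): read=[{2}] write=[{3}]" -f $resource.DisplayName, $g.ConsentType,
        ($readScope -join ','), ($writeScope -join ',')

    if ($Revoke -and $writeScope) {
        if ($readScope) {
            # Keep the directory-wide read scopes K2 requires; drop only the write scopes.
            Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id -Scope ($readScope -join ' ')
        } else {
            # Nothing worth keeping on this grant; remove it entirely.
            Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id
        }
    }
}

# Application (app-only) permissions are appRoleAssignments rather than OAuth2
# grants; list them so a write role granted that way is not overlooked.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
    ForEach-Object { "App role {0} on resource {1}" -f $_.AppRoleId, $_.ResourceDisplayName }
```

Run it without -Revoke first and compare the output with what the app requests today (AAD read only). If the grant still carries Directory.ReadWrite.All or similar from an older consent, the supported route is the re-consent KB article; trimming the grant with -Revoke achieves the same end state but any AAD SmartObject service instance that writes to AAD must then be rebound to the AADMGMT resource, otherwise its Create and Update methods will fail at runtime.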
Write permissions can be revoked or limited as explained above.