User Misconfigurations in Microsoft Power Apps Exposes 38 Million Records!

Recent cyberattacks on Poly Network, T-Mobile, Accenture, and other major organizations have shed light on how a single security vulnerability can put a business in dire straits. Yet, many organizations, including the tech giants like Microsoft, are still dropping the ball on cybersecurity.

Microsoft Power Apps’ improper security configuration has inadvertently exposed 38 million personal records of 47 businesses. Though this security misconfiguration stayed in the portals for months before being detected by security firm UpGuard, there’s no evidence that the data has been exploited, fortunately.

Power Apps Explained

As described by Microsoft, Power Apps is a “suite of apps, services, and connectors, as well as a data platform, that provides a rapid development environment to build custom apps for business needs.” This low-code tool enables people to build applications without writing code.

Power Apps platform uses Open Data Protocol (OData) API to retrieve and store private and public information and provide users secure access to that data. Here lies the crux of the security snafu.

The API retrieves data from Power Apps lists, which pull the data from tables in a database. To control who can access the data, the Power Apps users must configure Table Permissions and set the Enable Table Permissions Boolean value on the list record to true. However, Enable Table Permissions has been disabled by default, exposing millions of records.

“If those configurations are not set and the OData feed is enabled, anonymous users can access list data freely,” said UpGuard.

Data Exposure!


In a recent report, UpGuard stated that the misconfiguration of the Power Apps portal exposed sensitive customer data ranging from COVID-19 vaccination status and names to email addresses.

“We found one of these Power Apps portal that was misconfigured to expose data and we thought, we’ve never heard of this, is this a one-off thing or is this a systemic issue?” said UpGuard’s VP of cyber research Greg Pollock. “Because of the way the Power Apps portals product works, it’s very easy to quickly do a survey. And we discovered there are tons of these exposed. It was wild.”

“The types of data varied between portals, including PII used for COVID-19 contact tracing, COVID-19 vaccination appointments, social security numbers for job applicants, employee IDs, and millions of names and email addresses,” mentioned UpGuard.

Among the 47 affected companies were state agencies in Indiana, Maryland, and New York City, and private organizations like Ford, American Airlines, J.B. Hunt, and Microsoft itself.

Some of the most significant exposures revealed by UpGuard are as follows:


  • American Airlines

A set of 398,890 records and another set of 470,400 records were exposed. The records included personal information such as full names, phone numbers, job titles, and email addresses.

  • Denton County, Texas

A list of 632,171 records which included vaccination types, appointment dates and times, employee IDs, full names, phone numbers, DoBs, and email addresses. A list by the name ‘contactVaccinationSet’ featured 400,091 records with information such as full names and vaccination types. Another list, ‘contactset,’ had 253,844 records with full names and email addresses.

  • J.B. Hunt Transport Services

A total of 905,228 records that included customers’ full names, email addresses, geological addresses, and phone numbers were exposed.

  • Microsoft’s Global Payroll Services Portal

UpGuard found that 332,000 records of Microsoft employees with their email address, full name, and phone numbers were exposed due to the Power Apps’ misconfiguration.

It’s a feature, not a vulnerability!

It’s A Feature, Not A Vulnerability!

After discovering the misconfiguration vulnerability, UpGuard submitted a vulnerability report to the Microsoft Security Resource Center on June 24, 2021.

In response, Microsoft promptly began to investigate the claims that its Power Apps are exposing millions of sensitive data records. On June 29, 2021, the tech giant informed UpGuard that the behavior is not a software vulnerability. Microsoft closed the case saying that the “behavior is considered to be by design”.

“The case was closed, and the Microsoft analyst informed us that they had determined that this behavior is considered to be by design,” stated UpGuard.

“While we understand (and agree with) Microsoft’s position that the issue here is not strictly a software vulnerability, it is a platform issue that requires code changes to the product, and thus should go in the same workstream as vulnerabilities,” the UpGuard said in its report.

“It is a better resolution to change the product in response to observed user behaviors than to label systemic loss of data confidentiality an end-user misconfiguration, allowing the problem to persist and exposing end users to the cybersecurity risk of a data breach.”

Microsoft Response

Microsoft Response

After UpGuard notified Microsoft about the portal issue, the tech giant responded swiftly to alert its customers.

“At some point, Microsoft notified government cloud customers of this issue. We could observe its effect in that several lists for portals on that had been public in June were no longer public by the end of July,” wrote UpGuard.

Microsoft also released a tool, ‘Portal Checker,’ to help customers assess their Power Apps portals for data exposure. The tech company also planned changes to the portal to enable table permissions by default.

“To diagnose configuration issues, the Portal Checker can be used to detect lists that allow anonymous access. More importantly, newly created Power Apps portals will have table permissions enabled by default,” mentioned UpGuard.

Contact Us

More Articles: