Loading...

Lack of service-side validation allows group guest user restrictions bypass via OWA

A recent exploration into how OWA enforces guest user restrictions for Microsoft 365 Group releaved that client-side checks are used, and in turn restrictions could be bypassed by crafting a request with modified payload. After doing the responsible thing and reporting this issue to Microsoft, I am now bringing you some additional details on it, after the corresponding fix has been rolled out worldwide. …

Continue readingLack of service-side validation allows group guest user restrictions bypass via OWA

Published on: August 16, 2025

Learn more

Michev

Share post:

More from this blog

New Graph API methods available for Entra ID audit logs operations

In this article we cover some recent additions to the Graph API that bring support for some Entra au...

Set an Entra user’s photo from a web image

Have you ever wondered how can you set the profile photo of an Microsoft 365/Entra user directly fro...

How to configure forwarding for a Microsoft 365 Group

In this article we explore the various ways to configure forwarding for email messages addressed to ...

PSA: The Set-CalendarProcessing cmdlet no longer validates recipient input

A change in behavior for the Set-CalendarProcessing cmdlet's parameter values validation might resul...

Report on partial license assignments via the Graph SDK for PowerShell

In this article, we explore a simple PowerShell script to report on "partial" license assignments in...

How to add a shared mailbox as additional account in the New Outlook

In order to access certain Outlook features, it has always been recommended to add a shared mailbox ...

Upcoming changes to the Connect-IPPSSession cmdlet (the EnableSearchOnlySession switch)

A recent message center post, MC1131771, notified us about upcoming changes to PowerShell connectivi...

Did you know: My Groups and guest access restrictions

In this article we describe some inconsistencies in the behavior of My Groups portal when it comes t...

How to export unsanitized HAR files with Chrome and Edge

If using Chrome, open DevTools, hit the gear icon in the top right corner of the DevTools dock (or p...

Relevant topics:

Stay up to date with latest Microsoft Dynamics 365 and Power Platform news!

* Yes, I agree to the privacy policy

Lack of service-side validation allows group guest user restrictions bypass via OWA

Related posts