What risk is Sev2.5 trying to mitigate?
Multi-tenant first-party Microsoft apps without tenant scoping, creating tenant overexposure risk.
Name the 3 Fusion 1P apps flagged.
1. AADFusionRestoredCosmosDB (46d1e42a-a64b-41e0-adb1-a7cebd8ca78b),
2. TEST-AADFusionRestoredCosmosDB (887a9a52-fa1a-432f-acb7-b9147aa07ae1),
3. FusionApplication (e47f47b1-066c-43a4-9716-7456883e5509)
Who directly calls Fusion?
Microsoft Graph (AGS) (not external tenants).
Which tenant ID is for Microsoft Services (Prod + USGov)?
f8cdef31-a31e-4b4a-93e4-5f571e91255a
What existing safeguards protect Fusion 1P App?
RBAC checks + PFAT enforcement.
What event raised urgency for Sev2.5?
A vulnerability expected to be disclosed at Blackhat USA 2025 (Aug 2–7).
Which app had no active tenantIds in telemetry?
AADFusionRestoredCosmosDB.
Why does Graph need OBO flow when calling Fusion?
Because MSI token audience = Graph, but Fusion requires audience = Fusion.
Which tenant ID is for Mooncake?
0b4a31a2-c1a0-475d-b363-5f26668660a3
Why did Sev2.5 escalations stall initially?
SMEs from MSGraph were OOF, hard to confirm flows.
What two compliance options do services have under Sev2.5?
1. Apply central restrictions (OrgRestrictions).
2. Review usage and attest no tenant overexposure.
What’s the risk of applying central action too quickly?
Potential outage for partner teams if flows break unexpectedly.
What does the outer vs inner token in PFAT validate?
Outer actor token → confirms caller is Microsoft Graph.
Why are USNat and USSec untouched?
They’re in AGC and isolated from external exposure.
What improvement was suggested to prevent OOF gaps?
Have 1–2 security champs per team, so both aren’t OOF simultaneously.
Why are customer tenant IDs not observed in Fusion telemetry?
Fusion uses UseGlobalTenantForActor → all actor tokens issued in Microsoft Services tenant instead of customer tenant.
Which Fusion app was proposed for Disable?
AADFusionRestoredCosmosDB.
What is UseGlobalTenantForActor?
Configuration that forces all actor tokens to be issued in Microsoft Services tenant, regardless of original tenant.
What is the AME tenantId?
33e01921-4d64-4f8c-a055-5bdaffd5e33d
What is the long-term tool available (post Aug 8) to allow-list tenantIds?
App model team’s tool.
What is the Ferryville program’s overall focus?
Securing internal-only, multi-tenant Microsoft Services apps by enforcing tenant scoping.
What’s the difference between “Disable” and “OrgRestrictions” central actions?
1. Disable = cancel app with tenant impact (full shutdown).
2. OrgRestrictions = restrict usage to scoped tenant allow list.
Describe the full Fusion token exchange flow (MSI → Graph → ESTS → Fusion).
MSI gets token for Graph → Graph uses OBO with ESTS → ESTS issues actor token in MSS tenant → Graph sends actor + original token in PFAT → Fusion validates actor = Graph, inner token = MSI identity.
Which tenants were proposed in the signInRestrictions Allow List?
f8cdef31-a31e-4b4a-93e4-5f571e91255a (Prod + USGov),
0b4a31a2-c1a0-475d-b363-5f26668660a3 (Mooncake).