Note: For the rest of this post, I’m going to use “connector” to describe the library of actions in Power Apps (ex: the Entra ID connector), and “connection” to refer to a connector that has been created and authenticated by a user (ex: the Entra ID connection authenticated as john.smith@contoso.com) and can be used to create new actions.

For as long as this connection exists, your authentication will be associated with it. Any user with access to that connection can create new actions that will use your authentication. For example, if you create an Entra ID connection, then another user with access to that connection could create an “Add user to group” action, which will use your authentication, even if that user would not have the necessary Entra ID permissions to add a user to a group. I’ve previously blogged about abusing this in Azure Logic Apps, where the same behaviour yielded a serviceable privilege escalation exploit.

Up until 2024, this type of attack was far more likely to occur in Power Apps. It used to be the case that when you shared an application that uses a connection, the associated connection would also be shared. You can see this documented on this page from Microsoft, which hasn’t been updated since 2022. However, according to this page from 2024, this is no longer the case. Now, the connection itself needs to be shared with your account, which is a far less likely misconfiguration. This could have been the result of the Black Hat 2023 talk “All You Need Is Guest” by Michael Bargury, an excellent talk which also covered enumerating and dumping information from Power Apps.
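A defender-side check for the misconfiguration described above, written here as an added example rather than code from the original post: it walks every environment with the Microsoft.PowerApps.Administration.PowerShell module and lists each connection that has a role assignment for someone other than its creator, since that is exactly the condition under which another user can build actions on your stored authentication. The cmdlet and parameter names are real; the property names on the returned objects (CreatedBy.id, PrincipalObjectId, PrincipalType, RoleType) are assumed from memory and should be confirmed with Get-Member in your tenant.

```powershell
# Added audit example (not the post author's code). Assumes the
# Microsoft.PowerApps.Administration.PowerShell module is installed and the
# signed-in account holds a Power Platform administrator role.
Import-Module Microsoft.PowerApps.Administration.PowerShell
Add-PowerAppsAccount   # interactive sign-in

$findings = foreach ($env in Get-AdminPowerAppEnvironment) {
    foreach ($conn in Get-AdminPowerAppConnection -EnvironmentName $env.EnvironmentName) {
        $assignments = Get-AdminPowerAppConnectionRoleAssignment `
            -ConnectionName  $conn.ConnectionName `
            -ConnectorName   $conn.ConnectorName `
            -EnvironmentName $env.EnvironmentName

        foreach ($ra in $assignments) {
            # An unshared connection carries only its creator's owner entry.
            # Any other principal (another user, a group, or PrincipalType
            # 'Tenant' for an org-wide share) can create actions that run
            # under the creator's credentials.
            $isCreator = ($ra.PrincipalType -eq 'User') -and
                         ($ra.PrincipalObjectId -eq $conn.CreatedBy.id)   # assumed property names
            if (-not $isCreator) {
                [pscustomobject]@{
                    Environment   = $env.DisplayName
                    Connector     = $conn.ConnectorName
                    Connection    = $conn.DisplayName
                    Owner         = $conn.CreatedBy.email      # assumed property name
                    SharedWith    = $ra.PrincipalDisplayName
                    PrincipalType = $ra.PrincipalType
                    Role          = $ra.RoleType
                    RoleId        = $ra.RoleId                 # needed for remediation
                }
            }
        }
    }
}

# Review high-privilege connectors (e.g. Entra ID) first; an unwanted share is
# removed with Remove-AdminPowerAppConnectionRoleAssignment using the RoleId,
# ConnectionName, ConnectorName and EnvironmentName from the finding.
$findings | Sort-Object Connector, Connection | Format-Table -AutoSize
```

Run it periodically or after sharing changes; an empty table means no connection in the tenant exposes its owner's authentication to another principal.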