Microsoft to boost Exchange Online security by limiting domain info exposure.
Key Takeaways:
Microsoft is preparing to release a significant update to the Get-FederationInformation cmdlet in Exchange Online next month, designed to enhance security across tenant environments. This enhancement will help organizations minimize the exposure of domain names to unauthorized users, reducing the risk of data leakage and targeted attacks.
In Exchange Online, the Get-FederationInformation cmdlet is used to gather configuration details about how an organization can establish a federation trust with another domain. This is particularly useful for enabling secure sharing of calendar availability and other data between Exchange organizations.
Microsoft notes that specifying a domain allows the cmdlet to retrieve metadata such as federation certificates and endpoints. This helps administrators verify and troubleshoot cross-organization sharing setups.
Currently, the Get-FederationInformation cmdlet can be run by any user without authentication to retrieve federation metadata for a specified domain. This includes sensitive configuration details like the list of accepted domains (DomainNames) associated with the target tenant.
This means that an external user could potentially probe an organization’s federation setup and discover the domain names used within that tenant. If not properly mitigated, this bug could be exploited by cybercriminals for reconnaissance or social engineering attacks.
With this release, the Get-FederationInformation cmdlet will only return information about the specific domain that is passed as a parameter, rather than revealing all federated domain information. This change will help reduce the risk of information leakage and make it harder for unauthorized users to collect data about an organization’s domain structure.
“We understand that this change may impact some of your current workflows, especially if you rely on the Get-FederationInformation cmdlet to retrieve a list of all federated domain names for a target tenant. Once we make this change, starting mid-June, if you need this information, you will need to work directly with the target tenant administrators,” the Exchange team explained.
Microsoft mentioned that administrators can use the Get-FederatedOrganizationIdentifier cmdlet to establish a cross-tenant relationship. This cmdlet provides a list of domains that are already federated within their organization.
Administrators can then manually share this list with other trusted tenants to help set up the necessary federation trust. Microsoft advises IT admins to include the tenant’s .mail.onmicrosoft.com domain in the DomainNames list when creating an organization relationship with a Microsoft 365 tenant.
Microsoft notes that this change will only impact the scope of data returned, and it won’t affect the availability or core functionality of the Get-FederationInformation cmdlet. It’s highly recommended that administrators review any automation, scripts, or tools that use this cmdlet within their organizations.
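The workflow Microsoft describes above (enumerate your own federated domains with Get-FederatedOrganizationIdentifier, hand the list to the partner tenant out of band, and build the organization relationship with the .mail.onmicrosoft.com domain included), together with a quick scan for automation that still depends on the old DomainNames output, as an added PowerShell example. This is not code from the article or from Microsoft; it assumes the ExchangeOnlineManagement module with an active Connect-ExchangeOnline session in each tenant, and every tenant, domain, file and relationship name in it is a constructed placeholder. Treating each entry of the Domains collection as a string via ToString() is also an assumption about that object type.

```powershell
# Added example, not from the article or Microsoft. All names are constructed
# placeholders; run each step in the tenant noted, after Connect-ExchangeOnline.

# --- Step 1: in the tenant that owns the domains (its own admin runs this) ---
# Get-FederatedOrganizationIdentifier lists the domains already federated in
# THIS tenant. This is the list to hand to the partner, since the partner can
# no longer read it from Get-FederationInformation after the change.
# Assumption: each entry of .Domains renders its domain name via ToString().
$federatedDomains = (Get-FederatedOrganizationIdentifier).Domains |
    ForEach-Object { $_.ToString() }

# Share the list out of band (constructed file name).
$federatedDomains | Set-Content -Path .\fabrikam-federated-domains.txt

# --- Step 2: in the partner tenant (the partner's admin runs this) ---
# Read the list received from the other tenant's admin, and make sure the
# tenant's routing domain (placeholder fabrikam.mail.onmicrosoft.com) is in
# DomainNames, as Microsoft advises for a Microsoft 365 tenant.
$partnerDomains = @(Get-Content -Path .\fabrikam-federated-domains.txt)
$routingDomain  = 'fabrikam.mail.onmicrosoft.com'
if ($partnerDomains -notcontains $routingDomain) {
    $partnerDomains += $routingDomain
}

# Get-FederationInformation still returns the endpoints for the domain you
# pass; after the change, its DomainNames holds only that one domain, so the
# full list comes from $partnerDomains instead of $fedInfo.DomainNames.
$fedInfo = Get-FederationInformation -DomainName 'fabrikam.com'

New-OrganizationRelationship -Name 'Fabrikam' `
    -DomainNames $partnerDomains `
    -FreeBusyAccessEnabled $true `
    -FreeBusyAccessLevel LimitedDetails `
    -TargetApplicationUri $fedInfo.TargetApplicationUri `
    -TargetAutodiscoverEpr $fedInfo.TargetAutodiscoverEpr

# --- Step 3: find your own automation that relied on the old behaviour ---
# Scripts that enumerated a partner's domains from .DomainNames of
# Get-FederationInformation will silently get a single entry from mid-June.
# List every occurrence under a constructed scripts folder for review.
Get-ChildItem -Path .\scripts -Filter *.ps1 -Recurse |
    Select-String -Pattern 'Get-FederationInformation' |
    Select-Object Path, LineNumber, Line
```

The pattern worth retiring is piping Get-FederationInformation straight into New-OrganizationRelationship, which takes DomainNames from the cmdlet's output; after the change that relationship would cover only the single domain that was queried, so the domain list should come from the partner tenant's administrator as shown in steps 1 and 2.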