July 15, 2025 Microsoft says it has removed high-privilege access vulnerabilities across its Microsoft 365 platform, addressing over 1,000 security scenarios as part of its Secure Future Initiative.

The changes follow a deep internal review led by Microsoft Networks Labs, which found that traditional service-to-service authentication protocols granted more access than necessary. Microsoft’s Deputy CISO for Experiences and Devices, Naresh Kannan, said the review focused on enforcing least-privilege principles to reduce security exposure across the cloud environment.

High-privilege access allows applications or services to impersonate users and access content without proper authentication context. According to Microsoft, this posed major risks in the event of service compromises, credential leaks or token theft.

The engineering effort involved more than 200 staff and unfolded over three phases. Microsoft reviewed service-to-service interactions across the Microsoft 365 stack and found many applications retained permissions that exceeded their operational needs. Legacy authentication models were retired, and permissions were replaced with narrower, scenario-specific alternatives.

For instance, apps needing access to SharePoint are now limited to “Sites.Selected” permissions instead of the broader “Sites.Read.All.” The company also implemented continuous monitoring to identify any lingering overprivileged access and enforce compliance with new standards.

Microsoft 365 powers email, file sharing and collaboration tools used by businesses and institutions worldwide. The overhaul comes amid growing pressure on cloud service providers to strengthen internal security after a wave of high-profile breaches.