Cloud App Security alert after adding Expensify in Azure with SAML SSO

DavidAtFaber Expensify Customer Posts: 1

I followed the steps at How-to: Enable SAML SSO — Expensify Community and Tutorial: Azure Active Directory integration with Expensify | Microsoft Docs. A little while later, I got an alert from Microsoft 365 Defender / Cloud App Security. The description was:

The user [my name and email] performed an unusual addition of credentials to the application Expensify. This usage pattern may indicate that an attacker has compromised the app, and is using it to spread phishing, exfiltrate data, or to gain access to other accounts and devices. The user added credentials of the types: AsymmetricX509Cert, X509CertAndPassword. A credential of type AsymmetricX509Cert is added when an application is using an application certificate without a key to validate certificate ownership. A credential of type X509CertAndPassword is added when an application is using an application certificate with an encryption key to validate certificate ownership.

I haven't seen this warning before when adding other apps to the list of Enterprise Applications in Azure. Is this to be expected for Expensify?

Answers

  • Ted Harris Expensify Success Coach - Admin, Expensify Team, Expensify Student Ambassador Posts: 359

    A credential of type AsymmetricX509Cert is added when an application is using an application certificate without a key to validate certificate ownership

    Hi @DavidAtFaber - this isn't something we've ever come across before and there are many businesses using SAML with Azure, so that's definitely not expected. I can't speak for why Azure might be throwing that error though.
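
One way to triage the alert quoted in the question, added here as an example and not part of the thread or of Expensify's or Microsoft's own guidance: Azure stores an enterprise application's SAML signing certificate on its service principal as a Verify/Sign pair of key credentials with the two types the alert names, so the check below separates that pair from anything else. The sample object and its values are constructed, and matching `customKeyIdentifier` against `preferredTokenSigningKeyThumbprint` assumes both carry the thumbprint in the same encoding in your export.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of a Microsoft Graph servicePrincipal object
# (GET /servicePrincipals/{id}); every value here is made up for illustration.
SAMPLE_SP = json.loads("""
{
  "displayName": "Expensify",
  "preferredTokenSigningKeyThumbprint": "AAAA1111",
  "keyCredentials": [
    {"customKeyIdentifier": "AAAA1111", "type": "AsymmetricX509Cert", "usage": "Verify"},
    {"customKeyIdentifier": "AAAA1111", "type": "X509CertAndPassword", "usage": "Sign"},
    {"customKeyIdentifier": "BBBB2222", "type": "AsymmetricX509Cert", "usage": "Verify"}
  ]
}
""")

# Shape of a SAML signing certificate: public half (Verify) plus private half (Sign).
SIGNING_PAIR = {("AsymmetricX509Cert", "Verify"), ("X509CertAndPassword", "Sign")}


def triage_key_credentials(sp):
    """Split keyCredentials into the active SAML signing pair and entries to review."""
    groups = defaultdict(list)
    for cred in sp.get("keyCredentials", []):
        groups[cred.get("customKeyIdentifier")].append(cred)

    # Assumption: this thumbprint uses the same encoding as customKeyIdentifier.
    preferred = (sp.get("preferredTokenSigningKeyThumbprint") or "").upper()

    expected, review = [], []
    for ident, creds in groups.items():
        shape = {(c.get("type"), c.get("usage")) for c in creds}
        is_pair = len(creds) == 2 and shape == SIGNING_PAIR
        if is_pair and ident and ident.upper() == preferred:
            expected.append(ident)   # matches the active SSO signing certificate
        else:
            review.append(ident)     # lone key, odd usage, or not the active cert
    return {"expected_signing": expected, "needs_review": review}


if __name__ == "__main__":
    print(triage_key_credentials(SAMPLE_SP))
```

Anything listed under `needs_review` is worth comparing against the Azure AD audit log entry for the credential addition (who added it and when) before the alert is closed.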