How to remediate – Power Apps OData Feeds Detected

Contents

1. Introduction

Power Apps OData Feeds Detected refers to publicly accessible data feeds created within Microsoft Power Apps. This allows anyone on the internet to access table data, potentially exposing sensitive information. Systems affected are those using the Microsoft Power Apps platform with published OData feeds. Likely impact is high confidentiality loss, moderate integrity risk if data can be modified, and low availability risk.

2. Technical Explanation

Power Apps allows users to easily publish their application’s table data as OData feeds – a standard RESTful web service. By default, these feeds are publicly available unless specifically secured. The scanner detected that your Power Apps application has exposed data through an unsecured OData feed. An attacker could access this data without authentication.

Root cause: Default configuration of Power Apps allows public exposure of OData feeds.
Exploit mechanism: An attacker simply accesses the OData feed URL to retrieve data. For example, they can use a web browser or tool like curl to query the feed and download table contents.
Scope: This affects any Microsoft Power Apps application with published OData feeds.

3. Detection and Assessment

Confirming exposure involves checking your Power Apps portal configuration. A thorough assessment requires reviewing all data sources connected to your applications.

Quick checks: Within the Power Apps maker portal, navigate to Data > Tables + Flows and check if any tables have associated OData feeds enabled.
Scanning: There are no specific signature IDs for this issue as it is a configuration problem. Security scanners that identify publicly exposed APIs may flag the feed URL.
Logs and evidence: Review Power Apps audit logs for events related to OData feed creation or modification. Look for activity associated with table permissions.

curl https://your-powerapps-instance/odata/{table_name}

4. Solution / Remediation Steps

The following steps secure your Power Apps OData feeds by restricting access.

4.1 Preparation

Ensure you have appropriate permissions to modify Power Apps portal settings. A roll back plan involves reverting the access restrictions in the portal configuration.
A change window may be needed depending on your organisation’s policies. Approval from a security team might be necessary.

4.2 Implementation

Step 1: Open the Power Apps maker portal and navigate to Portals > Data tables.
Step 2: Select the data table with the exposed OData feed.
Step 3: In the ‘Permissions’ section, restrict access to only authorized users or groups. Do not leave it open to ‘Everyone’.
Step 4: Repeat steps 2 and 3 for all other tables with published OData feeds.

4.3 Config or Code Example

Before

Permissions: Everyone (Read)

After

Permissions: Specific Security Roles (Read)

4.4 Security Practices Relevant to This Vulnerability

Several security practices directly address this vulnerability type.

Practice 1: Least privilege – restrict access to data feeds only to those who need it, reducing the impact if a feed is compromised.
Practice 2: Secure defaults – configure Power Apps with restrictive default settings for OData feed access.

4.5 Automation (Optional)

There are currently no widely available automation tools to directly remediate this issue at scale. PowerShell scripts can be used to query the Power Apps API, but require significant development effort and careful testing.

# Example script - requires Power Apps module and authentication
# Get-PowerAppsTable | Where-Object {$_.ODataFeedEnabled -eq $true} | Set-PowerAppsTable -Permissions "Specific Security Role"

5. Verification / Validation

Post-fix check: Attempt to access the OData feed URL using a user account that does not have permission. You should receive an authorization error (HTTP 403 Forbidden).
Re-test: Re-run the curl command from the Detection and Assessment section. The response should now indicate unauthorized access.
Smoke test: Verify that authorized users can still access the data feed as expected.
Monitoring: Monitor Power Apps audit logs for failed access attempts to OData feeds, which could indicate ongoing reconnaissance activity.

curl -u {username}:{password} https://your-powerapps-instance/odata/{table_name}

6. Preventive Measures and Monitoring

Preventing this vulnerability requires proactive configuration management.

Baselines: Update your Power Apps security baseline to include a requirement for restricted OData feed access.
Pipelines: Implement checks in CI/CD pipelines to ensure that new or modified data tables do not have publicly exposed OData feeds enabled by default.
Asset and patch process: Regularly review Power Apps environment configurations to identify and secure any newly created OData feeds.

7. Risks, Side Effects, and Roll Back

Restricting access may impact users who previously relied on public data feeds.

Risk or side effect 1: Authorized users may need updated credentials or permissions to access the feed. Communicate changes clearly.
Roll back: In the Power Apps maker portal, revert the Permissions setting for affected tables to ‘Everyone’ (Read).

8. References and Resources

Links related to this specific vulnerability.

Vendor advisory or bulletin: https://crmtipoftheday.com/1407/how-to-secure-power-apps-portal-from-making-the-news/
NVD or CVE entry: Not applicable as this is a configuration issue, not a specific vulnerability.
Product or platform documentation relevant to the fix: https://docs.microsoft.com/en-us/powerapps/powerapps-overview

Updated on December 27, 2025

Was this article helpful?

Yes No