Gabi Lehner announces a change:
The `current_principal_is_member_of()` function checks if the principal who runs the query is a member of any of the users, apps or groups provided as arguments. Up until now, it was allowed to specify the AAD group details in multiple forms, including the display name of the AAD group, without specifying the tenant id or name, for example `current_principal_is_member_of("mygroup")`.
I have to say, that’s a pretty big security flaw.
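To make the ambiguity concrete, here is an added example (my own, not code from the announcement or from the Kusto documentation) of a row-level-security style function written both ways: once with a bare display name, once pinned to a specific group object id and tenant id. The table name, group name and GUIDs are made-up placeholders, and the `aadgroup=<group-object-id>;<tenant-id>` form is my assumption about the tenant-qualified principal syntax, not something the announcement states.

```kusto
// Added example, not the page's own code. SensitiveEvents, "mygroup" and the
// GUIDs below are placeholders I made up for illustration.

// Weak form: a display name with no tenant. Display names are not unique
// across tenants, so any tenant whose group is called "mygroup" and that can
// reach this cluster satisfies the check, not just the group you meant.
.create-or-alter function SensitiveRowsWeak() {
    SensitiveEvents
    | where current_principal_is_member_of("mygroup")
}

// Hardened form: pin the check to one group object id in one tenant.
// Assumed syntax: 'aadgroup=<group-object-id>;<tenant-id>' (placeholder GUIDs).
.create-or-alter function SensitiveRowsPinned() {
    SensitiveEvents
    | where current_principal_is_member_of('aadgroup=00000000-0000-0000-0000-000000000001;00000000-0000-0000-0000-000000000002')
}

// Quick self-check from the query editor: run as the calling principal and
// compare which form lets you through.
print weak   = current_principal_is_member_of("mygroup"),
      pinned = current_principal_is_member_of('aadgroup=00000000-0000-0000-0000-000000000001;00000000-0000-0000-0000-000000000002')
```

The practical check after a change like this is to grep every stored function and RLS policy for `current_principal_is_member_of(` and `aadgroup=` arguments that carry no `;<tenant>` or `@<tenant>` suffix, and rewrite them to the pinned form before relying on them.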